Modul MTCTCE PDF
Modul MTCTCE PDF
Traffic Control
(MTCTCE)
Certified Mikrotik Training - Advanced Class (MTCTCE)
Organized by: Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
Schedule - Module
Sesi 1
Hari 1
00-2
Sesi 2
Basic Config
Sesi 3
Sesi 4
L2 Security
Hari 2
Firewall
L7
Protocol
Hari 3
QOS
Test
6-Mar-12
Schedule
00-3
Sessi 1
Coffee Break
Sessi 2
Lunch
Sessi 3
Coffee Break
Sessi 4
08.30 10.15
10.15 10.30
10.30 - 12.15
12.15 13.15
13.15 15.00
15.00 15.15
15.15 - 17.00
6-Mar-12
00-4
6-Mar-12
Certification Test
00-5
6-Mar-12
Trainers
Novan Chris
l
l
l
Pujo Dewobroto
l
l
l
00-6
6-Mar-12
Perkenalkan
Perkenalkanlah :
l
l
l
l
00-7
Nama Anda
Tempat bekerja
Kota / domisili
Apa yang Anda kerjakan sehari-hari dan fiturfitur apa yang ada di Mikrotik yang Anda
gunakan
6-Mar-12
Thank You !
info@mikrotik.co.id
Diijinkan menggunakan sebagian atau seluruh materi pada modul ini, baik
berupa ide, foto, tulisan, konfigurasi, diagram, selama untuk
kepentingan pengajaran, dan memberikan kredit dan link ke
www.mikrotik.co.id
Basic Configuration,
DHCP & Proxy
Objectives
01-10
DNS Server
DHCP Server
DHCP Client
DHCP Relay
Proxy Access Control
6-Mar-12
First do First !
01-11
6-Mar-12
WLAN1
10.10.10.1/24
WLAN1
10.10.10.X/24
ETHER1
192.168.1.1/24
ETHER1
192.168.2.1/24
ETHER1
192.168.X.1/24
ETHERNET PORT
192.168.1.2/24
ETHERNET PORT
192.168.2.2/24
ETHERNET PORT
192.168.X.2/24
MEJA 1
01-12
WLAN1
10.10.10.2/24
MEJA 2
Mikrotik Indonesia http://www.mikrotik.co.id
MEJA X
6-Mar-12
IP Configuration
01-13
Routerboard Setting
l WAN IP : 10.10.10.x/24
l Gateway : 10.10.10.100
l LAN IP : 192.168.x.1/24
l DNS : 10.100.100.1
l Services: Src-NAT and DNS Server
Laptop Setting
l IP Address : 192.168.x.2/24
l Gateway : 192.168.x.1
l DNS : 192.168.x.1
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
01-14
6-Mar-12
Subdomain
Top-Level Domain
www.wikipedia.org
01-15
6-Mar-12
DNS - 2
Recursive DNS
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
01-17
6-Mar-12
01-18
6-Mar-12
01-19
6-Mar-12
01-20
6-Mar-12
Cache Lists
01-21
6-Mar-12
DHCP
01-22
6-Mar-12
DHCP Discovery
l
DHCP Offer
l
DHCP Acknowledgement
l
01-23
DHCP Request
l
6-Mar-12
caller-id option
01-24
6-Mar-12
DHCP Client
System_identity
Mac Address
01-25
6-Mar-12
DHCP Server
01-26
6-Mar-12
01-27
http://www.iana.org/assignments/bootp-dhcp-parameters
6-Mar-12
l
l
l
01-28
6-Mar-12
Raw Format :
l
l
l
l
l
01-29
0x | 10 | 0A27 | 0A260101 |
0x Hex Number
10 Subnet/Prefix = 16
0A27 Network = 10.39.0.0
0A260101 Gateway = 10.38.1.1
6-Mar-12
01-30
6-Mar-12
4
192.168.1.1
5
01-31
6
7
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
01-32
6-Mar-12
IP Address Pool
01-33
6-Mar-12
IP Address Pools
01-34
6-Mar-12
01-35
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
address berikutnya
tidak digunakan
address digunakan
6-Mar-12
01-36
6-Mar-12
01-37
6-Mar-12
01-38
6-Mar-12
DHCP-Server Alerts!!!
01-39
6-Mar-12
DHCP Alerts !
Authoritative = yes
01-40
DHCP
Client
Internet
Local Network
Rogue DHCP
6-Mar-12
DHCP Alerts !
01-41
6-Mar-12
01-42
6-Mar-12
DHCP - Authoritative
Authoritative = yes
DHCP
Client
Internet
Local Network
01-43
Rogue DHCP
6-Mar-12
Internet
Delay = 5s
Local Network
01-44
6-Mar-12
10.10.10.100/24
ETHER2
ETHER1
BRIDGE
01-45
ETHER2
ETHER1
BRIDGE
6-Mar-12
DHCP Relay
01-46
6-Mar-12
Buatlah konfigurasi
setting DHCP Relay
DHCP SERVER
ETHER2
172.16.30.1/24
ETHER1
01-47
192.168.31.1/24
ETHER2
172.16.30.2/24
ETHER1
DHCP RELAY
192.168.32.1/24
6-Mar-12
01-48
6-Mar-12
01-49
6-Mar-12
Proxy
Internet
01-50
6-Mar-12
Konsep Proxy
Internet
PROXY
01-51
Internet
6-Mar-12
Access list
l
01-52
Logging facility
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
Setup Proxy
01-53
6-Mar-12
Mengaktifkan Proxy
01-54
6-Mar-12
01-55
6-Mar-12
01-56
Layer 3 information
URL / Host
HTTP Method
6-Mar-12
01-57
6-Mar-12
URL Filtering
http://www.domain.com/path1/path2/file1.jpg
Destination host
Special Characters
l
l
01-58
Destination path
www.do?ai?.com
www.domain.*
*domain*
6-Mar-12
Regular Expressions
l
l
01-59
http://www.regular-expressions.info/reference.html
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
Dst-Host=:(torrent|limewire|thepiratebay|
torrentz|isohunt)+.*
Complete RegEx :
:(torrentz|torrent|thepiratebay|isohunt|entertane|
demonoid|btjunkie|mininova|flixflux|torrentz|vertor|
h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|
zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|
flixflux|seedpeer|fenopy|gpirate|commonbits)+.*
01-60
6-Mar-12
Cache
01-61
6-Mar-12
01-62
6-Mar-12
Layer 2 - Security
Outline
02-64
6-Mar-12
LAN
02-65
6-Mar-12
Layer 2 Network
02-66
6-Mar-12
02-67
6-Mar-12
Internet
Internet
Local Network
02-68
6-Mar-12
Layer 2 Attack !
02-69
6-Mar-12
MAC Flood
Bridge FDB Overload
CPU 100% !
Internet
Local Network
02-70
Mac-address:
00:0C:42:00:00:00
00:0C:42:00:00:01
00:0C:42:00:00:02
00:0C:42:00:00:03
.
.
.
00:0C:42:ff:ff:ff
6-Mar-12
MAC Flood
02-71
6-Mar-12
Exploiting Neighborhood
Lots Discovery Request
CPU 100% !
Internet
Local Network
02-72
Mac-address:
00:0C:42:00:00:00
00:0C:42:00:00:01
00:0C:42:00:00:02
00:0C:42:00:00:03
.
.
.
00:0C:42:ff:ff:ff
6-Mar-12
Exploiting Neighborhood
02-73
6-Mar-12
02-74
6-Mar-12
DHCP Starvation
Run-out IP
DHCP Sever FAIL !
NEED IPs !
Internet
Local Network
NEED IP ?
NEED IP ?
02-75
Mac-address:
00:0C:42:00:00:00
00:0C:42:00:00:01
00:0C:42:00:00:02
00:0C:42:00:00:03
.
.
.
00:0C:42:ff:ff:ff
6-Mar-12
DHCP Starvation
02-76
Penyerang mengenerate banyak sekali macaddress dan menghabiskan pool DHCP server.
Penyerang mengenerate banyak sekali DHCP
Discovery packet tetapi tidak mengirimkan packet
konfirmasi.
6-Mar-12
02-77
6-Mar-12
Internet
Local Network
Im The Router !
To Gateway
02-78
6-Mar-12
02-79
6-Mar-12
Internet
Local Network
02-80
Im The Hotspot !
6-Mar-12
l
l
02-81
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
Countermeasures
02-82
6-Mar-12
02-83
6-Mar-12
192.168.10.2/24
02-84
Ether3
Bridge
Ether1
Bridge
Ether3
Meja 1
Silakan download program
etherflood.exe untuk melakukan
simulasi flooding mac-address di
jaringan bridge.
Amati perubahan yang terjadi pada
router Anda (Bridge Host, ARP,interface
dan CPU).
Mikrotik Indonesia http://www.mikrotik.co.id
192.168.10.4/24
Meja 2
Mac-address:
00:0C:42:00:00:00
00:0C:42:00:00:01
00:0C:42:00:00:02
00:0C:42:00:00:03
.
.
.
00:0C:42:ff:ff:ff
6-Mar-12
02-85
6-Mar-12
02-86
6-Mar-12
02-87
6-Mar-12
02-88
6-Mar-12
02-89
6-Mar-12
192.168.10.2/24
Meja 1
02-90
Ether3
Bridge
Bridge
Ether3
Ether1
192.168.10.4/24
Meja 2
6-Mar-12
02-91
6-Mar-12
Countermeasure - ARP
Poisoning / Spoofing
l
02-92
6-Mar-12
Countermeasure - ARP
Poisoning / Spoofing
02-93
6-Mar-12
Resource Sharing
02-94
6-Mar-12
02-95
Matikan Default
Forward pada
Wireless Mikrotik.
6-Mar-12
Bridge1
Ether 1
Ether 2
Ether 3
Ether 4
Ether 5
Internet
02-96
6-Mar-12
Bridge Filter :
l
02-97
6-Mar-12
Forwading on SWos
V
X
X
02-98
X
X
6-Mar-12
02-99
6-Mar-12
Encryption
02-100
6-Mar-12
Firewall
Certified Mikrotik Training - Advanced Class (MTCTCE)
Organized by: Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
Objectives
Packet Flow
Firewall Mangle
l
l
l
Firewall Filter
l
l
03-102
Conn Mark
Packet Mark
Routing Mark
IP Address List
Advanced Parameter
NAT
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
Packet Flow
03-103
6-Mar-12
PREROUTING
Hotspot Input
Conn-Tracking
Mangle
Dst-NAT
Global-In Queue
Global-Total Queue
03-104
PRE
ROUTING
FORWARD
POST
ROUTING
INTERFACE
QUEUE / HTB
INPUT
LOCAL
PROCESS
OUTPUT
OUTPUT
INTERFACE
INPUT
Mangle
Filter
FORWARD
Bridge Decision
TTL = TTL - 1
Mangle
Filter
Acounting
OUTPUT
Bridge Decision
Conn-Tracking
Mangle
Filter
Routing Adjusment
POSTROUTING
Mangle
Global-Out Queue
Global-Total Queue
Source-NAT
Hotspot Output
6-Mar-12
OUTPUT
Bridge Decision
Conn-Tracking
Mangle
Filter
Routing Adjusment
IP Flow (RoSv3)
-
Use ip
firewall
+
PRE
ROUTING
BRIDGE
DST-NAT
+
INPUT is
Bridged?
Bridge
Decision
Routing
Decision
Use ip
firewall
BRIDGE
INPUT
BRIDGE
FORWARD
BRIDGE
SRC-NAT
FORWARD
INPUT
INPUT
INTERFACE
IPSEC
DECRYPTION
PREROUTING
Hotspot Input
Conn-Tracking
Mangle
Dst-NAT
Global-In Queue
Global-Total Queue
INPUT
Mangle
Filter
03-105
FORWARD
Bridge Decision
TTL = TTL - 1
Mangle
Filter
Acounting
OUTPUT is
Bridged?
OUTPUT
Routing
Decision
LOCAL
PROCESS-IN
LOCAL
PROCESS-OUT
IPSEC
ENCRYPTION
BRIDGE
OUTPUT
Bridge
Decision
IPsec
Policy
POSTROUTING
Mangle
Global-Out Queue
Global-Total Queue
Source-NAT
Hotspot Output
POST
ROUTING
IPsec
Policy
Use ip
firewall
OUTPUT
INTERFACE
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-106
6-Mar-12
Packet Flow
03-107
6-Mar-12
Input Interface
03-108
6-Mar-12
Output Interface
03-109
6-Mar-12
Local Process
03-110
6-Mar-12
Routing Decision
03-111
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-112
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-113
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-114
6-Mar-12
To
Mangle
Firewall
Queue
Outside
Router/
Local
Process
Prerouting
Input
Input
Global-Total
Router/
Local
Process
Outside
Output
Output
Global-Out
Outside
Outside
Global-In
Postrouting
Global-Total
Interface
Prerouting
Forward
Global-In
Forward
Postrouting
Global-Out
Global-Total
Interface
03-115
6-Mar-12
03-116
6-Mar-12
Connection State
03-117
6-Mar-12
Connection State
Firewall
New
03-118
Established
Related
Invalid
6-Mar-12
Firewall Mangle
03-119
Mangle adalah cara untuk menandai paketpaket data tertentu, dan kita akan
menggunakan tanda (Marking) tersebut pada
fitur lainnya, misalnya pada filter, routing, NAT,
ataupun queue.
Tanda mangle ini hanya bisa digunakan pada
router yang sama, dan tidak terbaca pada
router lainnya.
Pembacaan / pelaksanaan rule mangle akan
dilakukan dari atas ke bawah secara berurutan.
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
Type of Mark
Connection Mark
l
Route Mark
l
03-120
6-Mar-12
Penggunaan Mangle
QUEUE TREE
MANGLE
PACKET
MARK
CONNECTION
MARK
FIREWALL
FIREWALL
FILTER
ROUTE
MARK
POLICY ROUTE
(STATIC ROUTE)
03-121
6-Mar-12
Mangle Action
03-122
6-Mar-12
03-123
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Input
Chain 2
13
14
15
16
17
18
19
20
21
----------------------------------------------------------------------------------------------------
1
2
3a
11
12
13a
22
23
24
25
---------------------------------------------------------------------------------------------------------------
Chain 1
3
4
5
6
7
8
9
10
-----------------------------------------------------------------------------------------
6-Mar-12
03-124
Jump to chain-awal
TCP chain-tcp
UDP chain-udp
Rule lainnya
Rule lainnya
Rule lainnya
1
2
99
---------------------------------return
Chain ICMP
CHAIN FORWARD
1
Jump to chain-awal
Chain TCP
TCP chain-tcp
1
2
99
UDP chain-udp
Rule lainnya
Rule lainnya
Rule lainnya
1
2
99
---------------------------------return
---------------------------------return
Chain UDP
1
2
99
---------------------------------return
6-Mar-12
03-125
6-Mar-12
Chain Input
l
l
Chain Forward
l
l
Chain Output
l
l
03-126
6-Mar-12
Parameter Mangle
Chain Prerouting
l
l
Chain Postrouting
l
l
03-127
6-Mar-12
Connection Mark
03-128
6-Mar-12
Packet Mark
03-129
6-Mar-12
Route-Mark
03-130
6-Mar-12
Passthrough on Mangle
INPUT Traffic
CONN-MARK
conn-client-1
passthrough=yes
PACKET-MARK
packet-client-1
passthrough=yes
PACKET-MARK
packet-client-2
passthrough=yes
PACKET-MARK
packet-client-3
passthrough=yes
conn-mark: --none
packet-mark: --none
route-mark: --none-conn-mark: conn-client-1
packet-mark: --none-route-mark: --none-conn-mark: conn-client-1
packet-mark: packet-client-1
route-mark: --none-conn-mark: conn-client-1
packet-mark: packet-client-2
route-mark: --none-conn-mark: conn-client-1
packet-mark: packet-client-3
route-mark: --none--
OUTPUT Traffic
03-131
6-Mar-12
Passthrough on Mangle
INPUT Traffic
CONN-MARK
PACKET-MARK
conn-client-1
passthrough=yes
packet-client-1 passthrough=no
PACKET-MARK
packet-client-2
passthrough=no
PACKET-MARK
packet-client-3
passthrough=no
conn-mark: --none
packet-mark: --none
route-mark: --none-conn-mark: conn-client-1
packet-mark: --none-route-mark: --none-conn-mark: conn-client-1
packet-mark: packet-client-1
route-mark: --none--
OUTPUT Traffic
03-132
6-Mar-12
Mangle - NTH
03-133
6-Mar-12
WEB server 2
Every=3
Packet=2
03-134
Every=3
Packet=1
WEB server 1
6-Mar-12
Mangle - PCC
03-135
6-Mar-12
www.Yahoo.com
INTERNET
PCC
Both Address
(2,1)
03-136
PCC
Both Address
(2,0)
6-Mar-12
03-137
6-Mar-12
Rencana Prioritas
DNS SSH ICMP
Telnet HTTP request
HTTPS
1
VoIP skype
Video Conference
VPN MSN
DNS SSH ICMP
Telnet HTTP request
HTTPS
Game
P2P
mail
HTTP download
sFTP FTP
Game
VoIP skype
Video Conference
VPN MSN
mail
HTTP download
sFTP FTP
P2P
03-138
8
Mikrotik Indonesia http://www.mikrotik.co.id
6-Mar-12
How to mark?
Group
P2P_services
Priority
8
Service
P2P
Mails
Download
services
7
HTTP downloads
FTP
SFTP
DNS
Ensign
services
User requests
Communication
services
03-139
ICMP
HTTPS
Telnet
SSH
HTTP requests
Online game servers
VoIP
Skype
Video Conference
VPN
MSN
Protocol
Dst-Port
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
UDP
ICMP
TCP
TCP
TCP
TCP
110
995
143
993
25
80
20
21
22
53
53
443
23
22
80
Other Conditions
p2p=all-p2p
Connection-bytes=500000-0
Packet-size=1400-1500
Packet-size=0-1400
Connection-bytes=0-500000
dst-address-list of server
6-Mar-12
03-140
6-Mar-12
Firewall Filter
03-141
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-142
6-Mar-12
03-143
DROP virus
DROP spam server
DROP virus
DROP
DROP
DROP
DROP
DROP
DROP
DROP
ACCEPT ALL
6-Mar-12
03-144
ACCEPT HTTP
ACCEPT POP3
ACCEPT SMTP
ACCEPT IM
ACCEPT IRC
ACCEPT FTP
ACCEPT SSH
ACCEPT TELNET
ACCEPT ..
ACCEPT ..
DROP THE OTHER
6-Mar-12
RouterOS v3 Services
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
03-145
PORT
20
21
22
23
53
80
179
443
646
1080
1723
1968
2000
2210
2211
2828
3128
8291
8728
-------
PROTOCOL
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
/1
/2
/4
DESCRIPTION
FTP
FTP
SSH, SFTP
Telnet
DNS
HTTP
BGP
SHTTP (Hotspot)
LDP (MPLS)
SoCKS (Hotspot)
PPTP
MME
Bandwidth Server
Dude Server
Dude Server
uPnP
Web Proxy
Winbox
API
ICMP
IGMP (Multicast)
IPIP
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
PORT
53
123
161
500
520
521
646
1698
1699
1701
1812
1813
1900
1966
5678
---------------
PROTOCOL
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
udp
/46
/47
/50
/51
/89
/103
/112
DESCRIPTION
DNS
NTP
SNMP
IPSec
RIP
RIP
LDP (MPLS)
RSVP (MPLS)
RSVP (MPLS)
L2TP
User-Manager
User-Manager
uPnP
MME
Neighbor Discovery
RSVP (MPLS)
PPRP, EoIP
IPSec
IPSec
OSPF
PIM (Multicast)
VRRP
6-Mar-12
Bogon IP Address
03-146
6-Mar-12
Address List
03-147
6-Mar-12
[LAB-2] IP Filtering
03-148
6-Mar-12
03-149
-------------------------------------------------------jump
---------------------------------------------
Forward
TCP Chain
1
2
3
4
5
6
7
8
9
----------------------------------------------------------------------------------------return
1
2
3
4
5
6
7
8
9
10
-------------------------------------------------------jump
---------------------------------------------
6-Mar-12
03-150
6-Mar-12
03-151
6-Mar-12
Chain input
l
l
Chain forward
l
l
Chain output
l
l
03-152
6-Mar-12
03-153
6-Mar-12
03-154
6-Mar-12
03-155
6-Mar-12
03-156
6-Mar-12
connection-byte
l
03-157
6-Mar-12
03-158
6-Mar-12
icmp-type
l
03-159
6-Mar-12
connection-limit
l
03-160
6-Mar-12
03-161
6-Mar-12
IDM Detection
03-162
6-Mar-12
limit
l
03-163
6-Mar-12
03-164
6-Mar-12
dst-limit
l
expire :
03-165
6-Mar-12
src/dst-address-type:
l
l
l
l
03-166
6-Mar-12
03-167
6-Mar-12
NAT
03-168
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
03-169
6-Mar-12
Chain srcnat
masquerade
l
03-170
6-Mar-12
Chain dstnat
redirect
l
03-171
6-Mar-12
NAT netmap
03-172
Local Network
192.168.1.0/24
6-Mar-12
NAT - same
03-173
Local Network
192.168.1.0/24
6-Mar-12
03-174
direct
melalui proxy : HIT
melalui proxy : MISS
6-Mar-12
SRC-NAT
TCP 80
Internet
PROXY
1 Direct
03-175
2 MISS
Mikrotik Indonesia http://www.mikrotik.co.id
3 HIT
6-Mar-12
03-176
6-Mar-12
Pengenalan HIT
03-177
6-Mar-12
Setting Mangle
0 chain=prerouting action=mark-connection newconnection-mark=conn-client passthrough=yes ininterface=ether1
1 chain=prerouting action=mark-packet new-packetmark=packet-client passthrough=no connectionmark=conn-client
2 chain=output action=mark-packet new-packetmark=packet-hit passthrough=no out-interface=ether1
connection-mark=conn-client dscp=4
3 chain=output action=mark-packet new-packetmark=packet-client passthrough=no outinterface=ether1 connection-mark=conn-client dscp=!4
03-178
6-Mar-12
03-179
6-Mar-12
SRC-NAT
TCP 80
Internet
INTERNASIONAL
1
6
PROXY
5
IIX
Internet
4
3
1. Direct IIX
4. HIT IIX
03-180
2. Direct Internasional
5. MISS Internasional
3. MISS IIX
6 HIT Internasional
6-Mar-12
03-181
6-Mar-12
03-182
6-Mar-12
Import
03-183
6-Mar-12
Address-List
03-184
6-Mar-12
Mangle 1
03-185
6-Mar-12
Mangle 2
03-186
6-Mar-12
NAT
0 chain=srcnat action=masquerade outinterface=wlan1
1 chain=srcnat action=masquerade outinterface=wlan2
2 chain=dstnat action=redirect to-ports=8080
protocol=tcp in-interface=ether1 dst-port=80
03-187
6-Mar-12
Route
0 dst-address=0.0.0.0/0 gateway=10.20.20.100
distance=1 scope=30 routing-mark=route-iix
1 dst-address=0.0.0.0/0 gateway=10.10.10.100
distance=1 scope=30
03-188
6-Mar-12
Policy Routing
10.10.20.100
wlan2
03-189
6-Mar-12
Test!
03-190
6-Mar-12
L7 Filter
Certified Mikrotik Training - Advanced Class (MTCTCE)
Organized by: Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
Outline
04-192
6-Mar-12
Traffic Clasifier
04-193
6-Mar-12
ToS
04-194
TCP / UDP
Packet
Protocol
Src Addr
Dst Addr
Src
Port
Dst
Port
DATA
6-Mar-12
L7 Requirement
04-195
6-Mar-12
Layer 7 Protocol
04-196
6-Mar-12
Regular Expression
04-197
6-Mar-12
04-198
6-Mar-12
RegEx Usefull
04-199
6-Mar-12
RegEx How To
04-200
6-Mar-12
RegEx - Example
SSH :
l
FTP :
l
^220[\x09-\x0d -~]*ftp
Yahoo :
l
04-201
^ssh-[12]\.[0-9]
^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
6-Mar-12
04-202
http://protocolinfo.org/wiki/Main_Page
http://l7-filter.sourceforge.net/protocols
www.mikrotik.com/download/l7-protos.rsc
6-Mar-12
L7 RegEx on Mikrotik
04-203
6-Mar-12
04-204
6-Mar-12
04-205
6-Mar-12
04-206
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d
-~]*(content-type: video)
6-Mar-12
L7 - Video Mangle
04-207
6-Mar-12
L7 - Video Queue
04-208
6-Mar-12
L7 - Conclusion
Keuntungan :
l
l
l
Konsekuensi :
l
04-209
6-Mar-12
QoS
Certified Mikrotik Training - Advanced Class (MTCTCE)
Organized by: Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
Materi QoS
05-211
6-Mar-12
Quality of Service
05-212
6-Mar-12
Queue Disciplines
Scheduler queues
Shaper queues
05-213
6-Mar-12
Shaper
Mbps
2
10
15
20
detik
kelebihan data-rate
akan didrop
5
05-214
10
15
20
detik
6-Mar-12
Scheduler
Mbps
2
10
15
20
detik
kelebihan data-rate
akan di antri
5
05-215
10
15
20
detik
6-Mar-12
Queue Kinds
Scheduler queues:
l
l
l
l
l
Shaper queues:
l
l
05-216
6-Mar-12
Queue Kinds
05-217
6-Mar-12
transmit queues.
05-218
6-Mar-12
Skema FIFO
Flow 1
Flow 2
Flow 3
Flow 4
Jika penuh
akan di drop
05-219
6-Mar-12
05-220
RED tidak melimit kecepatan, tetapi bila buffer sudah penuh, maka
secara tidak langsung akan menyeimbangkan data rate setiap user.
Saat ukuran queue rata-rata mencapai min-threshold, RED secara
random akan memilih paket data untuk di drop
Saat ukuran queue rata-rata mencapai max-threshold, paket data
akan di drop
Jika ukuran queue sebenarnya (bukan rata-ratanya) jauh lebih
besar dari red-max-threshold, maka semua paket yang melebihi
red-limit akan didrop.
RED digunakan jika kita memiliki trafik yang congested. Sangat
sesuai untuk trafik TCP, tetapi kurang baik digunakan untuk trafik
UDP.
6-Mar-12
Logika RED
Antrian
Paket
A < MinThreshold
Hitung
Rata-rata
Panjang
Queue
(A)
rendah
A > MinThreshold
A < MaxThreshold
Kalkulasi
Kemungkinan
Drop
tinggi
A > MaxThreshold
05-221
Drop
Paket
6-Mar-12
Skema RED
Flow 1
ke
interface
Flow 2
Flow 3
Flow 4
Secara random
akan di drop
05-222
6-Mar-12
05-223
6-Mar-12
Skema SFQ
Flow 1
ke
interface
Flow 2
Flow 3
Flow 4
Algoritma
Hashing
05-224
sub-queue
Algoritma
Round
Robin
6-Mar-12
05-225
6-Mar-12
Setting PCQ
05-226
6-Mar-12
Skema PCQ
pcq-clasifier
src-address
sub-queue
Algoritma
Round
Robin
SRC-ADDRESS=10.0.0.1
SRC-ADDRESS=10.0.0.2
Flow 1
Flow 2
Flow 3
SRC-ADDRESS=10.0.0.3
SRC-ADDRESS=10.0.0.4
ke
interface
SRC-ADDRESS=10.0.0.5
Flow 4
SRC-ADDRESS=10.0.0.6
SRC-ADDRESS=10.0.0.7
05-227
6-Mar-12
Pcq-rate=128000
2 users
4 users
128k
queue=pcq-down
max-limit=512k
128k
73k
73k
73k
73k
128k
128k
05-228
7 users
128k
128k
73k
73k
73k
6-Mar-12
Pcq-rate=0
1 user
2 users
7 users
73k
256k
73k
73k
queue=pcq-down
max-limit=512k
512k
73k
73k
256k
73k
73k
05-229
6-Mar-12
Burst
05-230
6-Mar-12
Rate(kbps)
512
Burst-limit
Average Rate
384
256
Max-limit
192
Burst-Threshold
128
Limit-at
05-231
10
15
20
time(s)
6-Mar-12
05-232
6-Mar-12
05-233
6-Mar-12
PCQ - Burst
05-234
6-Mar-12
PCQ - Burst
05-235
6-Mar-12
05-236
6-Mar-12
Posisi Queue
Interface
Virtual:
05-237
Global In
Global Out
Global Total
6-Mar-12
PRE
ROUTING
ROUTING
DECISION
MANGLE
FORWARD
OUTPUT
FILTER
FORWARD
POST
ROUTING
QUEUE
GLOBAL-IN
ROUTING
ADJUSTMENT
MANGLE
POSTROUTING
DST-NAT
FILTER
OUTPUT
QUEUE
GLOBAL-OUT
INPUT
MANGLE
PREROUTING
MANGLE
INPUT
MANGLE
OUTPUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
05-238
6-Mar-12
Penggunaan Mangle
05-239
6-Mar-12
05-240
6-Mar-12
Level1
Level2
POP3
Flow 1
ke
interface
HTTP
Flow 2
HTTP
&FTP
Flow 3
Flow 4
LOCAL
FTP
FILTER
05-241
6-Mar-12
HTB States
hijau
l
l
kuning
l
Posisi di mana data-rate lebih besar dari limit-at, namun lebih kecil dari maxlimit.
Diijinkan atau tidaknya penambahan trafik bergantung pada :
merah
l
l
05-242
posisi parent, jika prioritas class sama dengan parentnya dan parentnya dalam
posisi kuning
posisi class itu sendiri, jika parent sudah berstatus kuning.
6-Mar-12
Staged Limitation
05-243
6-Mar-12
Struktur HTB
05-244
6-Mar-12
05-245
6-Mar-12
Contoh :
l
l
l
l
05-246
6-Mar-12
Tips
05-247
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Name: C
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
2mbps
2mbps
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Name: C
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
2mbps
2mbps
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Priority: 1
Name: C
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Priority: 8
3mbps
2mbps
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
2mbps
Name: C1
Parent: C
Limit-at: 2mbps
Max-limit: 4mbps
Name: C2
Parent: C
Limit-at: 2mbps
Max-limit: 4mbps
2mbps
2mbps
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
2mbps
Name: C1
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
2mbps
Name: C2
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
2mbps
C1 dan C2 bisa naik hingga max-limit, karena parentnya (C) memiliki limit-at
hingga 4mbps.
05-252
6-Mar-12
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Priority: 1
Name: C1
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 4
Name: C2
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
4mbps
2mbps
2mbps
Pada saat semua limit-at sudah tercapai, sisa kapasitas akan dibagikan
berdasarkan prioritas.
05-253
6-Mar-12
Name: C1
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 4
Name: C2
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
2mbps
2mbps
6-Mar-12
4mbps
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Name: B1
Parent: B
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
2mbps
Name: C
Parent: A
Limit-at: 4mbps
Max-limit: 6mbps
Name: B2
Parent: B
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
2mbps
Name: C1
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
Name: C2
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
2mbps
2mbps
Name: C3
Parent: C
Limit-at: 2mbps
Max-limit: 3mbps
Priority: 8
2mbps
6-Mar-12
2mbps
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Priority: 1
Name: B1
Parent: B
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 5
1mbps
Name: C
Parent: A
Limit-at: 3mbps
Max-limit: 6mbps
Priority: 8
Name: B2
Parent: B
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 6
1mbps
Name: C1
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 2
Name: C2
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 3
2mbps
Name: C3
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 4
2mbps
2mbps
C1, C2, C3 mendapatkan 2mbps karena priority-nya lebih tinggi dari B1 dan B2
05-256
6-Mar-12
2mbps
4mbps
Name: C
Parent: A
Limit-at: 3mbps
Max-limit: 6mbps
Priority: 1
Name: B2
Parent: B
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 6
2mbps
Name: C1
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 2
Name: C2
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 3
2mbps
1mbps
Name: C3
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 4
1mbps
6-Mar-12
3,2mbps
Name: B
Parent: A
Limit-at: 2mbps
Max-limit: 4mbps
Priority: 1
Name: B1
Parent: B
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 8
1,6mbps
Name: C
Parent: A
Limit-at: 3mbps
Max-limit: 6mbps
Priority: 8
Name: B2
Parent: B
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 8
1,6mbps
Name: C1
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 8
Name: C2
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 8
1,6mbps
1,6mbps
Name: C3
Parent: C
Limit-at: 1mbps
Max-limit: 2mbps
Priority: 8
1,6mbps
6-Mar-12
05-259
6-Mar-12
Simple Queue
6-Mar-12
Simple Queue
05-261
6-Mar-12
Target Address
05-262
6-Mar-12
Interface
05-263
6-Mar-12
05-264
6-Mar-12
SRC-NAT
TCP 80
Internet
INTERNASIONAL
1
6
PROXY
5
IIX
Internet
4
3
1 Direct IIX
2 Direct Intl
05-265
3 MISS IIX
4 HIT IIX
Mikrotik Indonesia http://www.mikrotik.co.id
5 MISS Intl
6 HIT Intl
6-Mar-12
Simple Queue
05-266
6-Mar-12
Simple Queue
0
05-267
6-Mar-12
Queue Tree
05-268
6-Mar-12
05-269
6-Mar-12
ROUTING
Mangle Client
(3)
DECISION
PRE
ROUTING
QUEUE
GLOBAL-IN
FILTER
FORWARD
OUTPUT
DST-NAT
INPUT
MANGLE
PREROUTING
MANGLE
FORWARD
FILTER
OUTPUT
ROUTING
OueueADJUSTMENT
Client
(4)
MANGLE
MANGLE
Mangle
Prioritas
(1)
INPUT
OUTPUT
POST
ROUTING
MANGLE
POSTROUTING
QUEUE
GLOBAL-OUT
SRC-NAT
CONNECTION
TRACKING
FILTER
INPUT
CONNECTION
TRACKING
HTB
INTERFACE
INPUT
INTERFACE
LOCAL
PROCESS
ROUTING
DECISION
OUTPUT
INTERFACE
05-270
6-Mar-12
Mangle Client - 1
05-271
6-Mar-12
Mangle Client - 2
05-272
6-Mar-12
Mangle Client - 3
05-273
6-Mar-12
Queue-tree
05-274
6-Mar-12
Traffic Control
(LAB Session)
Certified Mikrotik Training - Advanced Class (MTCTCE)
Organized by: Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
KONSEP
00-276
3/6/12
Network Topology
ISP 1
SSID: training
Wlan1
R1
ISP 2
SSID: training2
Wlan2
Ether 3
Ether 2
R3
R2
Ether 2
Ether 3
AP Wlan2
Wlan2
LAN
00-277
Ether 2
R4
Keterangan :
R1 Router Backbone
R2 Router BM
R3 Router Proxy
R4 Router Distribusi
3/6/12
R1 Router Backbone
ISP 1
SSID: training2
ISP 2
SSID: training
Wlan1
10.10.10.X/24
Ether 3
10.Y.1.1/24
10.20.20.X/24
Wlan2
R1
10.Y.1.2/24
Ether 2
R2
00-278
3/6/12
R2 Router BM
R1
Ether 3
10.Y.1.2/24 Ether 2
R3
10.Y.2.1/24
Ether 3
R2
Ether 2
10.Y.2.2/24
AP Wlan2
10.Y.3.1/24
SSID: kelompokY
Wlan2
10.Y.3.2/24
R4
00-279
3/6/12
R3 Router Proxy
R3
10.Y.2.1/24
Ether 3
Ether 2
10.Y.2.2/24
00-280
Ether 2
R2
3/6/12
R4 Router Distribusi
R2
SSID: kelompokY
AP Wlan2
10.Y.3.2/24
Wlan2
Router R4 adalah
sebagai Router Distribusi.
Konfigurasi bandwith
merata di semua client
berdasarkan protocol :
l
172.16.Y.0/24
l
l
LAN
00-281
Ether 2
172.16.Y.1/24
R4
TCP
UDP
ICMP
3/6/12
Selamat
Mengerjakan !
info@mikrotik.co.id
Diijinkan menggunakan sebagian atau seluruh materi pada modul ini, baik
berupa ide, foto, tulisan, konfigurasi, diagram, selama untuk
kepentingan pengajaran, dan memberikan kredit dan link ke
www.mikrotik.co.id