
SETTING MIKROTIK

Di sini saya berikan sedikit command setting untuk firewall, pengaturan Gateway, DHCP_server,
Filter Rules anti virus, anti DDOS, anti netcut dan anti porno, penggunaan mangle dan Queue
tree. Tutorial ini langsung saya arahkan untuk menangani bandwidth limiter dengan pola pcq-
download dan upload. Hasilnya akan terlihat seperti ini :

Limit di atas bisa anda ubah-ubah sesuai bandwidth internet anda, caranya langsung klik 2x pada
limiter di queue tree-nya. Oke, langsung aja....

# Bandwidth management by jinho.diaz with mikrotik RouterOs v. 5.18


# firewall sangat kuat, susah ditembus
# Script ini dapat berfungsi dengan baik pada mikrotik RouterOS versi 5.18 keatas
# Script ini tidak disarankan untuk mikrotik dengan speed processor dibawah 680 Mhz dan memory kurang dari 128 MB
# WAN terdapat pada interface ether1-gateway mengarah ke speedy dengan gateway 192.168.1.1
# Lan terdapat pada interface ether2-local-master dengan gateway 192.168.2.254 mengarah ke client
# mengandung anti netcut, anti porno, anti proxy luar negeri, anti hotspot shield
# mengandung anti vpn luar negeri, anti ultrasurf, anti freedom, anti scan winbox oleh user
# mengandung anti virus, anti ARP, nuke dan anti brute force attack
# limit IDM dan downloader sejenis, limit youtube dan streaming
# limit server akamai yang dapat anda atur sendiri pada queue tree
# script ini tidak menggunakan proxy internal, tetapi anda dapat menambahkannya sendiri
# pastikan anda didampingi oleh staff yang ahli untuk menghindari kesalahan penggunaan script.
# script ini dapat langsung anda pastekan satu persatu atau sekaligus pada new terminal consol winbox
# dengan tanpa membuang tanda pagar (#)

# beri nama pada interface ethernet anda


/interface ethernet
# NOTE(review): "set 0" / "set 1" address the ports by list position, so
# this assumes ether1 is item 0 and ether2 is item 1 on the target router;
# where available, "set [ find default-name=ether1 ] name=..." does not
# depend on ordering.
# Neither port is given arp=reply-only here, so the add-arp=yes on the DHCP
# servers below only records lease addresses in the ARP table and does not
# by itself stop ARP spoofing on the LAN.
set 0 name=ether1-gateway
set 1 name=ether2-local-master

# tandai setiap paket masuk dengan layer7-protocol


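/ip firewall layer7-protocol
# Layer-7 signatures used by the mangle rules below (layer7-protocol=...).
# They only inspect cleartext payload: TLS-encrypted flows never match, so
# the marks they drive cover plain HTTP and raw protocols only.  In a
# RouterOS string "\\" becomes a single "\" in the resulting regexp.
# "download": file extensions in a request URL ("xlxs" corrected to "xlsx").
add name=download regexp="\\.(exe|rar|zip|7z|cab|asf|pdf|wav|mp3|ram|msu|msi|n\
up|vdf|rmvb|daa|iso|nrg|bin|vcd|mp2|qt|raw|ogg|doc|xls|ppt|xlsx|mov|wmv|mp\
g|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|mpe|wma|docx|pptx|deb|flv2|tar|bzip|gzip\
|webm|gzip2).*\$"
# "google" is really a generic browsing bucket (search engines, blogs,
# webmail, Indonesian TLDs, twitter); the name is narrower than the match.
add name=google regexp="google.com|google.co.id|yahoo.com|yahoo.co.id|yahoo|go\
ogle|bing|msn|wordpress|blogspot|blogger|web.id|co.id|net.id|go.id|hotmail\
|twitter"
add name=youtube regexp=o-o|youtube.com|webm
# "http-video": ".tv" is escaped so it matches the literal TLD rather than
# any character followed by "tv"; the duplicate "video" alternative is gone.
# NOTE(review): ".0" still matches any character followed by a zero, which
# appears in nearly every HTTP exchange, so this signature over-matches and
# can pull ordinary traffic into the "MIVO TV" queue - confirm what ".0" and
# "0\\.9" were meant to catch, then tighten or remove them.
add name=http-video regexp="mivo.tv|mivotv|imediabiz|imedia|porn|video|stream|\
movie|live|0\\.9|\\.tv|.0|mov|wmv|mpg|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|\
mpe|wma|xhamster|xnxx|fuck|flv2|indostar-tv|nontontv.tv"
# "bittorent": "\13" is the RouterOS hex escape for the 0x13 length byte of
# the BitTorrent handshake.  NOTE(review): the last alternative looks
# truncated compared with the usual l7-filter bittorrent signature - verify
# against a known-good copy before relying on it.
add name=bittorent regexp="^(\13bittorrent protocol|azver1\$|get /scrape\\\?in\
fo_hash=)|d1:ad2:id20:|87P\\)[RP]"
# "torrent-wws" / "torrent-www": tracker and site names in HTTP payload.
# They overlap heavily; the mangle rules decide which mark a flow gets.
add name=torrent-wws regexp="^.*(get|GET).+(torrent|info_hash|thepiratebay|iso\
hunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitn\
ova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=torrent-www regexp="^.+(torrent|thepiratebay|isohunt|entertane|demono\
id|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|\
fulldls|btbot|fenopy|gpirate|commonbits).*\$"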

# menentukan ip range untuk user


/ip pool
# NOTE(review): default-dhcp, dhcp_pool1 and dhcp_pool2 are three identical
# pools on the WAN-side subnet.  Their range starts at 192.168.1.1 - the
# upstream gateway used by /ip route below - and also contains the router's
# own 192.168.1.6 from /ip address, so a DHCP server bound to them could
# hand out those addresses.  Only dhcp_pool1 and dhcp_pool3 are referenced
# by /ip dhcp-server.
add name=default-dhcp ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253
# LAN pool; .254 (the router's LAN address) is kept out of the range.
add name=dhcp_pool3 ranges=192.168.2.1-192.168.2.253

# tentukan DHCP-server
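/ip dhcp-server
# dhcp1 would serve addresses on ether1-gateway, i.e. the WAN side where the
# router is itself a DHCP client (/ip dhcp-client below) and where the ISP
# gateway 192.168.1.1 lives.  A second DHCP server on that segment competes
# with the upstream one and can hand the gateway's own address to other
# hosts, so it is kept here but disabled; remove it once the setup is
# confirmed.
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
bootp-support=static disabled=yes interface=ether1-gateway lease-time=1d \
name=dhcp1
# LAN DHCP server.  add-arp=yes writes a static ARP entry per lease; it only
# prevents ARP spoofing once ether2-local-master is set to arp=reply-only,
# which this script does not do.
add add-arp=yes address-pool=dhcp_pool3 authoritative=after-2sec-delay \
bootp-support=static disabled=no interface=ether2-local-master \
lease-time=1d name=dhcp_server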

# atur bandwidth management


/queue tree
# Top-level HTB parents.  global-in is traffic entering the router
# (downloads towards the LAN), global-out traffic leaving it, global-total
# both directions.  The children carrying the real packet marks are added
# in the second /queue tree section below; max-limit is the knob the
# introduction tells the reader to tune.  limit-at=0 means no guaranteed
# share; burst-*=0 disables bursting.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=384k name=3.DOWNLOAD packet-mark="" parent=global-in priority=8
# NOTE(review): packet-mark=users is also matched by 7.Chat further down,
# under the same parent global-in; a packet should end up in only one leaf
# per HTB, so confirm which of the two is meant to catch generic user
# traffic.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.Limited packet-mark=users parent=3.DOWNLOAD \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1792k name=1.BROWSING packet-mark="" parent=global-out \
priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=512k name=6.TUBE-TV packet-mark=users parent=global-out \
priority=8
# max-limit=0 on a parent means unlimited; KONEKSI only groups the two
# ping children defined below it.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.KONEKSI packet-mark="" parent=global-total priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=768k name="4.LIVE VIDEO" packet-mark="" parent=global-in \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=5.GAME packet-mark="" parent=global-out priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=768k name=7.Chat packet-mark=users parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=768k name="8. Bittorent" packet-mark=packet-bittorent parent=\
global-out priority=8

# tentukan jenis limit untuk queue tree


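/queue type
# Built-in types are addressed by name instead of by list position: the
# original "set 0".."set 4" and "set 14".."set 16" only line up with these
# names if the target router lists its queue types in exactly the same
# order, which is not guaranteed once the "add" lines below have run on a
# different box.
set [ find name=default ] kind=pfifo pfifo-limit=50
set [ find name=ethernet-default ] kind=pfifo pfifo-limit=50
set [ find name=wireless-default ] kind=sfq sfq-allot=1514 sfq-perturb=5
set [ find name=synchronous-default ] kind=red red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set [ find name=hotspot-default ] kind=sfq sfq-allot=1514 sfq-perturb=5
# PCQ types used by the /queue tree children.  pcq-rate=0 means no
# per-stream cap (only the parent's max-limit is shared); a non-zero
# pcq-rate caps each classified address individually.  pcq-burst-rate=0
# disables bursting, so the differing pcq-burst-time values are inert.
# PCQ_download and pcq-download2 are identical; PCQ_upload and pcq-upload
# differ only in the inert burst-time.
add kind=pcq name=PCQ_download pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=PCQ_upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-download2 pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
# Short FIFO for ICMP/DNS so latency-sensitive packets are not queued deep.
add kind=pfifo name=PING pfifo-limit=64
# DOWN: 768k per destination address+port pair (used for the youtube leaf).
add kind=pcq name=DOWN pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=\
10s pcq-classifier=dst-address,dst-port pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=768k \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
# torrent: 128k per destination address for every torrent leaf.
add kind=pcq name=torrent pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=128k \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
# akamai / limit: 384k per address; "limit" is not referenced by any queue
# on this page.
add kind=pcq name=akamai pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=\
32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=limit pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=\
32 pcq-src-address6-mask=64 pcq-total-limit=2000
set [ find name=only-hardware-queue ] kind=none
set [ find name=multi-queue-ethernet-default ] kind=mq-pfifo mq-pfifo-limit=50
set [ find name=default-small ] kind=pfifo pfifo-limit=10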

# pengaturan bandwidth management untuk limit ekstensi


/queue tree
# Leaf queues: each matches one packet mark set in /ip firewall mangle and
# uses one of the PCQ types above to share its parent's bandwidth per
# address.  pcq-download* / DOWN / torrent / akamai classify by
# dst-address, pcq-upload by src-address.  NOTE(review): the leaves under
# the global-out parents (1.1.http brows, 6.2.Mivo.TV, 7.1. Camfrog) use
# pcq-upload while 6.1.Tube Stream uses pcq-download2 - confirm each
# classifier matches the direction that queue is meant to share fairly.
# Game leaves under 5.GAME (1M, priority 3); queue=default is plain pfifo.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=5.1.Game-Online packet-mark=online parent=5.GAME \
priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="5.2.Game FB" packet-mark=gamefb parent=5.GAME priority=\
2 queue=default
# Cache hits and IDM-style downloads share the 384k 3.DOWNLOAD parent.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.2.Hit packet-mark=hit parent=3.1.Limited priority=8 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.1.IDM packet-mark=idm parent=3.1.Limited priority=8 \
queue=default
# youtube: the DOWN type caps each destination address+port at 768k.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=4.1.youtube packet-mark=stream-idm parent="4.LIVE VIDEO" \
priority=8 queue=DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1536k name="1.1.http brows" packet-mark=google parent=\
1.BROWSING priority=3 queue=pcq-upload
# ICMP and DNS packets (DSCP 1 from mangle) get the short PING fifo at the
# highest priority so latency stays low under load.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.1.ping-out packet-mark="paket ip" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.2.ping-in packet-mark="paket dp" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="6.1.Tube Stream" packet-mark=users parent=6.TUBE-TV \
priority=8 queue=pcq-download2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=6.2.Mivo.TV packet-mark=paket-mtc parent=6.TUBE-TV \
priority=8 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="7.1. Camfrog" packet-mark=camfrog parent=7.Chat \
priority=8 queue=pcq-upload
# Four torrent leaves (l7 wws/www, all-p2p, fixed source ports) share the
# 768k "8. Bittorent" parent at 128k per destination address.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=wws packet-mark=packet-wws parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=www packet-mark=packet-www parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=port packet-mark=packet-port parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=allp2p packet-mark=packet-allp2p parent="8. Bittorent" \
priority=8 queue=torrent
# akamai: 1M total, 384k per destination address (akamai PCQ type).
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=1.2.akamai packet-mark=akamai parent=1.BROWSING \
priority=8 queue=akamai

# menentukan ip address untuk tiap interface ethernet


/ip address
# LAN side; .254 is the router's address and the LAN gateway handed out by
# DHCP below.
add address=192.168.2.254/24 comment="default configuration" disabled=no \
interface=ether2-local-master network=192.168.2.0
# WAN side gets a static address here AND a DHCP client (/ip dhcp-client
# below); if the ISP lease differs from .6 the interface ends up with two
# addresses.  NOTE(review): keep one or the other.
add address=192.168.1.6/24 disabled=no interface=ether1-gateway network=\
192.168.1.0

# menentukan dhcp client


/ip dhcp-client
# Obtains the WAN address plus a default route (distance 1) from the ISP;
# use-peer-dns=yes imports the ISP's resolvers alongside the static servers
# in /ip dns, use-peer-ntp=yes likewise for NTP.  NOTE(review): /ip route
# below adds a second default route to 192.168.1.1 with the same distance -
# confirm which one is intended.
add add-default-route=yes comment="default configuration" \
default-route-distance=1 disabled=no interface=ether1-gateway \
use-peer-dns=yes use-peer-ntp=yes
# menentukan dhcp server untuk jaringan lokal, pastikan nanti user menggunakan ip obtain
/ip dhcp-server network
# Options handed to DHCP clients per subnet.  The 192.168.1.0/24 entry only
# matters for the WAN-side server dhcp1.  dns-server is left empty on both;
# check what clients actually receive - the dstnat redirect further down
# forces their port-53 traffic to the router regardless of the server they
# configure.
add address=192.168.1.0/24 dhcp-option="" dns-server="" gateway=192.168.1.1 \
ntp-server="" wins-server=""
add address=192.168.2.0/24 comment="default configuration" dhcp-option="" \
dns-server="" gateway=192.168.2.254 ntp-server="" wins-server=""

# menentukan dns yang digunakan


/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone able to
# reach UDP/TCP 53 on it.  The filter section accepts all UDP on input from
# every interface, so unless port 53 is dropped on ether1-gateway this is an
# open resolver towards the WAN (abusable for DNS reflection).  Upstream
# servers are hard-coded; use-peer-dns on the DHCP client adds dynamic ones.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=203.130.193.74,203.130.206.250

# menentukan dns static yang digunakan


/ip dns static
# Static record: the name "router" resolves to 208.67.222.222, a public
# address, not to this router's own 192.168.2.254.  NOTE(review): confirm
# this is intended; a host named "router" that points off-site is
# surprising to anyone debugging the LAN.
add address=208.67.222.222 disabled=no name=router ttl=1d

# menentukan ip address yang dilarang masuk, ini akan otomatis bertambah setiap diakses sebuah situs yang dilarang
/ip firewall address-list
# Static lists consumed by the filter and mangle rules.  UltraSurfServers
# and your-freedom are DESTINATIONS: the mangle rules below turn a LAN host
# that contacts them into a 5-minute entry in UltraSurfUsers /
# yourfreedomuser, which the forward chain then drops.  Blokir is dropped
# directly as a destination.  Hard-coded addresses like these age quickly;
# re-verify them before reuse.  The lists proxys, anonymox, akamai, IP and
# knock are referenced later but not populated anywhere on this page.
add address=65.49.0.0/17 disabled=no list=UltraSurfServers
add address=204.107.140.0/24 disabled=no list=UltraSurfServers
add address=94.231.80.100 disabled=no list=your-freedom
add address=85.214.22.104 disabled=no list=your-freedom
add address=94.126.16.7 disabled=no list=your-freedom
add address=85.214.151.156 disabled=no list=your-freedom
add address=85.214.149.36 disabled=no list=your-freedom
add address=85.214.45.166 disabled=no list=your-freedom
add address=85.214.149.43 disabled=no list=your-freedom
add address=83.170.96.78 disabled=no list=your-freedom
add address=193.37.152.232 disabled=no list=your-freedom
add address=80.74.137.161 disabled=no list=your-freedom
add address=193.164.133.62 disabled=no list=your-freedom
add address=95.143.192.144 disabled=no list=your-freedom
add address=208.53.158.27 disabled=no list=your-freedom
add address=85.214.149.35 disabled=no list=your-freedom
add address=76.73.125.131 disabled=no list=your-freedom
add address=77.92.78.225 disabled=no list=your-freedom
add address=81.169.130.185 disabled=no list=your-freedom
add address=217.150.244.92 disabled=no list=your-freedom
add address=83.170.105.81 disabled=no list=your-freedom
add address=123.108.109.9 disabled=no list=your-freedom
add address=85.214.143.29 disabled=no list=your-freedom
add address=85.214.116.165 disabled=no list=your-freedom
add address=67.212.67.75 disabled=no list=your-freedom
add address=67.159.5.116 disabled=no list=your-freedom
add address=202.160.120.226 disabled=no list=your-freedom
# "Blokir" (block): destination networks dropped outright in forward.
add address=184.154.54.0/24 disabled=no list=Blokir
add address=217.114.211.0/24 disabled=no list=Blokir
add address=173.213.96.0/24 disabled=no list=Blokir
add address=193.200.150.0/24 disabled=no list=Blokir
add address=74.50.123.0/24 disabled=no list=Blokir
add address=85.17.200.0/24 disabled=no list=Blokir
add address=199.59.163.0/24 disabled=no list=Blokir
add address=176.9.204.0/24 disabled=no list=Blokir
add address=204.45.137.0/24 disabled=no list=Blokir

# menentukan filter untuk setiap lalu lintas internet


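/ip firewall filter
# Rule order matters: RouterOS evaluates a chain top to bottom and, when
# nothing matches, ACCEPTS.  There is no terminal drop in the input chain
# here, so the many "accept" rules below do not restrict anything by
# themselves; only the explicit "drop" rules block.  NOTE(review): once the
# services that must be reachable from the WAN are confirmed, a final
# "add action=drop chain=input in-interface=ether1-gateway" would turn the
# accepts into a real allow-list - test from the LAN first to avoid
# locking yourself out.  Lists proxys / anonymox are not defined on this
# page (presumably filled by the anonymox and proxy scheduler scripts).
add action=drop chain=forward comment="Drop Proxy luar negeri" disabled=no \
dst-address-list=proxys protocol=tcp
add action=drop chain=forward disabled=no dst-address-list=proxys protocol=\
udp
add action=drop chain=forward comment="Drop anonymox" disabled=no \
dst-address-list=anonymox protocol=tcp
add action=drop chain=forward disabled=no dst-address-list=anonymox protocol=\
udp
add action=drop chain=forward comment="Drop VPN Luar Negeri" disabled=no \
dst-address-list=Blokir protocol=tcp
add action=drop chain=forward disabled=no dst-address-list=Blokir protocol=\
udp
# Port-based blocks for specific tunnelling tools.  Fixed port lists go
# stale and can collide with unrelated services (1935 is also RTMP
# streaming), so review them periodically.
add action=drop chain=forward comment="Drop Hotspotshield" disabled=no \
dst-port=5345,5938,5245,3398,3451,5265,1755,5050,5396 protocol=tcp
add action=drop chain=forward disabled=no dst-port=\
5345,5938,5245,3398,3451,5265,1755,5050,5396 protocol=udp
add action=drop chain=forward disabled=no dst-port=\
10000-10010,9000,3211,15000-15010,1935,5231,800,989 protocol=tcp
add action=drop chain=forward disabled=no dst-port=\
10000-10010,9000,3211,15000-15010,1935,5231,800,989 protocol=udp
# UltraSurfUsers / yourfreedomuser are filled (5 minute timeout) by the
# mangle rules further down when a LAN host contacts a listed server.
add action=drop chain=forward comment="Block UltraSurf" disabled=no protocol=\
tcp src-address-list=UltraSurfUsers
add action=drop chain=forward comment="Block Your-Freedom" disabled=no \
protocol=tcp src-address-list=yourfreedomuser
# SSH brute-force staging: a source that keeps opening new SSH connections
# within a minute of each other climbs stage1 -> stage2 -> stage3 and is
# then blacklisted for 1w3d; the first rule drops blacklisted sources.
# This also applies to LAN hosts (only the router's own address is exempt).
add action=drop chain=input comment=\
"ANTI BRUTE FORCE - block ssh brute forcers" disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment=\
"add ssh brute forcers ip to blacklist" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage3" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage2" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage1" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address=!192.168.2.254
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# Despite its comment this rule only accepts Winbox (8291) from any source,
# WAN included; the scan / brute-force handling lives in the rules below.
add action=accept chain=input comment=\
"Virus Scan, BruteForce, DDOS & anti Netcut, jangan di non aktifkan" \
disabled=no dst-port=8291 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=no
# "virus" chain: well-known worm/backdoor ports, entered via the jump below
# for all forwarded traffic.  (The duplicate 2745 rule was removed.)
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=udp
add action=drop chain=virus disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
# The router answers DNS for anyone (/ip dns allow-remote-requests=yes) and
# the accept-all-UDP rule below admits queries from every interface.
# Without these two drops the WAN side is an open resolver that can be used
# for reflection / amplification.  LAN clients are unaffected: the dstnat
# redirect delivers their queries on ether2-local-master.
add action=drop chain=input comment="no DNS service towards WAN" disabled=no \
dst-port=53 in-interface=ether1-gateway protocol=udp
add action=drop chain=input disabled=no dst-port=53 in-interface=\
ether1-gateway protocol=tcp
# NOTE(review): this still exposes the NTP server (/system ntp server
# enabled=yes) and every other UDP service to the WAN; once a terminal
# drop exists, restrict it with in-interface=ether2-local-master.
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
# Management ports accepted from any source: FTP, SSH, Telnet, HTTP, Winbox,
# PPTP.  Telnet and FTP are cleartext; consider in-interface=
# ether2-local-master or a src-address-list of admin hosts on each.
# (Duplicate 23/80/1723 rules removed.)  The FTP drop must precede the FTP
# accept or it never matches; ftp_blacklist is filled by the output rule at
# the end of this section.
add action=drop chain=input comment="FTP brute force - drop" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
# NOTE(review): these two look like an unfinished port-knock sequence: the
# first adds to "DDOS" rather than "knock", so "knock" is never filled, and
# no rule on this page acts on "DDOS" - as written they are inert.
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \
chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m \
chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock
# Port-scan detection.  Only the list is filled; no rule drops
# src-address-list=port-scanners, so this is detection without response.
# Before adding such a drop note that the psd rule is evaluated for LAN
# hosts too (only the router's own address is excluded) and a 2w timeout
# could lock out an administrator.
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=port-scanner disabled=no \
protocol=tcp psd=21,3s,3,1 src-address=!192.168.2.254
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=SYN/FIN disabled=no protocol=\
tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=SYN/RST disabled=no protocol=\
tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=FIN/PSH/URG disabled=no \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=NMAP disabled=no protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# "ANTI-NETCUT": these are plain accepts of every TCP port on the router
# from nine public /24 ranges.  They neither detect nor prevent ARP-based
# netcut on the LAN; with no terminal drop they change nothing today, and
# with one they would whitelist those ranges.  NOTE(review): review or
# remove.
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
# FTP brute-force protection ("530 Login incorrect" is the FTP failure
# banner, not Winbox).  The original accept alone did nothing: it lets up to
# 9 failures per destination per minute pass and then stops matching.  The
# added rule catches the remaining failures and blacklists the destination
# for 3h; the input drop placed before the FTP accept above enforces it.
add action=accept chain=output comment="Login Failure Winbox Mikrotik" \
content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m \
protocol=tcp src-address=!192.168.2.254
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment="FTP brute force - blacklist" \
content="530 Login incorrect" disabled=no protocol=tcp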

# untuk menandai setiap paket data yang masuk pada lalu lintas internet
/ip firewall mangle
# Connection marks are set in prerouting (or forward) and then turned into
# the packet marks that the /queue tree leaves match on.  passthrough=yes
# lets later mangle rules also see the packet; passthrough=no ends mangle
# processing for it.  content= and layer7-protocol= matchers only see
# cleartext payload, so TLS traffic never receives these marks.
# src-address-list=!IP exempts members of an "IP" list that is not defined
# on this page (presumably hosts that must not be shaped).
# Tag LAN hosts that contact the proxy/tunnel servers (consumed by the
# forward drops in /ip firewall filter).
add action=add-src-to-address-list address-list=yourfreedomuser \
address-list-timeout=5m chain=prerouting comment="block user freedom" \
disabled=no dst-address-list=your-freedom protocol=tcp
add action=add-src-to-address-list address-list=UltraSurfUsers \
address-list-timeout=5m chain=prerouting comment=UltraSurfUsers disabled=\
no dst-address-list=UltraSurfServers protocol=tcp
# akamai: dst-address-list=akamai is not populated on this page
# (presumably by the "akamai" scheduler script).
add action=mark-connection chain=prerouting comment="limit akamai" disabled=\
no dst-address-list=akamai new-connection-mark=akamai passthrough=yes \
protocol=tcp src-address=!192.168.2.254
add action=mark-packet chain=prerouting connection-mark=akamai disabled=no \
new-packet-mark=akamai passthrough=no
# HIT: packets carrying DSCP 12 or an "X-Cache:HIT" header count as cache
# hits.  This script runs no proxy of its own, so these only fire if an
# upstream proxy sets those markers.
add action=mark-packet chain=postrouting comment=HIT disabled=no dscp=12 \
new-packet-mark=hit passthrough=no
add action=mark-packet chain=postrouting content=X-Cache:HIT disabled=no \
new-packet-mark=hit passthrough=no
# Online games by destination port -> GAMEONLINE -> packet mark "online".
add action=mark-connection chain=prerouting comment=GAME disabled=no \
dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
7341-7350,7451,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\
11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18901-18909,19\
000" new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port="1293,1479,61\
00-6152,7777-7977,8001,9401,9600-9602,12020-12080,30000,40000-40010" \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port=\
42051-42052,11100-11125,11440-11460 new-connection-mark=GAMEONLINE \
passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=GAMEONLINE disabled=\
no new-packet-mark=online passthrough=no
# Facebook games: any connection whose payload contains these host names -
# which includes ordinary cleartext Facebook browsing - becomes fb_game.
add action=mark-connection chain=prerouting content=facebook.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=fbcdn.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=facebook.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=zynga.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=\
static.ak.connect.facebook.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting content=\
statics.poker.static.zynga.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-port=9339,843 \
new-connection-mark=fb_game passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=fb_game disabled=no \
new-packet-mark=gamefb passthrough=no
# Everything else from the LAN (except the router itself and the IP list)
# -> users-con -> packet mark "users" (passthrough=yes so the more specific
# marks below can still override it).
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
users-con passthrough=yes src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=users-con disabled=no \
new-packet-mark=users passthrough=yes
# Layer-7 driven marks: file downloads (idm), generic browsing (google),
# youtube/webm streams (stream-idm).
add action=mark-connection chain=prerouting comment=IDM disabled=no \
layer7-protocol=download new-connection-mark=idm passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=idm disabled=no \
new-packet-mark=idm passthrough=no
add action=mark-connection chain=prerouting comment=Browsing disabled=no \
layer7-protocol=google new-connection-mark=google passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=google disabled=no \
new-packet-mark=google passthrough=no src-address=!192.168.2.254
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
youtube new-connection-mark=stream-idm passthrough=yes src-address=\
!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=stream-idm disabled=\
no new-packet-mark=stream-idm passthrough=no
# ICMP and DNS get their own packet marks plus DSCP 1, feeding the two
# PING leaves under 2.KONEKSI.
add action=mark-connection chain=prerouting comment=ICMP disabled=no \
new-connection-mark="paket ic" passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark="paket ic" disabled=\
no new-packet-mark="paket ip" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket ip" passthrough=yes
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=\
53 new-connection-mark="paket dc" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
new-connection-mark="paket dc" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="paket dc" disabled=\
no new-packet-mark="paket dp" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket dp" passthrough=yes
# MIVO TV via the http-video signature (see the over-match note on that
# layer7 entry - this mark may catch much more than TV streams).
add action=mark-connection chain=prerouting comment="MIVO TV" disabled=no \
layer7-protocol=http-video new-connection-mark=paket-mtc passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=paket-mtc disabled=no \
new-packet-mark=paket-mtc passthrough=no
add action=mark-connection chain=prerouting comment=Camfrog disabled=no \
dst-port=2779,6667 new-connection-mark=camfrog passthrough=yes protocol=\
tcp
add action=mark-packet chain=prerouting connection-mark=camfrog disabled=no \
new-packet-mark=camfrog passthrough=no
# Torrent detection, four ways: handshake signature, tracker/site names,
# the built-in p2p=all-p2p matcher, and a fixed list of client source
# ports.  NOTE(review): the src-port list only matches clients that happen
# to use exactly those ports and will need maintaining.
add action=mark-connection chain=forward comment=bittorent disabled=no \
layer7-protocol=bittorent new-connection-mark=bittorent-limit \
passthrough=yes
add action=mark-packet chain=forward connection-mark=bittorent-limit \
disabled=no new-packet-mark=packet-bittorent passthrough=no
add action=mark-connection chain=forward comment=torrent-wws disabled=no \
layer7-protocol=torrent-wws new-connection-mark=wws-limit passthrough=yes
add action=mark-packet chain=forward connection-mark=wws-limit disabled=no \
new-packet-mark=packet-wws passthrough=no
add action=mark-connection chain=forward comment=torrent-www disabled=no \
layer7-protocol=torrent-www new-connection-mark=www-limit passthrough=yes
add action=mark-packet chain=forward connection-mark=www-limit disabled=no \
new-packet-mark=packet-www passthrough=no
add action=mark-connection chain=forward comment=torrent-allp2p disabled=no \
new-connection-mark=allp2p-limit p2p=all-p2p passthrough=yes
add action=mark-packet chain=forward connection-mark=allp2p-limit disabled=no \
new-packet-mark=packet-allp2p passthrough=no
add action=mark-connection chain=forward comment=torrent-port disabled=no \
new-connection-mark=port-limit passthrough=yes protocol=tcp src-port=\
58561,58045,14948,58008,58816,59097
add action=mark-packet chain=forward connection-mark=port-limit disabled=no \
new-packet-mark=packet-port passthrough=no

# setting nat untuk menghubungkan gateway user ke internet


/ip firewall nat
# Source NAT: the LAN subnet leaves through the WAN port with the router's
# WAN address.
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway src-address=192.168.2.0/24

# setting redirect untuk mengarahkan user menggunakan DNS nawala anti porno, nonaktifkan bila tidak diperlukan
# Forces LAN hosts' port-53 queries (TCP and UDP) to the router's own
# resolver, whatever server they configured.  The filtering happens
# upstream: it is only "nawala" if the servers in /ip dns are the Nawala
# resolvers (this page lists 203.130.193.74 and 203.130.206.250 - verify).
# Resolvers on other ports or over encrypted transports are not caught.
add action=redirect chain=dstnat comment=\
"Redirect ke Port 53 untuk nawala anti porno project" disabled=no \
dst-port=53 protocol=tcp src-address=192.168.2.0/24 to-ports=53
add action=redirect chain=dstnat disabled=no dst-port=53 protocol=udp \
src-address=192.168.2.0/24 to-ports=53

# setting disable untuk menghindari scan winbox oleh user


/ip neighbor discovery
# Hides the router from neighbour discovery (and therefore from Winbox's
# "Neighbors" list) on both ports.  This is obscurity only: Winbox on TCP
# 8291 is still accepted from any source by /ip firewall filter.
set ether1-gateway disabled=yes
set ether2-local-master disabled=yes

# setting route antar gateway


/ip route
# Static default route via the ISP gateway.  NOTE(review): the DHCP client
# on ether1-gateway also installs a default route at distance 1, so two
# default routes compete; keep one of them.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 \
target-scope=10

# setting queue untuk tiap interface


/queue interface
# Interface queues stay at the pfifo ethernet-default type; all shaping is
# done in /queue tree, not here.
set ether1-gateway queue=ethernet-default
set ether2-local-master queue=ethernet-default

# pengaturan waktu sesuai zona indonesia


/system clock
# Time zone for logs and scheduler times (Western Indonesia).
set time-zone-name=Asia/Jakarta

# pengaturan default waktu mikrotik sesuai parameter pabrik


/system clock manual
# Manual clock settings left at factory defaults; the named time zone above
# and the NTP client below are what actually set the clock.
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00

# pengaturan welcome text untuk consol terminal, bisa diganti dengan identitas anda
/system note
# Login banner shown on the terminal; "M" is a placeholder to replace with
# your own identity.
set note="M" show-at-login=yes

# pengaturan ntp client dengan server lokal / indonesia


/system ntp client
# Time sync from two hard-coded servers over plain, unauthenticated NTP;
# the DHCP client's use-peer-ntp=yes may add the ISP's server as well.
# Verify the addresses still serve NTP - a dead server silently lets the
# clock drift, which skews log timestamps and scheduler times.
set enabled=yes mode=unicast primary-ntp=202.71.109.130 secondary-ntp=\
65.55.21.23

# pengaturan ntp server dengan server lokal / indonesia


/system ntp server
# The router also SERVES time (manycast).  With the filter's blanket accept
# of UDP on input this is reachable from the WAN as well as the LAN.
set broadcast=no broadcast-addresses="" enabled=yes manycast=yes multicast=no

# menentukan jadwal eksekusi script flush cache DNS


/system scheduler
# Runs the "cacheflush" script (defined elsewhere, not on this page) every
# 30 minutes.  NOTE(review): the policy grants far more than a DNS cache
# flush needs (ftp, reboot, policy, password, sniff, sensitive); trim it
# to the policies the script actually uses.
add disabled=no interval=30m name="cache flush" on-event=cacheflush policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
start-time=startup

# menentukan jadwal eksekusi script penggantian DNS otomatis


/system scheduler
add disabled=no interval=1d name=dnschange on-event=dnschange policy=\
reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

# menentukan jadwal eksekusi script anti netcut 1


/system scheduler
add disabled=no interval=1d name=antinetcut1 on-event=antinetcut1 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# menentukan jadwal eksekusi script anti netcut 2


/system scheduler
add disabled=no interval=1d name=antinetcut2 on-event=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# menentukan jadwal eksekusi script membuat ARP otomatis untuk anti spoofing
/system scheduler
add disabled=no interval=20m name=leases on-event=lease policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/25/2013 start-time=04:58:44

# menentukan jadwal eksekusi script pengaturan zona waktu


/system scheduler
add disabled=no interval=6h name=ntp on-event=ntp policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/25/2013 start-time=06:57:11

# menentukan jadwal eksekusi script pengaturan zona waktu


/system scheduler
add disabled=no interval=6h name=ntp2 on-event=ntp2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/25/2013 start-time=06:57:32
# menentukan jadwal eksekusi script menandai paket akamai
/system scheduler
add disabled=no interval=15m name=akamai on-event=akamai policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# menentukan jadwal eksekusi script menandai paket anonymous


/system scheduler
add disabled=no interval=11m name=anonymox on-event=anonymox policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# menentukan jadwal eksekusi script menandai server proxy luar negeri


/system scheduler
add disabled=no interval=12m name=proxi on-event=proxi policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# Script "cacheflush": empty the DNS cache (run by the "cache flush" scheduler).
/system script
add name=cacheflush policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns cache flush"

# Script "dnschange": pin the upstream DNS servers and keep the router answering
# queries from the LAN.  Re-running it after each reboot guards against the
# server list being replaced (e.g. by a DHCP/PPPoE peer-supplied DNS).
# NOTE(review): allow-remote-requests=yes makes the router a resolver for every
# interface; the input filter must restrict UDP/TCP 53 to the LAN or the router
# becomes an open resolver on the WAN.
/system script
add name=dnschange policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns set servers=203.130.193.74,203.130.206.250 allow-remote-re\
quests=yes"

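# Script "antinetcut1": build the global $hacklist from DHCP leases.  A
# host-name that shows up on more than two leases is treated as a cloned or
# spoofed client and appended to $hacklist; the antinetcut2 script acts on it.
# Fixes against the original:
#  - the last `:if ... do={` was never closed, so the script did not parse;
#    the closing brace is added;
#  - $switch was read but never declared; it is now declared as a global and
#    defaulted to 0 when unset, so the log condition is well defined;
#  - policy reduced to read,write -- the script only reads leases, sets a
#    global and logs.
# NOTE(review): `[:find $hacklist $h] >= 0` relies on :find returning a number
# for "not found"; on builds where it returns nil the comparison may not behave
# as intended -- verify on the target version.
/system script
add name=antinetcut1 policy=read,write \
source=":global switch\r\
\n:if ([:typeof \$switch] = \"nil\") do={:set switch 0}\r\
\n:local hosts [/ip dhcp-server lease find]\r\
\n:local pcname \"X\"\r\
\n:local pcnum 0\r\
\n:global hacklist \"\"\r\
\n:foreach h in \$hosts do={\r\
\n:local host [/ip dhcp-server lease get \$h host-name]\r\
\n:if ([:len \$host] >0) do {\r\
\n:set pcname (\$pcname . \",\" . \$host)\r\
\n:set pcnum (\$pcnum + 1)\r\
\n}\r\
\n}\r\
\n:foreach h in \$pcname do={\r\
\n:local hh 0\r\
\n:if (!([:find \$hacklist \$h]>=0)) do={\r\
\n:foreach k in \$pcname do={ :if (\$k=\$h) do={:set hh (\$hh + 1) } }\r\
\n:if (\$hh>2) do={\r\
\n:if ([:len \$hacklist] >0) do {:set hacklist (\$hacklist . \",\" . \$h)}\
\_else={:set hacklist \$h}\r\
\n}\r\
\n}\r\
\n}\r\
\n:local timer [:pick [/system clock get time] 3 5]\r\
\n:if ((\$switch > 0) || (\$timer >= \"58\")) do={\r\
\n:log warning (\"New Hacklist: \" . \$hacklist)\r\
\n}"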

# Script "antinetcut2": for every host-name in the global $hacklist, look up its
# DHCP lease address and, if that address has an active hotspot session, log
# host/IP/user and remove the session.
# NOTE(review): it only acts on /ip hotspot active entries; no hotspot
# configuration is visible in this file, so for plain DHCP clients the script
# logs nothing and removes nothing -- confirm a hotspot is in use, otherwise
# the "anti netcut" kick is a no-op.
/system script
add name=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="# use global hacklist variable\r\
\n#:log info (\$hacklist)\r\
\n:foreach host in \$hacklist do={\r\
\n:foreach i in= [/ip dhcp-server lease find host-name \$host] do={\r\
\n:local ipnum [/ip dhcp-server lease get \$i address]\r\
\n:local unum [/ip hotspot active find address \$ipnum]\r\
\n:if ([:len \$unum] >0) do {\r\
\n:local usr [/ip hotspot active get \$unum user]\r\
\n:log warning (\$host . \" \" . \$ipnum . \" \" . \$usr)\r\
\n#next line kick them out right now, could also check pppoe\r\
\n/ip hotspot active remove \$unum\r\
\n#other stuff can do now with the identified IP and USER\r\
\n}\r\
\n}\r\
\n}"

# Script "ntp": re-apply the NTP client settings (same servers as the
# /system ntp client block above).  The original heading called this the
# time-zone script; that is "ntp2" below.
/system script
add name=ntp policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/system ntp client set enabled=yes mode=unicast primary-ntp=202.71\
.109.130 secondary-ntp=65.55.21.23\r\
\n"

# Script "ntp2": re-apply the Asia/Jakarta time zone.
/system script
add name=ntp2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/system clock set time-zone-name=Asia/Jakarta"

# Script "lease": convert every current DHCP lease into a static lease, so the
# IP/MAC binding no longer changes (defence against ARP spoofing by netcut).
# NOTE(review): run every 20 minutes this pins every client that ever obtained
# a lease; the pool will shrink over time unless stale static leases are
# removed by hand -- consider how address reuse is handled.
/system script
add name=lease policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/ip dhcp-server lease make-static [/ip dhcp-server lease find]"

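# Script "akamai": walk the DNS cache and put the address of every cached name
# that contains "akamai" into address-list "akamai" (the queue tree's akamai
# limiter matches on that list).  Run every 15 minutes by the scheduler.
# Fixes against the original:
#  - the match was `[:find $cacheName "akamai"] != 0`, which is false when the
#    substring sits at position 0 (names starting with "akamai") and, because
#    :find yields nil when there is no match, true for names that do not
#    contain it at all -- the list filled with the wrong hosts.  It is now an
#    explicit nil test;
#  - the duplicate check walked every entry of every address list; it now asks
#    directly for an entry in list=akamai with the same address;
#  - policy reduced to read,write, the only policies the commands below need.
/system script
add name=akamai policy=read,write \
source=":foreach i in=[/ip dns cache find] do={\r\
\n:local cacheName [/ip dns cache all get \$i name];\r\
\n:if ([:typeof [:find \$cacheName \"akamai\"]] != \"nil\") do={\r\
\n:local tmpAddress [/ip dns cache get \$i address];\r\
\n# add once: skip addresses already present in the akamai list\r\
\n:if ([:len [/ip firewall address-list find list=akamai \
address=\$tmpAddress]] = 0) do={\r\
\n:log info (\"added entry: \" . \$cacheName . \" IP \" . \$tmpAddress);\r\
\n/ip firewall address-list add address=\$tmpAddress list=akamai comment=\
\$cacheName;\r\
\n}\r\
\n}\r\
\n}"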

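# Script "anonymox": walk the DNS cache and put the address of every cached
# name that contains "anony" into address-list "anonymox" (anonymizer hosts the
# firewall can then block or limit).  Run every 11 minutes by the scheduler.
# Fixes against the original (same as the akamai script):
#  - `[:find ...] != 0` was false for a match at position 0 and true for no
#    match at all; replaced by an explicit nil test;
#  - the duplicate check now looks only in list=anonymox for the same address;
#  - policy reduced to read,write.
/system script
add name=anonymox policy=read,write \
source=":foreach i in=[/ip dns cache find] do={\r\
\n:local cacheName [/ip dns cache all get \$i name];\r\
\n:if ([:typeof [:find \$cacheName \"anony\"]] != \"nil\") do={\r\
\n:local tmpAddress [/ip dns cache get \$i address];\r\
\n# add once: skip addresses already present in the anonymox list\r\
\n:if ([:len [/ip firewall address-list find list=anonymox \
address=\$tmpAddress]] = 0) do={\r\
\n:log info (\"added entry: \" . \$cacheName . \" IP \" . \$tmpAddress);\r\
\n/ip firewall address-list add address=\$tmpAddress list=anonymox comment\
=\$cacheName;\r\
\n}\r\
\n}\r\
\n}"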

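# Script "proxi": walk the DNS cache and put the address of every cached name
# that contains "proxy" or "proxi" into address-list "proxys" (foreign proxy
# hosts).  Run every 12 minutes by the scheduler.
# Fixes against the original (same as the akamai script):
#  - `[:find ...] != 0` was false for a match at position 0 and true for no
#    match at all; both tests are now explicit nil tests;
#  - the duplicate check now looks only in list=proxys for the same address;
#  - policy reduced to read,write.
/system script
add name=proxi policy=read,write \
source=":foreach i in=[/ip dns cache find] do={\r\
\n:local cacheName [/ip dns cache all get \$i name];\r\
\n:if (([:typeof [:find \$cacheName \"proxy\"]] != \"nil\") || \
([:typeof [:find \$cacheName \"proxi\"]] != \"nil\")) do={\r\
\n:local tmpAddress [/ip dns cache get \$i address];\r\
\n# add once: skip addresses already present in the proxys list\r\
\n:if ([:len [/ip firewall address-list find list=proxys \
address=\$tmpAddress]] = 0) do={\r\
\n:log info (\"added entry: \" . \$cacheName . \" IP \" . \$tmpAddress);\r\
\n/ip firewall address-list add address=\$tmpAddress list=proxys comment=\
\$cacheName;\r\
\n}\r\
\n}\r\
\n}"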

# pastikan untuk tidak mengubah apapun sebelum anda memahaminya benar-benar untuk
menghindari kesalahan
# Yups, semua sudah selesai, restart mikrotik anda.
# Anda dapat mendownload script diatas : disini atau disini

# Nb : seluruh tutorial tersebut sudah saya buktikan sendiri, jika ada tambahan, silahkan
komentar dan saran2nya, maaf bila tidak disertakan gambar.

# Created & modified by jinho at bagan batu, no more really secure, but need more time to make
it broken. enjoy :)
PCC LOADBALANCE 2 SPEEDY + BANDWIDTH MANAGEMENT MIKROTIK
RB750

# BACA KETERANGAN DENGAN TELITI SEBELUM MENGGUNAKAN SCRIPT INI !!!


# PCC Loadbalancing + Bandwidth management mikrotik v 5.x
# Scripting by jinho diaz
# Very simple but More Powerful !!

# modem pertama (bwidth 2 mbps) : IP 192.168.5.1, pada ether2-master-local


# modem kedua (bwidth 1 mbps) : IP 192.168.4.1, pada ether3-slave-local
# LAN : IP 192.168.1.1 pada ether1-gateway

# Menggunakan PPPoE mikrotik untuk dial speedy agar resource modem -


# tetap stabil dan jarang down -

# pastikan anda mengganti username dan password speedy anda (ditandai dengan xxxxxx) -
# di bagian interface pppoe-client pada script ini.

# Script ini sudah di uji menggunakan 2 line speedy yang gateway-nya sama maupun tidak.
# Script ini tetap stabil pada Routerboard mikrotik RB750 versi 5.4 dengan CPU 400 mhz

# Port naming.  ether1 is the LAN side, ether2 and ether3 carry the two PPPoE
# uplinks to the modems (see /interface pppoe-client), ether4/ether5 are not
# used by this script.  master-port=none keeps every port as a separate
# interface (no hardware switch group).
/interface ethernet
set 0 arp=enabled name=ether1-gateway
set 1 arp=enabled master-port=none name=ether2-master-local
set 2 arp=enabled master-port=none name=ether3-slave-local
set 3 arp=enabled master-port=none name=ether4-slave-local
set 4 arp=enabled master-port=none name=ether5-slave-local

# Layer-7 patterns used by the mangle rules to classify traffic.  These are
# regexes matched against the first part of each connection's payload, so
# they only see plaintext protocols and cost CPU on every new connection.
/ip firewall layer7-protocol

# "download": a URL path ending in a typical archive / media / installer
# extension (used to mark download-manager traffic, see the IDM mangle rules).
add name=download regexp="\\.(exe|rar|zip|7z|cab|asf|pdf|wav|mp3|ram|msu|msi|n\
up|vdf|rmvb|daa|iso|nrg|bin|vcd|mp2|qt|raw|ogg|doc|xls|ppt|xlxs|mov|wmv|mp\
g|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|mpe|wma|docx|pptx|deb|flv2|tar|bzip|gzip\
|webm|gzip2).*\$"
# "google": plain substrings of common sites; note the unescaped dots and
# very short tokens (co.id, go.id, net.id) match far more than the named sites.
add name=google regexp="google.com|google.co.id|yahoo.com|yahoo.co.id|yahoo|go\
ogle|bing|msn|wordpress|blogspot|blogger|web.id|co.id|net.id|go.id|hotmail\
|twitter"
add name=youtube regexp=o-o|youtube.com|webm
# "http-video": streaming / video keywords.  NOTE(review): ".tv" and ".0" are
# not escaped, so they match any character followed by "tv" / "0", and generic
# words (video, stream, live, movie, mov) match as substrings anywhere in the
# payload -- expect this to catch a lot of ordinary browsing.
add name=http-video regexp="mivo.tv|mivotv|imediabiz|imedia|porn|video|stream|\
movie|live|0\\.9|.tv|.0|video|mov|wmv|mpg|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|\
mpe|wma|xhamster|xnxx|fuck|flv2|indostar-tv|nontontv.tv"
# BitTorrent: the protocol handshake, tracker scrape and DHT markers.
add name=bittorent regexp="^(\13bittorrent protocol|azver1\$|get /scrape\\\?in\
fo_hash=)|d1:ad2:id20:|87P\\)[RP]"
# Torrent sites / trackers over HTTP (GET requests).
add name=torrent-wws regexp="^.*(get|GET).+(torrent|info_hash|thepiratebay|iso\
hunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitn\
ova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
# Same site list without the GET requirement.
add name=torrent-www regexp="^.+(torrent|thepiratebay|isohunt|entertane|demono\
id|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|\
fulldls|btbot|fenopy|gpirate|commonbits).*\$"

# DHCP address pool for the LAN (192.168.1.1 is the router itself).
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254

# DHCP server on the LAN port, 3-day leases.
# NOTE(review): this script has no lease-to-static scheduler, so (unlike the
# first script on this page) leases here stay dynamic -- the "anti netcut"
# ARP pinning is not active in this configuration.
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether1-gateway lease-time=3d name=dhcp1

# Two PPPoE dial-ups, one per modem port.  Replace the xxxxxxxx user/password
# placeholders with the real Speedy credentials before pasting.
# NOTE(review): add-default-route=yes on both clients installs dynamic default
# routes next to the static ones in /ip route below; confirm which set is meant
# to win.  use-peer-dns=yes lets the ISP push DNS servers, which is presumably
# why the dnschange scheduler re-pins /ip dns servers every day.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=ether2-master-local max-mru=1480 \
max-mtu=1480 mrru=disabled name=PPPoE-1 password=xxxxxxxx profile=\
default service-name="" use-peer-dns=yes user=xxxxxxxxxxx@telkom.net
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=ether3-slave-local max-mru=1480 \
max-mtu=1480 mrru=disabled name=PPPoE-2 password=xxxxxxxxx profile=\
default service-name="" use-peer-dns=yes user=xxxxxxxxxx@telkom.net

# Queue tree, parent level.  All limits are 0 (unlimited) here; the numbers in
# the names are only for ordering in winbox.  Priority 1 is highest.
# Parents on global-in shape inbound (download), global-out outbound (upload),
# global-total both.  Edit max-limit on the parents to fit the real bandwidth.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.DOWNLOAD parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.Limited packet-mark=users parent=3.DOWNLOAD \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=1.BROWSING parent=global-out priority=4
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=6.TUBE-TV packet-mark=users parent=global-out priority=8
# Connectivity traffic (ICMP, DNS) gets the highest priority.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.KONEKSI parent=global-total priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="4.LIVE VIDEO" parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=5.GAME parent=global-out priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=7.Chat packet-mark=users parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="8. Bittorent" packet-mark=packet-bittorent parent=\
global-out priority=8

# Queue types.  The PCQ queues share bandwidth equally between flows, grouped
# by destination address (download direction) or source address (upload);
# pcq-rate=0 means no per-client cap, pcq-rate=128k caps each torrent flow.
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=PCQ_download pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=PCQ_upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-download2 pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
# Small FIFO for ICMP/DNS so latency-sensitive packets are not queued deep.
add kind=pfifo name=PING pfifo-limit=64
# Classified by destination address AND port: each stream gets its own share.
add kind=pcq name=DOWN pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=\
10s pcq-classifier=dst-address,dst-port pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=torrent pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=128k \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
# "limited" is defined here but no queue-tree entry in this script uses it.
add kind=pcq name=limited pcq-burst-rate=0 pcq-burst-threshold=256k \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=akamai pcq-burst-rate=0 pcq-burst-threshold=256k \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=64 pcq-total-limit=2000
set default-small kind=pfifo name=default-small pfifo-limit=10

# Queue tree, child level.  Each child matches one packet mark produced by the
# mangle rules and is attached to a parent defined above.
# NOTE(review): "1.2.akamai" matches packet-mark=akamai, but no mangle rule or
# script in this second configuration produces that mark (the akamai script
# belongs to the first configuration on this page), so that leaf stays empty.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=5.1.Game-Online packet-mark=online parent=5.GAME \
priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="5.2.Game FB" packet-mark=gamefb parent=5.GAME priority=\
2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.2.Hit packet-mark=hit parent=3.1.Limited priority=8 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.1.IDM packet-mark=idm parent=3.1.Limited priority=8 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=4.1.youtube packet-mark=stream-idm parent="4.LIVE VIDEO" \
priority=8 queue=DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="1.1.http brows" packet-mark=google parent=1.BROWSING \
priority=3 queue=pcq-upload
# ICMP and DNS, priority 1 (highest) through the small PING fifo.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.1.ping-out packet-mark="paket ip" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.2.ping-in packet-mark="paket dp" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="6.1.Tube Stream" packet-mark=users parent=6.TUBE-TV \
priority=8 queue=pcq-download2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=6.2.Mivo.TV packet-mark=paket-mtc parent=6.TUBE-TV \
priority=8 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="7.1. Camfrog" packet-mark=camfrog parent=7.Chat \
priority=8 queue=pcq-upload
# Four torrent leaves, all through the 128k-per-flow "torrent" PCQ.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=wws packet-mark=packet-wws parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=www packet-mark=packet-www parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=port packet-mark=packet-port parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=allp2p packet-mark=packet-allp2p parent="8. Bittorent" \
priority=8 queue=torrent
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=1.2.akamai packet-mark=akamai parent=1.BROWSING \
priority=8 queue=akamai

# Addresses: LAN gateway on ether1, one address per modem subnet on ether2 and
# ether3 (the modems are 192.168.5.1 and 192.168.4.1; these are only for
# reaching the modems' management, the uplinks themselves are PPPoE).
/ip address
add address=192.168.1.1/24 disabled=no interface=ether1-gateway network=192.168.1.0
add address=192.168.5.2/24 disabled=no interface=ether2-master-local network=192.168.5.0
add address=192.168.4.2/24 disabled=no interface=ether3-slave-local network=192.168.4.0

# DHCP network: clients get the router as gateway.  No dns-server is given
# here; NOTE(review): which resolver clients receive then depends on the
# RouterOS default for an unset dns-server -- confirm they end up using the
# router (which has allow-remote-requests=yes below).
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1

# Router-side DNS: forwards to the two Telkom resolvers and answers queries
# from other hosts (allow-remote-requests=yes).
# NOTE(review): "remote" means every interface, including the PPPoE uplinks;
# unless the input filter restricts port 53 to the LAN the router is an open
# resolver on the internet and can be abused for DNS amplification.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=203.130.193.74,203.130.206.250

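# Firewall filter.  Rules are evaluated top to bottom; the first match wins.
#
# Input chain = traffic addressed to the router itself.  The original accepted
# winbox (8291/tcp), *all* UDP and ICMP from every interface and had no closing
# drop, so with /ip dns allow-remote-requests=yes the router was an open
# resolver -- and winbox was reachable -- on the PPPoE/internet side as well.
# Router services are now accepted only from the LAN port (ether1-gateway);
# the router's own outbound traffic (DNS forwarding, NTP) still gets its replies
# through the established/related rule.
/ip firewall filter
add action=accept chain=input comment="replies to the router's own connections" \
connection-state=established,related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input comment="winbox, LAN side only" disabled=no \
dst-port=8291 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment=\
"LAN UDP services: DNS, DHCP, NTP (anti netcut relies on this being accepted)" \
disabled=no in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="DNS over TCP from the LAN" disabled=no \
dst-port=53 in-interface=ether1-gateway protocol=tcp
# ICMP from anywhere (ping, unreachable / fragmentation-needed messages).  The
# original had this accept followed by an identical drop that could never match.
add action=accept chain=input disabled=no protocol=icmp
add action=drop chain=input comment="everything else aimed at the router" \
disabled=no
#
# Forward chain = traffic routed between the LAN and the PPPoE links
# (unchanged from the original).
add action=drop chain=forward connection-state=invalid disabled=no
# Windows file-sharing / RPC ports in both directions (W32.Kido / Conficker
# propagation).
add action=drop chain=forward comment=";;Block W32.Kido Conficker" disabled=\
no protocol=udp src-port=135-139
add action=drop chain=forward disabled=no dst-port=135-139 protocol=udp
add action=drop chain=forward disabled=no protocol=udp src-port=445
add action=drop chain=forward disabled=no dst-port=445 protocol=udp
add action=drop chain=forward disabled=no protocol=tcp src-port=135-139
add action=drop chain=forward disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=forward disabled=no protocol=tcp src-port=445
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp
# 4691/tcp and 5933/tcp carried no comment in the original; presumably further
# worm ports -- unverified.
add action=drop chain=forward disabled=no dst-port=4691 protocol=tcp
add action=drop chain=forward disabled=no dst-port=5933 protocol=tcp
# LLMNR name-resolution chatter that should not leave the LAN.
add action=drop chain=forward comment="Block LLMNR" disabled=no dst-port=5355 \
protocol=udp
add action=drop chain=forward disabled=no dst-port=4647 protocol=udp
# Direct SMTP (25/tcp) through the router is dropped in both directions; this
# contains spam bots on infected clients but also blocks legitimate mail
# clients that use port 25.
add action=drop chain=forward comment="SMTP Deny" disabled=no protocol=tcp \
src-port=25
add action=drop chain=forward disabled=no dst-port=25 protocol=tcp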
# Mangle: connection and packet marks for load balancing and the queue tree.
/ip firewall mangle
# PCC load balancing.  Only NEW TCP/80 connections from the LAN are split
# (both-addresses-and-ports, 2 buckets) between Route1 and Route2; every other
# connection is left unmarked and follows the main default route.
# NOTE(review): there is no rule marking connections that arrive on PPPoE-2
# from the outside, so replies to inbound connections on the second link may
# leave through the first -- only relevant if anything is published inbound.
add action=mark-connection chain=prerouting comment="Jinho.diaz Load Balancing" \
connection-state=new disabled=no dst-port=80 in-interface=ether1-gateway \
new-connection-mark=LB1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0 protocol=tcp src-address=192.168.1.0/24
add action=mark-routing chain=prerouting connection-mark=LB1 disabled=no \
in-interface=ether1-gateway new-routing-mark=Route1 passthrough=no \
src-address=192.168.1.0/24
add action=mark-connection chain=prerouting connection-state=new disabled=no \
dst-port=80 in-interface=ether1-gateway new-connection-mark=LB2 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 \
protocol=tcp src-address=192.168.1.0/24
add action=mark-routing chain=prerouting connection-mark=LB2 disabled=no \
in-interface=ether1-gateway new-routing-mark=Route2 passthrough=no \
src-address=192.168.1.0/24
# "hit": packets carrying DSCP 12 or an "X-Cache:HIT" header (content served
# from a cache).  NOTE(review): no proxy is configured in this script, so these
# marks presumably only fire with an external cache upstream -- confirm.
add action=mark-packet chain=postrouting comment=HIT disabled=no dscp=12 \
new-packet-mark=hit passthrough=no
add action=mark-packet chain=postrouting content=X-Cache:HIT disabled=no \
new-packet-mark=hit passthrough=no
# Online games, identified by destination port lists (TCP then UDP), all
# collected under one connection mark and then packet mark "online".
add action=mark-connection chain=prerouting comment=GAME disabled=no \
dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
7341-7350,7451,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\
11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18901-18909,19\
000" new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port="1293,1479,61\
00-6152,7777-7977,8001,9401,9600-9602,12020-12080,30000,40000-40010" \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port=\
42051-42052,11100-11125,11440-11460 new-connection-mark=GAMEONLINE \
passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=GAMEONLINE disabled=\
no new-packet-mark=online passthrough=no
# Facebook games: content= is a plain substring match on the payload, so it
# only works for unencrypted HTTP; ports 9339/843 are added as a fallback.
add action=mark-connection chain=prerouting content=facebook.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=fbcdn.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=facebook.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=zynga.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=\
static.ak.connect.facebook.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting content=\
statics.poker.static.zynga.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-port=9339,843 \
new-connection-mark=fb_game passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=fb_game disabled=no \
new-packet-mark=gamefb passthrough=no
# Catch-all "users" mark for everything not from the router itself and not in
# address list "IP"; passthrough=yes so the more specific marks below can
# override it.  NOTE(review): no visible line creates an address list named
# IP; until it exists the !IP condition simply matches everything.
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
users-con passthrough=yes src-address=!192.168.1.1 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=users-con disabled=no \
new-packet-mark=users passthrough=yes
# Download managers (layer7 "download" pattern).
add action=mark-connection chain=prerouting comment=IDM disabled=no \
layer7-protocol=download new-connection-mark=idm passthrough=yes \
src-address=!192.168.1.1 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=idm disabled=no \
new-packet-mark=idm passthrough=no
# Ordinary browsing (layer7 "google" pattern).
add action=mark-connection chain=prerouting comment=Browsing disabled=no \
layer7-protocol=google new-connection-mark=google passthrough=yes \
src-address=!192.168.1.1 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=google disabled=no \
new-packet-mark=google passthrough=no src-address=!192.168.1.1
# YouTube / webm streaming.
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
youtube new-connection-mark=stream-idm passthrough=yes src-address=\
!192.168.1.1 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=stream-idm disabled=\
no new-packet-mark=stream-idm passthrough=no
# ICMP: marked and re-tagged with DSCP 1 for the high-priority KONEKSI queue.
add action=mark-connection chain=prerouting comment=ICMP disabled=no \
new-connection-mark="paket ic" passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark="paket ic" disabled=\
no new-packet-mark="paket ip" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket ip"
# DNS (TCP and UDP 53), same treatment as ICMP.
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=\
53 new-connection-mark="paket dc" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
new-connection-mark="paket dc" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="paket dc" disabled=\
no new-packet-mark="paket dp" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket dp"
# Live video (layer7 "http-video" pattern, see its caveats above).
add action=mark-connection chain=prerouting comment="MIVO TV" disabled=no \
layer7-protocol=http-video new-connection-mark=paket-mtc passthrough=yes \
src-address=!192.168.1.1 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=paket-mtc disabled=no \
new-packet-mark=paket-mtc passthrough=no
# Camfrog chat by destination port.
add action=mark-connection chain=prerouting comment=Camfrog disabled=no \
dst-port=2779,6667 new-connection-mark=camfrog passthrough=yes protocol=\
tcp
add action=mark-packet chain=prerouting connection-mark=camfrog disabled=no \
new-packet-mark=camfrog passthrough=no
# Torrent traffic, four ways: protocol handshake, tracker sites over HTTP,
# the built-in p2p matcher, and a fixed list of client source ports.
add action=mark-connection chain=forward comment=bittorent disabled=no \
layer7-protocol=bittorent new-connection-mark=bittorent-limit \
passthrough=yes
add action=mark-packet chain=forward connection-mark=bittorent-limit \
disabled=no new-packet-mark=packet-bittorent passthrough=no
add action=mark-connection chain=forward comment=torrent-wws disabled=no \
layer7-protocol=torrent-wws new-connection-mark=wws-limit passthrough=yes
add action=mark-packet chain=forward connection-mark=wws-limit disabled=no \
new-packet-mark=packet-wws passthrough=no
add action=mark-connection chain=forward comment=torrent-www disabled=no \
layer7-protocol=torrent-www new-connection-mark=www-limit passthrough=yes
add action=mark-packet chain=forward connection-mark=www-limit disabled=no \
new-packet-mark=packet-www passthrough=no
add action=mark-connection chain=forward comment=torrent-allp2p disabled=no \
new-connection-mark=allp2p-limit p2p=all-p2p passthrough=yes
add action=mark-packet chain=forward connection-mark=allp2p-limit disabled=no \
new-packet-mark=packet-allp2p passthrough=no
# NOTE(review): the source-port list below is specific to whatever clients
# were observed when the script was written; torrent clients pick random
# ports, so this rule is the weakest of the four.
add action=mark-connection chain=forward comment=torrent-port disabled=no \
new-connection-mark=port-limit passthrough=yes protocol=tcp src-port=\
58561,58045,14948,58008,58816,59097
add action=mark-packet chain=forward connection-mark=port-limit disabled=no \
new-packet-mark=packet-port passthrough=no

# NAT: masquerade the LAN on whichever link the routing decision picks (no
# out-interface given, so the one rule serves both PPPoE-1 and PPPoE-2).
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.1.0/24

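# Routes.  Traffic marked Route1/Route2 by the PCC mangle rules prefers "its"
# PPPoE link; the distance-2 entries are the failover path and must therefore
# point at the OTHER link.  The original had both distances on the same gateway,
# so when a link died its share of connections had no route at all.
# check-gateway=ping replaces arp: a PPPoE interface is point-to-point and has
# no ARP to probe, so the arp check could never mark the link as down.
# NOTE(review): if the provider's PPPoE peer does not answer ICMP, ping checks
# will flag the link as unreachable -- verify on the live links before relying
# on the failover.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PPPoE-1 routing-mark=Route1 scope=255 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
PPPoE-2 routing-mark=Route1 scope=255 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PPPoE-2 routing-mark=Route2 scope=255 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
PPPoE-1 routing-mark=Route2 scope=255 target-scope=10
# Unmarked traffic (everything that is not TCP/80 from the LAN) goes via
# PPPoE-1 and falls back to PPPoE-2 when that gateway stops answering; the
# original had no backup for this route.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PPPoE-1 scope=255 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
PPPoE-2 scope=255 target-scope=10
# NOTE(review): both pppoe-client entries also have add-default-route=yes,
# which installs dynamic default routes next to these; set it to no on the
# clients if these static routes are meant to be authoritative.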

# Clock: Indonesian western time zone (log timestamps, scheduler times).
/system clock
set time-zone-name=Asia/Jakarta

# NTP client, unicast to two fixed servers (the "ntp" script re-applies this).
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.71.109.130 secondary-ntp=\
65.55.21.23
# Schedulers for the scripts defined below: DNS cache flush every 15 minutes,
# the two anti-netcut steps daily and at boot, NTP / time-zone refresh every
# 6 hours, DNS server re-pin daily and at boot.
# NOTE(review): every entry carries the full policy set (ftp, reboot, policy,
# password, sniff, sensitive, api ...); the scripts only read/write
# configuration and log, so read,write would be the least-privilege ceiling.
/system scheduler
add disabled=no interval=15m name="cache flush" on-event=cacheflush policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
start-time=startup
add disabled=no interval=1d name=antinetcut1 on-event=antinetcut1 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
add disabled=no interval=1d name=antinetcut2 on-event=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
add disabled=no interval=6h name=ntp on-event=ntp policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/25/2013 start-time=06:57:11
add disabled=no interval=6h name=ntp2 on-event=ntp2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/25/2013 start-time=06:57:32
add disabled=no interval=1d name=dnschange on-event=dnschange policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup

# Script "cacheflush": empty the DNS cache (run by the "cache flush" scheduler).
/system script
add name=cacheflush policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns cache flush"
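# Script "antinetcut1": build the global $hacklist from DHCP leases.  A
# host-name that shows up on more than two leases is treated as a cloned or
# spoofed client and appended to $hacklist; the antinetcut2 script acts on it.
# Fixes against the original:
#  - the last `:if ... do={` was never closed, so the script did not parse;
#    the closing brace is added;
#  - $switch was read but never declared; it is now declared as a global and
#    defaulted to 0 when unset, so the log condition is well defined;
#  - policy reduced to read,write -- the script only reads leases, sets a
#    global and logs.
# NOTE(review): `[:find $hacklist $h] >= 0` relies on :find returning a number
# for "not found"; on builds where it returns nil the comparison may not behave
# as intended -- verify on the target version.
add name=antinetcut1 policy=read,write \
source=":global switch\r\
\n:if ([:typeof \$switch] = \"nil\") do={:set switch 0}\r\
\n:local hosts [/ip dhcp-server lease find]\r\
\n:local pcname \"X\"\r\
\n:local pcnum 0\r\
\n:global hacklist \"\"\r\
\n:foreach h in \$hosts do={\r\
\n:local host [/ip dhcp-server lease get \$h host-name]\r\
\n:if ([:len \$host] >0) do {\r\
\n:set pcname (\$pcname . \",\" . \$host)\r\
\n:set pcnum (\$pcnum + 1)\r\
\n}\r\
\n}\r\
\n:foreach h in \$pcname do={\r\
\n:local hh 0\r\
\n:if (!([:find \$hacklist \$h]>=0)) do={\r\
\n:foreach k in \$pcname do={ :if (\$k=\$h) do={:set hh (\$hh + 1) } }\r\
\n:if (\$hh>2) do={\r\
\n:if ([:len \$hacklist] >0) do {:set hacklist (\$hacklist . \",\" . \$h)}\
\_else={:set hacklist \$h}\r\
\n}\r\
\n}\r\
\n}\r\
\n:local timer [:pick [/system clock get time] 3 5]\r\
\n:if ((\$switch > 0) || (\$timer >= \"58\")) do={\r\
\n:log warning (\"New Hacklist: \" . \$hacklist)\r\
\n}"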
# Script "antinetcut2": for every host-name in the global $hacklist, look up its
# DHCP lease address and, if that address has an active hotspot session, log
# host/IP/user and remove the session.
# NOTE(review): no hotspot is configured anywhere in this second script, so the
# inner branch never runs for plain DHCP clients -- the kick is a no-op here.
add name=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="# use global hacklist variable\r\
\n#:log info (\$hacklist)\r\
\n:foreach host in \$hacklist do={\r\
\n:foreach i in= [/ip dhcp-server lease find host-name \$host] do={\r\
\n:local ipnum [/ip dhcp-server lease get \$i address]\r\
\n:local unum [/ip hotspot active find address \$ipnum]\r\
\n:if ([:len \$unum] >0) do {\r\
\n:local usr [/ip hotspot active get \$unum user]\r\
\n:log warning (\$host . \" \" . \$ipnum . \" \" . \$usr)\r\
\n#next line kick them out right now, could also check pppoe\r\
\n/ip hotspot active remove \$unum\r\
\n#other stuff can do now with the identified IP and USER\r\
\n}\r\
\n}\r\
\n}"
# Script "ntp": re-apply the NTP client settings (same servers as above).
add name=ntp policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/system ntp client set enabled=yes mode=unicast primary-ntp=202.71\
.109.130 secondary-ntp=65.55.21.23\r\
\n"
# Script "ntp2": re-apply the Asia/Jakarta time zone.
add name=ntp2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/system clock set time-zone-name=Asia/Jakarta"
# Script "dnschange": re-pin the upstream DNS servers (use-peer-dns=yes on the
# PPPoE clients can replace them) and keep the router answering LAN queries.
# NOTE(review): allow-remote-requests=yes applies to every interface; the
# input filter must limit port 53 to the LAN or the router is an open resolver
# on the PPPoE side.
add name=dnschange policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/ip dns set servers=203.130.193.74,203.130.206.250 allow-remote-re\
quests=yes"