Monday, 29 April 2013

LAN & WAN Bandwidth Control on Mikrotik

If we use a Routerboard with more than two Ethernet connections (WAN, LAN1, LAN2 & DMZ) and want to limit only the Internet connection, while bandwidth for the LAN & DMZ stays unlimited, this is what needs to be set up:


Example case:

A Routerboard is used to route four networks, as follows:

/ip address
add address=202.182.189.27/28 broadcast=202.182.189.31 comment="default \
    configuration" disabled=no interface=WAN network=202.182.189.16
add address=172.17.142.20/23 broadcast=172.17.143.255 comment="added by \
    setup" disabled=no interface=LAN2 network=172.17.142.0
add address=172.17.140.1/24 broadcast=172.17.140.255 comment="added by setup" \
    disabled=no interface=DMZ network=172.17.140.0
add address=172.17.144.2/24 broadcast=172.17.144.255 comment="" disabled=no \
    interface=LAN1 network=172.17.144.0


Create the NAT rules as follows:

/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=LAN1 \
    src-address=172.17.140.0/24 to-addresses=172.17.144.2 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=LAN2 \
    src-address=172.17.140.0/24 to-addresses=172.17.142.20 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=DMZ \
    src-address=172.17.142.0/23 to-addresses=172.17.140.1 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=LAN1 \
    src-address=172.17.142.0/23 to-addresses=172.17.144.2 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=DMZ \
    src-address=172.17.144.0/24 to-addresses=172.17.140.1 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=LAN2 \
    src-address=172.17.144.0/24 to-addresses=172.17.142.20 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=WAN \
    src-address=172.17.140.0/24 to-addresses=202.182.189.27 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=WAN \
    src-address=172.17.142.0/23 to-addresses=202.182.189.27 to-ports=0-65535
add action=src-nat chain=srcnat comment="" disabled=no out-interface=WAN \
    src-address=172.17.144.0/24 to-addresses=202.182.189.27 to-ports=0-65535

Masquerade is deliberately not used, so that Internet access for any one network segment can be blocked easily.

Next, we want to limit Internet bandwidth only (not LAN bandwidth), with Internet upload=128kbit & download=256kbit, except that the client with IP address 172.17.144.166 (the client user named Istakhry) has unlimited Internet bandwidth. Bandwidth between the LANs & the DMZ is not limited. The settings look like this:




1. Create mangle rules to mark the packets crossing the network, as follows:


/ip firewall mangle
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN1 \
    new-packet-mark=LAN1_LAN2 out-interface=LAN2 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN1 \
    new-packet-mark=LAN1_DMZ out-interface=DMZ passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN1 \
    new-packet-mark=LAN1_WAN out-interface=WAN passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN2 \
    new-packet-mark=LAN2_DMZ out-interface=DMZ passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN2 \
    new-packet-mark=LAN2_WAN out-interface=WAN passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=LAN2 \
    new-packet-mark=LAN2_LAN1 out-interface=LAN1 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=DMZ \
    new-packet-mark=DMZ_LAN1 out-interface=LAN1 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=DMZ \
    new-packet-mark=DMZ_LAN2 out-interface=LAN2 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=DMZ \
    new-packet-mark=DMZ_WAN out-interface=WAN passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=WAN \
    new-packet-mark=WAN_LAN1 out-interface=LAN1 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=WAN \
    new-packet-mark=WAN_LAN2 out-interface=LAN2 passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no in-interface=WAN \
    new-packet-mark=WAN_DMZ out-interface=DMZ passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no \
    dst-address=172.17.144.166 in-interface=WAN new-packet-mark=Istakhry \
    passthrough=yes


2. Configure the queue types as follows:

/queue type
add kind=pcq name="PCQ_download" pcq-classifier=dst-address pcq-limit=50 \
    pcq-rate=256000 pcq-total-limit=2000
add kind=pcq name="PCQ_upload" pcq-classifier=src-address pcq-limit=50 \
    pcq-rate=128000 pcq-total-limit=2000

3. Configure the queue tree as follows:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue1" packet-mark=LAN1_LAN2 parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue2" packet-mark=LAN2_LAN1 parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue3" packet-mark=LAN1_DMZ parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue4" packet-mark=LAN1_WAN parent=global-out \
    priority=8 queue=PCQ_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue5" packet-mark=LAN2_DMZ parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue6" packet-mark=LAN2_WAN parent=global-out \
    priority=8 queue=PCQ_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue7" packet-mark=DMZ_LAN1 parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue8" packet-mark=DMZ_LAN2 parent=global-out \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue9" packet-mark=DMZ_WAN parent=global-out \
    priority=8 queue=PCQ_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue10" packet-mark=WAN_LAN1 parent=global-out \
    priority=8 queue=PCQ_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue11" packet-mark=WAN_LAN2 parent=global-out \
    priority=8 queue=PCQ_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue12" packet-mark=WAN_DMZ parent=global-out \
    priority=8 queue=PCQ_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="queue13" packet-mark=Istakhry parent=global-out \
    priority=8 queue=default
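
The model below is an added example, not part of the original post and not RouterOS code: it replays the mangle rules from step 1 (all `passthrough=yes`, so the last matching rule wins) and the queue tree from step 3 in Python, to show which PCQ rate a forwarded packet ends up under. The function names and every sample address other than 172.17.144.166 are assumptions made for illustration.

```python
# Added example (Python model, not RouterOS): replays the page's mangle
# rules and queue tree to find the PCQ rate applied to a forwarded packet.
IFACES = ["LAN1", "LAN2", "DMZ", "WAN"]

# The 12 interface-pair rules; they are mutually exclusive, so their
# relative order does not matter. Keys mirror the RouterOS matchers.
MANGLE = [{"in": i, "out": o, "mark": f"{i}_{o}"}
          for i in IFACES for o in IFACES if i != o]
# The exemption rule is last on the page, which is what lets it override.
MANGLE.append({"in": "WAN", "dst": "172.17.144.166", "mark": "Istakhry"})

# /queue type: name -> pcq-rate in bit/s; "default" carries no rate limit.
QUEUE_TYPE = {"PCQ_download": 256000, "PCQ_upload": 128000, "default": None}


def queue_for(mark):
    """/queue tree from the page: which queue type each packet mark uses."""
    if mark is None or mark == "Istakhry":
        return "default"      # unmarked traffic matches no tree entry
    src_if, dst_if = mark.split("_")
    if dst_if == "WAN":
        return "PCQ_upload"
    if src_if == "WAN":
        return "PCQ_download"
    return "default"          # LAN/DMZ to LAN/DMZ stays unshaped


def packet_mark(pkt):
    """All rules use passthrough=yes, so evaluation never stops early and
    the last matching mark-packet rule decides the final mark."""
    mark = None
    for rule in MANGLE:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "mark"):
            mark = rule["mark"]
    return mark


def rate_limit(in_if, out_if, src, dst):
    """Return (final packet mark, per-address rate in bit/s or None)."""
    mark = packet_mark({"in": in_if, "out": out_if, "src": src, "dst": dst})
    return mark, QUEUE_TYPE[queue_for(mark)]


if __name__ == "__main__":
    # 198.51.100.7 and 172.17.144.50 are constructed sample addresses.
    print(rate_limit("WAN", "LAN1", "198.51.100.7", "172.17.144.50"))
    print(rate_limit("WAN", "LAN1", "198.51.100.7", "172.17.144.166"))
    print(rate_limit("LAN1", "WAN", "172.17.144.166", "198.51.100.7"))
```

None of the listed mangle rules matches on source address, so for traffic from 172.17.144.166 going out through WAN the model returns `LAN1_WAN` and the 128000 bit/s upload rate; only the download direction gets the `Istakhry` mark.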


Well, that's it... hope this helps.