Learn Mikrotik RouterOS from one of the world's Mikrotik experts, Dennis Burgess. For more information, click http://www.mikrotikcore.com/
xxxxxxxxxxxxxxxxxxxxx
Pentest Lab
xxxxxxxxxxxxxxxxxxxxx
By default, RouterOS can be accessed via:
o Telnet
o SSH
o HTTP
o Winbox
o FTP
o Mac-Telnet
### Minimal Firewall Configuration
Fig. Topology
    Target                                Attacker
  [ vmWare ] ;--------x      x---------; [ Notebook ]
 192.168.0.1/24                        192.168.0.2/24
   RouterOS                                winXP
Tools:
- Port scanner ....... Nmap v4.2
- HTTP brute force ... FScan v0.6
- SSH brute force
- FTP brute force
- Port knocking
;;;;;;;;;;;; There are five rules ;;;;;;;;;;
o1. Drop Port Scanner
o2. Drop SSH BruteForce
o3. Drop FTP BruteForce
o4. Drop HTTP/HTTPS BruteForce
o5. PortKnocking Rule
o1. Drop Port Scanner
-----------------------------------------------------------------------------------
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1
Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:12 SE Asia Stand
ard Time
Initiating ARP Ping Scan at 17:12
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:12, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 16.50s elapsed
Initiating XMAS Scan at 17:12
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:12, 1.27s elapsed (9 total ports)
Initiating Service scan at 17:12
Scanning 4 services on 192.168.0.1
Discovered open port 80/tcp on 192.168.0.1
Discovered open|filtered port 80/tcp on 192.168.0.1 is actually open
Discovered open port 23/tcp on 192.168.0.1
Discovered open|filtered port 23/tcp on 192.168.0.1 is actually open
Discovered open port 22/tcp on 192.168.0.1
Discovered open|filtered port 22/tcp on 192.168.0.1 is actually open
Discovered open port 21/tcp on 192.168.0.1
Discovered open|filtered port 21/tcp on 192.168.0.1 is actually open
Completed Service scan at 17:12, 6.09s elapsed (4 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9 (protocol 1.99)
23/tcp open telnet Linux telnetd
24/tcp closed priv-mail
25/tcp closed smtp
80/tcp open http MikroTik router http config
139/tcp closed netbios-ssn
179/tcp closed bgp
8080/tcp closed http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)
Service Info: Host: MikroTik; OS: Linux; Device: router
Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insec
ure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.203 seconds
Raw packets sent: 14 (562B) | Rcvd: 7 (302B)
D:\>
-----------------------------------------------------------------------------------
Add the following rules:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
| address-list="port scanners" address-list-timeout=2w comment="Drop Port \
| Scanners" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
| action=add-src-to-address-list address-list="port scanners" \
| address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
| address-list="port scanners" address-list-timeout=2w comment="" \
| disabled=no
| add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
| address-list="port scanners" address-list-timeout=2w comment="" \
| disabled=no
| add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
| action=add-src-to-address-list address-list="port scanners" \
| address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
| action=add-src-to-address-list address-list="port scanners" \
| address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
| action=add-src-to-address-list address-list="port scanners" \
| address-list-timeout=2w comment="" disabled=no
| add chain=input src-address-list="port scanners" action=drop comment="" \
| disabled=no
-----------------------------------------------------------------------------------
The attacker's IP address is put into the ip firewall address-list, so:
-----------------------------------------------------------------------------------
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1
Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:16 SE Asia Stand
ard Time
Initiating ARP Ping Scan at 17:16
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:16, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:16
Completed Parallel DNS resolution of 1 host. at 17:17, 16.50s elapsed
Initiating XMAS Scan at 17:17
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:17, 1.26s elapsed (9 total ports)
Initiating Service scan at 17:17
Scanning 9 services on 192.168.0.1
Completed Service scan at 17:17, 5.00s elapsed (9 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
24/tcp open|filtered priv-mail
25/tcp open|filtered smtp
80/tcp open|filtered http
139/tcp open|filtered netbios-ssn
179/tcp open|filtered bgp
8080/tcp open|filtered http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)
Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insec
ure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.094 seconds
Raw packets sent: 19 (762B) | Rcvd: 1 (42B)
D:\>
[admin@MikroTik] ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Save Haven 192.168.0.3-192.168.0.5
1 D Save Haven 192.168.0.2
2 D port scanners 192.168.0.2
[admin@MikroTik] ip firewall address-list>
C:\Documents and Settings\adminz>ping 192.168.0.1 -t
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.1:
Packets: Sent = 24, Received = 19, Lost = 5 (20% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>
-----------------------------------------------------------------------------------
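The six tcp-flags rules and the psd rule above are matchers, and it helps to see exactly which one catches the nmap -sX probe and why the nine-port scan crosses the psd=21,3s,3,1 threshold. The Python script below is an added example, not code from the original post: it implements RouterOS tcp-flags semantics (listed flags must be set, `!`-prefixed flags must be clear) and a model of psd weighting that follows the documented meaning of the four values (weight threshold 21, 3 s window, ports below 1024 weigh 3, others weigh 1). The packets, addresses and timestamps are constructed to mirror the scan shown above.

```python
"""Why the scan above ends up in the "port scanners" address list.

Added example, not code from the original post. It models two matchers the
post's rules rely on: RouterOS tcp-flags semantics and the psd (port scan
detection) weights. The psd model follows the documented meaning of
psd=21,3s,3,1 (weight threshold 21, 3 s window, low ports < 1024 weigh 3,
other ports weigh 1). Packets and timestamps are constructed to mirror the
nmap -sX run shown above.
"""
from collections import defaultdict

# tcp-flags values of the post's six flag rules, in the order they appear.
SCANNER_FLAG_RULES = [
    "fin,!syn,!rst,!psh,!ack,!urg",   # lone FIN
    "fin,syn",                        # SYN and FIN together
    "syn,rst",                        # SYN and RST together
    "fin,psh,urg,!syn,!rst,!ack",     # FIN+PSH+URG, the XMAS probe nmap -sX sends
    "fin,syn,rst,psh,ack,urg",        # every flag set
    "!fin,!syn,!rst,!psh,!ack,!urg",  # no flag set (NULL probe)
]

# Constructed packets: the attacker's XMAS probe next to ordinary traffic.
SAMPLE_PACKETS = {
    "xmas probe": {"fin", "psh", "urg"},
    "normal SYN": {"syn"},
    "normal data": {"psh", "ack"},
    "normal close": {"fin", "ack"},
    "null probe": set(),
}

# Constructed (time_s, src, dst_port) events: the nine-port scan from the
# post finishing within 1.3 s, and one legitimate client touching ssh and http.
SCAN_EVENTS = [(0.15 * i, "192.168.0.2", p)
               for i, p in enumerate([21, 22, 23, 24, 25, 80, 139, 179, 8080])]
SCAN_EVENTS += [(0.0, "192.168.0.3", 22), (2.0, "192.168.0.3", 80)]


def tcp_flags_match(rule, flags):
    """RouterOS tcp-flags semantics: listed flags must be set, '!'-prefixed
    flags must be clear, flags not mentioned are ignored."""
    for item in rule.split(","):
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


def matching_flag_rules(flags):
    """Which of the post's flag rules would list this packet's source."""
    return [r for r in SCANNER_FLAG_RULES if tcp_flags_match(r, flags)]


def classify_packets(packets=SAMPLE_PACKETS):
    return {name: matching_flag_rules(flags) for name, flags in packets.items()}


def psd_flagged_sources(events, weight_threshold=21, delay_s=3.0,
                        low_weight=3, high_weight=1):
    """Model of psd=21,3s,3,1: per source, add up the weights of the distinct
    destination ports probed inside any delay_s window; return the sources
    whose total reaches weight_threshold."""
    by_src = defaultdict(list)
    for t, src, dport in events:
        by_src[src].append((t, dport))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= delay_s}
            weight = sum(low_weight if p < 1024 else high_weight for p in ports)
            if weight >= weight_threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    for name, rules in classify_packets().items():
        print(f"{name:13s} -> {rules or 'no match'}")
    print("psd flags:", psd_flagged_sources(SCAN_EVENTS))   # {'192.168.0.2'}
```

The XMAS probe matches only the fourth rule, ordinary SYN, data and FIN/ACK segments match none, and the scan's eight privileged ports alone weigh 24, which is why the psd rule fires even before the 8080 probe is counted.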
o2. Drop SSH BruteForce
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
| action=drop comment="Drop SSH brute forcers" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
| src-address-list=ssh_stage3 action=add-src-to-address-list \
| address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
| disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
| src-address-list=ssh_stage2 action=add-src-to-address-list \
| address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
| src-address-list=ssh_stage1 action=add-src-to-address-list \
| address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
| action=add-src-to-address-list address-list=ssh_stage1 \
| address-list-timeout=1m comment="" disabled=no
-----------------------------------------------------------------------------------
o3. Drop FTP BruteForce
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
| action=drop comment="Drop FTP brute forcers" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" \
| dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" \
| action=add-dst-to-address-list address-list=ftp_blacklist \
| address-list-timeout=3h comment="" disabled=no
-----------------------------------------------------------------------------------
o4. Drop HTTP/HTTPS BruteForce
Minimises brute-force attacks against the http/https ports of RouterOS,
such as:
------------------------------------------------------------------------------------
D:\fscan>fscan.exe --ports 80 --hosts 192.168.0.1 --threads 200
Fast HTTP Auth Scanner v0.6
(c) Andres Tarasco - http://www.514.es
[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active
Server Port status password banner
192.168.0.1 80 200 not:found (mikrotik routeros)
scan Finished
D:\fscan>
------------------------------------------------------------------------------------
Looking at the RouterOS log:
------------------------------------------------------------------------------------
[admin@MikroTik] > log print
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user 1234 from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user operator from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user super from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user test from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user smc from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user support from 192.168.0.2 via web
16:52:17 system,error,critical login failure for user admin via local
------------------------------------------------------------------------------------
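A defender reading this log wants the same judgement automated. The script below is an added example, not code from the original post: it parses RouterOS login-failure lines in the format shown, groups them by source address, and alerts when one source fails five or more times within a minute (threshold and window are my choices). The sample lines are taken from the log above, including the entry with an empty user name and the `via local` entry that has no `from <address>` part, plus one constructed line (a single ssh failure from 192.168.0.3) that must not trigger an alert.

```python
"""Spotting the web brute force in RouterOS log output.

Added example, not code from the original post. It parses "login failure"
lines of the format shown above and raises an alert for any source that
fails threshold-or-more times inside a sliding window. The sample lines are
a subset of the log above plus one constructed line (192.168.0.3 via ssh).
"""
import re
from collections import defaultdict

# "user" may be absent (empty user name) and "from <addr>" is missing for
# local console failures; both groups are therefore optional.
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>\S+) login failure for user"
    r"(?: (?P<user>\S+))?(?: from (?P<src>\S+))? via (?P<via>\S+)$"
)

SAMPLE_LOG = """\
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user 1234 from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user support from 192.168.0.2 via web
16:50:10 system,error,critical login failure for user admin from 192.168.0.3 via ssh
16:52:17 system,error,critical login failure for user admin via local
"""


def parse_line(line):
    """Return a dict for a login-failure line, or None for any other line.
    user is "" when the attempt carried no user name; src is None when the
    attempt was local (no "from <address>")."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {
        "t": h * 3600 + mi * 60 + s,
        "topics": m["topics"].split(","),
        "user": m["user"] or "",
        "src": m["src"],
        "via": m["via"],
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert on any source with >= threshold failures within window_s seconds.
    Local failures are grouped under their 'via' value instead of an address.
    Returns {source: {"count", "users", "via"}} with totals for that source."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"] or event["via"]].append(event)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["t"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["t"] - first["t"] <= window_s]
            if len(in_window) >= threshold:
                alerts[src] = {
                    "count": len(events),
                    "users": sorted({e["user"] for e in events}),
                    "via": sorted({e["via"] for e in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {info['count']} failures via {info['via']}, "
              f"users tried: {info['users']}")
```

The list of user names tried is worth keeping in the alert: the dictionary-style sequence (admin, Admin, cisco, 1234, root, support) is itself a strong indicator that a tool rather than a forgetful administrator is at work.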
Add the rules to the RouterOS firewall:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
| action=drop comment="Drop Web brute forcers" disabled=no
| add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
| action=drop comment="" disabled=no
| add chain=output protocol=tcp content="invalid user name or password" \
| dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
| add chain=output protocol=tcp content="invalid user name or password" \
| action=add-dst-to-address-list address-list=web_blacklist \
| address-list-timeout=3h comment="" disabled=no
-----------------------------------------------------------------------------------
Running the brute force again gives:
-----------------------------------------------------------------------------------
[admin@MikroTik] ip firewall address-list> pr
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Save Haven 192.168.0.3-192.168.0.5
1 D Save Haven 192.168.0.2
2 D web_blacklist 192.168.0.2
[admin@MikroTik] ip firewall address-list>
D:\fscan>fscan.exe --ports 80 --hosts 192.168.0.1 --threads 200
Fast HTTP Auth Scanner v0.6
(c) Andres Tarasco - http://www.514.es
[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active
Server Port status password banner
scan Finished
D:\fscan>
-----------------------------------------------------------------------------------
o5. PortKnocking Rule
Add the rules to the firewall filter:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
| address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
| disabled=no
| add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
| action=add-src-to-address-list address-list="Save Haven" \
| address-list-timeout=3h comment="" disabled=no
| add chain=input src-address-list="Save Haven" action=accept comment="" \
| disabled=no
| add chain=input action=drop comment="" disabled=no
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
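The SSH brute-force rules (set 2) and the port-knocking rules (set 5) both work by moving a source address through dynamic address lists with short timeouts, so a timeline is the clearest way to see what they do. The Python model below is an added example, not part of the original post: it keeps address-list entries with their expiry, the way `ip firewall address-list` does, and runs one packet at a time through each rule set in the order given above. It assumes that the add-src-to-address-list action does not stop rule processing (the packet is still checked against the rules below it), and the addresses and timings are constructed.

```python
"""How the staged SSH lists and the port-knocking lists behave over time.

Added example, not code from the original post. Dynamic address-list entries
are kept with their timeouts, and each packet is walked through the post's
SSH brute-force rules or port-knocking rules top to bottom. Assumption of
the model: add-src-to-address-list does not terminate rule processing.
Times are seconds; addresses, ports and timestamps are constructed.
"""
MINUTE, HOUR, DAY = 60, 3600, 86400


class AddressLists:
    """Dynamic entries: (list name, address) -> expiry time."""

    def __init__(self):
        self.entries = {}

    def add(self, name, addr, now, timeout):
        """Adding an address that is already listed refreshes its timeout."""
        self.entries[(name, addr)] = now + timeout

    def has(self, name, addr, now):
        expiry = self.entries.get((name, addr))
        if expiry is None:
            return False
        if now >= expiry:              # timed out: RouterOS removes the entry
            del self.entries[(name, addr)]
            return False
        return True


def ssh_new_connection(lists, src, now):
    """One new TCP/22 connection through the five SSH rules in the post's order.
    A source climbs stage1 -> stage2 -> stage3 on successive new connections
    made within a minute of each other; the fourth puts it on ssh_blacklist
    for 1w3d (10 days), and every later connection from it is dropped."""
    if lists.has("ssh_blacklist", src, now):
        return "drop"
    if lists.has("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, 10 * DAY)
    if lists.has("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, MINUTE)
    if lists.has("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, MINUTE)
    lists.add("ssh_stage1", src, now, MINUTE)
    return "pass"            # handed on to the rest of the input chain


def knock_input_packet(lists, src, proto, dport, now):
    """One input packet through the four port-knocking rules plus the final drop.
    TCP/1337 opens a 15 s window; UDP/17954 inside that window puts the source
    in "Save Haven" for 3 h, after which everything from it is accepted.
    Whether the knock packet itself is accepted in the same pass is not
    something this model claims; only later packets are asserted on."""
    if proto == "tcp" and dport == 1337:
        lists.add("knock-knock", src, now, 15)
    if proto == "udp" and dport == 17954 and lists.has("knock-knock", src, now):
        lists.add("Save Haven", src, now, 3 * HOUR)
    if lists.has("Save Haven", src, now):
        return "accept"
    return "drop"


if __name__ == "__main__":
    lists = AddressLists()
    # Constructed: a scripted client opening a new SSH connection every 5 s.
    print([ssh_new_connection(lists, "192.168.0.2", t) for t in range(0, 25, 5)])
    # Constructed: an administrator reconnecting every two minutes never escalates.
    print([ssh_new_connection(AddressLists(), "192.168.0.3", t) for t in range(0, 600, 120)])
    knock = AddressLists()
    print(knock_input_packet(knock, "192.168.0.2", "icmp", None, 0))   # drop
    knock_input_packet(knock, "192.168.0.2", "tcp", 1337, 1)
    knock_input_packet(knock, "192.168.0.2", "udp", 17954, 2)
    print(knock_input_packet(knock, "192.168.0.2", "icmp", None, 3))   # accept
```

Two properties fall out of the timeline that the rule listing alone does not make obvious: the stage lists expire after one minute, so a legitimate user who reconnects less often than that never climbs past stage1, and the knock only counts when the UDP hit follows the TCP hit within 15 seconds, so reversing the order or waiting too long leaves the source dropped by the final rule.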
# Download the port-knocking tool
D:\>wget http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip
# Extract the file
D:\knock>dir
Volume in drive D is ---data.
Volume Serial Number is 20B3-1A4D
Directory of D:\knock
19/07/2008 15:24 <DIR> .
19/07/2008 15:24 <DIR> ..
03/07/2005 02:30 1.295.582 cygwin1.dll
10/08/2005 14:52 15.238 knock.exe
2 File(s) 1.310.820 bytes
2 Dir(s) 714.395.648 bytes free
D:\knock>
C:\Documents and Settings\adminz>ping 192.168.0.1 -t
Pinging 192.168.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.1:
Packets: Sent = 6, Received = 0, Lost = 6 (100% loss),
Control-C
^C
C:\Documents and Settings\adminz>
D:\>telnet 192.168.0.1 22
Connecting To 192.168.0.1...Could not open connection to the host, on port 22: C
onnect failed
D:\>putty -ssh -l admin 192.168.0.1
D:\>
---------------------------------------------
|PuTTY Fatal Error [x]|
|-------------------------------------------|
| |
| (X) Network error: Connection timed out |
| |
| +-----------+ |
| | OK | |
| +-----------+ |
| |
---------------------------------------------
D:\knock>knock.exe
usage: knock [options] <host> <port[:proto]> [port[:proto]] ...
options:
-u, --udp make all ports hits use UDP (default is TCP)
-v, --verbose be verbose
-V, --version display version
-h, --help this help
example: knock myserver.example.com 123:tcp 456:udp 789:tcp
D:\knock>knock 192.168.0.1 1337:tcp 17954:udp
D:\knock>
C:\Documents and Settings\adminz>ping 192.168.0.1 -t
Pinging 192.168.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.1:
Packets: Sent = 18, Received = 11, Lost = 7 (38% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>
D:\>putty -ssh -l admin 192.168.0.1
D:\>
=======================================================================================
| 192.168.0.1 - PuTTY [_][O][X]|
|-------------------------------------------------------------------------------------+
|Using username "admin". [^]|
|admin@192.168.0.1's password: | ||
| | ||
| MMM MMM KKK TTTTTTTTTTT KKK | ||
| MMMM MMMM KKK TTTTTTTTTTT KKK | ||
| MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK | ||
| MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK | ||
| MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK | ||
| MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK | ||
| | ||
| MikroTik RouterOS 2.9.27 (c) 1999-2006 http://www.mikrotik.com/ | ||
| | ||
|Terminal xterm detected, using multiline input mode | ||
|[admin@MikroTik] > log print | ||
|17:38:31 system,info,account user admin logged in from 192.168.0.2 via ssh [v]|
=======================================================================================
Export file configuration
-------------------------;
/ ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="Drop Port \
Scanners" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="" \
disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="" \
disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
action=drop comment="Drop FTP brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
action=drop comment="Drop Web brute forcers" disabled=no
add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
action=drop comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
action=add-dst-to-address-list address-list=web_blacklist \
address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
disabled=no
add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
action=add-src-to-address-list address-list="Save Haven" \
address-list-timeout=3h comment="" disabled=no
add chain=input src-address-list="Save Haven" action=accept comment="" \
disabled=no
add chain=input action=drop comment="" disabled=no
### Other Security
o SSH key (public/private key) authentication
Generate a public and private key pair
Using ssh-keygen on *NIX
sh$ ssh-keygen -t dsa -f ./id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_dsa.
Your public key has been saved in ./id_dsa.pub.
The key fingerprint is:
91:d7:08:be:b6:a1:67:5e:81:02:cb:4d:47:d6:a0:3b admin-ssh@beka
Using PuTTYgen on Windows
Upload the public key file to RouterOS using scp, then import the file:
[admin@MikroTik] user ssh-keys> import file=id_dsa.pub user=admin-ssh
[admin@MikroTik] user ssh-keys> print
# USER KEY-OWNER
0 admin-ssh admin-ssh@beka
[admin@MikroTik] user ssh-keys>
o Firewall - http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
o Syslog Daemon
QoS (Quality of Service) on Mikrotik depends heavily on HTB (Hierarchical Token Bucket). HTB lets us structure queues by grouping them into levels. What many people do not realise is that if HTB is not implemented in the queues (whether Simple Queue or Queue Tree), several parameters do not behave the way we expect. The parameters that do not work are priority and dual limitation (CIR / MIR).
In this article we take a simple QoS system as an example: we want to allocate 400kbps of bandwidth to 3 clients, where each client may receive at most 200kbps. The three clients have different priorities: 1, 2 and 3.
To make monitoring and verification easier, we will use the queue tree.
The simplest way to queue with the queue tree is to set the parameters:
- parent (which must be set to the outgoing interface),
- packet-mark (which must first be created in ip-firewall-mangle),
- max-limit (the maximum speed limit), also known as MIR (Maximum Information Rate)
For the first experiment, all priorities are set to the same value, 8, and the limit-at parameter is left empty. The following figure illustrates what happens with the configuration above.

Because only 400kbps of bandwidth is available while the three clients together demand more than that (600 kbps), the three clients fight over it, and it cannot be predicted who will win (use the full bandwidth) and who will lose (not get the expected bandwidth).
Suppose q1 is the client with the highest priority and q3 the client with the lowest. We now enter a priority value for each client according to its rank.

As the figure above shows, even though q1 now has the highest priority, the three clients are still fighting over bandwidth and nothing is under control.
The next figure applies the limit-at value. In principle, limit-at is the CIR (Committed Information Rate): the rate a client receives whatever else is happening, as long as the bandwidth is actually available.

It turns out q1 still does not receive bandwidth matching its limit-at (CIR), even though the 400kbps available should be enough to supply each client with its limit-at.
Next, we use a parent queue and place the three client queues as children of the parent queue we create. On the parent queue we only need to enter the outgoing interface in the parent parameter, and for the three children we change the parent parameter to the name of the parent queue. To begin with, we do not yet set a max-limit on the parent queue, and we remove the limit-at parameter from all clients.

As the example above shows, because we did not set a max-limit on the parent, the priority of the children cannot be maintained either.
Only after we set the max-limit parameter on the parent queue do the client priorities take effect.

In the example above, q1 and q2 receive almost their max-limit while q3 gets almost no bandwidth. Priority is working correctly. In a real deployment, however, we certainly do not want a client that receives no bandwidth at all.
For that we need to set a limit-at value on each client. limit-at is the minimum rate the client will receive, and it is not disturbed by other clients, however much bandwidth they 'suck up' and whatever their priority. We set 75kbps as the limit-at on all clients.

We see that q3, which has the lowest priority, receives bandwidth equal to its limit-at. q1, which has the highest priority, can receive its max-limit, while q2, whose priority lies between q1 and q3, receives more than its limit-at but does not reach its max-limit. In the example above, every client is guaranteed its limit-at, and any remainder is distributed according to each client's priority until the total reaches the parent's max-limit.
The sum of all limit-at values must not exceed the parent's max-limit. If it does, as in the example below where the three clients' limit-at values add up to 600kbps while the parent's max-limit is only 400kbps, the parent's max-limit will leak. The example below assumes that the total capacity really can reach the sum of the limit-at values. If the available bandwidth does not reach the total limit-at, the clients fight over bandwidth again and the priority system stops working.

As for max-limit: a client's max-limit must not exceed the parent's max-limit. If it does, the client will never reach its max-limit and will only get a maximum rate equal to the parent's max-limit (which is smaller than the client's max-limit).

If all clients have the same priority, they share the remaining bandwidth. As the example below shows, all clients receive the same bandwidth, about 130kbps (400kbps in total divided by 3).

Things to remember about HTB:
- HTB only works if the client queue rules sit under at least one level of parent, every client queue has limit-at and max-limit parameters, and the parent queue has a max-limit value.
- The sum of all clients' limit-at values must not exceed the parent's max-limit.
- Each client's max-limit must be less than or equal to the parent's max-limit.
- The top-level parent only needs a max-limit (it does not need a limit-at parameter).
- For every parent and sub-parent, the priority parameter is not taken into account. Priority is only considered on child queues.
- Priority is only evaluated after all limit-at values (on child queues as well as sub-parents) have been satisfied.
A practical guide to calculating limit-at and max-limit
Assume the available bandwidth is 1000kbps and the total number of clients is 70. What we need to know is:
- The maximum number of clients using the internet at the same time. This is not necessarily the number of computers, if not all clients are ever connected simultaneously. For this case we assume it is 50.
- The minimum number of clients using the internet at the same time. For this case we assume it is 10.
So, for each client (one queue rule per client), limit-at is 1000 / 50 = 20kbps and max-limit is 1000 / 10 = 100 kbps.
Do not forget to add a parent with a max-limit of 1000kbps (no limit-at needed) and to place all client queues under that parent queue. If certain terminals need higher priority, we can use different priorities according to their order of importance.
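The HTB rules listed above and the calculation guide that follows can both be checked in code. The Python model below is an added example, not from the article: `allocate` hands each child its limit-at first and then shares the remainder by priority up to each max-limit (the article's reading of HTB), `validate` checks the constraints from the list above, `plan_limits` applies the 1000 / 50 and 1000 / 10 rule of thumb, and `to_queue_tree` renders the result as `/queue tree add` commands. It assumes every child always has traffic waiting, rates in kbps, and packet-marks named after their queues (a naming choice of mine, not a RouterOS requirement).

```python
"""Toy model of HTB bandwidth sharing in a RouterOS queue tree.

Added example, not code from the article. Assumptions of the model: rates in
kbps, every child queue is always backlogged (has traffic waiting), and a
lower priority number means higher priority (RouterOS: 1 = highest, 8 = lowest).
"""
from dataclasses import dataclass


@dataclass
class ChildQueue:
    name: str
    limit_at: float          # CIR, the guaranteed rate
    max_limit: float         # MIR, the ceiling
    priority: int = 8        # 1 (highest) .. 8 (lowest, the default)


def validate(parent_max_limit, children):
    """Return the HTB rules from the article that this configuration breaks."""
    problems = []
    total_cir = sum(c.limit_at for c in children)
    if total_cir > parent_max_limit:
        problems.append(f"sum of limit-at ({total_cir:g}) exceeds parent max-limit ({parent_max_limit:g})")
    for c in children:
        if c.max_limit > parent_max_limit:
            problems.append(f"{c.name}: max-limit {c.max_limit:g} exceeds parent max-limit {parent_max_limit:g}")
        if c.limit_at > c.max_limit:
            problems.append(f"{c.name}: limit-at {c.limit_at:g} exceeds its own max-limit {c.max_limit:g}")
    return problems


def allocate(parent_max_limit, children):
    """Share parent_max_limit kbps among backlogged children.

    Step 1: every child first receives its limit-at (CIR).
    Step 2: the remainder goes to children in priority order, each up to its
    max-limit (capped by the parent); equal priorities share equally.
    If the CIRs alone exceed the parent, the parent 'leaks' as the article says.
    """
    ceiling = {c.name: min(c.max_limit, parent_max_limit) for c in children}
    alloc = {c.name: min(c.limit_at, ceiling[c.name]) for c in children}
    remaining = parent_max_limit - sum(alloc.values())
    for prio in sorted({c.priority for c in children}):
        group = [c for c in children if c.priority == prio]
        while remaining > 1e-9:
            hungry = [c for c in group if alloc[c.name] < ceiling[c.name] - 1e-9]
            if not hungry:
                break
            share = remaining / len(hungry)          # water-filling within a priority
            for c in hungry:
                grant = min(share, ceiling[c.name] - alloc[c.name])
                alloc[c.name] += grant
                remaining -= grant
    return alloc


def plan_limits(available_kbps, max_concurrent, min_concurrent):
    """The article's rule of thumb: limit-at = bandwidth / max simultaneous
    clients, max-limit = bandwidth / min simultaneous clients."""
    return available_kbps / max_concurrent, available_kbps / min_concurrent


def to_queue_tree(parent_name, interface, parent_max_limit, children):
    """Render the configuration as /queue tree commands. The packet-mark is
    assumed to carry the same name as the queue (a naming choice, not a rule)."""
    lines = [f"/queue tree add name={parent_name} parent={interface} max-limit={parent_max_limit:g}k"]
    for c in children:
        lines.append(
            f"/queue tree add name={c.name} parent={parent_name} packet-mark={c.name} "
            f"limit-at={c.limit_at:g}k max-limit={c.max_limit:g}k priority={c.priority}"
        )
    return lines


if __name__ == "__main__":
    clients = [ChildQueue("q1", 75, 200, 1), ChildQueue("q2", 75, 200, 2), ChildQueue("q3", 75, 200, 3)]
    print(validate(400, clients))            # [] : the configuration obeys the HTB rules
    print(allocate(400, clients))            # q1 200, q2 125, q3 75, as in the article
    print(plan_limits(1000, 50, 10))         # (20.0, 100.0)
    print("\n".join(to_queue_tree("total", "ether1", 400, clients)))
```

Running the three worked cases from the article through `allocate` reproduces its figures: with limit-at 75 and priorities 1, 2, 3 the split is 200 / 125 / 75; with equal priorities and no limit-at each client gets 400 / 3; and a child whose max-limit exceeds the parent is silently capped at the parent's value, which `validate` reports as a configuration error.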
Written by: Valens Riyadi – MIKROTIK INDONESIA – www.mikrotik.co.id