Setting Mikrotik part 3 (Separating Local and International Bandwidth)

While running Mikrotik Indonesia we have received many questions about how to separate the queues for international internet traffic from the traffic to the Indonesian internet (OpenIXP and IIX). Several websites already show how to do this separation, but we will try to present it again as simply as possible so that it is easy to follow.

In this article we assume that:
The Mikrotik router performs masquerading / src-nat for the clients, and the clients use private IP addresses.
Only one gateway is used, for both international and IIX traffic.
You may use the internal web-proxy or no web-proxy at all. If you use the web-proxy, a few additional rules are needed; pay attention to the NAT and MANGLE sections in the examples below.
If any of the parameters above differ from your situation in the field, you must modify the configuration in this article to match your own network configuration.


Basic Settings

Below is the network diagram and the IP address assumptions used in this example.



To make the examples easier to follow, we renamed each interface according to its role.

[admin@MikroTik] > /interface pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME          TYPE    RX-RATE  TX-RATE  MTU
 0  R ether-public  ether   0        0        1500
 1  R ether-local   ether   0        0        150



For the clients we use the IP block 192.168.0.0/24; the address 192.168.0.1 serves as the gateway and is assigned on the router's ether-local interface. Clients can use the addresses 192.168.0.2 through 192.168.0.254 with subnet mask 255.255.255.0.

[admin@MikroTik] > /ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS          NETWORK      BROADCAST      INTERFACE
 0   202.0.0.1/24     202.0.0.0    202.0.0.255    ether-public
 1   192.168.0.1/24   192.168.0.0  192.168.0.255  ether-local


Don't forget to configure the DNS server on the router and enable the "allow remote requests" feature. Because that setting makes the router answer DNS queries on every interface, block port 53 on ether-public with a firewall filter rule so the router does not become an open resolver for the internet side.

Because the clients use private IP addresses, we must perform src-nat as in the following example.

[admin@MikroTik] > /ip fi nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether-public action=masquerade



If you use a transparent web-proxy, you need to add a NAT redirect rule, as shown in the example below (the additional rule is rule 1).

[admin@MikroTik] > /ip fi nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether-public action=masquerade

 1   chain=dstnat in-interface=ether-local protocol=tcp dst-port=80
     action=redirect to-ports=8080

Don't forget to enable the web-proxy feature and set the web-proxy service port so that it matches the redirect port in the example above.

CHECK: Make sure the whole configuration works so far. Ping a destination outside your network, first from the router and then from a client.



IP Address List Settings

Starting with Mikrotik RouterOS version 2.9 there is a feature called IP Address List. It groups a set of IP addresses or subnets under a name, and that named group can then be used as a match parameter in mangle, firewall filter, NAT and queue rules.

Mikrotik Indonesia provides a list of the IP addresses advertised at OpenIXP and IIX, which can be downloaded freely from the URL: http://www.mikrotik.co.id/getfile.php?nf=nice.rsc

The nice.rsc file is generated automatically on the Mikrotik Indonesia server every morning at around 05:30, and the data is optimised to remove duplicate entries and overlapping subnets. At the time of writing the script is around 430 lines long.

Example contents of nice.rsc:

# Script created by: Valens Riyadi @ www.mikrotik.co.id
# Generated at 26 April 2007 05:30:02 WIB ... 431 lines
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="125.163.0.0/16"
add list=nice address="152.118.0.0/16"
add list=nice address="125.160.0.0/16"
add list=nice address="125.161.0.0/16"
add list=nice address="125.164.0.0/16"
...
etc.

The dummy entry 1.2.3.4 followed by "rem [find list=nice]" makes sure the list exists and is emptied before the real entries are added, so re-importing the file every day does not accumulate stale entries.




Save the file on your computer as nice.rsc, then FTP to the Mikrotik router and upload the file. The example below shows the upload from an MS-DOS prompt. Plain FTP sends the admin password unencrypted, so do this from the trusted LAN side only, as in this example.

C:\>dir nice.*
 Volume in drive C has no label.
 Volume Serial Number is 5418-6EEF

 Directory of C:\

04/26/2007  06:42p              17,523 nice.rsc
               1 File(s)         17,523 bytes
               0 Dir(s)  47,038,779,392 bytes free

C:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 R&D FTP server (MikroTik 2.9.39) ready
User (192.168.0.1:(none)): admin
331 Password required for admin
Password: ********
230 User admin logged in

ftp> ascii
200 Type set to A
ftp> put nice.rsc

200 PORT command successful
150 Opening ASCII mode data connection for '/nice.rsc'
226 ASCII transfer complete
ftp: 17523 bytes sent in 0.00Seconds 17523000.00Kbytes/sec.

ftp> bye
221 Closing

C:\>



After the file has been uploaded, import it.

[admin@MikroTik] > import nice.rsc

Opening script file nice.rsc
Script file loaded and executed successfully






Make sure the import succeeded by checking the Address List under the IP - Firewall menu.

The upload can also be automated if you have some scripting knowledge. For example, write a shell script on Linux that downloads the file and uploads it to the router automatically every morning at 06:00, and then create a scheduler entry on the router that imports the file.

If you are using RouterOS version 3.x, the update can also be done automatically on the router itself.

The command to create is:

/system scheduler add comment="update-nice" disabled=no interval=1d name="update-nice-rsc" on-event=":if ([:len [/file find name=nice.rsc]] > 0) do={/file remove nice.rsc}; /tool fetch address=ixp.mikrotik.co.id src-path=/download/nice.rsc; /import nice.rsc" start-date=jan/01/1970 start-time=06:00:00

The scheduler first removes any old copy of nice.rsc, fetches the fresh file and imports it. Keep in mind that /import executes whatever the fetch retrieved as a RouterOS script with the scheduler's rights, so the download path to the update server must be trustworthy; a substituted file would run on the router unchecked.




Mangle Settings

The next step is to create the mangle rules. We need one connection mark and two packet marks, one for international and one for local traffic.

[admin@MikroTik] > /ip firewall mangle pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting in-interface=ether-local dst-address-list=nice
     action=mark-connection new-connection-mark=conn-iix passthrough=yes

 1   chain=prerouting connection-mark=conn-iix
     action=mark-packet new-packet-mark=packet-iix passthrough=no

 2   chain=prerouting action=mark-packet new-packet-mark=packet-intl passthrough=no

For rule #0, make sure you pick the interface facing the clients. For the chain we use prerouting, and for both packet-mark rules we use passthrough=no. Rule #0 keeps passthrough=yes so that the same packet continues to rule #1 and receives packet-iix; rule #1 then stops processing, otherwise rule #2 would overwrite the mark with packet-intl. Because the mark is placed on the connection, the reply packets arriving from ether-public are also recognised as IIX traffic even though rule #0 only matches on ether-local.

If you use the internal web-proxy and redirect traffic to it, you need 2 additional rules as in the example below (the additional rules are rules 2 and 4). Packets that the proxy itself sends originate on the router and pass through the output chain instead of prerouting, so they need their own packet-mark rules.

[admin@MikroTik] > /ip firewall mangle pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting in-interface=ether-local dst-address-list=nice
     action=mark-connection new-connection-mark=conn-iix passthrough=yes

 1   chain=prerouting connection-mark=conn-iix
     action=mark-packet new-packet-mark=packet-iix passthrough=no

 2   chain=output connection-mark=conn-iix
     action=mark-packet new-packet-mark=packet-iix passthrough=no

 3   chain=prerouting action=mark-packet new-packet-mark=packet-intl passthrough=no

 4   chain=output action=mark-packet new-packet-mark=packet-intl passthrough=no




Simple Queue Settings

For each client we must create 2 simple queue rules. In the following example we limit the client IP 192.168.0.2/32, giving it an IIX limit (up/down) of 64k/256k and an international limit (up/down) of 32k/128k.

[admin@MikroTik] > /queue simple pr
Flags: X - disabled, I - invalid, D - dynamic
 0   name="client02-iix" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0
     interface=all parent=none packet-marks=packet-iix direction=both priority=8
     queue=default-small/default-small limit-at=0/0 max-limit=64000/256000
     total-queue=default-small

 1   name="client02-intl" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0
     interface=all parent=none packet-marks=packet-intl direction=both priority=8
     queue=default-small/default-small limit-at=0/0 max-limit=32000/128000
     total-queue=default-small
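The following Python script is an added example, not part of the original article and not Mikrotik code: it replays the three pieces of the setup above in software, so you can see how the address list, the mangle rules and the simple queues fit together. It parses a constructed nice.rsc-style script (the "add ... rem [find list=nice] ... add" sequence from the sample), emulates the three prerouting mangle rules including the passthrough behaviour and the connection mark that covers reply packets, and then picks the simple queue that would apply. The network 198.51.100.0/24 and the sample addresses are assumptions made for the demo; Packet, mangle, select_queue and demo are names chosen here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the nice.rsc format shown above; it is NOT the real
# list published by Mikrotik Indonesia, just a few networks for the demo.
NICE_RSC = """\
# Script created by: (constructed sample for this example)
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="152.118.0.0/16"
add list=nice address="125.160.0.0/16"
"""

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # the client block from the article


def parse_address_list(script, list_name="nice"):
    """Replay the address-list commands of a nice.rsc-style script in order.
    'add' appends a network; 'rem [find list=...]' empties the list, which is
    why the dummy 1.2.3.4 entry at the top never survives the import."""
    nets = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("/"):
            continue
        if line.startswith("rem") and f"list={list_name}" in line:
            nets.clear()
        elif line.startswith("add") and f"list={list_name}" in line:
            addr = line.split('address="', 1)[1].split('"', 1)[0]
            nets.append(ipaddress.ip_network(addr, strict=False))
    return nets


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str   # "ether-local" or "ether-public"
    conn_id: int        # the connection-tracking entry the packet belongs to


def mangle(packets, nice, conn_marks=None):
    """Emulate the three prerouting mangle rules from the article.
    Rule 0: a packet from ether-local to a 'nice' destination marks its
            connection conn-iix (passthrough=yes, so rule 1 still runs).
    Rule 1: every packet of a conn-iix connection gets packet-iix
            (passthrough=no, so rule 2 cannot overwrite the mark).
    Rule 2: everything else gets packet-intl."""
    conn_marks = {} if conn_marks is None else conn_marks
    marks = []
    for p in packets:
        dst = ipaddress.ip_address(p.dst)
        if p.in_interface == "ether-local" and any(dst in n for n in nice):
            conn_marks[p.conn_id] = "conn-iix"
        marks.append("packet-iix" if conn_marks.get(p.conn_id) == "conn-iix" else "packet-intl")
    return marks


# name -> (target-addresses, packet-marks, max-limit upload/download in bit/s)
SIMPLE_QUEUES = {
    "client02-iix": ("192.168.0.2", "packet-iix", (64000, 256000)),
    "client02-intl": ("192.168.0.2", "packet-intl", (32000, 128000)),
}


def select_queue(packet, mark):
    """First simple queue whose target is the client end of the packet and whose
    packet-marks equals the mark mangle assigned; direction=both means the same
    queue serves uploads and downloads."""
    client = packet.src if ipaddress.ip_address(packet.src) in LOCAL_NET else packet.dst
    for name, (target, pm, limits) in SIMPLE_QUEUES.items():
        if target == client and pm == mark:
            return name, limits
    return None, None


def demo():
    """Two flows from client 192.168.0.2: one to an IIX network, one abroad,
    each followed by its reply packet arriving on ether-public."""
    nice = parse_address_list(NICE_RSC)
    flows = [
        Packet("192.168.0.2", "125.162.10.10", "ether-local", 1),
        Packet("125.162.10.10", "192.168.0.2", "ether-public", 1),
        Packet("192.168.0.2", "198.51.100.7", "ether-local", 2),   # constructed non-IIX host
        Packet("198.51.100.7", "192.168.0.2", "ether-public", 2),
    ]
    marks = mangle(flows, nice)
    return [(p.dst, m, select_queue(p, m)[0]) for p, m in zip(flows, marks)]


if __name__ == "__main__":
    for dst, mark, queue in demo():
        print(f"{dst:>16}  {mark:<12} -> {queue}")
```

Note that the queue a client ends up in is decided entirely by the contents of the address list, so the integrity of the daily nice.rsc download matters: an entry wrongly added to the list moves that destination into the larger IIX queue for every client.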








Final Check

When everything is done, test it by accessing both local and international sites, and watch the counters on the firewall mangle rules as well as on the simple queues.

You can also extend the queue type to use pcq so that the traffic of each client is spread evenly.

Source: http://www.mikrotik.co.id/artikel_lihat.php?id=23

How to Open a Linksys WRT54G

The Linksys WRT54G


Antenna removal



Antenna removal is easy on most Linksys 802.11 routers. Just unscrew both antennas from the main router unit.

Removing the case


Forcefully pinching the front case on the Linksys WRT54G separates the front cover from the unit's rear compartment. Removal requires that a tamper-proof sticker (bottom right) be separated from the case. Breaking the seal, of course, voids the manufacturer's warranty.

The front cover removed



Here you can see the front cover of the WRT54G removed from the main unit. Note the warranty-voiding protective seal toward the bottom left.

The circuit board



Removing the front cover reveals the WRT54G circuit board. The LEDs display power, DMZ, WLAN, Ethernet port and Internet status, while the pushbutton enables Linksys' Secure Easy Setup.

Secure Easy Setup


The pushbutton, typically hidden behind the Linksys front panel, enables Secure Easy Setup.

Main circuit board


The main board hosts numerous circuits, the radio antennae connectors, Ethernet ports, the Broadcom CPU that powers the unit and Hynix RAM, among other items. Note that the main board is still attached to the unit's plastic bottom.

The main circuit board


Here's the main circuit board removed from the bottom panel. Note the capacitors (circled in red). The capacitors should be flat on top, as shown here. Rounded or leaking tops are a sign the unit suffered an electrical surge and needs to be replaced.

The bottom panel


Wireless connections sprout from the main board, circled in red here. Note the first wireless antenna connection is integrated to the main board.

The main circuits


Circled on top are the Broadcom CPU that powers the Linksys WRT54G, as well as the Hynix RAM module. Below are various microchips that help manage the unit's firewall, routing and network features.

That's it. I got it from this website and am giving it back to you.

link :

http://techrepublic.com.com/2346-1035_11-62182-1.html

http://aoisound.blogspot.com/2009/03/bagaimana-cara-membuka-linksys-wrt54g.html

Setting Up A FreeRadius Based AAA Server With MySQL & Management With Daloradius

Submitted by awan on Fri, 2008-08-15 18:48 :: Ubuntu

This tutorial explains how you can set up a FreeRadius (1.1.7) server with Wifi authentication and accounting in conjunction with MySQL, and web management with Daloradius, on Ubuntu 8.04 LTS Server Edition. This howto should work for a novice. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities if something goes wrong.

(For a basic how-to refer to the doc http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5.)

The following steps are involved:
Building Ubuntu 8.04 .debs (for eap/ttls support)
Installing the binary packages
Configuring the FR with MySQL
Setting up web management with Daloradius


Step 1 - Building Ubuntu 8.04 packages

Note: Those who don't need openssl/tls/ttls (certificates etc.) can just fetch the FR packages from the Ubuntu repos with apt-get and skip to step 3.

Before building the FreeRadius Ubuntu 8.04 package we have to apt-get some packages, necessary for the build process.

sudo su -

apt-get install debhelper libltdl3-dev libpam0g-dev \
libmysqlclient15-dev build-essential libgdbm-dev \
libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp \
autotools-dev dpatch libperl-dev libtool dpkg-dev libpq-dev \
libsnmp-dev libssl-dev

Get hold of the FreeRadius sources and start building the package like given below.

cd ~
apt-get source freeradius

Note: It is recommended that you carry this building process on a non-production server & move the final binary packages over to the production server. But it isn't mandatory if you know what you're doing.

cd freeradius-1.1.7/

Edit rule file (debian/rules):

vi debian/rules

Now search for these lines:
--without-rlm_eap_tls \
--without-rlm_eap_ttls \
--without-rlm_eap_peap \

and change them to look like this.
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \


Also in the same file replace the text " --without-openssl " with " --with-openssl "

Now search for these lines and delete them.
for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; do \
	if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
		echo "$$pkg links to openssl" ;\
		exit 1 ;\
	fi ;\
done

Save changes and quit vi. Now edit the control file (debian/control):

vi debian/control

Search for the line:
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev

and append libssl-dev to the end of this line so that it looks like this.
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev, libssl-dev

Save the changes and quit vi.

Assuming you are here ~/freeradius-1.1.7. Start building packages:

dpkg-buildpackage -rfakeroot

Note: You might still require some packages for this. apt-get/aptitude them & rerun the build process.

After a while (depending on your system) you should have some .deb files in the home directory.

freeradius_1.1.7-1build4_i386.deb
freeradius-dbg_1.1.7-1build4_i386.deb
freeradius-dialupadmin_1.1.7-1build4_all.deb
freeradius-iodbc_1.1.7-1build4_i386.deb
freeradius-krb5_1.1.7-1build4_i386.deb
freeradius-ldap_1.1.7-1build4_i386.deb
freeradius-mysql_1.1.7-1build4_i386.deb
freeradius-postgresql_1.1.7-1build4_i386.deb

Move these to a production server if this is your development workstation. (In this setup you won't be needing the postgresql , ldap, krb5 , iodbc , dbg, dialupadmin binaries.)


Step 2- Installing the binary packages

dpkg -i freeradius_1.1.7-1build4_i386.deb

dpkg -i freeradius-mysql_1.1.7-1build4_i386.deb

After starting it with the out-of-the-box configuration, validate against a local user.

E.g: run radius in debug mode:

freeradius -X

From another shell run this while the freeradius -X is running:

radtest abc 123 localhost 1812 testing123

Make sure the user abc with password 123 is set in the /etc/freeradius/users file.


Step 3 - Configuring the FR with MySQL

First the MySQL bits (creating the db & its admin user). Do the following from your shell.

mysqladmin -u root password 123456

mysql -u root -p

On the MySQL shell type the following:

CREATE DATABASE radius;

GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

exit;

Import the FreeRadius schema. The sample schema resides at this location: /usr/share/doc/freeradius/examples/mysql.sql.gz.

Gunzip it there:

gunzip -d /usr/share/doc/freeradius/examples/mysql.sql.gz

Do the following:

mysql -u root -p radius < /usr/share/doc/freeradius/examples/mysql.sql

To have a look at the db schema do the following:

mysql -u root -p
use radius;
show tables;
quit;

Now edit your /etc/freeradius/sql.conf. Reset the user/password/database parameters to reflect the changes (e.g. radius/radpass/radius). To turn on NAS management from MySQL, search for the line

readclients = no

and change it to

readclients = yes

Edit the file /etc/freeradius/radiusd.conf and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL.

Here is the authorize section:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    sql
    pap
}

And the accounting section:

accounting {
    detail
    sql
}

To insert a test user in the database, go to the MySQL shell and run this:

mysql -u root -p

mysql> use radius;

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

mysql> select * from radcheck where UserName='sqltest';

mysql> exit

Fire up radius in debug mode:

freeradius -X

Go to another shell and run the test:

radtest sqltest testpwd localhost 1812 testing123

At this moment you should see a message containing something like ... Access-Accept ... which is an indication that your user is getting authenticated just fine.

Congratulations! Your FreeRadius + MySQL setup is working.
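To show what the radtest exchange above actually puts on the wire, here is an added Python example (not part of the original howto and not FreeRADIUS code) that builds the same PAP Access-Request radtest sends for user sqltest with shared secret testing123, performs the server-side password check against an in-memory copy of the radcheck row, and verifies the Response Authenticator of the reply as a client must. The function names (hide_password, build_access_request, server_decide, verify_response, demo), the NAS-IP-Address 127.0.0.1 and the in-memory user table are assumptions made for this demo; the packet layout follows RFC 2865.

```python
import hashlib
import os
import struct

SECRET = b"testing123"                 # the shared secret used in the radtest line above
USERS = {"sqltest": "testpwd"}         # mirrors the radcheck row inserted above
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the chain value is the hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(username, password, secret, identifier=0, authenticator=None):
    """What radtest sends: Code 1, a random 16-byte Request Authenticator and the
    PAP attributes. radtest's fourth argument (1812 above) is the NAS-Port value."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))   # assumed NAS address
             + attribute(NAS_PORT, struct.pack("!I", 1812)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def server_decide(request, secret, users):
    """Minimal server side: recover the password and compare it with the stored
    one. A wrong shared secret yields garbage, so the comparison fails closed."""
    attrs = parse_attributes(request[20:])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = user in users and users[user].encode() == password
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


def build_response(request, code, secret, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """Client-side check radtest performs before trusting an Access-Accept: the
    identifier must match and the Response Authenticator must recompute with the
    shared secret, so a reply forged without the secret is rejected."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and expected == response[4:20]


def demo():
    request = build_access_request("sqltest", "testpwd", SECRET, identifier=7)
    code = server_decide(request, SECRET, USERS)
    response = build_response(request, code, SECRET)
    forged = build_response(request, ACCESS_ACCEPT, b"not-the-secret")
    return code, verify_response(request, response, SECRET), verify_response(request, forged, SECRET)


if __name__ == "__main__":
    print(demo())   # (2, True, False): Access-Accept, genuine reply verifies, forged one does not
```

The two things worth noticing are that the only secret protecting the password on the wire is the NAS shared secret (here the default testing123 from clients.conf, which should be changed for any real NAS), and that the server's reply is authenticated by the same secret, which is why radtest can tell a genuine Access-Accept from a forged one.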


4- Setting up web management with Daloradius

The latest stable release is version 0.9-7.

Get hold of it from http://sourceforge.net/projects/daloradius.

tar -zxvf daloradius-0.9-7.tar.gz

cp daloradius-0.9-7/ /var/www -R

Download the following prerequisites packages:

apt-get install apache2

apt-get install php php-mysql php-pear php-gd php-pear-DB

Change permissions and ownership:

chown www-data:www-data /var/www/daloradius-0.9-7 -R

chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf

Daloradius needs to add a few more tables to the radius database we already created earlier.

mysql -u root -p radius < /var/www/daloradius-0.9-7/contrib/db/mysql-daloradius.sql

Now, simply adjust the MySQL database information in the DaloRadius config file.

vi /var/www/daloradius-0.9-7/library/daloradius.conf

Fill in the database details; a few important parameters are listed below:

...........
CONFIG_DB_ENGINE = mysql
CONFIG_DB_HOST = 127.0.0.1
CONFIG_DB_USER = radius
CONFIG_DB_PASS = radpass
CONFIG_DB_NAME = radius
...........

Save the file and exit.

Set up the apache server. Edit the /etc/apache2/apache2.conf file and append this to the end of the file (customize to your liking):

Alias /myradius "/var/www/daloradius-0.9-7/"
<Directory "/var/www/daloradius-0.9-7/">
    Options None
    order deny,allow
    deny from all
    allow from 127.0.0.1
    allow from <your management host>
</Directory>


Save and exit.

Restart the httpd server:

/etc/init.d/apache2 restart

Fire up Firefox (or any other browser) and go to the URL http://<your server>/myradius.

Log in with the administrator for management:

username: administrator
password: radius

Change this information first for the sake of security (info is located in the operator table).

Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivity from within the Daloradius frontend.

Congratulations you are done.

Developers of FreeRadius, MySQL and Daloradius, do accept my humble appreciation for all your efforts. Open source community, you also rock, thanx.

(Note: I haven't mentioned anything regarding setting up eap/ttls in this article. For that, just follow the section of setting up certificates and eap.conf from the below mentioned HowtoForge link.)

link : http://www.howtoforge.com/setting-up-a-freeradius-based-aaa-server-with-mysql-and-management-with-daloradius