################################################################################
.A.L.P.H.A....A.L.P.H.A....A.L.P.H.A....A.L.P.H.A....A.L.P.H.A.
##### Network Installation for an Internet Cafe (Warnet) with Mikrotik and Proxy #####

--[0]-- Intro
Installing Mikrotik for bandwidth management together with a Squid proxy server.
Suitable for an internet cafe (warnet), a university laboratory or a school.

--[1]-- Preparation
The trial was carried out on PCs with the following specifications:
o Proxy machine, running CentOS 4.4
  - Processor: Pentium 4, CPU clock 2.4 GHz
  - RAM: 512 MB
  - Hard disk: 40 GB
  - One D-Link LAN card
o Mikrotik machine
  - Processor: Pentium III, CPU clock 1.3 GHz
  - RAM: 256 MB
  - Hard disk: 40 GB
  - Two D-Link LAN cards + one Prolink
Adjust the machines to whatever hardware you have available.

(a) Network scheme/topology
Assumption: the Internet connection is xDSL through a modem, either over Telkom's infrastructure or another provider's. A connection through a wireless provider can be adapted accordingly.

[Network diagram, not reproducible in text: telephone line -> splitter -> xDSL modem (1) -> Mikrotik box (2) on interface a; interface b -> switch (3) -> client 1 ... client n; interface c -> proxy server box (4) on its interface d]

Scheme legend
(1) = xDSL modem (IP address: 192.168.1.1/24)
(2) = Mikrotik box with 3 Ethernet cards: a (public), b (local) and c (proxy)
(3) = Switch for the connections to the clients.
      Client assumptions:
      Number of clients: 20
      IP address range: 192.168.0.0/27
      Client IP allocation: 192.168.0.1-192.168.0.30
      Network ID: 192.168.0.0/27
      Broadcast: 192.168.0.31/27
(4) = Proxy server box

(b) IP address allocation
[*] Mikrotik box
    Scheme legend
    a = Ethernet card 1 (public) -> IP address: 192.168.1.2/24
    b = Ethernet card 2 (local)  -> IP address: 192.168.0.30/27
    c = Ethernet card 3 (proxy)  -> IP address: 192.168.2.1/30
    Gateway: 192.168.1.1 (to the modem)
[*] Clients
    Client 1 - client n, IP address: 192.168.0.n .... n (1-30)
    Example: client 6, IP address: 192.168.0.6/27, gateway: 192.168.0.30 (to the Mikrotik box)
[*] Linux for the proxy
    d = Ethernet card 4 (Linux) -> IP address: 192.168.2.2/30
    Gateway: 192.168.2.1/30 (to Ethernet 3 on the Mikrotik)

NOTES:
- The number after the IP address (/27) is the netmask in prefix form; /27 equals 255.255.255.224. The subnet masks for a class C block of local addresses break down as follows:

  Class C subnet masks
  --------------------
  255.255.255.0  = /24 -> 254 machines
  ..  .128       = /25 -> 128 machines
  ..  .192       = /26 ->  64 machines
  ..  .224       = /27 ->  32 machines
  ..  .240       = /28 ->  16 machines
  ..  .248       = /29 ->   8 machines
  ..  .252       = /30 ->   4 machines
  ..  .254       = /31 ->   2 machines
  ..  .255       = /32 ->   1 machine

  !! Two IP addresses per subnet cannot be used by machines and must be subtracted: one for the network ID and one for the broadcast address.
- The UTP cable between (2), the Mikrotik box, and (4), the Linux box, is a crossover cable.

--[2]-- Basic Configuration
As shown in the network scheme above, two operating systems need to be prepared: Mikrotik RouterOS version 2.9.27 level 6 for the router, and the GNU/Linux distribution CentOS version 4.4 for the proxy machine. Information about Mikrotik is available on its official website at http://www.mikrotik.com, and at http://www.mikrotik.co.id for Indonesia.
Prepare the ISOs first. If you do not have them yet, a sample Mikrotik ISO can be downloaded from http://mikrotik.co.id/download.php, and the CentOS ISO from http://mirror.nsc.liu.se/CentOS/4.4/isos/i386/ (this is CentOS version 4.4). Adjust the operating systems if you want to use versions other than the ones in this trial, for example Mikrotik version 2.8.x or later, or whichever Linux distribution you prefer; the configuration is conceptually the same.

From here on both machines are assumed to have been installed and to be ready to operate. For CentOS, if you want a dedicated partition for /cache/, go ahead; in this trial a dedicated partition was indeed created.

Basic configuration.
(a) Mikrotik
- Install the SYSTEM, SECURITY and DHCP (optional) packages.
- Set the IP addresses according to the scheme. The box has 3 LAN cards, so an IP address is set on each of them. Name the interfaces after the scheme above, which gives three interfaces:
  1. interface Public
  2. interface Local
  3. interface Proxy

#Interface
-------------------------------------------------------------------------------
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             RX-RATE    TX-RATE    MTU
  0  R public               ether            0          0          1500
  1  R proxy                ether            0          0          1500
  2  R local                ether            0          0          1500
[admin@MikroTik] interface>
-------------------------------------------------------------------------------
The interface names do not have to match the ones above; that is up to you. What matters is that the three interfaces are in different IP subnets, as in the scheme.
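Before entering the addresses on the Mikrotik, the plan from section [1] can be checked offline. The script below is an added example and not part of the original guide: it recomputes the class C subnet table and verifies that the three interface subnets do not overlap, that each next hop lies in the right subnet, and that the stated client range fits inside the local /27 without reusing the router's own address.

```python
# Added example (not from the original guide): check the section [1] address plan
# with the standard library before typing it into the Mikrotik box. The addresses
# are the ones the guide assigns; nothing here touches the network.
import ipaddress

MIKROTIK_IFACES = {            # Mikrotik interface -> its address
    "public": "192.168.1.2/24",
    "local": "192.168.0.30/27",
    "proxy": "192.168.2.1/30",
}
MODEM_GATEWAY = "192.168.1.1"                    # the Mikrotik's default route
PROXY_BOX = "192.168.2.2/30"                     # Linux/Squid box, interface d
CLIENT_RANGE = ("192.168.0.1", "192.168.0.30")   # "n (1-30)" as the guide states

def subnet_facts(cidr):
    """Netmask, address counts, network and broadcast for an address like a.b.c.d/27."""
    net = ipaddress.ip_interface(cidr).network
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {"netmask": str(net.netmask), "total": net.num_addresses, "usable": usable,
            "network": str(net.network_address), "broadcast": str(net.broadcast_address)}

def class_c_table():
    """The guide's subnet table as (prefix, netmask, addresses, usable hosts) rows."""
    return [(p,) + tuple(subnet_facts(f"192.168.0.0/{p}")[k]
                         for k in ("netmask", "total", "usable")) for p in range(24, 33)]

def check_plan():
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ipaddress.ip_interface(a).network for n, a in MIKROTIK_IFACES.items()}
    # 1. The three interfaces must be in distinct, non-overlapping subnets, or the
    #    router cannot tell public, local and proxy traffic apart.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"interfaces {a} and {b} overlap")
    # 2. Each next hop must sit inside the subnet of the interface that reaches it.
    if ipaddress.ip_address(MODEM_GATEWAY) not in nets["public"]:
        problems.append("modem gateway is not on the public subnet")
    if ipaddress.ip_interface(PROXY_BOX).network != nets["proxy"]:
        problems.append("proxy box is not on the /30 link to the Mikrotik")
    # 3. Clients must be usable addresses of the local /27 and must not reuse the
    #    router's own address (the guide's "1-30" includes .30, the local gateway).
    local_gw = ipaddress.ip_interface(MIKROTIK_IFACES["local"]).ip
    first, last = (int(ipaddress.ip_address(x)) for x in CLIENT_RANGE)
    for n in range(first, last + 1):
        host = ipaddress.ip_address(n)
        if host not in nets["local"] or host in (nets["local"].network_address,
                                                  nets["local"].broadcast_address):
            problems.append(f"client {host} is not a usable address in the local /27")
        elif host == local_gw:
            problems.append(f"client {host} collides with the Mikrotik local address")
    return problems
```

Running check_plan() against the guide's values reports only that 192.168.0.30 is the Mikrotik's own local address, so the clients should stop at .29.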
# IP Address
------------------------------------------------------------------------------
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.1.2/24     192.168.1.0     192.168.1.255   public
  1   192.168.0.30/27    192.168.0.0     192.168.0.31    local
  2   192.168.2.1/30     192.168.2.0     192.168.2.3     proxy
[admin@MikroTik] >
------------------------------------------------------------------------------
- Set the IP gateway, i.e. the routing. The Mikrotik's gateway is the modem, 192.168.1.1.

# Ip Gateway
------------------------------------------------------------------------------------
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        PREFSRC         G GATEWAY          DISTANCE INTERFACE
  0 ADC 192.168.2.0/30     192.168.2.1                                 proxy
  1 ADC 192.168.0.0/27     192.168.0.30                                local
  2 ADC 192.168.1.0/24     192.168.1.2                                 public
  3 A S 0.0.0.0/0                          r 192.168.1.1               public
[admin@MikroTik] >
------------------------------------------------------------------------------------
- Set the DNS servers.

#Ip DNS
------------------------------------------------------------------------------------
[admin@MikroTik] > ip dns print
            primary-dns: 203.130.193.74
          secondary-dns: 202.134.0.155
  allow-remote-requests: yes
             cache-size: 10240KiB
          cache-max-ttl: 1w
             cache-used: 271KiB
[admin@MikroTik] >
------------------------------------------------------------------------------------
- Add rules to /ip firewall nat for masquerading.
#Rule Firewall NAT, redirect to the web proxy
-------------------------------------------------------------------------------------
[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public action=masquerade
 1   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=80
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
 2   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8000
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
 3   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3128
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
-------------------------------------------------------------------------------------

(b) Squid box
Preparation
  Port: 8080
  Space: 3 GB (3072 MB), allocated in /cache/squid (hard disk partition /cache/)
  Networks allowed: 6n.21n.6.96/28 and 192.168.14.0/27

Squid is assumed to have been downloaded and installed, either from the tarball (tar zxvf squid-2.6.STABLE6-src.tar.gz) or from the RPM (rpm -ivh squid-2.6.STABLE6.rpm).

Configuration, as root:
- cd /etc/squid
- Back up the Squid configuration:
  [root@admin]# cp squid.conf squid.conf.org
  [root@admin]# cd
- The Squid proxy server cannot run as the superuser root, so create the user that will run Squid:
  [root@admin]# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1
- Create the folder /cache/squid and change its owner to the squid user:
  [root@admin]# mkdir -p /cache/squid
  [root@admin]# chown -R squid:squid /cache/squid
- Create the cache_dir folder:
  [root@admin]# mkdir /cache/squid/spool
  [root@admin]# chown -R squid:squid /cache/squid

Once the configuration is done, save it and start Squid:
  [root@admin]# /etc/init.d/squid start
or
  # service squid start

"But" if Squid has already been started before, it is running with the default configuration (/etc/squid/squid.conf). In that case, first:
  # squid --help
  # squid -k reconfigure
  # squid -z
and only then:
  # service squid restart
or
  # service squid stop (then) start

Test Squid from a browser while watching its access log:
  [root@admin]# tail -f /cache/squid/access.log

For a transparent proxy and for security [optional]:
  iptables -t nat -A PREROUTING -p tcp -s 6n.21n.6.96/28 --dport 80 -j DNAT --to-destination 6n.219.6.110:8080
This can be saved in /etc/rc.d/rc.local if you cannot find where the iptables configuration lives, together with:
  iptables -t nat -A PREROUTING -p tcp -s 192.168.14.0/27 -d 192.168.14.30/27 --dport 8080 -j DNAT --to-destination 6n.21n.6.110:8080

squid.conf
----------
#============================================================$
# baratev.sourceforge.net                                    $
# SQUID PROXY CACHE                                          $
# alpha version                                              $
#============================================================$
http_port 8080 transparent
icp_port 3130
icp_query_timeout 0
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
#============================================================$
hierarchy_stoplist cgi-bin ? .js .jsp localhost visicom provider.net
acl QUERY urlpath_regex cgi-bin \? .js .jsp localhost visicom provider.net
no_cache deny QUERY
#============================================================$
#============================================================$
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================$
cache_mem 8 MB
maximum_object_size 128 MB
maximum_object_size_in_memory 32 KB
cache_swap_low 98%
cache_swap_high 99%
store_dir_select_algorithm round-robin
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#============================================================$
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================$
cache_dir aufs /cache/squid 4500 18 256
cache_access_log /var/log/squid/access.log
cache_log none
cache_store_log none
mime_table /etc/mime.conf
pid_filename /var/run/squid.pid
log_fqdn off
log_mime_hdrs off
log_ip_on_direct off
logfile_rotate 7
debug_options ALL,1
buffered_logs off
emulate_httpd_log off
#============================================================$
# FTP section
#============================================================$
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#============================================================$
# DNS resolution section
#============================================================$
cache_dns_program /squid/libexec/dnsserver
dns_children 24
dns_nameservers 127.0.0.1 XXX.XXX.XXX.XXX
#============================================================$
# Refresh Rate
#============================================================$
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 override-expire
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 0 90% 1440
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 3 minutes
positive_dns_ttl 53 seconds
negative_dns_ttl 29 seconds
forward_timeout 4 minutes
connect_timeout 2 minutes
peer_connect_timeout 1 minutes
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 60 minutes
half_closed_clients off
#============================================================$
# ACL section
#============================================================$
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl skynet src xxx.xxx.xxx.xxx/xx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#acl badip url_regex -i "/squid/ip-deny"
#acl badurl url_regex -i "/squid/bad-url"
acl warnet src xxx.xxx.xxx.xxx/xx
acl virus dst 204.177.92.204/32 64.191.99.145/32
acl gator dstdom_regex gator hot_indonesia.exe
acl exploit urlpath_regex winnt/system32/cmd.exe?
acl exploit urlpath_regex splashPages/black.sps?
acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514
http_access deny virus
http_access deny gator
http_access deny exploit
http_access deny BADPORTS
# badip and badurl are only defined when their two acl lines above are
# uncommented; Squid refuses to start when a rule names an undefined ACL.
#http_access deny badip
#http_access deny badurl
http_access allow manager
http_access allow localhost
http_access allow skynet
http_access allow warnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow all
always_direct allow localhost warnet
always_direct deny all
#============================================================$
# Administrative parameters                                  $
#============================================================$
cache_mgr support@provider.net
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.provider.net
unique_hostname support@provider.net
#============================================================$
# Transparent proxy setting
#============================================================$
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc on
httpd_accel_single_host off
half_closed_clients off
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Accept-Encoding deny all
header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en
#============================================================$
# ACCELERATOR
#============================================================$
memory_pools off
forwarded_for off
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off
#============================================================$
# MISCELLANEOUS
#============================================================$
logfile_rotate 3
store_dir_select_algorithm round-robin
shutdown_lifetime 10 seconds
cachemgr_passwd disable shutdown
cachemgr_passwd all
buffered_logs off
offline_mode off
coredump_dir /squid
ignore_unknown_nameservers on
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
header_access Accept-Encoding deny hotmail
#============================================================$
# DELAY POOLS
#============================================================$
acl download url_regex -i ftp .exe .mp3 .vqf .tar.gz .wmv .tar.bz .tar.bz2 .gz .rpm .zip
acl download url_regex -i .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .tar .doc
acl download url_regex -i .ppt .z .wmf .mov .arj .lzh .gzip .bin .wma
# delay_pools 2
delay_pools 2
delay_class 1 2
delay_parameters 1 8000/8000 6000/8000
delay_access 1 allow download
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 25000/25000 10000/16000   #200kb/200kb 80Kb/128Kb
# fill in as needed: define an "acl user ..." first, then uncomment this line
#delay_access 2 allow user
delay_access 2 deny all
#============================================================$
# DOWNLOAD LIMIT
#============================================================$
#reply_body_max_size 3072000 deny !client   # change the value to what you want
#============================================================$
# SNMP
#============================================================$
acl snmpcommunity snmp_community public
snmp_port 3401
snmp_access allow snmpcommunity localhost
snmp_access deny all

--[4]-- Evaluation

--[5]-- Troubleshooting
- Same subnet mask, yet a ping from the Mikrotik to the Linux machine gets no reply

--[6]-- References
o http://www.squid-cache.org
o http://www.mikrotik.com

########################################################################
Documentation, Editing, Optimization by baratev.sourceforge.net
########################################################################
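Squid evaluates http_access lines top-down and stops at the first one that matches, so in the ACL section of the squid.conf above "allow warnet" is reached before "deny !Safe_ports" and "deny CONNECT !SSL_ports", and those two checks never apply to the cafe's own clients. The evaluator below is an added example, not code from the guide: it reproduces that evaluation for the guide's rule order and for the same rules in the order the stock squid.conf uses, with 192.168.0.0/27 and 192.168.2.2 assumed for the xxx placeholders warnet and skynet.

```python
# Added example, not the guide's code: first-match evaluation of the http_access
# lines above. 'warnet'/'skynet' are xxx placeholders in the guide; the local /27
# and the proxy box address from section [1] are assumed for them here.
import ipaddress
import re
ACLS = {  # (type, values) from the guide's ACL section, reduced to the types needed
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "warnet": ("src", ["192.168.0.0/27"]),   # assumed
    "skynet": ("src", ["192.168.2.2/32"]),   # assumed
    "manager": ("proto", ["cache_object"]),
    "SSL_ports": ("port", ["443", "563"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210", "1025-65535",
                            "280", "488", "591", "777", "631", "873", "901"]),
    "BADPORTS": ("port", ["7", "9", "11", "19", "22", "23", "25", "110", "119", "513", "514"]),
    "CONNECT": ("method", ["CONNECT"]),
    "virus": ("dst", ["204.177.92.204/32", "64.191.99.145/32"]),
    "gator": ("dstdom_regex", ["gator", "hot_indonesia.exe"]),
    "exploit": ("urlpath_regex", ["winnt/system32/cmd.exe?", "splashPages/black.sps?"]),
}
# http_access lines in the guide's order; badip/badurl are left out because their
# acl lines are commented out and Squid will not start with an undefined ACL name.
GUIDE_ORDER = [("deny", ["virus"]), ("deny", ["gator"]), ("deny", ["exploit"]),
               ("deny", ["BADPORTS"]), ("allow", ["manager"]), ("allow", ["localhost"]),
               ("allow", ["skynet"]), ("allow", ["warnet"]), ("deny", ["!Safe_ports"]),
               ("deny", ["CONNECT", "!SSL_ports"]), ("deny", ["all"])]
# Same lines with the two port checks moved ahead of the network allows, where the
# stock squid.conf puts them, so that they also cover the cafe's own clients.
SAFER_ORDER = GUIDE_ORDER[:6] + GUIDE_ORDER[8:10] + GUIDE_ORDER[6:8] + [GUIDE_ORDER[10]]

def _port_in(spec, port):  # spec is "80" or a range like "1025-65535"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)
def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = req.get("src" if kind == "src" else "dst_ip")
        return addr is not None and any(
            ipaddress.ip_address(addr) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(_port_in(v, req["port"]) for v in values)
    if kind in ("method", "proto"):
        return req.get(kind) in values
    field = "host" if kind == "dstdom_regex" else "path"
    return any(re.search(v, req[field]) for v in values)

def http_access(rules, req):
    """Squid semantics: top-down, the first line whose ACLs all match decides; '!' negates."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's implicit default

def request(src, port, method="GET", host="www.example.com", path="/", dst_ip=None):
    return {"src": src, "port": port, "method": method, "host": host,  # constructed
            "path": path, "dst_ip": dst_ip, "proto": "http"}
```

With the guide's order a client request to TCP port 445, or a CONNECT to a non-SSL port such as 8080, is allowed; with the port checks moved up it is denied, while ordinary port 80 browsing and the BADPORTS and exploit denies behave the same under both orders.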