Thursday, 14 May 2009

Load Balancing

A year ago, I felt that the internet connection at my KODOK IJO was getting slower and slower. This was because I had increased the number of internet clients to 15. Maybe also because Speedy has too many users. hehe.. In the end I added one more Speedy connection, since there is no other ISP in Ponorogo.
To save electricity, I started learning to build MikroTik Load Balancing (LBM) + web proxy on a single MikroTik PC, version 2.9.27. After staying up all night in front of the PC, my LBM was finally done. I tested the LBM and watched it for a week, and it turned out it could not balance the load. Sometimes one modem was fully loaded while the other modem was still empty, even though plenty of requests were coming in. In the end I decided to use 2 PCs, so that there were 2 gateways.
Six months ago, a few friends pointed me towards the RB450, also from MikroTik. I bought one and tried to build LBM again. As before, the LBM would not run perfectly, until I finally found the keyword: "nth". That is what put the smile back on my face.
This is my configuration now:



This is the print of my MikroTik load balancing:
Read it and analyse it, okay.. Don't copy-paste it, it will certainly error, hehe.. If something is wrong, leave a comment, okay..

####################################################################
####################################################################


MikroTik RouterOS 3.10 (c) 1999-2008 http://www.mikrotik.com/

[admin@MikroTik] > interface print
Flags: X - disabled, R - running, D - dynamic, S - slave
# NAME TYPE MTU
0 R local ether 1500
1 R modem1 ether 1500
2 R modem2 ether 1500
3 ether4 ether 1500
4 ether5 ether 1500

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.4.1/24 192.168.4.0 192.168.4.255 local
1 192.168.2.2/24 192.168.2.0 192.168.2.255 modem2
2 192.168.1.2/24 192.168.1.0 192.168.1.255 modem1


[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ngeNAT
chain=srcnat action=masquerade src-address=192.168.4.0/24

1 chain=srcnat action=src-nat to-addresses=192.168.2.2 to-ports=0-65535
connection-mark=odd

2 chain=srcnat action=src-nat to-addresses=192.168.1.2 to-ports=0-65535
connection-mark=even

[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; loadODD
chain=prerouting action=mark-connection new-connection-mark=odd
passthrough=yes connection-state=new in-interface=local nth=2,1

1 chain=prerouting action=mark-routing new-routing-mark=odd passthrough=no
in-interface=local connection-mark=odd

2 ;;; loadEVEN
chain=prerouting action=mark-connection new-connection-mark=even
passthrough=yes connection-state=new in-interface=local nth=2,1

3 chain=prerouting action=mark-routing new-routing-mark=even passthrough=no
in-interface=local connection-mark=even

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE IN..
0 A S 0.0.0.0/0 r 192.168.2.1 1 mo..
1 A S 0.0.0.0/0 r 192.168.1.1 1 mo..
2 A S 0.0.0.0/0 r 192.168.1.1 1 mo..
3 ADC 192.168.1.0/24 192.168.1.2 0 mo..
4 ADC 192.168.2.0/24 192.168.2.2 0 mo..
5 ADC 192.168.4.0/24 192.168.4.1 0 lo..

[admin@MikroTik] > ip dns print
primary-dns: 202.134.1.10
secondary-dns: 202.134.0.155
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 4KiB

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; menerima paket koneksi yang dibuat
chain=input action=accept connection-state=established

1 ;;; menerima paket koneksi yang behubungan
chain=input action=accept connection-state=related

2 ;;; mematikan paket yang salah
chain=input action=drop connection-state=invalid

3 ;;; mendeteksi & mematikan coneksi port scan
chain=input action=drop psd=21,3s,3,1 protocol=tcp

4 ;;; menumpas serangan DOS
chain=input action=tarpit src-address-list=black_list protocol=tcp
connection-limit=3,32

5 ;;; mendeteksi serangan DOS
chain=input action=add-src-to-address-list address-list=black_list
address-list-timeout=1d protocol=tcp connection-limit=10,32

6 ;;; melompat ke chain icmp
chain=input action=jump jump-target=icmp protocol=icmp

7 ;;; melompat ke chain services
chain=input action=jump jump-target=services

8 ;;; mengijinkan trafik broadcast
chain=input action=accept dst-address-type=broadcast

9 chain=input action=log log-prefix="filter"

10 ;;; mengijinkan akses router dari network yang dikenal
chain=input action=accept src-address=192.168.1.0

11 chain=input action=accept src-address=192.168.2.0

12 chain=input action=accept src-address=192.168.4.0

13 chain=input action=accept src-address=192.168.0.0

14 ;;; port scanner masuk daftar
chain=input action=add-src-to-address-list psd=21,3s,3,1
address-list=port_scanners address-list-timeout=2w protocol=tcp

15 ;;; scan syn/fin
chain=input action=add-src-to-address-list tcp-flags=fin,syn
address-list=port_scanners address-list-timeout=2w protocol=tcp

16 ;;; scan syn/rst
chain=input action=add-src-to-address-list tcp-flags=syn,rst
address-list=port_scanners address-list-timeout=2w protocol=tcp

17 ;;; scan fin/psh/urg
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack address-list=port_scanners
address-list-timeout=2w protocol=tcp

18 ;;; scan semua
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg address-list=port_scanners
address-list-timeout=2w protocol=tcp

19 ;;; scan null nmap
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!psh,!ack,!urg address-list=port_scanners
address-list-timeout=2w protocol=tcp

20 ;;; mematikan port scanner
chain=input action=drop src-address-list=port_scanners

21 ;;; 0:0 dan limit selama 5pac/s
chain=icmp action=accept icmp-options=0:0-255 protocol=icmp limit=5,5

22 ;;; 3:3 dan limit selama 5pac/s
chain=icmp action=accept icmp-options=3:3 protocol=icmp limit=5,5

23 ;;; 3:4 dan limit selama 5pac/s
chain=icmp action=accept icmp-options=3:4 protocol=icmp limit=5,5

24 ;;; 8:0 dan limit selama 5pac/s
chain=icmp action=accept icmp-options=8:0-255 protocol=icmp limit=5,5

25 ;;; 11:0 dan limit selama 5pac/s
chain=icmp action=accept icmp-options=11:0-255 protocol=icmp limit=5,5

26 ;;; mematikan icmop yang lainnya
chain=icmp action=drop protocol=icmp

27 ;;; menerima localhost
chain=services action=accept dst-address=127.0.0.1
src-address-list=127.0.0.1

28 ;;; mengijinkan MACwinbox
chain=services action=accept dst-port=20561 protocol=udp

29 ;;; MT discovery protocol
chain=services action=accept dst-port=5678 protocol=udp

30 ;;; mengijinkan permintaan DNS
chain=services action=accept dst-port=53 protocol=tcp

31 ;;; mengijinkan permintaan DNS
chain=services action=accept dst-port=53 protocol=udp

32 ;;; mengijinkan web proxy
chain=services action=accept dst-port=8080 protocol=tcp

33 ;;; mengijinkan web proxy
chain=services action=accept dst-port=80 protocol=tcp

34 ;;; mengijinkan web proxy
chain=services action=accept dst-port=23 protocol=tcp

35 chain=services action=return

36 ;;; mengijinkan pembuatan koneksi
chain=forward action=accept connection-state=established

37 ;;; mengijinkan koneksi yang bersangkutan
chain=forward action=accept connection-state=related

38 ;;; drop koneksi yang salah
chain=forward action=drop connection-state=invalid

39 ;;; mematikn worm blaster
chain=virus action=drop dst-port=135-139 protocol=tcp

40 ;;; mematikn worm blaster
chain=virus action=drop dst-port=135-139 protocol=udp

41 ;;; mematikn worm blaster
chain=virus action=drop dst-port=445 protocol=tcp

42 ;;; mematikn worm blaster
chain=virus action=drop dst-port=445 protocol=udp

43 ;;; mematikn worm blaster
chain=virus action=drop dst-port=593 protocol=tcp

44 ;;; mematikn worm blaster
chain=virus action=drop dst-port=1024-1030 protocol=tcp

45 ;;; mematikn my doom
chain=virus action=drop dst-port=1080 protocol=tcp

46 ;;; mematikn my doom
chain=virus action=drop dst-port=1214 protocol=tcp

47 ;;; nmd requester
chain=virus action=drop dst-port=1363 protocol=tcp

48 ;;; nmd server
chain=virus action=drop dst-port=1364 protocol=tcp

49 ;;; screen cast
chain=virus action=drop dst-port=1368 protocol=tcp

50 ;;; hromgrafx
chain=virus action=drop dst-port=1373 protocol=tcp

51 ;;; cichild
chain=virus action=drop dst-port=1377 protocol=tcp

52 ;;; worm
chain=virus action=drop dst-port=1433-1434 protocol=tcp

53 ;;; bagle virus
chain=virus action=drop dst-port=2745 protocol=tcp

54 ;;; damaru y
chain=virus action=drop dst-port=2283 protocol=tcp

55 ;;; drop beagle
chain=virus action=drop dst-port=2535 protocol=tcp

56 ;;; drop beagle-ck
chain=virus action=drop dst-port=2745 protocol=tcp

57 ;;; drop mudoom
chain=virus action=drop dst-port=3127-3128 protocol=tcp

58 ;;; drop backdoor opticpro
chain=virus action=drop dst-port=3410 protocol=tcp

59 ;;; drop worm
chain=virus action=drop dst-port=4444 protocol=tcp

60 ;;; drop worm
chain=virus action=drop dst-port=5554 protocol=tcp

61 ;;; drop worm
chain=virus action=drop dst-port=6881-6889 protocol=tcp

62 ;;; drop beagle b
chain=virus action=drop dst-port=8866 protocol=tcp

63 ;;; drop dabber
chain=virus action=drop dst-port=9898 protocol=tcp

64 ;;; drop damaru
chain=virus action=drop dst-port=10000 protocol=tcp

65 ;;; drop mydoom b
chain=virus action=drop dst-port=10080 protocol=tcp

66 ;;; drop netbus
chain=virus action=drop dst-port=12345 protocol=tcp

67 ;;; drop kuang2
chain=virus action=drop dst-port=17300 protocol=tcp

68 ;;; drop subseven
chain=virus action=drop dst-port=27374 protocol=tcp

69 ;;; drop phatbot,agobot,gaobot
chain=virus action=drop dst-port=65506 protocol=tcp

70 ;;; jump ke chain virus
chain=forward action=jump jump-target=virus

71 ;;; drop ping besar
chain=forward action=drop protocol=icmp packet-size=100-65535

72 chain=output action=drop src-address=192.168.4.0/24 protocol=icmp
packet-size=100-65535

73 ;;; mengijinkan udp
chain=forward action=accept protocol=udp

74 ;;; mengijinkan akses ke internet dari jaringan yang dikenal
chain=forward action=accept src-address=192.168.1.0/24

75 chain=forward action=accept src-address=192.168.2.0/24

76 chain=forward action=accept src-address=192.168.4.0/24

77 chain=forward action=accept src-address=192.168.0.0/24

78 ;;; mematikan yang lainnya
chain=forward action=drop

####################################################################
####################################################################

As for the filter, that is up to each person's taste.
As for the proxy, pick whichever one you like.
As for nth, this is the value that runs well in my LBM. If anyone finds a better value, please share...
Here is the result of my download from Indowebster:

Lessons I learned:
1. The nth value has a big effect on load balancing.
2. MikroTik version 3.xx is better than 2.9.xx
3. Using an RB450 for LB is nicer, because: it works perfectly, saves electricity, and the MikroTik licence is already original. hehe..
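To see how the two nth=2,1 rules in the mangle print above divide new connections between the odd and even marks, here is an added Python model (example code, not from this post or from MikroTik). It assumes RouterOS 3.x semantics where each rule keeps its own nth counter and passthrough=no ends mangle processing, and it also runs a constructed variant with nth=1,1 on the second mark-connection rule so the two splits can be compared.

```python
# Added example, not from the post. Assumed RouterOS 3.x semantics: each rule
# keeps its own counter, nth=every,packet matches when that counter (cycling
# 1..every) equals packet, and passthrough=no ends mangle processing. Only the
# connection-state=new packet of a connection is modelled: that is all nth sees.
from collections import Counter

def nth_rule(every, packet, mark):
    """mark-connection rule: nth=every,packet with passthrough=yes."""
    return {"every": every, "packet": packet, "set": mark, "needs": None}

def routing_rule(mark):
    """mark-routing rule: connection-mark=mark with passthrough=no."""
    return {"every": None, "packet": None, "set": None, "needs": mark}

# The four mangle rules from the print above (loadODD / loadEVEN).
PAGE_RULES = [nth_rule(2, 1, "odd"), routing_rule("odd"),
              nth_rule(2, 1, "even"), routing_rule("even")]

ALT_RULES = [nth_rule(2, 1, "odd"), routing_rule("odd"),  # constructed variant:
             nth_rule(1, 1, "even"), routing_rule("even")]  # second rule nth=1,1

def simulate(rules, n_connections):
    """Count final connection marks; '' means never marked, so the
    connection falls through to the plain default route."""
    counters = [0] * len(rules)
    result = Counter()
    for _ in range(n_connections):
        mark = ""
        for i, rule in enumerate(rules):
            if rule["needs"] is not None:
                # mark-routing: only its own mark matches, then passthrough=no stops
                if mark == rule["needs"]:
                    break
                continue
            # mark-connection with nth: advance this rule's private counter
            counters[i] = counters[i] % rule["every"] + 1
            if counters[i] == rule["packet"]:
                mark = rule["set"]
        result[mark] += 1
    return result

def split(rules, n_connections=1000):
    """Percentage of new connections per mark, for easy comparison."""
    c = simulate(rules, n_connections)
    return {k: 100 * v // n_connections for k, v in c.items()}

if __name__ == "__main__":
    print("page values (2,1 then 2,1):", split(PAGE_RULES))
    print("second rule nth=1,1       :", split(ALT_RULES))
```

A connection that ends up with an empty mark never receives a routing mark and takes whichever plain 0.0.0.0/0 route is active, so the empty-mark share in the output is the part of the traffic the nth rules leave to the default route.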

Wassalam

6 comments:

  1. Bro... is your Speedy package the Small Office one or the Warnet one?

  2. I took the Speedy Office package..

  3. Mas Arm, please help me, I just added 1 Speedy line, but I have watched it for a few days and it does not seem balanced. I have already tried the script above..

  4. Which MikroTik version are you using?
    There is a difference between ver 2.xx and 3.xx, namely in nth. Try googling about nth..

  5. Bro, I'm copying your article to study from, okay!!!

  6. Mbah Lentho
    come on, let's have coffee and smooch cheeks hehehe bsd = bubrah sekarepe dewe (broken any way it pleases) ..... .... mtmt