Mikrotik RB 750 + PFsense as Squid Box



  • Please help with
    http://forum.pfsense.org/index.php/topic,38930.msg200664.html#msg200664

    It has not been resolved yet.



  • As promised ( a promise is a debt  :) , God willing the debt will soon be paid off ) amen…. !!

    Just sharing my Mikrotik ("Mikocok") settings paired with pfSense.

    Clients ------- Mikrotik 3 ports -------- Internet

    port 3 mikrotik ----- pfsense ------ internet

    modem : 192.168.2.1

    Mikrotik topology, using 3 ethernet ports :
    port 1 = WAN  ( 192.168.2.2 )
    port 2 = CLIENTS ( 192.168.1.1 )
    port 3 = PROXY PFSENSE ( 192.168.3.1 )

    pfSense topology, using 2 ethernet ports :
    port 1 = LAN ( port 3 of the mikrotik ) ( 192.168.3.2 )
    port 2 = WAN ( 192.168.2.3 )

    OK, straight to the point.
    Assumption: the pfSense box is running well and tuned with LUSCA.
    For tweaks and tune-up you can open the guide from anto_DIGIT: http://forum.pfsense.org/index.php/topic,29019.0.html

    Client management, both the hotspot and the bandwidth management, is all on the Mikrotik.
    The hotspot settings are not covered here; just Google a tutorial.
    This setup uses L7 for the filtering. Only destination port 80 is redirected to pfSense as the proxy server on port 3128.
    Sorry mate, here pfSense is only used as a proxy server ( Maknyuss.... )

    NAT setting :
    chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=CLIENTS dst-port=80
    ( meaning every port 80 request is directed to the Proxy Server ( pfSense ) address )

    L7 settings :
    /ip firewall layer7-protocol
    add name="Extension " .exe "" regexp="^.get.+\.exe.$"
    add name="Extension " .mp4 "" regexp="^.get.+\.mp4.$"
    add name="Extension " .rar"" regexp="^.get.+\.rar.$"
    add name="Extension " .zip"" regexp="^.get.+\.zip.$"
    add name="Extension " .mp3 "" regexp="^.get.+\.mp3.$"
    add name="Extension " .7z "" regexp="^.get.+\.7z.$"
    add name="Extension " .cab "" regexp="^.get.+\.cab.$"
    add name="Extension " .asf "" regexp="^.get.+\.asf.$"
    add name="Extension " .mov "" regexp="^.get.+\.mov.$"
    add name="Extension " .wmv "" regexp="^.get.+\.wmv.$"
    add name="Extension " .mpg "" regexp="^.get.+\.mpg.$"
    add name="Extension " .mpeg "" regexp="^.get.+\.mpeg.$"
    add name="Extension " .mkv "" regexp="^.get.+\.mkv.$"
    add name="Extension " .avi "" regexp="^.get.+\.avi.$"
    add name="Extension " .flv "" regexp="^.get.+\.flv.$"
    add name="Extension " .pdf "" regexp="^.get.+\.pdf.$"
    add name="Extension " .wav "" regexp="^.get.+\.wav.$"
    add name="Extension " .rm "" regexp="^.get.+\.rm.$"
    add name="Extension " .rmvb "" regexp="^.get.+\.rmvb.$"
    add name="Extension " .dat "" regexp="^.get.+\.dat.$"
    add name="Extension " .daa "" regexp="^.get.+\.daa.$"
    add name="Extension " .iso "" regexp="^.get.+\.iso.$"
    add name="Extension " .nrg "" regexp="^.get.+\.nrg.$"
    add name="Extension " .bin "" regexp="^.get.+\.bin.$"
    add name="Extension " .vcd "" regexp="^.get.+\.vcd.$"
    add name="Extension " .mp2 "" regexp="^.get.+\.mp2.$"
    add name="Extension " .3gp "" regexp="^.get.+\.3gp.$"
    add name="Extension " .mpe "" regexp="^.get.+\.mpe.$"
    add name="Extension " .qt "" regexp="^.get.+\.qt.$"
    add name="Extension " .raw "" regexp="^.get.+\.raw.$"
    add name="Extension " .wma "" regexp="^.get.+\.wma.$"
    add name="Extension " .ogg "" regexp="^.get.+\.ogg.$"
    add name="Extension " .doc "" regexp="^.get.+\.doc.$"
    add name="Extension " .ram "" regexp="^.get.+\.ram.$"

    The mangle settings :
    /ip firewall mangle
    add action=mark-connection chain=prerouting comment=exe disabled=no
        layer7-protocol="Extension " .exe "" new-connection-mark=exe_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=exe_conn disabled=no
        new-packet-mark=exe passthrough=no
    add action=mark-connection chain=prerouting comment=zip disabled=no
        layer7-protocol="Extension " .zip"" new-connection-mark=zip_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=zip_conn disabled=no
        new-packet-mark=zip passthrough=no
    add action=mark-connection chain=prerouting comment=rar disabled=no
        layer7-protocol="Extension " .rar"" new-connection-mark=rar_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=rar_conn disabled=no
        new-packet-mark=rar passthrough=no
    add action=mark-connection chain=prerouting comment=cab disabled=no
        layer7-protocol="Extension " .cab "" new-connection-mark=cab_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=cab_conn disabled=no
        new-packet-mark=cab passthrough=no
    add action=mark-connection chain=prerouting comment=asf disabled=no
        layer7-protocol="Extension " .asf "" new-connection-mark=asf_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=asf_conn disabled=no
        new-packet-mark=asf passthrough=no
    add action=mark-connection chain=prerouting comment=mov disabled=no
        layer7-protocol="Extension " .mov "" new-connection-mark=mov_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mov_conn disabled=no
        new-packet-mark=mov passthrough=no
    add action=mark-connection chain=prerouting comment=wmv disabled=no
        layer7-protocol="Extension " .wmv "" new-connection-mark=wmv_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=wmv_conn disabled=no
        new-packet-mark=wmv passthrough=no
    add action=mark-connection chain=prerouting comment=mpg disabled=no
        layer7-protocol="Extension " .mpg "" new-connection-mark=mpg_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mpg_conn disabled=no
        new-packet-mark=mpg passthrough=no
    add action=mark-connection chain=prerouting comment=mkv disabled=no
        layer7-protocol="Extension " .mkv "" new-connection-mark=mkv_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mkv_conn disabled=no
        new-packet-mark=mkv passthrough=no
    add action=mark-connection chain=prerouting comment=avi disabled=no
        layer7-protocol="Extension " .avi "" new-connection-mark=avi_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=avi_conn disabled=no
        new-packet-mark=avi passthrough=no
    add action=mark-connection chain=prerouting comment=flv disabled=no
        layer7-protocol="Extension " .flv "" new-connection-mark=flv_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=flv_conn disabled=no
        new-packet-mark=flv passthrough=no
    add action=mark-connection chain=prerouting comment=pdf disabled=no
        layer7-protocol="Extension " .pdf "" new-connection-mark=pdf_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=pdf_conn disabled=no
        new-packet-mark=pdf passthrough=no
    add action=mark-connection chain=prerouting comment=wav disabled=no
        layer7-protocol="Extension " .wav "" new-connection-mark=wav_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=wav_conn disabled=no
        new-packet-mark=wav passthrough=no
    add action=mark-connection chain=prerouting comment=rm disabled=no
        layer7-protocol="Extension " .rm "" new-connection-mark=rm_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=rm_conn disabled=no
        new-packet-mark=rm passthrough=no
    add action=mark-connection chain=prerouting comment=mp3 disabled=no
        layer7-protocol="Extension " .mp3 "" new-connection-mark=mp3_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp3_conn disabled=no
        new-packet-mark=mp3 passthrough=no
    add action=mark-connection chain=prerouting comment=mp4 disabled=no
        layer7-protocol="Extension " .mp4 "" new-connection-mark=mp4_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp4_conn disabled=no
        new-packet-mark=mp4 passthrough=no
    add action=mark-connection chain=prerouting comment=ram disabled=no
        layer7-protocol="Extension " .ram "" new-connection-mark=ram_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ram_conn disabled=no
        new-packet-mark=ram passthrough=no
    add action=mark-connection chain=prerouting comment=rmvb disabled=no
        layer7-protocol="Extension " .rmvb "" new-connection-mark=rmvb_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=rmvb_conn disabled=no
        new-packet-mark=rmvb passthrough=no
    add action=mark-connection chain=prerouting comment=dat disabled=no
        layer7-protocol="Extension " .dat "" new-connection-mark=dat_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=dat_conn disabled=no
        new-packet-mark=dat passthrough=no
    add action=mark-connection chain=prerouting comment=daa disabled=no
        layer7-protocol="Extension " .daa "" new-connection-mark=daa_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=daa_conn disabled=no
        new-packet-mark=daa passthrough=no
    add action=mark-connection chain=prerouting comment=iso disabled=no
        layer7-protocol="Extension " .iso "" new-connection-mark=iso_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=iso_conn disabled=no
        new-packet-mark=iso passthrough=no
    add action=mark-connection chain=prerouting comment=bin disabled=no
        layer7-protocol="Extension " .bin "" new-connection-mark=bin_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=bin_conn disabled=no
        new-packet-mark=bin passthrough=no
    add action=mark-connection chain=prerouting comment=vcd disabled=no
        layer7-protocol="Extension " .vcd "" new-connection-mark=vcd_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=vcd_conn disabled=no
        new-packet-mark=vcd passthrough=no
    add action=mark-connection chain=prerouting comment=mp2 disabled=no
        layer7-protocol="Extension " .mp2 "" new-connection-mark=mp2_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp2_conn disabled=no
        new-packet-mark=mp2 passthrough=no
    add action=mark-connection chain=prerouting comment=3gp disabled=no
        layer7-protocol="Extension " .3gp "" new-connection-mark=3gp_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=3gp_conn disabled=no
        new-packet-mark=3gp passthrough=no
    add action=mark-connection chain=prerouting comment=mpe disabled=no
        layer7-protocol="Extension " .mpe "" new-connection-mark=mpe_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mpe_conn disabled=no
        new-packet-mark=mpe passthrough=no
    add action=mark-connection chain=prerouting comment=qt disabled=no
        layer7-protocol="Extension " .qt "" new-connection-mark=qt_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=qt_conn disabled=no
        new-packet-mark=qt passthrough=no
    add action=mark-connection chain=prerouting comment=raw disabled=no
        layer7-protocol="Extension " .raw "" new-connection-mark=raw_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=raw_conn disabled=no
        new-packet-mark=raw passthrough=no
    add action=mark-connection chain=prerouting comment=wma disabled=no
        layer7-protocol="Extension " .wma "" new-connection-mark=wma_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=wma_conn disabled=no
        new-packet-mark=wma passthrough=no
    add action=mark-connection chain=prerouting comment=ogg disabled=no
        layer7-protocol="Extension " .ogg "" new-connection-mark=ogg_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ogg_conn disabled=no
        new-packet-mark=ogg passthrough=no
    add action=mark-connection chain=prerouting comment=doc disabled=no
        layer7-protocol="Extension " .doc "" new-connection-mark=doc_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=doc_conn disabled=no
        new-packet-mark=doc passthrough=no
    add action=mark-connection chain=prerouting comment=applejuice disabled=no
        layer7-protocol=applejuice new-connection-mark=applejuice_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=applejuice_conn
        disabled=no new-packet-mark=applejuice passthrough=no
    add action=mark-connection chain=prerouting comment=ares disabled=no
        layer7-protocol=ares new-connection-mark=ares_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ares_conn disabled=no
        new-packet-mark=ares passthrough=no
    add action=mark-connection chain=prerouting comment=bittorent disabled=no
        layer7-protocol=bittorrent new-connection-mark=bittorent_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=bittorent_conn
        disabled=no new-packet-mark=bittorent passthrough=no
    add action=mark-connection chain=prerouting comment=chikka disabled=no
        layer7-protocol=chikka new-connection-mark=chikka_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=chikka_conn disabled=
        no new-packet-mark=chika passthrough=no
    add action=mark-connection chain=prerouting comment=directconnect disabled=no
        layer7-protocol=directconnect new-connection-mark=directconnect_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=directconnect_conn
        disabled=no new-packet-mark=directconnect passthrough=no
    add action=mark-connection chain=prerouting comment=ftp disabled=no
        layer7-protocol=ftp new-connection-mark=ftp passthrough=no protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ftp disabled=no
        new-packet-mark=ftp passthrough=no
    add action=mark-connection chain=prerouting comment=doom3 disabled=no
        layer7-protocol=doom3 new-connection-mark=doom3_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=doom3_conn disabled=
        no new-packet-mark=doom3 passthrough=no
    add action=mark-connection chain=prerouting comment=edonkey disabled=no
        layer7-protocol=edonkey new-connection-mark=edonkey_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=edonkey_conn
        disabled=no new-packet-mark=edonkey passthrough=no
    add action=mark-connection chain=prerouting comment=fastrack_conn disabled=no
        layer7-protocol=fasttrack new-connection-mark=fasttrack passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=fasttrack disabled=no
        new-packet-mark=fastrack passthrough=no
    add action=mark-connection chain=prerouting comment=gnutella disabled=no
        layer7-protocol=gnutella new-connection-mark=gnutella_conn passthrough=
        yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=gnutella_conn
        disabled=no new-packet-mark=gnutella passthrough=no
    add action=mark-connection chain=prerouting comment=skype disabled=no
        layer7-protocol=skypeout new-connection-mark=skype_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=skype_conn disabled=
        no new-packet-mark=skype passthrough=no
    add action=mark-connection chain=prerouting comment=7z disabled=no
        layer7-protocol="Extension " .7z "" new-connection-mark=7z_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=7z_conn disabled=no
        new-packet-mark=7z passthrough=no

    Finally, we set up bandwidth management using a queue tree.
    ( You can also use simple queues, whichever you prefer )

    Create the parent first, like this :
    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=128k name="traffic shapping" parent=global-out priority=8
    ( this will be the allocation reserved for the bandwidth maniacs; adjust it to how much bandwidth you actually have )

    After that, set up the children like this :

    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=exe packet-mark=exe parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=zip packet-mark=zip parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rar packet-mark=rar parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=cab packet-mark=cab parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=asf packet-mark=asf parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mov packet-mark=mov parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wmv packet-mark=wmv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mpg packet-mark=mpg parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mkv packet-mark=mkv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=avi packet-mark=avi parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=flv packet-mark=flv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=pdf packet-mark=pdf parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wav packet-mark=wav parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rm packet-mark=rm parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp3 packet-mark=mp3 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp4 packet-mark=mp4 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ram packet-mark=ram parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rmvb packet-mark=rmvb parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=dat packet-mark=dat parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=daa packet-mark=daa parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=iso packet-mark=iso parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=bin packet-mark=bin parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=vcd packet-mark=vcd parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp2 packet-mark=mp2 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=3gp packet-mark=3gp parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mpe packet-mark=mpe parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=qt packet-mark=qt parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=raw packet-mark=raw parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wma packet-mark=wma parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ogg packet-mark=ogg parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=doc packet-mark=doc parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=applejuice packet-mark=applejuice parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ares packet-mark=ares parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=8 name=bittorent packet-mark=bittorent parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=chika packet-mark=chika parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=dconnect packet-mark=directconnect parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ftp packet-mark=ftp parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=doom3 packet-mark=doom3 parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=edonkey packet-mark=edonkey parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=fasttrack packet-mark=fastrack parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=gnutella packet-mark=gnutella parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=64k name=skype packet-mark=skype parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=7z packet-mark=7z parent="traffic shapping" priority=8
        queue=default

    ( Guaranteed, God willing, every kind of downloader will be stopped dead. The idea of the queue above is that we allocate 128k of bandwidth to the download maniacs; adjust it to your taste, mate. Cached YouTube video runs fast as if chased by a dog. Browsing whoosh…. whoosh..... lol... )

    Hope this is useful.
    Regards
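    A consistency check for this kind of export, added here as an example and not part of the original post: a small Python linter that parses the layer7, mangle and queue-tree `add` lines (including the wrapped `key=` / `value` continuations seen above) and reports marks, L7 names and parents that are referenced but never defined. The sample export inside it is constructed from the rule shapes in the post with two deliberate typos (`bittorrent_conn` vs `bittorent_conn`, and `packet-mark=bittorrent` vs the `bittorent` mark), because a mismatched mark silently leaves that traffic outside the 128k queue.

```python
import re

L7, MANGLE, QUEUE = "/ip firewall layer7-protocol", "/ip firewall mangle", "/queue tree"

# key=value pairs: a value is either "quoted" (backslash escapes allowed) or a bare token
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample in the shape of the post's export, with two deliberate typos:
# the mark-packet rule looks for bittorrent_conn (set as bittorent_conn) and the
# queue consumes packet-mark bittorrent (set as bittorent).  Plain protocol names
# only; the parser does not handle the post's '"Extension " .exe ""' name form.
SAMPLE_EXPORT = r"""
/ip firewall layer7-protocol
add name=ares regexp="^\03[]Z].\?.\?\05\$"
add name=bittorrent regexp="^(\x13bittorrent protocol|azver\x01$)"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ares disabled=no
    layer7-protocol=ares new-connection-mark=ares_conn passthrough=yes
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=ares_conn disabled=no
    new-packet-mark=ares passthrough=no
add action=mark-connection chain=prerouting comment=bittorent disabled=no
    layer7-protocol=bittorrent new-connection-mark=bittorent_conn
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=bittorrent_conn
    disabled=no new-packet-mark=bittorent passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
    max-limit=128k name="traffic shapping" parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
    max-limit=0 name=ares packet-mark=ares parent="traffic shapping" priority=8
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
    max-limit=8 name=bittorent packet-mark=bittorrent parent=
    "traffic shapping" priority=8 queue=default
"""
# The same export with both typos corrected; the linter should report nothing.
FIXED_EXPORT = (SAMPLE_EXPORT.replace("bittorrent_conn", "bittorent_conn")
                .replace("packet-mark=bittorrent", "packet-mark=bittorent"))


def parse_export(text):
    """Return [(section, {key: value})] for every 'add' rule in an export dump."""
    rules, section, parts = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("/"):
            section, parts = raw.strip(), None
        elif raw.startswith("add "):
            parts = [raw[4:].strip()]
            rules.append((section, parts))
        elif raw[0].isspace() and parts is not None:
            parts.append(raw.strip())  # indented line continues the rule
    parsed = []
    for section, parts in rules:
        joined = ""
        for p in parts:
            # a line wrapped right after 'key=' (as in the post) is glued back without a space
            joined += p if (not joined or joined.endswith("=")) else " " + p
        parsed.append((section, {k: v.strip('"') for k, v in KV_RE.findall(joined)}))
    return parsed


def lint(text):
    """Sorted list of references (marks, L7 names, parents) that nothing defines."""
    rules = parse_export(text)
    l7_names = {r.get("name") for s, r in rules if s == L7}
    conn_set, pkt_set = set(), set()
    queue_names = {"global-out", "global-in", "global-total"}
    for s, r in rules:
        if s == MANGLE and r.get("action") == "mark-connection":
            conn_set.add(r.get("new-connection-mark"))
        elif s == MANGLE and r.get("action") == "mark-packet":
            pkt_set.add(r.get("new-packet-mark"))
        elif s == QUEUE:
            queue_names.add(r.get("name"))
    problems, pkt_used = [], set()
    for s, r in rules:
        if s == MANGLE and "layer7-protocol" in r and r["layer7-protocol"] not in l7_names:
            problems.append(f"mangle '{r.get('comment')}': layer7-protocol '{r['layer7-protocol']}' is not defined")
        if s == MANGLE and r.get("action") == "mark-packet" and r.get("connection-mark") not in conn_set:
            problems.append(f"mangle mark-packet '{r.get('new-packet-mark')}': connection-mark "
                            f"'{r.get('connection-mark')}' is never set")
        if s == QUEUE:
            pm = r.get("packet-mark")
            if pm is not None:
                pkt_used.add(pm)
                if pm not in pkt_set:
                    problems.append(f"queue '{r.get('name')}': packet-mark '{pm}' is never set by mangle")
            if r.get("parent") not in queue_names:
                problems.append(f"queue '{r.get('name')}': parent '{r.get('parent')}' does not exist")
    for pm in sorted(pkt_set - pkt_used):
        problems.append(f"mangle packet-mark '{pm}' is set but no queue uses it (traffic stays unshaped)")
    return sorted(problems)


if __name__ == "__main__":
    for p in lint(SAMPLE_EXPORT):
        print("PROBLEM:", p)
```

Run it against a real `/export` dump of the three sections; an empty result means every queue is actually fed by a mangle mark and every mark lands in a queue.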



  • Thanks for sharing the MikroTik settings
    I'll try it first; if it stalls, help me push it :D



  • @ardy_2006:

    add action=mark-connection chain=prerouting comment=rm disabled=no
        layer7-protocol="Extension " .rm "" new-connection-mark=rm_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=rm_conn disabled=no
        new-packet-mark=rm passthrough=no
    add action=mark-connection chain=prerouting comment=mp3 disabled=no
        layer7-protocol="Extension " .mp3 "" new-connection-mark=mp3_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp3_conn disabled=no
        new-packet-mark=mp3 passthrough=no
    add action=mark-connection chain=prerouting comment=mp4 disabled=no
        layer7-protocol="Extension " .mp4 "" new-connection-mark=mp4_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp4_conn disabled=no
        new-packet-mark=mp4 passthrough=no
    add action=mark-connection chain=prerouting comment=ram disabled=no
        layer7-protocol="Extension " .ram "" new-connection-mark=ram_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ram_conn disabled=no
        new-packet-mark=ram passthrough=no
    add action=mark-connection chain=prerouting comment=rmvb disabled=no
        layer7-protocol="Extension " .rmvb "" new-connection-mark=rmvb_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=rmvb_conn disabled=no
        new-packet-mark=rmvb passthrough=no
    add action=mark-connection chain=prerouting comment=dat disabled=no
        layer7-protocol="Extension " .dat "" new-connection-mark=dat_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=dat_conn disabled=no
        new-packet-mark=dat passthrough=no
    add action=mark-connection chain=prerouting comment=daa disabled=no
        layer7-protocol="Extension " .daa "" new-connection-mark=daa_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=daa_conn disabled=no
        new-packet-mark=daa passthrough=no
    add action=mark-connection chain=prerouting comment=iso disabled=no
        layer7-protocol="Extension " .iso "" new-connection-mark=iso_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=iso_conn disabled=no
        new-packet-mark=iso passthrough=no
    add action=mark-connection chain=prerouting comment=bin disabled=no
        layer7-protocol="Extension " .bin "" new-connection-mark=bin_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=bin_conn disabled=no
        new-packet-mark=bin passthrough=no
    add action=mark-connection chain=prerouting comment=vcd disabled=no
        layer7-protocol="Extension " .vcd "" new-connection-mark=vcd_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=vcd_conn disabled=no
        new-packet-mark=vcd passthrough=no
    add action=mark-connection chain=prerouting comment=mp2 disabled=no
        layer7-protocol="Extension " .mp2 "" new-connection-mark=mp2_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mp2_conn disabled=no
        new-packet-mark=mp2 passthrough=no
    add action=mark-connection chain=prerouting comment=3gp disabled=no
        layer7-protocol="Extension " .3gp "" new-connection-mark=3gp_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=3gp_conn disabled=no
        new-packet-mark=3gp passthrough=no
    add action=mark-connection chain=prerouting comment=mpe disabled=no
        layer7-protocol="Extension " .mpe "" new-connection-mark=mpe_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=mpe_conn disabled=no
        new-packet-mark=mpe passthrough=no
    add action=mark-connection chain=prerouting comment=qt disabled=no
        layer7-protocol="Extension " .qt "" new-connection-mark=qt_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=qt_conn disabled=no
        new-packet-mark=qt passthrough=no
    add action=mark-connection chain=prerouting comment=raw disabled=no
        layer7-protocol="Extension " .raw "" new-connection-mark=raw_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=raw_conn disabled=no
        new-packet-mark=raw passthrough=no
    add action=mark-connection chain=prerouting comment=wma disabled=no
        layer7-protocol="Extension " .wma "" new-connection-mark=wma_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=wma_conn disabled=no
        new-packet-mark=wma passthrough=no
    add action=mark-connection chain=prerouting comment=ogg disabled=no
        layer7-protocol="Extension " .ogg "" new-connection-mark=ogg_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ogg_conn disabled=no
        new-packet-mark=ogg passthrough=no
    add action=mark-connection chain=prerouting comment=doc disabled=no
        layer7-protocol="Extension " .doc "" new-connection-mark=doc_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=doc_conn disabled=no
        new-packet-mark=doc passthrough=no
    add action=mark-connection chain=prerouting comment=applejuice disabled=no
        layer7-protocol=applejuice new-connection-mark=applejuice_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=applejuice_conn
        disabled=no new-packet-mark=applejuice passthrough=no
    add action=mark-connection chain=prerouting comment=ares disabled=no
        layer7-protocol=ares new-connection-mark=ares_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ares_conn disabled=no
        new-packet-mark=ares passthrough=no
    add action=mark-connection chain=prerouting comment=bittorent disabled=no
        layer7-protocol=bittorrent new-connection-mark=bittorent_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=bittorent_conn
        disabled=no new-packet-mark=bittorent passthrough=no
    add action=mark-connection chain=prerouting comment=chikka disabled=no
        layer7-protocol=chikka new-connection-mark=chikka_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=chikka_conn disabled=
        no new-packet-mark=chika passthrough=no
    add action=mark-connection chain=prerouting comment=directconnect disabled=no
        layer7-protocol=directconnect new-connection-mark=directconnect_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=directconnect_conn
        disabled=no new-packet-mark=directconnect passthrough=no
    add action=mark-connection chain=prerouting comment=ftp disabled=no
        layer7-protocol=ftp new-connection-mark=ftp passthrough=no protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=ftp disabled=no
        new-packet-mark=ftp passthrough=no
    add action=mark-connection chain=prerouting comment=doom3 disabled=no
        layer7-protocol=doom3 new-connection-mark=doom3_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=doom3_conn disabled=
        no new-packet-mark=doom3 passthrough=no
    add action=mark-connection chain=prerouting comment=edonkey disabled=no
        layer7-protocol=edonkey new-connection-mark=edonkey_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=edonkey_conn
        disabled=no new-packet-mark=edonkey passthrough=no
    add action=mark-connection chain=prerouting comment=fastrack_conn disabled=no
        layer7-protocol=fasttrack new-connection-mark=fasttrack passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=fasttrack disabled=no
        new-packet-mark=fastrack passthrough=no
    add action=mark-connection chain=prerouting comment=gnutella disabled=no
        layer7-protocol=gnutella new-connection-mark=gnutella_conn passthrough=
        yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=gnutella_conn
        disabled=no new-packet-mark=gnutella passthrough=no
    add action=mark-connection chain=prerouting comment=skype disabled=no
        layer7-protocol=skypeout new-connection-mark=skype_conn passthrough=yes
        protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=skype_conn disabled=
        no new-packet-mark=skype passthrough=no
    add action=mark-connection chain=prerouting comment=7z disabled=no
        layer7-protocol="Extension " .7z "" new-connection-mark=7z_conn
        passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting connection-mark=7z_conn disabled=no
        new-packet-mark=7z passthrough=no

    Finally we set up bandwidth management using a queue tree.
    ( You can use simple queues instead if you like, whichever suits your taste )

    Create the parent first, like this:
    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=128k name="traffic shapping" parent=global-out priority=8
    ( this is the allocation reserved for the bandwidth maniacs; adjust it to the bandwidth you actually have )

    Then set up the children like this:

    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=exe packet-mark=exe parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=zip packet-mark=zip parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rar packet-mark=rar parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=cab packet-mark=cab parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=asf packet-mark=asf parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mov packet-mark=mov parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wmv packet-mark=wmv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mpg packet-mark=mpg parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mkv packet-mark=mkv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=avi packet-mark=avi parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=flv packet-mark=flv parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=pdf packet-mark=pdf parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wav packet-mark=wav parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rm packet-mark=rm parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp3 packet-mark=mp3 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp4 packet-mark=mp4 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ram packet-mark=ram parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=rmvb packet-mark=rmvb parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=dat packet-mark=dat parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=daa packet-mark=daa parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=iso packet-mark=iso parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=bin packet-mark=bin parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=vcd packet-mark=vcd parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mp2 packet-mark=mp2 parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=3gp packet-mark=3gp parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=mpe packet-mark=mpe parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=qt packet-mark=qt parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=raw packet-mark=raw parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=wma packet-mark=wma parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ogg packet-mark=ogg parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=doc packet-mark=doc parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=applejuice packet-mark=applejuice parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ares packet-mark=ares parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=8 name=bittorent packet-mark=bittorent parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=chika packet-mark=chika parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=dconnect packet-mark=directconnect parent=
        "traffic shapping" priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=ftp packet-mark=ftp parent="traffic shapping" priority=8
        queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=doom3 packet-mark=doom3 parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=edonkey packet-mark=edonkey parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=fasttrack packet-mark=fastrack parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=gnutella packet-mark=gnutella parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=64k name=skype packet-mark=skype parent="traffic shapping"
        priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
        max-limit=0 name=7z packet-mark=7z parent="traffic shapping" priority=8
        queue=default

    ( God willing, every kind of downloader is guaranteed to be crippled. The queues above allocate 128k to the download maniacs; adjust to taste. YouTube caching runs as fast as if chased by a dog, browsing goes whoosh.... whoosh..... wkwk... wk....wk....)

    hope this helps.
    regards

    Mas Ardy, please explain the NAT setting:
    chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=CLIENTS dst-port=80
    Does the address really have to be 10.10.3.2? Why is that?
    Please explain, thanks!



  • For a small network that model is fine, but for an ISP it falls apart zzzz...... Bouncing packets around obviously adds latency, and with lots of online-game clients it will be noticeable. I'd rather go pfsense - mikrotik - client; even reversed it is still double routing from the client network: limiter, pf, modem, do you want all of that in one subnet? If you don't want so much routing, just point the clients straight at pf without going through the limiter, or go extreme and straight to the modem.



    @mxn:

    For a small network that model is fine, but for an ISP it falls apart zzzz...... Bouncing packets around obviously adds latency, and with lots of online-game clients it will be noticeable. I'd rather go pfsense - mikrotik - client; even reversed it is still double routing from the client network: limiter, pf, modem, do you want all of that in one subnet? If you don't want so much routing, just point the clients straight at pf without going through the limiter, or go extreme and straight to the modem.

    The network topology we use will not necessarily suit another network.
    There is no harm in trying. If there are errors or something does not fit, we can share. As for latency, that naturally depends on the hardware we use; the I/O factor also has to be taken into account. My PFSENSE uses dual server LAN cards on an Asus socket 478 board / 1.8GHz / 2x80GB / 2GB with two power supplies, certainly not cheap knock-offs, paired with a Mikrotik RB 750 G running version 5.7, serving 30 - 50 clients online at the same time, still perfectly calm, ping times averaging single digits, at worst in the teens. Clients are 5km-20km away over wireless links. So of course the radios / APs have to be accounted for too. Don't just slap things together any old how.



  • nothing is perfect in this world ...

    at ISP scale, the choice of hardware and the topology are the top priority
    that does not mean low-end and mid-range users may not use high-grade hardware
    always remember ... don't blame pf
    developers and users (world wide) have already deployed pf at enterprise scale
    just draw your own conclusion ... is pf for you?



    @serangku:

    nothing is perfect in this world ...

    Totally agree, boss. Besides that, " every system is vulnerable "



  • Mas Ardy, could you explain the NAT settings in more detail? I have tried the method above but it has not worked yet. Or if any of you have got it working, please share here. Thanks!



  • I agree with the settings above ... btw, looking at it, there is no exception here for online games; it only chokes the bandwidth-hungry applications or ports .....

    if you want the online games to go whoosh ..

    you need to add a mangle .., along these lines ... every source heading to an online game's port or IP gets caught .. and tagged .., with a mark-connection ... for that game .. after that the packets get marked, for example ... PB .. once caught, those packets are sent to a queue tree ., e.g. one for PB .. with the rule that all bandwidth for online games is let loose

    good luck

    Kambeeng
    PFSI



  • Me, I'd rather use pf directly .... a little tweaking and it's okaaaay, delicious



  • First, I ask the Moderator's ( kambeeng's ) permission, because my post does not discuss PFSense
    but Mikrotik routing, since I am already convinced that the PFSense Lusca we all use is solid as a proxy server to pair with mikrotik.

    Earlier I posted about choking downloaders with firewall layer7-protocol rules. After watching and monitoring it, it turned out the layer7-protocol firewall I used ate too much of the RB750G's resources. After trying regexp after regexp I finally found a setting that is very simple and accurate.

    just sharing; if anyone has input, go ahead, so it gets even better.

    Catch every file extension with one L7 protocol (a single entry, much leaner)
    /ip firewall layer7-protocol
    add name=download regexp="\.(zip|gz(a|i)|rar|raw|ram|7z|bz|bzip|gzip|tar.gz|tgz|iso|doc|pdf|cab|bin|xml|vcf|exe|app|vb|scr|avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|og(x|v|a|g|m)|rm|r(a|p)m|vob|flv|x-flv|3gp|vcd|nrg|amr|klv|wav|DivX|mov|wmv|rmvb|aac|dat|amv|ifo|imovieproj|ivr|qt|swf)"

    First tag the packets going in and out with a mangle setting.
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment=download disabled=no layer7-protocol=download new-packet-mark=download passthrough=no protocol=tcp

    Now we set how much bandwidth we allocate to the download maniacs.
    Even better, we can set it on a schedule; here I set the download window from midnight until early morning, full unrestricted downloading for as long as you like. Nobody is allowed to complain at that hour because everyone is asleep. heee... heee.... heee....

    /queue simple
    add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=0/166k name=download packet-marks=download parent=none priority=8 queue=default-small/default-small time=7h-23h59m,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

    The NAT settings and the rest are still as in my earlier post.

    That's it for now, I'll continue later; right now I'm trying a regexp to limit youtube, but once it is in the proxy cache it is not limited ( proxy hit ).

    hope this helps
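    The post above (and the per-extension "Extension .xxx" patterns of the first post) rely on an L7 regexp that is run over the first bytes of each port-80 connection. The following script is an added example, not code from the post or from RouterOS: it uses `grep -E` as a stand-in for the L7 matcher (assumption: as in l7-filter, the pattern is compiled as a POSIX extended, case-insensitive regex and tried against the request line and headers) and feeds it constructed HTTP requests to show what the `download` pattern marks. It also tries a tighter pattern of my own, anchored to the request line, that the post does not contain. The sample requests and host names are constructed.

```shell
#!/bin/sh
# Added example: check what the "download" L7 pattern would mark, using grep -E
# as a stand-in for the RouterOS layer7 matcher (assumption: POSIX extended,
# case-insensitive match over the first bytes of the connection).

# Pattern copied from the post above, joined onto one line.
L7_DOWNLOAD='\.(zip|gz(a|i)|rar|raw|ram|7z|bz|bzip|gzip|tar.gz|tgz|iso|doc|pdf|cab|bin|xml|vcf|exe|app|vb|scr|avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|og(x|v|a|g|m)|rm|r(a|p)m|vob|flv|x-flv|3gp|vcd|nrg|amr|klv|wav|DivX|mov|wmv|rmvb|aac|dat|amv|ifo|imovieproj|ivr|qt|swf)'

# Tighter alternative (my suggestion, not from the post): anchored to the request
# line and its path, so a Host, Referer or Cookie header containing ".bin" or
# ".dat" cannot trigger the mark. The extension list is shortened for readability.
L7_DOWNLOAD_TIGHT='^(GET|POST) [^ ?]*\.(zip|rar|7z|iso|exe|cab|avi|mkv|mp4|mp3|flv|pdf|doc)( |\?)'

# l7_match PATTERN DATA: exit 0 if PATTERN would mark a connection whose first
# bytes are DATA (request line and headers, one per line), non-zero otherwise.
l7_match() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Constructed sample requests (not captured traffic).
REQ_MKV='GET /films/movie.mkv HTTP/1.1
Host: files.example.net'
REQ_HOST_BIN='GET /index.html HTTP/1.1
Host: cdn.bin.example.net'
REQ_ENCODED='GET /films/movie.mk%76 HTTP/1.1
Host: files.example.net'
REQ_QUERY='GET /films/movie.mkv?token=abc HTTP/1.1
Host: files.example.net'

# Print one verdict per sample and pattern.
report() {
    for name in REQ_MKV REQ_HOST_BIN REQ_ENCODED REQ_QUERY; do
        eval "data=\$$name"
        for pat in L7_DOWNLOAD L7_DOWNLOAD_TIGHT; do
            eval "regex=\$$pat"
            if l7_match "$regex" "$data"; then v=marked; else v=unmarked; fi
            printf '%-18s %-14s %s\n' "$pat" "$name" "$v"
        done
    done
}

report
```

    Run it with `sh`. The report shows the two things a practitioner should take from this setup: the unanchored pattern marks `REQ_HOST_BIN` purely because of the hostname (false positive, the page loads slowly for no reason), and neither pattern marks `REQ_ENCODED`, where the client percent-encoded one letter of `.mkv` and the server still serves the file. Extension matching is a QoS hint that any user can sidestep with encoding, a renamed file, or HTTPS (port 443 is never redirected by the dst-nat rule, and TLS payload is not matchable); it is not access control.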



    @ardy_2006:

    As promised ( a promise is a debt :) , God willing the debt is paid off soon ) amen.... !!

    Just sharing my Mikrotik setup alongside PFSense.

    Clients ------- Mikrotik 3 port -------- Inet

    port 3 mikrotik ----- pfsense ------ internet

    modem : 192.168.2.1

    mikrotik topology using 3 ethernet ports:
    port 1 = WAN  ( 192.168.2.2 )
    port 2 = CLIENTS ( 192.168.1.1 )
    port 3 = PROXY PFSENSE ( 192.168.3.1 )

    pfsense topology using 2 ethernet ports:
    port 1 = LAN ( mikrotik port 3 ) ( 192.168.3.2 )
    port 2 = WAN ( 192.168.2.3 )

    okay, straight to the point.
    assume the pfsense box is running well & tuned with LUSCA.
    for tweaks & tune-up see the guide from anto_DIGIT http://forum.pfsense.org/index.php/topic,29019.0.html

    Client management, both the hotspot & bandwidth management, is all on the mikrotik.
    The hotspot settings are not covered here; just google the tutorial.
    This setup uses L7 for the filter. Specifically, destination port 80 is diverted to pfsense as the proxy server on port 3128.
    Sorry mate, here PFSense is only used as a proxy server ( Delicious.... )

    NAT setting:
    chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=CLIENTS dst-port=80
    ( meaning all port 80 requests are directed to the Proxy Server ( PFSense ) address )

    bung ardy, could you explain the topology above in more detail? I'm still confused by the 2-port pfsense, especially the WAN interface (192.168.2.3) ....
    that is set static, right? Port 1 (192.168.3.2) connects to mikrotik ether3 PROXY PFSENSE ( 192.168.3.1 ), but where does the WAN port connect to?
    And the modem is set static too ( pppoe on the modem )?

    thank you



  • I deliberately "married" PF to mikrotik because with mikrotik it is easier to watch each client's upload/download in real time...
    while PF is positioned as an external proxy, because it is certainly faster with LUSCA.

    With the PF+Mikrotik cross-breeding PF's workload is lighter, as the "Memory Usage" status on the PF dashboard shows.



  • @mumtazian:

    @ardy_2006:


    bung ardy, could you explain the topology above in more detail? I'm still confused by the 2-port pfsense, especially the WAN interface (192.168.2.3) ....
    that is set static, right? Port 1 (192.168.3.2) connects to mikrotik ether3 PROXY PFSENSE ( 192.168.3.1 ), but where does the WAN port connect to?
    And the modem is set static too ( pppoe on the modem )?

    thank you

    yeah, where does that WAN connect to? why is there no answer yet?



    @asepyulisman:

    adsl ----pcmikrotik----switch--client
                     |
                     |
                 pfsense
    

    mate, if I may ask, how many Mega does your proxy hit reach???

    greetings to everyone...
    I have been running pf 64bit here for about 5 months; the top proxy hit can reach 69Mbps with 25 clients, but it rarely gets that high; the daily top hit averages 3.5Mb - 5Mb..
    my topology is as above, with pfsense on a single LAN card (as WAN + LAN) towards the mikrotik; the WAN uses a vlan, while the LAN uses the real mac address.
    My machine is a Pentium D 3GHz, 4GB RAM, 2 HDDs (80GB & 160GB), one for system + coss, the other for cache.
    My cache very rarely reaches 50%, and now it has dropped again. Is that normal? Input appreciated, thank you.

    Filesystem    Size    Used  Avail Capacity  Mounted on
    /dev/ad4s1a    64G    18G    41G    31%    /
    devfs          1.0K    1.0K      0B  100%    /dev
    /dev/md0      3.6M    44K    3.3M    1%    /var/run
    /dev/ad6s1a    144G    32G    101G    24%    /HDD2



  • @sis.net.id:

    After digging through Goo*le, the PF forum and other forums for a recipe to make the RB 750 FIERCE, I finally found one like this:

    Topology:

    ADSL(Bridge) ------------ Mikocok -------------- Switch ------------ Client
                                 | |
                       PFSense (Squid + Lusca)

    I assume readers already understand how Mikocok works.

    Mikocok config:
    Ether 0  = PPPoE client to Spedol
    Ether 1  = to clients, IP 192.168.88.2-254
    Ether 2  = default
    Ether 3  = to PF box LAN, IP 192.168.200.1
    Ether 4  = to PF box WAN, IP 172.3.3.2

    Required equipment:

    1 MikroTik RB 750 / 750G
    1 used or new PC, anything that still boots, with at least a PIII processor
    4 LAN cables
    1 Spedol modem (set to bridge); the MikroTik will dial the Spedol PPPoE

    Next steps:

    Setup on the PF side

    1. Install the pfbox (per the manual).
    2. Once the PFbox install is done, go into its web config.
    3. Open System --> Packages --> find SQUID 2.7 (definitely stable) and install it.
    4. In Diagnostics -> Command Prompt type: http://pfsense-cacheboy.googlecode.com/svn/trunk/script/package.sh && chmod +x package.sh && ./package.sh
    5. Open System --> Packages --> find Lusca
    6. or look up a tutorial on installing LUSCA cache on PFsense on Goo*le (the Lusca cache is an optional install)
    7. Open Services --> Proxy Server --> make sure the proxy port is 3128
    *. General tab --> tick Allow users on interface, Transparent proxy, Enable logging, Transparent X-Forward, and Disable VIA --> click Save
    *. Cache Mgmt tab --> Hard disk cache system = coss+aufs (if Lusca is installed), COSS HD cache size 50, HD cache size 100, memory cache size 8 (adjust to your RAM), max memory object size 4 (adjust to your RAM), minimum object size 10 (adjust to your RAM), maximum object size 6 (adjust to your RAM) --> click Save
    *. Access control tab --> Allowed subnets (enter 192.168.88.0/24) --> click Save
    *. Traffic Mgmt tab --> just turn off "Enable delay pool" (let Mikocok manage the bandwidth)
    8. If you use the LUSCA cache add-on, adjust its configuration to your needs.
    9. Next, make sure the Squid service is running. Click Status --> Services --> check whether Squid is running
    10. Restart the PF box --> after the restart, the PFBox is ready to work.

    Setup on the Mik*otik side

    1. IP --> Address

    Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
    0   ;;; default configuration
         192.168.88.1/24    192.168.88.0    192.168.88.255  ether2-local-master   
    1   10.10.30.6/28      10.10.30.0      10.10.30.15     ether1-gateway         
    2   192.168.200.100/24 192.168.200.0   192.168.200.255 ether4-local-slave     
    3   172.3.1.1/24       172.3.1.1       172.3.1.255     ether5-local-slave

    2. IP --> Firewall --> NAT

    Flags: X - disabled, I - invalid, D - dynamic
    0   ;;; Client
         chain=srcnat action=masquerade out-interface=ether1-gateway

    1 X chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=3128
         protocol=tcp src-address=192.168.88.0/24 in-interface=ether4-local-slave
         dst-port=80

    2   ;;; Proxy
         chain=srcnat action=masquerade out-interface=ether5-local-slave

    3   ;;; NAT Proxy
         chain=srcnat action=masquerade src-address=192.168.200.1
         out-interface=ether1-gateway

    4   ;;; Belok ke-Proxy
         chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=3128
         protocol=tcp in-interface=ether2-local-master dst-port=80

    3. IP --> Route

    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
    B - blackhole, U - unreachable, P - prohibit
    #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
    0 A S  0.0.0.0/0          10.10.30.6      10.10.30.1         1       
    1 X S  0.0.0.0/0          192.168.200.100 192.168.200.1      1       
    2 X S  0.0.0.0/0          10.10.30.6      192.168.200.1      2       
                                               10.10.30.1       
    3 ADC  10.10.30.0/28      10.10.30.6      ether1-gateway     0       
    4 ADC  172.3.1.0/24       172.3.1.1       ether5-local-slave 0       
    5 ADC  192.168.88.0/24    192.168.88.1    ether2-local-ma... 0       
    6 ADC  192.168.200.0/24   192.168.200.100 ether4-local-slave 0


    For those of you who have another method, perhaps using just 1 LAN card toward the PF box,
    could you give some input on how to build it? And share it here so that fellow
    PFsense & Mikocok fans can move forward :)

    Waiting for your comments

    Onward, Indonesian networking

    for a newbie like me…
    your post is worth 6 letters:

    T.O.P.B.G.T
    ;D
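    Added example, not part of the post above or of RouterOS: a small Python lint that reads rules in RouterOS `/export` form and checks the properties that decide whether a port-80 redirect like rule 4 above is both safe and reachable: the rule is scoped to a client interface or subnet rather than to every ingress, it is not sitting on the WAN interface, it is not disabled, and the proxy address it sends traffic to lies inside a directly connected subnet. The sample input is constructed from the address list and NAT rules printed above, plus one extra rule aimed at a proxy address that lies outside every connected subnet (the kind of mismatch that is questioned later in this thread); the interface names and the `wan_iface` argument are taken from that post.

```python
"""Lint a RouterOS transparent-proxy NAT configuration (added example).

Parses `/ip address` and `/ip firewall nat` entries written in `/export` form
(`add key=value ...`) and reports redirect rules that are unscoped, disabled,
bound to the WAN, or pointed at a proxy address no connected subnet contains.
"""
import ipaddress
import shlex


def parse_rules(text):
    """Turn `add k=v k=v ...` lines into a list of dicts; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for tok in shlex.split(line[4:]):       # shlex keeps quoted values intact
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def connected_subnets(address_rules):
    """Map interface name -> list of networks from /ip address entries."""
    nets = {}
    for r in address_rules:
        net = ipaddress.ip_interface(r["address"]).network
        nets.setdefault(r.get("interface"), []).append(net)
    return nets


def lint_redirect(rule, nets, wan_iface):
    """Findings for one dstnat rule that hands port-80 traffic to a proxy."""
    findings = []
    if rule.get("chain") != "dstnat" or rule.get("action") not in ("dst-nat", "redirect"):
        return findings
    if rule.get("disabled") == "yes":
        findings.append("rule is disabled: clients go straight to the internet, bypassing the proxy")
    if "in-interface" not in rule and "src-address" not in rule:
        findings.append("no in-interface/src-address: the redirect applies to every ingress, WAN included")
    if rule.get("in-interface") == wan_iface:
        findings.append("in-interface is the WAN: inbound port-80 traffic would be sent to the proxy")
    if rule.get("action") == "dst-nat":
        target = ipaddress.ip_address(rule["to-addresses"])
        if not any(target in n for ifnets in nets.values() for n in ifnets):
            findings.append(f"to-addresses {target} is in no connected subnet: check the topology")
    return findings


def lint_config(address_text, nat_text, wan_iface):
    """Return {rule index: [findings]} for every NAT rule that has a problem."""
    nets = connected_subnets(parse_rules(address_text))
    report = {}
    for i, rule in enumerate(parse_rules(nat_text)):
        found = lint_redirect(rule, nets, wan_iface)
        if found:
            report[i] = found
    return report


# Constructed sample in /export form, taken from the address list and NAT rules above.
SAMPLE_ADDRESSES = """
add address=192.168.88.1/24 interface=ether2-local-master
add address=10.10.30.6/28 interface=ether1-gateway
add address=192.168.200.100/24 interface=ether4-local-slave
add address=172.3.1.1/24 interface=ether5-local-slave
"""
SAMPLE_NAT = """
add chain=srcnat action=masquerade out-interface=ether1-gateway
add chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=3128 protocol=tcp src-address=192.168.88.0/24 in-interface=ether4-local-slave dst-port=80 disabled=yes
add chain=srcnat action=masquerade out-interface=ether5-local-slave
add chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=3128 protocol=tcp in-interface=ether2-local-master dst-port=80
add chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=ether2-local-master dst-port=80
"""

if __name__ == "__main__":
    for idx, findings in lint_config(SAMPLE_ADDRESSES, SAMPLE_NAT, "ether1-gateway").items():
        print(f"rule {idx}:")
        for f in findings:
            print("   ", f)
```

    Run against the sample it flags only the disabled rule and the rule whose proxy address is outside every connected subnet; the active redirect on ether2-local-master passes because it is bound to the client interface and its target sits in 192.168.200.0/24. Paste the output of `/ip address export` and `/ip firewall nat export` from a real box into the two strings to lint it.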



  • my old topology

    RADIO/ACCESS POINT <–------>RB750<-------->PF SENSE<-------->SWITCH<-------->CLIENT
                                                  ╚>RADIO/ACCESS POINT to clients in another building

    no idea why the RB hangs so often, and even when it doesn't hang the internet speed is not fierce at all, "sluggish"

    is anything wrong???



  • Excuse me, a quick question: how do you set up pfSense using just 1 LAN port?
    topology

    ADSL(Bridge) (1)------------ Mikocok -------------- Switch(2) ------------ Client
                                    | (3)
                          PFSense (Squid + Lusca)

    Mikocok config:

    Ether 1  =  IP 192.168.101.2/24 (Speedy gateway)
    Ether 2  =  IP 192.168.4.1/24    (local warnet)
    Ether 3  =  IP 192.168.2.2/24    (proxy)

    What I want to ask is how to set up the web config on the PF side and the settings on the Mik*otik side. I have already installed pfSense following the install manual and can reach its web config.

    Hardware technical data:
    MB: ASUS P5G41
    PROCESSOR: dual core 3.0
    RAM SIZE: 3 GB
    HD SIZE: 250 GB
    NETWORK CARD: TP-Link
    PFSENSE VER.: 2.0.1-RELEASE (i386) built on FreeBSD 8.1-RELEASE-p6

    USED FOR: warnet (internet cafe)

    As for the modem, I set it to bridge, so the PPPoE comes straight from Speedy. To all pfSense friends, please help; I have gone round and round on Google but cannot find settings for a setup like the above. Sorry, I am still a complete newbie. Thanks in advance. Greetings to all pfSense friends across the archipelago.



  • @sablan:

    [quotes the post above in full, with the last paragraph changed to:]

    As for the modem, I set it to bridge, so the PPPoE is dialled from Mikocok. To all pfSense friends, please help; I have gone round and round on Google but cannot find settings for a setup like the above. Sorry, I am still a complete newbie. Thanks in advance. Greetings to all pfSense friends across the archipelago.



  • Please enlighten me

    MikroTik topology, using 3 ethernet ports:
    port 1 = WAN  ( 192.168.2.2 )
    port 2 = CLIENTS ( 192.168.1.1 )
    port 3 = PROXY PFSENSE ( 192.168.3.1 )

    pfSense topology, using 2 ethernet ports:
    port 1 = LAN ( MikroTik port 3 ) ( 192.168.3.2 )
    port 2 = WAN ( 192.168.2.3 )

    After reading this:
    the MikroTik WAN IP is 192.168.2.2 and the pfSense WAN is 192.168.3.2, so how can the NAT be like this..??

    NAT setting:
    chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=CLIENTS dst-port=80
    ( meaning every port-80 request is directed to the proxy server's address ( PFSense ) )

    Please complete it, I really need this



  • Try having a look over here; someone has already married pf + mt successfully…. please check
    http://www.facebook.com/photo.php?fbid=325718020852060&set=o.393320928141&type=1&relevant_count=1&ref=nf



  • Let me join in.. please try it and fill in the gaps; everything runs fine

    MIKROTIK RB750 WITH PFSENSE + LUSCA PROXY

    modem
       |
    switch
       |---(port1)---------| |-----------to pfsense wan
    MIKROTIK RB750                             |
       |----(port3)-----crossover UTP cable----|
       |----(port2)--to switch to clients

    ======================
    pfsense wan : DHCP from the modem
    pfsense lan : 192.168.12.1/24, proxy port 3128, LUSCA

    proxy : 192.168.12.15/24
    lan   : 192.168.10.15/24
    modem : 192.168.3.1/24 (DHCP)

    client IPs : 192.168.10.xxx and so on

    ======================
    interface settings
    Code:

    /interface set 0 name=public
    /interface set 1 name=lan
    /interface set 2 name=proxy

    ======================
    IP address settings
    Code:

    /ip address
    add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=public comment="" disabled=no
    add address=192.168.10.15/24 network=192.168.10.0 broadcast=192.168.10.255 interface=lan comment="" disabled=no
    add address=192.168.12.15/24 network=192.168.12.0 broadcast=192.168.12.255 interface=proxy comment="" disabled=no

    =======================
    route settings:
    Code:

    /ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=255 target-scope=10 comment="" disabled=no

    =======================
    DNS settings:
    Code:

    /ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=10.17.3.245,10.17.3.252 (Fren DNS)

    /ip dns static add name="192.168.3.1" address=192.168.3.1 ttl=1d

    ========================
    NAT settings:
    Code:

    /ip firewall nat
    add chain=srcnat action=masquerade out-interface=public
    add chain=dstnat action=redirect to-ports=3128 protocol=tcp src-address=192.168.10.0/24 in-interface=lan dst-port=80 (if using the internal web proxy)
    add chain=dstnat action=dst-nat to-addresses=192.168.12.1 to-ports=3128 protocol=tcp src-address=192.168.10.0/24 in-interface=lan dst-port=80 (external proxy)
    add chain=srcnat action=masquerade out-interface=proxy (so clients can open pfSense/putty/winscp)

    /ip firewall nat print

    0  chain=srcnat action=masquerade out-interface=public

    1 X chain=dstnat action=redirect to-ports=3128 protocol=tcp src-address=192.168.10.0/24 in-interface=lan
        dst-port=80

    2  chain=dstnat action=dst-nat to-addresses=192.168.12.1 to-ports=3128 protocol=tcp
        src-address=192.168.10.0/24 in-interface=lan dst-port=80

    3  chain=srcnat action=masquerade out-interface=proxy

    ========================
    mangle settings:
    Code:

    /ip firewall mangle
    add chain=forward content="X-Cache: HIT" action=mark-connection new-connection-mark=squid_con passthrough=yes comment="" disabled=no
    add chain=forward connection-mark=squid_con action=mark-packet new-packet-mark=squid_pkt passthrough=no comment="" disabled=no
    add chain=forward connection-mark=!squid_con action=mark-connection new-connection-mark=all_con passthrough=yes comment="" disabled=no
    add chain=forward protocol=tcp src-port=80 connection-mark=all_con action=mark-packet new-packet-mark=http_pkt passthrough=no comment="" disabled=no
    add chain=forward protocol=icmp connection-mark=all_con action=mark-packet new-packet-mark=icmp_pkt passthrough=no comment="" disabled=no
    add chain=forward protocol=tcp dst-port=1973 connection-mark=all_con action=mark-packet new-packet-mark=top_pkt passthrough=no comment="" disabled=no
    add chain=forward connection-mark=all_con action=mark-packet new-packet-mark=test_pkt passthrough=no comment="" disabled=no

    /ip firewall mangle print

    0  chain=forward action=mark-connection new-connection-mark=squid_con passthrough=yes content=X-Cache: HIT

    1  chain=forward action=mark-packet new-packet-mark=squid_pkt passthrough=no connection-mark=squid_con

    2  chain=forward action=mark-connection new-connection-mark=all_con passthrough=yes
        connection-mark=!squid_con

    3  chain=forward action=mark-packet new-packet-mark=http_pkt passthrough=no protocol=tcp src-port=80
        connection-mark=all_con

    4  chain=forward action=mark-packet new-packet-mark=icmp_pkt passthrough=no protocol=icmp
        connection-mark=all_con

    5  chain=forward action=mark-packet new-packet-mark=top_pkt passthrough=no protocol=tcp dst-port=1973
        connection-mark=all_con

    6  chain=forward action=mark-packet new-packet-mark=test_pkt passthrough=no connection-mark=all_con

    =======================
    queue settings:

    /queue simple
    add name="Squid_HIT" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=squid_pkt direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
    add name="Main_Link" dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=35000/256000 total-queue=default-small disabled=no
    add name="game_tales_of_pirate" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=top_pkt direction=both priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
    add name="Ping_queue" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=icmp_pkt direction=both priority=2 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
    add name="The_other_port_queue" target-addresses=192.168.12.0/24 dst-address=0.0.0.0/0 interface=all parent=Main_Link packet-marks=http_pkt direction=both priority=8 queue=default-small/default-small limit-at=5000/5000 max-limit=50000/256000 total-queue=default-small disabled=no
    add name="another_port" target-addresses=192.168.10.0/24 dst-address=0.0.0.0/0 interface=all parent=Main_Link packet-marks=test_pkt direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/256000 total-queue=default-small disabled=no

    /queue simple print

    0    name="Squid_HIT" dst-address=0.0.0.0/0 interface=all parent=none
          packet-marks=squid_pkt direction=both priority=8
          queue=default-small/default-small limit-at=0/0 max-limit=0/0
          burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
          total-queue=default-small

    1    name="Main_Link" dst-address=0.0.0.0/0 interface=all parent=none
          direction=both priority=8 queue=default-small/default-small
          limit-at=0/0 max-limit=35k/256k burst-limit=0/0 burst-threshold=0/0
          burst-time=0s/0s total-queue=default-small

    2    name="game_tales_of_pirate" dst-address=0.0.0.0/0 interface=all
          parent=none packet-marks=top_pkt direction=both priority=1
          queue=default-small/default-small limit-at=0/0 max-limit=0/0
          burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
          total-queue=default-small

    3    name="Ping_queue" dst-address=0.0.0.0/0 interface=all parent=none
          packet-marks=icmp_pkt direction=both priority=2
          queue=default-small/default-small limit-at=0/0 max-limit=0/0
          burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
          total-queue=default-small
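    Added example, not part of the post above: a Python model of how RouterOS walks the seven mangle rules just listed, used to show what the cache-hit classification actually keys on. RouterOS evaluates mangle rules in order; `mark-connection` sticks to the conntrack entry, so later packets of that connection match `connection-mark=`, and `passthrough=no` ends evaluation for the packet. The first rule recognises a cache hit purely by payload (`content="X-Cache: HIT"`) and checks nothing about where the packet came from, so the same string arriving on any other interface, a direct reply on some non-80 port or a client's own request body, also earns the unthrottled `squid_pkt` mark for that whole connection. The hardened set adds `in-interface=proxy` to that rule (my suggestion, using the interface name from the post); `in-interface` rather than `src-address` because conntrack has already reversed the dst-nat by the time the forward chain sees the proxy's reply, so its source address is the original web server's, not 192.168.12.1. The packets below are constructed, not captured, and the matcher semantics are simplified to the five matchers the rules use.

```python
"""Model RouterOS forward-chain mangle evaluation for the cache-hit rules (added example)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    conn: str                 # conntrack identity shared by all packets of one flow
    in_iface: str             # interface the packet arrived on (lan / proxy / public)
    proto: str = "tcp"
    src_port: int = 0         # as seen in the forward chain, i.e. after de-NAT
    dst_port: int = 0
    payload: str = ""


@dataclass
class Rule:
    action: str               # mark-connection | mark-packet
    passthrough: bool
    match: dict = field(default_factory=dict)   # keys mirror RouterOS matcher names
    new_mark: str = ""


def matches(rule, pkt, conn_mark):
    """True when every matcher in the rule accepts the packet (and its connection mark)."""
    for key, want in rule.match.items():
        if key == "content":
            if want not in pkt.payload:
                return False
        elif key == "connection-mark":
            negated = want.startswith("!")
            if (conn_mark == want.lstrip("!")) == negated:
                return False
        elif key == "protocol":
            if pkt.proto != want:
                return False
        elif key == "src-port":
            if pkt.src_port != want:
                return False
        elif key == "dst-port":
            if pkt.dst_port != want:
                return False
        elif key == "in-interface":
            if pkt.in_iface != want:
                return False
        else:
            raise ValueError(f"unsupported matcher {key}")
    return True


def classify(rules, packets):
    """Return {packet index: packet mark}; connection marks persist per conntrack entry."""
    conn_marks, packet_marks = {}, {}
    for i, pkt in enumerate(packets):
        for rule in rules:
            if not matches(rule, pkt, conn_marks.get(pkt.conn)):
                continue
            if rule.action == "mark-connection":
                conn_marks[pkt.conn] = rule.new_mark   # visible to the following rules
            elif rule.action == "mark-packet":
                packet_marks[i] = rule.new_mark
            if not rule.passthrough:
                break
    return packet_marks


def mangle_rules(hit_rule_extra=None):
    """The seven rules from the post; hit_rule_extra adds matchers to the X-Cache rule."""
    hit = {"content": "X-Cache: HIT", **(hit_rule_extra or {})}
    return [
        Rule("mark-connection", True, hit, "squid_con"),
        Rule("mark-packet", False, {"connection-mark": "squid_con"}, "squid_pkt"),
        Rule("mark-connection", True, {"connection-mark": "!squid_con"}, "all_con"),
        Rule("mark-packet", False, {"protocol": "tcp", "src-port": 80, "connection-mark": "all_con"}, "http_pkt"),
        Rule("mark-packet", False, {"protocol": "icmp", "connection-mark": "all_con"}, "icmp_pkt"),
        Rule("mark-packet", False, {"protocol": "tcp", "dst-port": 1973, "connection-mark": "all_con"}, "top_pkt"),
        Rule("mark-packet", False, {"connection-mark": "all_con"}, "test_pkt"),
    ]


# Constructed packets. Proxy replies arrive on `proxy` and show src-port 80 after de-NAT.
SAMPLE = [
    Packet("c1", "proxy", src_port=80, payload="HTTP/1.0 200 OK\r\nX-Cache: HIT from proxy\r\n"),
    Packet("c1", "proxy", src_port=80, payload="<html>...</html>"),          # later segment, no header
    Packet("c2", "public", src_port=8080, payload="HTTP/1.1 200 OK\r\nX-Cache: HIT\r\n"),  # not via proxy
    Packet("c3", "public", src_port=80, payload="HTTP/1.1 200 OK\r\n"),
    Packet("c4", "lan", src_port=51000, dst_port=8080, payload="POST / ...\r\n\r\nX-Cache: HIT"),  # client body
]


def original():
    return classify(mangle_rules(), SAMPLE)


def hardened():
    return classify(mangle_rules({"in-interface": "proxy"}), SAMPLE)


if __name__ == "__main__":
    print("original:", original())
    print("hardened:", hardened())
```

    With the rules as posted, packets 0, 1, 2 and 4 all end up as `squid_pkt`, so connections c2 and c4 sit in the unlimited Squid_HIT queue although neither passed through the proxy; with `in-interface=proxy` on the first rule only the real proxy reply (and the rest of its connection) keeps that mark, and c2 and c4 fall through to `test_pkt` under Main_Link as intended. On the router, `/ip firewall mangle set 0 in-interface=proxy` is the corresponding change.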



  • Please also include the settings on the pfSense side, om….. many of us would probably like to know



  • @abnisrea:

    [quotes abnisrea's "MIKROTIK RB750 WITH PFSENSE + LUSCA PROXY" post above in full, with the diagram annotated to show where the pfSense WAN gets its DHCP lease:]

    modem
       |
    switch
       |---(port1)---------| |-----DHCP from modem------to pfsense wan
    MIKROTIK RB750                                           |
       |----(port3)-----crossover UTP cable------------------|
       |----(port2)--to switch to clients

    For Om Juragan Kambeeng
    The pfSense settings are all default: no DHCP, no firewall, including Lusca on the default port 3128.. everything runs normally..

    on the WAN, DHCP from the modem, gateway from the modem..

    Regards, PFI



  • I was confused by the 2-interface pfSense married to Mikrot*k; wandering around I found this http://forum.pfsense.org/index.php/topic,52481.0.html and it turns out it uses 1 LAN on the PF side plus dials PPPoE on the mkt as well, only the settings have not been laid out yet hehehe

    there the thread starter gives a clear network topology and clear IP addressing on every interface (mkt & PF interfaces), VERY clear, so someone just learning computers like me does not get confused  ;D

    hopefully the TS soon lays out the settings on the mkt and pfSense

    Amen…............  ;D



  • @abnisrea:

    @abnisrea:

    [quotes the post above in full: abnisrea's configuration and the reply to Om Juragan Kambeeng]

    My understanding is this: both WANs, on the Mikocok side and on the pfSense side, get DHCP from the modem, if I am not mistaken  ;D
    please explain, om, the purpose of putting the two WANs side by side like that

    Thx

    Regards, PFSI



  • Cross-breeding pfSense + Mikocok succeeded….

    PF - VirtualBox machine
    Mikocok - VirtualBox

    the result is great.... no longer caught out by clients who love to upload.
    YouTube caching always runs smoothly....... ::)



    ![kawin silang.JPG](/public/imported_attachments/1/kawin silang.JPG)
    ![kawin silang.JPG_thumb](/public/imported_attachments/1/kawin silang.JPG_thumb)



  • @mumtazian:

    @ardy_2006:

    [quotes ardy_2006's earlier post sharing his Mikocok + PFSense settings; the part referred to:]

    Clients ------- Mikrotik 3 port -------- Inet

    port 3 mikrotik ----- pfsense ------ internet

    modem : 192.168.2.1

    MikroTik topology, using 3 ethernet ports:
    port 1 = WAN  ( 192.168.2.2 )
    port 2 = CLIENTS ( 192.168.1.1 )
    port 3 = PROXY PFSENSE ( 192.168.3.1 )

    pfSense topology, using 2 ethernet ports:
    port 1 = LAN ( MikroTik port 3 ) ( 192.168.3.2 )
    port 2 = WAN ( 192.168.2.3 )

    NAT setting:
    chain=dstnat action=dst-nat to-addresses=10.10.3.2 to-ports=3128 protocol=tcp in-interface=CLIENTS dst-port=80
    ( meaning every port-80 request is directed to the proxy server's address ( PFSense ) )

    Bung ardy, could you explain the topology above in more detail? I am still confused by pfSense's 2 ethernet ports, especially the WAN interface (192.168.2.3)….
    That one is set static. If port 1 (192.168.3.2) connects to MikroTik port ether3, PROXY PFSENSE (192.168.3.1), then where does the WAN port connect to?
    And is the modem set static as well (PPPoE on the modem)?

    thank you

    Sorry, bos, only now getting round to an explanation.
    Essentially I use 2 routers, namely MikroTik & PFsense.
    Both WANs, MikroTik's and PFsense's, are connected directly to the modem ( as the modem's clients ).
    The MikroTik's job is full bandwidth management, while PFsense is only the proxy ( all its firewalling disabled ).
    So basically it only diverts client requests, specifically port 80, toward the PFsense router.
    Read the topology I use once more.

    regards.



  • Greetings first to the PFSI friends; I have only just joined here, although I have often browsed this forum and learned from it.

    Sorry too in advance, I want to ask directly about setting up pfSense combined with a Mikrotik RB. The topology I use:

    internet ---- RB750 ---- Hub ---- Client
                              |
                              |
                              |
                          pfsense
    (web proxy with a single interface)

    pfSense can already be reached from the clients, and squid and also lusca have been updated.

    My question, which I still haven't found an answer to after searching here and there, is how to set up the Mikrotik so that every connection goes through the proxy first.

    Sorry, I'm really still a newbie, just started a small net cafe business with limited capital, so calling in an expert costs too much when the capital has already been spent; so I'm learning here and there about web proxies.

    Thanks before and after.



  • Asking permission from om Moderator ( kambeeng ), just sharing….
    Om Ardy's L7 settings are GREAT  ???, enough to make your head spin, and even more so when an error occurs on the proxy side. A small input... for the game PB, at initial loading the game uses exe and dat files. If there is an error on the proxy side, the initial loading becomes very slow. To work around it, the dat file rule is disabled.

    Hope it's useful,........ regards :)



  • @ardy_2006:

    Before anything else, I ask permission from om Moderator ( kambeeng ) because my post does not discuss pfSense
    but Mikrotik routing, because I'm already convinced that the pfSense Lusca we all use is solid as a proxy server to pair with Mikrotik.

    Earlier I posted about choking downloaders with firewall layer7-protocol. After observing & monitoring, it turned out that the firewall layer7-protocol rules I used ate too much of the RB750G's resources. Finally, after trying and trying all sorts of regexps, I found a setting that is very simple & accurate.

    Just sharing; if anyone has input, go ahead, so it gets even better.

    Catch all file extensions using one L7 protocol (just one entry, leaner):
    /ip firewall layer7-protocol
    add name=download regexp="\.(zip|gz(a|i)|rar|raw|ram|7z|bz|bzip|gzip|tar.gz|tgz|iso|doc|pdf|cab|bin|xml|vcf|exe|app|vb|scr|avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|og(x|v|a|g|m)|rm|r(a|p)m|vob|flv|x-flv|3gp|vcd|nrg|amr|klv|wav|DivX|mov|wmv|rmvb|aac|dat|amv|ifo|imovieproj|ivr|qt|swf)"

    First mark the packets going in and out with a mangle setting:
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment=download disabled=no layer7-protocol=download new-packet-mark=download passthrough=no protocol=tcp

    Now we set the amount of bandwidth we allocate to the download maniacs.
    Even better, we can set it according to a download schedule; here I set the download time from midnight until just before morning: full bypass, download as much as you like. During those hours no complaints are allowed, because everyone is asleep. heee… heee.... heee....

    /queue simple
    add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=0/166k name=download packet-marks=download parent=none priority=8 queue=default-small/default-small time=7h-23h59m,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

    For the NAT and other settings, still as in my earlier post.

    That's it for now, I'll continue later; at the moment I'm trying a regexp to limit YouTube, but once it is in the proxy cache it is not limited ( proxy hit ).

    Hope it's useful

    Busyet.. a simple trick that was almost missed.. thank you om Ardy.. this really saves resources.. :)
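The single L7 regexp, the packet mark and the time-windowed simple queue in the post above form one procedure, so here is an added Python illustration (not code from the post, not RouterOS code) that re-creates the post's regexp and the queue's `7h-23h59m` window and runs them over constructed HTTP request lines. It assumes, as MikroTik documents, that the L7 matcher is case-insensitive and only inspects the first bytes of a stream (emulated with a 2 KiB window); the tightened `TIGHT_RE` pattern is my suggestion, not the poster's, and must be tested on the router itself since RouterOS uses its own regex engine.

```python
import re
from datetime import time

# The post's single L7 regexp, joined onto one line.
DOWNLOAD_RE = re.compile(
    r"\.(zip|gz(a|i)|rar|raw|ram|7z|bz|bzip|gzip|tar.gz|tgz|iso|doc|pdf|cab|bin"
    r"|xml|vcf|exe|app|vb|scr|avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|og(x|v|a|g|m)"
    r"|rm|r(a|p)m|vob|flv|x-flv|3gp|vcd|nrg|amr|klv|wav|DivX|mov|wmv|rmvb|aac"
    r"|dat|amv|ifo|imovieproj|ivr|qt|swf)",
    re.IGNORECASE,  # assumption: RouterOS's L7 matcher is case-insensitive
)

# Tightened variant (my suggestion, not from the post): anchored to the request
# line, matches only the path (stops at '?' or at the space before HTTP/1.x) and
# keeps only extensions that are unambiguously bulk downloads, so query strings,
# feeds (.xml) and game patch files (.dat) no longer trip the rule.
TIGHT_RE = re.compile(
    r"^GET [^ ?]*\.(zip|rar|7z|iso|exe|cab|avi|mp(e?g|3|4)|mkv|flv|wmv|rmvb|3gp)(\?| )",
    re.IGNORECASE,
)

# Assumption: the L7 matcher only sees the start of a stream; emulate that by
# looking at the first 2 KiB of the request.
L7_WINDOW = 2048


def l7_matches(pattern: re.Pattern, request: bytes) -> bool:
    """True if the L7-style pattern fires on the start of the request."""
    return pattern.search(request[:L7_WINDOW].decode("latin-1")) is not None


def is_download_post_rule(request: bytes) -> bool:
    return l7_matches(DOWNLOAD_RE, request)


def is_download_tight_rule(request: bytes) -> bool:
    return l7_matches(TIGHT_RE, request)


# Queue schedule from the post: time=7h-23h59m means the 166k cap is active
# from 07:00 to 23:59 and the queue is inactive (no cap) for the rest of the night.
QUEUE_TIME = "7h-23h59m"


def parse_router_time(s: str) -> time:
    """Parse RouterOS '7h' / '23h59m' notation into a datetime.time."""
    m = re.fullmatch(r"(\d+)h(?:(\d+)m)?", s)
    if not m:
        raise ValueError(f"unsupported RouterOS time: {s!r}")
    return time(int(m.group(1)), int(m.group(2) or 0))


def limit_active(at: time, window: str = QUEUE_TIME) -> bool:
    start, end = (parse_router_time(p) for p in window.split("-"))
    return start <= at <= end


def limit_active_at(hour: int, minute: int, second: int = 0) -> bool:
    return limit_active(time(hour, minute, second))


# Constructed request lines (not captured traffic) that exercise both patterns.
SAMPLE_REQUESTS = {
    "rar":       b"GET /files/archive.rar HTTP/1.1\r\nHost: dl.example.net\r\n\r\n",
    "html":      b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    "mp4_query": b"GET /stream/clip.mp4?itag=18 HTTP/1.1\r\nHost: video.example.net\r\n\r\n",
    "upper":     b"GET /Setup.EXE HTTP/1.1\r\nHost: dl.example.net\r\n\r\n",
    "pb_dat":    b"GET /pb/patch/config.dat HTTP/1.1\r\nHost: patch.example.net\r\n\r\n",
    "search":    b"GET /search?q=setup.exe HTTP/1.1\r\nHost: www.example.net\r\n\r\n",  # query string, not a download
    "feed":      b"GET /feed.xml HTTP/1.1\r\nHost: www.example.net\r\n\r\n",             # RSS feed, not a download
    "dir":       b"GET /tools/zip-utils/ HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
}


def report() -> dict:
    """Run both rules over the samples: {name: (post_rule_hit, tight_rule_hit)}."""
    return {n: (is_download_post_rule(r), is_download_tight_rule(r))
            for n, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (loose, tight) in report().items():
        print(f"{name:10s} post-rule={str(loose):5s} tight-rule={tight}")
    print("capped at 12:00:", limit_active_at(12, 0), " capped at 03:00:", limit_active_at(3, 0))
```

Running it shows why the post's rule is cheap but broad: with no anchor, `.exe` inside a search query and `.xml` on a feed are throttled too, and `.dat` catches the PB patch files the later reply complains about, while the anchored path-only pattern leaves all three alone and still catches the archive, the `.mp4` with a query string and the upper-case `.EXE`.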

