Ros V4.9
Sesuaikan IP dengan jaringan Anda:
10.0.0.0/24 = IP lokal client (LAN)
192.168.1.100 = IP proxy eksternal (kalau ada)
10.0.0.30 = IP router
/ip firewall address-list
# bypass: destinations the mangle rules leave unmarked (they match dst-address-list=!bypass):
# the router itself and the external proxy.
add list=bypass address=10.0.0.30
add list=bypass address=192.168.1.100
# skip_content_download: destinations the Layer7 tagging rules must never add to
# content_download: the external proxy and the whole LAN.
add list=skip_content_download address=192.168.1.100
add list=skip_content_download address=10.0.0.0/24
Penjelasan:
Buat dulu entri IP di address-list untuk memisahkan alamat yang tidak boleh tertangkap oleh rule di filter dan mangle.
/ip firewall layer7-protocol
# One Layer7 pattern per file extension. Each regexp is unanchored, so it matches the
# literal ".<ext>" anywhere in the bytes the L7 engine inspects (for example an HTTP
# request line); a longer extension such as ".exec" therefore also hits the ".exe" entry.
# L7 matching only sees cleartext payload: downloads carried inside TLS (HTTPS) are not
# classified by these patterns.
# The names (including the embedded quotes) are referenced verbatim by the filter rules,
# so keep them unchanged.
# NOTE(review): every new TCP connection is tested against all 34 patterns; on a busy
# link this inspection has a noticeable CPU cost - confirm it is acceptable for the router.
add regexp="\\.(exe)" name="Extension \" .exe \""
add regexp="\\.(rar)" name="Extension \" .rar \""
add regexp="\\.(zip)" name="Extension \" .zip \""
add regexp="\\.(7z)" name="Extension \" .7z \""
add regexp="\\.(cab)" name="Extension \" .cab \""
add regexp="\\.(asf)" name="Extension \" .asf \""
add regexp="\\.(mov)" name="Extension \" .mov \""
add regexp="\\.(wmv)" name="Extension \" .wmv \""
add regexp="\\.(mpg)" name="Extension \" .mpg \""
add regexp="\\.(mpeg)" name="Extension \" .mpeg \""
add regexp="\\.(mkv)" name="Extension \" .mkv \""
add regexp="\\.(avi)" name="Extension \" .avi \""
add regexp="\\.(flv)" name="Extension \" .flv \""
add regexp="\\.(pdf)" name="Extension \" .pdf \""
add regexp="\\.(wav)" name="Extension \" .wav \""
add regexp="\\.(rm)" name="Extension \" .rm \""
add regexp="\\.(mp3)" name="Extension \" .mp3 \""
add regexp="\\.(mp4)" name="Extension \" .mp4 \""
add regexp="\\.(ram)" name="Extension \" .ram \""
add regexp="\\.(rmvb)" name="Extension \" .rmvb \""
add regexp="\\.(dat)" name="Extension \" .dat \""
add regexp="\\.(daa)" name="Extension \" .daa \""
add regexp="\\.(iso)" name="Extension \" .iso \""
add regexp="\\.(nrg)" name="Extension \" .nrg \""
add regexp="\\.(bin)" name="Extension \" .bin \""
add regexp="\\.(vcd)" name="Extension \" .vcd \""
add regexp="\\.(mp2)" name="Extension \" .mp2 \""
add regexp="\\.(3gp)" name="Extension \" .3gp \""
add regexp="\\.(mpe)" name="Extension \" .mpe \""
add regexp="\\.(qt)" name="Extension \" .qt \""
add regexp="\\.(raw)" name="Extension \" .raw \""
add regexp="\\.(wma)" name="Extension \" .wma \""
add regexp="\\.(ogg)" name="Extension \" .ogg \""
add regexp="\\.(doc)" name="Extension \" .doc \""
Penjelasan:
Regex content Layer7 (satu pola per ekstensi file).
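/ip firewall filter
# Tag the destination of every TCP connection whose payload matched one of the Layer7
# extension patterns. Each rule below was wrapped across several lines in the pasted
# original; RouterOS needs one complete "add ..." per line, so they are joined here.
# The tag (address-list content_download) lives only 5 s, long enough for the mangle rule
# that matches dst-address-list=content_download to mark the connection.
# add-dst-to-address-list does not terminate rule processing, so the packet continues
# down the forward chain. Destinations in skip_content_download (the external proxy and
# the LAN itself) are never tagged.
# NOTE(review): the tag is per destination IP, not per URL, so every other client's
# connections to the same IP (e.g. a shared CDN address) are treated as downloads for
# the next 5 s - confirm this is acceptable.
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mp3 \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .avi \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .flv \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .iso \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .pdf \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mpeg \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .exe \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .rar \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .zip \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mp4 \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mp2 \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .3gp \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mov \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mpe \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mpg \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .qt \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .ram \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .rm \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .raw \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .wav \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .wmv \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .wma \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .ogg \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .doc \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .7z \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .asf \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .bin \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .cab \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .daa \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .dat \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .mkv \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .nrg \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .rmvb \"" protocol=tcp
add chain=forward action=add-dst-to-address-list address-list=content_download address-list-timeout=5s dst-address-list=!skip_content_download layer7-protocol="Extension \" .vcd \"" protocol=tcp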
Penjelasan:
Rule filter untuk menangkap IP tujuan yang cocok dengan content L7 (dimasukkan ke address-list content_download).
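/ip firewall mangle
# Connection and packet marking consumed by the queue tree. The pasted original wrapped
# each rule over several lines; RouterOS needs one complete "add ..." per line.
# Rule order is significant:
#  1. TCP connections to a destination currently tagged in content_download -> Bw_Download
#  2. any non-ICMP connection that has already carried about 256 KiB (262146 bytes or
#     more) -> Bw_Download
#  3. packets of Bw_Download connections -> Paket_Download; passthrough=no stops mangle
#     processing here, which is what keeps rule 4 (no connection-mark matcher) from
#     re-marking download connections as browsing
#  4. remaining non-ICMP connections -> Bw_Browsing
#  5. packets of Bw_Browsing connections -> Paket_Browsing
# Rules 2-5 skip destinations in the bypass list (router, external proxy); rule 1 does not.
add chain=prerouting action=mark-connection comment=Content_download dst-address-list=content_download new-connection-mark=Bw_Download passthrough=yes protocol=tcp
add chain=prerouting action=mark-connection connection-bytes=262146-4294967295 dst-address-list=!bypass new-connection-mark=Bw_Download passthrough=yes protocol=!icmp
add chain=prerouting action=mark-packet connection-mark=Bw_Download dst-address-list=!bypass new-packet-mark=Paket_Download passthrough=no
add chain=prerouting action=mark-connection comment=Content_browsing dst-address-list=!bypass new-connection-mark=Bw_Browsing passthrough=yes protocol=!icmp
add chain=prerouting action=mark-packet connection-mark=Bw_Browsing dst-address-list=!bypass new-packet-mark=Paket_Browsing passthrough=no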
Penjelasan:
Kita buat mangle untuk menandai koneksi download memakai connection-bytes, digabungkan dengan IP content L7 yang kita tangkap tadi, serta menandai koneksi browsing.
/queue type
# Per-destination-address PCQ queues referenced by the queue tree.
# pcq-down: each destination address is held to 256000 bit/s, up to 2000 sub-queues,
# queue size 50 per sub-queue.
# Pcq_Browsing_Down: pcq-rate=0 means no per-address rate cap (fair sharing only),
# up to 200 sub-queues, queue size 50 per sub-queue.
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=256000 pcq-limit=50 pcq-total-limit=2000
add name=Pcq_Browsing_Down kind=pcq pcq-classifier=dst-address pcq-rate=0 pcq-limit=50 pcq-total-limit=200
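/queue tree
# Download-side shaping. The pasted original wrapped two of the entries over several
# lines; RouterOS needs one complete "add ..." per line.
# DOWN hangs off the interface named LOCAL (the LAN-facing interface, the same name the
# drop rules use as in-interface) and is itself unlimited (max-limit=0).
# Browsing_Down: priority 5 (served before downloads), no hard limit, fair-shared per
# destination by Pcq_Browsing_Down.
# Regular_Down: priority 8, capped at 256k for all Paket_Download traffic together.
# NOTE(review): Regular_Down's max-limit is 256k in total while pcq-down also allows
# 256000 bit/s per destination, so the per-address PCQ rate only matters when a single
# host is downloading - confirm the aggregate cap is intended.
add name=DOWN parent=LOCAL priority=8 limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
add name=Browsing_Down parent=DOWN packet-mark=Paket_Browsing queue=Pcq_Browsing_Down priority=5 limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
add name=Regular_Down parent=DOWN packet-mark=Paket_Download queue=pcq-down priority=8 max-limit=256k burst-limit=0 burst-threshold=0 burst-time=0s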
Penjelasan:
Masalah limit download sudah selesai sampai di sini; sekarang tinggal rule untuk men-drop koneksi IDM (penangkapannya tetap memakai content L7).
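/ip firewall filter
# Drop rules aimed at download accelerators that open many parallel connections for one
# file. The pasted original wrapped each rule over several lines; RouterOS needs one
# complete "add ..." per line, so they are joined here.
# connection-limit=4,32 matches once a single source address (/32) has more than 4
# connections counted by the rule; combined with the Layer7 match, only cleartext TCP
# connections carrying one of the extension patterns are dropped. in-interface=LOCAL
# must be the name of the LAN-facing interface. Imported top to bottom, these rules sit
# after the tagging rules in the forward chain, so a connection is tagged for shaping
# before it can be dropped.
# NOTE(review): the drop is silent, and ordinary browsers also open several parallel
# connections to one host, so legitimate clients can be affected; confirm the threshold
# and consider a matching action=log rule in front of these while tuning it.
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .exe \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .3gp \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .7z \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .asf \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .avi \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .bin \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .cab \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .daa \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .dat \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .doc \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .flv \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .iso \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mkv \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mov \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mp2 \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mp3 \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mp4 \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mpe \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mpeg \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .mpg \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .nrg \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .ogg \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .pdf \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .qt \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .ram \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .rar \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .raw \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .rm \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .rmvb \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .vcd \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .wav \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .wma \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .wmv \"" protocol=tcp
add chain=forward action=drop in-interface=LOCAL connection-limit=4,32 layer7-protocol="Extension \" .zip \"" protocol=tcp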
Penjelasan:
Langsung filter saja memakai connection-limit lalu di-drop (perhatikan in-interface-nya: sesuaikan dengan nama interface yang menuju ke client lokal Anda).