1. install mikrotik

2. set ip address

/ip address
add address=192.168.12.22/24 network=192.168.12.0 broadcast=192.168.12.255 interface=lan comment="" disabled=no
add address=192.168.2.3/24 network=192.168.2.0 broadcast=192.168.2.255 interface=line1 comment="" disabled=no
add address=192.168.3.11/24 network=192.168.3.0 broadcast=192.168.3.255 interface=line2 comment="" disabled=no

3. set mangel
/ip firewall mangle
add chain=prerouting in-interface=lan connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=one passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=lan connection-mark=satu action=mark-routing new-routing-mark=one passthrough=no comment="" disabled=no
add chain=prerouting in-interface=lan connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=two passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=lan connection-mark=dua action=mark-routing new-routing-mark=two passthrough=no comment="" disabled=no

4. set Nat
/ip firewall nat
add chain=srcnat connection-mark=one action=src-nat to-addresses=192.168.2.3 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=two action=src-nat to-addresses=192.168.3.11 to-ports=0-65535 comment="" disabled=no

5. Set Route
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=one comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.3.2 scope=255 target-scope=10 routing-mark=two comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.3.2 scope=255 target-scope=10 comment="" disabled=no <<--default route

1. After mikrotik  Router Os had install

2. set mikrotik as gateway server

3. set firewall mikrotik

4. set web proxy

[admin@mikrotik] >ip web-proxy
[admin@mikrotik] ip web-proxy >set enable=yes
[admin@mikrotik] ip web-proxy >set transparent-proxy=yes
[admin@mikrotik] ip web-proxy >set max-object-size=1200KiB
5. Afterwards added rule to the client yg used port 80 would in switched to web-proxy
[admin@mikrotik] >ip firewall nat
[admin@mikrotik] ip firewall nat >add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128
6. next set dns
[admin@mikrotik] >ip dns
[admin@mikrotik] ip dns >set primary-dns=xxx.xxx.xxx.xxx
[admin@mikrotik] ip dns >set secondary-dns=xxx.xxx.xxx.xxx

7. complete

After we arranged the limit rapidshare, YM, and other now we arrange the limit to youtube

1.  Make http-video layer7-protocol

/ip firewall layer7-protocol
add name=http-video regexp="http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(conte
nt-type: video)"

2. Make Mangle Mark Packet http-video

/ip frewall mangle
add action=mark-packet chain=prerouting comment="http-video mark-packet" \
    disabled=no layer7-protocol=http-video new-packet-mark=http-video \
    passthrough=no

3. Make Queue Simple http-video

/queue simple
add max-limit=0/64000 name=http-video packet-marks=http-video

Many viruses that after infecting our computer will send thousands of emails through our computer went out. This was very damaging we, apart from finished bandwidth we, also very annoying from the side of this email recipient.

We could prevent this matter with firewall Mikrotik

Make 3 Rule in Firewall

1.  Firewall Rule
- Chain : Forward
- Protocol : TCP
- Dst. Port : 25
- Src. Address List : SMTP-EMAIL
- Action : Accept

2. Next Rule

- Chain : Forward
- Protocol : TCP
- Dst. Port : 25
- Action : add src to address list
- Address List : SMTP-EMAIL
- Timeout : 00:05:00

3. Next Rule

- Chain : Forward
- Protocol : TCP
- Dst. Port : 25
- Action : Drop

You can block YM in firewall mikrotik,

.  This ip YM

66.94.226.0/24
66.218.70.0/24
68.142.194.0/24
68.142.213.0/24
68.142.233.0/24
72.232.19.0/24
72.246.51.0/24
72.246.53.0/24
206.190.35.0/24
209.62.176.0/24
209.73.166.0/24
209.191.93.0/24
216.152.122.0/24
216.155.193.0/24

2. Make Firewall

Chain : Forward
Src Address : [  IP client  ]

Advanced
Dst Address List : [  address list  ]

Action : pilih DROP.

You can block YM in firewall mikrotik,

1.  This ip YM

209.11.168.112
209.11.168.113
209.11.168.122
209.11.168.123
209.11.168.133
209.11.168.121
2. Make Firewall

Chain : Forward
Src Address : [  IP client  ]

Advanced
Dst Address List : [  address list  ]

Action : pilih DROP.

To avoid the Port Scanner action from Hacker, then we could arrange in firewall mikrotik, by means of :

1. Make Filter

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w comment=”Port scanners to list ” disabled=no

2. Make Chain

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP FIN Stealth scan”

add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/FIN scan”

add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/RST scan”

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”FIN/PSH/URG scan”

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”ALL/ALL scan”

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP NULL scan”

3.  Drop Ip scanning

add chain=input src-address-list=”port scanners” action=drop comment=”dropping port scanners” disabled=no

You could arrange him in firewall mikrotik, to avoid Traceroute and ping, Along With was the method that most was easy:

/ip firewall filter add chain=forward protocol=icmp icmp-options=11:0 action=drop comment=”Drop Traceroute”
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:3 action=drop comment=”Drop Traceroute”

next you can block ping

/ip firewall filter add chain=input action=accept protocol=icmp limit=50/5s,2

/ip firewall filter add chain=forward \
src-address=[ip Local ] protocol=tcp content=.exe \
action=add-dst-to-address-list address-list=cekek \
address-list-timeout=01:00:00
/ip firewall filter add chain=forward \
src-address=[ip Local ] protocol=tcp content=.iso \
action=add-dst-to-address-list address-list=cekek \
address-list-timeout=01:00:00
/ip firewall filter add chain=forward \
src-address=[ip Local ] protocol=tcp content=.mpg \
action=add-dst-to-address-list address-list=cekek \
address-list-timeout=01:00:00
/ip firewall filter add chain=forward \
src-address=[ip Local ] protocol=tcp content=.mp3 \
action=add-dst-to-address-list address-list=cekek \
address-list-timeout=01:00:00

make mangel

/ip firewall mangle add chain=forward \
protocol=tcp src-address-list=cekek \
action=mark-packet new-packet-mark=cekek-bw

Now, You can Limit

/queue simple add name=download-files \
max-limit=64000/64000 packet-marks=cekek-bw

Apart from Protected router from the virus with configuration in firewall mikrotik , the network administrator also could protect router from scan winbox and neighbor. this was the matter that was important in the network, Along With was the method that most was easy:

copy and paste this script in console mikrotik

admin@mikrotik] interface bridge> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
1 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
2 ;;; block discovery mikrotik
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop
3 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
4 ;;; block winbox mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
5 ;;; block request DHCP
chain=input mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
6 ;;; block request DHCP
chain=forward mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
7 ;;; block request DHCP
chain=output mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
2. Recorded all of IP scanner

To be able to router recorded all of IP scanner and afterwards was put into the IP Address list and was named in group “port scanner”, along with rule in firewall him:

- Script First

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”Port scanners to list ” disabled=no

- Script two

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP FIN Stealth scan”

add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/FIN scan”

add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/RST scan”

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”FIN/PSH/URG scan”

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”ALL/ALL scan”

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP NULL scan”

3. Script Three

add chain=input src-address-list=”port scanners” action=drop comment=”dropping port scanners” disabled=no’

——————**——————