
Proxy Server Side Clients with Various Connection Packets
After we have built the Squid proxy server and done some configuration to optimize and tune it, we are now going to put it into our network using MikroTik. The proxy server we will make is an external proxy on the client side, reached by enabling MikroTik's internal proxy with a parent proxy. The topology of the client-side proxy server on the network is shown in the picture above.

As usual, you must know the names of the public and local interfaces in use, the LAN IP, the IP and port of the proxy server you have built, and all client IP addresses if they use static IPs. Why do I use a client-side proxy server? Because I have only one local interface on the MikroTik acting as the router. So this is my attempt to build a proxy server without having to buy an additional router. I am poor, is that not so?

1. First I will make a list of client IP addresses; if you are using dynamic IPs for your clients, just skip this step. One advantage of making an address list like this is that at any time I can easily exclude a particular client IP from the proxy and let it connect directly to the Internet. OK, let's go to the Winbox terminal console and paste the script below!

/ip firewall address-list
add list=client address=
add list=client address=
add list=client address=
add list=client address=
add list=client address=
add list=client address=
add list=client address=
add list=client address=

2. Activate the internal proxy of MikroTik with a parent proxy that points to the external client-side proxy, in this case the IP address used and port 3128, as we set up in the Squid proxy configuration.

/ip proxy
set enabled=yes 
set src-address= 
set port=3128
set parent-proxy=
set parent-proxy-port=3128
set max-cache-size=none
set cache-on-disk=no

Make sure the web proxy indicator shows it is running, as in the picture below!

3. For our clients on the network to access the Internet, you must already be masquerading their connections in the firewall NAT. Then you make the transparent proxy by redirecting ports 80 and 8080, which the clients in the address list use to reach any site, to the proxy server port 3128. So there are two rules in the firewall NAT, with the following script!

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1 src-address= disabled=no comment="Masquerade Public Traffic"
add action=redirect chain=dstnat protocol=tcp in-interface=ether1 src-address-list=client dst-port=80,8080 to-ports=3128 comment="Redirect Web Proxy"

Once you enter it in the terminal console, the result should look like the picture below!

4. These are the basic rules for separating connection packets into upload, download and download-via-proxy packets. Client requests that use TCP port 80 (HTTP) and 8080 are redirected to proxy port 3128. Port 80 is the common port for accessing sites, while requests to port 443 (HTTPS), for example, do not pass through the proxy. That is a weakness of the proxy server being built with Squid, and it needs additional settings.

/ip firewall mangle
add action=change-dscp chain=output out-interface=ether1 new-dscp=4 comment="HIT TRAFFIC FROM PROXY"
add action=mark-packet chain=prerouting in-interface=ether1 src-address= new-packet-mark=up-pkt passthrough=no comment="UPLOAD TRAFFIC"
add action=mark-connection chain=forward src-address= new-connection-mark=down-conn passthrough=yes comment="DOWNLOAD CONNECTIONS"
add action=mark-packet chain=forward in-interface=wlan1 connection-mark=down-conn new-packet-mark=down-pkt passthrough=yes comment="DOWNLOAD TRAFFIC"
add action=mark-packet chain=output out-interface=ether1 dscp=4 dst-address= new-packet-mark=proxy-pkt passthrough=no comment="DOWN-VIA PROXY"

5. The separation of download traffic into various kinds of connection packets, as I mentioned previously; to avoid confusion, let me just put it all here!

/ip firewall layer7-protocol
add comment="download" name=high regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
add comment="download" name=document regexp="^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*\$"
add comment="video" name=youtube regexp="^.*get.+\\.(|||*\$"
add comment="video" name=streaming regexp="videoplayback|video"

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=high new-packet-mark=dpkt packet-mark=down-pkt passthrough=no comment="CLIENT DOWNLOAD"
add action=mark-packet chain=forward layer7-protocol=document new-packet-mark=dpkt packet-mark=down-pkt passthrough=no comment=""

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=youtube new-packet-mark=spkt packet-mark=down-pkt passthrough=no comment="CLIENT VIDEO"
add action=mark-packet chain=forward layer7-protocol=streaming new-packet-mark=spkt packet-mark=down-pkt passthrough=no comment=""

/ip firewall mangle
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=5340-5352,6000-6152,10001-10011,14009-14030,18901-18909 comment="CLIENT ONLINE GAMES"
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=39190,27780,29000,22100,10009,4300,15001,15002,7341,7451
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=40000,9300,9400,9700,7342,8005-8010,37466,36567,8822
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=47611,16666,20000,5105,29000,18901-18909,9015
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=27005,27015
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=27005-27020,13055,7800-7900,12060-12070
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=8005-8010,9068,1293,1479,9401,9600,30000
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=14009-14030,42051-42052,40000-40050,13000-13080

/ip firewall mangle
add action=mark-packet chain=forward connection-bytes=0-1000000 src-port=80,443 passthrough=no new-packet-mark=bpkt packet-mark=down-pkt protocol=tcp comment="CLIENT BROWSING"

/ip firewall layer7-protocol
add comment="BIT TORENT" name=bittorrent regexp="^(\13bittorrent protocol|azver1\$|get /scrape\\\\?info_hash=)|d1:ad2:id20:|8'7P\\)[RP]"
add comment="TORRENT WEBSITES" name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=bittorrent new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING BIT TORRENT"
add action=mark-packet chain=forward layer7-protocol=torrentsites new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING TORRENT WEBSITES"
add action=mark-packet chain=forward p2p=all-p2p new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING ALLP2P"
add action=mark-packet chain=forward dst-port=58561,58045,14948,58008,58816,59097 new-packet-mark=tpkt packet-mark=down-pkt passthrough=no protocol=tcp comment="BILLING TORRENT PORT"
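As an added example, not part of the original post, the step 5 regexps above are replayed in Python over a few constructed request buffers to show which mark each request ends up with and where the patterns misfire. It assumes the RouterOS layer7 matcher is case-insensitive and scans the collected payload as one buffer, and the garbled youtube regexp on the page is omitted.

```python
"""
Added example, not code from the original post: replays the article's
step-5 layer7 regexps over constructed HTTP request buffers and reports
the packet mark each request would receive.

Assumptions: the RouterOS layer7 matcher is case-insensitive and runs
the regexp over the collected connection payload as one buffer (emulated
with re.IGNORECASE | re.DOTALL); rules are walked in the article's
order and, because they use passthrough=no, the first match wins.
"""
import re

# Patterns as they appear in the article's script, RouterOS string
# escaping still in place: \\. is a literal dot, \$ a literal dollar.
SCRIPT_REGEXPS = [
    ("high", "dpkt", r"^.*get.+\\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"),
    ("document", "dpkt", r"^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*\$"),
    ("streaming", "spkt", r"videoplayback|video"),
]


def routeros_unescape(text):
    """Undo RouterOS script-string escaping so the regexp reads as the matcher sees it."""
    return text.replace("\\\\", "\\").replace("\\$", "$")


L7_RULES = [
    (name, mark, re.compile(routeros_unescape(pattern), re.IGNORECASE | re.DOTALL))
    for name, mark, pattern in SCRIPT_REGEXPS
]


def classify(payload):
    """Return (rule name, packet mark) of the first matching rule; a request
    that matches nothing keeps the generic down-pkt mark and lands in the
    catch-all 3.1.Undefined queue."""
    for name, mark, regex in L7_RULES:
        if regex.search(payload):
            return name, mark
    return None, "down-pkt"


# Constructed request buffers, not captured traffic.
SAMPLES = {
    "installer": "GET /files/setup.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n",
    "report": "GET /q1/report.pdf HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "plain page": "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "video": "GET /videoplayback?id=abc123 HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    # an HTML page that merely names a .zip in its query string: the
    # extension alternation is not anchored to the end of the path
    "page naming a zip": "GET /view.html?name=archive.zip HTTP/1.1\r\nHost: www.example\r\n\r\n",
    # not a GET at all: "get" inside the User-Agent plus ".zip" in the body
    # is enough, because ^.*get is unanchored and case-insensitive
    "post with Gadget agent": "POST /api HTTP/1.1\r\nUser-Agent: Gadget/1.0\r\n\r\nname=a.zip",
}


def classify_all(samples=SAMPLES):
    """Classify every sample; returns {label: (rule name, packet mark)}."""
    return {label: classify(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, (rule, mark) in classify_all().items():
        print(f"{label:24} -> rule={rule!s:10} mark={mark}")
```

The last two samples are the ones to watch: both get the download mark although neither is a file download, so anything that ends up rate-limited as an "extension" download should be checked against the actual request before the pattern is trusted.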

6. For the rest, you just need to make the queue tree rules for all the connection packets above, together with the proxy upload connection packets.

/queue type
add name=pcq_upstream kind=pcq pcq-classifier=src-address
add name=pcq_downstream kind=pcq pcq-classifier=dst-address
add name=pcq_game kind=pcq pcq-classifier=dst-address
add name=pcq_browsing kind=pcq pcq-classifier=dst-address
add name=pcq_download kind=pcq pcq-rate=1000k pcq-classifier=dst-address
add name=pcq_undefined kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_extensions kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_video kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_p2ptorrent kind=pcq pcq-rate=150k pcq-classifier=dst-address

/queue tree
add name=a.Upstream parent=global-in queue=pcq_upstream packet-mark=up-pkt priority=8 max-limit=2M
add name=b.Downstream parent=global-out queue=pcq_downstream packet-mark=down-pkt priority=8 max-limit=2M
add name=c.Proxystream parent=global-out queue=default packet-mark=proxy-pkt priority=8
add name=1.Games parent=b.Downstream queue=pcq_game packet-mark=gpkt priority=1 limit-at=256k max-limit=1000k
add name=2.Browsing parent=b.Downstream queue=pcq_browsing packet-mark=bpkt priority=2 limit-at=256k max-limit=1000k
add name=3.Download parent=b.Downstream queue=pcq_download packet-mark=down-pkt priority=3 limit-at=256k max-limit=1000k
add name=3.1.Undefined parent=3.Download queue=pcq_undefined packet-mark=down-pkt priority=4 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.2.Extensions parent=3.Download queue=pcq_extensions packet-mark=dpkt priority=5 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.3.Video parent=3.Download queue=pcq_video packet-mark=spkt priority=6 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.4.P2P&Torrent parent=3.Download queue=pcq_p2ptorrent packet-mark=tpkt priority=7 limit-at=128k max-limit=256k

For the proxy traffic packets we do not use PCQ in the queue type, but rather the default queue, and we give no limit value in the queue tree. Then, because there are still connections that bypass the proxy, we keep applying PCQ on the connection packets other than proxy traffic. For the connection packets that are greedy on bandwidth, such as the undefined, extensions and video packets, I think we need to apply burst limits in the queue tree; the results are as shown below!
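An added consistency check, not from the original post, that cross-references the mangle rules of steps 4 and 5 against the queue tree of step 6. It assumes decimal rate suffixes (1k = 1000 bit/s, 1M = 1000k) and appends one constructed broken queue line, BROKEN_QUEUE, only to show what a miss looks like.

```python
"""
Added example, not from the original post: parses the RouterOS 'add ...'
lines as they appear in the article and reports packet marks that no
mangle rule sets, parents that do not exist, a child max-limit above its
parent's, and children whose limit-at total exceeds the parent's
max-limit. Rule lines are copied from the article (elided src-address
values stay empty); BROKEN_QUEUE is constructed.
Assumption: rate suffixes are decimal (1k = 1000 bit/s, 1M = 1000k).
"""
import re
import shlex

MANGLE_RULES = """
add action=mark-packet chain=prerouting in-interface=ether1 src-address= new-packet-mark=up-pkt passthrough=no comment="UPLOAD TRAFFIC"
add action=mark-packet chain=forward in-interface=wlan1 connection-mark=down-conn new-packet-mark=down-pkt passthrough=yes comment="DOWNLOAD TRAFFIC"
add action=mark-packet chain=output out-interface=ether1 dscp=4 dst-address= new-packet-mark=proxy-pkt passthrough=no comment="DOWN-VIA PROXY"
add action=mark-packet chain=forward layer7-protocol=high new-packet-mark=dpkt packet-mark=down-pkt passthrough=no comment="CLIENT DOWNLOAD"
add action=mark-packet chain=forward layer7-protocol=streaming new-packet-mark=spkt packet-mark=down-pkt passthrough=no comment=""
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=27005,27015
add action=mark-packet chain=forward connection-bytes=0-1000000 src-port=80,443 passthrough=no new-packet-mark=bpkt packet-mark=down-pkt protocol=tcp comment="CLIENT BROWSING"
add action=mark-packet chain=forward p2p=all-p2p new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING ALLP2P"
"""

QUEUE_TREE = """
add name=a.Upstream parent=global-in queue=pcq_upstream packet-mark=up-pkt priority=8 max-limit=2M
add name=b.Downstream parent=global-out queue=pcq_downstream packet-mark=down-pkt priority=8 max-limit=2M
add name=c.Proxystream parent=global-out queue=default packet-mark=proxy-pkt priority=8
add name=1.Games parent=b.Downstream queue=pcq_game packet-mark=gpkt priority=1 limit-at=256k max-limit=1000k
add name=2.Browsing parent=b.Downstream queue=pcq_browsing packet-mark=bpkt priority=2 limit-at=256k max-limit=1000k
add name=3.Download parent=b.Downstream queue=pcq_download packet-mark=down-pkt priority=3 limit-at=256k max-limit=1000k
add name=3.1.Undefined parent=3.Download queue=pcq_undefined packet-mark=down-pkt priority=4 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.2.Extensions parent=3.Download queue=pcq_extensions packet-mark=dpkt priority=5 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.3.Video parent=3.Download queue=pcq_video packet-mark=spkt priority=6 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.4.P2P&Torrent parent=3.Download queue=pcq_p2ptorrent packet-mark=tpkt priority=7 limit-at=128k max-limit=256k
"""

# Constructed: a typo'd mark and a child limit above the parent's 1000k.
BROKEN_QUEUE = "add name=3.5.Typo parent=3.Download queue=pcq_video packet-mark=vpkt priority=7 max-limit=1200k\n"

RATE_UNITS = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_rate(text):
    """'2M' -> 2000000, '420k' -> 420000."""
    m = re.fullmatch(r"(\d+)([kMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised rate {text!r}")
    return int(m.group(1)) * RATE_UNITS[m.group(2)]


def parse_rules(script):
    """Turn every 'add key=value ...' line into a dict (quoted values unquoted)."""
    rules = []
    for line in script.splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return rules


def check_queue_tree(mangle_script, queue_script):
    """Return a list of findings; an empty list means the pair is consistent."""
    produced = {r["new-packet-mark"] for r in parse_rules(mangle_script) if "new-packet-mark" in r}
    queues = parse_rules(queue_script)
    by_name = {q["name"]: q for q in queues}
    roots = {"global-in", "global-out", "global-total"}
    findings = []
    for q in queues:
        name, parent, mark = q["name"], q.get("parent", ""), q.get("packet-mark")
        if mark and mark not in produced:
            findings.append(f"{name}: packet-mark {mark!r} is never set by any mangle rule")
        if parent not in roots and parent not in by_name:
            findings.append(f"{name}: parent {parent!r} does not exist")
        elif parent in by_name and "max-limit" in q and "max-limit" in by_name[parent]:
            if parse_rate(q["max-limit"]) > parse_rate(by_name[parent]["max-limit"]):
                findings.append(f"{name}: max-limit {q['max-limit']} exceeds parent {parent} "
                                f"max-limit {by_name[parent]['max-limit']}")
    # guaranteed rates of the children must fit inside the parent's ceiling
    for parent, pq in by_name.items():
        if "max-limit" not in pq:
            continue
        guaranteed = sum(parse_rate(q["limit-at"]) for q in queues
                         if q.get("parent") == parent and "limit-at" in q)
        if guaranteed > parse_rate(pq["max-limit"]):
            findings.append(f"{parent}: children's limit-at adds up to {guaranteed} bit/s, "
                            f"more than its max-limit {pq['max-limit']}")
    return findings


if __name__ == "__main__":
    print("page config:", check_queue_tree(MANGLE_RULES, QUEUE_TREE) or "consistent")
    for finding in check_queue_tree(MANGLE_RULES, QUEUE_TREE + BROKEN_QUEUE):
        print("broken config:", finding)
```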

7. Using the proxy server like this already closes access to IP addresses other than those in the client address list. To make it safer, you need to insert the following security rules for the proxy server: if any IP from another network tries to use the proxy server, this script will capture the IP, put it in the block list and then drop its connections.

/ip firewall filter
add chain=input in-interface=wlan1 protocol=tcp dst-port=3128 action=add-src-to-address-list address-list=block address-list-timeout=1d comment="filter proxy"
add chain=input action=drop src-address-list=block comment="drop ip-block"

Further, for the security of the proxy server we have made, we can create access rules on the MikroTik web proxy. If you want to block certain URLs or sites, you can do it here!

/ip proxy access
add action=deny dst-port=23-25 comment="block telnet & spam e-mail relaying"
add action=deny dst-port=!443,563 method=connect comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"

OK, that's all on the implementation of the client-side Squid proxy server to speed up our Internet connection, which will improve dramatically and make my clients comfortable lingering in my Internet shop. To see it more clearly, let's watch the video! I'll see you at the next experiment!

Additional:

These are the layer 7 protocol regexps for VoIP connection packets from the MikroTik wiki, for which mangle rules need to be created. If a regexp fails to be inserted, please enter it manually in the regexp field!

/ip firewall layer7-protocol
add name=sip regexp="^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]"
add name=h323 regexp="^\03..\?\08...\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\05"
add name=skypeout regexp="^(\01.\?.\?.\?.\?.\?.\?.\?.\?\01|\02.\?.\?.\?.\?.\?.\?.\?.\?\02|\03.\?.\?.\?.\?.\?.\?.\?.\?\03|\04.\?.\?.\?.\?.\?.\?.\?.\?\04|\05.\?.\?.\?.\?.\?.\?.\?.\?\05|\06.\?.\?.\?.\?.\?.\?.\?.\?\06|\07.\?.\?.\?.\?.\?.\?.\?.\?\07|\08.\?.\?.\?.\?.\?.\?.\?.\?\08|\t.\?.\?.\?.\?.\?.\?.\?.\?\t|\n.\?.\?.\?.\?.\?.\?.\?.\?\n|\0B.\?.\?.\?.\?.\?.\?.\?.\?\0B|\0C.\?.\?.\?.\?.\?.\?.\?.\?\0C|\r.\?.\?.\?.\?.\?.\?.\?.\?\r|\0E.\?.\?.\?.\?.\?.\?.\?.\?\0E|\0F.\?.\?.\?.\?.\?.\?.\?.\?\0F|\10.\?.\?.\?.\?.\?.\?.\?.\?\10|\11.\?.\?.\?.\?.\?.\?.\?.\?\11|\12.\?.\?.\?.\?.\?.\?.\?.\?\12|\13.\?.\?.\?.\?.\?.\?.\?.\?\13|\14.\?.\?.\?.\?.\?.\?.\?.\?\14|\15.\?.\?.\?.\?.\?.\?.\?.\?\15|\16.\?.\?.\?.\?.\?.\?.\?.\?\16|\17.\?.\?.\?.\?.\?.\?.\?.\?\17|\18.\?.\?.\?.\?.\?.\?.\?.\?\18|\19.\?.\?.\?.\?.\?.\?.\?.\?\19|\1A.\?.\?.\?.\?.\?.\?.\?.\?\1A|\1B.\?.\?.\?.\?.\?.\?.\?.\?\1B|\1C.\?.\?.\?.\?.\?.\?.\?.\?\1C|\1D.\?.\?.\?.\?.\?.\?.\?.\?\1D|\1E.\?.\?.\?.\?.\?.\?.\?.\?\1E|\1F.\?.\?.\?.\?.\?.\?.\?.\?\1F| .\?.\?.\?.\?.\?.\?.\?.\? |!.\?.\?.\?.\?.\?.\?.\?.\?!|\".\?.\?.\?.\?.\?.\?.\?.\?\"|#.\?.\?.\?.\?.\?.\?.\?.\?#|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|%.\?.\?.\?.\?.\?.\?.\?.\?%|&.\?.\?.\?.\?.\?.\?.\?.\?&|'.\?.\?.\?.\?.\?.\?.\?.\?'|\\(.\?.\?.\?.\?.\?.\?.\?.\?\\(|\\).\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\?.\?.\?.\?.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|,.\?.\?.\?.\?.\?.\?.\?.\?,|-.\?.\?.\?.\?.\?.\?.\?.\?-|\\..\?.\?.\?.\?.\?.\?.\?.\?\\.|/.\?.\?.\?.\?.\?.\?.\?.\?/|0.\?.\?.\?.\?.\?.\?.\?.\?0|1.\?.\?.\?.\?.\?.\?.\?.\?1|2.\?.\?.\?.\?.\?.\?.\?.\?2|3.\?.\?.\?.\?.\?.\?.\?.\?3|4.\?.\?.\?.\?.\?.\?.\?.\?4|5.\?.\?.\?.\?.\?.\?.\?.\?5|6.\?.\?.\?.\?.\?.\?.\?.\?6|7.\?.\?.\?.\?.\?.\?.\?.\?7|8.\?.\?.\?.\?.\?.\?.\?.\?8|9.\?.\?.\?.\?.\?.\?.\?.\?9|:.\?.\?.\?.\?.\?.\?.\?.\?:|;.\?.\?.\?.\?.\?.\?.\?.\?;|<.\?.\?.\?.\?.\?.\?.\?.\?<|=.\?.\?.\?.\?.\?.\?.\?.\?=|>.\?.\?.\?.\?.\?.\?.\?.\?>|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\?|@.\?.\?.\?.\?.\?.\?.\?.\?@|A.\?.\?.\?.\?.\?.\?.\?.\?A|B.\?.\?.\?.\?.\?.\?.\?.\?B|C.\?.\?.\?.\?.\?.\?.\?.\?C|D.\?.\?.\?.\?.\?.\?.\?.\?D|E.\?.\?.\?.\?.\?.\?.\?.\?E|F.\?.\?.\?.\?.\?.\?.\?.\?F|G.\?.\?.\?.\?.\?.\?.\?.\?G|H.\?.\?.\?.\?.\?.\?.\?.\?H|I.\?.\?.\?.\?.\?.\?.\?.\?I|J.\?.\?.\?.\?.\?.\?.\?.\?J|K.\?.\?.\?.\?.\?.\?.\?.\?K|L.\?.\?.\?.\?.\?.\?.\?.\?L|M.\?.\?.\?.\?.\?.\?.\?.\?M|N.\?.\?.\?.\?.\?.\?.\?.\?N|O.\?.\?.\?.\?.\?.\?.\?.\?O|P.\?.\?.\?.\?.\?.\?.\?.\?P|Q.\?.\?.\?.\?.\?.\?.\?.\?Q|R.\?.\?.\?.\?.\?.\?.\?.\?R|S.\?.\?.\?.\?.\?.\?.\?.\?S|T.\?.\?.\?.\?.\?.\?.\?.\?T|U.\?.\?.\?.\?.\?.\?.\?.\?U|V.\?.\?.\?.\?.\?.\?.\?.\?V|W.\?.\?.\?.\?.\?.\?.\?.\?W|X.\?.\?.\?.\?.\?.\?.\?.\?X|Y.\?.\?.\?.\?.\?.\?.\?.\?Y|Z.\?.\?.\?.\?.\?.\?.\?.\?Z|\\[.\?.\?.\?.\?.\?.\?.\?.\?\\[|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|_.\?.\?.\?.\?.\?.\?.\?.\?_|`.\?.\?.\?.\?.\?.\?.\?.\?`|a.\?.\?.\?.\?.\?.\?.\?.\?a|b.\?.\?.\?.\?.\?.\?.\?.\?b|c.\?.\?.\?.\?.\?.\?.\?.\?c|d.\?.\?.\?.\?.\?.\?.\?.\?d|e.\?.\?.\?.\?.\?.\?.\?.\?e|f.\?.\?.\?.\?.\?.\?.\?.\?f|g.\?.\?.\?.\?.\?.\?.\?.\?g|h.\?.\?.\?.\?.\?.\?.\?.\?h|i.\?.\?.\?.\?.\?.\?.\?.\?i|j.\?.\?.\?.\?.\?.\?.\?.\?j|k.\?.\?.\?.\?.\?.\?.\?.\?k|l.\?.\?.\?.\?.\?.\?.\?.\?l|m.\?.\?.\?.\?.\?.\?.\?.\?m|n.\?.\?.\?.\?.\?.\?.\?.\?n|o.\?.\?.\?.\?.\?.\?.\?.\?o|p.\?.\?.\?.\?.\?.\?.\?.\?p|q.\?.\?.\?.\?.\?.\?.\?.\?q|r.\?.\?.\?.\?.\?.\?.\?.\?r|s.\?.\?.\?.\?.\?.\?.\?.\?s|t.\?.\?.\?.\?.\?.\?.\?.\?t|u.\?.\?.\?.\?.\?.\?.\?.\?u|v.\?.\?.\?.\?.\?.\?.\?.\?v|w.\?.\?.\?.\?.\?.\?.\?.\?w|x.\?.\?.\?.\?.\?.\?.\?.\?x|y.\?.\?.\?.\?.\?.\?.\?.\?y|z.\?.\?.\?.\?.\?.\?.\?.\?z|\\{.\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\?.\?.\?.\?\\}|~.\?.\?.\?.\?.\?.\?.\?.\?~|\7F.\?.\?.\?.\?.\?.\?.\?.\?\7F|\80.\?.\?.\?.\?.\?.\?.\?.\?\80|\81.\?.\?.\?.\?.\?.\?.\?.\?\81|\82.\?.\?.\?.\?.\?.\?.\?.\?\82|\83.\?.\?.\?.\?.\?.\?.\?.\?\83|\84.\?.\?.\?.\?.\?.\?.\?.\?\84|\85.\?.\?.\?.\?.\?.\?.\?.\?\85|\86.\?.\?.\?.\?.\?.\?.\?.\?\86|\87.\?.\?.\?.\?.\?.\?.\?.\?\87|\88.\?.\?.\?.\?.\?.\?.\?.\?\88|\89.\?.\?.\?.\?.\?.\?.\?.\?\89|\8A.\?.\?.\?.\?.\?.\?.\?.\?\8A|\8B.\?.\?.\?.\?.\?.\?.\?.\?\8B|\8C.\?.\?.\?.\?.\?.\?.\?.\?\8C|\8D.\?.\?.\?.\?.\?.\?.\?.\?\8D|\8E.\?.\?.\?.\?.\?.\?.\?.\?\8E|\8F.\?.\?.\?.\?.\?.\?.\?.\?\8F|\90.\?.\?.\?.\?.\?.\?.\?.\?\90|\91.\?.\?.\?.\?.\?.\?.\?.\?\91|\92.\?.\?.\?.\?.\?.\?.\?.\?\92|\93.\?.\?.\?.\?.\?.\?.\?.\?\93|\94.\?.\?.\?.\?.\?.\?.\?.\?\94|\95.\?.\?.\?.\?.\?.\?.\?.\?\95|\96.\?.\?.\?.\?.\?.\?.\?.\?\96|\97.\?.\?.\?.\?.\?.\?.\?.\?\97|\98.\?.\?.\?.\?.\?.\?.\?.\?\98|\99.\?.\?.\?.\?.\?.\?.\?.\?\99|\9A.\?.\?.\?.\?.\?.\?.\?.\?\9A|\9B.\?.\?.\?.\?.\?.\?.\?.\?\9B|\9C.\?.\?.\?.\?.\?.\?.\?.\?\9C|\9D.\?.\?.\?.\?.\?.\?.\?.\?\9D|\9E.\?.\?.\?.\?.\?.\?.\?.\?\9E|\9F.\?.\?.\?.\?.\?.\?.\?.\?\9F|\A0.\?.\?.\?.\?.\?.\?.\?.\?\A0|\A1.\?.\?.\?.\?.\?.\?.\?.\?\A1|\A2.\?.\?.\?.\?.\?.\?.\?.\?\A2|\A3.\?.\?.\?.\?.\?.\?.\?.\?\A3|\A4.\?.\?.\?.\?.\?.\?.\?.\?\A4|\A5.\?.\?.\?.\?.\?.\?.\?.\?\A5|\A6.\?.\?.\?.\?.\?.\?.\?.\?\A6|\A7.\?.\?.\?.\?.\?.\?.\?.\?\A7|\A8.\?.\?.\?.\?.\?.\?.\?.\?\A8|\A9.\?.\?.\?.\?.\?.\?.\?.\?\A9|\AA.\?.\?.\?.\?.\?.\?.\?.\?\AA|\AB.\?.\?.\?.\?.\?.\?.\?.\?\AB|\AC.\?.\?.\?.\?.\?.\?.\?.\?\AC|\AD.\?.\?.\?.\?.\?.\?.\?.\?\AD|\AE.\?.\?.\?.\?.\?.\?.\?.\?\AE|\AF.\?.\?.\?.\?.\?.\?.\?.\?\AF|\B0.\?.\?.\?.\?.\?.\?.\?.\?\B0|\B1.\?.\?.\?.\?.\?.\?.\?.\?\B1|\B2.\?.\?.\?.\?.\?.\?.\?.\?\B2|\B3.\?.\?.\?.\?.\?.\?.\?.\?\B3|\B4.\?.\?.\?.\?.\?.\?.\?.\?\B4|\B5.\?.\?.\?.\?.\?.\?.\?.\?\B5|\B6.\?.\?.\?.\?.\?.\?.\?.\?\B6|\B7.\?.\?.\?.\?.\?.\?.\?.\?\B7|\B8.\?.\?.\?.\?.\?.\?.\?.\?\B8|\B9.\?.\?.\?.\?.\?.\?.\?.\?\B9|\BA.\?.\?.\?.\?.\?.\?.\?.\?\BA|\BB.\?.\?.\?.\?.\?.\?.\?.\?\BB|\BC.\?.\?.\?.\?.\?.\?.\?.\?\BC|\BD.\?.\?.\?.\?.\?.\?.\?.\?\BD|\BE.\?.\?.\?.\?.\?.\?.\?.\?\BE|\BF.\?.\?.\?.\?.\?.\?.\?.\?\BF|\C0.\?.\?.\?.\?.\?.\?.\?.\?\C0|\C1.\?.\?.\?.\?.\?.\?.\?.\?\C1|\C2.\?.\?.\?.\?.\?.\?.\?.\?\C2|\C3.\?.\?.\?.\?.\?.\?.\?.\?\C3|\C4.\?.\?.\?.\?.\?.\?.\?.\?\C4|\C5.\?.\?.\?.\?.\?.\?.\?.\?\C5|\C6.\?.\?.\?.\?.\?.\?.\?.\?\C6|\C7.\?.\?.\?.\?.\?.\?.\?.\?\C7|\C8.\?.\?.\?.\?.\?.\?.\?.\?\C8|\C9.\?.\?.\?.\?.\?.\?.\?.\?\C9|\CA.\?.\?.\?.\?.\?.\?.\?.\?\CA|\CB.\?.\?.\?.\?.\?.\?.\?.\?\CB|\CC.\?.\?.\?.\?.\?.\?.\?.\?\CC|\CD.\?.\?.\?.\?.\?.\?.\?.\?\CD|\CE.\?.\?.\?.\?.\?.\?.\?.\?\CE|\CF.\?.\?.\?.\?.\?.\?.\?.\?\CF|\D0.\?.\?.\?.\?.\?.\?.\?.\?\D0|\D1.\?.\?.\?.\?.\?.\?.\?.\?\D1|\D2.\?.\?.\?.\?.\?.\?.\?.\?\D2|\D3.\?.\?.\?.\?.\?.\?.\?.\?\D3|\D4.\?.\?.\?.\?.\?.\?.\?.\?\D4|\D5.\?.\?.\?.\?.\?.\?.\?.\?\D5|\D6.\?.\?.\?.\?.\?.\?.\?.\?\D6|\D7.\?.\?.\?.\?.\?.\?.\?.\?\D7|\D8.\?.\?.\?.\?.\?.\?.\?.\?\D8|\D9.\?.\?.\?.\?.\?.\?.\?.\?\D9|\DA.\?.\?.\?.\?.\?.\?.\?.\?\DA|\DB.\?.\?.\?.\?.\?.\?.\?.\?\DB|\DC.\?.\?.\?.\?.\?.\?.\?.\?\DC|\DD.\?.\?.\?.\?.\?.\?.\?.\?\DD|\DE.\?.\?.\?.\?.\?.\?.\?.\?\DE|\DF.\?.\?.\?.\?.\?.\?.\?.\?\DF|\E0.\?.\?.\?.\?.\?.\?.\?.\?\E0|\E1.\?.\?.\?.\?.\?.\?.\?.\?\E1|\E2.\?.\?.\?.\?.\?.\?.\?.\?\E2|\E3.\?.\?.\?.\?.\?.\?.\?.\?\E3|\E4.\?.\?.\?.\?.\?.\?.\?.\?\E4|\E5.\?.\?.\?.\?.\?.\?.\?.\?\E5|\E6.\?.\?.\?.\?.\?.\?.\?.\?\E6|\E7.\?.\?.\?.\?.\?.\?.\?.\?\E7|\E8.\?.\?.\?.\?.\?.\?.\?.\?\E8|\E9.\?.\?.\?.\?.\?.\?.\?.\?\E9|\EA.\?.\?.\?.\?.\?.\?.\?.\?\EA|\EB.\?.\?.\?.\?.\?.\?.\?.\?\EB|\EC.\?.\?.\?.\?.\?.\?.\?.\?\EC|\ED.\?.\?.\?.\?.\?.\?.\?.\?\ED|\EE.\?.\?.\?.\?.\?.\?.\?.\?\EE|\EF.\?.\?.\?.\?.\?.\?.\?.\?\EF|\F0.\?.\?.\?.\?.\?.\?.\?.\?\F0|\F1.\?.\?.\?.\?.\?.\?.\?.\?\F1|\F2.\?.\?.\?.\?.\?.\?.\?.\?\F2|\F3.\?.\?.\?.\?.\?.\?.\?.\?\F3|\F4.\?.\?.\?.\?.\?.\?.\?.\?\F4|\F5.\?.\?.\?.\?.\?.\?.\?.\?\F5|\F6.\?.\?.\?.\?.\?.\?.\?.\?\F6|\F7.\?.\?.\?.\?.\?.\?.\?.\?\F7|\F8.\?.\?.\?.\?.\?.\?.\?.\?\F8|\F9.\?.\?.\?.\?.\?.\?.\?.\?\F9|\FA.\?.\?.\?.\?.\?.\?.\?.\?\FA|\FB.\?.\?.\?.\?.\?.\?.\?.\?\FB|\FC.\?.\?.\?.\?.\?.\?.\?.\?\FC|\FD.\?.\?.\?.\?.\?.\?.\?.\?\FD|\FE.\?.\?.\?.\?.\?.\?.\?.\?\FE|\FF.\?.\?.\?.\?.\?.\?.\?.\?\FF)"
add name=skypetoskype regexp="^..\02............."
add name=teamspeak regexp="^\F4\BE\03.*teamspeak"
add name=ventrilo regexp="^..\?v\\\$\CF"
add name=stun regexp="^[\01\02]................\?\$"


  1. Hi,
    I see that you finally came around to implementing a squid in a mikrotik network!
    I will try out your configurations and see if they work for me!
    But for my squid I use OpenSuse 12.3. Do you have a squid conf file and also a firewall conf file that can work for me? I will be totally grateful!

  2. Hi,
    I see that your network flow/diagram is entirely different from mine.
    Is there a way I can paste my diagram for you to see, and then you can advise me on how to implement your above model on it? I also noticed that your squid, I believe, runs on Windows, right? Mine runs on Linux.
    What do we do at this stage?

    1. I just added a small change in step 4 for a more optimal result in this situation. I apologize if I cannot answer all questions, or take long to do so, because of my limitations. The proxy server that you have is different; it is not a client-side proxy server, so it must require an additional route, because I think you have used a different local interface between your network and the proxy server. But the principle is how you can catch the connection from the proxy server and then perform the optimization, or get hits from the proxy server connection.

  3. Only the external proxy is left now, mas; the internal proxy doesn't have much effect.

    1. This is an external proxy with MikroTik's internal proxy enabled; in other words, an internal proxy that uses the external proxy as its parent. Actually I would like to apply a router-side external proxy, but in this situation an optimization like this can reasonably stabilize and improve the performance of my Internet connection! Sites that were hard to load completely now run smoothly, because the browser cache, which sometimes hangs while browsing, especially under heavy traffic, is no longer used, on top of the browser cache being problematic.

    2. Here the proxy sits in parallel with the clients, so the internal proxy is diverted to the external proxy; with an RB750 it gets a bit of breathing room. Correct me if I'm wrong. I combined your settings with HandyCache; it's fairly stable, the only obstacle is that we can't control it per IP.

  4. Yes, please make a tutorial on MikroTik load balancing with an external proxy.

    1. The story is this: my MikroTik is an outdoor type, mounted far up high, and I don't dare climb up to run a LAN cable; three poles is scary. I don't have the funds yet to buy a MikroTik router. So I'm forced to use the single interface provided by the ISP, and the topology I apply is as in the picture above. Actually I would like to separate the interfaces for LAN, proxy and hotspot so that all three have different paths, as is usually done. So for now, let it be like this :)


  6. Bro, can it be combined with this setting, Full Bandwidth Management Parent Queue Tree.. thank you

  7. It has been a long time since I came to my blog, so many comments here! I am still researching some things for further understanding of the limited facilities that we might have. I will come to bring something new here! Thanks for coming!

  8. Greetings bli ..... I've tried it.. it runs smoothly, only the extension download limit has no effect. Where is the problem, bli ..... please enlighten a beginner

  9. bli.. I want to ask, does a proxy in parallel with the clients consume Internet bandwidth if there's a request from a client that isn't cached in the proxy yet .. thanks

  10. Pak Ketut, I've read several of the bandwidth management articles on this blog.. there are several kinds..
    Now, with a topology like this (sorry, I scribbled on the diagram?), which Queue Tree would be more suitable?

    So it's for roughly 10 client PCs with static IPs, plus 1 billing PC that also functions as the proxy server, and also 1 access point that may be accessed by ~10 clients; with 3 Mbps bandwidth.

    Sorry if the question is a bit odd.. I'm a real beginner with MikroTik, trying to set up an Internet cafe, Pak..

    Thank you!!

    1. If the bandwidth after being divided among the number of clients becomes small, for example ideally 100 kbps per client, just use a QoS queue tree that uses PCQ on the various kinds of connections you want to distinguish.

  11. Proxy websites - to use what areas and where to buy
    Where to buy domains for Proxy
    That's the easy part - usually the cheapest sites is monitored by . Beware of promotions and always in the mass that makes a big difference now. For example , if you buy 6 or Sites GoDaddy, you will pay less than a dollar on the page.

    Which area buy proxy site
    Now the hard bit is - . . Should I buy information , com, etc. As always, it depends ! There are some basic differences :

    a). Information proxy sites are automatically blocked in several countries or in some companies or schools .
    b ) the cost difference is important - . . Info often less than a dollar , how can cost ten times more .

    So what you need to decide what you want to the page. Is it to build a website with SEO you want to get long term build , is the answer. Distribute the additional costs over a greater earning periods .

    Passage through the effect that more traffic looks real , but at least on the basis of some experiments I've done. If you have a website that is a place for quick use - . Most of them , info is the answer. What I mean by that is the income of most pages are at the very beginning of his life. After the first days of life quickly blocked sites by country , schools and organizations , so it is very important for the lowest possible death.


  12. Mas, after I tried it, why can't layer 7 be limited? And the queue tree isn't running.

  13. "There is a loop in network for HTTP traffic. Check your network topology and proxy & firewall configuration", can you help, bli, what is wrong with the external proxy?

  14. Thanks for giving me information about my problem. I was searching the NET and here I found. Also if you want more work just click
    access FileCrop in UK

  15. thanks see more

  16. Want to ask Mas Ketut (I've been using this MK setting for 5 months for an Internet cafe; while I used it there were no problems at all, but lately it often has trouble: the undefined limit is always red, causing disconnection, because I limit undefined to 210k so browsing gets DC, even though no user is downloading any file; I checked all the PCs, I don't auto-update Flash Player or Mozilla either, users only open FB & YouTube & games, nobody is downloading. What is the problem? I don't use the proxy, I only took the scripts that don't go to the proxy, just the limits, and for 5 months it ran smoothly. Please advise; I've already reset the MK and made a new setup with the same script as above, the result is the same, still trouble. Firewall UNDEFINED /ip firewall layer7-protocol
    add comment="download" name=high regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"

  17. Good afternoon. I have applied your configuration; however, some doubts arise: when setting a max limit for download and upload in a simple queue, it seems not to affect anything, since a client never turns yellow or red. Could you elaborate on this? Thanks

  18. I understood now that the queue tree rules take priority over the simple queue rules

    now, for how much bandwidth and for how many clients is this configuration designed?? thanks

  19. Just want to say your article is astounding. The clarity in your post is simply spectacular.FileCrop UK proxy

  20. Good afternoon Bli, please enlighten me: if the tutorial above is applied to a MikroTik with the hotspot function on interface ether1, it doesn't work, Bli, always a gateway error, but if the proxy NAT is disabled it runs, Bli. Please help with the settings so that the tutorial above can be applied to a hotspot on interface ether1, Bli. Thanks for the support. Awaiting your enlightenment, Bli.

    1. Please enlighten me on this problem of mine, Mas Ketut... Thanks,

    2. Mas, the problem above is solved, but I have another question: how can the hotspot's built-in simple queue be bypassed so that its bandwidth management can join the queue tree as you made above? Because I want an ether3 with the hotspot function. Thanks, Mas

  21. I really appreciate this blog and I will sure promote this blog to others in my circle
    eMp3World UK proxy

  22. "There is a loop in network for HTTP traffic. Check your network topology and proxy & firewall configuration",
    please resolve this problem as soon as possible thanks :)

  23. Add src-address !(your proxy address) in your firewall NAT. Hope this will help you

  24. I like the resources which you mention in your blog but there are more resources which you can use. I hope in you next article you include these resources too.
    Torrentz UK proxy

  25. WOW!! Very informative blog and useful article. Please visit this site if you want more detail Holborn Assets

  26. sir please send me the full script Ecmp Load Balancing Failover with Proxy and DNS