
Script Queue Tree Dan Mangle Raw

The document outlines configurations for a network firewall, including the creation of address lists for local networks and various online services such as Facebook, Instagram, and YouTube. It details the setup of mangle rules for traffic marking and management, including specific protocols and traffic types like DNS and ICMP. Additionally, it includes queue tree settings for bandwidth management using PCQ (Per Connection Queue).


Script Queue tree Dan Mangle Raw

Add Address List


# The three RFC 1918 private ranges, grouped under the list name "Lokal".
# Other sections use this list to tell LAN-side addresses from Internet ones,
# so every rule that refers to it must use exactly this spelling.
/ip firewall address-list
add list=Lokal address=10.0.0.0/8
add list=Lokal address=172.16.0.0/12
add list=Lokal address=192.168.0.0/16

Add Layer7 protocol patterns


# Layer7 patterns used by the mangle rules to classify connections.
#   EXE     - starts with 0x4d 0x5a, the ASCII bytes "MZ"
#   ZIP     - "pk" followed by 0x03 0x04 0x14
#   MP4     - 0x18 followed by the ASCII bytes "ftyp"
#   RAR     - "Rar" followed by 0x21 0x1a 0x07
#   youtube - a *.googlevideo.com host name of the form r<N>---xx-xxxx
#
# Limits worth knowing before relying on these:
# - The L7 matcher only looks at the start of a connection (the first packets
#   / first ~2 KB), and only at bytes it can read. File signatures inside
#   HTTPS or any other encrypted transport are not visible, so EXE/ZIP/MP4/RAR
#   effectively classify cleartext transfers only.
# - These are QoS classifiers, not content filtering: a signature match says
#   nothing about whether a file is safe, and a miss does not mean no file
#   was transferred.
/ip firewall layer7-protocol
add regexp="\\x4d\\x5a(\\x90\\x03|\\x50\\x02)\\x04" name=EXE
add regexp="pk\\x03\\x04\\x14" name=ZIP
add regexp="\\x18\\x66\\x74\\x79\\x70" name=MP4
add regexp="Rar\\x21\\x1a\\x07" name=RAR
add regexp="r[0-9]+---[a-z]+-+[a-z0-9-]+\\.googlevideo\\.com" name=youtube

Add Raw Mangle


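# Facebook: learn destination IPs by watching LAN-originated packets for
# Facebook-related strings; each destination is remembered for one day.
#
# Fix: the LAN list is written "Lokal" here, matching the list created under
# /ip firewall address-list. The page wrote "lokal"; a name that does not
# match the created list refers to a list with no entries, so
# src-address-list would never match and nothing would be learned.
#
# Caveats:
# - content= is a plain substring match on the packet payload. It only sees
#   names that travel in cleartext (for example DNS queries, HTTP Host, TLS
#   SNI), and short strings such as fb.com, fb.gg or m.me also match inside
#   unrelated host names, so unrelated destinations can end up in the list.
# - Any LAN host can get an arbitrary destination added simply by sending it
#   a packet containing one of these strings. Treat the list as a QoS hint
#   only; do not reuse it for accept/drop decisions.
# - Every rule inspects the payload of every LAN-to-Internet packet (there is
#   no connection-state restriction), which costs CPU on busy links.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d comment=FACEBOOK content=.facebook.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=.facebook.net \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=.fbcdn.net \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=.fbsbx.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=fb.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=fb.gg \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=fbwat.ch \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=messenger.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=FACEBOOK \
    address-list-timeout=1d content=m.me \
    src-address-list=Lokal dst-address-list=!Lokal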

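# Instagram: learn destination IPs from LAN-originated packets that contain
# an Instagram host-name fragment; entries expire after one day.
#
# Fix: both list references now read "Lokal", the list created under
# /ip firewall address-list. The page used "lokal" and, on the second rule,
# "local"; neither names the populated list, so the rules could not match.
#
# content= is a substring match on cleartext payload only, and LAN hosts
# control what gets added - use the list as a QoS hint, not for access
# control.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=INSTAGRAM \
    address-list-timeout=1d comment=INSTAGRAM content=.instagram.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=INSTAGRAM \
    address-list-timeout=1d content=.cdninstagram.com \
    src-address-list=Lokal dst-address-list=!Lokal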
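# Marketplace sites: learn destination IPs from LAN-originated packets that
# contain one of the listed shop domains; entries expire after one day.
#
# Fix: list references now read "Lokal", the list created under
# /ip firewall address-list. The page used "lokal" and, on the last rule,
# "local"; neither names the populated list, so the rules could not match.
#
# content= is a substring match on cleartext payload only, and LAN hosts
# control what gets added - use the list as a QoS hint, not for access
# control.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d comment=MARKETPLACE content=tokopedia.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=tokopedia.net \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=shopee.co.id \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=bukalapak.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=lazada.co.id \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=blibli.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=MARKETPLACE \
    address-list-timeout=1d content=olx.co.id \
    src-address-list=Lokal dst-address-list=!Lokal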
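# Snack Video: learn destination IPs from LAN-originated packets that contain
# one of the listed domains; entries expire after one day.
#
# Fix: list references now read "Lokal", the list created under
# /ip firewall address-list. The page used "lokal" and, on the last rule,
# "local"; neither names the populated list, so the rules could not match.
#
# NOTE(review): .myqcloud.com is also matched by the TIKTOK rules on this
# page and looks like a shared cloud/CDN domain, so the same destination can
# land in both lists and other tenants of that domain will be included too.
# content= is a substring match on cleartext payload only; use the list as a
# QoS hint, not for access control.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=SNACKVIDEO \
    address-list-timeout=1d comment=SNACKVIDEO content=.snackvideo.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=SNACKVIDEO \
    address-list-timeout=1d content=.myqcloud.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=SNACKVIDEO \
    address-list-timeout=1d content=.snackvideo.in \
    src-address-list=Lokal dst-address-list=!Lokal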

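# TikTok: learn destination IPs from LAN-originated packets that contain one
# of the listed domains; entries expire after one day.
#
# Fix: list references now read "Lokal", the list created under
# /ip firewall address-list. The page used "lokal" and, on the last rule,
# "local"; neither names the populated list, so the rules could not match.
#
# NOTE(review): .myqcloud.com is also matched by the SNACKVIDEO rules on this
# page and looks like a shared cloud/CDN domain, so the same destination can
# land in both lists. content= is a substring match on cleartext payload
# only; use the list as a QoS hint, not for access control.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d comment=TIKTOK content=.tiktok.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.tiktokv.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.tiktokcdn.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.byteoversea.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.ibyteimg.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.ibytedtos.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TIKTOK \
    address-list-timeout=1d content=.myqcloud.com \
    src-address-list=Lokal dst-address-list=!Lokal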

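# Twitter: learn destination IPs from LAN-originated packets that contain one
# of the listed domains; entries expire after one day.
#
# Fix: list references now read "Lokal", the list created under
# /ip firewall address-list. The page used "lokal" and, on the last rule,
# "local"; neither names the populated list, so the rules could not match.
#
# Caveat: content= is a substring match, and "t.co" is short enough to occur
# inside unrelated host names (it is part of "microsoft.com", for example),
# so this list will collect many non-Twitter destinations. Use it as a rough
# QoS hint only, never for accept/drop decisions.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=TWITTER \
    address-list-timeout=1d comment=TWITTER content=.twitter.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TWITTER \
    address-list-timeout=1d content=.twimg.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=TWITTER \
    address-list-timeout=1d content=t.co \
    src-address-list=Lokal dst-address-list=!Lokal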

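# YouTube: learn destination IPs from LAN-originated packets that contain one
# of the listed domains; entries expire after one day.
#
# Fix: list references now read "Lokal", the list created under
# /ip firewall address-list. The page wrote "lokal", which does not name the
# populated list, so the rules could not match.
#
# content= is a substring match on cleartext payload only, and LAN hosts
# control what gets added - use the list as a QoS hint, not for access
# control.
# NOTE(review): the mangle section on this page classifies YouTube through
# the layer7 pattern "youtube", not through this address list - confirm
# whether the list is meant to be consumed somewhere.
/ip firewall raw
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d comment=YOUTUBE content=.youtube.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d content=.ytimg.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d content=.googlevideo.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d content=youtu.be \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d content=yt3.ggpht.com \
    src-address-list=Lokal dst-address-list=!Lokal
add chain=prerouting action=add-dst-to-address-list address-list=YOUTUBE \
    address-list-timeout=1d content=youtubei.googleapis.com \
    src-address-list=Lokal dst-address-list=!Lokal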

Add Mangle
# Keep LAN-to-LAN traffic out of the marking rules: "accept" stops mangle
# processing for the packet in that chain, so it stays unmarked and is not
# shaped by the queue tree. These two rules must stay above the marking rules.
/ip firewall mangle
add chain=prerouting action=accept comment="Bypass Local Traffic" \
    src-address-list=Lokal dst-address-list=Lokal
add chain=forward action=accept src-address-list=Lokal dst-address-list=Lokal

# Facebook download marking: packets of connections marked FACEBOOK that
# arrive on the WAN interface get packet mark FACEBOOK_down.
# NOTE(review): nothing on this page sets a *connection mark* named FACEBOOK
# (the raw rules fill an address list of that name), and no queue-tree entry
# uses FACEBOOK_down, so as listed this rule looks inert. If a matching
# mark-connection rule is added, remember passthrough=no here means those
# packets skip every later marking rule - confirm intent.
/ip firewall mangle
add chain=forward action=mark-packet comment="FACEBOOK" \
    connection-mark=FACEBOOK in-interface="ether1 - Wan" \
    new-packet-mark=FACEBOOK_down passthrough=no

# Game traffic: tag LAN-originated connections to the listed port ranges
# (TCP 39190-39200, UDP 40000-40010) with connection mark "games", then
# split their packets into games_down / games_up by arrival interface.
# passthrough=no on the packet marks ends mangle processing for the packet.
/ip firewall mangle
add chain=forward action=mark-connection comment="Games Traffic" \
    protocol=tcp dst-port=39190-39200 src-address-list=Lokal \
    new-connection-mark=games passthrough=yes
add chain=forward action=mark-connection protocol=udp dst-port=40000-40010 \
    src-address-list=Lokal new-connection-mark=games passthrough=yes
add chain=forward action=mark-packet connection-mark=games \
    in-interface="ether1 - Wan" new-packet-mark=games_down passthrough=no
add chain=forward action=mark-packet connection-mark=games \
    in-interface="ether2 - Lan" new-packet-mark=games_up passthrough=no
# ICMP traffic: tag LAN-originated ICMP with connection mark "icmp", then
# split packets into icmp_down / icmp_up by arrival interface.
# This only prioritises ICMP in the queue tree; it does not rate-limit or
# filter it.
/ip firewall mangle
add chain=forward action=mark-connection comment="ICMP Traffic" \
    protocol=icmp src-address-list=Lokal new-connection-mark=icmp \
    passthrough=yes
add chain=forward action=mark-packet protocol=icmp connection-mark=icmp \
    in-interface="ether1 - Wan" new-packet-mark=icmp_down passthrough=no
add chain=forward action=mark-packet protocol=icmp connection-mark=icmp \
    in-interface="ether2 - Lan" new-packet-mark=icmp_up passthrough=no

# DNS traffic: tag LAN-originated UDP/53 connections with connection mark
# "dns", then split packets into dns_down / dns_up by arrival interface.
# Only forwarded UDP port 53 is classified here. DNS over TCP/53 and
# encrypted DNS (DoT, DoH) are not matched, and queries answered by the
# router's own resolver never traverse the forward chain.
/ip firewall mangle
add chain=forward action=mark-connection comment="DNS Traffic" protocol=udp \
    dst-port=53 src-address-list=Lokal new-connection-mark=dns passthrough=yes
add chain=forward action=mark-packet protocol=udp connection-mark=dns \
    in-interface="ether1 - Wan" new-packet-mark=dns_down passthrough=no
add chain=forward action=mark-packet protocol=udp connection-mark=dns \
    in-interface="ether2 - Lan" new-packet-mark=dns_up passthrough=no

# Remote-access traffic: tag LAN-originated TCP connections to ports
# 22 (SSH), 23 (Telnet), 8291 (Winbox), 5938 (TeamViewer) and 4899 (Radmin)
# with connection mark "remote", then split packets into remote_down /
# remote_up by arrival interface.
# This is bandwidth prioritisation only: it neither permits nor restricts
# access to these services. Exposure of management ports still has to be
# controlled in /ip firewall filter, and Telnet (23) remains unencrypted.
/ip firewall mangle
add chain=forward action=mark-connection comment="Remote Traffic" \
    protocol=tcp dst-port=22,23,8291,5938,4899 src-address-list=Lokal \
    new-connection-mark=remote passthrough=yes
add chain=forward action=mark-packet connection-mark=remote \
    in-interface="ether1 - Wan" new-packet-mark=remote_down passthrough=no
add chain=forward action=mark-packet connection-mark=remote \
    in-interface="ether2 - Lan" new-packet-mark=remote_up passthrough=no

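# YouTube traffic: tag LAN-originated connections whose early payload matches
# the layer7 pattern "youtube" with connection mark "youtube", then split
# packets into youtube_down / youtube_up by arrival interface.
#
# Fix: the page had "src-address-list= Lokal" with a space after "=", which
# leaves the parameter without a value; it is written src-address-list=Lokal.
#
# The pattern matches a host name, so it only fires where that name is
# readable in the connection's first packets.
# NOTE(review): the rule has no connection-state / connection-mark guard, so
# the regex is offered every forwarded LAN packet that reaches it; layer7
# matching is CPU-heavy, consider restricting it to unmarked connections.
/ip firewall mangle
add chain=forward action=mark-connection comment="YouTube Traffic" \
    layer7-protocol=youtube src-address-list=Lokal \
    new-connection-mark=youtube passthrough=yes
add chain=forward action=mark-packet connection-mark=youtube \
    in-interface="ether1 - Wan" new-packet-mark=youtube_down passthrough=no
add chain=forward action=mark-packet connection-mark=youtube \
    in-interface="ether2 - Lan" new-packet-mark=youtube_up passthrough=no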
# "Lain-lain" (miscellaneous): connections whose early payload matches the
# EXE, ZIP, MP4 or RAR layer7 pattern get connection mark "extensi"; their
# packets are then split into extensi_down / extensi_up by arrival interface.
#
# These rules have no src-address-list restriction, unlike the other marking
# rules, so they apply to every forwarded connection that reaches them.
# File signatures are only visible in cleartext transfers; downloads over
# HTTPS are not classified here. This is shaping, not file blocking.
# NOTE(review): four regexes evaluated without a connection-state guard is
# CPU-heavy - consider limiting them to not-yet-marked connections.
/ip firewall mangle
add chain=forward action=mark-connection comment="Extension Layer7" \
    layer7-protocol=EXE new-connection-mark=extensi passthrough=yes
add chain=forward action=mark-connection layer7-protocol=ZIP \
    new-connection-mark=extensi passthrough=yes
add chain=forward action=mark-connection layer7-protocol=MP4 \
    new-connection-mark=extensi passthrough=yes
add chain=forward action=mark-connection layer7-protocol=RAR \
    new-connection-mark=extensi passthrough=yes
add chain=forward action=mark-packet connection-mark=extensi \
    in-interface="ether1 - Wan" new-packet-mark=extensi_down passthrough=no
add chain=forward action=mark-packet connection-mark=extensi \
    in-interface="ether2 - Lan" new-packet-mark=extensi_up passthrough=no

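# Browsing / heavy traffic (catch-all). The page lists this same set of seven
# rules twice, once under "MARKING TRAFIC LAYER7" and once under "BROWSING
# TRAFIC"; it is given once here, because a second identical copy only adds
# per-packet work. The stray space in "src-address-list= Lokal" from the
# second copy is not carried over.
#
# How it works:
# 1. Every LAN-originated connection that is not already "heavy_traffic" is
#    marked "browsing".
# 2. A "browsing" connection (TCP or UDP) that has moved at least 1024000
#    bytes (upper bound 0 = unlimited) and is running at 256k-102400k is
#    re-marked "heavy_traffic"; rule 1 then leaves it alone.
# 3. Packets are split into heavy_/small_browsing_down and _up by arrival
#    interface; passthrough=no ends mangle processing for the packet.
#
# These rules must stay below the specific classifiers (games, icmp, dns,
# remote, youtube, extensi): rule 1 has no check for an existing mark other
# than heavy_traffic, so it would overwrite them if it ran first.
/ip firewall mangle
add chain=forward action=mark-connection comment="Browsing Traffic" \
    connection-mark=!heavy_traffic src-address-list=Lokal \
    new-connection-mark=browsing passthrough=yes
add chain=forward action=mark-connection comment="Heavy Traffic" protocol=tcp \
    connection-mark=browsing connection-bytes=1024000-0 \
    connection-rate=256k-102400k new-connection-mark=heavy_traffic \
    passthrough=yes
add chain=forward action=mark-connection protocol=udp \
    connection-mark=browsing connection-bytes=1024000-0 \
    connection-rate=256k-102400k new-connection-mark=heavy_traffic \
    passthrough=yes
add chain=forward action=mark-packet connection-mark=heavy_traffic \
    in-interface="ether1 - Wan" new-packet-mark=heavy_browsing_down \
    passthrough=no
add chain=forward action=mark-packet connection-mark=heavy_traffic \
    in-interface="ether2 - Lan" new-packet-mark=heavy_browsing_up \
    passthrough=no
add chain=forward action=mark-packet connection-mark=browsing \
    in-interface="ether1 - Wan" new-packet-mark=small_browsing_down \
    passthrough=no
add chain=forward action=mark-packet connection-mark=browsing \
    in-interface="ether2 - Lan" new-packet-mark=small_browsing_up \
    passthrough=no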

Queue Tree HTB

# PCQ queue types used by the queue tree.
#   down_pcq - classifies by destination address (one sub-queue per receiver)
#   up_pcq   - classifies by source address (one sub-queue per sender)
# Both use a /64 mask for IPv6 source and destination addresses.
/queue type
add name=down_pcq kind=pcq pcq-classifier=dst-address \
    pcq-src-address6-mask=64 pcq-dst-address6-mask=64
add name=up_pcq kind=pcq pcq-classifier=src-address \
    pcq-src-address6-mask=64 pcq-dst-address6-mask=64

# Queue tree, root and download side.
#   Global Traffic
#     Download (10M)
#       1. Game / 2. Icmp / 3. Dns   priority 1, guaranteed limit-at
#       4. Remote                    priority 3, guaranteed limit-at
#       5. Download Traffic (3M)     container for the bulk classes below
#         1. Small Browsing (prio 5), 2. Heavy Browsing (prio 7),
#         3. YouTube (prio 7), 4. Extensi (no priority given on the page)
#     Upload (1M)                    children are defined separately
#
# Only packets carrying one of these packet marks are shaped. Anything the
# mangle rules leave unmarked, or mark with a name not used here, bypasses
# the tree entirely.
/queue tree
add name="Global Traffic" parent=global queue=default
add name=Download parent="Global Traffic" max-limit=10M queue=default
add name=Upload parent="Global Traffic" max-limit=1M
add name="1. Game" parent=Download packet-mark=games_down priority=1 \
    limit-at=512k max-limit=3M queue=down_pcq
add name="2. Icmp" parent=Download packet-mark=icmp_down priority=1 \
    limit-at=64k max-limit=3M queue=down_pcq
add name="3. Dns" parent=Download packet-mark=dns_down priority=1 \
    limit-at=64k max-limit=3M queue=down_pcq
add name="4. Remote" parent=Download packet-mark=remote_down priority=3 \
    limit-at=512k max-limit=3M queue=down_pcq
add name="5. Download Traffic" parent=Download max-limit=3M queue=default
add name="1. Small Browsing" parent="5. Download Traffic" \
    packet-mark=small_browsing_down priority=5 max-limit=3M queue=down_pcq
add name="2. Heavy Browsing" parent="5. Download Traffic" \
    packet-mark=heavy_browsing_down priority=7 max-limit=3M queue=down_pcq
add name="3. YouTube" parent="5. Download Traffic" \
    packet-mark=youtube_down priority=7 max-limit=3M queue=down_pcq
add name="4. Extensi" parent="5. Download Traffic" \
    packet-mark=extensi_down max-limit=3M queue=down_pcq

# Queue tree, upload side. All entries hang below the "Upload" queue (1M)
# and mirror the download classes, using the *_up packet marks and up_pcq.
# Only packets carrying one of these marks are shaped.
/queue tree
add name="1. game" parent=Upload packet-mark=games_up priority=1 \
    limit-at=256k max-limit=1M queue=up_pcq
add name="2. icmp" parent=Upload packet-mark=icmp_up priority=1 \
    limit-at=32k max-limit=1M queue=up_pcq
add name="3. dns" parent=Upload packet-mark=dns_up priority=1 \
    limit-at=32k max-limit=1M queue=up_pcq
add name="4. remote" parent=Upload packet-mark=remote_up priority=3 \
    limit-at=256k max-limit=1M queue=up_pcq
add name="5. Upload Traffic" parent=Upload max-limit=1M queue=default
add name="1. small browsing" parent="5. Upload Traffic" \
    packet-mark=small_browsing_up priority=5 max-limit=1M queue=up_pcq
add name="2. heavy browsing" parent="5. Upload Traffic" \
    packet-mark=heavy_browsing_up priority=7 max-limit=1M queue=up_pcq
add name="3. youtube" parent="5. Upload Traffic" \
    packet-mark=youtube_up priority=7 max-limit=1M queue=up_pcq
add name="4. extensi" parent="5. Upload Traffic" \
    packet-mark=extensi_up max-limit=1M queue=up_pcq

DEFENDER FIREWALL

Mencegah UDP Flood Attack

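# DNS protection in the raw table, which is evaluated before connection
# tracking. ("Mencegah UDP Flood Attack" = "prevent UDP flood attack".)
#
# 1. Drop DNS queries (dst-port 53) arriving on the WAN interface, so the
#    router's resolver cannot be used from the Internet. Replies from
#    upstream resolvers carry source port 53, not destination port 53, and
#    are unaffected.
# 2. Added: the same drop for TCP/53. The page covered UDP only, which
#    leaves the resolver reachable from the Internet over TCP once
#    "Allow Remote Requests" is enabled.
# 3. From every other interface, accept UDP/53 up to limit=100,5:packet ...
# 4. ... and drop whatever exceeds it.
#
# Things to check before deploying:
# - Rules 1 and 2 also drop WAN-originated DNS that would be forwarded to a
#   server behind the router (dst-nat); remove them only if you really host
#   public DNS.
# - The limit in rule 3 is one shared budget for all non-WAN interfaces and,
#   being in prerouting, it also counts queries that LAN clients send to
#   external resolvers. A single noisy host can use it up for everyone;
#   confirm that 100 packets is enough for the site.
# - NOTE(review): the mangle rules on this page match the WAN side as
#   "ether1 - Wan" while these use pppoe-out1. Confirm which interface
#   actually carries routed WAN traffic and use it consistently.
/ip firewall raw
add chain=prerouting action=drop comment="Mencegah UDP Flood Attack" \
    in-interface=pppoe-out1 protocol=udp dst-port=53
add chain=prerouting action=drop in-interface=pppoe-out1 protocol=tcp \
    dst-port=53
add chain=prerouting action=accept in-interface=!pppoe-out1 protocol=udp \
    dst-port=53 limit=100,5:packet
add chain=prerouting action=drop in-interface=!pppoe-out1 protocol=udp \
    dst-port=53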

jangan Lupa Set Allow Remote Request di IP > DNS

Mencegah Port Scanner

# Port-scan detection. ("Mencegah port scanner" = "prevent port scanner".)
# Sources that trip the TCP port-scan detector on the forward or input chain
# are put on the "Port Scan" list for 4w2d; anything on that list is dropped
# in both chains.
#
# psd=21,3s,3,1 reads: weight threshold 21, delay threshold 3s, weight 3 for
# each low (privileged) port probed, weight 1 for each high port.
#
# Things to check before deploying:
# - "add" appends to the end of the chain. If earlier rules already accept
#   the traffic, these never run; move them above the accept rules.
# - There is no in-interface or src-address-list condition, so LAN hosts and
#   management stations can be listed as well and then stay blocked for the
#   full timeout. Consider exempting trusted addresses.
# - The list is keyed on source address, which the router cannot verify for
#   bare SYN packets; a long timeout makes a wrong entry expensive.
# - Only TCP is inspected (protocol=tcp); UDP probing is not detected.
/ip firewall filter
add chain=forward action=add-src-to-address-list address-list="Port Scan" \
    address-list-timeout=4w2d comment="Mencegah port scanner" protocol=tcp \
    psd=21,3s,3,1
add chain=input action=add-src-to-address-list address-list="Port Scan" \
    address-list-timeout=4w2d protocol=tcp psd=21,3s,3,1
add chain=forward action=drop src-address-list="Port Scan"
add chain=input action=drop src-address-list="Port Scan"
