Hey,
I have a problem opening a specific site: berniaga.com.
This is sort of a Craigslist, but for Indonesia.
When I click the “pasang iklan” button on the homepage, it goes to http://www2.berniaga.com/ai but returns “404 Not found”.
Other times I have seen an “nginx 1.4.3” error instead.
I have a feeling it's something wrong with the MikroTik rules. If I could get some help I would be very grateful.
I will put the current settings in the next post.
/ip firewall layer7-protocol
# Layer-7 patterns are regex matches on connection payload and are CPU-costly
# per connection. None of the names below is referenced by a filter or mangle
# rule in this export, so they are either unused or consumed in a section not
# shown here -- verify before relying on them.
# The dots in the hostname patterns are unescaped regex wildcards, and a literal
# "http://host" prefix only appears in the payload of proxy-style requests, so
# the first two entries are unlikely to match plain browser traffic (review
# assumption, not verified on the router).
add name=http://ts5.travian.co.id regexp=http://ts5.travian.co.id
add name=http://tx3.travian.co.id regexp=http://tx3.travian.co.id
add name=www.travian.co.id regexp=www.travian.co.id
# The "\n\" lines below are the export's rendering of newline characters that
# were embedded in the pattern when it was pasted. Newlines inside the
# alternation change what the regex matches; re-enter it as a single line if
# this pattern is meant to be used.
add name=torrent regexp="^.*(get|GET).+(torrent|\
\n\
\nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|\
\n\
\ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|\
\n\
\nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\
\n\
\nflixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
# Unescaped dot; matches "youtube.com" anywhere in the payload (Referer headers,
# other hosts containing the substring), not only the Host header.
add name=youtube regexp=youtube.com
/ip firewall address-list
# The "bogons" list is consumed by the forward-chain rule "Drop to bogon list"
# (dst-address-list=bogons) in the filter section below. The RFC 1918 entries
# are disabled, which is required here: the LAN and VPN subnets in this export
# (192.168.x.x) fall inside them, so enabling 192.168.0.0/16 would drop all
# forwarded LAN traffic.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no \
list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" disabled=yes list=bogons
# Loopback per RFC 3330 is 127.0.0.0/8; this entry covers only /16 and is
# inconsistent with the (disabled) "Block Bogon" filter rules below, which use
# 127.0.0.0/8.
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" disabled=no list=\
bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=\
bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=bogons
# "\_" in the continuation below is the export's notation for a leading space;
# it is part of the comment string, not a typo.
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no \
list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no \
list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no \
list=bogons
# Multicast is left out of the list (disabled); enabling it would drop
# forwarded multicast such as mDNS/SSDP between segments.
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
/ip firewall connection tracking
# Aggressive timeouts: 5s for the SYN states, 10s for most TCP closing states
# and plain UDP, 3m for UDP streams, 10m generic. tcp-established-timeout=1d
# keeps idle established entries for a full day, which is what sizes the
# tracking table under load.
# tcp-syncookie=no: SYN cookies are off, and the "Add Syn Flood IP to the list"
# rule in the filter section is disabled, so this export appears to carry no
# SYN-flood mitigation at all -- confirm whether that is intended.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Rules are evaluated top-down within each chain; disabled=yes rules are inert.
# input  = traffic addressed to the router itself
# forward = traffic routed through the router
# NOTE(review): every terminating drop at the end of the input chain is
# disabled -- "Block all access to the winbox", "Drop anything else!" and
# "Drop Semua Akses yang tidak di ijinkan" -- so the input chain ends in the
# implicit accept. Any service the router runs (winbox 8291, DNS, the web proxy
# on 3128 except via ether3-CentralOnline, and anything else listening) is
# reachable from every interface, including the public /28 on
# ether3-CentralOnline. The forward chain likewise has no final drop, so
# forwarding is permitted by default and the drop rules in it are exceptions.
# The disabled catch-all rules carry their own warnings about which accepts
# must exist first; populating the "support" address list and enabling them is
# what turns this into a default-deny firewall.
# The next four established/related accepts are disabled duplicates; the active
# copies are further down ("Accept to established connections", "Accept to
# related connections" for input) -- forward currently has none enabled, which
# only matters once a forward drop is added.
add action=accept chain=input comment="Allow Established Connection" \
connection-state=established disabled=yes
add action=accept chain=input comment="Allow Related Connection" \
connection-state=related disabled=yes
add action=accept chain=forward comment=\
"allow already established connections" connection-state=established \
disabled=yes
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=yes
# Redundant while the forward chain has no terminating drop; harmless.
add action=accept chain=forward comment="Allow port 5060 for SIP" disabled=no \
dst-port=5060 protocol=udp
# 1433/1434 and 14221 are accepted in the INPUT chain, i.e. to the router
# itself, which runs none of these services. If the intent was to reach a LAN
# server they belong in forward (currently accepted there anyway). The UDP rule
# matches on src-port=1434 only -- a value any sender chooses -- so it would
# admit arbitrary UDP once a final input drop is enabled.
add action=accept chain=input comment="SQL Server" disabled=no dst-port=1433 \
protocol=tcp
add action=accept chain=input comment="SQL Server" disabled=no protocol=udp \
src-port=1434
add action=accept chain=input comment="LAN Messenger" disabled=no dst-port=\
14221 protocol=tcp
# No in-interface restriction: OpenVPN is accepted from every interface.
add action=accept chain=input comment="Allow OVPN" disabled=no dst-port=1194 \
protocol=tcp
# The list-populating rule is disabled while its drop rule below is enabled,
# so Syn_Flooder is only ever filled by hand and the pair currently does
# nothing automatically.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no \
src-address-list=Syn_Flooder
# psd=21,3s,3,1 with a one-week list timeout: a legitimate host that touches
# several router ports quickly (a monitoring system, a misconfigured client)
# could be locked out of the router for a week. Useful detection signal; check
# the Port_Scanner list contents before trusting it.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no \
jump-target=ICMP protocol=icmp
# Disabled, as its own comment instructs until the "support" list is filled.
# Until then winbox (8291) is reachable on every interface.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no \
jump-target=ICMP protocol=icmp
# Destination-only: forwarded traffic TO bogon space is dropped, but packets
# FROM bogon sources arriving on the public interface are not. The disabled
# "Block Bogon" rules further down did cover src for three prefixes; a
# src-address-list=bogons counterpart with in-interface=ether3-CentralOnline
# would close that gap (the RFC 1918 entries must stay disabled for LAN traffic).
add action=drop chain=forward comment="Drop to bogon list" disabled=no \
dst-address-list=bogons
# Outbound SMTP rate control: a source opening more than 30 concurrent
# connections to 25/587, limited to 30 hits per minute, is listed for 3h and
# then dropped by the next rule. Useful for catching a spam bot on the LAN.
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no \
dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no \
dst-port=25,587 protocol=tcp src-address-list=spammers
# DNS accepted in input from any interface and any source. Together with the
# dstnat "Force to use mikrotik dns" redirects, the router is the LAN resolver.
# If allow-remote-requests is on under /ip dns (not part of this export) it
# also answers on the public interface, i.e. an open resolver usable for
# amplification. Restrict to the LAN side, e.g. in-interface=ether2-Local (plus
# whichever other internal interfaces need it) or
# in-interface=!ether3-CentralOnline.
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 \
protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 \
protocol=tcp
# Active established/related accepts for the input chain.
add action=accept chain=input comment="Accept to established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" \
connection-state=related disabled=no
# "support" is the management allow-list; it is not defined in the
# address-list section of this export, so it is either empty or kept elsewhere.
add action=accept chain=input comment="Full access to SUPPORT address list" \
disabled=no src-address-list=support
# Disabled catch-all (see the header note). When enabled, everything not
# matched above is dropped, so every needed accept must sit above this line.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP chain: echo requests are rate-limited (limit=1,5), replies,
# time-exceeded and unreachable (codes 0-1) are accepted. Note the chain has
# no final drop, so other ICMP types fall back to the calling chain.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=\
0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no \
icmp-options=3:0-1 protocol=icmp
# Disabled. "dari Publik" = "from the public side": would explicitly allow
# winbox from the uplink interface.
add action=accept chain=input comment="Allow Remote winbox dari Publik" \
disabled=yes dst-port=8291 in-interface=ether3-CentralOnline protocol=tcp
# These two accept by SOURCE port only (123 and 53) from the public interface.
# Any packet whose sender sets that source port matches, so once a final input
# drop is enabled these become a bypass of it. Replies to the router's own
# NTP/DNS queries are already admitted by the established/related accepts
# above, so the rules appear unnecessary -- confirm nothing depends on them
# before removing.
add action=accept chain=input comment="Allow NTP Traffic" disabled=no \
in-interface=ether3-CentralOnline protocol=udp src-port=123
add action=accept chain=input comment="Allow DNS Traffic" disabled=no \
in-interface=ether3-CentralOnline protocol=udp src-port=53
# Keeps the web proxy (3128, see /ip proxy) off the public interface only.
# Other interfaces, including the ovpn-out1 tunnel, can still reach it because
# the input chain has no final drop.
add action=drop chain=input comment="Drop Proxy Port From Outside" disabled=\
no dst-port=3128 in-interface=ether3-CentralOnline protocol=tcp
# Only TCP invalid-state traffic is dropped; invalid UDP/other protocols are
# not matched by this rule.
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no protocol=tcp
# Six disabled single-prefix bogon rules, superseded by the address-list based
# "Drop to bogon list" above (dst only). They use 127.0.0.0/8 where the bogons
# list has 127.0.0.0/16, and 224.0.0.0/3 also covers the 240.0.0.0/4 reserved
# range; the two sets should be reconciled into one.
add action=drop chain=forward comment="Block Bogon" disabled=yes src-address=\
0.0.0.0/8
add action=drop chain=forward comment="Block Bogon" disabled=yes dst-address=\
0.0.0.0/8
add action=drop chain=forward comment="Block Bogon" disabled=yes src-address=\
127.0.0.0/8
add action=drop chain=forward comment="Block Bogon" disabled=yes dst-address=\
127.0.0.0/8
add action=drop chain=forward comment="Block Bogon" disabled=yes src-address=\
224.0.0.0/3
add action=drop chain=forward comment="Block Bogon" disabled=yes dst-address=\
224.0.0.0/3
# Comments are Indonesian: "Log Ip Yang Di Tolak" = "log the rejected IPs",
# "Drop Semua Akses yang tidak di ijinkan" = "drop all access that is not
# permitted". Both disabled; when enabled they form the public-interface
# catch-all (list new inbound sources for 30m, then drop), and must stay below
# every accept the uplink needs.
add action=add-src-to-address-list address-list=spam address-list-timeout=30m \
chain=input comment="Log Ip Yang Di Tolak" connection-state=new disabled=\
yes in-interface=ether3-CentralOnline
add action=drop chain=input comment="Drop Semua Akses yang tidak di ijinkan" \
disabled=yes in-interface=ether3-CentralOnline
# The jump into the "virus" chain is disabled, so nothing reaches that chain;
# its enabled "Drop Spammer" rule therefore has no effect. The two chains
# ("spammers" above, "spammer" here) duplicate the same idea with different
# thresholds -- keep one.
add action=jump chain=forward comment="jump to the virus chain" disabled=yes \
jump-target=virus
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=virus comment="add to spammer list" connection-limit=30,32 \
disabled=yes dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 \
protocol=tcp src-address-list=spammer
# Disabled no-op; with or without it the forward chain ends in the default
# accept.
add action=accept chain=forward disabled=yes
/ip firewall mangle
# Marks TCP connections from 192.168.1.0/24 (Clients-con) and then every packet
# of those connections (Clients). Only TCP is marked, so UDP/ICMP from the same
# subnet carries no mark. No consumer of the "Clients" packet mark (queue tree
# or simple queue) appears in this export; presumably it lives under /queue --
# verify before changing these rules.
add action=mark-connection chain=forward comment="Clients Connection" \
disabled=no new-connection-mark=Clients-con passthrough=yes protocol=tcp \
src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=Clients-con disabled=no \
new-packet-mark=Clients passthrough=yes
/ip firewall nat
# Masquerade is applied on EVERY interface, including the internal ether1-Local,
# ether2-Local and ether4-Server. Traffic forwarded into the server segment
# (192.168.3.0/24 on ether4-Server) therefore leaves with the router's own
# 192.168.3.1 as source, so the servers behind the dst-nat rules below see all
# requests -- from the internet or from the LAN -- as coming from the router.
# Client addresses are lost in server logs and any per-source control on the
# servers cannot work. Unless the LAN-side masquerade is deliberate, keep it
# only on the uplinks (ether3-CentralOnline, ovpn-out1).
add action=masquerade chain=srcnat disabled=no out-interface=ether1-Local
add action=masquerade chain=srcnat disabled=no out-interface=\
ether3-CentralOnline
add action=masquerade chain=srcnat disabled=no out-interface=ovpn-out1
add action=masquerade chain=srcnat disabled=no out-interface=ether2-Local
add action=masquerade chain=srcnat disabled=no out-interface=ether4-Server
# Public addresses 203.77.247.228-.231 (inside the /28 on ether3-CentralOnline)
# are forwarded to 192.168.3.2 ports 8081-8083 and to 192.168.0.203:8081;
# dst-port=80,8081 means both external ports land on the same internal port.
# Exposure of these services is governed by dst-nat alone, because the forward
# chain has no terminating drop. A forward rule accepting only translated
# traffic (connection-nat-state=dstnat) followed by a drop of other new
# inbound connections would bound it.
add action=dst-nat chain=dstnat disabled=no dst-address=203.77.247.228 \
dst-port=80,8081 protocol=tcp to-addresses=192.168.3.2 to-ports=8081
add action=dst-nat chain=dstnat disabled=no dst-address=203.77.247.229 \
dst-port=80,8082 protocol=tcp to-addresses=192.168.3.2 to-ports=8082
add action=dst-nat chain=dstnat disabled=no dst-address=203.77.247.230 \
dst-port=80,8083 protocol=tcp to-addresses=192.168.3.2 to-ports=8083
add action=dst-nat chain=dstnat disabled=no dst-address=203.77.247.231 \
dst-port=80,8081 protocol=tcp to-addresses=192.168.0.203 to-ports=8081
# The same services published on internal addresses 192.168.3.6-.9 and
# .51-.54, one distinct port (8081-8088) per address, so LAN clients can use
# internal IPs. These addresses must be held by the router for dstnat to see
# the traffic -- presumably secondary addresses under /ip address (not in this
# export); confirm.
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.6 dst-port=\
80,8081 protocol=tcp to-addresses=192.168.3.2 to-ports=8081
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.7 dst-port=\
80,8082 protocol=tcp to-addresses=192.168.3.2 to-ports=8082
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.8 dst-port=\
80,8083 protocol=tcp to-addresses=192.168.3.2 to-ports=8083
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.9 dst-port=\
80,8084 protocol=tcp to-addresses=192.168.3.2 to-ports=8084
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.51 \
dst-port=80,8085 protocol=tcp to-addresses=192.168.3.2 to-ports=8085
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.52 \
dst-port=80,8086 protocol=tcp to-addresses=192.168.3.2 to-ports=8086
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.53 \
dst-port=80,8087 protocol=tcp to-addresses=192.168.3.2 to-ports=8087
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.3.54 \
dst-port=80,8088 protocol=tcp to-addresses=192.168.3.2 to-ports=8088
# Transparent proxy: plain HTTP (port 80 only) from 192.168.1.0/24 on
# ether2-Local is redirected into the router's web proxy on 3128. HTTPS is
# not redirected, so the /ip proxy access deny list applies to HTTP only.
# A client in that subnet reaches berniaga.com through this proxy; the
# quickest way to tell whether the 404 / nginx error reported in the post is
# introduced on the proxy path is to exempt one test client from this rule
# (src-address=!<test-host>) and repeat the request -- review suggestion, the
# cause is not determinable from this export.
add action=redirect chain=dstnat comment="Route To Proxy" disabled=no \
dst-port=80 in-interface=ether2-Local protocol=tcp src-address=\
192.168.1.0/24 to-ports=3128
# Client DNS (TCP and UDP 53) on ether2-Local is intercepted and answered by
# the router's own resolver; relies on the input-chain "Accept DNS" rules.
add action=redirect chain=dstnat comment="Force to use mikrotik dns" \
disabled=no dst-port=53 in-interface=ether2-Local protocol=tcp to-ports=\
53
add action=redirect chain=dstnat comment="Force to use mikrotik dns" \
disabled=no dst-port=53 in-interface=ether2-Local protocol=udp to-ports=\
53
/ip firewall service-port
# Connection-tracking helpers (ALGs). Every helper listed here is enabled; each
# one parses payload of its protocol and opens dynamic "related" pinholes
# through NAT and the firewall. Helpers for protocols this site does not use
# (tftp, irc, h323 and pptp are the usual candidates) are attack surface with
# no benefit and should be disabled -- check actual usage first.
# sip-direct-media=yes lets tracked SIP sessions set up RTP directly between
# endpoints rather than via the proxy.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
1 DS dst-address=0.0.0.0/0 gateway=192.168.75.5 gateway-status=192.168.75.5 reachable via ovpn-out1 distance=1 scope=30 target-scope=10
2 A S dst-address=118.97.85.98/32 gateway=ether3-CentralOnline gateway-status=ether3-CentralOnline reachable distance=1 scope=30 target-scope=10
3 A S dst-address=192.168.0.0/24 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable distance=1 scope=30 target-scope=10
4 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether2-Local gateway-status=ether2-Local reachable distance=0 scope=10
5 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.1 gateway=ether4-Server gateway-status=ether4-Server reachable distance=0 scope=10
6 ADC dst-address=192.168.5.0/24 pref-src=192.168.5.1 gateway=ether1-Local gateway-status=ether1-Local unreachable distance=0 scope=200
7 ADC dst-address=192.168.6.0/24 pref-src=192.168.6.1 gateway=ether2-Local gateway-status=ether2-Local reachable distance=0 scope=10
8 ADC dst-address=192.168.25.0/24 pref-src=192.168.25.1 gateway=ether2-Local gateway-status=ether2-Local reachable distance=0 scope=10
9 A S dst-address=192.168.50.0/24 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable distance=1 scope=30 target-scope=10
10 ADS dst-address=192.168.75.0/24 gateway=192.168.75.5 gateway-status=192.168.75.5 reachable via ovpn-out1 distance=0 scope=30 target-scope=10
11 ADC dst-address=192.168.75.5/32 pref-src=192.168.75.6 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable distance=0 scope=10
12 ADC dst-address=203.77.247.224/28 pref-src=203.77.247.227 gateway=ether3-CentralOnline gateway-status=ether3-CentralOnline reachable distance=0 scope=10
/ip proxy
# Web proxy enabled on port 3128 with no parent proxy, no disk cache and
# unlimited memory cache size (max-cache-size=none); src-address=0.0.0.0 is the
# source the proxy uses for its outbound connections (default). Who may reach
# the listener is decided by the firewall input chain, where only
# ether3-CentralOnline is dropped; from every other interface, including the
# ovpn-out1 tunnel peer, 3128 is reachable because that chain has no final
# drop, and /ip proxy access below has no final deny -- i.e. an open proxy for
# anything that can route to the router. 600 client and 600 server connections
# are the concurrency caps.
set always-from-cache=no cache-administrator=Administrator cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d \
max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=3128 serialize-connections=no src-address=0.0.0.0
/ip proxy access
# Hostname-based blocks for HTTP that reaches the proxy; since the dstnat
# redirect covers port 80 only, HTTPS to these sites is unaffected. All rules
# are scoped to src-address=192.168.1.0/24 and there is no final deny, so any
# other client that can reach 3128 is allowed everything (proxy default).
# dst-host matches the request's Host value exactly as written: "youtube.com"
# without "www." or "m.youtube.com" is not covered. The entry written as a
# full URL ("http://ts5.travian.co.id/") is unlikely to ever equal a Host
# value -- the bare hostname form used by the other entries is the one that
# matches; verify on the router.
# redirect-to points blocked clients at a third-party image URL that this site
# does not control.
add action=deny disabled=no dst-host=www.youtube.com dst-port="" src-address=192.168.1.0/24
add action=deny disabled=no dst-host=www.travian.co.id dst-port="" redirect-to=nanagsu.files.wordpress.com/2008/02/31.jpg src-address=192.168.1.0/24
add action=deny disabled=no dst-host=www.ts5.travian.co.id dst-port="" redirect-to=nanagsu.files.wordpress.com/2008/02/31.jpg src-address=192.168.1.0/24
add action=deny disabled=no dst-host=http://ts5.travian.co.id/ dst-port="" redirect-to=nanagsu.files.wordpress.com/2008/02/31.jpg src-address=192.168.1.0/24
add action=deny disabled=no dst-host=www.facebook.com dst-port="" src-address=192.168.1.0/24
/ip hotspot profile
# Default hotspot server profile (whether a hotspot server actually uses it is
# not shown in this export). login-by=cookie,http-chap: the login page's script
# sends an MD5 challenge-response instead of the plain password, and a 3-day
# cookie (http-cookie-lifetime) re-authenticates returning clients without a
# prompt. use-radius=no means only locally defined users; no rate-limit;
# hotspot-address, http-proxy and smtp-server are unset (0.0.0.0).
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default \
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
# Default user profile: one concurrent session per account (shared-users=1),
# no idle timeout, 2-minute keepalive, hotspot transparent proxy off.
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21