ParmiBMKG
Based on this latest, highly detailed data, I can see several significant changes in the network. Let's discuss them and build the right configuration.
ANALYSIS OF THE LATEST DATA
Key Changes:
- Different subnet size: now using /29 (not /30)
- The HA network is integrated with the VPN network
- Management IPs are separate
- Jakarta has 2 SFPs (1 public, 1 private)
Updated Network Diagram:

graph TB
subgraph "VSAT JAKARTA"
A[Peplink Jakarta] --> B[ETH1: 10.20.30.10/29]
A --> C[SFP2: 192.168.111.1/28]
A --> D[HA: 10.20.30.11-12/29]
A --> E[Management: 192.168.123.3-4/29]
A --> F[SFP1: 202.90.198.83/28]
end
subgraph "VSAT BALI"
G[Peplink Bali] --> H[ETH1: 10.20.30.18/29]
G --> I[WAN2: 192.168.222.1/28]
G --> J[HA: 10.20.30.19-20/29]
G --> K[SFP: Aaa.bbb.ccc.ddd]
G --> L[WAN1: Eee.fff.ggg.hhh]
end
subgraph "MIKROTIK VPN SERVER"
M[Mikrotik] --> N[ETH1: 10.20.30.9/29]
M --> O[ETH2: 10.20.30.17/29]
M --> P[Services Network]
end
B --> N
H --> O
MIKROTIK VPN SERVER CONFIGURATION
1. Interface Configuration
# Interface to Peplink Jakarta
/interface ethernet set ether1 name=to-jakarta
/ip address add address=10.20.30.9/29 interface=to-jakarta
# Interface to Peplink Bali
/interface ethernet set ether2 name=to-bali
/ip address add address=10.20.30.17/29 interface=to-bali
# LAN services interface
/interface ethernet set ether3 name=lan-services
/ip address add address=192.168.200.1/24 interface=lan-services
2. PPTP Server Setup
# Enable PPTP Server
/interface pptp-server server set enabled=yes default-profile=vsat-profile
# IP pool for each site
/ip pool add name=pool-jakarta ranges=10.255.255.10-10.255.255.20
/ip pool add name=pool-bali ranges=10.255.255.30-10.255.255.40
# PPP profile dedicated to VSAT
/ppp profile add name=vsat-profile local-address=10.255.255.1 remote-address=pool-jakarta \
use-encryption=yes use-compression=yes change-tcp-mss=yes only-one=yes
/ppp profile add name=vsat-profile-bali local-address=10.255.255.2 remote-address=pool-bali \
use-encryption=yes use-compression=yes change-tcp-mss=yes only-one=yes
3. User Accounts
# User for Jakarta
/ppp secret add name=jakarta-vsat password=JakartaVSAT123! service=pptp \
profile=vsat-profile local-address=10.255.255.1 remote-address=pool-jakarta
# User for Bali
/ppp secret add name=bali-vsat password=BaliVSAT456! service=pptp \
profile=vsat-profile-bali local-address=10.255.255.2 remote-address=pool-bali
4. Bridge Configuration
# Bridge for L2 connectivity
/interface bridge add name=bridge-vsat
# Ports for VPN connections
/interface bridge port add bridge=bridge-vsat interface=pptp-in1
/interface bridge port add bridge=bridge-vsat interface=pptp-in2
/interface bridge port add bridge=bridge-vsat interface=lan-services
# IP address for the bridge
/ip address add address=172.16.255.1/24 interface=bridge-vsat
5. Routing & Firewall
# Static routes to each site's networks
/ip route add dst-address=192.168.111.0/28 gateway=10.20.30.10
/ip route add dst-address=192.168.222.0/28 gateway=10.20.30.18
/ip route add dst-address=192.168.123.0/29 gateway=10.20.30.10
# Firewall rules
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP VPN"
/ip firewall filter add chain=input protocol=gre action=accept comment="GRE Protocol"
# Allow cross-site traffic
/ip firewall filter add chain=forward src-address=192.168.111.0/28 dst-address=192.168.222.0/28 action=accept comment="Jakarta-Bali Traffic"
/ip firewall filter add chain=forward src-address=192.168.222.0/28 dst-address=192.168.111.0/28 action=accept comment="Bali-Jakarta Traffic"
PEPLINK JAKARTA CONFIGURATION
1. Network Interfaces
Network → WAN → WAN1 (SFP1)
- Connection Type: Static
- IP Address: 202.90.198.83
- Netmask: 255.255.255.240 (28)
- Gateway: 202.90.198.81
Network → WAN → WAN2 (SFP2)
- Connection Type: Static
- IP Address: 192.168.111.1
- Netmask: 255.255.255.240 (28)
- Gateway: 192.168.111.2
Network → LAN → ETH1
- IP Address: 10.20.30.10
- Netmask: 255.255.255.248 (29)
- Gateway: 10.20.30.9
2. HA Configuration
System → High Availability
- HA Mode: Active-Active or Active-Standby
- HA Interface: ETH1 (10.20.30.10/29)
- Peer IP: 10.20.30.11 (for Peplink 1) or 10.20.30.12 (for Peplink 2)
3. VPN Client Configuration
Network → VPN → Add VPN
Basic Settings:
- VPN Type: PPTP
- Name: Jakarta-to-Mikrotik
- Interface: ETH1 (10.20.30.10/29)
Connection Settings:
- Server Address: 10.20.30.9
- Username: jakarta-vsat
- Password: JakartaVSAT123!
- Authentication: MS-CHAP v2
- Encryption: Required
Advanced Settings:
- MTU: 1400
- MRU: 1400
- Send PPP Echo: Enabled
- PPP Echo Interval: 30
4. Outbound Policy
Network → Outbound Policy → Add Policy
Policy 1: HUB Network to VPN Services
- Source IP: 192.168.111.0/28
- Destination IP: 172.16.255.0/24
- Service: VPN (Jakarta-to-Mikrotik)
- Priority: 1
Policy 2: HUB Network to Bali HUB
- Source IP: 192.168.111.0/28
- Destination IP: 192.168.222.0/28
- Service: VPN (Jakarta-to-Mikrotik)
- Priority: 1
Policy 3: Management Network to Services
- Source IP: 192.168.123.0/29
- Destination IP: 172.16.255.0/24
- Service: VPN (Jakarta-to-Mikrotik)
- Priority: 2
PEPLINK BALI CONFIGURATION
1. Network Interfaces
Network → WAN → WAN1 (SFP)
- Connection Type: Static
- IP Address: Aaa.bbb.ccc.ddd
- Gateway: Aaa.bbb.ccc.ddX
Network → WAN → WAN2 (ETH1)
- Connection Type: Static
- IP Address: Eee.fff.ggg.hhh
- Gateway: Eee.fff.ggg.hhX
Network → WAN → WAN3 (ETH2)
- Connection Type: Static
- IP Address: 192.168.222.1
- Netmask: 255.255.255.240 (28)
- Gateway: 192.168.222.2
Network → LAN → ETH1
- IP Address: 10.20.30.18
- Netmask: 255.255.255.248 (29)
- Gateway: 10.20.30.17
2. VPN Client Configuration
Network → VPN → Add VPN
Basic Settings:
- VPN Type: PPTP
- Name: Bali-to-Mikrotik
- Interface: ETH1 (10.20.30.18/29)
Connection Settings:
- Server Address: 10.20.30.17
- Username: bali-vsat
- Password: BaliVSAT456!
- Authentication: MS-CHAP v2
- Encryption: Required
Advanced Settings:
- MTU: 1400
- MRU: 1400
- Send PPP Echo: Enabled
- PPP Echo Interval: 30
3. Outbound Policy
Network → Outbound Policy → Add Policy
Policy 1: HUB Network to VPN Services
- Source IP: 192.168.222.0/28
- Destination IP: 172.16.255.0/24
- Service: VPN (Bali-to-Mikrotik)
- Priority: 1
Policy 2: HUB Network to Jakarta HUB
- Source IP: 192.168.222.0/28
- Destination IP: 192.168.111.0/28
- Service: VPN (Bali-to-Mikrotik)
- Priority: 1
SUMMARY IP ADDRESSING
MIKROTIK VPN SERVER:
- to-jakarta: 10.20.30.9/29
- to-bali: 10.20.30.17/29
- lan-services: 192.168.200.1/24
- bridge-vsat: 172.16.255.1/24
PEPLINK JAKARTA:
- SFP1 (Public): 202.90.198.83/28
- SFP2 (HUB): 192.168.111.1/28
- ETH1 (to Mikrotik): 10.20.30.10/29
- HA Peplink1: 10.20.30.11/29
- HA Peplink2: 10.20.30.12/29
- Management: 192.168.123.3-4/29
PEPLINK BALI:
- SFP (Public): Aaa.bbb.ccc.ddd
- WAN1 (Public): Eee.fff.ggg.hhh
- WAN2 (HUB): 192.168.222.1/28
- ETH1 (to Mikrotik): 10.20.30.18/29
- HA: 10.20.30.19-20/29
NETWORK SEGMENTS:
- Jakarta HUB: 192.168.111.0/28
- Bali HUB: 192.168.222.0/28
- Shared Services: 172.16.255.0/24
- Management: 192.168.123.0/29
- VPN Network: 10.20.30.8/29
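The addressing summary above can be checked mechanically. The following Python is an added example, not part of the original notes: it loads the interface addresses and segments listed on this page and reports off-link gateways, duplicate addresses, mask mismatches on a shared link, and private subnets that are in use but missing from the NETWORK SEGMENTS list. The function name `check_plan`, the finding labels and the `STALE_MASK` case (Jakarta ETH1 left on the old /30) are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# (device, interface, address/prefix, gateway) as listed on this page.
# The Bali public addresses are placeholders on the page and are omitted.
INTERFACES = [
    ("mikrotik", "to-jakarta", "10.20.30.9/29", None),
    ("mikrotik", "to-bali", "10.20.30.17/29", None),
    ("mikrotik", "lan-services", "192.168.200.1/24", None),
    ("mikrotik", "bridge-vsat", "172.16.255.1/24", None),
    ("peplink-jakarta", "SFP1", "202.90.198.83/28", "202.90.198.81"),
    ("peplink-jakarta", "SFP2", "192.168.111.1/28", "192.168.111.2"),
    ("peplink-jakarta", "ETH1", "10.20.30.10/29", "10.20.30.9"),
    ("peplink-jakarta", "HA-1", "10.20.30.11/29", None),
    ("peplink-jakarta", "HA-2", "10.20.30.12/29", None),
    ("peplink-bali", "WAN2", "192.168.222.1/28", "192.168.222.2"),
    ("peplink-bali", "ETH1", "10.20.30.18/29", "10.20.30.17"),
]

# The NETWORK SEGMENTS list from the summary.
SEGMENTS = {
    "Jakarta HUB": "192.168.111.0/28",
    "Bali HUB": "192.168.222.0/28",
    "Shared Services": "172.16.255.0/24",
    "Management": "192.168.123.0/29",
    "VPN Network": "10.20.30.8/29",
}

# Constructed failure case: Jakarta ETH1 left on the old /30 mask.
STALE_MASK = [
    (d, n, "10.20.30.10/30" if (d, n) == ("peplink-jakarta", "ETH1") else c, g)
    for d, n, c, g in INTERFACES
]


def check_plan(interfaces, segments):
    """Return a sorted list of (kind, detail) findings for an addressing plan."""
    findings = set()
    seg_nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    parsed = []
    for device, name, cidr, gateway in interfaces:
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        label = f"{device}/{name}"
        parsed.append((label, iface))
        reserved = (net.network_address, net.broadcast_address)
        if iface.ip in reserved:
            findings.add(("unusable-host", f"{label} {cidr}"))
        if gateway is not None:
            gw = ipaddress.ip_address(gateway)
            if gw not in net or gw == iface.ip or gw in reserved:
                findings.add(("gateway-off-link",
                              f"{label} gateway {gateway} is not a usable host in {net}"))
        # Private subnets in use should appear in the documented segment list.
        if net.is_private and not any(net.subnet_of(s) for s in seg_nets.values()):
            findings.add(("undocumented-subnet", str(net)))
    for (la, a), (lb, b) in combinations(parsed, 2):
        if a.ip == b.ip:
            findings.add(("duplicate-address", f"{a.ip} on {la} and {lb}"))
        elif a.network != b.network and a.network.overlaps(b.network):
            # Same wire, different masks: some peers fall outside the smaller net.
            findings.add(("prefix-mismatch", f"{la} {a.network} vs {lb} {b.network}"))
    for (na, a), (nb, b) in combinations(seg_nets.items(), 2):
        if a.overlaps(b):
            findings.add(("segment-overlap", f"{na} {a} vs {nb} {b}"))
    return sorted(findings)


if __name__ == "__main__":
    for title, plan in (("page plan", INTERFACES), ("stale /30 mask", STALE_MASK)):
        print(title)
        for kind, detail in check_plan(plan, SEGMENTS):
            print(f"  {kind}: {detail}")
```

On the page's own data it reports 10.20.30.16/29 (the Bali link) and 192.168.200.0/24 (lan-services) as in use but absent from the segment list; with the stale /30 mask, the HA peers 10.20.30.11 and 10.20.30.12 fall outside the ETH1 network.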
QUESTIONS FOR DISCUSSION:
- Does the Mikrotik have 2 separate physical interfaces for the connections to Jakarta and Bali?
- Is there a peer device for the Bali connection whose data is not yet available?
- Is the HA configuration already active or still being planned?
- Are there any special requirements for inter-site traffic that need to be considered?
This configuration accommodates all of your latest data. What still needs to be confirmed is the physical topology and the specific traffic requirements between Jakarta and Bali.
Very interesting! This is a highly complex, mission-critical project. Based on the information you provided, I will give a comprehensive analysis and set of recommendations.
PROJECT SCALE & REQUIREMENTS ANALYSIS
Key Characteristics of This Project:
- Mission Critical: Volcano seismic data
- Large Scale: Hundreds of remote sites (BR1 Mini)
- Challenging Environment: Disaster-prone areas
- High Reliability: VSAT redundant + SpeedFusion
- Security: Sensitive seismic data
RECOMMENDED ARCHITECTURE

graph TB
subgraph "CORE NETWORK"
A[Mikrotik VPN Cluster] --> B[VSAT Provider 1]
A --> C[VSAT Provider 2]
A --> D[Internet Fiber Backup]
end
subgraph "AGGREGATOR SITES"
E[Jakarta Aggregator] --> A
F[Bali Aggregator] --> A
end
subgraph "REMOTE SITES - 100+ BR1 Mini"
G[Remote Site 1] --> E
G --> F
H[Remote Site 2] --> E
H --> F
I[...Site 3-100] --> E
I --> F
end
subgraph "DATA CENTER"
J[Seismic Data Server] --> A
K[Monitoring System] --> A
end
RECOMMENDED SPEEDFUSION CONFIGURATION
1. SpeedFusion Cloud Configuration
In Peplink InControl2:
Create SD-WAN Profile: "Seismic-Monitoring"
SpeedFusion Settings:
- Encryption: AES-256-GCM
- Hashing: SHA-256
- Key Exchange: Diffie-Hellman 2048
- Compression: Enabled
- WAN Bonding: Enabled
- Deep Packet Inspection: Enabled
QoS Settings:
- Priority: Seismic Data (Highest)
- Bandwidth Reservation: 30% for seismic data
- Traffic Shaping: Enabled
2. Configuration for BR1 Mini Remote Sites
WAN Configuration:
WAN1: VSAT Provider 1
- Connection Type: Static/DHCP
- MTU: 1400
- Traffic Shaping: Enabled
WAN2: VSAT Provider 2 (Redundant)
- Connection Type: Static/DHCP
- MTU: 1400
- Traffic Shaping: Enabled
WAN3: Cellular 4G/5G Backup
- USB Modem: Enabled
- Failover: Automatic
SpeedFusion VPN Configuration:
Network → VPN → SpeedFusion
Connection Type: SD-WAN Cloud
SD-WAN Profile: Seismic-Monitoring
Target Devices:
- Jakarta Aggregator: Priority 1
- Bali Aggregator: Priority 2
Advanced:
- Heartbeat Interval: 10 seconds
- Dead Peer Detection: 5 seconds
- Tunnel Recovery: Aggressive
3. Outbound Policy for Seismic Data
Policy 1: Seismic Data to Jakarta
- Source: Seismic Device IPs
- Destination: Data Center IPs
- Service: SpeedFusion (Jakarta)
- Priority: Highest
- Bandwidth: Guaranteed
Policy 2: Seismic Data to Bali
- Source: Seismic Device IPs
- Destination: Data Center IPs
- Service: SpeedFusion (Bali)
- Priority: High
- Failover: Enabled
MIKROTIK CONFIGURATION FOR LARGE SCALE
1. Mikrotik Cluster Configuration
# To handle 100+ concurrent VPN connections
/ip settings
set max-neighbor-entries=5000
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Increase VPN capacity
/ip ipsec policy
set 0 disabled=no
/ip pool
add name=remote-pool ranges=10.255.0.0-10.255.255.255
2. Load Balancing & Failover
# ECMP load balancing for multiple WANs
/ip route
add dst-address=0.0.0.0/0 gateway=vsat1-gateway,vsat2-gateway,internet-gateway \
check-gateway=ping routing-mark=load-balance
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=conn1 \
per-connection-classifier=both-addresses:3/0
add chain=prerouting action=mark-connection new-connection-mark=conn2 \
per-connection-classifier=both-addresses:3/1
add chain=prerouting action=mark-connection new-connection-mark=conn3 \
per-connection-classifier=both-addresses:3/2
OPTIMIZATION FOR REDUNDANT VSAT
1. VSAT Provider Diversity
Provider 1: TelkomSat (Existing)
- Frequency: C-band/Ku-band
- Coverage: National
- Reliability: High
Provider 2: [New Provider - Recommended]
- Options: PSN, MNC, or an international provider
- Technology: High-throughput satellite
- Diversity: Different satellite position
2. Link Optimization for VSAT
# TCP optimization for high latency
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360
add chain=forward protocol=tcp connection-state=established action=accept
# QoS for prioritization
/queue tree
add name=seismic-data parent=global packet-mark=seismic limit-at=10M max-limit=100M priority=1
add name=management parent=global packet-mark=management limit-at=2M max-limit=10M priority=3
SECURITY CONFIGURATION
1. Zero Trust Security Model
# Firewall rules for the seismic network
/ip firewall filter
add chain=input src-address=10.255.0.0/16 protocol=tcp dst-port=22 action=accept comment="SSH from remotes"
add chain=input src-address=10.255.0.0/16 protocol=tcp dst-port=443 action=accept comment="HTTPS from remotes"
add chain=input src-address=10.255.0.0/16 protocol=udp dst-port=500,4500 action=accept comment="IPSec from remotes"
# Drop everything else
add chain=input action=drop comment="Block unauthorized access"
2. VPN Security Hardening
# IPsec Configuration
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key secret="StrongPassword123!" \
exchange-mode=ike2 send-initial-contact=yes nat-traversal=yes
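Before commands like the ones on this page are applied, they can be linted for settings that weaken the tunnel or expose the router. The Python below is an added example, not part of the original notes; the parser, the rule names and the `audit` function are hypothetical, and the sample input is an excerpt of this page's commands with the secrets replaced by a placeholder.

```python
import shlex

VERBS = {"add", "set", "remove", "enable", "disable"}
SOURCE_KEYS = {"src-address", "src-address-list", "in-interface", "in-interface-list"}

ADVICE = {
    "pptp-enabled": "PPTP depends on MS-CHAPv2 and MPPE/RC4; a captured handshake "
                    "can be attacked offline, so it does not protect tunnel contents.",
    "inline-credential": "The secret is stored as plain text in the configuration; "
                         "anyone who can read the script or export has it.",
    "wildcard-psk-peer": "Any source address may attempt IKE with the shared key; "
                         "pin peers to known addresses or use certificates.",
    "input-accept-any-source": "The router service is reachable from every source; "
                               "restrict it with src-address or in-interface.",
}

# Excerpt of the commands on this page, secrets replaced by PLACEHOLDER.
SAMPLE = r'''/interface pptp-server server set enabled=yes default-profile=vsat-profile
/ppp secret add name=jakarta-vsat password=PLACEHOLDER service=pptp \
profile=vsat-profile local-address=10.255.255.1 remote-address=pool-jakarta
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP VPN"
/ip firewall filter add chain=input protocol=gre action=accept comment="GRE Protocol"
/ip firewall filter
add chain=input src-address=10.255.0.0/16 protocol=tcp dst-port=22 action=accept comment="SSH from remotes"
add chain=input action=drop comment="Block unauthorized access"
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key secret="PLACEHOLDER" \
exchange-mode=ike2 send-initial-contact=yes nat-traversal=yes
'''


def parse_routeros(text):
    """Yield (line_no, path, verb, params) for each RouterOS command in text."""
    path, pending, start = "", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not pending:
            start = no                      # first physical line of the command
        if line.endswith("\\"):             # continuation onto the next line
            pending += line[:-1] + " "
            continue
        tokens = shlex.split(pending + line)
        pending = ""
        if tokens[0].startswith("/"):       # absolute path, optionally with a verb
            idx = next((i for i, t in enumerate(tokens) if t in VERBS), len(tokens))
            path, tokens = " ".join(tokens[:idx]), tokens[idx:]
        if not tokens:
            continue                        # bare path line only sets the context
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield start, path, tokens[0], params


def audit(text):
    """Return [(line_no, rule)] for risky settings; secrets are never echoed."""
    findings = []
    for no, path, verb, p in parse_routeros(text):
        if path == "/interface pptp-server server" and p.get("enabled") == "yes":
            findings.append((no, "pptp-enabled"))
        if path == "/ppp secret" and verb == "add" and "password" in p:
            findings.append((no, "inline-credential"))
        if path == "/ip ipsec peer" and verb == "add":
            if "secret" in p:
                findings.append((no, "inline-credential"))
            if (p.get("address", "0.0.0.0/0") == "0.0.0.0/0"
                    and p.get("auth-method") == "pre-shared-key"):
                findings.append((no, "wildcard-psk-peer"))
        if (path == "/ip firewall filter" and verb == "add"
                and p.get("chain") == "input" and p.get("action") == "accept"
                and "connection-state" not in p
                and not SOURCE_KEYS & p.keys()):
            findings.append((no, "input-accept-any-source"))
    return findings


if __name__ == "__main__":
    for no, rule in audit(SAMPLE):
        print(f"line {no}: {rule}: {ADVICE[rule]}")
```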
MONITORING & MANAGEMENT
1. Peplink InControl2 Setup
Dashboard Configuration:
- Group: "Seismic-Monitoring-Remotes"
- Alerts: Connection loss, High latency, Failover events
- Reports: Bandwidth usage, Uptime, Quality metrics
Automation:
- Auto-configuration for new remotes
- Centralized firmware management
- Configuration templates
2. Mikrotik Monitoring
# Health monitoring script
/system script add name=health-check source={
:local cpu [/system resource get cpu-load]
:local memory [/system resource get free-memory]
:local vpnCount [:len [/ip ipsec active-peer find]]
:if ($cpu > 80) do={ /log warning "High CPU usage: $cpu%" }
:if ($memory < 100000000) do={ /log warning "Low memory: $memory" }
:log info "VPN Connections: $vpnCount"
}
/system scheduler add name=health-monitor interval=5m on-event=health-check
DEPLOYMENT STRATEGY
Phase 1: Core Infrastructure (This week)
Tasks:
- Set up the Mikrotik cluster with redundant VSAT
- Configure Jakarta & Bali aggregators
- Test SpeedFusion with 5-10 remote sites
- Validate seismic data transmission
Phase 2: Scale Deployment (December 2024)
Tasks:
- Deploy 50-100 BR1 Mini remotes
- Implement auto-configuration via InControl2
- Set up monitoring and alerting
- Performance optimization
Phase 3: Optimization (January 2025)
Tasks:
- Fine-tuning QoS policies
- Security hardening
- Disaster recovery testing
- Documentation & training
BANDWIDTH PLANNING
Per Remote Site (BR1 Mini):
- Seismic Data: 1-2 Mbps (continuous)
- Management: 0.5 Mbps
- Voice/Video: 1 Mbps (if needed)
- Total: 2.5-3.5 Mbps
Aggregator Capacity:
- 100 sites × 3 Mbps = 300 Mbps
- Plus 50% overhead = 450 Mbps
- VSAT redundant: 2× 250 Mbps links
FINAL RECOMMENDATIONS
For Redundant VSAT:
- Provider Diversity: Choose providers that use different satellites
- Technology: High-throughput satellites for better bandwidth
- Business Continuity: Ensure an SLA of 99.9%+
For SpeedFusion:
- WAN Bonding: Combine both VSAT links for maximum throughput
- Traffic Steering: Automatically route via the best-performing link
- Zero-Touch Deployment: Use InControl2 for mass deployment
Security Considerations:
- Data Encryption: AES-256 for seismic data
- Network Segmentation: Separate seismic data from management traffic
- Access Control: Strict firewall rules
Critical questions for deployment:
- Do all remote sites already have VSAT access?
- How much seismic data is transmitted per site?
- Is there a need for real-time video monitoring?
With this architecture, you will have a highly reliable, secure, and scalable system for seismic monitoring in disaster-prone areas.
Very clear! The main focus is hot failover and reliable data transmission for periodic seismic data. Here is the optimal configuration for this requirement:
HOT FAILOVER STRATEGY FOR SEISMIC DATA

1. Recommended Failover Architecture
graph TB
subgraph "REMOTE SITE - BR1 Mini"
A[Seismic Sensor] --> B[Peplink BR1 Mini]
B --> C[WAN1: VSAT Primary]
B --> D[WAN2: Cellular Backup]
B --> E[SpeedFusion Tunnel]
end
subgraph "AGGREGATOR SITE"
E --> F[Jakarta Aggregator]
E --> G[Bali Aggregator]
F --> H[Data Center]
G --> H
end
C -.->|Failover| D
F -.->|Failover| G
2. WAN Failover Configuration on the BR1 Mini
WAN Priority Configuration:
Network → WAN → WAN1 (VSAT Primary)
- Connection Type: Static/DHCP
- Weight: 100
- Health Check: Enabled
- Check Method: Ping + HTTP
- Check Target: 8.8.8.8 + aggregator IP
Network → WAN → WAN2 (Cellular Backup)
- Connection Type: DHCP
- Weight: 10
- Health Check: Enabled
- Check Interval: 10 seconds
- Failover Trigger: 2 consecutive failures
Network → WAN → WAN3 (Optional: Second VSAT)
- Connection Type: Static/DHCP
- Weight: 80
- Health Check: Enabled
3. SpeedFusion with Persistent Connection
VPN Configuration:
Network → VPN → SpeedFusion
Basic Settings:
- Connection Name: Seismic-Data-Tunnel
- Type: Peer-to-Peer (P2P)
- Encryption: AES-256
- Hashing: SHA-256
Target Peers:
- Primary: Jakarta Aggregator (Priority 1)
- Backup: Bali Aggregator (Priority 2)
Advanced Settings:
- Heartbeat Interval: 5 seconds
- Dead Peer Detection: 3 failures
- Tunnel Persistence: Aggressive
- Auto Reconnect: Immediate
4. Outbound Policy for Seismic Data
Policy 1: Seismic Data Transmission
Network → Outbound Policy → Add Policy
General:
- Policy Name: Seismic-Data-Primary
- Enable: Yes
- Priority: 1
Source:
- IP: [IP Seismic Device]/32
- Port: Any
Destination:
- IP: [Data Center IP]/32
- Port: [Seismic Data Port]
Service:
- WAN Connection: WAN1 (VSAT)
- VPN: Seismic-Data-Tunnel
- Bandwidth: Guaranteed 2Mbps
Failover:
- Backup WAN: WAN2 (Cellular)
- Backup VPN: Secondary Tunnel
Policy 2: Backup Path
Network → Outbound Policy → Add Policy
General:
- Policy Name: Seismic-Data-Backup
- Enable: Yes
- Priority: 2
Source:
- IP: [IP Seismic Device]/32
Destination:
- IP: [Data Center IP]/32
Service:
- WAN Connection: WAN2 (Cellular)
- VPN: Seismic-Data-Tunnel
- Trigger: When Primary Fails
OPTIMIZATION FOR PERIODIC DATA
1. Connection Persistence Settings
To keep the tunnel active:
Network → VPN → SpeedFusion → Advanced
Keep-Alive Settings:
- Send Keep-Alive: Enabled
- Keep-Alive Interval: 10 seconds
- Keep-Alive Timeout: 30 seconds
TCP Optimization:
- TCP Acceleration: Enabled
- MSS Clamping: 1360
- Window Scaling: Enabled
Session Persistence:
- Idle Timeout: 300 seconds
- Force UDP: Enabled
- NAT Traversal: Aggressive
2. Quality of Service (QoS) Configuration
Prioritizing seismic data:
Network → QoS → Add Rule
Rule 1: Seismic Data Priority
- Service: Seismic-Data-Tunnel
- Priority: Highest (7)
- Guaranteed Bandwidth: 2Mbps
- Maximum Bandwidth: 5Mbps
- DSCP Marking: EF (Expedited Forwarding)
Rule 2: Management Traffic
- Service: HTTP/HTTPS
- Priority: Low (2)
- Maximum Bandwidth: 1Mbps
3. Data Transmission Optimization
To make sure the data arrives:
Network → Advanced → TCP Settings
- TCP Timeout: 300 seconds
- TCP Retransmission: Aggressive
- Buffer Bloat Control: Enabled
- Latency Optimization: Enabled
MONITORING & ALERTING
1. Health Monitoring Setup
In Peplink InControl2:
Alerts Configuration:
Alert 1: WAN Failover Event
- Trigger: WAN switch occurred
- Action: Email + SMS notification
- Threshold: Immediate
Alert 2: VPN Disconnection
- Trigger: SpeedFusion tunnel down
- Action: Email notification
- Timeout: 30 seconds
Alert 3: Data Transmission Failure
- Trigger: No data from seismic device for 10 minutes
- Action: Critical alert
2. Connection Quality Monitoring
Custom health checks:
Status → Connections → Health Check
Check 1: VSAT Latency
- Target: aggregator IP
- Method: Ping
- Interval: 30 seconds
- Threshold: 500ms
Check 2: Data Path Validation
- Target: data center service port
- Method: TCP Connect
- Interval: 60 seconds
- Timeout: 10 seconds
DATA AGGREGATOR CONFIGURATION
1. Mikrotik as Data Receiver
# Persistent connection handling
/ip firewall connection tracking
set tcp-established-timeout=1h udp-timeout=5m
# QoS for incoming seismic data
/queue tree
add name=seismic-in parent=global flow=ether1 packet-mark=seismic-data \
limit-at=5M max-limit=10M priority=1
# Monitoring connections
/tool graphing
add interface=ether1
add interface=pptp-server1
2. Data Persistence Configuration
To handle data during failover:
# Buffer data if the aggregator is unreachable
/system scheduler
add name=seismic-buffer-check interval=1m on-event={
:if ([/ping data-center-ip count=3] = 0) do={
/log warning "Data center unreachable - buffering data"
/system script run buffer-seismic-data
}
}
FAILOVER TESTING PROCEDURE
1. Manual Testing Script
In the BR1 Mini web interface:
Testing Steps:
1. Status → Connections → Force disconnect WAN1
2. Monitor failover time (should be < 5 seconds)
3. Verify seismic data continues flowing
4. Restore WAN1, verify fallback
5. Check data integrity post-failover
2. Automated Failover Testing
Schedule regular tests:
System → Schedules → Add Schedule
Test 1: Weekly Failover Test
- Schedule: Every Sunday 02:00
- Action: Disconnect WAN1 for 2 minutes
- Monitor: Automated health check
Test 2: Monthly Disaster Recovery
- Schedule: First Monday monthly
- Action: Simulate complete site failure
- Monitor: End-to-end data flow
DATA INTEGRITY VERIFICATION
1. End-to-End Monitoring
Custom monitoring for seismic data:
# Script to verify data receipt
/system script add name=verify-seismic-data source={
:local lastData [/file get seismic-latest.txt contents]
:local currentTime [/system clock get time]
:local timeDiff ([:pick $currentTime 0 2] * 3600 + [:pick $currentTime 3 5] * 60)
:if ($lastData < ($timeDiff - 300)) do={
/log error "No seismic data received for 5+ minutes"
/tool e-mail send to="admin@seismic.org" subject="Data Gap Alert" \
body="Possible data loss detected"
}
}
2. Data Gap Detection
Configuration to catch missing data:
Network → Advanced → Logging
- Enable Connection Logging: Yes
- Log Failover Events: Yes
- Data Transmission Log: Enabled
- Buffer Size: 1000 entries
PERFORMANCE EXPECTATIONS
Failover Performance:
WAN Failover: < 5 seconds
VPN Reconnection: < 10 seconds
Data Loss During Failover: Minimal to zero
Recovery Time: < 30 seconds
Data Transmission Reliability:
Uptime: 99.99%+
Data Completeness: > 99.9%
Latency: < 500ms (VSAT), < 200ms (Cellular)
Jitter: < 50ms
IMPLEMENTATION CHECKLIST
- [ ] WAN failover configuration with health checks
- [ ] SpeedFusion tunnel with multiple targets
- [ ] Outbound policy with a backup path
- [ ] QoS to prioritize seismic data
- [ ] Monitoring and alerting setup
- [ ] Failover testing procedure
- [ ] Data integrity verification
- [ ] Documentation and training
With this configuration, every remote site will have highly reliable hot failover, ensuring seismic data keeps flowing even during network disruptions. SpeedFusion will keep the tunnel active and automatically route traffic over the best available path.
Very clear! I fully understand the architecture and the constraints involved. Here is a summary and preparation for further technical discussion:
ARCHITECTURE AS UNDERSTOOD:

graph TB
subgraph "JAKARTA SITE"
A[SDX 1 - Primary] --> D[Backhaul Jakarta]
B[SDX 2 - HA] --> D
D --> F[Mikrotik Jakarta]
end
subgraph "BALI SITE"
C[SDX 1 - Primary] --> E[Backhaul Bali]
G[SDX 2 - HA] --> E
E --> H[Mikrotik Bali]
end
subgraph "REMOTE SITES"
I[BR1 Mini 1] --> A
I --> C
J[BR1 Mini 2] --> A
J --> C
K[BR1 Mini 3...100+] --> A
K --> C
end
F --> L[Data Center Seismik]
H --> L
CRITICAL POINTS THAT ARE ALREADY CLEAR:
1. Business Constraints:
- ✅ InControl License Renewal - Ongoing cost
- ✅ Warranty and Support - Maintenance considerations
- ✅ Hybrid Solution - Peplink + Mikrotik for cost optimization
2. Technical Architecture:
- ✅ Dual Backhaul - Jakarta & Bali for redundancy
- ✅ HA Cluster - SDX in High Availability mode
- ✅ Multi-path Connectivity - Remote sites connect to both aggregators
3. Migration Strategy:
- ✅ Phased Approach - Bali next week, Jakarta monitoring
- ✅ Team Separation - A different team for each site
FOR THE NEXT TECHNICAL DISCUSSION, PREPARE:
Data Required:
Network Details:
- IP Address SDX Jakarta (Primary & HA)
- IP Address SDX Bali (Primary & HA)
- IP Management Mikrotik Jakarta & Bali
- VLAN Configuration (if any)
- Subnet Allocation for remote sites
Performance Requirements:
- Number of remote sites to be migrated
- Bandwidth requirements per site
- RTO/RPO requirements for seismic data
Security Considerations:
- Existing firewall policies
- Access control requirements
- Compliance requirements
Critical Technical Questions:
- Is there load balancing between Jakarta and Bali, or is it active-standby?
- How is data replicated between the two sites?
- Are there database synchronization requirements?
- What is the disaster recovery scenario if one site goes down?
RECOMMENDED MIGRATION STRATEGY:
Phase 1: Preparation (This week)
- Finalize network documentation
- Prepare configuration templates
- Setup monitoring baseline
Phase 2: Bali Deployment (Next week)
- Deploy SDX Bali cluster
- Establish SpeedFusion tunnels
- Test with a limited number of remote sites
Phase 3: Jakarta Optimization
- Fine-tune based on lessons learned from Bali
- Implement advanced QoS and traffic engineering
Phase 4: Scale & Monitor
- Mass deployment to all remote sites
- Implement comprehensive monitoring
ADVANTAGES OF THIS HYBRID SOLUTION:
- Cost Optimization - Reduces dependency on the InControl license
- Flexibility - Can be customized with Mikrotik
- Reliability - Dual backhaul + HA clusters
- Scalability - Supports hundreds of remote sites
- Maintainability - Separate teams for each region
I am ready to help with further technical detail once you have real data and more specific requirements. The important thing is that we already have a solid framework for a detailed technical discussion!
Please continue the discussion once the Bali team has started deployment or when more detailed technical data from Jakarta is available. 🚀
=== 20251211 additional note===
Based on the BMKG configuration Excel file you provided, I analyzed it and found several critical points that are likely the cause of the earlier SD-WAN diagnostic problems. Detailed analysis follows:
BMKG SD-WAN CONFIGURATION ANALYSIS
✅ SOUND NETWORK STRUCTURE:
- Two Aggregators (Hubs) - Bali and Jakarta
- Multiple Remote Sites - MAX_BR1_DF2C, MIJI, SPSJM, TAGJI
- Redundancy - VSAT + Cellular + ISP at every location
⚠️ POTENTIAL PROBLEMS IDENTIFIED:
1. IP ADDRESS & SUBNET PROBLEM (CRITICAL)
- Duplicate/overlapping IPs found:
- 172.17.108.x is used at multiple remote sites (MIJI, SPSJM, TAGJI)
- This will cause a routing conflict on the aggregator side
2. INCONSISTENT GATEWAY CONFIGURATION
Remote Site MAX_BR1_DF2C:
- LAN1: DHCP gateway (should be the SDWAN/VRRP IP)
- VSAT1 & VSAT2: "tida terhubung" (a typo for "tidak terhubung", i.e. not connected)
Several sites have an unclear gateway:
- Example: BMKG-MIJI LAN1 gateway is DHCP, but the network is 172.18.1.66/29
3. VSAT CONNECTIVITY PROBLEM
- MAX_BR1_DF2C: Both VSAT ports are not connected (status: "tida terhubung")
- This explains why the SD-WAN tunnel shows FAIL in the diagnostics
4. UNCLEAR SD-WAN IP CONFIGURATION
- The table does not show a specific SD-WAN Tunnel IP
- It only mentions "SDWAN HA", "SDWAN master", "SDWAN slave" without a tunnel IP
🔍 CROSS-CHECK AGAINST THE DIAGNOSTIC RESULTS:
| Diagnostic Test | Cause Based on the Excel Configuration |
|---|---|
| SD-WAN Primary Tunnel [FAIL] | VSAT not connected at the remote site |
| SD-WAN Backup Tunnel [FAIL] | Cellular may not fail over automatically |
| Internet Connectivity [WARN] | Inconsistent gateway |
| DNS Resolution [WARN] | DNS is not configured in the table |
| HTTP/HTTPS Service [WARN] | Routing problem towards the internet |
❓ IMPORTANT CLARIFYING QUESTIONS:
Which remote site is experiencing the diagnostic problem? (MAX_BR1_DF2C/MIJI/SPSJM/TAGJI?)
Is there a separate routing table configuration? It is not in this Excel file.
What is the SD-WAN tunnel IP scheme?
- Public or private IP?
- Which subnet does the overlay network use?
For site MAX_BR1_DF2C:
- Why are both VSATs "tida terhubung" (not connected)?
- Is there a problem with the cable/port?
DNS Configuration: Which DNS server is used?
🎯 IMMEDIATE RECOMMENDATIONS:
PRIORITY 1: Fix VSAT at MAX_BR1_DF2C
1. Check the physical VSAT cable/port
2. Restart the VSAT modem
3. Verify that IPs 172.19.237.34 & 172.30.10.2 can ping the gateway
PRIORITY 2: Standardize the Configuration
- Avoid IP overlap in the 172.17.108.x subnet
- Set consistent gateways:
- LAN interface: point to the SD-WAN virtual IP
- WAN interface: point to the upstream gateway
PRIORITY 3: Verify the SD-WAN Tunnel
# On the remote device, check:
1. SD-WAN tunnel status to the aggregator
2. Routing table - is there a route to 10.20.30.x (aggregator)?
3. Firewall - are the SD-WAN ports (usually UDP 11700-11750) open?
📋 VERIFICATION CHECKLIST:
- [ ] VSAT connected at all sites
- [ ] No IP overlap between sites
- [ ] Gateways configured correctly
- [ ] SD-WAN tunnel status UP
- [ ] DNS server reachable
- [ ] Default route to the internet exists
Please confirm: Which site are you troubleshooting? And is there a routing table or detailed SD-WAN tunnel configuration that you can share?
===========
Thank you for the clarification! Now I understand the actual architecture. This is very helpful for a more accurate analysis.
UPDATED CONFIGURATION ANALYSIS
📊 ARCHITECTURE NOW CLEAR:
BR1 Mini Port Mapping:
- LAN1: Management/Local LAN
- LAN2: VWAN (VSAT via VLAN) - Virtual WAN
- LAN3: WAN1 GbE (primary VSAT) - Physical WAN
- Cellular: Backup LTE
- WiFi: Disabled
Dual VSAT Path:
- VSAT Jakarta (via WAN1/LAN3)
- VSAT Bali (via VWAN/LAN2)
- Cellular (automatic backup)
Same VSAT IP Segment: By design, 172.17.108.xx is used for all sites towards the VSAT hub.
🔍 DIAGNOSIS OF THE SD-WAN TUNNEL [FAIL] PROBLEM:
Based on the configuration and the diagnostic results, the problem is most likely on the VSAT connectivity side, not in the SD-WAN configuration itself.
WHY DOES THE SD-WAN TUNNEL FAIL?
Possibility 1: Both VSAT Paths Down at the Remote Site
- If WAN1 (VSAT Jakarta) AND VWAN (VSAT Bali) are both not connected
- SD-WAN has no WAN interface that is UP to build the tunnel
Possibility 2: SD-WAN Aggregator Down
- If the Jakarta/Bali aggregator is offline, all tunnels to that site will be down
Possibility 3: Routing Problem in the VSAT Network
- VSAT is physically connected, but there is no route to the aggregator IP
📍 TROUBLESHOOTING PRIORITIES:
STEP 1: Check WAN Status at the Remote Site
# On the BR1 Mini (remote), check:
1. Status of interface WAN1 (LAN3) - VSAT Jakarta
2. Status of interface VWAN (LAN2) - VSAT Bali
3. Cellular status
4. The active default gateway
STEP 2: Test Connectivity to the Aggregator
# Ping from the remote to the aggregator:
- Jakarta Aggregator: 10.20.30.10/11/12 (SDWAN IP)
- Bali Aggregator: 10.20.30.18/19/20 (SDWAN IP)
# If ping fails:
1. Check the routing table on the remote
2. Check the firewall on the VSAT modem
3. Check MTU/MSS settings (important for tunnels)
STEP 3: Verify the SD-WAN Tunnel Configuration
# Parameters to check:
1. Aggregator IP/Hostname: correct?
2. Pre-shared Key/authentication: match?
3. SD-WAN port: 11700-11750 (usually)
4. Health check settings
📋 SPECIFIC CHECKLIST FOR THE BR1 MINI:
For Site MAX_BR1_DF2C (whose VSAT is "tida terhubung", i.e. not connected):
1. LAN3 (WAN1): 172.19.237.34/?? → Gateway: 172.19.237.33
2. LAN2 (VWAN): 172.30.10.2/?? → Gateway: 172.30.10.1
3. Cellular: 10.8.123.169 → Gateway: 10.8.123.168
Critical questions:
1. Are the VSAT gateway IPs (172.19.237.33 & 172.30.10.1) reachable?
2. Is there access from the VSAT network to the internet?
3. Are the Jakarta/Bali aggregators reachable from the VSAT network?
🎯 REPAIR RECOMMENDATIONS:
A. For Site MAX_BR1_DF2C (VSAT not connected):
- Check Layer 1: LAN2 & LAN3 cables, switch port, VSAT modem power
- Check Layer 2: VLAN tagging on port LAN2 (VWAN)
- Check Layer 3:
- IP configuration on the BR1 Mini
- Default route via VSAT
- Ping test to the VSAT gateway
B. For SD-WAN Tunnel Recovery:
Temporarily force Cellular as Primary:
- Prioritize Cellular in the SpeedFusion settings
- Test the tunnel via Cellular
Review SD-WAN Health Check:
- Target: aggregator IP or public IP
- Interval: 5-10 seconds
- Timeout: 3-5 seconds
C. Monitoring After the Fix:
# Tests that must succeed:
1. ping 8.8.8.8 (via VSAT)
2. ping 10.20.30.10 (aggregator JKT)
3. ping 10.20.30.18 (aggregator BALI)
4. SD-WAN tunnel status: UP
5. SpeedFusion connectivity: Connected
❓ FOLLOW-UP QUESTIONS:
Which site is experiencing the diagnostic problem? MAX_BR1_DF2C or another?
Do you have access to the BR1 Mini web interface? You can check:
- Status → WAN Interfaces
- Status → SpeedFusion VPN
- Network → Routes
What is the VSAT topology?
- Is the VSAT modem connected directly to the BR1 Mini?
- Or via another switch/router?
MTU Settings? VSAT usually has a low MTU (~1400). SD-WAN needs adjustment.
With the architecture now clear, the problem is most likely in the VSAT connectivity towards the aggregator. Once VSAT is UP, the SD-WAN tunnel should be able to establish.
======