This is the Mikrotik configuration I set up a few days ago. The network design is shown in the image below.
Note:
- Mikrotik: has 2 interfaces. WAN IP (public): 1xx.9x.xx.xx/27; LAN IPs: 10.17.123.5 & 10.17.123.6. The Mikrotik version is 5.20, level 6.
- Hub or switch: unmanaged.
- Cacti: used to graph network traffic. IP: 10.17.123.1
- Cisco: actually a router, but with no NAT (Network Address Translation), so it functions as just a bridge. IP: 10.17.123.1 & 10.254.128.1
- Users: there are many users, who get their IP addresses from the Cisco, 10.254.128.0/22 (DHCP).
My Mikrotik configuration is the output of the "export" command in New Terminal. Some lines have been deleted because they are not important, and the public IP etc. has been changed (just to keep my network secure :) ). I have also reordered the lines to group them by purpose, so that you can understand them easily.
Warning…!!!
If you want to use my Mikrotik configuration, please be careful. Read the requirements below.
- You must understand the purpose of the configuration that you take.
- You should already understand the risks you take. Failure to do so may leave you unable to access the router or the Internet.
- I am not responsible for the results of copying and pasting my configuration.
Step 1. Basic Mikrotik Configuration.
Configure the interfaces.
# feb/27/2014 11:31:59 by RouterOS 5.20
# software id = W5EY-LHT9
#
/interface ethernet
set 0 arp=enabled disable-running-check=yes disabled=no full-duplex=yes \
    mtu=1500 name=WAN speed=100Mbps
set 1 arp=enabled disable-running-check=yes disabled=no full-duplex=yes \
    mtu=1500 name=LAN speed=100Mbps
/ip address
add address=1xx.9x.xx.xx/27 disabled=no interface=WAN network=1xx.9x.xx.xx
add address=10.17.123.5/24 disabled=no interface=LAN network=10.17.123.0
add address=10.17.123.6/24 disabled=no interface=LAN network=10.17.123.0
I usually rename the interfaces to WAN and LAN, to make them easy to remember and configure later. There are 2 IP addresses on the LAN interface.
IP address 10.17.123.5 is the gateway. Users can learn this IP (if they know how to run a traceroute), because it is the gateway.
IP address 10.17.123.6 is known only to the administrator. Users do not need to know about it. This IP is used to access the Mikrotik on port 80, to view the network traffic.
Configure Route (Default Gateway)
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1x.9x.xx.xx \
    scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.254.128.0/22 gateway=LAN scope=30 \
    target-scope=10
“gateway=1x.9x.xx.xx” is the gateway for my public IP address.
Look carefully: I added the network 10.254.128.0/22. This is the users' network, and it is the only network ID allowed to reach the Internet.
Configure NAT
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN \
    src-address=10.254.128.0/22
In my network design, the local area network (LAN) has 2 networks: 10.17.123.0/24 and 10.254.128.0/22. But for security, only network 10.254.128.0/22 is configured for NAT and allowed to reach the Internet.
Configure IP DNS
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
At this point, the client should be able to reach the Internet. Test with ping from a client computer (make sure the client's IP address is correct). Users get their IP addresses from the Cisco, 10.254.128.0/22 (DHCP). Do not continue to the next stage if this step has not been successful.
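An added example, not part of the original post: Step 1 sets allow-remote-requests=yes, which makes the router answer DNS queries arriving on any interface, and the export shown contains no /ip firewall filter rule for port 53 on WAN. This Python check parses export text (including the "\" line continuations) and flags that exposure, plus any masquerade rule that is not limited by src-address; the two drop rules in FIXED are an assumed mitigation and the function names are hypothetical.

```python
import re

# Constructed sample: the NAT and DNS lines from Step 1 of this page.
EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=\
    10.254.128.0/22
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
"""
# Assumed hardening (not from the page): drop DNS arriving on the WAN interface.
FIXED = EXPORT + """/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
"""

def parse_export(text):
    """Parse RouterOS export text into a list of (menu, {property: value})."""
    text = re.sub(r"\\\n\s*", "", text)  # join "\" line continuations
    menu, items = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line  # e.g. "/ip dns"; applies to the lines that follow
        elif line and not line.startswith("#"):
            items.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))))
    return items

def blocks_dns(rule, proto, wan):
    """True if an enabled input-chain rule drops port 53/proto arriving on wan."""
    return (rule.get("chain") == "input" and rule.get("action") == "drop"
            and rule.get("disabled") != "yes" and rule.get("in-interface") == wan
            and rule.get("protocol") == proto and rule.get("dst-port") == "53")

def audit(items, wan="WAN"):
    """Return findings; rule order and broader drop rules are not evaluated."""
    filters = [p for m, p in items if m == "/ip firewall filter"]
    dns_open = any(m == "/ip dns" and p.get("allow-remote-requests") == "yes"
                   for m, p in items)
    findings = [f"dns-reachable-from-{wan}-{proto}" for proto in ("udp", "tcp")
                if dns_open and not any(blocks_dns(r, proto, wan) for r in filters)]
    findings += ["masquerade-not-limited-by-src-address" for m, p in items
                 if m == "/ip firewall nat" and p.get("action") == "masquerade"
                 and "src-address" not in p]
    return findings

if __name__ == "__main__":
    print(audit(parse_export(EXPORT)), audit(parse_export(FIXED)))
```

A finding here means only that no explicit port-53 drop rule was found for WAN; a configuration protected by a default-drop input policy needs manual review.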
Hello mate, nice post