Below is a network in which two WAN Internet links are connected to a single MikroTik RB450G router. Three LANs are also connected to the MikroTik. The two LAN 1 segments reach the Internet through WAN 1, while LAN 2 reaches the Internet through WAN 2. So the WANs are completely separate from each other, and so are the LANs (no load balancing).
And here is the backup of the MikroTik configuration, produced by the export command in the MikroTik terminal. I have removed some configuration lines that are unimportant or unused, such as OSPF routing, queue types, hotspot and so on. I have also reordered the configuration so that it is easier to follow.
Warning…!!! If you want to try or take part or all of the configuration below, be careful. Pay attention to the following important points.
- Do not copy the configuration below straight into your MikroTik as-is. Look carefully at every configuration line, especially the lines marked with asterisks (****), which are deliberately hidden and must be adjusted to your own network.
- Make sure you know exactly what the configuration you are taking is for, and what the risk is if it fails. The worst case is that the MikroTik router can no longer be accessed.
- And once again, I am not responsible for any risk you run into.
Let's begin. Set the name of each interface.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes mtu=1500 name="ether1 (LAN 1)" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes master-port=none mtu=1500 name="ether2 (LAN 1)" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes master-port=none mtu=1500 name="ether3 (WAN 1)" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes master-port=none mtu=1500 name="ether4 (LAN 2)" speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes master-port=none mtu=1500 name="ether5 (WAN 2)" speed=100Mbps
Set the IP address of each interface.
/ip address
add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no interface="ether2 (LAN 1)" network=192.168.10.0
add address=192.168.100.2/24 broadcast=192.168.100.255 comment="" disabled=no interface="ether3 (WAN 1)" network=192.168.100.0
add address=192.168.2.1/24 broadcast=192.168.2.255 comment="" disabled=no interface="ether4 (LAN 2)" network=192.168.2.0
add address=192.168.1.100/24 broadcast=192.168.1.255 comment="" disabled=no interface="ether5 (WAN 2)" network=192.168.1.0
add address=192.168.11.1/24 broadcast=192.168.11.255 comment="" disabled=no interface="ether1 (LAN 1)" network=192.168.11.0
The ADSL modem is set to bridge mode; it is the MikroTik that dials. Putting the modem into bridge mode is very easy; follow the steps in the picture below.
Back to the MikroTik. Set up the pppoe-client on the MikroTik.
Keep in mind the default-route setting of the pppoe-client. Do not tick default route on both pppoe-clients. Either only one of them has default route, or neither of them does (add-default-route=no). If both have default route ticked, you will often get disruptions.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=yes disabled=no interface="ether3 (WAN 1)" max-mru=1480 max-mtu=1480 mrru=disabled name="My Internet" password=***** profile=default service-name="" use-peer-dns=no user=17********@telkom.net
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=yes disabled=no interface="ether5 (WAN 2)" max-mru=1480 max-mtu=1480 mrru=disabled name="Trav Internet" password=***** profile=default service-name="" use-peer-dns=no user=17********@gold.telkom
This is the IP address range (DHCP pool) for LAN 1 users.
/ip pool
add name=dhcp_pool1 ranges=192.168.11.100-192.168.11.200
This is the IP address range for users who connect over PPTP.
/ip pool
add name=dhcp_pool2_pptp ranges=192.168.10.50-192.168.10.60
Set up the DHCP server for LAN 1 users.
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface="ether1 (LAN 1)" lease-time=3d name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.11.0/24 comment="" gateway=192.168.11.1
Set up DNS on the MikroTik.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=149.210.138.118,180.131.145.145
Set up firewall NAT.
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.100.0/24 out-interface="ether3 (WAN 1)" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.1.0/24 out-interface="ether5 (WAN 2)" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="My Internet" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="Trav Internet" src-address=192.168.2.0/24
Create mangle rules for routing marks. The goals are:
- LAN IPs in 192.168.10.0/24 can reach modem 1, modem 2 and the Internet (through WAN 1).
- LAN 2, 192.168.2.0/24, can only reach the Internet through its own link (WAN 2).
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no in-interface="ether4 (LAN 2)" new-routing-mark=travroute passthrough=yes src-address=192.168.2.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=192.168.100.1 in-interface="ether2 (LAN 1)" new-routing-mark=settingmodem passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=192.168.1.1 in-interface="ether2 (LAN 1)" new-routing-mark=settingmodem2 passthrough=yes src-address=192.168.10.0/24
Set up the routes that use the routing marks from the mangle rules.
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="Trav Internet" routing-mark=travroute scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=settingmodem scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=settingmodem2 scope=30 target-scope=10
Only 3 routes are configured here, but if you run ip route print you will see many routes. That is because several routes exist by default.
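To see what these three mangle rules and three routes actually do to a packet, here is an added Python model written for this page; it is not from the original post and not anything RouterOS ships. It walks the prerouting mangle chain in order (with passthrough=yes a later match overwrites the mark) and then does the route lookup the way RouterOS v6 does it: longest prefix match in the table named by the routing mark, falling back to the main table when that table has no matching route. The main-table entries in the model are assumptions: the connected route of each /ip address and the dynamic default route through "My Internet" that add-default-route=yes on the WAN 1 pppoe-client creates; the post only says that ip route print shows more routes than the three configured ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A packet as the prerouting mangle chain sees it."""
    src: str
    dst: str
    in_interface: str


@dataclass(frozen=True)
class MangleRule:
    """One 'action=mark-routing chain=prerouting' rule; None means that matcher is absent."""
    new_routing_mark: str
    in_interface: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    passthrough: bool = True


@dataclass(frozen=True)
class Route:
    """One /ip route entry; routing_mark=None is the main table."""
    dst_address: str
    gateway: str
    routing_mark: Optional[str] = None
    distance: int = 1


def _in_prefix(addr: str, prefix: Optional[str]) -> bool:
    """True when the matcher is absent or the address lies inside the prefix (a bare host is a /32)."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def mark_routing(rules: List[MangleRule], pkt: Packet) -> Optional[str]:
    """Walk the mangle chain top to bottom; with passthrough=yes a later match overwrites the mark."""
    mark = None
    for rule in rules:
        if rule.in_interface not in (None, pkt.in_interface):
            continue
        if not (_in_prefix(pkt.src, rule.src_address) and _in_prefix(pkt.dst, rule.dst_address)):
            continue
        mark = rule.new_routing_mark
        if not rule.passthrough:
            break
    return mark


def select_route(routes: List[Route], dst: str, mark: Optional[str]) -> Optional[Route]:
    """Longest-prefix match in the marked table first; fall back to main when it has no matching route."""
    def lookup(table: Optional[str]) -> Optional[Route]:
        cands = [r for r in routes if r.routing_mark == table and _in_prefix(dst, r.dst_address)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ipaddress.ip_network(r.dst_address, strict=False).prefixlen, -r.distance))

    route = lookup(mark) if mark is not None else None
    return route if route is not None else lookup(None)


def egress(rules: List[MangleRule], routes: List[Route], pkt: Packet) -> Optional[str]:
    """Gateway (next hop or interface) the packet leaves through, or None when nothing matches."""
    route = select_route(routes, pkt.dst, mark_routing(rules, pkt))
    return route.gateway if route else None


# The three mangle rules from the post, in the same order.
MANGLE = [
    MangleRule("travroute", in_interface="ether4 (LAN 2)", src_address="192.168.2.0/24"),
    MangleRule("settingmodem", in_interface="ether2 (LAN 1)", src_address="192.168.10.0/24", dst_address="192.168.100.1"),
    MangleRule("settingmodem2", in_interface="ether2 (LAN 1)", src_address="192.168.10.0/24", dst_address="192.168.1.1"),
]

ROUTES = [
    # The three static routes from the post.
    Route("0.0.0.0/0", "Trav Internet", routing_mark="travroute"),
    Route("0.0.0.0/0", "192.168.100.1", routing_mark="settingmodem"),
    Route("0.0.0.0/0", "192.168.1.1", routing_mark="settingmodem2"),
    # Assumed main-table routes RouterOS adds by itself: the dynamic default route from
    # add-default-route=yes on the WAN 1 pppoe-client, and the connected route of each /ip address.
    Route("0.0.0.0/0", "My Internet"),
    Route("192.168.10.0/24", "ether2 (LAN 1)"),
    Route("192.168.11.0/24", "ether1 (LAN 1)"),
    Route("192.168.2.0/24", "ether4 (LAN 2)"),
    Route("192.168.100.0/24", "ether3 (WAN 1)"),
    Route("192.168.1.0/24", "ether5 (WAN 2)"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.2.10", "8.8.8.8", "ether4 (LAN 2)"),
                Packet("192.168.2.10", "192.168.100.1", "ether4 (LAN 2)"),
                Packet("192.168.10.5", "192.168.100.1", "ether2 (LAN 1)"),
                Packet("192.168.10.5", "8.8.8.8", "ether2 (LAN 1)")):
        print(pkt.src, "->", pkt.dst, "mark:", mark_routing(MANGLE, pkt), "via:", egress(MANGLE, ROUTES, pkt))
```

Running the cases mirrors the two goals stated above: a LAN 2 packet leaves through "Trav Internet" even when it is addressed to modem 1 (192.168.100.1), because the travroute table's 0.0.0.0/0 catches everything before the main table is consulted, while a LAN 1 packet on ether2 reaches either modem through the settingmodem marks and otherwise carries no mark and uses the main default route.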
This MikroTik also works as a PPTP server. What is a PPTP server? Look it up on the Internet yourself :). The point is that with this PPTP server I can clock in online from anywhere, while what the online attendance system sees is the same public IP (the office's public IP). So when the people at the office check or investigate, they think I am often in the office, clocking in and out on time. Hahaha…
/interface pptp-server
add comment="" disabled=no name=pptp-in1 user=*****
/ppp profile
set default change-tcp-mss=yes comment="" local-address=dhcp_pool2_pptp name=default only-one=default remote-address=dhcp_pool2_pptp use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption only-one=default use-compression=default use-encryption=yes use-vj-compression=default
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=***** password=***** profile=default routes="" service=pptp
Set up the firewall address lists.
/ip firewall address-list
add address=11*.**.**.***/27 comment="" disabled=no list=full-trust
add address=0.0.0.0/8 comment="" disabled=no list=local-untrust
add address=127.0.0.0/8 comment="" disabled=no list=local-untrust
add address=224.0.0.0/3 comment="" disabled=no list=local-untrust
add address=172.16.0.0/12 comment="" disabled=no list=local-untrust
add address=**0.0.0.0/8 comment="" disabled=no list=half-trust
add address=**5.0.0.0/8 comment="" disabled=no list=half-trust
add address=3*.0.0.0/8 comment="" disabled=no list=half-trust
add address=1**.0.0.0/8 comment="" disabled=no list=half-trust
add address=2**.0.0.0/8 comment="" disabled=no list=half-trust
add address=1**.1**.*4.8 comment="" disabled=no list=full-trust
add address=2**.1**.**4.16 comment="" disabled=no list=full-trust
add address=1**.2**.1**.1** comment="" disabled=no list=full-trust
add address=1**.1**.1**.1** comment="" disabled=no list=full-trust
add address=8.8.8.8 comment="" disabled=no list=full-trust
add address=8.8.4.4 comment="" disabled=no list=full-trust
add address=**2.0.0.0/8 comment="" disabled=no list=half-trust
Set up the firewall filter.
/ip firewall filter
add action=drop chain=forward comment="Drop Local Untrust" disabled=no src-address-list=local-untrust
add action=drop chain=forward comment="" disabled=no src-address-list=local-untrust
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no src-address-list=local-untrust
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="" disabled=no src-address=192.168.10.0/24
add action=accept chain=input comment="" disabled=no in-interface="My Internet" src-address-list=full-trust
add action=accept chain=input comment="" disabled=no in-interface="Trav Internet" src-address-list=full-trust
add action=drop chain=input comment="" disabled=no in-interface="Trav Internet" src-address-list=!half-trust
add action=drop chain=input comment="" disabled=no in-interface="My Internet" src-address-list=!half-trust
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="" disabled=no protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22,8291 in-interface="My Internet" protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22,8291 in-interface="Trav Internet" protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12w6d chain=input comment="" connection-state=new disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1d2h22m22s chain=input comment="" connection-state=new disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1d2h22m22s chain=input comment="" connection-state=new disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1d2h22m22s chain=input comment="" connection-state=new disabled=no dst-port=22,8291 protocol=tcp src-address-list=half-trust
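Two parts of this filter are easy to misread: the tcp-flags scan rules (which rule fires for which flag combination, given that RouterOS evaluates rules top to bottom and a flag not listed in tcp-flags is "don't care") and the staged ssh/winbox brute-force lists. Here is an added Python model, written for this page and not taken from the post or from RouterOS, that reproduces both. The source address 203.0.113.7 and the attempt timings are constructed, the source is assumed to be in the half-trust list (the real entries are masked above), and the psd rule and the per-WAN-interface split of the drop rules are not modeled.

```python
from typing import Dict, List, Optional, Set, Tuple

# --- Part 1: the tcp-flags scan signatures, in the page's rule order ---
# Each entry: (rule comment, flags that must be set, flags that must be clear).
# RouterOS tcp-flags=a,b,!c means a and b set, c clear, anything unlisted is "don't care".
SCAN_SIGNATURES: List[Tuple[str, Set[str], Set[str]]] = [
    ("NMAP FIN Stealth scan", {"fin"}, {"syn", "rst", "psh", "ack", "urg"}),
    ("SYN/FIN scan", {"fin", "syn"}, set()),
    ("SYN/RST scan", {"syn", "rst"}, set()),
    ("FIN/PSH/URG scan", {"fin", "psh", "urg"}, {"syn", "rst", "ack"}),
    ("ALL/ALL scan", {"fin", "syn", "rst", "psh", "ack", "urg"}, set()),
    ("NMAP NULL scan", set(), {"fin", "syn", "rst", "psh", "ack", "urg"}),
]


def classify_tcp_flags(flags: Set[str]) -> Optional[str]:
    """Comment of the first tcp-flags rule a segment hits, or None for a segment no rule matches."""
    for comment, must_set, must_clear in SCAN_SIGNATURES:
        if must_set <= flags and not (must_clear & flags):
            return comment
    return None


# --- Part 2: the staged ssh/winbox brute-force lists ---
SECONDS = {"1d2h22m22s": 94_942, "12w6d": 7_776_000}  # the two address-list-timeout values on the page
SSH_PORTS = {22, 8291}


class AddressLists:
    """Timed address lists: an entry exists until its timeout elapses, like address-list-timeout."""

    def __init__(self) -> None:
        self._expiry: Dict[str, Dict[str, int]] = {}

    def add(self, name: str, addr: str, now: int, timeout: int) -> None:
        self._expiry.setdefault(name, {})[addr] = now + timeout  # re-adding refreshes the timeout

    def contains(self, name: str, addr: str, now: int) -> bool:
        exp = self._expiry.get(name, {}).get(addr)
        return exp is not None and now < exp


def input_ssh_rules(lists: AddressLists, src: str, dst_port: int, now: int) -> str:
    """Walk the page's ssh rules top to bottom for one new TCP connection from a half-trust source.
    Returns 'drop', or 'pass' when the packet continues down the chain."""
    if dst_port not in SSH_PORTS:
        return "pass"
    if lists.contains("ssh_blacklist", src, now):  # "drop ssh brute forcers"
        return "drop"
    # add-src-to-address-list does not terminate the chain, so every stage rule is evaluated,
    # highest stage first; a source therefore climbs exactly one stage per new connection.
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, SECONDS["12w6d"])
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, SECONDS["1d2h22m22s"])
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, SECONDS["1d2h22m22s"])
    lists.add("ssh_stage1", src, now, SECONDS["1d2h22m22s"])  # src-address-list=half-trust assumed to match
    return "pass"


def simulate(attempts: List[Tuple[str, int, int]]) -> List[str]:
    """Feed (src, dst_port, time-in-seconds) tuples through the rules; return the decision for each."""
    lists = AddressLists()
    return [input_ssh_rules(lists, src, port, t) for src, port, t in attempts]


# Constructed attempt sequences from a documentation address, assumed to be in half-trust.
BURST = [("203.0.113.7", 22, t) for t in range(5)]                 # five new connections within 5 s
SLOW = [("203.0.113.7", 22, 100_000 * i) for i in range(5)]        # gaps longer than 1d2h22m22s
AFTER_EXPIRY = BURST + [("203.0.113.7", 8291, 4 + SECONDS["12w6d"])]  # one more once the blacklist expired

if __name__ == "__main__":
    for flags in (set(), {"syn"}, {"fin"}, {"fin", "psh", "urg"}, {"fin", "syn", "rst", "psh", "ack", "urg"}):
        print(sorted(flags), "->", classify_tcp_flags(flags))
    print("burst:", simulate(BURST))
    print("slow:", simulate(SLOW))
    print("after expiry:", simulate(AFTER_EXPIRY))
```

Walking the rules makes two things visible that the export does not: because the stage rules are checked from stage3 downwards and none of them stops the chain, the fourth new connection to port 22 or 8291 from the same source is still let through (it is the one that adds the source to ssh_blacklist) and only the fifth is dropped; and because the stage lists expire after 1d2h22m22s, attempts spaced further apart than that never climb past stage1. The flag classifier also shows that the ALL/ALL rule can never fire, since a segment with all six flags set already matched the SYN/FIN rule three rules earlier (harmless here, as both add to the same list).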
Other settings.
/snmp
set contact="" enabled=yes engine-boots=9 engine-id="" location="" time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=192.168.10.0/24 authentication-password="" authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=public read-access=yes security=none write-access=no
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=192.168.10.0/24 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/system clock
set time-zone-name=Asia/Makassar
/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=202.169.224.16
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=no enabled=no max-sessions=100
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=192.168.10.0/24 disabled=no interface=all store-on-disk=yes
/tool graphing resource
add allow-address=192.168.10.0/24 disabled=no store-on-disk=yes
can lan talk to each other
Nice to meet you,
If the settings are laid out like that and it turns out one of the Internet links goes down, can all the LANs use the link that is still up?