Tuesday, February 17, 2015

Konfigurasi Mikrotik 2 WAN dan 3 LAN

Di bawah ini adalah sebuah network dimana ada 2 buah WAN Internet terhubung pada sebuah router Mikrotik RB450G. Kemudian ada 3 buah LAN juga terhubung ke Mikrotik. 2 buah LAN 1 menuju ke internet melalui WAN 1. Sedangkan LAN 2 terhubung ke internet melalui WAN 2. Jadi antar WAN dan antar LAN terpisah sama sekali ( Tidak load balancing).
Network 2 WAN and 3 LAN

Dan berikut ini adalah backup konfigurasi mikrotiknya, hasil dari command export pada terminal Mikrotik. Beberapa baris konfigurasi yang tidak penting / tidak digunakan, saya hilangkan, seperti routing ospf, queue type, hotspot dsbnya. Urutan dari konfigurasi juga saya sesuaikan kembali agar lebih mudah dipahami.


Warning…!!! Jika anda ingin mencoba/mengambil sebagian atau seluruh dari konfigurasi di bawah ini, berhati-hatilah. Perhatikan beberapa hal penting berikut ini.
  • Jangan mengcopy langsung mentah-mentah konfigurasi di bawah ini, ke Mikrotik anda. Perhatikan baik-baik setiap baris konfigurasi. Terutama pada baris yang bertanda bintang (****), yang berarti sengaja di-hide, dan harus disesuaikan dengan kondisi network anda.
  • Anda sudah tau dengan pasti tujuan atau fungsi dari konfigurasi yang akan anda ambil, dan resikonya jika terjadi fail. Resiko yang paling parah adalah router mikrotik tidak bisa diakses lagi.
  • Dan sekali lagi saya tidak bertanggung jawab atas resiko yang akan anda hadapi.

Mari kita mulai. Setting nama-nama setiap Interface.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mtu=1500 name="ether1 (LAN 1)" \
    speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes \
    master-port=none mtu=1500 name="ether2 (LAN 1)" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes \
    master-port=none mtu=1500 name="ether3 (WAN 1)" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes \
    master-port=none mtu=1500 name="ether4 (LAN 2)" speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes \
    master-port=none mtu=1500 name="ether5 (WAN 2)" speed=100Mbps

Setting IP address setiap interface.
/ip address
add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no \
    interface="ether2 (LAN 1)" network=192.168.10.0
add address=192.168.100.2/24 broadcast=192.168.100.255 comment="" disabled=no \
    interface="ether3 (WAN 1)" network=192.168.100.0
add address=192.168.2.1/24 broadcast=192.168.2.255 comment="" disabled=no \
    interface="ether4 (LAN 2)" network=192.168.2.0
add address=192.168.1.100/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface="ether5 (WAN 2)" network=192.168.1.0
add address=192.168.11.1/24 broadcast=192.168.11.255 comment="" disabled=no \
    interface="ether1 (LAN 1)" network=192.168.11.0

Di modem ADSL disetting bridge. Yang akan men-dial adalah si Mikrotik. Cara untuk mensetting modem menjadi bridge, sangat mudah. Lihat urutan langkahnya pada gambar di bawah ini.
Setting bridge Mikrotik

Kembali ke Mikrotik. Setting pppoe-client di Mikrotik. Perlu diingat, mengenai settingan default route pppoe-client. Jangan kedua pppoe-client diset/dicentang default route. Cukup 1 saja default route, atau kedua duanya tidak dicentang default route (add-default-route=no). Jika keduanya dicentang default route, maka akan sering terjadi gangguan.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
    "" dial-on-demand=yes disabled=no interface="ether3 (WAN 1)" max-mru=1480 \
    max-mtu=1480 mrru=disabled name="My Internet" password=***** \
    profile=default service-name="" use-peer-dns=no user=\
    17********@telkom.net
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=yes disabled=no interface="ether5 (WAN 2)" max-mru=1480 \
    max-mtu=1480 mrru=disabled name="Trav Internet" password=***** \
    profile=default service-name="" use-peer-dns=no user=\
    17********@gold.telkom

Ini range IP address (pool dhcp) untuk user LAN 1.
/ip pool
add name=dhcp_pool1 ranges=192.168.11.100-192.168.11.200

Ini range IP address untuk user yang connect pptp.
/ip pool
add name=dhcp_pool2_pptp ranges=192.168.10.50-192.168.10.60

Setting DHCP server untuk user LAN 1.
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface="ether1 (LAN 1)" lease-time=3d name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.11.0/24 comment="" gateway=192.168.11.1

Setting DNS di Mikrotik
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=149.210.138.118,180.131.145.145

Setting Firewall NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    192.168.100.0/24 out-interface="ether3 (WAN 1)" src-address=\
    192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    192.168.1.0/24 out-interface="ether5 (WAN 2)" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    "My Internet" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    "Trav Internet" src-address=192.168.2.0/24

Buat mangle untuk mark routing. Tujuannya,
  • IP LAN 192.168.10.0/24 bisa akses ke modem 1, modem 2 dan internet (melalui WAN 1).
  • Dan IP LAN 2, 192.168.2.0/24 hanya bisa akses internet melalui jalurnya saja (WAN 2)

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no in-interface=\
    "ether4 (LAN 2)" new-routing-mark=travroute passthrough=yes src-address=\
    192.168.2.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
    192.168.100.1 in-interface="ether2 (LAN 1)" new-routing-mark=settingmodem \
    passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.1 in-interface="ether2 (LAN 1)" new-routing-mark=settingmodem2 \
    passthrough=yes src-address=192.168.10.0/24

Setting routing dari hasil mark routing mangle.
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    "Trav Internet" routing-mark=travroute scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.100.1 routing-mark=settingmodem scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-mark=settingmodem2 scope=30 target-scope=10

Disetting hanya ada 3 routing. Tapi jika dicommand ip route print, akan ada banyak routing. Ini karena ada beberapa routing defaultnya.
IP route print

Mikrotik ini juga berfungsi sebagai PPTP Server. Apa itu PPTP server ? Penjelasannya, cari sendiri di internet :). Intinya dengan PPTP server ini, saya bisa absen online dari mana saja. Sedangkan yang terlihat di absen online adalah IP public yang sama (IP public kantor). Jadi orang kantor ketika melakukan pengecekan/investigasi, mengira saya sering ada di kantor, absen hadir dan pulang selalu tepat waktu di kantor. Hahaha…
/interface pptp-server
add comment="" disabled=no name=pptp-in1 user=*****
/ppp profile
set default change-tcp-mss=yes comment="" local-address=dhcp_pool2_pptp name=\
    default only-one=default remote-address=dhcp_pool2_pptp use-compression=\
    default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=***** password=***** profile=default routes="" service=pptp

Setting firewall address list.
/ip firewall address-list
add address=11*.**.**.***/27 comment="" disabled=no list=full-trust
add address=0.0.0.0/8 comment="" disabled=no list=local-untrust
add address=127.0.0.0/8 comment="" disabled=no list=local-untrust
add address=224.0.0.0/3 comment="" disabled=no list=local-untrust
add address=172.16.0.0/12 comment="" disabled=no list=local-untrust
add address=**0.0.0.0/8 comment="" disabled=no list=half-trust
add address=**5.0.0.0/8 comment="" disabled=no list=half-trust
add address=3*.0.0.0/8 comment="" disabled=no list=half-trust
add address=1**.0.0.0/8 comment="" disabled=no list=half-trust
add address=2**.0.0.0/8 comment="" disabled=no list=half-trust
add address=1**.1**.*4.8 comment="" disabled=no list=full-trust
add address=2**.1**.**4.16 comment="" disabled=no list=full-trust
add address=1**.2**.1**.1** comment="" disabled=no list=full-trust
add address=1**.1**.1**.1** comment="" disabled=no list=full-trust
add address=8.8.8.8 comment="" disabled=no list=full-trust
add address=8.8.4.4 comment="" disabled=no list=full-trust
add address=**2.0.0.0/8 comment="" disabled=no list=half-trust

Setting firewall filter.
/ip firewall filter
add action=drop chain=forward comment="Drop Local Untrust" disabled=no \
    src-address-list=local-untrust
add action=drop chain=forward comment="" disabled=no src-address-list=\
    local-untrust
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no src-address-list=local-untrust
add action=accept chain=forward comment="" connection-state=established \
    disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=input comment="" disabled=no src-address=\
    192.168.10.0/24
add action=accept chain=input comment="" disabled=no in-interface=\
    "My Internet" src-address-list=full-trust
add action=accept chain=input comment="" disabled=no in-interface=\
    "Trav Internet" src-address-list=full-trust
add action=drop chain=input comment="" disabled=no in-interface=\
    "Trav Internet" src-address-list=!half-trust
add action=drop chain=input comment="" disabled=no in-interface="My Internet" \
    src-address-list=!half-trust
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="FIN/PSH/URG scan" \
    disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="NMAP NULL scan" disabled=\
    no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=3:3 limit=\
    5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=3:4 limit=\
    5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=8:0-255 \
    limit=5,5 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=11:0-255 \
    limit=5,5 protocol=icmp
add action=drop chain=icmp comment="" disabled=no protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22,8291 in-interface="My Internet" protocol=tcp \
    src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22,8291 in-interface="Trav Internet" protocol=tcp \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=12w6d chain=input comment="" connection-state=new \
    disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1d2h22m22s chain=input comment="" connection-state=\
    new disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1d2h22m22s chain=input comment="" connection-state=\
    new disabled=no dst-port=22,8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1d2h22m22s chain=input comment="" connection-state=\
    new disabled=no dst-port=22,8291 protocol=tcp src-address-list=half-trust

Settingan lainnya.
/snmp
set contact="" enabled=yes engine-boots=9 engine-id="" location="" \
    time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=192.168.10.0/24 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no

/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=192.168.10.0/24 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291

/system clock
set time-zone-name=Asia/Makassar

/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
    202.169.224.16

/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=no enabled=no max-sessions=100

/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=192.168.10.0/24 disabled=no interface=all store-on-disk=yes
/tool graphing resource
add allow-address=192.168.10.0/24 disabled=no store-on-disk=yes

Selesai…

1 comment: