www.catatanteknisi.com, notes on learning MikroTik, by: teknisi_gaptek
MIKROTIK BASIC CONFIGURATION

1. Give the router a name
/system identity set name=RouterKu

2. List the installed interfaces
/interface print

3. Name the Ethernet interfaces
/interface ethernet set ether1 name=Public
/interface ethernet set ether2 name=Local
or, by interface number:
/interface set 0 name=Public
/interface set 1 name=Local
or, from inside the submenu:
[admin@RouterKu] /interface> set 0 name=Public; set 1 name=Local

4. Give the Public and Local interfaces an IP address
/ip address add address=192.168.67.100/24 interface=Public
/ip address add address=167.16.10.100/24 interface=Local

5. Replace the IP address on the Local interface (entry 1)
/ip address remove 1
/ip address add address=172.16.10.100/24 interface=Local

6. Ping test to the local computer (IP 172.16.10.1/24) and to the gateway (192.168.67.2/24)
[admin@RouterKu] > ping 172.16.10.1
A reply means the connection between the interfaces is correct.

7. Add the default gateway
- ping from the client computer to the IP address of the Public interface (192.168.67.10): OK
- add the default gateway:
/ip route add dst-address=0.0.0.0/0 gateway=192.168.67.2
or
/ip route add gateway=192.168.67.2

8. Add NAT masquerade
- ping from the client computer to the gateway (192.168.67.2): RTO (request timed out)
- add NAT masquerade; note that the chain is called srcnat, not src-nat
- chain srcnat processes traffic sent from and through the router
- action masquerade changes the packet's source address to the router's address and a chosen port; it is typically used to hide specific LAN resources behind one dynamic IP address
/ip firewall nat add chain=srcnat out-interface=Public action=masquerade
- ping again from the client computer to the gateway (192.168.67.2): OK
- ping from the router to google.com: fails
- ping from the router to 74.125.235.52: OK
- ping from the client computer to 74.125.235.52: OK
- open a browser at the address 74.135.235.52: OK

9. Add a primary and a secondary DNS server
/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-requests=yes
- ping google.com from the router: OK
- ping google.com from the client computer: OK
- change to allow-remote-requests=no:
/ip dns set allow-remote-requests=no
- ping google.com from the client computer: still works ???? (expected if the client is configured with the upstream DNS servers directly rather than with the router's address)

10. Add a DHCP server
  1. Create an IP pool
  /ip pool add name=ippool1 ranges=172.16.10.1-172.16.10.10
  2. Set up the DHCP server
  /ip dhcp-server add interface=Local address-pool=ippool1
  3. Set up the network: gateway, DNS server, ...
  /ip dhcp-server network add address=172.16.10.0/24 gateway=172.16.10.100 dns-server=203.78.115.222

11. Back up and restore the system configuration
/system backup save name=Backup1
/system backup load name=Backup1
or name=Backup1.backup

12. User management
  1. Change the password
  [admin@RouterKu] > password
  Old password:
  New password:
  Retype new password:
  2. Add a user
  [admin@RouterKu] > user
  [admin@RouterKu] /user> add name=Raihan group=read
MIKROTIK ROUTEROS FIREWALL
Create 3 interfaces on RouterKu:
- Public, 192.168.67.10/24 (VMware NAT setting)
- Local, 172.16.10.100/24 (LAN segment)
- Bridge, 192.168.10.100/24 (VMware Bridge setting)
Install one virtual PC with IP 172.16.10.1/24 (LAN segment); the PC we are working from has IP 192.168.10.200/24.
1. Chain & Action
Firewall filter rules are organized in chains. There are default and user-defined chains. There are three default chains:
- input: processes packets sent to the router
- output: processes packets sent by the router
- forward: processes packets sent through the router
Every user-defined chain should be subordinate to at least one of the default chains; it is only consulted through a jump from one of them.

2. Chain Input
Protecting the router: allowing only the necessary services, from reliable source addresses, with an agreeable load.

Protecting your router. To deny access to the router via Telnet (TCP port 23):
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

Set up packet filtering to protect the router:
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid connections"

Create 3 rules to ensure that only connection-state new packets will proceed through the input filter:
- drop all connection-state invalid packets
- accept all connection-state established packets
- accept all connection-state related packets
Create 2 rules to ensure that only you will be able to connect to the router:
- accept all packets from your laptop IP
- drop everything else
The order matters: the drop-everything-else rule must be the last rule in the chain, because a packet that matches no rule in a chain is accepted by RouterOS.

3. Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers.
Protecting your customer. Block IP addresses called "bogons" (rules entered under /ip firewall filter):
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
Create a tcp chain and deny some TCP ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny UDP ports in a udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
Allow only the needed ICMP codes in an icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp action=drop comment="deny all other types"
The tcp, udp and icmp chains are user-defined, so they only see traffic once a rule in the forward chain jumps to them. With only these three ICMP types accepted, echo requests (8:0) and time-exceeded messages (11:0) are dropped, so ping and traceroute through the router stop working.
Create 3 rules to ensure that only connection-state new packets will proceed through the forward chain (same as in the Chain Input lab). Create rules to close the most popular virus ports: drop TCP and UDP port range 137-139; drop TCP and UDP port 445.

4. Condition: Connection State
Connection state is a status assigned to each packet by the conntrack system:
- new: the packet is opening a new connection
- related: the packet is also opening a new connection, but it is in some kind of relation to an already established connection
- established: the packet belongs to an already known connection
- invalid: the packet does not belong to any of the known connections
Connection state ≠ TCP state.

5. Address List
Firewall address lists allow the user to create lists of IP addresses grouped together. The firewall filter, mangle and NAT facilities can use address lists to match packets against them.
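The input-chain policy from section 2 and the forward-chain rules from section 3, modelled in Python as an added example (not code from these notes or from RouterOS): a first-match walk over the chains with the jump-and-return behaviour of user-defined chains. It assumes the lab PC 192.168.10.200 plays the "your laptop IP" role, and all packets are constructed.

```python
from ipaddress import ip_address, ip_network
ADMIN_IP = "192.168.10.200"   # assumption: the lab PC plays "your laptop IP"

# (chain, matchers, action[, jump target]); within a chain the first match wins.
RULES = [
    ("input", {"connection-state": "invalid"}, "drop"),
    ("input", {"connection-state": "established"}, "accept"),
    ("input", {"connection-state": "related"}, "accept"),
    ("input", {"src-address": ADMIN_IP + "/32"}, "accept"),
    ("input", {}, "drop"),                                  # everything else
    ("forward", {"src-address": "127.0.0.0/8"}, "drop"),    # bogon
    ("forward", {"dst-address": "224.0.0.0/3"}, "drop"),    # bogon
    ("forward", {"protocol": "tcp"}, "jump", "tcp"),        # hand TCP to the user-defined chain
    ("tcp", {"protocol": "tcp", "dst-port": "69"}, "drop"),
    ("tcp", {"protocol": "tcp", "dst-port": "67-68"}, "drop"),
]

def port_in(port, spec):
    # RouterOS dst-port spec: a single port "69" or a range "67-68"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(matchers, pkt):
    for field, want in matchers.items():
        if field in ("src-address", "dst-address"):
            if ip_address(pkt[field]) not in ip_network(want):
                return False
        elif field == "dst-port":
            if not port_in(pkt["dst-port"], want):
                return False
        elif pkt.get(field) != want:
            return False
    return True

def filter_packet(chain, pkt, rules=RULES):
    """Walk `chain` top to bottom. A jump consults the sub-chain and comes back
    when nothing there matched; falling off the end of a default chain means accept."""
    for rchain, matchers, action, *target in rules:
        if rchain != chain or not matches(matchers, pkt):
            continue
        if action != "jump":
            return action
        verdict = filter_packet(target[0], pkt, rules)
        if verdict != "return":
            return verdict
    return "accept" if chain in ("input", "output", "forward") else "return"

def packet(src, dst, dport, state, proto="tcp"):
    """Constructed sample packet; no real traffic is involved."""
    return {"src-address": src, "dst-address": dst, "protocol": proto,
            "dst-port": dport, "connection-state": state}
```

Running a UDP packet to port 69 through the forward chain shows why the notes also create a udp chain: the tcp jump does not match it, and it falls through to accept.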
The address list records can be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in the NAT, mangle and filter facilities. The following example creates an address list of people that are connecting to port 23 (telnet) on the router and drops all further traffic from them. Additionally, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
/ip firewall address-list add list=drop_traffic address=192.0.34.166/32
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 action=add-src-to-address-list address-list=drop_traffic
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic
Because the mangle rule sits in prerouting, it also sees traffic that is merely forwarded through the router: a LAN host opening Telnet to any outside destination is listed as well, unless the rule is limited to the router's own addresses.
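The three rules above as a small stateful model, added here as an example (not code from the notes or from RouterOS): the mangle step runs before the input filter, so the probing packet itself is dropped along with everything that source sends afterwards. Packets are constructed; only the router-bound (input) path is modelled.

```python
from ipaddress import ip_address, ip_network

class AddressListTrap:
    """Static drop_traffic entry, prerouting mangle rule that lists the source
    of any TCP/23 packet, and an input filter rule that drops listed sources."""

    def __init__(self, static_entries=("192.0.34.166/32",)):
        self.drop_traffic = [ip_network(e) for e in static_entries]

    def listed(self, addr):
        return any(ip_address(addr) in net for net in self.drop_traffic)

    def mangle_prerouting(self, pkt):
        # /ip firewall mangle add chain=prerouting protocol=tcp dst-port=23
        #     action=add-src-to-address-list address-list=drop_traffic
        if pkt["protocol"] == "tcp" and pkt["dst-port"] == 23:
            if not self.listed(pkt["src-address"]):
                self.drop_traffic.append(ip_network(pkt["src-address"] + "/32"))

    def filter_input(self, pkt):
        # /ip firewall filter add action=drop chain=input src-address-list=drop_traffic
        # No other input rule is modelled, so unlisted sources fall through to accept.
        return "drop" if self.listed(pkt["src-address"]) else "accept"

    def handle(self, pkt):
        """Router-bound packets traverse mangle prerouting before the input
        filter, so the Telnet probe is dropped and so is every later packet
        from that source, whatever its protocol or port."""
        self.mangle_prerouting(pkt)
        return self.filter_input(pkt)

def probe(src, proto, dport):
    """Constructed sample packet addressed to the router."""
    return {"src-address": src, "protocol": proto, "dst-port": dport}

if __name__ == "__main__":
    trap = AddressListTrap()
    for pkt in (probe("172.16.10.1", "tcp", 80), probe("172.16.10.1", "tcp", 23),
                probe("172.16.10.1", "udp", 53), probe("172.16.10.2", "udp", 53)):
        print(pkt, "->", trap.handle(pkt), sorted(map(str, trap.drop_traffic)))
```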
6. NAT Type
As there are 2 IP addresses and ports in an IP packet header, there are 2 types of NAT:
1. NAT that rewrites the source IP address and/or port is called source NAT (src-nat)
- performed on packets that originate from the natted network
- a NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router
2. NAT that rewrites the destination IP address and/or port is called destination NAT (dst-nat)
- performed on packets that are destined to the natted network
- most commonly used to make a host on a private network accessible from the Internet

7. Firewall NAT Structure
Firewall NAT rules are organized in chains. There are two default chains:
- dstnat: processes traffic sent to and through the router, before it divides into the "input" and "forward" chains of the firewall filter
- srcnat: processes traffic sent from and through the router, after it merges from the "output" and "forward" chains of the firewall filter
There are also user-defined chains. Firewall NAT rules process only the first packet of each connection (connection-state "new" packets).

8. NAT Action (6 specific NAT actions)
1. dst-nat and redirect
2. src-nat and masquerade
3. netmap
4. same

9. Source NAT Action
Action "src-nat" changes the packet's source address and/or port to the specified address and/or port. This action can take place only in chain srcnat. Typical application: hide specific LAN resources behind a specific public IP address.

10. Masquerade Action
Action "masquerade" changes the packet's source address to the router's address and a specified port. This action can take place only in chain srcnat. Typical application: hide specific LAN resources behind one dynamic public IP address.

11. Destination NAT Action
Action "dst-nat" changes the packet's destination address and port to the specified address and port. This action can take place only in chain dstnat. Typical application: ensure access to local network services from the public network.

12. Redirect NAT Action
Action "redirect" changes the packet's destination address to the router's address and a specified port. This action can take place only in chain dstnat. Typical application: transparent proxying of network services (DNS, HTTP).

13. Netmap & Same
Netmap creates a static 1:1 mapping of one set of IP addresses to another one. It is often used to distribute public IP addresses to hosts on private networks.
Same gives a particular client the same source/destination IP address from the supplied range for any connection. It is used for services that expect a constant IP address for multiple connections from the same client.

14. DNS Cache
The DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple recursive DNS server without any local items. The DNS protocol is described in RFC 1035 and related documents. A MikroTik router with the DNS cache feature enabled can be set as the primary DNS server for any DNS-compliant clients. Moreover, the MikroTik router can be specified as the primary DNS server under its dhcp-server settings. When the DNS cache is enabled, the MikroTik router responds to DNS requests on TCP and UDP port 53. Make sure you do not block this port in the firewall setup!

The DNS cache feature is included in the dns-cache package. The package file dns-cache-2.6.x.npk can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload it with FTP in BINARY mode to the router and reboot. Use the /system package print command to see the list of installed packages.
DNS Cache Setup
DNS cache management can be accessed under the /ip dns-cache submenu. DNS client configuration (accessible under the /ip dns submenu) is not required. To enable the DNS cache, use the set command, for example:
[admin@MikroTik] ip dns-cache> set enabled=yes dns-server=159.148.60.2
[admin@MikroTik] ip dns-cache> print
enabled: yes
size: 512
dns-server: 159.148.60.2

enabled - defines whether the DNS cache (TCP and UDP port 53) is enabled or not
size - maximum number of entries in the cache
dns-server - parent DNS server that is used to resolve requests absent from the cache
1. Accessing a Local Web Server from the Internet
Assume we have moved the server in our previous examples from the public network to our local one:

The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static Network Address Translation (NAT) at the MikroTik router. The public address:port 10.0.0.217:80 will be translated to the local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:
1. Add a computer (10.0.0.2) connected to the Public interface
2. Give each router interface an IP address
3. Set the default gateway:
/ip route add gateway=192.168.10.1
4. Set DSTNAT
/ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp dst-address=10.0.0.217/32 dst-port=80 to-addresses=192.168.0.4
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=dstnat dst-address=10.0.0.217/32 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535

dstnat: processes traffic sent to and through the router
dst-nat: changes the packet's destination address and port to the specified address and port

5. Install XAMPP on the computer 192.168.0.4
6. From the computer with the public IP, 10.0.0.2/24, open a browser and type the address 10.0.0.1
LAB 01 NETWORK TOPOLOGY
Setting up MikroTik Router R0
2. Add IP addresses
/ip address add address=192.168.67.10/24 interface=ether1
/ip address add address=10.0.0.1/24 interface=ether2
3. Add the default gateway
- ping 192.168.67.2: reply
- ping 74.125.235.48: no route to host
- add the gateway:
/ip route add gateway=192.168.67.2
- ping 74.125.235.48: reply
4. Add DNS
- ping google.com: invalid value
- add DNS:
/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-requests=yes
- ping google.com: reply
5. Set the IP address on computer XP0 (server) = 10.0.0.4/24, dns=203.78.115.215
- ping the router (R0):
  - 10.0.0.1: reply
  - 192.168.67.10: reply
6. So that computer XP0 (server) can reach the Internet, use SRCNAT masquerade
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
- try browsing from computer XP0: OK

Setting up MikroTik Router R1
1. Add IP addresses:
/ip address add address=10.0.0.217/24 interface=ether1
/ip address add address=192.168.0.254/24 interface=ether2
2. Add the default gateway:
/ip route add gateway=10.0.0.1
3. Add DNS
/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-requests=yes
4. Add SRCNAT masquerade
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
5. Set the IP address and DNS on client computer XP1
IP address: 192.168.0.1/24
DNS: 203.78.115.215 - 203.78.115.222

So that the server on the local network can be accessed from the public network
1. Install XAMPP on computer XP1 (192.168.0.1)
2. Set DSTNAT
/ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp dst-address=10.0.0.0/24 dst-port=80 to-addresses=192.168.0.1
Note that this rule matches port 80 traffic to any address in 10.0.0.0/24 that reaches R1, not only R1's own address 10.0.0.217 as in the earlier example.
3. On computer XP0
- ping 192.168.0.1: no reply
- open a browser and type: 10.0.0.217, the XP1 web server is shown

dstnat: processes traffic sent to and through the router
dst-nat: changes the packet's destination address and port to the specified address and port
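The NAT actions from sections 6 to 12 and both dst-nat labs, as an added Python model (not code from the notes or from RouterOS): router R1's addresses from LAB 01, the dst-nat rule in its /32 form from the first lab, the masquerade rule on ether1, and a conntrack table that runs only the first packet of a connection through the NAT chains. Packets are constructed 5-tuples; masquerade is modelled as keeping the source port.

```python
from ipaddress import ip_address, ip_network

# Router R1 from LAB 01: public side on ether1, web server XP1 behind ether2.
ROUTER_ADDR = {"ether1": "10.0.0.217", "ether2": "192.168.0.254"}

# (chain, match predicate, action, to-address); the first match in a chain wins.
NAT_RULES = [
    ("dstnat", lambda p: p["proto"] == "tcp" and p["dport"] == 80
               and ip_address(p["dst"]) in ip_network("10.0.0.217/32"), "dst-nat", "192.168.0.1"),
    ("srcnat", lambda p: p["out_if"] == "ether1", "masquerade", None),
]

def key(p):
    """Connection identity as conntrack sees it: protocol and both endpoints."""
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

def reverse(p):
    """The 5-tuple carried by a reply to p."""
    return dict(p, src=p["dst"], sport=p["dport"], dst=p["src"], dport=p["sport"])

def run_chain(chain, p):
    """Apply the first matching rule of `chain` and return the rewritten packet."""
    p = dict(p)
    for rchain, match, action, target in NAT_RULES:
        if rchain == chain and match(p):
            if action == "dst-nat":
                p["dst"] = target                      # to-ports not given: port is kept
            elif action == "masquerade":
                p["src"] = ROUTER_ADDR[p["out_if"]]    # router's own address on the out-interface
            break
    return p

class Conntrack:
    """NAT chains only see the first packet of a connection (state "new");
    later packets in either direction reuse the stored translation."""
    def __init__(self):
        self.table, self.new_connections = {}, 0

    def translate(self, p):
        if key(p) not in self.table:
            self.new_connections += 1
            t = run_chain("srcnat", run_chain("dstnat", p))   # dstnat before routing, srcnat after
            self.table[key(p)] = t
            self.table[key(reverse(t))] = reverse(p)          # replies are translated back
        return self.table[key(p)]
```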
Setting up a DHCP server (install the DHCP server on router R1)
1. Create the IP pool first
/ip pool add name=MyPool ranges=192.168.0.1-192.168.0.10
2. Add the DHCP network
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.254
3. Add the DHCP server
/ip dhcp-server add name=MyDHCP interface=ether2 address-pool=MyPool disabled=no
Note that this pool includes 192.168.0.1, which XP1 was given statically above; a pool that starts above the static addresses avoids handing the same address to two hosts.