Cryptography

Security is not a Product, it's a Process

Setting Up Mikrotik


  • Choose the following packages when installing the Mikrotik OS:

System, dhcp, Advanced Tools, Routing, Security, Web-Proxy.

  • Rename the system to whatever you like:

[admin@microtik] > system identity set name=warnet

The shell prompt will then change to the name you chose:

[admin@warnet] >

  • Change the password of your Mikrotik OS with:

[admin@warnet] > user set admin password=………………………………

  • Enable both Ethernet interfaces on the PC where you installed the Mikrotik OS:

[admin@warnet] > interface ethernet enable ether1
[admin@warnet] > interface ethernet enable ether2

  • Give both Ethernet interfaces a name to make the configuration easier to follow:

[admin@warnet] > interface ethernet set ether1 name=modem    (the Ethernet port that goes to the modem)
[admin@warnet] > interface ethernet set ether2 name=local    (the Ethernet port that goes to the hub)

  • Assign an IP address to both LAN cards (the interface names must match the ones set above):

[admin@warnet] > ip address add interface=modem address=( IP address given by the ISP )/netmask
[admin@warnet] > ip address add interface=local address=192.168.0.1/255.255.255.0

  • Enter the gateway IP given by the ISP:

[admin@warnet] > ip route add gateway=( gateway IP address given by the ISP )

  • Set up DNS:

[admin@warnet] > ip dns set primary-dns=10.11.155.1 secondary-dns=10.11.155.2

After that, try pinging every IP address configured above.

FIREWALL AND NETWORK CONFIGURATION

/ip firewall nat add action=masquerade chain=srcnat
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=udp action=accept
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=(Ethernet card facing the LAN) action=accept
/ip firewall filter add chain=input in-interface=(Ethernet card facing the internet) action=accept

/ip firewall filter add chain=input action=drop

/ip web-proxy set enabled=yes src-address=0.0.0.0 port=8080 hostname="" transparent-proxy=yes parent-proxy=0.0.0.0:0 \
    cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=unlimited \
    max-ram-cache-size=unlimited

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128
/ip firewall nat add chain=dstnat in-interface=modem protocol=tcp dst-port=80 dst-address=!192.168.0.1/24 \
    action=redirect to-ports=3128


Every 3128 above is replaced with 8080; this is how:

/ip web-proxy set enabled=yes
/ip web-proxy set port=3128
/ip web-proxy set max-cache-size=3145728 ( 3 times the total RAM )
/ip web-proxy set hostname="proxy.prima"
/ip web-proxy set allow-remote-requests=yes
/ip web-proxy set cache-administrator="primanet.slawi@yahoo.com"
FILTERING:
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

ANTIVIRUS FOR MIKROTIK:

/ip firewall filter
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

SECURING YOUR MIKROTIK ROUTER:

/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

http://wiki.mikrotik.com/wiki/Securing_your_router

NETWORK SECURITY SETTINGS FOR YOUR LOCAL AREA ONLY:

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
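As an added example (not from the original post), here is a small first-match evaluator for the RouterOS filter rules above, loaded with a copied subset of the input chain from "securing your router" and of the forward/virus chains; the evaluator and the test packets are constructed here. It shows what the chains let through as written: any UDP packet and Winbox (8291) reach the router from any source, while the forward chain drops whatever the virus chain and the explicit allows do not cover.

```python
# Added example, not from the original post: a tiny first-match evaluator for the
# RouterOS filter rules above (a copied subset); the packets below are constructed.
import ipaddress
import re

RULES = """
add chain=input protocol=udp action=accept comment="UDP"
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=drop comment="drop everything else"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
"""

def parse(text):
    """One dict per 'add ...' line; a RouterOS rule accepts unless told otherwise."""
    for line in text.strip().splitlines():
        r = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
        yield {"action": "accept", **r}

def matches(r, p):
    """Match on the fields these rules use; 'limit' is treated as not yet exceeded."""
    if r.get("protocol", p["proto"]) != p["proto"]:
        return False
    if "dst-port" in r:
        lo, _, hi = r["dst-port"].partition("-")
        if not int(lo) <= p["dport"] <= int(hi or lo):
            return False
    if "src-address" in r:
        return ipaddress.ip_address(p["src"]) in ipaddress.ip_network(r["src-address"])
    return True

def verdict(rules, chain, p):
    """First terminating match wins; 'log' falls through; an exhausted user chain returns."""
    for r in rules:
        if r["chain"] != chain or not matches(r, p):
            continue
        if r["action"] == "jump":
            v = verdict(rules, r["jump-target"], p)
            if v != "return":
                return v
        elif r["action"] in ("accept", "drop", "return"):
            return r["action"]
    return "accept" if chain in ("input", "forward", "output") else "return"

def check(chain, proto, src, dport=0):
    return verdict(list(parse(RULES)), chain, {"proto": proto, "src": src, "dport": dport})
```

For instance `check("input", "udp", "203.0.113.5", 161)` returns `accept`, i.e. SNMP queries from the internet reach the router itself, which is why a src-address restriction belongs before the blanket UDP accept.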

# Disable the ports commonly used by spam:
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-p

Check the above again on the website: http://www.mikrotik.com/documentation/manual_2.7/
http://www.mikrotik.com/docs/ros/2.9/ip/webproxy

Look at the system resources; 2/3 of the system resources are used or allocated for it:

[admin@warnet] > system resource print

Graphing

/tool graphing set store-every=hour
[admin@MikroTik] tool graphing> print
    store-every: hour
[admin@MikroTik] tool graphing>
[admin@MikroTik] tool graphing interface> add interface=ether1 \
    allow-address=192.168.0.0/24 store-on-disk=yes
[admin@MikroTik] tool graphing interface> print
Flags: X - disabled
 #   INTERFACE   ALLOW-ADDRESS    STORE-ON-DISK
 0   ether1      192.168.0.0/24   yes
[admin@MikroTik] tool graphing interface>
[admin@VLP InWay] tool graphing> export
# oct/12/2005 09:51:23 by RouterOS 2.9.5
# software id = 1TLC-xxx
#
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=10.8.2.99/32 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=Inway allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
add interface=LAN allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
add interface=DMZ allow-address=0.0.0.0/0 store-on-disk=yes disabled=no


February 2, 2007 - Posted by | Mikrotik

28 Comments »

  1. Good afternoon,
    Sir, how can I find out how to share bandwidth among clients that use a wireless radio link

    Comment by mustakim | March 12, 2007

  2. Thank God, I finally found a place for some enlightenment.
    I learned Mikrotik from the user guide downloaded from the Mikrotik site. I set up the firewall as in that guide. The problem is that there is a "rogue" network using the Mikrotik router, coming in through the public gateway IP (the one given by the ISP), so bandwidth usage is always full and as a result the connection is very slow. Please, how do I block it? Thanks a lot.

    Comment by Denny | March 13, 2007

  3. @mustaqim

    Sharing bandwidth over a wireless link is the same as limiting bandwidth over cable, because the bandwidth limit is per IP address; just use a simple queue, it's easier

    Comment by itemjabrik | March 16, 2007

  4. @Denny

    If you use the settings from the Mikrotik security section above, outsiders won't be able to use your Mikrotik, because the network restriction set on "input" only allows the internal network and not subnets outside it

    Comment by itemjabrik | March 16, 2007

  5. wow, thanks, this helped me learn more about Mikrotik ^^

    if possible, please teach me how to switch to pulling bandwidth from ISP B when the connection from ISP A goes down, and vice versa. thanks. gbu

    Comment by rendy | March 26, 2007

  6. hello, I'd like to get acquainted and also ask about a Mikrotik problem. The topology is: isp–mikrotik–proxy–client
    bandwidth shaping is on the Mikrotik; please enlighten me on how to set up Mikrotik so that when a client accesses data that is in the proxy cache it is not shaped (unlimited), while accessing data that is not in the proxy is limited. thank you

    Comment by Yohanes | March 27, 2007

  7. come on, you won't even teach your own friend? I've been poking at it until my head spins :P

    Comment by yohanes | March 27, 2007

  8. I use Mikrotik 2.7; why, when a client uses Outlook Express to receive email whose authorization uses SSH (like gmail), does it always error?

    Comment by ndoel | April 8, 2007

  9. @Yohaness
    So the client is not shaped, you have to add a static route pointing to the client, sir, so that outbound traffic from the client is recognised directly by the router; it also depends on the topology you apply.

    Comment by itemjabrik | April 10, 2007

  10. @ndoel
    If anything involving authorization always errors, try raising the priority of the https application so it is served first, or you can also reduce the MTU of the interface, for example to 576

    Comment by itemjabrik | April 10, 2007

  11. Boss, how do I block ads in Mikrotik? I already have the ad-server list from http://pgl.yoyo.org/as/. How can I avoid making rules one by one and instead have a rule that refers to the ad-server list? Thanks in advance

    Comment by mohenjox | April 13, 2007

  12. thanks for the info..

    [QUOTE]
    Assign an IP address to both LAN cards:
    [admin@warnet] >ip address add interface=modem address= ( Diisi IP address dari ISP ) / netmask
    [admin@warnet] >ip address add interface=lokal address= 192.168.0.1/255.255.255.0
    [/QUOTE]

    btw, if the IP from the ISP is dynamic, how do you set it up?
    I use Speedy, you see..

    thank you..

    Comment by newbie | May 26, 2007

  13. greetings :)
    do you have a YM ID so we can share knowledge
    may your knowledge benefit you and others :)

    Comment by kivlin | September 17, 2007

  14. Ah… a lot of this article is the same as elsewhere… maybe you copied it…. plagiarism is forbidden… even a kindergarten kid knows that. shame on you with the title of UNIVERSITY STUDENT…..

    Comment by hawa | October 13, 2007

  15. Dear all,

    I'm a beginner with Mikrotik, please help me. I've already divided bandwidth per IP, but sometimes a client changes their IP so they slip past the control :(, the question is….
    how do I block IPs other than those already set in Mikrotik's BW Management, so that even if they change their IP they still can't connect to the network except with the IP they were given? thanks

    Comment by EKO | October 18, 2007

  16. I installed Mikrotik but I don't know how to set up SNMP, any suggestions? waiting. thanks

    Comment by sawoenk | November 10, 2007

  17. I've set up Mikrotik but it still can't connect; it can ping, but only by IP address (numbers), it can't ping a domain (yahoo.com). please help……… thanks

    Comment by andi | January 6, 2008

  18. hi,, I'm a Mikrotik beginner. I want to ask how to split access from two ISPs for use by users, so the router can decide which access a user uses; for example browsing via ISP A and online games via ISP B. thanks for the answer.. :)

    Comment by n'cup | February 15, 2008

  19. [...] February 2, 2007 Posted by itemjabrik | Mikrotik | | 18 Comments [...]

    Pingback by Setting Mikrotik « setting mikrotik | June 18, 2008

  20. yep

    Comment by abdul | August 15, 2008

  21. [...] = http://crypt0gr4phy.wordpress.com/2007/02/02/setting-mikrotik/ [...]

    Pingback by Setting Mikrotik « Dokumentasi Seorang Geek | November 3, 2008

  22. [...] Source [...]

    Pingback by SETTING MICROTIK | December 14, 2008

  23. thankssssss boss, if I'm still confused later can I consult you

    mikroter

    Rohminan

    Comment by roh minan | March 22, 2009

  24. Nice blog post, a good read, I'll be bookmarking this.

    Comment by Stuart | May 22, 2009

  25. awesome, man…..
    thank you
    ….the explanation is clearer here…
    hehehe….

    Comment by milanvortex | September 27, 2009

  26. Thanks for the tutorial……….

    Comment by Irsad | January 18, 2010

  27. wow, thanks bro, now I understand how to set up Mikrotik, thanks a lot bro..

    Comment by EDI KURNIAWAN | April 1, 2010

  28. ugh.,.I don't quite understand the method above
    please teach a method that's easier to understand
    thank's

    Comment by sam | September 3, 2010

