www.catatanteknisi.

com
catatan tentang belajar mikrotik by: teknisi_gaptek

MIKROTIK BASIC CONFIGURATION

1. Memberi Nama Router

/system identity set name=RouterKu.

2. Melihat Interface yang terpasang

/interface print

3. Memberi Nama pada Interface Ethernet

/interface ethernet set ether1 name=Public

/interface Ethernet set ether2 name=Local

/interface set 0 name=Public

/interface set 1 name=Local

[admin@RouterKu] / interface > set 0 name=Public; set 1 name=Local

4. Memberi IP Address pada interface Public dan Local

/ip address add address=192.168.67.100/24 interface=Public

/ip address add address=167.16.10.100/24 interface=Local

5. Mengganti IP Address pada interface Local (1)

/ip address remove 1

/ip address add address=172.16.10.100/24 interface=Local

6. Tes Ping ke komputer Local ( IP=172.16.10.1/24) dan ke gateway (192.168.67.2/24)

[admin@RouterKu] > ping 172.16.10.1

-Hasil OK berarti koneksi antara interface sudah benar.

7. Menambahkan default gateway

-tes ping dari komputer client ke IP Address Interface Public (192.168.67.10) OK
-tambahkan default gateway

/ ip route add dst-address=0.0.0.0/0 gateway=192.168.67.2

Atau

/ip route add gateway=192.168.67.2

8. Menambahkan NAT Masquerade

- tes ping dari komputer client ke Gateway (192.168.67.2) RTO
-tambahkan NAT Masquerade, chain=srcnat bukan src-nat
- chain srcnat, process trafict sent from and trough the router
- action masquerade, change packet’s source address, router address and specified port,
typically hide specific LAN resource behind one dynamic IP Address.

1
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

/ip firewall nat add chain=srcnat out-interface=Public action=masquerade

-lakukan tes ping lagi dari computer client ke gateway (192.168.67.2) OK
-lakukan tes ping dari router ke google.com  tidak bisa
- lakukan tes ping dari router ke 74.125.235.52  OK
-lakukan tes ping dari computer client ke 74.125.235.52  OK
- buka browser dengan alamat 74.135.235.52  OK

9. Menambahkan Primary DNS dan Secondary DNS

/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-

request=yes

-cek ping ke google.com  OK

-cek ping dari computer client ke google  OK
- ganti allow-remote-request=no

/ip dns set allow-remote-request=no

-cek ping dari computer client ke google  masih bisa ????

10. Menambahkan DHCP Server packet

1. Buat IP Pool

/ip pool add name = ippool1 ranges= 172.16.10.1-172.16.10.10

2. Setup DHCP Server

/ip dhcp-server add interface=Local address=ippool1

3. Setup Netwok; Gateway, DNS Server,..

/ip dhcp-server network add address=172.16.10.0/24 gateway=172.16.10.100 s=dns-

server=203.78.115.222

11. Membackup & Restore System configuration

/system backup save name=Backup1

/system backup load name=Backup1 atau=Backup1.backup

12. User Management

1. Change Passsword
[admin@RouterKu] > password
Old password:
New password:
Retype new password:
2. Add User
[admin@RouterKu] > user
[admin@RouterKu] user > add user name=Raihan group=read

2
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

MIKROTIK ROUTEROS FIREWALL

Buat 3 interface di RouterKu:

- Public, 192.168.67.10/24 (seting NAT-vmware)
- Local, 172.16.10.100/24 (lan segment)
- Bridge, 192.168.10.100/24 (seting Bridge-vmware)
Install 1 buah Virtual PC dengan IP 172.16.10.1/24 (lan segment)
PC yang kita gunakan IP 192.168.10.200/24

1. Chain & Action

Firewall filter rules are organized in chains
There are default and user-defined chains
There are three default chains
input – processes packets sent to the router
output – processes packets sent by the router
forward – processes packets sent through the router
Every user-defined chain should subordinate to at least one of the default chains

2. Chain Input
Protecting the router – allowing only necessaryservices from reliable source addresses with
agreeable load

Protecting Your Router

To deny access to router to the router via Telnet (TCP port 23)

/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

Setup Packet Filtering to protect router

/ip firewall add chain=input connection-state=invalid action=drop comment="Drop

Invalid connections"

Create 3 rules to ensure that only connectionstate new packets will proceed through the
input filter
Drop all connection-state invalid packets
Accept all connection-state established packets
Accept all connection-state related packets

Create 2 rules to ensure that only you will be able to connect to the router
Accept all packets from your laptop IP
Drop everything else

3. Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers

3
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

Protecting Your Customer

Block IP addreses called "bogons":

add chain=forward src-address=0.0.0.0/8 action=drop

add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

Create tcp chain and deny some tcp ports in it:

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"

add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Deny udp ports in udp chain:

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"

Allow only needed icmp codes in icmp chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop

invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow
established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow
already established connections"
add chain=icmp action=drop comment="deny all other types"

Create 3 rules to ensure that only connectionstate new packets will proceed through the
chain forward (same as in the Chain Input Lab)

Create rules to close most popular ports of viruses

Drop TCP and UDP port range 137-139
Drop TCP and UDP port 445

4. Condition: Connection State

Connection state is a status assigned to each packet by conntrack system:
New – packet is opening a new connection
Related – packet is also opening a new connection, but it is in some kind of relation
to an already established connection
Established – packet belongs to an already known connection
Invalid – packet does not belong to any of the known connections
Connection state ≠ TCP state

5. Address List
Firewall address lists allow user to create lists of IP addresses grouped together. Firewall
filter, mangle and NAT facilities can use address lists to match packets against them.

4
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

The address list records could be updated dynamically via the action=add-src-to-
address-list or action=add-dst-to-address-list items found in NAT mangle and filter
facilities.

The following example creates an address list of people thet are connecting to port 23
(telnet) on the router and drops all further traffic from them. Additionaly, the address list
will contain one static entry of address=192.0.34.166/32 (www.example.com):

/ip firewall address-list add list=drop_traffic address=192.0.34.166/32

/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 action=add-
src-to-address-list address-list=drop_traffic
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic

6. NAT Type
As there are 2 IP addresses and ports in an IP packet header, there are 2 types of NAT .
1. which rewrites source IP address and/or port is called source NAT (src-nat)
- performed on packet that are originated from natted network
- a NAT router replace the private source address of an IP packet with anew public IP
Address as it travel trough the router.

2. which rewrites destination IP address and/or port is called destination NAT (dst-nat)
- performed on packet that a destined to the natted network,
- it’s most commonly used to make ahost on private network to be accessible from
internet

7. Firewall NAT Structure

Firewall NAT rules are organized in chains, There are two default chains
dstnat – processes traffic sent to and through the router, before it divides in to
“input” and “forward” chain of firewall filter.
srcnat – processes traffic sent from and through the router, after it merges from
“output” and “forward” chain of firewall filter.

There are also user-defined chains, Firewall NAT rules process only the first packet of
each connection (connection state “new” packets)

8. NAT Action (6 specific action NAT)

1. dst-nat and redirect
2. src-nat and masquarade
3. netmap
4. same

9. Source NAT Action

Action “src-nat” changes packet's source address and/or port to specified address
and/or Port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind specific public IP address

10. Masquerade Action

5
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

Action “masquerade” changes packet's source address router's address and specified
port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind one dynamic public IP
address
11. Destination NAT Action
Action “dst-nat” changes packet's destination address and port to specified address
and port
This action can take place only in chain dstnat
Typical application: ensure access to local network services from public network

12. Redirect NAT Action

Action “redirect” changes packet's destination address to router's address and
specified port
This action can take place only in chain dstnat
Typical application: transparent proxying of network services (DNS,HTTP)

13. Netmap & Same

Netmap - creates a static 1:1 mapping of one set of IP addresses to another one.
Often used to distribute public IP addresses to hosts on private networks
Same - gives a particular client the same source/destination IP address from the
supplied range for any connection. Used for services that expect constant IP address
for multiple connections from the same client

14. DNS Chache

DNS cache is used to minimize DNS-requests to an external DNS server as well as to minimize
DNS resolution time. This is a simple recursive DNS server without any local items. DNS protocol
is described in RFC1035 and related documents

The MikroTik router with DNS cache feature enabled can be set as primary DNS server for any
DNS-compliant clients. Moreover, MikroTik router can be specified as primary DNS server under
its dhcp-server settings. When the DNS cache is enabled, the MikroTik router responds to DNS
requests on TCP and UDP ports 53. Make sure you do not block this port in the firewall setup!

The DNS cache feature is included in the dns-cache package. The package file dns-
cache-2.6.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To
install the package, please upload it with ftp in BINARY mode to the router and reboot.

Use the /system package print command to see the list of installed packages.

DNS Cache Setup

DNS cache management can be accessed under the /ip dns-cache submenu. DNS client
configuration (accessible under /ip dns submenu) is not required. To enable DNS cache, use the
set command, for example:

ip dns-cache> set enabled=yes dns-server=159.148.60.2

[admin@MikroTik] ip dns-cache> print

enabled: yes

6
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

size: 512
dns-server: 159.148.60.2

enabled - defines whether DNS cache (TCP and UDP port 53) is enabled or not
size - maximum number of entries in the cache
dns-server - parent DNS server that is used to resolve requests absent in the cache
1. Mengakases Web Local dari Internet
Assume we have moved the server in our previous examples from the public network to
our local one:

The server's address is now 192.168.0.4, and we are running web server on it that listens to
the TCP port 80. We want to make it accessible from the Internet at address:port
10.0.0.217:80.
This can be done by means of Static Network Address translation (NAT) at the MikroTik
Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port
192.168.0.4:80. One destination NAT rule is required for translating the destination address
and port:

1. Tambahkan sebuah komputer (10.0.0.2) yang terhubung dengan interface Public

2. Beri IP Address untuk masing-masing interface router
3. Set default gateway :
/ip route add gateway=192.168.10.1

4. Set DSTNAT
/ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp
dst-address=10.0.0.217/32 dst-port=80 to-addresses=192.168.0.4

ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic

7
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

0 chain=dstnat dst-address=10.0.0.217/32 protocol=tcp dst-port=80

action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535

dstnat – processes traffic sent to and through the router

dst-nat - changes packet's destination address and port to specified address and port

5. Instal XAMPP di komputer 192.168.0.4

6. Dari komputer (IP Public) 10.0.0.2/24 , buka browser ketik alamat 10.0.0.1

LAB 01
TOPOLOGI JARINGAN

8
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

Setting MikroTik Router R0

2. Add IP Address
/ip address add address=192.168.67.10/24 interface=ether1
/ip address add address=10.0.0.1/24 interface=ether2

3. Add default gateway

-tes ping ke 192.168.67.2  Repply
-tes ping ke 74.125.235.48  no route to host
-add gateway

/ip route add gateway=192.168.67.2

-tes ping ke 74.125.235.48  Repply

4. Add DNS
-tes ping ke google.com  invalid value
- add dns

/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-

request=yes

-tes ping ke google.com  Repply

5. Set IP Address di Komputer XP0 (server) = 10.0.0.4/24 dns=203.78.115.215

-ping ke Router (R0) - 10.0.0.1  Repply
- 192.168.67.10  Repply

6. Agar Komputer XP0 (server) bisa internetan, gunakan SRCNAT-Masquerade

/ip firewall add chain=srcnat out-interface=ether1 action=masquerade

-coba browsing dari komputer XP0  OK

Seting MikroTik Router R1

1. Add IP Address:
/ip address add address=10.0.0.217/24 interface=ether1
/ip address add address=192.168.0.254/24 interface=ether2

2. Add default gateway:

/ip route add gateway=10.0.0.1

3. Add DNS

9
www.catatanteknisi.com
catatan tentang belajar mikrotik by: teknisi_gaptek

/ip dns set primary-dns=203.78.115.215 secondary-dns=203.78.115.222 allow-remote-

request=yes

4. Add SRCNAT-MASQUERADE
/ip firewall add chain=srcnat out-interface=ether1 action=masquerade

5. Set IP Address dan DNS komputer Client XP1

IP Address : 192.168.0.1/24
DNS : 203.78.115.215 - 203.78.115.222

Agar Server di Jaringan Local bisa di akses dari jaringan Public

1. Install XAMPP di komputer XP1 (192.168.0.1)

2. Seting DSTNAT

/ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp

dst-address=10.0.0.0/24 dst-port=80 to-addresses=192.168.0.1

3. Buka Komputer XP0

-ping ke 192.168.0.1  No Repply
-buka browser ketik: 10.0.0.217  Tampil Web Server XP1

dstnat – processes traffic sent to and through the router

dst-nat - changes packet's destination address and port to specified address and port

Setup DHCP-Server (Install DHCP Server di Router R1)

1. Buat IP Pool terlebih dahulu

/ip pool add name=MyPool range=192.168.0.1-192.168.0.10

2. Add DHCP Network

/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.254

3. Add DHCP Server

/ip dhcp-server add name=MyDHCP interface=ether2 address-pool=MyPool disable=no

10