www.catatanteknisi.com
Notes on learning MikroTik by: teknisi_gaptek
/interface print
Or
- ping again from the client computer to the gateway (192.168.67.2): OK
- ping from the router to google.com: fails
- ping from the router to 74.125.235.52: OK
- ping from the client computer to 74.125.235.52: OK
- open a browser with the address 74.135.235.52: OK
2. Chain Input
Protecting the router – allowing only the necessary services, from reliable source addresses, with an agreeable load.
Create 3 rules to ensure that only connection-state new packets proceed through the input filter:
Drop all connection-state invalid packets
Accept all connection-state established packets
Accept all connection-state related packets
Create 2 rules to ensure that only you will be able to connect to the router:
Accept all packets from your laptop IP
Drop everything else
3. Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers
Create 3 rules to ensure that only connection-state new packets proceed through the forward chain (the same three rules as in the Chain Input lab).
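The Chain Input and Chain Forward labs above, written out as RouterOS firewall filter rules. This is an added example, not code from the original notes; the admin laptop address 192.168.67.100 is an assumed placeholder.

```routeros
# Added example: Chain Input + Chain Forward labs as /ip firewall filter rules.
# 192.168.67.100 is an ASSUMED placeholder for the admin laptop; adjust it.
/ip firewall filter
# --- chain input: protect the router itself ---
# rules 1-3: only connection-state=new packets reach the rules that follow
add chain=input connection-state=invalid action=drop comment="input: drop invalid"
add chain=input connection-state=established action=accept comment="input: accept established"
add chain=input connection-state=related action=accept comment="input: accept related"
# rules 4-5: only the admin laptop may open new connections to the router
add chain=input src-address=192.168.67.100 action=accept comment="input: admin laptop"
add chain=input action=drop comment="input: drop everything else"
# --- chain forward: same three connection-state rules for transit traffic ---
add chain=forward connection-state=invalid action=drop comment="forward: drop invalid"
add chain=forward connection-state=established action=accept comment="forward: accept established"
add chain=forward connection-state=related action=accept comment="forward: accept related"
# check rule order and hit counters after adding them
/ip firewall filter print stats
```

Rules are matched top to bottom, so the laptop accept must sit above the final drop; enable Safe Mode (Ctrl-X in the terminal) before adding that drop so a mistake does not lock you out of the router.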
5. Address List
Firewall address lists allow the user to create lists of IP addresses grouped together. The firewall filter, mangle and NAT facilities can use address lists to match packets against them.
The address list records can be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in the NAT, mangle and filter facilities.
The following example creates an address list of people that are connecting to port 23 (telnet) on the router and drops all further traffic from them. Additionally, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
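The telnet address-list example described above, as added example code rather than the original notes' own listing; the list name drop_traffic and the one-day timeout are assumptions.

```routeros
# Added example: dynamic address list of hosts probing telnet (TCP/23) on the
# router, plus the static entry 192.0.34.166/32 (www.example.com).
# List name "drop_traffic" and timeout "1d" are ASSUMED values.
/ip firewall address-list
add list=drop_traffic address=192.0.34.166/32 comment="static: www.example.com"
/ip firewall filter
# any host that connects to telnet on the router is added to the list for one day;
# add-src-to-address-list is non-terminating, so the packet continues to the next rule
add chain=input protocol=tcp dst-port=23 action=add-src-to-address-list address-list=drop_traffic address-list-timeout=1d comment="tag telnet probes"
# all further traffic from listed addresses (static or dynamic) is dropped
add chain=input src-address-list=drop_traffic action=drop comment="drop listed hosts"
# dynamic entries show the D flag here and expire after the timeout
/ip firewall address-list print
```

Keep these two rules above the connection-state accepts if listed hosts should lose even their established sessions; place them below if only new connections should be dropped.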
6. NAT Type
As there are 2 IP addresses and ports in an IP packet header, there are 2 types of NAT.
1. NAT that rewrites the source IP address and/or port is called source NAT (src-nat)
- performed on packets that originate from the natted network
- a NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router.
2. NAT that rewrites the destination IP address and/or port is called destination NAT (dst-nat)
- performed on packets that are destined to the natted network,
- it’s most commonly used to make a host on a private network accessible from the Internet
There are also user-defined chains. Firewall NAT rules process only the first packet of each connection (connection-state “new” packets).
Action “masquerade” changes the packet's source address to the router's address and a specified port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind one dynamic public IP address
11. Destination NAT Action
Action “dst-nat” changes the packet's destination address and port to the specified address and port
This action can take place only in chain dstnat
Typical application: ensure access to local network services from public network
The MikroTik router with the DNS cache feature enabled can be set as the primary DNS server for any DNS-compliant clients. Moreover, the MikroTik router can be specified as the primary DNS server under its dhcp-server settings. When the DNS cache is enabled, the MikroTik router responds to DNS requests on TCP and UDP port 53. Make sure you do not block this port in the firewall setup!
The DNS cache feature is included in the dns-cache package. The package file dns-cache-2.6.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, upload it with ftp in BINARY mode to the router and reboot. Use the /system package print command to see the list of installed packages.
size: 512
dns-server: 159.148.60.2
enabled - defines whether DNS cache (TCP and UDP port 53) is enabled or not
size - maximum number of entries in the cache
dns-server - parent DNS server that is used to resolve requests absent in the cache
1. Accessing a Local Web Server from the Internet
Assume we have moved the server in our previous examples from the public network to
our local one:
The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80.
This can be done by means of static Network Address Translation (NAT) at the MikroTik router. The public address:port 10.0.0.217:80 will be translated to the local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:
4. Set DSTNAT
/ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp dst-address=10.0.0.217/32 dst-port=80 to-addresses=192.168.0.4
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
LAB 01
NETWORK TOPOLOGY
2. Add IP Address
/ip address add address=192.168.67.10/24 interface=ether1
/ip address add address=10.0.0.1/24 interface=ether2
4. Add DNS
- ping to google.com: invalid value
- add DNS
1. Add IP Address:
/ip address add address=10.0.0.217/24 interface=ether1
/ip address add address=192.168.0.254/24 interface=ether2
3. Add DNS
4. Add SRCNAT-MASQUERADE
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade