Mikrotik Commands
Commands used:
1. Commands to shut down and restart the computer; type:
[admin@MikroTik]>system shutdown (to shut down the computer)
[admin@MikroTik]>system reboot (to restart the computer)
[admin@MikroTik]>system reset (to reset the configuration made earlier)
Note that these commands must be run from the admin directory.
For example, if the old password is empty and the new password is ABCD, the commands are as follows:
[admin@proxy]>/password
[admin@proxy]password>old password
[admin@proxy]password>new password ABCD
[admin@proxy]password>retype new password ABCD
Example: if the ISP's primary DNS IP is 202.134.1.10 and the secondary is 202.134.0.155, the commands are as follows:
[admin@proxy]>/ip dns
[admin@proxy] ip dns> set primary-dns=202.134.1.10
[admin@proxy] ip dns> set secondary-dns=202.134.0.155
Example: if the LAN interface network ID is "192.168.0.0" with subnet mask "255.255.255.0", and the interface of the MikroTik OS machine connected to the WAN network is "public", the commands are as follows:
[admin@proxy]>/ip firewall nat
[admin@proxy] ip firewall nat> add chain=srcnat out-interface=public \
src-address=192.168.0.0/24 action=masquerade
/interface print
- Create an IP pool:
/ip pool add name=ippool1 ranges=172.16.10.1-172.16.10.10
10. Create a connection mark (mark-connection) that will later be used to sort packets.
11. Create a packet mark (mark-packet) for the queue, derived from the connection mark.
/ip firewall filter add chain=virus protocol=udp dst-port=135 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=137 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=138 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=135 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=139 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=5933 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="Confiker" disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=4691 action=drop comment="Confiker" disabled=no
These rules live in a custom chain named virus, so they only see traffic once a rule in the built-in forward (or input) chain hands it over with action=jump jump-target=virus.
Continued...
1. Checking the state of the interfaces on the Mikrotik router:
[admin@MikroTik]> interface print
If an interface shows X (disabled) after its number (0, 1), check the Ethernet card again; it should show R (running).
a. Renaming an interface
[admin@MikroTik]> interface (Enter)
d. Or, from the root directory, prefix the command with "/" (without the quotes):
[admin@MikroTik]> /interface set 0 name=Public
3. - Renaming the hostname
The Mikrotik router is renamed to make configuration easier; in this step the server name is changed to "myrouter".
4.1 - IP Address
4.2 - Gateway
[admin@myrouter]> ip firewall nat add chain=srcnat out-interface=Public action=masquerade
c. Test access to a domain, for example by pinging a domain name.
After this step the connection can be checked from the local network; if it works, the Mikrotik router has been installed successfully as a gateway server. Once connected, the Mikrotik can be managed with WinBox, which can be downloaded from Mikrotik.com or from our own router. For example, if the Mikrotik server's IP address is 192.168.0.30, open http://192.168.0.30 in a browser. The browser shows a web page with several menus; find the "Download WinBox" link there and save the file to the local hard drive. Run WinBox and enter the IP address, username and password.
5. - DHCP Server
DHCP stands for Dynamic Host Configuration Protocol, a service that lets IP addresses on a network be assigned from a central server, so client PCs do not need their IP address configured by hand. DHCP lets an administrator manage the IP addressing of the clients.
ip dhcp-server setup
dhcp server interface = {interface used}
dhcp address space = {network to be served by DHCP}
gateway for dhcp network = {gateway IP}
addresses to give out = {range}
dns servers = {DNS server}
lease time = {duration of the lease granted}
b. Add the DHCP network and the gateway that will be handed out to clients. In this example the network is 192.168.0.0/27 and the gateway is 122.168.0.30.
c. Add the DHCP server (in this example the DHCP server is bound to the Local interface):
X 0 dhcp1 Local
The X flag means the DHCP server is not yet enabled; it must first be enabled, as in step e:
/ip dhcp-server enable 0
For example:
D:\> ping www.yahoo.com
6. - Transparent Proxy Server
A proxy server is a program that can speed up access to web pages that another computer has already requested, because they are held in the proxy server's cache. A transparent proxy simplifies client management, because the system administrator does not need to configure a proxy in each client's browser; the redirection is done automatically on the server.
Sample configuration
-------
a. Web proxy settings
/ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 \
hostname="proxy.myrouter.com" transparent-proxy=yes \
parent-proxy=0.0.0.0:0 cache-administrator="support@myrouter.com" \
max-object-size=131072KiB cache-drive=system max-cache-size=unlimited \
max-ram-cache-size=unlimited
The command:
---------------------------
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 \
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080 \
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=8080
---------------------------
As written, these redirect rules match matching requests arriving on any interface, not only those from the LAN; adding in-interface=Local to each rule limits the redirection to local clients.
7. - Bandwidth Management
QoS plays an important role in providing good service to clients. For that we need bandwidth management for each data flow that passes through, so that the bandwidth is divided fairly. RouterOS also includes a software package for managing bandwidth.
Below is a traffic-shaping (bandwidth management) configuration using the Simple Queue method. As the name implies this queue type is simple, but it has a weakness: bandwidth sometimes leaks, or the bandwidth shown in the monitor is not the real value. For 10 clients this queue type is not a problem.
It is assumed there are 15 clients, and each client is given a minimum bandwidth of 8kbps and a maximum of 48kbps, while the total bandwidth is 192kbps. No rule is given for upstream, meaning each client can use the maximum upstream bandwidth. Note the priority parameter: the priority range in Mikrotik is eight, from 1 to 8, where priority 1 is the highest and priority 8 the lowest.
Because the commands above are in command-line form, they can also be copied and pasted into the Mikrotik console. Check the current path (active directory) first; paste only when the directory position is at the root:
-----------------------
Terminal vt102 detected, using multiline input mode
[admin@MikroTik]>
----------------------
Another bandwidth-management option is to have Mikrotik share the bandwidth equally, for example 256kbps downstream and 256kbps upstream. If 10 clients are accessing the link, each automatically gets an upstream and downstream share of 256kbps divided by 10, so each can get 25.6 kbps. If only 2 clients are accessing it, each can get 128kbps.
For this the PCQ (Per Connection Queue) type is used, which divides the traffic per client automatically. The queue types in Mikrotik are described in the manual at http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php.
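To make the two sharing schemes concrete, here is an added Python model (written for this page, not code from the page or from RouterOS) of how bandwidth is divided in the Simple Queue scenario above (15 clients, 8kbps minimum, 48kbps maximum, 192kbps total, priorities 1 to 8) and in the PCQ scenario (256kbps split equally among the clients currently active). It assumes that clients of equal priority share leftover bandwidth equally, which is a simplification of RouterOS's HTB behaviour.

```python
def allocate_simple_queue(total_kbps, clients):
    """Model of Simple Queue sharing (a simplification of RouterOS HTB).

    clients: list of (limit_at, max_limit, priority), priority 1..8 with
    1 the highest.  Every client first receives its limit-at (guaranteed
    rate); the leftover is then handed to priority-1 clients, then
    priority 2, ... each group being water-filled equally up to each
    member's max-limit."""
    alloc = [float(limit_at) for limit_at, _, _ in clients]
    remaining = total_kbps - sum(alloc)
    if remaining < 0:
        raise ValueError("sum of limit-at exceeds the total bandwidth")
    for prio in range(1, 9):
        group = [i for i, c in enumerate(clients) if c[2] == prio]
        while group and remaining > 1e-9:
            share = remaining / len(group)
            still_hungry = []
            for i in group:
                give = min(clients[i][1] - alloc[i], share)  # never exceed max-limit
                alloc[i] += give
                remaining -= give
                if clients[i][1] - alloc[i] > 1e-9:
                    still_hungry.append(i)
            group = still_hungry
    return alloc


def pcq_share(total_kbps, active_clients, pcq_rate=0):
    """PCQ: the link is divided equally among the clients currently active
    (one sub-queue per classifier address); pcq-rate, if non-zero, caps
    each sub-queue.  Idle clients do not consume a share."""
    if active_clients <= 0:
        return 0.0
    per_client = total_kbps / active_clients
    return min(per_client, pcq_rate) if pcq_rate else per_client


if __name__ == "__main__":
    # The page's figures: 15 clients, 8kbps guaranteed, 48kbps ceiling, 192kbps total.
    print(allocate_simple_queue(192, [(8, 48, 8)] * 15))  # 12.8 kbps each
    print(allocate_simple_queue(192, [(8, 48, 8)] * 3))   # 48.0 each, 48kbps left unused
    print(pcq_share(256, 10), pcq_share(256, 2))           # 25.6 and 128.0
```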
-----------------------
/ip firewall mangle add chain=forward src-address=192.168.0.0/27 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add chain=forward connection-mark=users-con action=mark-packet \
new-packet-mark=users
------------------------
Because no PCQ queue type exists yet, it must be added, and two PCQ types are needed. The first, named pcq-download, classifies all traffic by destination address; this is the traffic passing through the Local interface, so all download/downstream traffic for the 192.168.0.0/27 network is shared automatically.
The second PCQ type, called pcq-upload, classifies all upstream traffic by source address; this is the traffic passing through the Public interface, so all upload/upstream traffic originating from the 192.168.0.0/27 network is shared automatically.
Command:
-------------------------
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
-------------------------
Once the PCQ types and the mangle rules are added, the traffic-division rules follow. A queue tree is used:
-------------------------
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
-------------------------
The commands above assume that the bandwidth received from the Internet provider fluctuates. If we are confident of the bandwidth received, for example 256kbps downstream and 256kbps upstream, then additional rules are used, such as:
Example configuration
-------------------------
/tool graphing
set store-every=5min
/tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
-------------------------
The commands above produce a graph of the traffic passing through both the Public and Local interfaces, stored every 5 minutes. The allow-address parameter sets which addresses may view the MRTG graphs; 0.0.0.0/0 as used here allows any address, so narrow it to the addresses that need access.
9. - Security in Mikrotik
After the configuration above is in place, we must not forget the security of this Mikrotik gateway machine. Several facilities are available; here the firewall is discussed.
The firewall facility is similar to iptables on GNU/Linux, with some commands simplified but still efficient.
There are several packet-handling tables: mangle, nat and filter.
-------------------------
[admin@myrouter] ip firewall> ?
.. - Go up to the ip
mangle / - The packet marking management
nat / - Network Address Translation
connection / - Active Connections
filter / - Firewall filters
address-list / -
service-port / - Service port management
export -
-------------------------
Because the firewall filter parameters are extensive, the discussion of firewall filters can be found in the Mikrotik manual at http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
The configuration below can block some Trojans, viruses and backdoors that have been identified by their port numbers and protocols. It is also configured to withstand flooding from the Public and Local networks, and it provides access-control rules so that only certain network ranges can remotely access specific Mikrotik services on our machine.
To find out which services are active on the Mikrotik machine we need to scan its ports; services that are not needed are better turned off.
----------------------------
[admin@myrouter]> ip service
[admin@myrouter] ip service> print
Flags: X - disabled, I - invalid
  #   NAME      PORT  ADDRESS      CERTIFICATE
X 0   telnet    23    0.0.0.0/0
  1   ftp       21    0.0.0.0/0
  2   www       80    0.0.0.0/0
  3   ssh       22    0.0.0.0/0
  4   www-ssl   443   0.0.0.0/0    none
[admin@myrouter] ip service>
----------------------------
Services that are not needed are disabled by item number; for example, to disable ftp (item 1):
---------------------------
[admin@myrouter] ip service> set 1 disabled=yes
---------------------------
Using the nmap tool we can check which ports are active on the gateway machine that has been configured.
Results:
-----------------------------
Starting Nmap 4.20 (http://insecure.org) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]
Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 Appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp open domain?
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3128/tcp open http-proxy Squid webproxy 2.5.STABLE11
3986/tcp open mapper-ws_ethd?
8080/tcp open http-proxy Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service / version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi:
-------------------------
From the scan results we can conclude which services and ports are active: FTP, identified as MikroTik router ftpd 2.9.27; SSH, OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99, meaning the server still accepts SSH protocol 1 as well as 2); and the web proxy, Squid webproxy 2.5.STABLE11.
Of course, the vendor must patch any holes or vulnerabilities in the protocol versions above.
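As an added check that ties the /ip service print table and the nmap scan above together (written for this page, not part of the original), this Python script parses a copy of each listing, reports enabled services that send credentials in clear text, lists open ports that no enabled /ip service explains, and emits the disable/restrict commands. The two sample listings are constructed from the page's own output, and <MGMT-NET>/<PREFIX> is a placeholder for your management network.

```python
import re

# Constructed samples modelled on the page's "/ip service print" table and on
# a subset of the nmap service-scan lines (not captured from a live router).
SERVICE_PRINT = """\
 #   NAME     PORT  ADDRESS     CERTIFICATE
X 0  telnet   23    0.0.0.0/0
  1  ftp      21    0.0.0.0/0
  2  www      80    0.0.0.0/0
  3  ssh      22    0.0.0.0/0
  4  www-ssl  443   0.0.0.0/0   none
"""
NMAP_OUTPUT = """\
21/tcp   open  ftp        MikroTik router ftpd 2.9.27
22/tcp   open  ssh        OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
80/tcp   open  http       MikroTik router http config
2000/tcp open  callbook?
8080/tcp open  http-proxy Squid webproxy 2.5.STABLE11
"""
PLAINTEXT = {"telnet", "ftp", "www"}  # management services that send credentials unencrypted
# One table row; the X/I flag column may sit before or after the item number.
ROW = re.compile(r"^\s*(?:([XI]+)\s+)?(\d+)\s+(?:([XI]+)\s+)?([\w-]+)\s+(\d+)\s+(\S+)")

def parse_services(text):
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        flags = (m.group(1) or "") + (m.group(3) or "")
        rows.append({"num": int(m.group(2)), "name": m.group(4), "port": int(m.group(5)),
                     "address": m.group(6), "enabled": "X" not in flags})
    return rows

def parse_nmap_open_ports(text):
    """Map open TCP port -> nmap service name from 'NNN/tcp open svc ...' lines."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def audit(service_text, nmap_text):
    services = parse_services(service_text)
    open_ports = parse_nmap_open_ports(nmap_text)
    enabled_ports = {s["port"] for s in services if s["enabled"]}
    plaintext, fixes = [], []
    for s in [s for s in services if s["enabled"]]:
        if s["name"] in PLAINTEXT:
            plaintext.append(s["name"])
            fixes.append(f"/ip service set {s['num']} disabled=yes")
        elif s["address"] == "0.0.0.0/0":  # reachable from any address: restrict it
            fixes.append(f"/ip service set {s['num']} address=<MGMT-NET>/<PREFIX>")  # placeholder
    # Open ports that no enabled /ip service explains (e.g. the web proxy on 8080) need a separate look.
    unaccounted = sorted(p for p in open_ports if p not in enabled_ports)
    return {"plaintext_enabled": plaintext, "unaccounted_ports": unaccounted, "remediation": fixes}
```

Call `audit(SERVICE_PRINT, NMAP_OUTPUT)` to get the findings for the constructed samples; feed it the real print and nmap text to audit a router.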
In practice there are several tools that can be used for network troubleshooting, such as ping, traceroute, ssh and so on. Some tools that are often used in day-to-day administration are:
o Telnet
o SSH
o Traceroute
o Sniffer
a. Telnet
Remote access to a machine works much the same as with the telnet found on Linux or Windows.
A glance at the command above shows which parameters are available; for example, the remote machine has IP address 192.168.0.21 and port 23.
Use of telnet should be limited to specific circumstances for security reasons; as we know, data sent via telnet is not encrypted. To be safer we use SSH.
b. SSH
Like telnet, this command is used to reach a remote machine, and its parameters are in principle the same as those of the command on Linux and Windows.
The SSH parameters differ slightly from telnet: looking at its help, it has an additional user parameter.
--------------------------
[admin@myrouter]> system ssh ?
The SSH feature can be used with Various SSH Telnet clients to securely connect
to and administrate the router
-
user - User name
port - Port number
[admin@myrouter]>
--------------------------
--------------------------
[admin@myrouter]> system ssh 66.213.7.30 user=root
root@66.213.7.30's password:
--------------------------
c. Traceroute
To learn which routers or hops a packet passes through until it reaches its destination, we usually use traceroute. With this tool the path a packet takes can be analysed.
Suppose we want to know the path packets take to the yahoo server:
--------------------------
[admin@myrouter]> tool traceroute yahoo.com
     ADDRESS            STATUS
 1   63.219.6.nnn       00:00:00 00:00:00 00:00:00
 2   222.124.4.nnn      00:00:00 00:00:00 00:00:00
 3   192.168.34.41      00:00:00 00:00:00 00:00:00
 4   61.94.1.253        00:00:00 00:00:00 00:00:00
 5   203.208.143.173    00:00:00 00:00:00 00:00:00
 6   203.208.182.5      00:00:00 00:00:00 00:00:00
 7   203.208.182.114    00:00:00 00:00:00 00:00:00
 8   203.208.168.118    00:00:00 00:00:00 00:00:00
 9   203.208.168.134    timeout  00:00:00 00:00:00
10   216.115.101.34     timeout  timeout  00:00:00
11   216.115.101.129    00:00:00 timeout  timeout
12   216.115.108.1      timeout  timeout  00:00:00
13   216.109.120.249    00:00:00 00:00:00 00:00:00
14   216.109.112.135    00:00:00 timeout  timeout
--------------------------
d. Sniffer
We can capture and tap the packets travelling on our network; this tool, provided by Mikrotik, is useful for analysing traffic.
--------------------------
[admin@myrouter]> tool sniffer
Packet sniffering
.. - Go up to tool
start - Start / reset sniffering
stop - Stop sniffering
save - Save currently sniffed packets
packet / - sniffed packets management
protocol / - Protocol management
host / - Host management
connection / - Connection management
print -
get - get value of property
set -
edit - edit the value of property
export -
--------------------------
To begin sniffing, use the start command; to stop it, use the stop command.