Mikrotik
MY REVIEW ABOUT MIKROTIK WORLD
REMOTE ADMINISTRATION
1. FTP Client and FTP Server
2. MAC Telnet and MAC Winbox
3. Serial Console
IP ADDRESS AND ROUTING
1. Setting IP address
2. Routing Static
3. Routing Dynamic OSPF and BGP
4. Routing Loadbalancing
VIRTUAL PRIVATE NETWORK
1. EoIP
2. IP Security
3. IPIP Tunnel
4. L2TP Tunnel
5. PPPoE
6. PPTP
7. VLAN
FIREWALL AND QoS
1. Bandwidth Management
2. Filtering
3. IP address-List
4. Mangle
5. NAT
6. Packet Flow
7. Knowing Services, Protocols and Ports
PNP NETWORK
1. DHCP Server and Relay
2. DNS Client and Cache
3. Hotspot Gateway
4. HTTP Proxy / Open Proxy
5. NTP Server and Client
6. System Resource Management
DIAGNOSTIC TOOLS
1. Bandwidth Tools
2. ICMP Bandwidth Estimation
3. Packet Sniffer
4. Ping, Torch and Traceroute
MONITORING AND AUTHENTICATION
1. Graphing like MRTG
2. Hotspot User AAA
3. IP Accounting
4. PPP User AAA
5. Router User AAA
6. Log Management
Mikrotik Hotspot and User Manager
Several steps to build a hotspot and user-manager system
1. Rename the ethernet interfaces: LAN, LOCAL, INT
[admin@test-Router] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R lan ether 0 0 1500
1 R int ether 0 0 1500
2 R local ether 0 0 1500
[admin@Fery-Router] >
2. Set the IP address on each of the three interfaces
[admin@test-Router] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.8.8.45/24 10.8.8.0 10.8.8.255 local
1 192.168.10.1/24 192.168.10.0 192.168.10.255 lan
2 202.47.77.24x/28 202.47.77.240 202.47.77.255 int
[admin@test-Router] >
3. Set the IP routes / gateways
[admin@test-Router] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 r 10.8.8.1 1 local
1 A S 0.0.0.0/0 r 202.47.77.24x 1 int
2 ADC 10.8.8.0/24 10.8.8.45 0 local
3 ADC 192.168.10.0/24 192.168.10.1 0 lan
4 ADC 202.47.77.240/28 202.47.77.249 0 int
[admin@test-Router] >
4. Set DNS
[admin@test-Router] > ip dns print
primary-dns: 202.47.78.8
secondary-dns: 202.47.78.9
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 21KiB
[admin@test-Router] >
5. Set NAT / masquerading
[admin@test-Router] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade
1 chain=srcnat action=masquerade src-address=192.168.10.0/24
2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.10.0/24
[admin@test-Router] >
6. Enter the 'nice' address-list
7. Mark connections and mark routing
[admin@test-Router] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=mark-connection new-connection-mark=mark-local-con passthrough=yes dst-address-list=nice
1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-local-con
[admin@test-Router] >
8. Mark the gateway
9. Test traceroute to local and international sites
10. Set up the hotspot system [ACTIVATE HOTSPOT SYSTEM]
11. Activate RADIUS in the hotspot server profile [use-radius = yes]
12. Add the RADIUS client
services = hotspot
address = 202.47.77.24x [the IP where the RADIUS server / user-manager lives]
secret = 123456 [the secret must match the one in user-manager]
SETTING UP USER-MANAGER [THE PACKAGE IS TREATED AS SEPARATE FROM THE HOTSPOT SYSTEM]
1. install the user-manager package
2. create a user-manager account
[admin@MikroTik] > tool user-manager customer add login="man" password="password" permissions=owner
3. to access user-manager go to >> http://202.47.77.24x/userman
username = user
password = password
4. router settings
name = test-router
ip address = 202.47.77.24x [the router's own IP address; 127.0.0.1 also works]
secret = 123456 [this secret must match the one on the router]
OK
5. add user accounts so clients can reach the hotspot system
>> more complete account settings
6. study the user-manager application menus
user-manager can also be used for RouterOS logins
1. configure user AAA on the RouterOS side
/user aaa set use-radius=yes
2. the permissions of the default group must be full
/user aaa set default-group=full
3. set the RADIUS IP and the secret; they must match user-manager
/radius add service=login address=202.47.77.24x secret=123456
4. test logging in with a user-manager [RADIUS] account
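The hotspot RADIUS steps (10-12 above) and the RouterOS-login steps (1-4 just above) as one set of CLI commands. This is an added example, not the notes' own commands: it assumes the hotspot server profile is called "hsprof1" (the name the setup wizard creates), that User Manager runs on this router so 127.0.0.1 is used as the RADIUS address, and it uses placeholder secrets and passwords that must be replaced with long random values.

```routeros
# Added example, not the notes' own commands: the hotspot and the RouterOS login
# both authenticating against the RADIUS server in User Manager. Assumes the
# hotspot server profile is "hsprof1" (the name the setup wizard creates) and that
# User Manager runs on this router, so 127.0.0.1 is used; the shared secret is a
# placeholder, use a long random value, and the same value goes into User Manager.

# 11. hotspot server profile: authentication (and accounting) go to RADIUS
/ip hotspot profile set hsprof1 use-radius=yes radius-accounting=yes

# 12. RADIUS client entry for the hotspot service
/radius add service=hotspot address=127.0.0.1 secret="CHANGE-ME-long-random-secret" \
    comment="User Manager, hotspot logins"

# RouterOS login through the same server (the "user AAA" steps of the notes).
# default-group applies to every RADIUS user that carries no Mikrotik-Group
# attribute: the notes use "full"; "read" is the safer fallback, and the
# operators who need more are promoted per user in User Manager.
/radius add service=login address=127.0.0.1 secret="CHANGE-ME-long-random-secret" \
    comment="User Manager, router logins"
/user aaa set use-radius=yes default-group=read

# Keep a local emergency admin so a RADIUS outage does not lock you out
/user add name=break-glass group=full password="CHANGE-ME-long-random-password"

# Verification: log the RADIUS exchanges while testing the first login,
# then remove the logging rule again
/system logging add topics=radius action=memory
/log print
```

The router itself is registered in User Manager through the web interface as in step 4 of the notes, with the same shared secret. Using 127.0.0.1 keeps the RADIUS traffic off the network entirely; when User Manager lives on another box, restrict the RADIUS port to that host in the input chain, because the shared secret is all that protects the exchange.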
MIKROTIK QoS [bandwidth management]
Simple Queue
To use a simple queue:
- enable max-limit
- upload = 256k
- download = 256k
Simple Queue with Burst
1. enable max-limit
- target address = host address
= max-limit
>> upload = 64k
>> download = 256k
= burst-limit
>> upload = 128k
>> download = 256k
= burst-threshold
>> upload = 32k
>> download = 64k
= burst-time
>> 20 sec
Queue With Dual Limitation
1. Parent Queue
> enable the parent queue
- name = main_queue
- max-limit = 256k / 256k
> advanced tab = optional
Combine the simple queue with burst by adding the dual limitation or the parent queue [main_queue]
Simple Queue With Time
1. run the Simple Queue with Burst
2. enable a time range for the limit
- office_hours
- after_office_hours
- holiday
Graphing Traffic
1. works the same way as MRTG
Queue Disciplines [Schedulers and Shapers]
1. Scheduler
> limits the number of waiting packets
2. Traffic Shaper
> controls the data-flow speed and can also do scheduling tasks
1. examples of scheduler queues:
- BFIFO, PFIFO | byte- or packet-based
- RED, SFQ
2. examples of shaper queues:
- PCQ, HTB
What is:
1. RED?
2. SFQ?
3. PCQ?
Per Connection Queue [PCQ]
1. memory-consumptive
2. does not limit the number of sub-flows
PCQ algorithm
1. If limit-at and max-limit are set to 0, the sub-queues can take all the bandwidth available at the parent, meaning they share all of it equally.
PCQ example
MARKING
1. mark-connection
- chain = forward
- src-address = 192.168.10.0
- out-interface = WAN
- action = mark-connection
- new-connection-mark = pcq-con
- passthrough = yes
2. mark-packet
- chain = forward
- connection-mark = pcq-con
- action = mark-packet
- new-packet-mark = pcq-packet
- passthrough = no
Create a new PCQ type
1. >> Queue >> Queue-Type >> add
- name = pcq-download
- kind = pcq
- rate = 32k
- limit = 50
- total limit = 2000
- dst-address = yes
Make a queue for download traffic
1. >> Queue >> Queue Tree >> add
- name = client-download
- parent = local
- packet-mark = pcq-packet
- queue-type = pcq-download
- priority = 8
## the same steps make the UPLOAD traffic queue
>> to make a PCQ with no limit
>> PCQ with no rate
rate = 0
max-limit = 256k
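The PCQ example above (marking, queue type, queue tree) as CLI commands, with the upload side the notes leave as "the same steps" filled in. This is an added example, not the notes' own configuration; it assumes the client-facing interface is "lan" and the ISP-facing one is "WAN" (the notes hang the download queue under "local"), and RouterOS 6 parameter names.

```routeros
# Added example, not the notes' own configuration: PCQ fair sharing for the
# 192.168.10.0/24 LAN with a queue tree. Assumes interface names "WAN" (toward
# the ISP) and "lan" (toward the clients); the notes put the download queue
# under the parent "local", so adjust the parent= lines to your interfaces.

# 1. mark connections from the LAN on their way out, then mark every packet of
#    those connections in both directions (passthrough=no ends mangle processing)
/ip firewall mangle add chain=forward src-address=192.168.10.0/24 out-interface=WAN \
    action=mark-connection new-connection-mark=pcq-con passthrough=yes
/ip firewall mangle add chain=forward connection-mark=pcq-con \
    action=mark-packet new-packet-mark=pcq-packet passthrough=no

# 2. two PCQ types: download is classified per destination address, upload per
#    source address. pcq-rate=32k caps each sub-queue; pcq-rate=0 (the "PCQ with
#    no rate" case) lets each sub-queue take whatever share of max-limit is free.
/queue type add name=pcq-download kind=pcq pcq-rate=32k pcq-limit=50 pcq-total-limit=2000 pcq-classifier=dst-address
/queue type add name=pcq-upload   kind=pcq pcq-rate=32k pcq-limit=50 pcq-total-limit=2000 pcq-classifier=src-address

# 3. queue tree: the download leaf hangs off the client-facing interface, the
#    upload leaf off the WAN-facing one; max-limit is the size of the pipe
/queue tree add name=client-download parent=lan packet-mark=pcq-packet queue=pcq-download max-limit=256k priority=8
/queue tree add name=client-upload   parent=WAN packet-mark=pcq-packet queue=pcq-upload   max-limit=256k priority=8

# check: byte and packet counters per leaf show whether traffic is being classified
/queue tree print stats
```

One packet mark serves both directions because the direction is decided by the interface each leaf is attached to. If the counters of both leaves stay at zero, the mangle rules are not matching: check the interface name in out-interface= and whether the traffic is NATed before the forward chain sees it.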
HTB State
*********
1. GREEN
>> at or below limit-at
2. YELLOW
>> above limit-at
3. RED
>> past limit-at
>>> HTB attributes
- limit-at
- max-limit
- priority
Example of advanced bandwidth management:
Suppose we buy 128 kbps of bandwidth;
how much bandwidth should each host be given?
1. Create a parent simple queue = the total bandwidth obtained
Name = TOTAL-BANDWIDTH
max-limit = upload=128k | download=128k
Advanced
interface = lan
limit-at = 32k / 32k
2. Create a queue for each host
name = host_A
target address = 192.168.10.5 [host IP]
max-limit = 32k / 32k
Advanced
interface = lan
limit-at = 8k / 8k
queue-type = BAGI-RATA / BAGI-RATA
parent = TOTAL-BANDWIDTH
3. Create the PCQ queue type
name = BAGI-RATA
kind = pcq
rate = 16k >> when traffic is saturated everyone gets an equal 16k
limit = 20
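The "Simple Queue with Burst", "Queue With Dual Limitation", "Simple Queue With Time" sections and the advanced bandwidth-management example above, combined into one CLI configuration. This is an added example, not the notes' own commands; the names, rates and the host address are the notes' own, but it assumes RouterOS 6 syntax (target= instead of the older target-addresses= and interface= fields) and separate PCQ types per direction, which goes slightly beyond the notes' single BAGI-RATA type.

```routeros
# Added example, not the notes' own commands: burst, dual limitation, time
# ranges and the per-host PCQ sharing of the notes as one configuration.
# Assumes RouterOS 6 (target= replaces the "Advanced > interface" field) and
# a 128k pipe shared among hosts in 192.168.10.0/24.

# 3. PCQ types, one per direction because the classifier differs. pcq-rate=16k
#    is what every sub-stream gets once the parent is saturated; pcq-limit=20 is
#    the per-sub-queue packet limit. (The notes use one type for both directions.)
/queue type add name=BAGI-RATA    kind=pcq pcq-rate=16k pcq-limit=20 pcq-classifier=dst-address
/queue type add name=BAGI-RATA-UP kind=pcq pcq-rate=16k pcq-limit=20 pcq-classifier=src-address

# 1. parent queue = the purchased 128k pipe; limit-at is the guaranteed part
/queue simple add name=TOTAL-BANDWIDTH target=192.168.10.0/24 \
    max-limit=128k/128k limit-at=32k/32k

# 2. per-host child with dual limitation (limit-at / max-limit) and a burst:
#    burst-limit must exceed max-limit and burst-threshold must stay below it.
#    The time= range makes this copy valid during office hours only.
/queue simple add name=host_A parent=TOTAL-BANDWIDTH target=192.168.10.5/32 \
    max-limit=32k/32k limit-at=8k/8k queue=BAGI-RATA-UP/BAGI-RATA \
    burst-limit=64k/64k burst-threshold=16k/16k burst-time=20s/20s \
    time=8h-17h,mon,tue,wed,thu,fri comment="office_hours"

# "Simple Queue With Time": copies of the same host with looser limits that are
# valid only in the other windows, so exactly one host_A queue applies at a time.
# Each range is kept within one calendar day.
/queue simple add name=host_A_after_hours parent=TOTAL-BANDWIDTH target=192.168.10.5/32 \
    max-limit=64k/64k limit-at=8k/8k queue=BAGI-RATA-UP/BAGI-RATA \
    time=17h-1d,mon,tue,wed,thu,fri comment="after_office_hours"
/queue simple add name=host_A_holiday parent=TOTAL-BANDWIDTH target=192.168.10.5/32 \
    max-limit=64k/64k limit-at=8k/8k queue=BAGI-RATA-UP/BAGI-RATA \
    time=0s-1d,sat,sun comment="holiday"

# check: queues outside their time window carry the I (invalid) flag, and the
# child limits must never add up to more than the parent's max-limit
/queue simple print
```

The parent's limit-at (32k) is what the children are guaranteed as a group; each child's limit-at (8k) is the share it is guaranteed inside that, and anything above is handed out by priority and then by the PCQ type. When more than eight hosts are added with limit-at=8k, the guarantees exceed the parent's 128k and HTB can no longer honour them, which shows up as the children staying in the yellow or red state.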
MIKROTIK VIRTUAL PRIVATE NETWORK
PPTP and L2TP
PPP
PPTP Server: (PPTP server enabled=yes)
Add Secret: (username, password and service = pptp or l2tp)
Profile (Default): (set the local address, remote address and DNS)
Then test the VPN client from the Windows New Connection Wizard (the usual "Next, Next" routine)
>> The difference in settings required for an L2TP client is:
Windows 2000 automatically creates an IPsec policy if an L2TP/IPsec VPN link is established. The IPsec policy requires that you install computer certificates on both the Routing and Remote Access VPN server and the VPN client. You can obtain certificates from a Microsoft Certificate server or from a third-party provider.
If you are a security administrator, you may want to disable the default automatic L2TP/IPsec policy because an established Public Key Infrastructure (PKI) is not present. You may also want to disable the automatic IPsec policy for testing purposes. You can establish pure L2TP tunnels if you disable the policy. However, these tunnels are not secure because IPsec is responsible for tunnel security.
Disable the automatic L2TP/IPsec policy:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. On the Edit menu, click Add Value.
4. Type prohibitipsec in the Value Name box, click REG_DWORD in the Data Type box, and then click OK.
5. Type 1 in the Data box, and then click OK.
6. Quit Registry Editor, and then restart the computer.
MIKROTIK WIRELESS CONFIGURATION
POINT TO MULTIPOINT
BASE STATION SIDE
Interfaces
- eth1
- wlan
- bridge1
wlan settings
radio-name = nama_radio_base
mode = AP-Bridge
ssid = rahasia_21
band = 5GHz
freq = 5180
Security Profile = Amankan_dong
Default Authentication = yes
Default Forward = yes
wds settings
wds mode = dynamic
wds default bridge = bridge1
Security Profile settings
name = Amankan_dong
mode = dynamic keys
WPA-PSK = yes
WPA2-PSK = yes
WPA pre-shared key = test-dong-passwd
WPA2 pre-shared key = test-dong-passwd
Bridging settings
interfaces to bridge
- eth1
- wlan
- wds
IP settings
interface that gets the IP address
bridge = 10.17.10.10
CLIENT SIDE
Interfaces
- eth1
- wlan
- bridge
wlan settings
radio-name = nama_radio_client_remote
mode = station_wds
ssid = rahasia_21
band = 5GHz
freq = 5180
Security Profile = Amankan_dong
Default Authentication = yes
Default Forward = yes
wds settings
wds mode = dynamic
wds default bridge = bridge1
Security Profile settings
name = Amankan_dong
mode = dynamic keys
WPA-PSK = yes
WPA2-PSK = yes
WPA pre-shared key = test-dong-passwd
WPA2 pre-shared key = test-dong-passwd
Bridging settings
- eth1
- wlan
IP settings
interface that gets the IP address
bridge = 10.17.10.11
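Both sides of the point-to-multipoint WDS bridge above as CLI commands. This is an added example, not the notes' own configuration; the SSID, radio names, bridge name and addresses are the ones the notes use, the pre-shared key is a placeholder, and it assumes RouterOS 6 parameter names (band=5ghz-a, a wireless card called wlan1 and an ethernet port called ether1).

```routeros
# Added example, not the notes' own configuration: WDS point-to-multipoint
# bridge, base station first, then one client. Assumes RouterOS 6, 5 GHz cards
# named wlan1, the LAN port named ether1, and a placeholder pre-shared key.

# ---------------- base station ----------------
/interface bridge add name=bridge1
/interface wireless security-profiles add name=Amankan_dong mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key="CHANGE-ME-long-passphrase" wpa2-pre-shared-key="CHANGE-ME-long-passphrase"
/interface wireless set wlan1 radio-name=nama_radio_base mode=ap-bridge ssid=rahasia_21 \
    band=5ghz-a frequency=5180 security-profile=Amankan_dong \
    default-authentication=yes default-forwarding=yes \
    wds-mode=dynamic wds-default-bridge=bridge1 disabled=no
# eth1 and wlan go into the bridge by hand; the "wds" member of the notes is the
# dynamic WDS interface that wds-default-bridge adds to bridge1 automatically
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=10.17.10.10/24 interface=bridge1

# ---------------- client (remote station) ----------------
/interface bridge add name=bridge1
/interface wireless security-profiles add name=Amankan_dong mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key="CHANGE-ME-long-passphrase" wpa2-pre-shared-key="CHANGE-ME-long-passphrase"
/interface wireless set wlan1 radio-name=nama_radio_client_remote mode=station-wds ssid=rahasia_21 \
    band=5ghz-a frequency=5180 security-profile=Amankan_dong \
    wds-mode=dynamic wds-default-bridge=bridge1 disabled=no
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=10.17.10.11/24 interface=bridge1

# check on either side: the registration table lists the peer with its
# negotiated key type, and the WDS interface appears as a dynamic bridge port
/interface wireless registration-table print
/interface bridge port print
/ping 10.17.10.10 count=3
```

Only the aes-ccm ciphers are enabled, so a client offering TKIP is refused. default-forwarding=yes is what the notes choose; setting it to no on the base station stops ordinary (non-WDS) stations from talking to each other through the AP, which is usually what you want on a multipoint link that only carries the remote sites' traffic.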
SETTING UP THE HOTSPOT SYSTEM ON MANY VLANS
1. RENAME THE INTERFACES
- LAN
>> add sub-interfaces VLAN100
VLAN200
VLAN30
- LOCAL
- INT
2. SET THE IP ADDRESSES OF THE 3 INTERFACES AND THE VLAN SUB-INTERFACES
3. SET THE GATEWAY
4. SET DNS
5. SET NAT / MASQUERADING
6. ADD THE FIREWALL ADDRESS-LIST
7. ADD MARK-CONNECTION
8. ADD MARK-ROUTING
9. SET THE GATEWAY >> MARK-ROUTING
10. TEST TRACERT TO LOCAL AND INTERNATIONAL SITES
11. ACTIVATE AND ADD USER-MANAGER USER LOGINS
12. SET RADIUS =
- LOGIN
- HOTSPOT
- POINT AT THE RADIUS SERVER IP
13. SET UP USER-MANAGER
ADD ROUTER
- ROUTER GATEWAY IP ADDRESS
- SECRET MUST MATCH THE ROUTER
ADD HOTSPOT USERS
14. ACTIVATE THE HOTSPOT SYSTEM ON THE INTERFACES
- VLAN100 >> 192.168.100.1/24
- VLAN200 >> 192.168.200.1/24
- VLAN30 >> 192.168.30.1/24
15. CONFIGURE EACH SWITCH PORT TO JOIN THE DESIRED VLAN
16. THE ROUTER PORT CONNECTED TO THE SWITCH IS
THE LAN INTERFACE, BECAUSE THE VLANS SIT UNDER THIS INTERFACE.
IF IT IS TO BE DISTRIBUTED TO ANOTHER SWITCH, CREATE A TRUNK
|SWITCH|-----------trunking------------|SWITCH|
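Steps 1, 2, 5, 12 and 14 of the multi-VLAN hotspot procedure above as CLI commands. This is an added example, not the notes' own configuration; it assumes the switch-facing interface is "LAN", the trunk carries VLAN IDs 100, 200 and 30, User Manager's RADIUS runs on this router (127.0.0.1), RouterOS 6.36 or later (interface lists), and that the profile name, pool names and shared secret are placeholders to change.

```routeros
# Added example, not the notes' own commands: three hotspot servers on VLAN
# sub-interfaces under "LAN", all authenticating against User Manager's RADIUS.
# Assumes RouterOS 6.36+, User Manager on this router, placeholder names/secret.

# 1. VLAN sub-interfaces on LAN (the switch port toward LAN is a trunk)
/interface vlan add name=VLAN100 vlan-id=100 interface=LAN
/interface vlan add name=VLAN200 vlan-id=200 interface=LAN
/interface vlan add name=VLAN30  vlan-id=30  interface=LAN

# 2. gateway address for each VLAN
/ip address add address=192.168.100.1/24 interface=VLAN100
/ip address add address=192.168.200.1/24 interface=VLAN200
/ip address add address=192.168.30.1/24  interface=VLAN30

# 5. masquerade each hotspot network
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 action=masquerade
/ip firewall nat add chain=srcnat src-address=192.168.200.0/24 action=masquerade
/ip firewall nat add chain=srcnat src-address=192.168.30.0/24  action=masquerade

# 12. RADIUS client for hotspot logins and one hotspot profile shared by all servers
/radius add service=hotspot address=127.0.0.1 secret="CHANGE-ME-long-random-secret"
/ip hotspot profile add name=hs-radius use-radius=yes login-by=http-chap

# 14. address pool, DHCP server and hotspot server per VLAN (this is what the
#     interactive /ip hotspot setup wizard creates for one interface)
/ip pool add name=pool-100 ranges=192.168.100.10-192.168.100.254
/ip pool add name=pool-200 ranges=192.168.200.10-192.168.200.254
/ip pool add name=pool-30  ranges=192.168.30.10-192.168.30.254
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1
/ip dhcp-server network add address=192.168.30.0/24  gateway=192.168.30.1  dns-server=192.168.30.1
/ip dhcp-server add name=dhcp-100 interface=VLAN100 address-pool=pool-100 disabled=no
/ip dhcp-server add name=dhcp-200 interface=VLAN200 address-pool=pool-200 disabled=no
/ip dhcp-server add name=dhcp-30  interface=VLAN30  address-pool=pool-30  disabled=no
/ip hotspot add name=hs-vlan100 interface=VLAN100 address-pool=pool-100 profile=hs-radius disabled=no
/ip hotspot add name=hs-vlan200 interface=VLAN200 address-pool=pool-200 profile=hs-radius disabled=no
/ip hotspot add name=hs-vlan30  interface=VLAN30  address-pool=pool-30  profile=hs-radius disabled=no

# The router forwards between the three VLANs by default; when the groups must
# not reach each other, drop inter-VLAN traffic explicitly
/interface list add name=hotspot-vlans
/interface list member add list=hotspot-vlans interface=VLAN100
/interface list member add list=hotspot-vlans interface=VLAN200
/interface list member add list=hotspot-vlans interface=VLAN30
/ip firewall filter add chain=forward in-interface-list=hotspot-vlans \
    out-interface-list=hotspot-vlans action=drop comment="no traffic between hotspot VLANs"

# check: one server per VLAN, each with its own pool
/ip hotspot print
```

Putting the VLANs under one trunk means a client that can tag its own frames only reaches the VLAN the switch port admits, so step 15 (the per-port VLAN membership on the switch) is what actually keeps the three groups apart; the drop rule above then covers the routed path on the router.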
Separating the Local and International Gateways
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN
1 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL
[admin@MikroTik] > system identity set name="test-Router"
[admin@test-Router] > ip address add address=202.47.77.xx/28 interface=INT disabled=no
[admin@test-Router] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN
1 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL
2 202.47.77.24x/24 202.47.77.24x 202.47.77.255 INT
[admin@test-Router] >
[admin@test-Router] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL
1 ADC 192.168.10.0/24 192.168.10.1 0 LAN
2 ADC 202.47.77.0/24 202.47.77.xxx 0 INT
[admin@test-Router] > ip route add gateway=202.47.77.xx
[admin@test-Router] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 r 202.47.77.24x 1 INT
1 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL
2 ADC 192.168.10.0/24 192.168.10.1 0 LAN
3 ADC 202.47.77.0/24 202.47.77.24x 0 INT
[admin@test-Router] > ip route add gateway=10.8.8.1
[admin@test-Router] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 r 202.47.77.24x 1 INT
1 S 0.0.0.0/0 r 10.8.8.1 1 LOCAL
2 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL
3 ADC 192.168.10.0/24 192.168.10.1 0 LAN
4 ADC 202.47.77.0/24 202.47.77.24x 0 INT
[admin@test-Router] > ip dns set primary-dns=202.47.78.8 allow-remote-requests=yes
[admin@test-Router] > ip dns set secondary-dns=202.47.78.9 allow-remote-requests=yes
[admin@test-Router] > ip firewall nat add chain=srcnat dst-address
dst-address dst-address-list dst-address-type
[admin@test-Router] > ip firewall nat add chain=srcnat dst-address=192.168.10.0/24 action=masquerade
[admin@test-Router] > ip firewall nat add chain=srcnat out-interface=LOCAL action=masquerade
[admin@test-Router] > ip firewall nat add chain=srcnat out-interface=INT action=masquerade
[admin@test-Router] >
[admin@test-Router] > ip firewall nat print all
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade dst-address=192.168.10.0/24
1 chain=srcnat action=masquerade out-interface=LOCAL
2 chain=srcnat action=masquerade out-interface=INT
[admin@test-Router] >
[admin@test-Router] > ip firewall mangle add chain=output
new-connection-mark=mark-con-local dst-address-list=nice action=mark-connection
[admin@test-Router] > ip firewall mangle add chain=output connection-mark=mark-con-local
action=mark-routing new-routing-mark=mark-routing-local
[admin@test-Router] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=mark-connection new-connection-mark=mark-con-local passthrough=yes dst-address-list=nice
1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-con-local
[admin@test-Router] >
[admin@test-Router] > tool traceroute www.yahoo.com
ADDRESS STATUS
1 202.47.68.249 1ms 1ms 1ms
2 202.47.79.35 2ms 1ms 1ms
3 202.93.245.153 23ms 26ms 22ms
4 121.52.62.193 20ms 20ms 22ms
5 202.152.245.165 23ms 23ms 22ms
6 202.152.245.130 27ms 27ms 25ms
7 203.208.192.45 61ms 27ms 25ms
8 203.208.182.1 27ms 22ms 27ms
9 0.0.0.0 timeout timeout timeout
[admin@test-Router] > tool traceroute www.kompas.co.id
ADDRESS STATUS
1 202.47.79.69 1ms 1ms 1ms
2 202.47.79.212 4ms 5ms 5ms
3 218.100.27.147 4ms 4ms 6ms
4 202.146.5.33 5ms 5ms 5ms
[admin@test-Router] >
[admin@test-Router] > tool traceroute www.google.com
ADDRESS STATUS
1 202.47.68.249 1ms 2ms 1ms
2 202.47.79.35 1ms 1ms 1ms
3 202.93.245.153 23ms 23ms 21ms
4 121.52.62.193 22ms 21ms 20ms
5 202.152.245.165 23ms 26ms 22ms
6 202.152.245.130 24ms 21ms 24ms
7 203.208.192.45 21ms 24ms 21ms
8 203.208.182.1 20ms 25ms 22ms
9 203.208.182.110 27ms 23ms 23ms
10 203.208.149.166 21ms 56ms 60ms
11 0.0.0.0 timeout timeout timeout
[admin@test-Router] >
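The policy-routing pieces that the hotspot steps 6-9 and the capture above describe, written out as CLI commands, including the "mark the gateway" route the notes list but never show. This is an added example, not the notes' own commands: the notes' mangle rules sit in the output chain, which only affects traffic the router itself originates (enough for the traceroutes above, not for hosts behind it), so prerouting rules for LAN clients are added as well. It assumes RouterOS 6 (routing-mark=), interfaces LOCAL (domestic link, gateway 10.8.8.1) and INT (international link, gateway 202.47.77.241), and uses documentation-range placeholders in place of the real "nice" prefix list.

```routeros
# Added example, not the notes' own commands: address-list, mark-connection,
# mark-routing and the routing-mark routes for a domestic/international split.
# Assumes RouterOS 6, LOCAL = domestic link via 10.8.8.1, INT = international
# link via 202.47.77.241; the "nice" entries below are placeholder prefixes.

# 6. address-list of domestic destinations (placeholders, replace with the real list)
/ip firewall address-list add list=nice address=203.0.113.0/24 comment="placeholder domestic prefix"
/ip firewall address-list add list=nice address=198.51.100.0/24 comment="placeholder domestic prefix"

# 7./8. LAN clients: mark new connections toward "nice" in prerouting, then give
#       every packet of those connections the routing mark
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 dst-address-list=nice \
    connection-state=new action=mark-connection new-connection-mark=mark-con-local passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=mark-con-local \
    action=mark-routing new-routing-mark=mark-routing-local passthrough=no

# the same pair in the output chain for the router's own traffic (what the notes show)
/ip firewall mangle add chain=output dst-address-list=nice \
    action=mark-connection new-connection-mark=mark-con-local passthrough=yes
/ip firewall mangle add chain=output connection-mark=mark-con-local \
    action=mark-routing new-routing-mark=mark-routing-local passthrough=no

# 9. "mark the gateway": marked traffic leaves through the domestic link; unmarked
#    traffic takes the international link, with the domestic link as backup
/ip route add dst-address=0.0.0.0/0 gateway=10.8.8.1 routing-mark=mark-routing-local comment="nice -> LOCAL"
/ip route add dst-address=0.0.0.0/0 gateway=202.47.77.241 distance=1 comment="default -> INT"
/ip route add dst-address=0.0.0.0/0 gateway=10.8.8.1 distance=15 comment="backup -> LOCAL"

# one masquerade rule per uplink so the source address always matches the exit interface
/ip firewall nat add chain=srcnat out-interface=LOCAL action=masquerade
/ip firewall nat add chain=srcnat out-interface=INT action=masquerade

# 10. check: a listed destination should show the 10.8.8.1 hop first,
#     an unlisted one the 202.47.77.241 hop
/tool traceroute 203.0.113.1 count=1
/tool traceroute 8.8.8.8 count=1
```

The connection mark is set only on connection-state=new, so the rule is evaluated once per flow and the cheaper connection-mark match does the work for every later packet. Keep the address-list current from an authoritative source; an out-of-date list silently sends domestic traffic over the international link, which is only a cost problem, but a list that someone can append to lets them steer chosen destinations onto the link of their choice.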
TECHNIQUES FOR BACKING UP THE MIKROTIK CONFIGURATION
Backup management is one of the most vital parts of running a router: imagine a fairly complex router configuration suddenly breaking. The solution Mikrotik offers is a backup process.
Backups can be taken manually and can also be automated on a schedule and sent by e-mail.
Here are several backup techniques:
1. MANUAL BACKUP
2. MANUAL BACKUP SENT TO YOUR E-MAIL ADDRESS
3. BACKUP USING A SCRIPT
4. AUTOMATIC / SCHEDULED BACKUP USING A SCRIPT
Here are the steps for a manual backup and for an automatic backup using a script:
1. MANUAL BACKUP
[admin@test-dev] > system backup save-backup
Saving system configuration
Configuration backup saved
[admin@test-dev] >
1. Check the resulting backup file
[admin@test-dev] > file print
11 test-backup.backup backup 40347 feb/17/2008 13:19:53
[admin@test-dev] >
2. Test by loading the backup file just created
[admin@test-dev] > system backup load-backup
Restore and reboot? [y/N]: y
Restoring system configuration
System configuration restored, rebooting now
[admin@test-dev] >
The router will restart and the backup file replaces the previous configuration
2. MANUAL BACKUP SENT TO YOUR E-MAIL ADDRESS
[admin@test-dev] > tool e-mail send to=dubian_si@yahoo.com server="xx.xx.xx.xx"
from=jack@yahoo.com file=test-backup.backup
subject=backup-mikrotik
server="202.xx.xx.xx" is the SMTP server address of the ISP in use
3. BACKUP USING A SCRIPT
1. set the SMTP server for e-mail
[admin@test-dev] > tool e-mail set server=202.47.78.55 from=jack@yahoo.com
2. create a script that sends the backup by e-mail
[admin@test-dev] > system script
add name="backup_mail" source="/system backup save name=test-backup\n/tool \
e-mail send file=test-backup.backup to=\"dubian_si@yahoo.com\" body=\"Lihat File Backup System Mikrotik\" \
subject=([/system identity get name] . \" \" . [/system clock get time] . \" \" . [/system clock get date] . \" Backup\")\n"
[admin@test-dev] >
3. Run backup_mail
[admin@test-dev] system script> run backup_mail
[admin@test-dev] system script>
4. Check the mailbox; if the file arrived, the scripted backup worked
5. DONE
4. AUTOMATIC / SCHEDULED BACKUP USING A SCRIPT
1. Create a simple scheduler entry that runs the backup every week
[admin@test-dev] > system scheduler add name="jadwal_backup_by-email" on-event="backup_mail"
start-date=feb/17/2008 start-time=07:30:00 interval=7d
comment="" disabled=no
[admin@test-dev] > system scheduler print
Flags: X - disabled
# NAME ON-EVENT START-DATE START-TIME INTERVAL RUN-COUNT
0 jadwal_backup_by-email feb/17/2008 07:30:00 1w 0
[admin@test-dev] >
2. Create the weekly backup script, advanced version:
[admin@test-dev] > /system script add name=backup-mingguan source={/system backup save name=([/system identity get name] . "-" . \
[:pick [/system clock get date] 7 11] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6]); \
/tool e-mail send to="dubian_si@yahoo.com" subject=([/system identity get name] . " Backup " . \
[/system clock get date]) file=([/system identity get name] . "-" . [:pick [/system clock get date] 7 11] . \
[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . ".backup"); :delay 10; \
/file remove [/file find name=([/system identity get name] . "-" . [:pick [/system clock get date] 7 11] . \
[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . ".backup")]; \
:log info ("System Backup emailed at " . [/system clock get time] . " " . [/system clock get date])}
Script notes:
1. the backup name is the router's system identity plus the date and time
2. it is assumed the SMTP mail settings already exist and the e-mail is sent to dubian_si@yahoo.com
3. once the e-mail has been sent, the router waits 10 seconds and then automatically deletes the backup file it created,
to save space on the router
4. the system log is told that the e-mail was sent successfully
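The weekly e-mailed backup above, rebuilt so the .backup file is encrypted before it leaves the router and the SMTP session uses STARTTLS: a .backup file carries the router's credentials, and in the notes' version it travels in clear over port 25 and then sits in a mailbox. This is an added example, not the notes' script; it assumes RouterOS 6.43 or later (encryption= on /system backup save, tls=starttls and address= on /tool e-mail), the classic mmm/dd/yyyy clock format the notes' :pick offsets rely on (RouterOS 7.10+ uses yyyy-mm-dd, which changes the offsets), and placeholder mail server, recipient and passphrases.

```routeros
# Added example, not the notes' script: the weekly backup with the file
# encrypted on the router and mailed over STARTTLS. Assumes RouterOS 6.43+,
# the mmm/dd/yyyy date format, and placeholder server/recipient/passphrases.

# SMTP submission with STARTTLS and authentication (placeholder values)
/tool e-mail set address=smtp.example.com port=587 tls=starttls \
    from=router@example.com user=router@example.com password="CHANGE-ME-smtp-password"

/system script add name=backup-weekly-enc policy=read,write,test,sensitive source={
    # yyyymmmdd stamp with no "/" characters, e.g. 2008feb17 (same :pick trick as the notes)
    :local d [/system clock get date];
    :local stamp ([:pick $d 7 11] . [:pick $d 0 3] . [:pick $d 4 6]);
    :local fname ([/system identity get name] . "-" . $stamp);

    # encrypted backup: without a passphrase the file contains credentials readable
    # by anyone who gets it from the mailbox, the mail server or the router's flash
    /system backup save name=$fname password="CHANGE-ME-backup-passphrase" encryption=aes-sha256;
    :delay 5;

    /tool e-mail send to="admin@example.com" subject=($fname . " encrypted backup") \
        file=($fname . ".backup");
    :delay 10;

    # remove the local copy, as the notes do, so old backups do not accumulate on the flash
    /file remove [find name=($fname . ".backup")];
    :log info ("encrypted backup " . $fname . " e-mailed");
}

/system scheduler add name=jadwal_backup_by-email on-event=backup-weekly-enc \
    start-time=07:30:00 interval=7d

# run it once by hand and confirm both the log line and the mailbox before
# trusting the schedule; a restore needs the same passphrase:
#   /system backup load name=<file> password="CHANGE-ME-backup-passphrase"
/system script run backup-weekly-enc
/log print
```

The passphrase has to be stored somewhere other than the router, because the whole point of the backup is to survive the router being lost; keep it with the rest of the recovery material. The :delay before the send gives the backup time to be written to flash, which on a slow board can take a few seconds.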
VPN USING MIKROTIK ROUTEROS
Here are the steps to set up a PPTP tunnel using Mikrotik:
1. set the identity name
2. set the IP addresses
3. set IP DNS
4. set IP routes
5. set NAT / masquerading
6. add the IP firewall address-list
7. mark-connection
8. mark-routing
9. mark the gateway
10. test traceroute
11. activate the PPTP server
- MTU 1460
- MRU 1460
>> PAP, CHAP, MSCHAP1, MSCHAP2
12. add a secret
- username = man
- password = password
- service = pptp
13. set the profile (default profile)
- local address = 10.0.0.1
- remote address = 10.0.0.2
- dns server = 202.47.78.8
= 202.47.78.9
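Steps 11-13 above (and the "PPTP Server / Add Secret / Profile" summary in the VPN section earlier) as CLI commands. This is an added example, not the notes' own commands: the user name, addresses and DNS servers are the ones the notes use, the passwords and the IPsec secret are placeholders, and it assumes RouterOS 6. The L2TP/IPsec part goes beyond the notes and shows the pre-shared-key variant that the Microsoft registry workaround above avoids having to disable.

```routeros
# Added example, not the notes' own commands: PPTP server (steps 11-13) and an
# L2TP/IPsec variant. Assumes RouterOS 6; passwords and the IPsec secret are
# placeholders that must be replaced.

# 11. PPTP server with the MTU/MRU from the notes; of the four methods the notes
#     list only MS-CHAPv2 is allowed, and the encrypting profile is the default
/interface pptp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    authentication=mschap2 default-profile=default-encryption

# 12. one secret per user; service= limits which tunnel type may use it
/ppp secret add name=man password="CHANGE-ME-user-password" service=pptp profile=default-encryption

# 13. profile: tunnel addresses and the DNS servers handed to the client. The
#     notes edit "default"; "default-encryption" is used here so that a client
#     that refuses encryption is refused rather than connected in the clear.
/ppp profile set default-encryption local-address=10.0.0.1 remote-address=10.0.0.2 \
    dns-server=202.47.78.8,202.47.78.9 change-tcp-mss=yes

# L2TP with IPsec required (the secure form the Microsoft note above refers to)
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-ipsec-psk" \
    authentication=mschap2 default-profile=default-encryption
/ppp secret add name=man-l2tp password="CHANGE-ME-user-password" service=l2tp profile=default-encryption

# check: a connected client appears here and as a dynamic <pptp-man> / <l2tp-man-l2tp>
# interface, which is also what the notes' "ip address print" capture shows
/ppp active print
/interface print where dynamic
```

PPTP's protection rests on MS-CHAPv2 and MPPE, which are far weaker than IPsec; it still appears here because the notes are about PPTP, but for anything that matters prefer the L2TP/IPsec server with use-ipsec=required (or certificates instead of the shared key) and leave the Windows IPsec policy enabled rather than applying the registry change above.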
Setting up the PC for the VPN
1. make sure you can ping the PPTP server's gateway
2. set up the VPN by pointing its IP address at the server gateway
3. log in with the username and password created earlier
Captured VPN configuration with separate local and international gateways
1. set the identity name
[admin@test-Router1] > system identity print
name: "test-Router1"
[admin@test-Router1] >
2. set the IP addresses
[admin@test-Router1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL
1 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN
2 202.47.77.249/28 202.47.77.240 202.47.77.255 INT
3 D 10.0.0.1/32 10.0.0.2 0.0.0.0 <pptp-test>
[admin@test-Router1] >
3. set IP DNS
[admin@test-Router1] > ip dns print
primary-dns: 202.47.78.8
secondary-dns: 202.47.78.9
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 20KiB
[admin@test-Router1] >
4. set IP routes
[admin@test-Router1] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 r 10.8.8.1 1 LOCAL
1 A S 0.0.0.0/0 r 202.47.77.241 15 INT
2 ADC 10.0.0.2/32 10.0.0.1 0 <pptp-test>
3 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL
4 ADC 192.168.10.0/24 192.168.10.1 0 LAN
5 ADC 202.47.77.240/28 202.47.77.249 0 INT
[admin@test-Router1] >
5. set NAT / masquerading
[admin@test-Router1] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade
[admin@test-Router1] >
7. mark-connection and 8. mark-routing
[admin@test-Router1] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=mark-connection new-connection-mark=mark-local-con passthrough=yes dst-address-list=nice
1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-local-con
[admin@test-Router1] >
11. activate the PPTP server
12. add a secret
[admin@test-Router1] > ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 man pptp password default
[admin@test-Router1] >
13. set the profile (default profile)
[admin@test-Router1] > ppp profile print
Flags: * - default
0 * name=”default” local-address=10.0.0.1 remote-address=10.0.0.2 use-compression=default use-vj-compression=default use-encryption=default
only-one=default change-tcp-mss=yes dns-server=202.47.78.8,202.47.78.9
1 * name=”default-encryption” use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes
[admin@test-Router1] >