Mikrotik

MY REVIEW ABOUT MIKROTIK WORLD

REMOTE ADMINISTRATION

1. FTP Client and FTP Server

2. MAC Telnet and MAC Winbox

3. Serial Console

IP ADDRESS AND ROUTING

1. Setting IP Addresses

2. Static Routing

3. Dynamic Routing: OSPF and BGP

4. Routing Load Balancing

VIRTUAL PRIVATE NETWORK

1. EoIP

2. IP Security

3. IPIP Tunnel

4. L2TP Tunnel

5. PPPoE

6. PPTP

7. VLAN

FIREWALL AND QoS

1. Bandwidth Management

2. Filtering

3. IP Address List

4. Mangle

5. NAT

6. Packet Flow

7. Knowing Services, Protocols and Ports

PNP NETWORK

1. DHCP Server and Relay

2. DNS Client and Cache

3. Hotspot Gateway

4. HTTP Proxy / Open Proxy

5. NTP Server and Client

6. System Resource Management

DIAGNOSTIC TOOLS

1. Bandwidth Tools

2. ICMP Bandwidth Estimation

3. Packet Sniffer

4. Ping, Torch and Traceroute

MONITORING AND AUTHENTICATION

1. Graphing like MRTG

2. Hotspot User AAA

3. IP Accounting

4. PPP User AAA

5. Router User AAA

6. Log Management

Mikrotik Hotspot and User Manager

Some steps to build a hotspot system with User Manager

1. Rename the ethernet interfaces: LAN, LOCAL, INT

[admin@test-Router] > interface print

Flags: X - disabled, D - dynamic, R - running

# NAME TYPE RX-RATE TX-RATE MTU

0 R lan ether 0 0 1500

1 R int ether 0 0 1500

2 R local ether 0 0 1500

[admin@Fery-Router] >

2. Set an IP address on each of the three interfaces

[admin@test-Router] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 10.8.8.45/24 10.8.8.0 10.8.8.255 local

1 192.168.10.1/24 192.168.10.0 192.168.10.255 lan

2 202.47.77.24x/28 202.47.77.240 202.47.77.255 int

[admin@test-Router] >

3. Set the IP route / gateway

[admin@test-Router] > ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf,

B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 r 10.8.8.1 1 local

1 A S 0.0.0.0/0 r 202.47.77.24x 1 int

2 ADC 10.8.8.0/24 10.8.8.45 0 local

3 ADC 192.168.10.0/24 192.168.10.1 0 lan

4 ADC 202.47.77.240/28 202.47.77.249 0 int

[admin@test-Router] >

4. Set DNS

[admin@test-Router] > ip dns print

primary-dns: 202.47.78.8

secondary-dns: 202.47.78.9

allow-remote-requests: yes

cache-size: 2048KiB

cache-max-ttl: 1w

cache-used: 21KiB

[admin@test-Router] >

5. Set NAT / masquerading

[admin@test-Router] > ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=masquerade

1 chain=srcnat action=masquerade src-address=192.168.10.0/24

2 ;;; masquerade hotspot network

chain=srcnat action=masquerade src-address=192.168.10.0/24

[admin@test-Router] >

6. Enter the address-list "nice"

7. Mark connections and mark routing

[admin@test-Router] > ip firewall mangle print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=output action=mark-connection new-connection-mark=mark-local-con passthrough=yes dst-address-list=nice

1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-local-con

[admin@test-Router] >

8. Mark the gateway

9. Test traceroute to a local and to an international site

10. Set up the hotspot system [ACTIVATE HOTSPOT SYSTEM]

11. Activate RADIUS in the hotspot server profile [use radius = yes]

12. Add the RADIUS client

services = hotspot

address = 202.47.77.24x [the IP where RADIUS / User Manager runs]

secret = 123456 [the secret must match the one in User Manager]

SETTING UP USER MANAGER [THE PACKAGE IS TREATED AS SEPARATE FROM THE HOTSPOT SYSTEM]

1. Install the user-manager package

2. Create a User Manager account

[admin@MikroTik] > tool user-manager customer add login="man" password="password" permissions=owner

3. Access User Manager at >> http://202.47.77.24x/userman

username = user

password = password

4. Router settings

name = test-router

ip address = 202.47.77.24x [the router's own IP address; 127.0.0.1 also works]

secret = 123456 [this secret must match the router's]

OK

5. Add user accounts so clients can log in to the hotspot system

>> more complete account settings

6. Study the User Manager application menus

User Manager can also be used for RouterOS login

1. Configure user AAA on the RouterOS side

#/ user aaa set use-radius=yes

2. The permissions of the default group must be full

#/ user aaa set default-group=full

3. Set the RADIUS IP and secret; they must match User Manager

#/ radius add service=login address=202.47.77.24x secret=123456

4. Test login using a User Manager [RADIUS] account

MIKROTIK QoS [bandwidth management]

Simple Queue

To use a simple queue:

- enable max-limit

- upload = 256k

- download = 256k

Simple Queue with Burst

1. Enable max-limit

- target address = host address

= max-limit

>> upload = 64k

>> download = 256k

= burst-limit

>> upload = 128k

>> download = 256k

= burst-threshold

>> upload = 32k

>> download = 64k

= burst-time

>> 20 sec

Queue With Dual Limitation

1. Parent Queue

> enable the parent queue

- name = main_queue

- max-limit = 256k / 256k

> advanced tab = optional

Combine the simple queue with burst by adding dual limitation or a parent queue [main-queue]

Simple Queue With Time

1. Run the simple queue with burst

2. Enable the time range for the limit

- office_hours

- after_office_hours

- holiday

Graphing Traffic

1. Works much like MRTG

Queue Disciplines [Schedulers and Shapers]

1. Scheduler

> limits the number of waiting packets

2. Traffic Shaper

> controls the data flow speed and can also do scheduling tasks

1. Examples of scheduler queues:

- BFIFO - PFIFO | byte or packet based

- RED - SFQ

2. Examples of shaper queues:

- PCQ - HTB

What is:

1. RED?

2. SFQ?

3. PCQ?

Per Connection Queue [PCQ]

1. Memory consumptive

2. Does not limit the number of sub-flows

PCQ algorithm

1. If limit-at and max-limit are set to 0, the sub-queues can take all the bandwidth available in the parent, meaning they share all of the bandwidth equally.

PCQ example

MARKING

1. marking-connection

- chain = forward

- src-address = 192.168.10.0

- out-interface = WAN

- action = mark-connection

- new-connection-mark = pcq-con

- passthrough = yes

2. mark-packet

- chain = forward

- connection-mark = pcq-con

- action = mark-packet

- new-packet-mark = pcq-packet

- passthrough = no

Create a new PCQ type

1. >> Queue >> Queue Type >> add

- name = pcq-download

- kind = pcq

- rate = 32k

- limit = 50

- total-limit = 2000

- dst-address = yes

Make a queue for download traffic

1. >> Queue >> Queue Tree >> add

- name = client-download

- parent = local

- packet-mark = pcq-packet

- queue-type = pcq-download

- priority = 8

## the same steps apply to make the UPLOAD traffic queue

>> to make PCQ with no limit

>> PCQ with no rate

rate = 0

max-limit = 256k

HTB State

*********

1. GREEN

>> equal to or below limit-at

2. YELLOW

>> above limit-at

3. RED

>> has gone past limit-at

>>> HTB attributes

- limit-at

- max-limit

- priority

Example of advanced bandwidth management:

Suppose we buy 128kbps of bandwidth.

How much bandwidth should each host get?

1. Make a parent simple queue = the total bandwidth obtained

Name = TOTAL-BANDWIDTH

max-limit = upload=128k | download=128k

Advanced

interface = lan

limit-at = 32k / 32k

2. Make a queue for the host

name = host_A

target address = 192.168.10.5 [host IP]

max-limit = 32k / 32k

Advanced

interface = lan

limit-at = 8k / 8k

queue-type = BAGI-RATA / BAGI-RATA

parent = TOTAL-BANDWIDTH

3. Make the PCQ queue type

name = BAGI-RATA

kind = pcq

rate = 16k >> when traffic is fully saturated everyone gets an equal 16k

limit = 20
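A model of three mechanisms this QoS section configures by hand, as an added example that is not the page's or MikroTik's code: the burst calculation behind the simple queue with burst (upload max-limit 64k, burst-limit 128k, burst-threshold 32k, burst-time 20 s), the HTB green/yellow/red state, and the per-stream share behind the BAGI-RATA PCQ type. It assumes per-second averaging, a simplification of RouterOS's finer-grained sampling, and models yellow as "above limit-at but below max-limit" with red at max-limit.

```python
"""Simple-queue burst, HTB colour state and PCQ per-flow share modelled in
Python. Added example; the figures come from the page's queue settings."""


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time, demand):
    """Per-second model of RouterOS burst: while the average rate over the
    last burst_time seconds is below burst_threshold the queue may send at
    burst_limit, otherwise it falls back to max_limit. Returns the rate
    delivered each second to a flow whose wanted rates are given in `demand`."""
    history = [0] * burst_time   # rates delivered in the last burst_time seconds
    delivered = []
    for want in demand:
        average = sum(history) / burst_time
        cap = burst_limit if average < burst_threshold else max_limit
        got = min(want, cap)
        delivered.append(got)
        history = history[1:] + [got]
    return delivered


def burst_seconds(burst_limit, burst_threshold, burst_time):
    """Longest burst a previously idle flow gets: the window average reaches
    the threshold after burst_threshold * burst_time / burst_limit seconds."""
    return burst_threshold * burst_time / burst_limit


def htb_state(rate, limit_at, max_limit):
    """HTB colour: green within limit-at, yellow while borrowing from the
    parent (above limit-at, below max-limit), red once max-limit is reached."""
    if rate <= limit_at:
        return "green"
    if rate < max_limit:
        return "yellow"
    return "red"


def pcq_share(parent_max, rate, flows):
    """Bandwidth each PCQ sub-stream gets when `flows` streams saturate the
    queue: an equal split of the parent's max-limit, capped at pcq-rate when
    rate > 0 (rate = 0 means no per-stream cap, so only the split applies)."""
    if flows <= 0:
        raise ValueError("flows must be positive")
    fair = parent_max / flows
    return fair if rate == 0 else min(rate, fair)


if __name__ == "__main__":
    # Page's upload burst: max 64k, burst-limit 128k, threshold 32k, time 20 s.
    print(simulate_burst(64, 128, 32, 20, [1000] * 30))  # 128 x5, then 64
    print(burst_seconds(128, 32, 20))                    # 5.0
    # Page's advanced example: 128k parent, host max 32k / limit-at 8k,
    # BAGI-RATA rate 16k shared by 4 and then 16 active streams.
    print(htb_state(8, 8, 32), htb_state(20, 8, 32), htb_state(32, 8, 32))
    print(pcq_share(128, 16, 4), pcq_share(128, 16, 16), pcq_share(128, 0, 16))
```

The rule of thumb burst_seconds encodes (32k x 20 s / 128k = 5 s of burst from idle) is exactly what the simulation reproduces, and the simulation also shows that a flow which stays saturated never bursts again until it has been quiet long enough for the window average to fall back under the threshold.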

MIKROTIK VIRTUAL PRIVATE NETWORK

PPTP and L2TP

PPP

PPTP Server: (PPTP server enabled=yes)

Add Secret: (username, password and service = pptp or l2tp)

Profile (Default): (set the local address, remote address and DNS)

Then test the VPN client from the Windows New Connection Wizard (the usual "Next, Next, Next" routine)

>> The difference in the settings needed for an L2TP client is:

Windows 2000 automatically creates an IPsec policy if an L2TP/IPsec VPN link is established. The IPsec policy requires that you install computer certificates on both the Routing and Remote Access VPN server and the VPN client. You can obtain certificates from a Microsoft Certificate server or from a third-party provider.

If you are a security administrator, you may want to disable the default automatic L2TP/IPsec policy because an established Public Key Infrastructure (PKI) is not present. You may also want to disable the automatic IPsec policy for testing purposes. You can establish pure L2TP tunnels if you disable the policy. However, these tunnels are not secure because IPsec is responsible for tunnel security.

To disable the automatic L2TP/IPsec policy:

1. Start Registry Editor.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

3. On the Edit menu, click Add Value.

4. Type prohibitipsec in the Value Name box, click REG_DWORD in the Data Type box, and then click OK.

5. Type 1 in the Data box, and then click OK.

6. Quit Registry Editor, and then restart the computer.

MIKROTIK WIRELESS CONFIGURATION

POINT TO MULTIPOINT

BASE STATION SIDE

Interfaces

- eth1

- wlan

- bridge1

wlan settings

radio-name = nama_radio_base

mode = ap-bridge

ssid = rahasia_21

band = 5GHz

frequency = 5180

security-profile = Amankan_dong

default-authentication = yes

default-forwarding = yes

WDS settings

wds-mode = dynamic

wds-default-bridge = bridge1

Security profile settings

name = Amankan_dong

mode = dynamic-keys

WPA-PSK = yes

WPA2-PSK = yes

WPA pre-shared key = test-dong-passwd

WPA2 pre-shared key = test-dong-passwd

Bridging settings

Interfaces placed in the bridge:

- eth1

- wlan

- wds

IP settings

Interface that gets the IP address:

bridge = 10.17.10.10

CLIENT SIDE

Interfaces

- eth1

- wlan

- bridge

wlan settings

radio-name = nama_radio_client_remote

mode = station-wds

ssid = rahasia_21

band = 5GHz

frequency = 5180

security-profile = Amankan_dong

default-authentication = yes

default-forwarding = yes

WDS settings

wds-mode = dynamic

wds-default-bridge = bridge1

Security profile settings

name = Amankan_dong

mode = dynamic-keys

WPA-PSK = yes

WPA2-PSK = yes

WPA pre-shared key = test-dong-passwd

WPA2 pre-shared key = test-dong-passwd

Bridging settings

- eth1

- wlan

IP settings

Interface that gets the IP address:

bridge = 10.17.10.11
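What the security profile's pre-shared key actually becomes on both sides of the link: WPA-PSK and WPA2-PSK derive the 256-bit pairwise master key from the passphrase and the SSID with PBKDF2-HMAC-SHA1. This is an added example, not the page's or MikroTik's code; it uses the page's ssid rahasia_21 and key test-dong-passwd.

```python
"""WPA/WPA2-PSK pairwise master key derivation for the page's wireless security
profile. Added example; ssid and key are the page's values."""
import hashlib

SSID = "rahasia_21"
PASSPHRASE = "test-dong-passwd"


def profile_is_valid(ssid: str, passphrase: str) -> bool:
    """IEEE 802.11 limits: SSID 1..32 bytes, passphrase 8..63 printable ASCII
    characters (a key outside these limits cannot be turned into a PMK)."""
    if not 1 <= len(ssid.encode()) <= 32:
        return False
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    the same computation wpa_passphrase performs; WPA-PSK and WPA2-PSK share it,
    which is why the page can set the same key for both."""
    if not profile_is_valid(ssid, passphrase):
        raise ValueError("invalid ssid or passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def peers_agree(base_ssid: str, base_key: str,
                client_ssid: str, client_key: str) -> bool:
    """The ap-bridge base and the station-wds client only reach the same PMK
    when both ssid and key match byte for byte; the 4-way handshake then
    proves possession of that PMK without either side sending the key."""
    return derive_pmk(base_ssid, base_key) == derive_pmk(client_ssid, client_key)


if __name__ == "__main__":
    print(derive_pmk(SSID, PASSPHRASE).hex())
    print(peers_agree(SSID, PASSPHRASE, SSID, PASSPHRASE))          # True
    print(peers_agree(SSID, PASSPHRASE, SSID, "Test-dong-passwd"))  # False
```

Because the PMK depends on nothing but these two strings, the link is only as strong as the passphrase: anyone who learns it holds the PMK for every station on that SSID, so use a long random key and rotate it when a client device is retired.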

SETTING UP THE HOTSPOT SYSTEM ON MULTIPLE VLANS

1. RENAME THE INTERFACES

- LAN

>> add the sub-interfaces VLAN100

VLAN200

VLAN30

- LOCAL

- INT

2. SET IP ADDRESSES ON THE 3 INTERFACES AND THE VLAN SUB-INTERFACES

3. SET THE GATEWAY

4. SET DNS

5. SET NAT / MASQUERADING

6. ADD THE FIREWALL ADDRESS-LIST

7. ADD MARK-CONNECTION

8. ADD MARK-ROUTING

9. SET THE GATEWAY >> MARK-ROUTING

10. TEST TRACERT TO A LOCAL AND TO AN INTERNATIONAL SITE

11. ACTIVATE AND ADD THE USER-MANAGER USER LOGIN

12. SET RADIUS =

- LOGIN

- HOTSPOT

- POINT TO THE RADIUS SERVER IP

13. SET UP USER MANAGER

ADD ROUTER

- ROUTER GATEWAY IP ADDRESS

- THE SECRET MUST MATCH THE ROUTER

ADD HOTSPOT USER

14. ACTIVATE THE HOTSPOT SYSTEM ON THE INTERFACES

- VLAN100 >> 192.168.100.1/24

- VLAN200 >> 192.168.200.1/24

- VLAN30 >> 192.168.30.1/24

15. CONFIGURE EACH SWITCH PORT TO JOIN THE DESIRED VLAN

16. THE ROUTER PORT CONNECTED TO THE SWITCH IS THE LAN INTERFACE, BECAUSE THE VLANS SIT UNDER THIS INTERFACE. IF THEY ARE TO BE DISTRIBUTED TO ANOTHER SWITCH, SET UP TRUNKING:

|SWITCH|-----------trunking------------|SWITCH|

Setting up separate local and international gateways

[admin@MikroTik] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN

1 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL

[admin@MikroTik] > system identity set name="test-Router"

[admin@test-Router] > ip address add address=202.47.77.xx/28 interface=INT disabled=no

[admin@test-Router] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN

1 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL

2 202.47.77.24x/24 202.47.77.24x 202.47.77.255 INT

[admin@test-Router] >

[admin@test-Router] > ip route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, b - bgp, o - ospf,

B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL

1 ADC 192.168.10.0/24 192.168.10.1 0 LAN

2 ADC 202.47.77.0/24 202.47.77.xxx 0 INT

[admin@test-Router] > ip route add gateway=202.47.77.xx

[admin@test-Router] > ip route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, b - bgp, o - ospf,

B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 r 202.47.77.24x 1 INT

1 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL

2 ADC 192.168.10.0/24 192.168.10.1 0 LAN

3 ADC 202.47.77.0/24 202.47.77.24x 0 INT

[admin@test-Router] > ip route add gateway=10.8.8.1

[admin@test-Router] > ip route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, b - bgp, o - ospf,

B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 r 202.47.77.24x 1 INT

1 S 0.0.0.0/0 r 10.8.8.1 1 LOCAL

2 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL

3 ADC 192.168.10.0/24 192.168.10.1 0 LAN

4 ADC 202.47.77.0/24 202.47.77.24x 0 INT

[admin@test-Router] > ip dns set primary-dns=202.47.78.8 allow-remote-requests=yes

[admin@test-Router] > ip dns set secondary-dns=202.47.78.9 allow-remote-requests=yes

[admin@test-Router] > ip firewall nat add chain=srcnat dst-address

dst-address dst-address-list dst-address-type

[admin@test-Router] > ip firewall nat add chain=srcnat dst-address=192.168.10.0/24 action=masquerade

[admin@test-Router] > ip firewall nat add chain=srcnat out-interface=LOCAL action=masquerade

[admin@test-Router] > ip firewall nat add chain=srcnat out-interface=INT action=masquerade

[admin@test-Router] >

[admin@test-Router] > ip firewall nat print all

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=masquerade dst-address=192.168.10.0/24

1 chain=srcnat action=masquerade out-interface=LOCAL

2 chain=srcnat action=masquerade out-interface=INT

[admin@test-Router] >

[admin@test-Router] > ip firewall mangle add chain=output new-connection-mark=mark-con-local dst-address-list=nice action=mark-connection

[admin@test-Router] > ip firewall mangle add chain=output connection-mark=mark-con-local action=mark-routing new-routing-mark=mark-routing-local

[admin@test-Router] > ip firewall mangle print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=output action=mark-connection new-connection-mark=mark-con-local passthrough=yes dst-address-list=nice

1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-con-local

[admin@test-Router] >

[admin@test-Router] > tool traceroute www.yahoo.com

ADDRESS STATUS

1 202.47.68.249 1ms 1ms 1ms

2 202.47.79.35 2ms 1ms 1ms

3 202.93.245.153 23ms 26ms 22ms

4 121.52.62.193 20ms 20ms 22ms

5 202.152.245.165 23ms 23ms 22ms

6 202.152.245.130 27ms 27ms 25ms

7 203.208.192.45 61ms 27ms 25ms

8 203.208.182.1 27ms 22ms 27ms

9 0.0.0.0 timeout timeout timeout

[admin@test-Router] > tool traceroute www.kompas.co.id

ADDRESS STATUS

1 202.47.79.69 1ms 1ms 1ms

2 202.47.79.212 4ms 5ms 5ms

3 218.100.27.147 4ms 4ms 6ms

4 202.146.5.33 5ms 5ms 5ms

[admin@test-Router] >

[admin@test-Router] > tool traceroute www.google.com

ADDRESS STATUS

1 202.47.68.249 1ms 2ms 1ms

2 202.47.79.35 1ms 1ms 1ms

3 202.93.245.153 23ms 23ms 21ms

4 121.52.62.193 22ms 21ms 20ms

5 202.152.245.165 23ms 26ms 22ms

6 202.152.245.130 24ms 21ms 24ms

7 203.208.192.45 21ms 24ms 21ms

8 203.208.182.1 20ms 25ms 22ms

9 203.208.182.110 27ms 23ms 23ms

10 203.208.149.166 21ms 56ms 60ms

11 0.0.0.0 timeout timeout timeout

[admin@test-Router] >
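A model of the routing decision that the hotspot steps 7-9 and this gateway-separation section build with the "nice" address-list, the two mangle rules and the routes printed above: it answers which gateway a given destination leaves through. This is an added example, not the page's or MikroTik's code; the NICE prefixes are constructed stand-ins for the real list, and the route carrying routing-mark=mark-routing-local is assumed, since the page's "marking gateway" step is not captured.

```python
"""Which gateway a destination takes under the page's 'nice' address-list
policy routing. Added example; NICE and the marked route are constructed."""
import ipaddress
from typing import Optional

# Constructed 'nice' list standing in for the real local-prefix list.
NICE = [ipaddress.ip_network(p) for p in ("202.47.0.0/16", "218.100.27.0/24")]

# Routes as printed on the page (two static defaults, three connected) plus one
# ASSUMED route for the "marking gateway" step: default via the LOCAL gateway
# with routing-mark=mark-routing-local. Table order matters for equal routes.
ROUTES = [
    {"dst": "0.0.0.0/0", "gateway": "202.47.77.241", "iface": "INT", "distance": 1, "mark": None},
    {"dst": "0.0.0.0/0", "gateway": "10.8.8.1", "iface": "LOCAL", "distance": 1, "mark": None},
    {"dst": "10.8.8.0/24", "gateway": None, "iface": "LOCAL", "distance": 0, "mark": None},
    {"dst": "192.168.10.0/24", "gateway": None, "iface": "LAN", "distance": 0, "mark": None},
    {"dst": "202.47.77.0/24", "gateway": None, "iface": "INT", "distance": 0, "mark": None},
    {"dst": "0.0.0.0/0", "gateway": "10.8.8.1", "iface": "LOCAL", "distance": 1, "mark": "mark-routing-local"},
]


def routing_mark_for(dst: str) -> Optional[str]:
    """The page's two mangle rules: a packet to a 'nice' destination gets
    connection-mark mark-local-con, and that connection is then given
    routing-mark mark-routing-local; anything else stays unmarked."""
    addr = ipaddress.ip_address(dst)
    return "mark-routing-local" if any(addr in net for net in NICE) else None


def _best_route(addr, mark: Optional[str]) -> Optional[dict]:
    cands = [r for r in ROUTES
             if r["mark"] == mark and addr in ipaddress.ip_network(r["dst"])]
    # Longest prefix wins, then lowest distance; the sort is stable, so the
    # route listed first wins a full tie (the page shows the INT default active).
    cands.sort(key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen, r["distance"]))
    return cands[0] if cands else None


def select_gateway(dst: str):
    """Returns (next hop, or None if directly connected, outgoing interface)."""
    addr = ipaddress.ip_address(dst)
    mark = routing_mark_for(dst)
    route = _best_route(addr, mark) if mark else None
    if route is None:
        # Assumption: with no match in the marked table, RouterOS falls back
        # to the main table.
        route = _best_route(addr, None)
    if route is None:
        raise LookupError(f"no route to {dst}")
    return route["gateway"], route["iface"]


if __name__ == "__main__":
    # 202.47.78.8 is the page's local DNS server; 203.208.182.1 is a hop from
    # the international traceroutes above; 192.168.10.5 is a LAN host.
    for dst in ("202.47.78.8", "203.208.182.1", "192.168.10.5"):
        print(dst, "->", select_gateway(dst))
```

The page's marks live in chain=output, which only covers packets the router itself originates (such as the traceroute tests above); traffic forwarded from LAN or hotspot clients passes chain=prerouting instead, so the same two rules must also exist there for client traffic to be split across the two gateways.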

MIKROTIK CONFIGURATION BACKUP TECHNIQUES

Backup management is one of the most vital parts of running a router; imagine a fairly complex router configuration suddenly breaking. The solution MikroTik offers is the backup process.

Backups can be made manually and can also be automated with a schedule and delivered by email.

Here are several backup techniques:

1. MANUAL BACKUP

2. MANUAL BACKUP SENT TO YOUR EMAIL ADDRESS

3. BACKUP USING A SCRIPT

4. AUTOMATIC / SCHEDULED BACKUP USING A SCRIPT

Here are the steps for a manual backup and for an automatic backup using a script:

1. MANUAL BACKUP

[admin@test-dev] > system backup save-backup

Saving system configuration

Configuration backup saved

[admin@test-dev] >

1. Check the resulting backup file

[admin@test-dev] > file print

11 test-backup.backup backup 40347 feb/17/2008 13:19:53

[admin@test-dev] >

2. Test by loading the backup file that was created

[admin@test-dev] > system backup load-backup

Restore and reboot? [y/N]: y

Restoring system configuration

System configuration restored, rebooting now

[admin@test-dev] >

The router will restart and the backup file will replace the previous configuration.

2. MANUAL BACKUP SENT TO YOUR EMAIL ADDRESS

[admin@test-dev] > tool e-mail send to=dubian_si@yahoo.com server="xx.xx.xx.xx" from=jack@yahoo.com file=test-backup.b subject=backup-mikrotik

server="202.xx.xx.xx" is the SMTP address of the ISP being used

3. BACKUP USING A SCRIPT

1. Set the SMTP mail server

[admin@test-dev] > tool e-mail set server=202.47.78.55 from=jack@yahoo.com

2. Create a script to send the backup by email

[admin@test-dev] >system script

add name="backup_mail" source="/system backup save name=test-backup \n/tool \

e-mail send file=test-backup.backup to=\"dubian_si@yahoo.com\" body=\"Lihat File Backup System Mikrotik \

\" subject=\(\[/system identity get name\] \

. \" \" . \[/system clock get time\] . \" \" . \[/system clock get date\] \

. \" Backup\"\)\n"

[admin@test-dev] >

3. Run backup_mail

[admin@test-dev] system script> run backup_mail

[admin@test-dev] system script>

4. Check the mailbox; if the file arrived, the scripted backup succeeded

5. DONE

4. AUTOMATIC / SCHEDULED BACKUP USING A SCRIPT

1. Create a simple scheduler for a weekly backup

[admin@test-dev] > system scheduler add name="jadwal_backup_by-email" on-event="backup_mail" start-date=feb/17/2008 start-time=07:30:00 interval=7d comment="" disabled=no

[admin@test-dev] > system scheduler print

Flags: X - disabled

# NAME ON-EVENT START-DATE START-TIME INTERVAL RUN-COUNT

0 jadwal_backup_by-email feb/17/2008 07:30:00 1w 0

[admin@test-dev] >

2. Create a scheduler script for weekly backups, advanced version:

[admin@test-dev] > /system script add name=backup-mingguan source={/system backup save name=([/system identity get name] . "-" . \

[:pick [/system clock get date] 7 11] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6]); \

/tool e-mail send to="dubian_si@yahoo.com" subject=([/system identity get name] . " Backup " . \

[/system clock get date]) file=([/system identity get name] . "-" . [:pick [/system clock get date] 7 11] . \

[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . ".backup"); :delay 10; \

/file rem [/file find name=([/system identity get name] . "-" . [:pick [/system clock get date] 7 11] . \

[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . ".backup")]; \

:log info ("System Backup emailed at " . [/sys cl get time] . " " . [/sys cl get date])}

Script notes:

1. The backup name is the router's system identity, completed with the date and time

2. It is assumed SMTP mail is already configured and the email is sent to dubian_si@yahoo.com

3. After the email has been sent successfully, give the router 10 seconds and it automatically deletes the backup file it created, to save space on the router

4. Tell the system log that the email was sent successfully
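The name the weekly script builds from [/system identity get name] and the three [:pick ...] slices, reproduced outside the router so the offsets can be checked, together with a parser for the '/file print' row shown earlier to confirm the file is there. This is an added example, not the page's or MikroTik's code; the identity test-dev and date feb/17/2008 are the page's values and the file-print line is constructed in the page's layout.

```python
"""Reproduce the dated backup name that the page's weekly script builds and
parse '/file print' rows to confirm the file exists. Added example."""
import re

# RouterOS v6 and earlier print the date as mmm/dd/yyyy (page: feb/17/2008).
DATE_RE = re.compile(r"^[a-z]{3}/\d{2}/\d{4}$")
# Constructed '/file print' row in the same layout the page shows.
FILE_PRINT_LINE = "11 test-backup.backup backup 40347 feb/17/2008 13:19:53"


def routeros_pick(value: str, start: int, end: int) -> str:
    """:pick on a string: start index inclusive, end index exclusive."""
    return value[start:end]


def date_format_ok(clock_date: str) -> bool:
    """The script's fixed offsets (7..11 year, 0..3 month, 4..6 day) assume the
    mmm/dd/yyyy layout; newer RouterOS 7 releases print ISO yyyy-mm-dd, which
    would silently yield a wrong name, so check the layout before slicing."""
    return bool(DATE_RE.match(clock_date))


def dated_backup_name(identity: str, clock_date: str) -> str:
    """identity . "-" . yyyy . mmm . dd, exactly as the script concatenates it."""
    if not date_format_ok(clock_date):
        raise ValueError(f"unexpected RouterOS date format: {clock_date!r}")
    year = routeros_pick(clock_date, 7, 11)
    month = routeros_pick(clock_date, 0, 3)
    day = routeros_pick(clock_date, 4, 6)
    return f"{identity}-{year}{month}{day}"


def backup_file_name(identity: str, clock_date: str) -> str:
    """The file /system backup save creates, which the script emails and then removes."""
    return dated_backup_name(identity, clock_date) + ".backup"


def parse_file_print(line: str) -> dict:
    """Split one '/file print' row into id, name, type, size, date and time."""
    num, name, ftype, size, date, time = line.split()
    return {"id": int(num), "name": name, "type": ftype,
            "size": int(size), "date": date, "time": time}


def backup_present(lines, identity: str, clock_date: str) -> bool:
    """True when a '/file print' listing contains today's dated backup."""
    wanted = backup_file_name(identity, clock_date)
    return any(parse_file_print(l)["name"] == wanted for l in lines if l.strip())


if __name__ == "__main__":
    print(backup_file_name("test-dev", "feb/17/2008"))  # test-dev-2008feb17.backup
    print(parse_file_print(FILE_PRINT_LINE))
```

A .backup file holds the complete configuration, including the PPP and RADIUS secrets shown on this page, and the script mails it over plain SMTP; newer RouterOS 6 releases can encrypt the file by adding password= to /system backup save, which is worth doing before emailing one.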

VPN using MikroTik RouterOS

Here are the steps to set up a PPTP tunnel using MikroTik:

1. Set the identity name

2. Set the IP addresses

3. Set IP DNS

4. Set the IP routes

5. Set NAT / masquerading

6. Add the IP firewall address-list

7. mark-connection

8. mark-routing

9. Mark the gateway

10. Test traceroute

11. Activate the PPTP server

- MTU 1460

- MRU 1460

>> PAP, CHAP, MSCHAP1, MSCHAP2

12. Add a secret

- username = man

- password = password

- service = pptp

13. Set the profile (default profile)

- local address = 10.0.0.1

- remote address = 10.0.0.2

- dns server = 202.47.78.8

= 202.47.78.9

Setting up the PC for VPN

1. Make sure the PPTP server gateway can already be pinged

2. Set up the VPN connection by pointing it at the server gateway IP address

3. Log in with the username and password that were created

Captured VPN configuration with separate local and international gateways

1. Set the identity name

[admin@test-Router1] > system identity print

name: "test-Router1"

[admin@test-Router1] >

2. Set the IP addresses

[admin@test-Router1] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 10.8.8.45/24 10.8.8.0 10.8.8.255 LOCAL

1 192.168.10.1/24 192.168.10.0 192.168.10.255 LAN

2 202.47.77.249/28 202.47.77.240 202.47.77.255 INT

3 D 10.0.0.1/32 10.0.0.2 0.0.0.0 <pptp-test>

[admin@test-Router1] >

3. Set IP DNS

[admin@test-Router1] > ip dns print

primary-dns: 202.47.78.8

secondary-dns: 202.47.78.9

allow-remote-requests: yes

cache-size: 2048KiB

cache-max-ttl: 1w

cache-used: 20KiB

[admin@test-Router1] >

4. Set the IP routes

[admin@test-Router1] > ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf,

B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 r 10.8.8.1 1 LOCAL

1 A S 0.0.0.0/0 r 202.47.77.241 15 INT

2 ADC 10.0.0.2/32 10.0.0.1 0 <pptp-test>

3 ADC 10.8.8.0/24 10.8.8.45 0 LOCAL

4 ADC 192.168.10.0/24 192.168.10.1 0 LAN

5 ADC 202.47.77.240/28 202.47.77.249 0 INT

[admin@test-Router1] >

5. Set NAT / masquerading

[admin@test-Router1] > ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=masquerade

[admin@test-Router1] >

7. mark-connection and 8. mark-routing

[admin@test-Router1] > ip firewall mangle print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=output action=mark-connection new-connection-mark=mark-local-con passthrough=yes dst-address-list=nice

1 chain=output action=mark-routing new-routing-mark=mark-routing-local passthrough=yes connection-mark=mark-local-con

[admin@test-Router1] >

11. Activate the PPTP server

12. Add a secret

[admin@test-Router1] > ppp secret print

Flags: X - disabled

# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS

0 man pptp password default

[admin@test-Router1] >

13. Set the profile (default profile)

[admin@test-Router1] > ppp profile print

Flags: * - default

0 * name=”default” local-address=10.0.0.1 remote-address=10.0.0.2 use-compression=default use-vj-compression=default use-encryption=default

only-one=default change-tcp-mss=yes dns-server=202.47.78.8,202.47.78.9

1 * name=”default-encryption” use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes

[admin@test-Router1] >

 
