Sie sind auf Seite 1von 20

1.

Looking at the condition of the interface on Router Mikrotik

[Admin @ MikroTik]> interface print


Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500

[Admin @ MikroTik]>

If there is an X interface (disabled) after the number (0.1), then check again etherned card, should be R
(running).

a. Renaming interface
[Admin @ MikroTik]> interface (enter)

b. To rename a Public Interface ether1 (or whatever his name), then


[Admin @ MikroTik] interface> set 0 name = Public

c. Likewise for ether2, say his name changed to Local, then


[Admin @ MikroTik] interface> set 1 name = Local

d. or just from the position of the root directory, use the sign "/", without quotes
[Admin @ MikroTik]> / interface set 0 name = Public

e. Check again if the interface name had been changed.


[Admin @ MikroTik]> / interface print

Flags: X - disabled, D - dynamic, R - running


# NAME TYPE RX-RATE TX-RATE MTU
0 R Local ether 0 0 1500
1 R Public ether 0 0 1500

2. - Change the default password


To change the default password security
[Admin @ Mikrotik]> password
old password: *****
New password: *****
Retype new password: *****
[Admin @ Mikrotik]]>

3. - Renaming hostname
Renaming Mikrotik Router for easy configuration, in this step
server name will be changed to "myrouter"
[Admin @ MikroTik]> system identity set name = myrouter
[Admin @ myrouter]>

4. - Setting the IP Address, Gateway, and Name Server Masqureade

- [4.1] - IP Address

Order form configuration

ip address add address = {ip address / netmask} interfaces = {interface name}

a. Provides the IP address on the interface Mikrotik. Public suppose we will use to
connection to the Internet with IP 192.168.1.2 and the Local will be used for the LAN network
us with the IP 192.168.0.30 (See topology)

[Admin @ myrouter]> ip address add address = 192.168.1.2 \


netmask = 255.255.255.0 interface = Public comment = "IP to the Internet"

[Admin @ myrouter]> ip address add address = 192.168.0.30 \


netmask = 255 255 255 224 interface = Local comment = "IP to the LAN"

b. Viewing the IP address configuration we have given

[Admin @ myrouter]> ip address print


Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0;;; IP Address to the Internet
192.168.0.30/27 192.168.0.0 192.168.0.31 Local
1;;; IP Address to the LAN
192.168.1.2/24 192.168.0.0 192.168.1.255 Public
[Admin @ myrouter]>

- [4.2] - Gateway

Forms Configuration Commands

ip route add gateway = {ip gateway}

a. Providing default gateway, the gateway to the internet connection is assumed is


192.168.1.1

[Admin @ myrouter]> / ip route add gateway = 192.168.1.1

b. Viewing the routing table on MikroTik Routers


[Admin @ myrouter]> ip route print

Flags: X - disabled, A - active, D - dynamic,


C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE PREFSRC
0 ADC 192.168.0.0/24 192.168.0.30 Local
1 ADC 192.168.0.0/27 192.168.1.2 Public
2 A S 0.0.0.0 / 0 r 192.168.1.1 Public
[Admin @ myrouter]>

c. Ping test to the Gateway to ensure the configuration is correct

[Admin @ myrouter]> ping 192.168.1.1


192.168.1.1 64 byte ping: ttl = 64 time <1 ms 192.168.1.1 64 byte ping: ttl = 64 time <1 ms 2 packets
transmitted, 2 packets received, 0% packet loss round-trip min / avg / max = 0/0.0/0 ms [Admin @
myrouter]>

- [4.3] - NAT (Network Address Translation)

Forms Configuration Commands

ip firewall nat add chain = srcnat action = masquerade out-inteface = {ethernet


are directly connected to the Internet or Public}

a. Setup Masquerading, if Mikrotik will we use as a gateway server so that


client computer on the network can connect to the internet we need to masquerading.

[Admin @ myrouter]> ip firewall nat add chain = scrnat out-interface = Public action = masquerade
[Admin @ myrouter]>

b. Look at the configuration Masquerading

[Admin @ myrouter] ip firewall nat print


Flags: X - disabled, I - invalid, D - dynamic
0 chain = srcnat out-interface = Public action = masquerade
[Admin @ myrouter]>

- [4.4] Name servers

Forms Configuration Commands

ip dns set primary-dns = {primary} secondary-dns dns dns = {second}

a. Setup DNS on Mikrotik Routers, eg DNS with Ip Addressnya


Primary = 202.134.0.155, Secondary = 202.134.2.5
[Admin @ myrouter]> ip dns set primary-dns = 202.134.0.155 allow-remoterequests = yes
[Admin @ myrouter]> ip dns set secondary-dns = 202.134.2.5 allow-remoterequests = yes

b. Viewing the configuration control

[Admin @ myrouter]> ip dns print


primary-dns: 202.134.0.155
secondary-dns: 202.134.2.5
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB

[Admin @ myrouter]>

c. Tests for the access domain, for example with ping domain name

[Admin @ myrouter]> ping yahoo.com


216 109 112 135 64 byte ping: ttl = 48 time = 250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min / avg / max = 571/571.0/571 ms
[Admin @ myrouter]>

If you have successfully reply mean DNS settings are correct.

After this step can be done to check the connection from the local network. And if
means we have successfully managed to install Mikrotik Router as a Gateway
server. After connecting with Mikrotik network can be managed using the WinBox
can be downloaded from the server mikrotik Mikrotik.com or from us. Eg Ip address server
mikrotik we 192.168.0.30, via a browser open http://192.168.0.30. In the Browser will be displayed
in a web form with multiple menus, search and download text Download WinBox from there.
Save on the local hard drive. Winbox Run, enter the IP address, username and password.

5. - DHCP Server

DHCP stands for Dynamic Host Configuration Protocol, which is a program that
allows setting the IP Address on a network performed on a centralized server,
so the PC Client does not need to configure IP Address. DHCP allows an administrator
for addressing the ip address for the client.

Form of configuration commands

ip dhcp-server setup
dhcp server interfaces = {interface used}
dhcp server space = {network that will be in dhcp}
gateway for dhcp network = {ip gateway}
address to give out ip address = {range}
dns servers = {server name}
lease time = {} of the lease granted

If we want the client get IP address automatically then we need to setup


dhcp server on the Mikrotik. Here are the steps:

a. Add the IP address pool

/ Ip pool add name = dhcp-pool ranges = 192.168.0.1-192.168.0.30

b. Add a DHCP Network and gateway that will be distributed to the client.
In this example networknya gateway is 192.168.0.0/27 and 122.168.0.30

/ Ip dhcp-server network add address = 192.168.0.0/27 gateway = 192.168.0.30 dns-server =


192.168.0.30 \
comment = ""

c. Add a DHCP server (in this example applied to the Local interface dhcp)

/ Ip dhcp-server add interface = local address-pool = dhcp-pool

d. Check the status of the DHCP server


[Admin @ myrouter]> ip dhcp-server print
Flags: X - disabled, I - invalid

# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

Local 0dhcp1

X states that the DHCP server has not enabled it is necessary first dienablekan
previously in step e.

e. Do not Forget made first enable dhcp server

/ Ip dhcp-server enable 0

then check back to the dhcp-server such as step 4, if X has no meaning


already active

f. Tests From the client

For example:
D: \> ping www.yahoo.com
6.- Transparent Proxy Server
Proxy server is a program that can speed up access to a web
that have been accessed by another computer, because it was in the store in
caching proxy server.Transparent profitable in client management,
because system administrators do not need to setup a proxy in
each client computer's browser for the automatic redirection is performed on the
server.

Form of configuration commands:


a. Web proxy settings:

- Ip proxy set enabled = yes


port = {port that will be used}
maximal-client-connections = 1000
maximal-server-connections = 1000

- Ip proxy direct add src-address = {network that will be


NAT} action = allow

- Ip web-proxy set parent-proxy = {proxy parent / optional}


hostname = {hostname for the proxy / optional}
port = {port that will be used}
src-address = {address will be used for connection
to the parent proxy / default 0.0.0.0}
transparent-proxy = yes
max-object-size = {maximum size file to be saved
as a cache / default 4096 in Kilobytes}
max-cache-size = {maximum size hard drive that will
used as a storage cache file / unlimited
| None | 12 in megabytes}
cache-administrator = {email administrator that will be used
if a proxy error, the status will be sent
to email}
enable == yes

Sample configuration
-------

a. Web proxy settings

/ Ip web-proxy
set enabled = yes src-address = 0.0.0.0 port = 8080 \
hostname = "proxy.myrouter.com" transparent-proxy = yes \
parent-proxy = 0.0.0.0:0 cache-administrator = "support@myrouter.com" \
max-object-size = 131072KiB cache-drive = system max-cache-size = unlimited \
max-ram-cache-size = unlimited

Nat Redirect, the rule should be added to deflect REDIRECTING


HTTP traffic to the WEB-PROXY.

b. Setting for Transparant proxy firewall

Form of configuration commands:

ip firewall nat add chain = dstnat


protocol = tcp
dst-port = 80
action = redirect
to-ports = {proxy port}

The command:

---------------------------
/ Ip firewall nat
add chain = dstnat protocol = tcp dst-port = 80 action = redirect to-ports = 8080 \
comment = "" disabled = no
add chain = dstnat protocol = tcp dst-port = 3128 action = redirect to-ports = 8080 \
comment = "" disabled = no
add chain = dstnat protocol = tcp dst-port = 8000 action = redirect to-ports = 8080 \
---------------------------

above command is intended, so that all traffic to Port 80,3128,8000


deflected toward the port 8080 is a Web-Proxy port.

NOTE:
Command

/ Ip web-proxy print {to see the results of a web-proxy configuration}


/ Ip web-proxy monitor for monitoring the work {web-proxy}

7. - Bandwidth Management

QoS plays an important role in terms of providing services good on the client. For that we need the
bandwidth management for each data set is passed, so the division of bandwidth into fair. In this case
also includes a packet RouterOS software for memanagement bandwidth.

Form of configuration commands:

queue simple add name = {name}


target-addresses = {ip address of the destination}
interfaces = {interface used to pass data}
max-limit = {out / in}

Below there is a configuration of traffic shaping or bandwidth management with Simple Queue
method, as the name implies, this type of queue is simple, but has a weakness, sometimes leak
bandwidth or bandwidth is not real in the monitor. Usage for 10 clients, Queue type is not a problem.

Client is assumed there are as many as 15 clients, and each client was given ration of 8kbps minimum
bandwidth, and a maximum of 48kbps. Whereas Total bandwidth of 192Kbps. For the upstream is not
given a rule, means each client can use the bandwidth uptream maximum. Note the priority
command, the range of priority in Mikrotik eight. Means from 1 to 8, priority 1 is highest priority, while
priority 8 is the lowest priority.

The following example kongirufasinya.


---------------------------
/ Queue simple
add name = "trafikshaping" target-addresses = 192.168.0.0/27 dst-address = 0.0.0.0 / 0 \
interface = all parent = none priority = 1 queue = default / default \
limit-at = 0 / 64 000 max-limit = 0 / 192 000 total-queue = default disabled = no
add name = "01" target-addresses = 192.168.0.1/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "02" target-addresses = 192.168.0.2/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "03" target-addresses = 192.168.0.3/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "04" target-addresses = 192.168.0.4/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "10" target-addresses = 192.168.0.25/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "05" target-addresses = 192.168.0.5/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "06" target-addresses = 192.168.0.6/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "07" target-addresses = 192.168.0.7/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "08" target-addresses = 192.168.0.8/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "09" target-addresses = 192.168.0.9/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "10" target-addresses = 192.168.0.10/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "11" target-addresses = 192.168.0.11/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "12" target-addresses = 192.168.0.12/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "13" target-addresses = 192.168.0.13/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "14" target-addresses = 192.168.0.14/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "15" target-addresses = 192.168.0.15/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no

The command above because in the form of the command line, can also copy paste, then paste it into
the consol mikrotiknya. remember see first path or active directory. Please dipaste course, if the
position
direktorynya in Root.

-----------------------
Terminal vt102 detected, using multiline input mode
[Admin @ MikroTik]>
----------------------

Another option is the method of bandwidth management, if if wanted bandwidth is shared equally by
Mikrotik, such as bandwidth 256kbps downstream and 256kbps upstream. While the client will
access as many as 10 clients, each client automatically gets a small upstream and downstream
bandwidth of 256kbps divided by 10. So each one can be 25.6 kbps. If only 2 Client who access it each
can be 128kbps.

For that type used PCQ (Per Connection Queue), which can be automatically divide the traffic per
client. About the type of queue in mikrotik This can be read on the manual in
http://www.mikrotik.com/testdocs/
ros/2.9/root/queue.php.
Previously need to be made a rule in the mangle. Such as:

-----------------------
/ Ip firewall mangle add chain = forward src-address = 192.168.0.0/27 \
action = mark-connection new-connection-mark = users-con
/ Ip firewall mangle add connection-mark = users-con action = mark-packet \
new-packet-mark = users chain = forward
------------------------

Because type PCQ does not exist, then it needs to be added, there are two types of this PCQ. First
named pcq-download, which will regulate all traffic through the destination address / destination
address. Traffic is passing Local interface. So that all traffic download / downstream coming from the
network 192.168.0.0/27 will be shared automatically.

PCQ second type, called pcq-upload, to regulate all upstream traffic derived from the source address /
source address. Traffic is passing public interface. So that all traffic upload / upstream originating from
the network 192.168.0.0/27 will be shared automatically.

Command:
-------------------------
/ Queue type add name = pcq-download kind = pcq pcq-classifier = dst-address
/ Queue type add name = pcq-upload kind = pcq pcq-classifier = src-address
-------------------------

Once the rules for the PCQ and Mangle added, now for the rules traffic division. Queue Queue Tree is
used, ie:

-------------------------
/ Queue tree add parent = Local queue = pcq-download packet-mark = users
/ Queue tree add parent = Public queue = pcq-upload packet-mark = users
-------------------------

The command above assumes that if the bandwidth received from the provider Internet berflukstuasi
or changing. If we believe that the bandwidth received, for example can 256kbs downstream, and
256kbps upstream, then No more rules, such as:

For downstream traffic:


------------------------
/ Queue tree add name = Download parent = Local max-limit = 256k
/ Queue tree add parent = Download queue = pcq-download packet-mark = users
-------------------------

And upstream traffic:


-------------------------
/ Queue tree add name = Upload parent = Public max-limit = 256k
/ Queue tree add parent = Upload queue = pcq-upload packet-mark = users
-------------------------
8. - MRTG Monitor via Web
This facility is necessary for monitoring traffic in the form of graphs, can viewed using a browser.
MRTG (The Multi Router Traffic Grapher) has dibuild such a way that allows us to use it. Already
available packaged basically.

Example configuration

-------------------------
/ Tool graphing
set store-every = 5min
/ Tool graphing interface
add interface = all allow-address = 0.0.0.0 / 0 store-on-disk = yes disabled = no
-------------------------

The above command will display a graph of the traffic that passes through the interface good network
of Public Interface and Local Interface, which rendered every 5 minutes. Addresses can also be set
anything that can access MRTG is, the allow-address parameter.

9. - Security in Mikrotik

After some configuration above has been prepared, of course not forgetting our consider the security
of this mikrotik gateway machine, there are few facilities used. In this case will be discussed on the
firewall. Facilities
The underlying this firewall is similar to IP TABLES on Gnu / Linux only some commands have been
simplified but efficient.

In Mikrotik firewall command is contained in IP mode, ie

[Admin @ myrouter]> / ip firewall

There are several packet filters like mangle, nat, and filters.

-------------------------
[Admin @ myrouter] ip firewall>?

Firewall allows IP packet filtering on per packet basis.

.. - Go up to the ip
mangle / - The packet marking management
nat / - Network Address Translation
connection / - Active Connections
filter / - Firewall filters
address-list / -
service-port / - Service port management
export -
-------------------------

For this time we will see the ip firewall filter configuration.

Because the breadth of the firewall filter parameters for the discussion of Firewall Filters can be seen in
the manual mikrotik, in http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

Configuration below can block some of the Trojan, Virus, Backdoor which have been identified
previously used either Port Numbers and Protocols. It has also been configured to withstand the
flooding of the Network and Public Local network. As well as providing rules for access control in
order, Range only certain tissues that can perform remote or access the service Mikrotik specific to our
machine.

Sample Application filter


--------------------------
/ Ip firewall filter
add chain = input connection-state = invalid action = drop comment = "Drop Invalid \
connections "disabled = no
add chain = input src-address =! 192.168.0.0/27 protocol = tcp src-port = 1024-65535 \
dst-port = 8080 action = drop comment = "Block to Proxy" disabled = no
add chain = input protocol = udp dst-port = 12667 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 27665 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 31335 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 27444 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 34555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 35555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 27444 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 27665 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 31335 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 31846 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 34555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 35555 action = drop comment = "trinoo" \
disabled = no
add chain = input connection-state = established action = accept comment = "Allow \
Established connections "disabled = no
add chain = input protocol = udp action = accept comment = "Allow UDP" disabled = no
add chain = input protocol = icmp action = accept comment = "Allow ICMP" disabled = no
add chain = input src-address = 192.168.0.0/27 action = accept comment = "Allow access \
to router from known network "disabled = no
add chain = input action = drop comment = "Drop anything else" disabled = no
add chain = forward protocol = tcp connection-state = invalid action = drop \
comment = "drop invalid connections" disabled = no
add chain = forward connection-state = established action = accept comment = "allow \
already established connections "disabled = no
add chain = forward connection-state = related action = accept comment = "allow \
related connections "disabled = no
add chain = forward src-address = 0.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward dst-address = 0.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward src-address = 127.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward dst-address = 127.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward src-address = 224.0.0.0 / 3 action = drop comment = "" disabled = no
add chain = forward dst-address = 224.0.0.0 / 3 action = drop comment = "" disabled = no
add chain = forward protocol = tcp action = jump jump-target = tcp comment = "" \
disabled = no
add chain = forward protocol = udp action = jump jump-target = udp comment = "" \
disabled = no
add chain = forward protocol = icmp action = jump jump-target = icmp comment = "" \
disabled = no
add chain = tcp protocol = tcp dst-port = 69 action = drop comment = "deny TFTP" \
disabled = no
add chain = tcp protocol = tcp dst-port = 111 action = drop comment = "deny RPC \
portmapper "disabled = no
add chain = tcp protocol = tcp dst-port = 135 action = drop comment = "deny RPC \
portmapper "disabled = no
add chain = tcp protocol = tcp dst-port = 137-139 action = drop comment = "deny NBT" \
disabled = no
add chain = tcp protocol = tcp dst-port = 445 action = drop comment = "deny cifs" \
disabled = no
add chain = tcp protocol = tcp dst-port = 2049 action = drop comment = "deny NFS" \
disabled = no
add chain = tcp protocol = tcp dst-port = 12345-12346 action = drop comment = "deny \
NetBus "disabled = no
add chain = tcp protocol = tcp dst-port = 20034 action = drop comment = "deny NetBus" \
disabled = no
add chain = tcp protocol = tcp dst-port = 3133 action = drop comment = "deny \
BackOriffice "disabled = no
add chain = tcp protocol = tcp dst-port = 67-68 action = drop comment = "deny DHCP" \
disabled = no
add chain = udp protocol = udp dst-port = 69 action = drop comment = "deny TFTP" \
disabled = no
add chain = udp protocol = udp dst-port = 111 action = drop comment = "deny PRC \
portmapper "disabled = no
add chain = udp protocol = udp dst-port = 135 action = drop comment = "deny PRC \
portmapper "disabled = no
add chain = udp protocol = udp dst-port = 137-139 action = drop comment = "deny NBT" \
disabled = no
add chain = udp protocol = udp dst-port = 2049 action = drop comment = "deny NFS" \
disabled = no
add chain = udp protocol = udp dst-port = 3133 action = drop comment = "deny \
BackOriffice "disabled = no
add chain = input protocol = tcp psd = 21.3 s, 3.1 action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "Port \
scanners to list "disabled = no
add chain = input protocol = tcp tcp-flags = fin,! syn,! rst,! PSH,! ack,! URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "NMAP FIN Stealth scan" disabled = no
add chain = input protocol = tcp tcp-flags = fin, syn action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "SYN / FIN \
scan "disabled = no
add chain = input protocol = tcp tcp-flags = syn, rst action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "SYN / RST \
scan "disabled = no
add chain = input protocol = tcp tcp-flags = FIN, PSH, URG,! syn,! rst,! ack \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "FIN / PSH / URG scan" disabled = no
add chain = input protocol = tcp tcp-flags = fin, syn, rst, PSH, ACK, URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "ALL / ALL scan" disabled = no
add chain = input protocol = tcp tcp-flags =! fin,! syn,! rst,! PSH,! ack,! URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "NMAP NULL scan" disabled = no
add chain = input src-address-list = "port scanners" action = drop comment = "dropping \
port scanners "disabled = no
add chain = icmp protocol = icmp icmp-options = 0:0 action = accept comment = "drop \
invalid connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 3:0 action = accept comment = "allow \
established connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 3:1 action = accept comment = "allow \
already established connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 4:0 action = accept comment = "allow \
source quench "disabled = no
add chain = icmp protocol = icmp icmp-options = 8:0 action = accept comment = "allow \
echo request "disabled = no
add chain = icmp protocol = icmp icmp-options = 11:0 action = accept comment = "allow \
time exceed "disabled = no
add chain = icmp protocol = icmp icmp-options = 12:0 action = accept comment = "allow \
parameter bad "disabled = no
add chain = icmp action = drop comment = "deny all other types" disabled = no
add chain = tcp protocol = tcp dst-port = 25 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 25 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = tcp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
--------------------------

- [10/01] - Service and Viewing the Active Service with PortScanner

To ensure that any active service in Machine mikrotik, we need to scan to a specific port, if there are
services that are not needed, better off alone.

To disable and enable servise, the command is:

We verify what services are active

----------------------------
[Admin @ myrouter]> ip service
[Admin @ myrouter] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
X 0 telnet 23 0.0.0.0 / 0
1 ftp 21 0.0.0.0 / 0
2 www 80 0.0.0.0 / 0
3 ssh 22 0.0.0.0 / 0
4 www-ssl 443 0.0.0.0 / 0 none
[Admin @ myrouter]ip service>
----------------------------

Suppose the FTP service is disabled, ie in the above list is located at


number 1 (see Flags) then:

---------------------------
[Admin @ myrouter] ip service> set 1 disabled = yes
---------------------------

We need to check again,

---------------------------
[Admin @ myrouter] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
X 0 telnet 23 0.0.0.0 / 0
1 X ftp 21 0.0.0.0 / 0
2 www 80 0.0.0.0 / 0
3 ssh 22 0.0.0.0 / 0
4 www-ssl 443 0.0.0.0 / 0 none
[Admin@myrouter] ip service>
---------------------------

Now the FTP service has been disabled.

Using nmap tool we can check what ports are active on the machine
gateway has been configured.

Command: nmap-vv-sS-sV-P0 192.168.0.30

Results:

-----------------------------
Starting Nmap 4.20 (http://insecure.org) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]
Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 Appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp open domain?
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3128/tcp open http-proxy Squid webproxy 2.5.STABLE11
3986/tcp open mapper-ws_ethd?
8080/tcp open http-proxy Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service / version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi:

============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )==============


SF-Port53-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A03C% P = i686-pc-windows-windows% r
(D
SF: NSVersionBindReq, E, "\ x0c \ x06 \ x81 \ x84")% r (DNSStatusR
SF: equest, E, "\ x0c \ X90 \ x84");
============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )==============
SF-Port2000-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A037% P = i686-pc-windows-windows% r
SF: (NULL, 4, "\ x01")% r (GenericLines, 4, "\ x01")% r (GetRequest, 18, "\
SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (
SF: HTTPOptions, 18, "\ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ x
SF: b2F \ xff9 \ xb0 ")% r (RTSPRequest, 18," \ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x
SF: 1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (RPCCheck, 18," \ x01 \ x02d \? \
SF: xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (DNSVersionBindReq, 18," \
SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (
SF: DNSStatusRequest, 4, "\ x01")% r (Help, 4, "\ x01")% r (X11Probe, 4, "\
SF: x01 ")% r (FourOhFourRequest, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \
SF:] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (LPDString, 4," \ x01 ")% r (LDAP
SF: BindReq, 4, "\ x01")% r (LANDesk-RC, 18, "\ x01 \ x02 \ xb9 \ x15 & \
SF: xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (TerminalServer, 4," \ x01 \
SF: 0 ")% r (NCP, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0,
SF: \ xb0 \ xe1 \ xa5 ")% r (NotesRPC, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x1
SF: 1 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (NessusTPv10, 4," \ x01 ");
MAC Address: 00:90:4 C: 91:77:02 (Epigram)
Service Info: Host: myrouter; Device: router

Service detection performed. Please report any incorrect results at


http://insecure.org/nmap/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 123 031 seconds
Raw packets sent: 1706 (75.062KB) | rcvd: 1722 (79.450KB)

-------------------------

From the results of such scanning can we take the conclusion, that the service and active port is a FTP
version of the MikroTik router ftpd 2.9.27. To SSH with OpenSSH version 2.3.0 mikrotik 2.9.27
(protocol 1.99). And the Web use the Squid proxy in Squid version webproxy 2.5.STABLE11.

Of course, the vendor has to patch against mikrotik Hole or Vulnerabilities of the above Protocol
Version.

- [10/02] - Network Administration Tool

Practically speaking, there are some tools that can be utilized in mela do network troubleshooting,
such as tools ping, traceroute, ssh, etc.. Some tools are often used later in the day-to-day
administration
are:

o Telnet
o SSH
o Traceroute
o Sniffer

a. Telnet
Remote commands are almost the same machine with the use of the existing telnet
on Linux or Windows.

[Admin @myrouter]> system telnet?

Sekilias above command to see what parameters are there. For example
remote machine with IP address 192.168.0.21 and port 23. Then

[Admin @ myrouter]> system telnet 192.168.0.21

Use of telnet should be limited to certain conditions for reasons security, as we know, a packet of data
sent via telnet has not been encrypted. To be more safe we use SSH.

b. SSH
Together with the telnet command is also needed in the remote machine, and principle same
parameters with the command on Linux and Windows.

[Admin @myrouter]> system ssh 192.168.0.21

SSH parameters above, a slight difference with telnet. If you see helpnya
has an additional parameter of the user.

--------------------------
[Admin @ myrouter]> ssh system?
The SSH feature can be used with Various SSH Telnet clients to securely connect
to and administrate the router

-
user - User name
port - Port number

[Admin @ myrouter]>
--------------------------

Suppose we are going to be remotely on a machine with the system


Linux operation, which has the account, username and password Root
123 456 in the address 66.213.7.30. Then the command,

--------------------------
[Admin @ myrouter]> system 66.213.7.30 ssh user = root
root@66.213.7.30 's password:
--------------------------

c. Traceroute

Knowing what or router hops through which a packet until the packet
was sent to the destination, we usually use the traceroute. With this tool
can be routed anywhere in the analysis of the course packet.

Suppose want to know the path the packet to the server yahoo, then:

--------------------------
[Admin @ myrouter]> tool traceroute yahoo.com ADDRESS STATUS
1 63.219.6.nnn 00:00:00 00:00:00 00:00:00
2 222.124.4.nnn 00:00:00 00:00:00 00:00:00
3 192.168.34.41 00:00:00 00:00:00 00:00:00
4 61.94.1.253 00:00:00 00:00:00 00:00:00
5 203,208,143,173 00:00:00 00:00:00 00:00:00
6 203.208.182.5 00:00:00 00:00:00 00:00:00
7 203,208,182,114 00:00:00 00:00:00 00:00:00
8 203,208,168,118 00:00:00 00:00:00 00:00:00
9 203 208 168 134 timeout 00:00:00 00:00:00
Timeout timeout 10 00:00:00 216.115.101.34
11 216 115 101 129 0:00:00 timeout timeout
12 216.115.108.1 timeout timeout 00:00:00
13 216,109,120,249 00:00:00 00:00:00 00:00:00
14 216 109 112 135 0:00:00 timeout timeout
--------------------------

d. Sniffer

We can capture and packet-packet tap running in our network, this tool has been provided by
Mikrotik useful in analyzing the traffic.

--------------------------
[Admin @ myrouter]> sniffer tool
Packet sniffering

.. - Go up to tool
start - Start / reset sniffering
stop - Stop sniffering
save - Save currently sniffed packets
packet / - sniffed packets management
protocol / - Protocol management
host / - Host management
connection / - Connection management
print -
get - get value of property
set -
edit - edit the value of property
export -
--------------------------

To begin the process of sniffing can use the Start command, while
stop it can make use of the Stop command.