Thursday, 11 February 2016

My Mikrotik Configuration (part 1)


This is the Mikrotik configuration that I set up a few days ago. The network design is shown in the image below.

[Image: network design]

Note:
  • Mikrotik: has 2 interfaces. WAN (public) IP: 1xx.9x.xx.xx/27; LAN IPs: 10.17.123.5 and 10.17.123.6. The Mikrotik runs RouterOS version 5.20, license level 6.
  • Hub or switch: unmanaged.
  • Cacti: used to make graphs of network traffic. IP: 10.17.123.1
  • Cisco: actually a router, but there is no NAT (Network Address Translation) on it, so in practice it works just like a bridge. IPs 10.17.123.1 and 10.254.128.1
  • Users: there are many users; they get their IP addresses from the Cisco by DHCP, from 10.254.128.0/22.


My Mikrotik configuration is the output of the "export" command in New Terminal. Some lines have been deleted because they are not important, the public IP has been changed, etc. (just to keep my network secure :) ). I have also changed the order of the lines to group them by goal, so that you can understand them easily.
Warning…!!!
If you want to use my Mikrotik configuration, please be careful. Read the requirements below.
  1. You must understand the purpose of every part of the configuration that you take.
  2. You should already understand the risks you are taking. Failure to do so may leave you unable to access the router or the Internet.
  3. I am not responsible for what happens when you copy and paste my configuration.
Step 1. Basic Mikrotik Configuration.
Configure the interfaces.
# feb/27/2014 11:31:59 by RouterOS 5.20
# software id = W5EY-LHT9
#
/interface ethernet
set 0 arp=enabled disable-running-check=yes disabled=no full-duplex=yes \
    mtu=1500 name=WAN speed=100Mbps
set 1 arp=enabled disable-running-check=yes disabled=no full-duplex=yes \
    mtu=1500 name=LAN speed=100Mbps

/ip address
add address=1xx.9x.xx.xx/27 disabled=no interface=WAN network=1xx.9x.xx.xx
add address=10.17.123.5/24 disabled=no interface=LAN network=10.17.123.0
add address=10.17.123.6/24 disabled=no interface=LAN network=10.17.123.0

I usually rename the interfaces to WAN and LAN, to make them easy to remember and to configure later. There are 2 IP addresses on the LAN interface.
IP address 10.17.123.5 is the gateway. Client users know this IP (if they know how to trace route), because it is their gateway.
IP address 10.17.123.6 is known only to the administrator; users/clients do not need to know it. This IP is used to reach the Mikrotik on port 80, to look at the network traffic.

Configure Routes (Default Gateway)
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1x.9x.xx.xx scope=\
    30 target-scope=10
add disabled=no distance=1 dst-address=10.254.128.0/22 gateway=LAN scope=30 \
    target-scope=10

"gateway=1x.9x.xx.xx" is the gateway for my public IP address.
Look carefully: I also add the network 10.254.128.0/22. This is the users' network, and it is the only network ID that is allowed to reach the Internet.

Configure NAT
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=\
    10.254.128.0/22

In my network design, the local area network (LAN) has 2 networks. Yeah… 10.17.123.0/24 and 10.254.128.0/22. But for my security, only the network 10.254.128.0/22 is configured for NAT and allowed to reach the Internet.

Configure IP DNS
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4

At this point, the clients should be able to reach the Internet. Test with ping from a computer (make sure the client's IP address is correct). Users get their IP address from the Cisco, in 10.254.128.0/22 (DHCP). Do not continue with the next stage if this step has not been successful.
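Since the point of this step is that only 10.254.128.0/22 gets NAT and a default route exists, here is an added example (my own script, not from the post or from MikroTik) that parses an "export" dump and checks those goals, plus whether allow-remote-requests is on. The sample dump is constructed from the post's values, with 192.0.2.1 standing in for the redacted public gateway.

```python
import re
# Constructed sample from the post's values; 192.0.2.1 stands in for the redacted gateway.
SAMPLE_EXPORT = """\
/ip address
add address=10.17.123.5/24 disabled=no interface=LAN network=10.17.123.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.1 scope=\\
    30 target-scope=10
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=\\
    10.254.128.0/22
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
"""
# Constructed weak rule: no src-address, so 10.17.123.0/24 would be NATed as well.
WEAK_NAT_RULE = "/ip firewall nat\nadd action=masquerade chain=srcnat out-interface=WAN\n"

def parse_export(text):
    """Return [(section, verb, {param: value})] from an export dump."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold backslash line continuations
    entries, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # section header such as "/ip firewall nat"
            section = line
            continue
        verb, _, rest = line.partition(" ")  # "add" / "set" then key=value pairs
        entries.append((section, verb, dict(re.findall(r"(\S+?)=(\S*)", rest))))
    return entries

def find(entries, section, verb, **match):
    return [p for s, v, p in entries if s == section and v == verb
            and all(p.get(k) == val for k, val in match.items())]

def check_config(text, users_net="10.254.128.0/22", wan="WAN"):
    """Check the post's stated goals; returns a dict of boolean findings."""
    entries = parse_export(text)
    nat = find(entries, "/ip firewall nat", "add", chain="srcnat", action="masquerade")
    return {
        # Only the users' network may be masqueraded, and only out of WAN.
        "nat_limited_to_users": bool(nat) and all(
            r.get("src-address") == users_net and r.get("out-interface") == wan
            for r in nat),
        "has_default_route": bool(find(entries, "/ip route", "add", **{"dst-address": "0.0.0.0/0"})),
        # allow-remote-requests=yes answers DNS on every interface, WAN included.
        "dns_open_to_remote": any(d.get("allow-remote-requests") == "yes"
                                  for d in find(entries, "/ip dns", "set")),
    }
```

A true dns_open_to_remote means the router will answer DNS queries arriving on WAN too, so port 53 on WAN should be filtered (in the firewall filter rules, which this part of the post does not yet cover) to avoid acting as an open resolver.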

Next