
Mikrotik Load Balancing: 2 ISPs With a LAN

IP Address List

ether1 (ISP1) : 111.111.111.111
ether2 (ISP2) : 222.222.222.222
ether3 (LAN)  : 192.168.17.1

(The 111.111.111.x and 222.222.222.x addresses are placeholders; substitute the addresses and gateways your ISPs actually assign.)

Add the IP addresses on the Mikrotik box for the setup above:

/ip address
add address=111.111.111.111/24 network=111.111.111.0 broadcast=111.111.111.255 interface=ether1
add address=222.222.222.222/24 network=222.222.222.0 broadcast=222.222.222.255 interface=ether2
add address=192.168.17.1/24 network=192.168.17.0 broadcast=192.168.17.255 interface=ether3

Four workstations with the IPs 192.168.17.2 (WORKST-1), 192.168.17.3 (WORKST-2), 192.168.17.4 (WORKST-3) and 192.168.17.5 (WORKST-4).

1. Create the address lists in IP Firewall:

/ip firewall address-list
add list=jalur1 address=192.168.17.2
add list=jalur1 address=192.168.17.3
add list=jalur2 address=192.168.17.4
add list=jalur2 address=192.168.17.5

2. Configure NAT and MANGLE

The NAT rules select the source address by outgoing interface rather than by source list: a jalur1 flow that has failed over to ISP2 must leave with ISP2's address, and masquerade always uses the address of the interface the packet leaves on (to-addresses= belongs to action=src-nat, not to masquerade).

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="via ISP1"
add chain=srcnat action=masquerade out-interface=ether2 comment="via ISP2"

The mangle rules mark new LAN traffic with the routing mark of the list its source belongs to; traffic from hosts on neither list stays unmarked and follows the main table.

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=jalur1-route passthrough=no \
    src-address-list=jalur1 in-interface=ether3 comment="Mark Routing Jalur1"
add chain=prerouting action=mark-routing new-routing-mark=jalur2-route passthrough=no \
    src-address-list=jalur2 in-interface=ether3 comment="Mark Routing Jalur2"

3. IP Routes and Rules

Each routing table has its primary gateway at distance=1 and the other ISP as a backup at distance=2. check-gateway=ping withdraws a route whose gateway stops answering, so traffic falls over to the backup and returns when the primary recovers. Giving both routes the same distance does not express this intent (depending on the RouterOS version the router either picks one of them or spreads connections across both). Note that check-gateway only pings the next hop, so an outage further upstream in an ISP is not detected by it.

/ip route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=jalur1-route
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=2 scope=30 target-scope=10 routing-mark=jalur1-route
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=jalur2-route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=2 scope=30 target-scope=10 routing-mark=jalur2-route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=1 scope=30 target-scope=10
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=2 scope=30 target-scope=10
/ip route rule
add dst-address=111.111.111.0/24 action=lookup table=main
add dst-address=222.222.222.0/24 action=lookup table=main
add dst-address=192.168.17.0/24 action=lookup table=main
add src-address=111.111.111.0/24 action=lookup table=jalur1-route
add src-address=222.222.222.0/24 action=lookup table=jalur2-route
add routing-mark=jalur1-route action=lookup table=jalur1-route
add routing-mark=jalur2-route action=lookup table=jalur2-route

The route rules are evaluated from top to bottom: traffic for the directly connected subnets is always resolved in main, packets sourced from an ISP address (the router's own replies) go through that ISP's table, and marked LAN traffic goes through the table of its mark. This is also what makes remote login from the internet work: the router is reachable over both ISPs, and a reply leaves through the link the request arrived on. The caveat is that when that link is down, the reply is sent out the other ISP still carrying the first ISP's source address, which the second ISP is likely to drop as spoofed; remote access over a failed link is simply unavailable. The final IP Route configuration, as seen in Winbox, looks like the figure below:
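To reason about which uplink a given flow takes under the rules above, here is an added Python model of the decision (example code written for this page, not RouterOS code or MikroTik's implementation). It walks the route rules in order, picks the lowest-distance live gateway in the chosen table, and applies the out-interface masquerade, for normal operation and for an ISP outage. Addresses, list and table names are the page's; the sample flows, the `dead_gateways` parameter that stands in for what check-gateway=ping has withdrawn, and all function names are assumptions of the example.

```python
"""Model of the two-ISP policy routing above (added example, not RouterOS
code). Decision order: mangle mark by address list -> /ip route rule lookup
-> lowest-distance route whose gateway is alive -> masquerade by
out-interface. Addresses and names are the page's; flows are constructed.
"""
import ipaddress

ISP1_GW, ISP2_GW = "111.111.111.1", "222.222.222.1"

# /ip address: interface -> (own address, connected network)
INTERFACES = {
    "ether1": ("111.111.111.111", "111.111.111.0/24"),
    "ether2": ("222.222.222.222", "222.222.222.0/24"),
    "ether3": ("192.168.17.1", "192.168.17.0/24"),
}
UPLINK_FOR_GATEWAY = {ISP1_GW: "ether1", ISP2_GW: "ether2"}

# /ip firewall address-list: LAN hosts that get each routing mark
ADDRESS_LISTS = {
    "jalur1": {"192.168.17.2", "192.168.17.3"},
    "jalur2": {"192.168.17.4", "192.168.17.5"},
}

# /ip route: default routes per table as (gateway, distance);
# each table has a primary at distance 1 and the other ISP as backup
ROUTES = {
    "jalur1-route": [(ISP1_GW, 1), (ISP2_GW, 2)],
    "jalur2-route": [(ISP2_GW, 1), (ISP1_GW, 2)],
    "main": [(ISP1_GW, 1), (ISP2_GW, 2)],
}

# /ip route rule, in the listed order; the first matching rule selects the table
ROUTE_RULES = [
    ("dst", "111.111.111.0/24", "main"),
    ("dst", "222.222.222.0/24", "main"),
    ("dst", "192.168.17.0/24", "main"),
    ("src", "111.111.111.0/24", "jalur1-route"),
    ("src", "222.222.222.0/24", "jalur2-route"),
    ("mark", "jalur1-route", "jalur1-route"),
    ("mark", "jalur2-route", "jalur2-route"),
]


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def mangle_mark(src, in_iface):
    """mark-routing rules: only LAN (ether3) sources on a list get a mark."""
    if in_iface != "ether3":
        return None
    for lst, hosts in ADDRESS_LISTS.items():
        if src in hosts:
            return lst + "-route"
    return None


def select_table(src, dst, mark):
    for kind, value, table in ROUTE_RULES:
        if (kind == "dst" and in_net(dst, value)) or \
           (kind == "src" and in_net(src, value)) or \
           (kind == "mark" and mark == value):
            return table
    return "main"  # unmarked, unmatched traffic uses the main table


def active_gateway(table, dead_gateways):
    """check-gateway=ping: the lowest-distance route whose gateway answers."""
    for gw, _distance in sorted(ROUTES[table], key=lambda r: r[1]):
        if gw not in dead_gateways:
            return gw
    return None


def route(src, dst, in_iface, dead_gateways=frozenset()):
    """Return (out_interface, source address on the wire), or None if no route.

    dead_gateways is this model's stand-in for gateways that check-gateway
    has withdrawn (an assumption of the example, not a RouterOS parameter).
    """
    # Connected networks win over the default routes (the three dst-address
    # rules send that traffic to main, where the connected routes live).
    out_iface = next((i for i, (_, net) in INTERFACES.items() if in_net(dst, net)), None)
    if out_iface is None:
        table = select_table(src, dst, mangle_mark(src, in_iface))
        gw = active_gateway(table, dead_gateways)
        if gw is None:
            return None
        out_iface = UPLINK_FOR_GATEWAY[gw]
    if out_iface != "ether3" and in_iface == "ether3":
        # srcnat masquerade matched on out-interface: a new LAN connection
        # leaves with the address of whichever uplink routing chose.
        # Replies to inbound connections are not src-natted and keep src.
        return out_iface, INTERFACES[out_iface][0]
    return out_iface, src


if __name__ == "__main__":
    cases = [  # constructed sample flows
        ("192.168.17.2", "203.0.113.10", "ether3", frozenset()),    # jalur1 host
        ("192.168.17.4", "203.0.113.10", "ether3", frozenset()),    # jalur2 host
        ("192.168.17.2", "203.0.113.10", "ether3", {ISP1_GW}),      # ISP1 down
        ("192.168.17.9", "203.0.113.10", "ether3", frozenset()),    # unlisted host
        ("222.222.222.222", "203.0.113.10", "local", frozenset()),  # reply via ISP2
        ("222.222.222.222", "203.0.113.10", "local", {ISP2_GW}),    # reply, ISP2 down
        ("192.168.17.2", "192.168.17.5", "ether3", frozenset()),    # LAN to LAN
    ]
    for src, dst, iface, dead in cases:
        print(f"{src:>16} -> {dst} in {iface:<6} dead={sorted(dead)}: {route(src, dst, iface, dead)}")
```

The "reply, ISP2 down" case shows the caveat from the paragraph above: the reply is routed out ether1 but keeps 222.222.222.222 as its source, which ISP1 may filter.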

Script that automatically blocks an IP that keeps opening SSH connections (three strikes):

These rules count new TCP connections to port 22, not failed logins. Each stage entry lives for 1 minute; a source that opens a fourth new connection while still on the stage lists is put on black_list. The drop rule must come first, and the ladder is listed from the last stage down to the first: add-src-to-address-list does not stop rule processing, so with the stages in the opposite order a single connection would walk through every stage in one pass and be blacklisted immediately.

======================================================
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh3 action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh2 action=add-src-to-address-list address-list=bl_list_ssh3 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh1 action=add-src-to-address-list address-list=bl_list_ssh2 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=bl_list_ssh1 address-list-timeout=1m \
    comment="" disabled=no
======================================================

The IP is banned for 1 day (address-list-timeout=1d on black_list). Because connections rather than login failures are counted, an administrator who opens several sessions in quick succession from one address can lock themselves out; accept management addresses in a rule above the drop rule, and restrict port 22 to the addresses that need it where possible.
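To see what the ladder actually does over time, here is an added Python simulation of it (example code written for this page, not RouterOS code). It replays new TCP/22 connections from one source against the rules in the order listed above, and shows when the source lands on black_list, what happens with the stages in the wrong order, and how the 1-minute stage timeout can be paced around. Timestamps, source addresses and the class and method names are constructed for the example; the rule semantics it assumes (the drop rule checked first, add-src-to-address-list non-terminating) are stated in the comments.

```python
"""Simulation of the SSH address-list ladder above (added example, not
RouterOS code). Times are seconds; sources and timestamps are constructed.
"""

STAGE_TIMEOUT = 60          # address-list-timeout=1m
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d

# Ladder as listed on the page, top to bottom:
# (src-address-list condition or None, list the action adds to, timeout)
LADDER = [
    ("bl_list_ssh3", "black_list", BLACKLIST_TIMEOUT),
    ("bl_list_ssh2", "bl_list_ssh3", STAGE_TIMEOUT),
    ("bl_list_ssh1", "bl_list_ssh2", STAGE_TIMEOUT),
    (None, "bl_list_ssh1", STAGE_TIMEOUT),
]


class SshLadder:
    def __init__(self, rules=LADDER):
        self.rules = rules
        self.expiry = {}  # (list name, src) -> time the entry times out

    def listed(self, name, src, now):
        return self.expiry.get((name, src), 0) > now

    def is_blacklisted(self, src, now):
        return self.listed("black_list", src, now)

    def new_connection(self, src, now):
        """Feed one new TCP/22 connection; return True if its SYN is accepted.

        Assumption of this model: the drop rule is evaluated first, and
        add-src-to-address-list is non-terminating, so the packet keeps
        walking the ladder after a match (that is why rule order matters).
        """
        if self.is_blacklisted(src, now):
            return False  # "drop ssh brute forcers" rule
        for condition, target, timeout in self.rules:
            if condition is None or self.listed(condition, src, now):
                self.expiry[(target, src)] = now + timeout
        return True

    def replay(self, src, times):
        """Verdicts for a sequence of new connections at the given times."""
        return [self.new_connection(src, t) for t in times]


if __name__ == "__main__":
    # Four connections inside a minute: the fourth lands on black_list,
    # the fifth is dropped.
    print("burst      :", SshLadder().replay("198.51.100.9", [0, 10, 20, 30, 40]))
    # One connection every 61 s: each stage entry has expired before the
    # next attempt, so the source never climbs past bl_list_ssh1.
    print("paced      :", SshLadder().replay("198.51.100.10", [0, 61, 122, 183, 244]))
    # Stages in the page's reverse order (stage 1 first): one connection is
    # enough to be blacklisted, because every stage matches in one pass.
    print("wrong order:", SshLadder(LADDER[::-1]).replay("198.51.100.11", [0, 1]))
```

The paced run is the practical weakness: with 1-minute stage timeouts, an attacker who tries one password every 61 seconds is never blocked, so consider longer stage timeouts if port 22 must stay open to the internet.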
Method 2 (for the router's own FTP service): match the "530 Login incorrect" reply the router sends in the output chain, allow up to 10 incorrect logins per minute per client with dst-limit, and blacklist the destination of anything beyond that. This only works for plaintext FTP served by the router itself. Both rules must use the same list name (ftp_blacklist here), and the drop rule applies to port 21 (FTP, which is what the 530 reply belongs to) on all interfaces: restricting it to in-interface=ether1 would leave the second uplink open.

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers"
# accept 10 incorrect logins per minute
add chain=output action=accept protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m
# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=1d
