
/interface
# ether5 faces the LAN; ether1-3 face the three upstream links (ether4 is not referenced in this excerpt)#
set ether5 name=Local
set ether1 name=WAN1
set ether2 name=WAN2
set ether3 name=WAN3

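/ip address
# LAN side#
add address=10.10.0.1/24 broadcast=10.10.0.255 disabled=no interface=Local network=10.10.0.0

# WAN1: five public addresses from a /29; 41.x.x.113 is the provider gateway used in /ip route#
# NOTE(review): network= and broadcast= are derivable from the prefix length and newer RouterOS versions may reject broadcast= - confirm on the target version#
add address=41.x.x.114/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.115/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.116/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.117/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.118/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112

# WAN2: five public addresses from a /29; 41.x.x.1 is the provider gateway used in /ip route#
add address=41.x.x.2/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.3/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.4/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.5/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.6/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0

# WAN3: private address; 192.168.10.1 is the gateway used in /ip route (presumably a provider CPE doing NAT - confirm)#
# this command was split over two lines in the pasted listing and would not import as shown there; it is one command#
add address=192.168.10.2/24 broadcast=192.168.10.255 disabled=no interface=WAN3 network=192.168.10.0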

/ip route
# host routes to the ping targets, pinned to each provider's gateway so the probes below leave via that link
# (41.x.x.113 = WAN1, 41.x.x.1 = WAN2, 192.168.10.1 = WAN3); scope=10 lets the recursive routes below resolve through them#
add comment="MWeb" dst-address=196.2.63.110/32 gateway=41.x.x.113 scope=10
add comment="Yahoo" dst-address=67.195.160.76/32 gateway=41.x.x.113 scope=10
add comment="VodaCom" dst-address=41.1.224.101/32 gateway=41.x.x.1 scope=10
add comment="Google" dst-address=74.125.230.146/32 gateway=41.x.x.1 scope=10
add comment="MyADSL" dst-address=41.203.21.137/32 gateway=192.168.10.1 scope=10
add comment="News24" dst-address=152.111.193.28/32 gateway=192.168.10.1 scope=10

# recursive next hops: 10.1.1.1 / 10.2.2.2 / 10.3.3.3 stay reachable while at least one of their two probe
# targets answers ping, so each stands in for "WAN1 / WAN2 / WAN3 is up"; the two routes per target share the
# default distance, which looks intentional (probe redundancy rather than preference) - confirm#
add dst-address=10.1.1.1 gateway=196.2.63.110 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=67.195.160.76 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=41.1.224.101 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=74.125.230.146 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=41.203.21.137 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=152.111.193.28 scope=10 target-scope=10 check-gateway=ping

# per-WAN default routes selected by the routing marks set in /ip firewall mangle, each with a
# distance=2 fallback to the next link when its recursive next hop goes unreachable#
# NOTE(review): no default route without a routing-mark appears in this excerpt, so traffic the router itself
# originates (for example DNS resolution for the LAN clients allowed in /ip firewall filter) may have no route;
# confirm one exists elsewhere or add one using the same recursive gateways#
add distance=1 gateway=10.1.1.1 routing-mark=to_WAN1
add distance=2 gateway=10.2.2.2 routing-mark=to_WAN1
add distance=1 gateway=10.2.2.2 routing-mark=to_WAN2
add distance=2 gateway=10.3.3.3 routing-mark=to_WAN2
add distance=1 gateway=10.3.3.3 routing-mark=to_WAN3
add distance=2 gateway=10.1.1.1 routing-mark=to_WAN3

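/ip firewall mangle

# standard stuff for router traffic. Doesn't apply to our case since we will later firewall filter traffic that would be covered by this, but included as to be complete#
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3

# don't mark traffic going to directly connected WAN networks#
# NOTE(review): 192.168.1.0/24 is not one of the networks configured in /ip address (10.10.0.0/24, 41.x.x.112/29, 41.x.x.0/29, 192.168.10.0/24), so this rule matches nothing as written; confirm whether 192.168.10.0/24 (WAN3) was intended and whether the two public /29s need the same exemption#
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local

# Server connections established from WAN to LAN coming in WAN1 accordingly. If you have static IPs, you can also refer to them here as dst-address.#
# the address/port sets must stay in sync with the dst-nat rules in /ip firewall nat: the connection mark set here is what makes the server's replies get routing-mark to_WAN1 further down#
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.114 dst-port=21,25,80,110,143,443,8080 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.115 dst-port=443 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.118 dst-port=80,8767,14534 action=mark-connection new-connection-mark=WAN1_conn

# Server connections established from WAN to LAN coming in WAN2 accordingly#
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.2 dst-port=21,25,80,110,143,443,8080 action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.3 dst-port=80,443 action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.4 dst-port=80 action=mark-connection new-connection-mark=WAN2_conn

# force traffic out WAN1#
# explicit steering rules; they run before the PCC rules below, so they win for the flows they match#
add chain=prerouting dst-address=196.2.16.216/32 in-interface=Local action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp dst-port=25
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp dst-port=80
# force traffic out WAN2#
add chain=prerouting dst-address=41.0.7.123/32 in-interface=Local action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp dst-port=25
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp dst-port=443

# force traffic out WAN3#
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN3_conn passthrough=yes protocol=tcp dst-port=81

# apply PCC, but only to connections that aren't marked yet#
# remaining new LAN connections are split three ways by a hash of source+destination address (3/0, 3/1, 3/2); dst-address-type=!local keeps traffic to the router's own addresses out of it#
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

# mark packets from LAN to WAN with routing marks according to their connection marks#
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN3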

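/ip firewall nat

# forward the listed TCP service ports arriving on WAN1 (41.x.x.114) and WAN2 (41.x.x.2) to 10.10.0.250#
# every dst-nat rule here has a matching mark-connection rule in /ip firewall mangle and an accept rule in /ip firewall filter; keep the three in sync when changing ports#
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=21,25,80,110,143,443,8080 action=dst-nat dst-address=41.x.x.114 to-addresses=10.10.0.250
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=21,25,80,110,143,443,8080 action=dst-nat dst-address=41.x.x.2 to-addresses=10.10.0.250

# 41.x.x.115:443 -> 10.10.0.232:3389 (presumably remote desktop - confirm)#
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=443 action=dst-nat dst-address=41.x.x.115 to-addresses=10.10.0.232 to-ports=3389
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80,8767,14534 action=dst-nat dst-address=41.x.x.118 to-addresses=10.10.0.247

# 41.x.x.3 and 41.x.x.4 are WAN2 addresses (see /ip address and the WAN2 rules in /ip firewall mangle), so packets for them arrive on WAN2; the original in-interface=WAN1 could never match and the three rules below have been corrected to WAN2#
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=80 action=dst-nat dst-address=41.x.x.3 to-addresses=10.10.0.246
# 41.x.x.3:443 -> 10.10.0.250:22 (presumably SSH); NOTE(review): this exposes a shell service to any internet source - consider limiting it with src-address-list on this rule or in the forward chain#
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=443 action=dst-nat dst-address=41.x.x.3 to-addresses=10.10.0.250 to-ports=22
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=80 action=dst-nat dst-address=41.x.x.4 to-addresses=10.10.0.245

# source NAT all traffic out to the Internet#
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade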

/ip firewall address-list

# create address list of hosts allowed to administrate the router#
# consumed by the src-address-list=admin_hosts rules in /ip firewall filter#
add list=admin_hosts address=10.10.0.232
# NOTE(review): 10.10.2.10 is outside the configured LAN 10.10.0.0/24; it is only reachable via a route not shown in this excerpt - confirm#
add list=admin_hosts address=10.10.2.10
# NOTE(review): 10.10.0.2/24 has host bits set and matches the whole 10.10.0.0/24 LAN, which makes the host entry
# for 10.10.0.232 redundant and lets every LAN client reach all router services through the admin_hosts input rule;
# confirm whether a single host (10.10.0.2) was intended#
add list=admin_hosts address=10.10.0.2/24

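/ip firewall filter

# statefully firewall traffic to the router#
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop

# allow services for all LAN clients: DNS and NTP#
add chain=input in-interface=Local protocol=udp dst-port=53,123 action=accept
add chain=input in-interface=Local protocol=tcp dst-port=53 action=accept

# allow all router access from admin hosts#
add chain=input in-interface=Local src-address-list=admin_hosts action=accept
# NOTE(review): admin_hosts holds only private 10.10.x.x addresses; accepting them on WAN1 means a packet carrying such a source address from the internet reaches every router service. Unless admin traffic really arrives over WAN1 from a routed private network, drop this rule#
add chain=input in-interface=WAN1 src-address-list=admin_hosts action=accept

# default deny#
add chain=input action=drop

# outbound SMTP (tcp/25) is only allowed from 10.10.0.250 (presumably the mail server); log, then drop it from any other host. The original heading read "SNMP", which did not describe these rules#
add action=log chain=forward comment="" disabled=no dst-port=25 log-prefix=smtp_ out-interface=!Local protocol=tcp src-address=!10.10.0.250
add action=drop chain=forward comment="" disabled=no dst-port=25 out-interface=!Local protocol=tcp src-address=!10.10.0.250
# statefully firewall traffic through the router#
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop

# allow all traffic from LAN to WAN#
add chain=forward in-interface=Local action=accept

# allow the port-forwarded services (see /ip firewall nat) to reach the internal servers#
# action=accept is RouterOS's default for filter rules; it is written out so the intent is visible#
add chain=forward dst-address=10.10.0.250 protocol=tcp dst-port=21,22,25,80,110,143,443,8080 action=accept
add chain=forward dst-address=10.10.0.232 protocol=tcp dst-port=3389 action=accept
add chain=forward dst-address=10.10.0.245 protocol=tcp dst-port=80 action=accept
add chain=forward dst-address=10.10.0.246 protocol=tcp dst-port=80 action=accept
add chain=forward dst-address=10.10.0.247 protocol=tcp dst-port=80,8767,14534 action=accept

# default deny#
add chain=forward action=drop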
