1. The document gives the steps to configure load balancing and failover between two ISPs on a MikroTik router (RouterOS 2.9.6): assigning IP addresses to the router's interfaces, adding mangle rules that mark traffic by source subnet, adding one default route per routing mark, a masquerade NAT rule, and a script that monitors each gateway.
2. Client networks are set up for 50 Internet clients and 50 game clients, each on its own /26 subnet and each configured with the DNS servers of the ISP its traffic is routed through.
3. A Netwatch-driven script checks each ISP gateway and rewrites the default route's gateway list from the gateways that are currently up, providing failover between the two connections.
1. Setup router
//to create a name for the network card
//to assign an IP address to the network card
//to create the NAT rule
//to assign the gateway
//to assign DNS
//to create DHCP
2. Create login page (Hotspot)
How to link MikroTik to a RADIUS server
-Configure DHCP (create LAN server and LAN client) on Windows Server 2008 R2
-Configure DHCP relay on SuSE Linux Enterprise Server 11
-Allow clients to obtain a DHCP address on each LAN
Basic Security
@ Updates
-Update Manager
-Enable automatic security updates (Update Settings)
=> Super key => type the keyword (System Settings) =>
@ Firewall
-Ubuntu ships with no listening network services, so no ports are exposed by default; the packet filter itself is not enabled
-Default firewall: ufw (turned off by default)
+sudo ufw status
+sudo ufw enable / sudo ufw disable
-Firestarter for a graphical interface (recommended in the original notes; the project is no longer maintained, gufw is the current ufw front-end)
+sudo apt-get install firestarter
+Preferences
@ User Accounts
-Users & Groups
+Disable the guest user
-Do not use the root user (disabled by default: the root password is locked)
+sudo passwd (would set a root password; avoid)
+sudo passwd -l root (lock the root account so its password cannot be used)
-Use sudo instead of root (/etc/sudoers)
+sudo visudo (edit /etc/sudoers with syntax checking; prefer it over editing the file directly, since a syntax error in sudoers locks everyone out of sudo)
+sudo adduser tolaleng sudo (add the user to the sudo group)
-Deleting users
+sudo deluser canamall
-Removing world-readable permission from the home directory
+sudo chmod 0750 /home/username
-Locking/unlocking a user
+sudo passwd -l username (lock: the password hash is prefixed with "!" so it no longer matches)
+sudo passwd -u username (unlock)
-Passwords
+sudo chage canamall (set password ageing interactively: maximum age, warning days, inactivity, expiry date)
+sudo chage -l canamall (show the account's ageing information)
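An added shell example (not from the original notes) that turns two of the user-account items above into a check: home directories readable by others (the notes' chmod 0750) and accounts without password expiry (the notes' chage). It assumes GNU coreutils (stat -c) and the field order printed by `passwd -S`; the sample `passwd -S` lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes.
#   audit_homes DIR      lists directories under DIR whose "other" bits grant
#                        any access (the notes recommend chmod 0750)
#   harden_homes DIR     applies 0750 to each directory audit_homes flags
#   audit_passwd_status  reads `passwd -S` style lines on stdin and flags
#                        accounts with no password (NP) or no maximum
#                        password age (99999, i.e. chage -M never applied)

audit_homes() {
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    mode=$(stat -c '%a' "$d")          # e.g. 755 or 2750 (GNU stat)
    if [ $((mode % 10)) -ne 0 ]; then  # last octal digit = permissions for "other"
      printf '%s %s\n' "$mode" "${d%/}"
    fi
  done
}

harden_homes() {
  audit_homes "$1" | while read -r mode dir; do
    chmod 0750 "$dir"
  done
}

# Input line format, one account per line, as printed by `passwd -S [-a]`:
#   user status last_change min_days max_days warn_days inactive_days
# status: P = usable password, L = locked, NP = no password.
# Constructed sample:  alice P 01/01/2024 0 99999 7 -1
audit_passwd_status() {
  while read -r user status _last _min max _warn _inactive; do
    [ -n "$user" ] || continue
    case "$status" in
      NP) printf '%s: no password set\n' "$user" ;;
      L)  ;;                              # locked account, nothing to flag
      *)  if [ "$max" = 99999 ]; then
            printf '%s: password never expires (run chage -M)\n' "$user"
          fi ;;
    esac
  done
}

# Real use on an Ubuntu host (needs root for passwd -S -a):
#   audit_homes /home
#   harden_homes /home
#   passwd -S -a | audit_passwd_status
```

Run it against /home and the output of `passwd -S -a` as shown in the trailing comment; each flagged line names the account or directory and the fix that the notes above prescribe.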
@ Antivirus
-ClamTk (under Accessories), or another anti-virus
@ Uninstall applications
-Ubuntu Software Center -> Installed software section -> select the application and click Remove
@ Processes
-To see processes
+ps aux or top
+System Monitor (GNOME); cacti, nagios for monitoring many hosts
@ Logs
-Some of the logs
+ /var/log/messages : general log messages
+ /var/log/boot : system boot log
+ /var/log/debug : debugging log messages
+ /var/log/auth.log : user login and authentication logs
+ /var/log/daemon.log : running services such as squid, ntpd and others log here
+ /var/log/kern.log : kernel log file
-Viewing logs
+ tail, more, cat, less, grep
+ GNOME System Log Viewer
=> Securing the host
* Create standard users and enforce a password policy (complexity, strength, expiry, inactivity days, lock and unlock users, disable the guest user)
* Secure remote access to the network and hosts
-Telnet (cleartext: access can only be restricted by host/address, credentials are not encrypted)
-SSH (encrypted; authenticate with keys)
=> Backup security (data hosting)
*Make a full backup of your machine
-Aptik (backup application)
-rsync (remote sync)
-Gsync (remote)
-Amanda
-Rsnapshot
Configuring a Gateway Server with PROXY, WEBSERVER and DHCP features (Walid Umar)
The guide above is intended for TKJ (computer and network engineering) students and teachers who want to practise building a gateway server with proxy, web server and DHCP features.
Configuring a GRE Tunnel Through a Cisco ASA Firewall (Harris Andrea)
As you may know, a Cisco ASA cannot terminate GRE tunnels. However, you can pass GRE traffic through a Cisco ASA 5500 firewall, as described in this tutorial.
Building a redundant IPsec VPN with two VyOS firewalls per site.
I made this document so that people who look for VPN/IPsec material have a place to implement a free router/firewall appliance on virtually any hardware and get what they need.
VyOS is a fork of Vyatta which runs happily on Intel Atom based hardware with at least 256 MB of RAM and a 500 GB HDD.
It supports 802.1Q (dot1q) VLANs, IPsec site-to-site and remote-access VPNs over GRE for B2B connectivity, the RIP/OSPF/BGP dynamic routing protocols, and both interface-based and zone-based firewalls.
OpenStack 3-node setup using RDO on top of RHEL 7.
Complete steps that make it more convenient to work on top of OpenStack without installation issues.
A deep understanding of how a packet reaches its destination and a basic understanding of network protocols.
Learn how to manipulate the Linux network stack and Linux iptables.
Tutorial: Load Balancing with Failover using MikroTik 2.9.6
Husam Suhaemi (husam.suhaemi@gmail.com)
Introduction
Adapt the scenario to the one you are facing, and read everything carefully first. The MikroTik server is assumed to have 3 (three) interfaces (NICs) and to be a fresh install.
Scenario:
1. ISP Telkom-Speedy (ADSL)
ADSL router IP (LAN side): 192.168.0.254
DNS1: 202.134.0.155
DNS2: 202.134.2.5
2. ISP Diginet (Wireless)
IP: 203.81.187.62
Gateway IP: 203.81.187.1 (the original lists 203.81.187.62 here, which is the router's own address on that link; the route and netwatch commands below use 203.81.187.1)
DNS1: 203.81.185.12
DNS2: 203.81.185.13
Number of Internet computers: 50 PCs -->
Network: 192.168.3.0/26 (usable addresses 192.168.3.1 - 192.168.3.62, broadcast 192.168.3.63, netmask 255.255.255.192)
Number of Games computers: 50 PCs -->
Network: 192.168.3.64/26 (usable addresses 192.168.3.65 - 192.168.3.126, broadcast 192.168.3.127, netmask 255.255.255.192)
Network diagram:
Diginet---, ,---Speedy
| |
| |
203.81.187.62(ether2) 192.168.0.253(ether1)
[M i k r o t i k 2 . 9 . 6]
192.168.3.254/24 (ether3)
|
|
192.168.3.0/24
| |
Games: Internet:
192.168.3.64/26 192.168.3.0/26
Steps:
1. Name interfaces ether1-3 in [Interfaces]
Command:
/interface set ether1 name=Telkom
/interface set ether2 name=Diginet
/interface set ether3 name=Local
[admin@BlueSky.Net] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R Telkom ether 0 0 1500
1 R Diginet ether 0 0 1500
2 R Local ether 0 0 1500
http://suhaemi.tk Page 1 of 3
2. Assign an IP address to each Ethernet interface. [IP - Addresses]
Command:
/ip address add address=192.168.0.253/24 interface=Telkom
/ip address add address=203.81.187.62/24 interface=Diginet <--- /24 assumed because the real netmask is unknown; ask the ISP for the actual prefix length, a wrong mask can put the gateway off-link or black-hole part of the ISP's range
/ip address add address=192.168.3.254/24 interface=Local
[admin@BlueSky.Net] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.253/24 192.168.0.0 192.168.0.255 Telkom
1 192.168.3.254/24 192.168.3.0 192.168.3.255 Local
2 203.81.187.62/24 203.81.187.0 203.81.187.255 Diginet
3. Create rules in [IP - Firewall - Mangle]:
- chain=prerouting src-address=192.168.3.0/26 action=mark-routing new-routing-mark=Internet
"marks packets coming from 192.168.3.0/26 with the routing mark Internet"
- chain=prerouting src-address=192.168.3.64/26 action=mark-routing new-routing-mark=Games
"marks packets coming from 192.168.3.64/26 with the routing mark Games"
Command:
/ip firewall mangle add chain=prerouting src-address=192.168.3.0/26 action=mark-routing new-routing-mark=Internet
/ip firewall mangle add chain=prerouting src-address=192.168.3.64/26 action=mark-routing new-routing-mark=Games
[admin@BlueSky.Net] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting src-address=192.168.3.0/26 action=mark-routing
new-routing-mark=Internet passthrough=yes
1 chain=prerouting src-address=192.168.3.64/26 action=mark-routing
new-routing-mark=Games passthrough=yes
4. Set the gateway for each network. [IP - Routes]
Command:
/ip route add gateway=192.168.0.254 dst-address=0.0.0.0/0 routing-mark=Internet
/ip route add gateway=203.81.187.1 dst-address=0.0.0.0/0 routing-mark=Games
(Internet-marked traffic leaves via Telkom, Games-marked traffic via Diginet.)
[admin@BlueSky.Net] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DIS INTE...
0 ADC 192.168.0.0/24 192.168.0.253 Telkom
1 ADC 192.168.3.0/24 192.168.3.254 Local
2 ADC 203.81.187.0/24 203.81.187.62 Diginet
3 A S 0.0.0.0/0 r 192.168.0.254 Telkom
4 A S 0.0.0.0/0 r 203.81.187.1 Diginet
5. Create a masquerade NAT rule for network 192.168.3.0/24 [IP - Firewall - NAT]
Command:
/ip firewall nat add chain=srcnat src-address=192.168.3.0/24 action=masquerade comment="Masquerade Network 192.168.3.0/24"
[admin@BlueSky.Net] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade Network 192.168.3.0/24
chain=srcnat src-address=192.168.3.0/24 action=masquerade
6. Create a script that checks the gateways with the netwatch tool:
Command
/system script add name=check-gw source={
  # collect the gateways whose netwatch probe is "up"; netwatch items have no
  # name, so they are looked up by the comment (R1, R2) given to them below
  :local gw ""
  :if ([/tool netwatch get [/tool netwatch find comment=R1] status] = "up") do={ :set gw "192.168.0.254" }
  :if ([/tool netwatch get [/tool netwatch find comment=R2] status] = "up") do={
    :if ($gw = "") do={ :set gw "203.81.187.1" } else={ :set gw ($gw . ",203.81.187.1") }
  }
  # only rewrite the default routes when at least one gateway is up; an empty
  # gateway list would leave the router with no usable default route at all
  :if ($gw != "") do={ /ip route set [/ip route find dst-address=0.0.0.0/0] gateway=$gw }
}
/tool netwatch add comment=R1 host=192.168.0.254 interval=5s up-script=check-gw down-script=check-gw
/tool netwatch add comment=R2 host=203.81.187.1 interval=5s up-script=check-gw down-script=check-gw
Two things to keep in mind. First, the find matches both default routes (the Internet-marked and the Games-marked one), so after the first netwatch event both carry the same gateway list: with both ISPs up, traffic from both client groups is spread over both links (ECMP) instead of being split per subnet as in step 4, and with one ISP down everything uses the survivor. If the per-subnet split must survive, find each route by routing-mark and set it individually. Because the clients are given the DNS servers of "their" ISP, a resolver that only answers queries from its own ISP's address space stops answering once the query leaves through the other link. Second, pinging the directly connected gateway detects a link failure but not an outage further upstream; probing a host beyond the ISP needs a route that pins that probe to the corresponding link.
The MikroTik configuration is now complete.
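The same failover logic as an added POSIX shell example for a Linux router, not part of the tutorial and not RouterOS code: it uses the tutorial's two gateway addresses, takes the probe results as arguments so the decision logic can be exercised offline, and shows the edge cases the check-gw script has to get right (one gateway down gives a single-gateway route, both down leaves the existing route untouched). The `ip route replace default nexthop via ... nexthop via ...` form is Linux's equivalent of a RouterOS route with a two-gateway list; probe_gateway and the cron usage line are assumptions for a live deployment.

```shell
#!/bin/sh
# Added example (not from the tutorial): the check-gw logic for a Linux router.
# Gateway addresses come from the tutorial's scenario; R1/R2 match its netwatch comments.
R1_GW=192.168.0.254   # Telkom (ADSL) gateway
R2_GW=203.81.187.1    # Diginet (wireless) gateway

# probe_gateway GW -> prints "up" or "down" (one ICMP echo, 1 s timeout).
# Not used by the tests below: it needs the real network.
probe_gateway() {
  if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# gateway_list R1_STATUS R2_STATUS -> comma-separated list of reachable
# gateways in the tutorial's order; prints nothing if both are down.
gateway_list() {
  list=""
  if [ "$1" = up ]; then list="$R1_GW"; fi
  if [ "$2" = up ]; then
    if [ -z "$list" ]; then list="$R2_GW"; else list="$list,$R2_GW"; fi
  fi
  printf '%s' "$list"
}

# route_cmd R1_STATUS R2_STATUS -> the `ip route` command that installs the
# matching default route: two nexthops (ECMP) when both are up, a single
# gateway when one is down. Returns 1 and prints nothing when both are down,
# so the caller keeps the last known-good route instead of deleting it.
route_cmd() {
  list=$(gateway_list "$1" "$2")
  case "$list" in
    "")  return 1 ;;
    *,*) printf 'ip route replace default nexthop via %s nexthop via %s\n' \
           "${list%,*}" "${list#*,}" ;;
    *)   printf 'ip route replace default via %s\n' "$list" ;;
  esac
}

# Live use on the router (run from cron every few seconds):
#   cmd=$(route_cmd "$(probe_gateway "$R1_GW")" "$(probe_gateway "$R2_GW")") && eval "$cmd"
```

The `eval` in the usage line only runs when route_cmd produced a command, which is exactly the "at least one gateway up" guard the RouterOS script needs.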
Next, give each Internet client an IP address from 192.168.3.1 to 192.168.3.62.
Use netmask 255.255.255.192 so the workgroup is separate from Games.
Do not forget to enter the Telkom DNS servers from the scenario above (202.134.0.155 and 202.134.2.5) in the Internet clients' network properties.
Point the gateway to 192.168.3.254.
For the Games clients, use IP addresses from 192.168.3.65 to 192.168.3.126.
Also use netmask 255.255.255.192 if you want a workgroup separate from the Internet clients.
Enter the Diginet DNS servers (203.81.185.12 and 203.81.185.13) in their network properties.
Set the gateway to 192.168.3.254.
Note that 192.168.3.254 lies outside both /26 client subnets. It works here because the router holds the whole 192.168.3.0/24 on ether3 and answers ARP for .254 from either group (Windows accepts an off-subnet default gateway with a warning), but a cleaner design adds a router address inside each /26 and uses that as the gateway.
Good luck...
Bogor, 22 July 2006
Husam Suhaemi