Mikrotik Advance Setup Part 1
Disini bisa paham Mikrotik.
MIKROTIK Advance Setup Part - 1
If MikroTik runs as a virtual machine on ESXi or VMware Workstation, its bridge may not forward traffic: the virtual switch drops frames to or from MAC addresses it did not assign to the VM. To fix the bridge issue on ESXi, in the vSphere client go to Configuration → Networking, select the vSwitch that carries the bridged port, click Properties → Edit, and on the Security tab set Promiscuous Mode to Accept (for a bridging guest you will typically also need Forged Transmits and MAC Address Changes set to Accept). Then reboot (the original text says the ESXi host; restarting the MikroTik VM is usually enough once the vSwitch policy is saved).
Open Winbox (or an SSH/terminal session) and paste the following sections into the terminal one section at a time.
# Interface lists referenced by the firewall, neighbor-discovery and
# mac-server settings further down.
/interface list
add name=LAN
add name=WAN
# LAN bridge with DHCP snooping and DHCP Option 82 insertion.
# arp=reply-only: the bridge only answers ARP for entries already present in
# its ARP table and learns no dynamic ones; combined with add-arp=yes on the
# DHCP server below, hosts that did not obtain a lease from this router cannot
# reach it (a static-IP host on the LAN needs a manual /ip arp entry).
/interface bridge
add add-dhcp-option82=yes arp=reply-only dhcp-snooping=yes name=brglan
# Rename the physical ports so the later rules read clearly.
/interface ethernet
set [ find default-name=ether3 ] name=lan1
set [ find default-name=ether4 ] name=wan1
After the bridge port is added, Winbox may disconnect and reconnect on its own; this is expected (the bridge's interface/MAC state changes) and needs no action.
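/interface bridge port
# NOTE(review): trusted=yes tells DHCP snooping to accept DHCP *server*
# messages arriving on lan1.  If lan1 only connects clients, a rogue server on
# it is therefore not dropped by snooping.  Use trusted=no on client-facing
# ports, and confirm against the MikroTik DHCP-snooping documentation for your
# RouterOS version whether the router's own server on brglan needs a trusted
# port at all.
add bridge=brglan interface=lan1 trusted=yes
/interface list member
add interface=brglan list=LAN
add interface=wan1 list=WAN
# fixed: the original read "interface= lan1" (stray space after '='), which
# the CLI does not parse as interface=lan1, so lan1 never joined the LAN list
# that the bridge filter, neighbor discovery and MAC-Winbox rely on.
add interface=lan1 list=LAN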
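/ip address
# The comment "Tolan" is looked up by the rogue-DHCP alert script
# ([find comment="Tolan"]); keep it if you rename things.
add address=192.168.0.2/24 comment=Tolan interface=brglan network=192.168.0.0
/ip pool
add name=pool-disiniaja ranges=192.168.0.100-192.168.0.254
# fixed: the original omitted the "/ip dhcp-server" context line, so the
# "add add-arp=yes ..." command below was issued under /ip pool and failed.
/ip dhcp-server
# add-arp=yes writes a static ARP entry for every lease - this is what makes
# arp=reply-only on brglan workable.  authoritative=after-2sec-delay only acts
# authoritatively (NAKs unknown addresses) for clients that have been retrying
# for 2 seconds or more.
add add-arp=yes address-pool=pool-disiniaja authoritative=after-2sec-delay \
    disabled=no interface=brglan lease-time=6h name=dhcptoLAN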
/ip dhcp-server network
# Clients are handed the router itself (192.168.0.2) as DNS server, which is
# why allow-remote-requests=yes is required below.
add address=192.168.0.0/24 dns-server=192.168.0.2 domain=hotspot-disiniaja.org gateway=\
192.168.0.2 netmask=24 ntp-server=\
203.89.31.13,202.65.114.202,120.25.115.19
/ip dns
# allow-remote-requests=yes makes the router answer DNS on *every* interface,
# wan1 included.  Unless the "BLOCK DNS REQUEST FROM WAN" input rules further
# down are enabled, this is an open resolver reachable from the Internet and
# usable for DNS amplification.
set allow-remote-requests=yes cache-size=8192KiB servers=8.8.8.8,8.8.4.4
/ip firewall nat
# Source-NAT everything leaving wan1.  masquerade follows wan1's current
# address, so the same rule serves the dynamic-IP and static-IP WAN variants.
add action=masquerade chain=srcnat comment="NAT WAN1" out-interface=\
wan1
WAN option A — dynamic IP (address obtained from the ISP via DHCP):
/ip dhcp-client
# Obtain the WAN address from the ISP; hostname and client-id are included in
# the request.  add-default-route is left at its default (yes), so the learned
# gateway becomes the default route.  use-peer-dns also defaults to yes, so
# ISP-supplied resolvers are added next to 8.8.8.8/8.8.4.4 - set use-peer-dns=no
# if only the configured servers should be used.
add dhcp-options=hostname,clientid disabled=no interface=wan1
WAN option B — static IP (use either option A or option B, not both):
/ip address
# Static WAN address.  The "Towan" comment is informational only (only "Tolan"
# is looked up by the alert script).
add address=192.168.20.128/22 comment=Towan interface=wan1 network=192.168.20.0
/ip route
# Default route (dst-address defaults to 0.0.0.0/0) via the upstream gateway;
# 192.168.20.2 is also the address placed in the ip-gw1 list below.
add comment=route_WAN1 distance=1 gateway=192.168.20.2
Reboot, then verify the static-IP WAN: ping the gateway 192.168.20.2 and an external host, and check /ip route for the default route.
SECURE YOUR ROUTER
ROGUE DHCP SERVER DETECTION WITH E-MAIL ALERT
/ip dhcp-server alert
# Raise an alert (and run the e-mail script) whenever a DHCP server other than
# valid-server answers on brglan.  valid-server must be the MAC address of the
# brglan interface on *this* router: 00:0C:29:... is a VMware-assigned MAC from
# the author's lab and must be replaced with yours.  The comment "bgrlan" is
# not a typo to fix on its own - the script finds this entry with
# [find comment="bgrlan"], so both must be changed together.
add alert-timeout=30m comment=bgrlan disabled=no interface=brglan on-alert=\
"/system script run rogue-dhcpbgrlan" valid-server=00:0C:29:DD:5F:A3
CONFIGURE THE SENDING ACCOUNT AND THE RECIPIENT (Microsoft 365 / Outlook SMTP)
/tool e-mail
# Outbound SMTP account used by the alert script.  The password is stored in
# plain text in the configuration and is shown by print/export to any user
# holding the "sensitive" policy, so use a dedicated mailbox or app password
# that has no other privileges.  The script below overrides from= with its own
# sender address.
set address=smtp.office365.com from=mikrotik password=youremailpass port=587 \
start-tls=yes user=youremail@outlook.com
CREATE THE SCRIPT THAT SENDS THE ALERT E-MAIL
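/system script
# NOTE(review): the policy list below grants far more than an alert mailer
# needs (password, sensitive, policy, reboot, ftp, romon, ...).  Trim it to the
# smallest set with which "/tool e-mail send" still runs on your RouterOS
# version (read,test is the usual starting point), so that a bug in - or an
# edit to - this script cannot be turned into a privilege escalation.
add dont-require-permissions=no name=rogue-dhcpbgrlan owner=amy policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_DHCP alert script\r\
\n# Run by /ip dhcp-server alert (the entry whose comment is bgrlan). Mails\r\
\n# the MAC/IP of the unknown DHCP server plus this router's valid MAC and\r\
\n# LAN address to emlRcpt.\r\
\n:local verzija \"2 (09.04.2014).\";\r\
\n\r\
\n# e-mail parameters\r\
\n:local DeviceName [/system identity get name];\r\
\n:local sfrom \"youremail@outlook.com\";\r\
\n:local emlRcpt \"arriveemail@gmail.com\";\r\
\n:local emlSubject \"\\F0\\9F\\94\\B4 CRITICAL: *** Rogue DHCP server det\
ected on \$DeviceName ***\";\r\
\n:local emlBody \"\";\r\
\n\r\
\n# interface to use: interfejs must equal the comment= of the dhcp-server\r\
\n# alert entry, cinterfejs the comment= of the LAN /ip address entry\r\
\n:local interfejs \"bgrlan\";\r\
\n:local cinterfejs \"Tolan\";\r\
\n\r\
\n#\r\
\n# ----- Don't change below this line!!! ------------------------\r\
\n#\r\
\n:set emlBody (\$emlBody.\"Sistem: \$[/system identity get name]\\n\\n\")\
;\r\
\n\r\
\n# DHCP server parameters\r\
\n:local validmac;\r\
\n:local valip;\r\
\n:local dhcpmac;\r\
\n:local dhcpip;\r\
\n\r\
\n# read the MAC and IP of the rogue DHCP server from the alert entry\r\
\n:set dhcpmac [/ip dhcp-server alert get [find comment=\$interfejs] unkno\
wn-server ];\r\
\n# fixed: property name written out in full (was the abbreviation valid)\r\
\n:set validmac [/ip dhcp-server alert get [find comment=\$interfejs] \
valid-server ];\r\
\n# fixed: the original read /ip hotspot host unconditionally; with no\r\
\n# hotspot configured (none is set up on this page) or no matching host,\r\
\n# get fails with no such item and the script aborts before the e-mail is\r\
\n# sent. Fall back to the ARP table, then to unknown, so the alert always\r\
\n# goes out.\r\
\n:do { :set dhcpip [/ip hotspot host get [find mac-address=\$dhcpmac] \
address] } on-error={ :do { :set dhcpip [/ip arp get \
[find mac-address=\$dhcpmac] address] } on-error={ \
:set dhcpip \"unknown\" } };\r\
\n:set valip [/ip address get [find comment=\$cinterfejs] address ];\r\
\n\r\
\n# now we pack this\r\
\n# we're using . to concatenate strings\r\
\n:set emlBody (\$emlBody.\"Unknown DHCP server detected on interface \$in\
terfejs\\n\\n\");\r\
\n:set emlBody (\$emlBody.\"MAC address ...........: \$dhcpmac\\r\\n\");\r\
\n:set emlBody (\$emlBody.\"IP address ............: \$dhcpip\\r\\n\");\r\
\n:set emlBody (\$emlBody.\"Valid Mac address is...: \$validmac\\r\\n\");\
\r\
\n:set emlBody (\$emlBody.\"Valid IP address is...: \$valip\\r\\n\");\r\
\n:set emlBody (\$emlBody.\"Detection time ........: \$[/system clock get \
date], Time alert = \$[/system clock get time]\\n\\n\");\r\
\n:set emlBody (\$emlBody.\"----------------------------------------------\
----------------------------\\r\\n\");\r\
\n:set emlBody (\$emlBody.\"DHCP alert script MODIFICATION by AMY v.\$verzija\");\r\
\n\r\
\n# we will send an email\r\
\n/tool e-mail send from=\$sfrom to=\$emlRcpt subject=\"\$emlSubject\" bod\
y=\$emlBody \r\
\n"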
BRIDGE FILTER FOR DHCP (note: these two rules do not by themselves block a rogue server's offers — DHCP snooping with untrusted client ports is what does that; see the comments on the rules)
/interface bridge filter
# NOTE(review): as written these rules do not block a rogue DHCP server.  They
# match client->server packets (src 68 -> dst 67) in the bridge *forward*
# chain, i.e. only traffic passing between bridge ports, and the first rule
# accepts everything towards the LAN list (which lan1 is meant to be in), so
# the drop below is never reached.  Server->client offers (src-port=67) are
# not matched at all.  With dhcp-snooping=yes on brglan it is the
# untrusted-port handling (trusted=no on client ports) that rejects rogue
# offers; these rules only matter once extra bridge ports outside the LAN list
# exist.
add action=accept chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip \
out-interface-list=LAN src-port=68
add action=drop chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip \
src-port=68
DETECT AND DROP PORT SCANNERS (all rules below are added disabled; enable them after testing from a non-admin host)
/ip firewall address-list
# The whole user subnet on brglan.
add address=192.168.0.0/24 list=allhotspot-network
# Upstream gateway of wan1 (static-IP variant); users are kept away from it.
add address=192.168.20.2/32 list=ip-gw1
# Administrator's host - the only LAN address allowed to reach ip-gw1 freely.
add address=192.168.0.212/32 list=ip-admin
/ip firewall filter
# Port-scan detection against the router itself (chain=input).  Every rule is
# added disabled=yes; enable them after testing.  A source that trips any rule
# is listed for 12h and then dropped both to the router and through it, so
# exclude your management host first (e.g. src-address-list=!ip-admin on the
# detection rules) or you can lock yourself out.
# psd=4,3s,3,1: weight threshold 4 reached within 3s; low ports weigh 3,
# high ports 1.
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="IP USER Port scanners to list " \
disabled=yes protocol=tcp psd=4,3s,3,1
# The following rules match TCP flag combinations no legitimate client sends.
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="NMAP FIN Stealth scan" \
disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="SYN/FIN scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="FIN/PSH/URG scan" disabled=\
yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="ALL/ALL scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="ip-portscanners" \
address-list-timeout=12h chain=input comment="NMAP NULL scan" disabled=\
yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drop listed sources: to the router (input) and through it (forward).
add action=drop chain=input comment="dropping port scanners" disabled=yes \
src-address-list="ip-portscanners"
add action=drop chain=forward comment="END dropping port scanners" disabled=yes \
src-address-list="ip-portscanners"
PREVENT USER TETHERING (TTL=1 towards the LAN)
/ip firewall mangle
# Anti-tethering: every packet leaving towards the LAN gets TTL=1, so a client
# that forwards it on (phone hotspot, second NAT router) decrements it to 0 and
# must discard it.  Side effects: any legitimate router/NAT box behind lan1
# stops working too, and IPv6 (hop limit) is not covered by this rule.
add action=change-ttl chain=postrouting comment="User Can't Tetehring" new-ttl=\
set:1 out-interface=brglan passthrough=no
BLOCK USER ACCESS TO THE WAN1 GATEWAY (admin host excepted; DNS to the gateway still allowed)
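/ip firewall filter
# Only the admin host may reach the wan1 gateway directly ...
add action=accept chain=forward comment="\"ALLOW TO GW1\"" \
    dst-address-list=ip-gw1 src-address-list=ip-admin
# ... everyone else on the user subnet may only send DNS to it (TCP/UDP 53) ...
add action=accept chain=forward comment="\"ALLOW TO GW1\"" \
    dst-address-list=ip-gw1 dst-port=53 protocol=tcp src-address-list=\
    allhotspot-network
add action=accept chain=forward comment="\"ALLOW TO GW1\"" \
    dst-address-list=ip-gw1 dst-port=53 protocol=udp src-address-list=\
    allhotspot-network
# ... and everything else from the user subnet to the gateway is dropped.
# fixed: the original wrote "dst-address-list= ip-gw1" (stray space after
# '=') in the three rules above and this one, which the CLI does not parse as
# intended.
# NOTE(review): this drop rule ships disabled=yes; the three accepts above
# achieve nothing until it is enabled.
add action=drop chain=forward comment="DROP TO GW1" disabled=yes \
    dst-address-list=ip-gw1 src-address-list=allhotspot-network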
DROP TRACEROUTE FROM LOCAL USERS (caveat: the rule below matches all ICMP, not just traceroute)
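/ip firewall filter
# NOTE(review): this matches *all* ICMP from the user subnet, not only
# traceroute: ping, destination-unreachable and fragmentation-needed (path-MTU
# discovery) from users are dropped too.  Left disabled=yes on purpose; if you
# enable it, narrow the match instead of dropping every ICMP type.
# added: the "/ip firewall filter" context line so this section can be pasted
# on its own (the original relied on the context of the block above it).
add action=drop chain=forward comment="Drop Traceroute from local" disabled=\
    yes protocol=icmp src-address-list=allhotspot-network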
BLOCK DNS REQUESTS FROM THE WAN. This is not optional: /ip dns allow-remote-requests=yes (needed so LAN clients can use the router as their resolver) also answers queries arriving on wan1, which turns the router into an open resolver that can be abused for DNS amplification. Enable the two rules below; LAN clients reach the resolver through brglan, so they are unaffected.
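/ip firewall filter
# Because /ip dns has allow-remote-requests=yes, the router answers DNS on
# every interface.  These rules stop wan1 from acting as an open resolver
# (a DNS-amplification source).  fixed: changed from disabled=yes to
# disabled=no - LAN clients reach the resolver via brglan, never via wan1,
# so nothing legitimate is lost by enabling them.
add action=drop chain=input comment="BLOCK DNS REQUEST FROM WAN" disabled=no \
    dst-port=53 in-interface=wan1 protocol=tcp
add action=drop chain=input comment="BLOCK DNS REQUEST FROM WAN" disabled=no \
    dst-port=53 in-interface=wan1 protocol=udp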
HARDENING THE ROUTER'S MANAGEMENT SERVICES
/ip neighbor discovery-settings
# Only announce and listen for neighbour discovery on LAN-list interfaces, so
# the router's identity/platform details are not advertised towards the WAN.
set discover-interface-list=LAN
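/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
# added: the original disabled api-ssl but left the plaintext "api" service
# (tcp/8728) enabled, and left winbox and www reachable from any interface
# including wan1 - nothing on this page adds an input-chain drop for the WAN.
# Disable the plaintext API and limit the remaining management services to the
# LAN subnet.  Adjust address= if you manage the router from elsewhere, or you
# will lock yourself out (MAC-Winbox on LAN ports remains as a recovery path).
set api disabled=yes
set winbox address=192.168.0.0/24
set www address=192.168.0.0/24
/ip ssh
# Only relevant if ssh is re-enabled.  strong-crypto=yes drops weak ciphers and
# MACs.  NOTE(review): forwarding-enabled=remote permits SSH remote port
# forwarding, which a management-only router does not need - consider
# forwarding-enabled=no.
set forwarding-enabled=remote strong-crypto=yes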
/tool bandwidth-server
# Bandwidth-test server off - it can be abused to saturate the link.
set authenticate=no enabled=no
/tool mac-server
# No MAC-Telnet on any interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
# MAC-Winbox only from LAN-list ports: keeps a recovery path if the IP
# configuration breaks, without exposing it on the WAN.
set allowed-interface-list=LAN
/tool mac-server ping
# Do not answer MAC-ping.
set enabled=no
MAINTENANCE: CLOCK, NTP, IDENTITY AND A DAILY REBOOT
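/system clock
set time-zone-autodetect=no time-zone-name=Asia/Jakarta
/system clock manual
# dst-start equals dst-end, i.e. no DST period (Asia/Jakarta has none).
set dst-end="may/30/2018 11:00:00" dst-start="may/30/2018 11:00:00"
/system identity
set name=mkdisiniaja
/system ntp client
# Correct time matters for the alert-mail timestamps and for STARTTLS to the
# SMTP server; two fixed servers plus a pool name are configured.
set enabled=yes primary-ntp=202.65.114.202 secondary-ntp=120.25.115.19 \
    server-dns-names=asia.pool.ntp.org
/system scheduler
# Daily reboot at 01:20.  fixed: policy trimmed from the full set
# (ftp,write,policy,password,sensitive,romon,...) to "reboot", which is what
# "/system reboot" needs; a scheduler entry is a persistent execution point and
# should carry the least privilege possible.  Add "read" only if your RouterOS
# version refuses to run it with reboot alone.
add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=\
    reboot start-date=jan/13/2023 start-time=01:20:27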
You can watch this lesson on YouTube to understand it better. Please support our channel so it can keep growing — there is nothing that can't be done: https://disiniaja.id.
Wishing you good health and continued success.