Mikrotik Load Balancing 2 ISP

May 30, 2016 | Author: Fanny Sispriadi | Category: Types, Presentations

Mikrotik Load Balancing 2 ISP with LAN IP Address List

ether1 (ISP1) : 111.111.111.111
ether2 (ISP2) : 222.222.222.222
ether3 (LAN)  : 192.168.17.1

Add the IP addresses on the MikroTik box for the setup above (network= is optional, and the broadcast= parameter of old RouterOS releases is no longer accepted; both are derived from the prefix):

/ip address
add address=111.111.111.111/24 network=111.111.111.0 interface=ether1
add address=222.222.222.222/24 network=222.222.222.0 interface=ether2
add address=192.168.17.1/24 network=192.168.17.0 interface=ether3

Four workstations with the IPs 192.168.17.2 (WORKST-1), 192.168.17.3 (WORKST-2), 192.168.17.4 (WORKST-3) and 192.168.17.5 (WORKST-4).

1. Create the address lists under IP Firewall:

/ip firewall address-list
add list=jalur1 address=192.168.17.2
add list=jalur1 address=192.168.17.3
add list=jalur2 address=192.168.17.4
add list=jalur2 address=192.168.17.5

2. Configure NAT and MANGLE

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=111.111.111.111 src-address-list=jalur1 comment="via ISP1"
add chain=srcnat action=src-nat to-addresses=222.222.222.222 src-address-list=jalur2 comment="via ISP2"

to-addresses= is honoured only by action=src-nat, which is why that action is used rather than masquerade. Because the translated address is fixed per list, traffic from jalur1 that is ever routed through the ISP2 gateway would leave with an ISP1 source address and be dropped upstream; if failover between the ISPs matters, match the NAT rules on out-interface=ether1 / out-interface=ether2 with action=masquerade instead, so the source address always follows the interface actually used.

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=jalur1-route passthrough=no \
    src-address-list=jalur1 in-interface=ether3 comment="Mark Routing Jalur1"
add chain=prerouting action=mark-routing new-routing-mark=jalur2-route passthrough=no \
    src-address-list=jalur2 in-interface=ether3 comment="Mark Routing Jalur2"

3. IP Routes and Rules

/ip route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=1 scope=30 \
    target-scope=10 routing-mark=jalur1-route
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=2 scope=30 \
    target-scope=10 routing-mark=jalur1-route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=2 scope=30 \
    target-scope=10 routing-mark=jalur2-route
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=1 scope=30 \
    target-scope=10 routing-mark=jalur2-route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 check-gateway=ping distance=1 scope=30 \
    target-scope=10
add dst-address=0.0.0.0/0 gateway=222.222.222.1 check-gateway=ping distance=1 scope=30 \
    target-scope=10

Within one routing table the route with the lowest distance is the active one, so each marked table has its own ISP as the distance=1 primary and the other ISP as the distance=2 backup; check-gateway=ping marks a gateway unreachable when it stops answering, at which point the backup route takes over. If both routes in a marked table had the same distance, RouterOS would spread connections across both gateways (ECMP), which defeats the purpose of the per-list assignment. The two unmarked default routes serve hosts that are in neither list and the router's own traffic.

/ip route rule
add dst-address=111.111.111.0/24 action=lookup table=main
add dst-address=222.222.222.0/24 action=lookup table=main
add dst-address=192.168.17.0/24 action=lookup table=main
add src-address=111.111.111.0/24 action=lookup table=jalur1-route
add src-address=222.222.222.0/24 action=lookup table=jalur2-route
add routing-mark=jalur1-route action=lookup table=jalur1-route
add routing-mark=jalur2-route action=lookup table=jalur2-route

Route rules are evaluated top to bottom and the first match selects the table; the three dst-address rules keep traffic for the directly connected networks in the main table. On RouterOS v7 the tables must exist before they can be referenced (/routing table add name=jalur1-route fib and /routing table add name=jalur2-route fib); v6 creates them implicitly from the routing-mark.

The IP route rule configuration above is also what makes remote login from the internet work: with these rules the router is reachable via both ISPs, because a reply sourced from 111.111.111.0/24 or 222.222.222.0/24 is looked up in that ISP's table and leaves through the gateway it arrived from. The final IP Route configuration, as seen in WinBox, looks like the image below:
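To check how steps 1 to 3 fit together before touching a router, the following added example (not part of the original page and not RouterOS code) models the three decision stages RouterOS applies to a forwarded packet: the mangle mark from the address lists, the first-match route-rule lookup, and the lowest-distance route whose gateway still passes check-gateway. Names, addresses and tables are the ones from the page; the destination 203.0.113.10 and the gateway_up dictionary that stands in for the ping state are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 1: /ip firewall address-list (names and addresses from the page)
ADDRESS_LISTS: Dict[str, set] = {
    "jalur1": {"192.168.17.2", "192.168.17.3"},
    "jalur2": {"192.168.17.4", "192.168.17.5"},
}

# Step 2: /ip firewall mangle prerouting: (src-address-list, new-routing-mark)
MANGLE = [("jalur1", "jalur1-route"), ("jalur2", "jalur2-route")]


@dataclass
class Route:
    gateway: str
    distance: int


# Step 3: /ip route grouped by routing table; routes without a routing-mark
# live in "main"
ROUTES: Dict[str, List[Route]] = {
    "jalur1-route": [Route("111.111.111.1", 1), Route("222.222.222.1", 2)],
    "jalur2-route": [Route("111.111.111.1", 2), Route("222.222.222.1", 1)],
    "main": [Route("111.111.111.1", 1), Route("222.222.222.1", 1)],
}


@dataclass
class RouteRule:
    table: str
    dst: Optional[str] = None
    src: Optional[str] = None
    routing_mark: Optional[str] = None


# Step 3: /ip route rule, evaluated top to bottom, first match wins
ROUTE_RULES = [
    RouteRule("main", dst="111.111.111.0/24"),
    RouteRule("main", dst="222.222.222.0/24"),
    RouteRule("main", dst="192.168.17.0/24"),
    RouteRule("jalur1-route", src="111.111.111.0/24"),
    RouteRule("jalur2-route", src="222.222.222.0/24"),
    RouteRule("jalur1-route", routing_mark="jalur1-route"),
    RouteRule("jalur2-route", routing_mark="jalur2-route"),
]

# Directly connected networks from /ip address: delivered without a gateway
CONNECTED = ["111.111.111.0/24", "222.222.222.0/24", "192.168.17.0/24"]


def in_net(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def routing_mark(src: str) -> Optional[str]:
    """Mangle stage: the first address list containing src sets the mark."""
    for list_name, mark in MANGLE:
        if src in ADDRESS_LISTS[list_name]:
            return mark
    return None


def select_table(src: str, dst: str, mark: Optional[str]) -> str:
    """Route-rule stage: the first rule whose matchers all agree picks the table."""
    for rule in ROUTE_RULES:
        if rule.dst and not in_net(dst, rule.dst):
            continue
        if rule.src and not in_net(src, rule.src):
            continue
        if rule.routing_mark and rule.routing_mark != mark:
            continue
        return rule.table
    return "main"


def next_hop(src: str, dst: str, gateway_up: Dict[str, bool]) -> Optional[str]:
    """Gateway chosen for a packet src -> dst, "connected", or None if no route.

    gateway_up stands in for the check-gateway=ping state; a gateway missing
    from the dict is treated as reachable. Among reachable routes the lowest
    distance wins. Equal distances (the unmarked default routes on the page)
    would be ECMP in RouterOS; this model simply takes the first one.
    """
    if any(in_net(dst, net) for net in CONNECTED):
        return "connected"
    table = select_table(src, dst, routing_mark(src))
    usable = [r for r in ROUTES[table] if gateway_up.get(r.gateway, True)]
    if not usable:
        return None
    return min(usable, key=lambda r: r.distance).gateway


if __name__ == "__main__":
    # 203.0.113.10 is a constructed (TEST-NET-3) internet destination
    for host in ("192.168.17.2", "192.168.17.4", "192.168.17.9"):
        print(host, "->", next_hop(host, "203.0.113.10", {}))
    print("ISP1 gateway down, jalur1 host ->",
          next_hop("192.168.17.2", "203.0.113.10", {"111.111.111.1": False}))
```

Running it shows a jalur1 host leaving via 111.111.111.1 and a jalur2 host via 222.222.222.1, a jalur1 host falling back to 222.222.222.1 once the ISP1 gateway is marked down, and a reply sourced from the router's own ISP2 address being sent back through the ISP2 gateway even though it carries no routing mark, which is the remote-login property described above.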

Script that automatically blocks an IP that tries to log in 3 times:
======================================================
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh3 action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh2 action=add-src-to-address-list address-list=bl_list_ssh3 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bl_list_ssh1 action=add-src-to-address-list address-list=bl_list_ssh2 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=bl_list_ssh1 address-list-timeout=1m \
    comment="" disabled=no
======================================================

The IP is banned for 1 day.

The drop rule comes first and the stages follow in reverse order (black_list, then bl_list_ssh3, bl_list_ssh2, bl_list_ssh1). add-src-to-address-list does not stop rule processing, and a new list entry is already visible to the rules after it, so with the stages in ascending order a single new connection would climb through every stage and be dropped at once. Note also what is counted: new TCP connections to port 22 within one minute, not failed logins, so an administrator who reconnects four times in a minute is banned just the same; an accept rule for management addresses placed above the drop rule avoids that.

Method 2:

/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop
# accept 10 incorrect logins per minute
add chain=output action=accept protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m
# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=1d

This variant inspects the router's own outgoing FTP replies: "530 Login incorrect" is the FTP server's failed-login response, so the drop rule applies to port 21 and both rules refer to the same list, ftp_blacklist. The content string contains spaces and must be quoted. dst-limit=1/1m,9,dst-address/1m lets one reply per minute plus a burst of nine pass per client address, i.e. 10 failed logins per minute; the next failed login within that minute puts the client on the list for a day. Unlike method 1, this counts actual authentication failures rather than connections.
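The following added example (not part of the original page and not RouterOS code) replays a sequence of new SSH connections against a model of the staged address lists above, tracking each entry's address-list-timeout. It assumes, as the reversed rule order relies on, that an address-list entry added by one rule is visible to the rules evaluated after it in the same pass. The client address 198.51.100.7 (TEST-NET-2) and the timings are constructed for the example; list names and timeouts are the page's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                        # "drop" or "add-src-to-address-list"
    src_list: Optional[str] = None     # src-address-list matcher, if any
    target_list: Optional[str] = None  # address-list= for the add action
    timeout: int = 0                   # address-list-timeout in seconds


# Corrected order: drop first, then the stages from last to first
CORRECTED_ORDER: List[Rule] = [
    Rule("drop", src_list="black_list"),
    Rule("add-src-to-address-list", "bl_list_ssh3", "black_list", 86400),
    Rule("add-src-to-address-list", "bl_list_ssh2", "bl_list_ssh3", 60),
    Rule("add-src-to-address-list", "bl_list_ssh1", "bl_list_ssh2", 60),
    Rule("add-src-to-address-list", None, "bl_list_ssh1", 60),
]

# Ascending order (stage 1 first, drop last), for comparison
ORIGINAL_ORDER: List[Rule] = CORRECTED_ORDER[1:][::-1] + [CORRECTED_ORDER[0]]


class AddressLists:
    """Dynamic address-list entries keyed by (list, ip) with their expiry time."""

    def __init__(self) -> None:
        self.expiry: Dict[Tuple[str, str], int] = {}

    def contains(self, name: str, ip: str, now: int) -> bool:
        exp = self.expiry.get((name, ip))
        return exp is not None and exp > now

    def add(self, name: str, ip: str, now: int, timeout: int) -> None:
        # re-adding an existing entry gives it a fresh timeout
        self.expiry[(name, ip)] = now + timeout


def process(rules: List[Rule], lists: AddressLists, ip: str, now: int) -> str:
    """Run one new TCP connection to port 22 from ip through the input chain."""
    for rule in rules:
        if rule.src_list and not lists.contains(rule.src_list, ip, now):
            continue
        if rule.action == "drop":
            return "drop"
        # add-src-to-address-list is non-terminating and the new entry is
        # seen by the very next rule, which is what makes rule order decisive
        lists.add(rule.target_list, ip, now, rule.timeout)
    return "accept"


def replay(rules: List[Rule], attempts: List[Tuple[int, str]]) -> List[str]:
    """attempts: (time_in_seconds, src_ip) pairs; returns one verdict per attempt."""
    lists = AddressLists()
    return [process(rules, lists, ip, t) for t, ip in attempts]


if __name__ == "__main__":
    # constructed sample: one client opening five SSH connections in 40 seconds
    burst = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
    print("corrected order:", replay(CORRECTED_ORDER, burst))
    print("ascending order:", replay(ORIGINAL_ORDER, burst))
    # same client, one connection every 70 s: each stage expires in between
    slow = [(t, "198.51.100.7") for t in (0, 70, 140, 210, 280)]
    print("slow client:    ", replay(CORRECTED_ORDER, slow))
```

With the corrected order the fourth new connection within a minute lands the client on black_list and the fifth is dropped; with the stages in ascending order and the drop rule last, even the very first connection is dropped, because it climbs all three stages in one pass. A client that waits longer than the one-minute timeout between connections never escalates, and a blacklisted client is accepted again once the one-day entry has expired.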
