Agratitudesign Impression | Graphic Web Design, Computer Network, Balinese Culture


On this occasion I’d like to explain how to build a web hosting server of our own, at home on our own PC. This is Part II of Building Web Hosting Server; this time we use a double (or multiple) router port forwarding technique, with Mikrotik as the router of the local network. A script on the Mikrotik automatically updates the No-IP sub domain with the dynamic public IP that most of us get from our ISP. The script is run by the system scheduler: every few minutes it checks our current public IP, and whenever it has changed the script sends the new IP to the noip.com server, so noip.com knows that our sub domain must be updated to the current IP and the sub domain keeps pointing at our current public IP. So we don’t need the “Dynamic Update Client” app from noip.com; this job is handled by the script running on the Mikrotik, without burdening the web hosting server with another application.

Perhaps some of you will ask why we need a double or multiple router. The reason depends on your needs. In my case, as you can see in the picture above, the ZTE optical router from my ISP gives me only limited control over my network clients. Other than being a user of the ISP router with limited management rights, I have a Mikrotik, which is a programmable router: I can manage the bandwidth of my web hosting server among the other network clients as I see fit. I don’t want my web hosting server to lack bandwidth because the other PC clients on my local network are using the internet.


1. The First Router Port Forwarding for TCP and UDP Protocol

In this case I am using the ZTE optical router from the ISP, and I still have access to the router with the user login. I can set up port forwarding on the ISP router from port 80 of its public IP to port 80 of the WAN interface of my Mikrotik router. As you can see in the schematic picture above, dynamic public IP 36.85.254.229:80 is forwarded to the private (LAN-side) IP of the Mikrotik, 192.168.1.2:80, for both the TCP and UDP protocols.



If your ISP does not use a ZTE optical router, look for the port forwarding feature; it exists on most kinds of router. But if you have a Mikrotik as the first router, you can add rules like these to the firewall NAT. Change the public interface name and the LAN-side IP of the second router to match your setup!

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=tcp to-addresses=192.168.1.2 to-ports=80 comment="TCP port forwarding"
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=udp to-addresses=192.168.1.2 to-ports=80 comment="UDP port forwarding"

It means that an incoming connection arriving on port 80 of the public IP is forwarded to the private IP of the public/WAN interface of the second router.

2. The Second Router Port Forwarding for TCP and UDP Protocol

Next, we plan to put our web hosting server as a PC client on the local network of the Mikrotik, the second router. We need to set up port forwarding on the second router that forwards connections arriving on port 80 of the Mikrotik’s public/WAN IP to port 8080 of the web hosting server, which is a client of the Mikrotik’s local network. So we add two rules to the firewall NAT of the second router Mikrotik like this!

/ip firewall nat
add chain=dstnat in-interface=internet dst-address=192.168.1.2 dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.2.254 to-ports=8080 comment="TCP port forwarding router IP to the client"
add chain=dstnat in-interface=internet dst-address=192.168.1.2 dst-port=80 protocol=udp action=dst-nat to-addresses=192.168.2.254 to-ports=8080 comment="UDP port forwarding router IP to the client"


At this point we have finished setting up double router port forwarding on the two routers. Now any incoming connection that arrives on port 80 of the public IP on the first router is forwarded to the IP of the web hosting server through the two port forwarding stages.
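The two dst-nat stages above, modelled as an added check (example code, not from this post): it applies the router 1 rules and then the router 2 rules to constructed packets and shows why the second-router rule needs dst-port=80. Without it, every TCP/UDP packet addressed to 192.168.1.2, including Winbox management traffic on port 8291 from a PC on router 1’s LAN (a constructed sample here), is rewritten to the web server.

```python
"""Model of the two dst-nat stages described above (added example).

Rules and addresses are the ones used in this post; the packets are
constructed test inputs.  The check it makes: a dst-nat rule with no
dst-port rewrites EVERY TCP/UDP packet addressed to the router's WAN IP,
including management traffic such as Winbox (8291), not just web traffic.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    in_iface: str     # interface the packet arrives on
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class DstNatRule:
    """Subset of a RouterOS /ip firewall nat action=dst-nat rule."""
    to_addr: str
    to_port: Optional[int] = None     # None keeps the original port
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None    # None matches ANY port (the trap)

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.in_iface, p.in_iface),
                  (self.dst_addr, p.dst_addr), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in checks)


def apply_dstnat(rules: List[DstNatRule], p: Packet) -> Packet:
    """First matching rule wins, as in the RouterOS dstnat chain."""
    for r in rules:
        if r.matches(p):
            port = r.to_port if r.to_port is not None else p.dst_port
            return replace(p, dst_addr=r.to_addr, dst_port=port)
    return p


def forward_twice(router1: List[DstNatRule], router2: List[DstNatRule],
                  p: Packet, wan2_iface: str = "internet") -> Packet:
    """Packet traverses router 1, then arrives on router 2's WAN interface."""
    after_r1 = apply_dstnat(router1, p)
    return apply_dstnat(router2, replace(after_r1, in_iface=wan2_iface))


# Router 1 (ISP router or first Mikrotik): public :80 -> 192.168.1.2:80
ROUTER1 = [DstNatRule("192.168.1.2", 80, proto=pr, in_iface="internet", dst_port=80)
           for pr in ("tcp", "udp")]
# Router 2, broad form: matches on dst-address only, no dst-port
ROUTER2_BROAD = [DstNatRule("192.168.2.254", 8080, proto=pr, dst_addr="192.168.1.2")
                 for pr in ("tcp", "udp")]
# Router 2, narrowed to web traffic arriving on its WAN port
ROUTER2_NARROW = [DstNatRule("192.168.2.254", 8080, proto=pr, in_iface="internet",
                             dst_addr="192.168.1.2", dst_port=80)
                  for pr in ("tcp", "udp")]

# Constructed packets: a web request from the internet, and a Winbox session
# from a PC on router 1's LAN (constructed admin host) to router 2's WAN IP
WEB = Packet("tcp", "internet", "36.85.254.229", 80)
WINBOX = Packet("tcp", "lan", "192.168.1.2", 8291)


def trace(router2: List[DstNatRule]) -> dict:
    """Where each constructed packet ends up after both routers."""
    return {"web": forward_twice(ROUTER1, router2, WEB),
            "winbox": forward_twice(ROUTER1, router2, WINBOX)}


if __name__ == "__main__":
    for name, rules in (("broad", ROUTER2_BROAD), ("narrow", ROUTER2_NARROW)):
        for kind, out in trace(rules).items():
            print(f"{name:6} {kind:6} -> {out.dst_addr}:{out.dst_port}")
```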

3. Adjustment Server Configuration on Local Network As Web Hosting Server

If you followed the previous article, this is no different from what we did to Build Web Hosting Server with a single router. Just make sure the IP address of the web hosting server is set to the static IP 192.168.2.254 in the Ethernet adapter configuration of the LAN, matching the second port forwarding rule. The Windows firewall must not block Wamp Server as the web server application, and you must create rules that allow TCP and UDP port 8080. Then, in the Apache httpd.conf of Wamp Server:

httpd.conf : C:\wamp64\bin\apache\apache2.4.23\conf

Find the text with “Listen” and change

Listen 0.0.0.0:80 -> Listen 0.0.0.0:8080
Listen [::0]:80 -> Listen [::0]:8080

Find the text with “ServerName” and change

ServerName localhost:80 -> ServerName 192.168.2.254:80

Find the text with “onlineoffline” and change

Require local -> Require all granted

Optional:

DocumentRoot "${INSTALL_DIR}/www/agratitudesign"
<Directory "${INSTALL_DIR}/www/agratitudesign/">

phpmyadmin.conf : “C:\wamp64\alias”

Require local -> Require all granted

4. Script for Automatic Update Dynamic Public IP to No-IP Domain on Mikrotik.

The second router, the Mikrotik, is a programmable router that lets us do the job of the Dynamic Update Client: keep your noip.com sub domain updated with the dynamic public IP from the ISP, which may change at any time. The system script for automatically updating the dynamic public IP to No-IP is run by the system scheduler.

/system script
add name=no-ip_ddns_update policy=read,write,test source={
    # change these four values to match your No-IP account and your WAN interface name
    :local noipuser "agratitudesign"
    :local noippass "Password"
    :local noiphost "agratitudesign.sytes.net,agratitudesign.ddns.net"
    :local inetinterface "internet"
    # remembered between runs, so an update is only sent when the IP changes
    :global previousIP
    :if ([/interface get $inetinterface value-name=running]) do={
        :log info "Fetching current IP"
        /tool fetch url="https://www.trackip.net/ip" mode=http dst-path=mypublicip.txt
        :local currentIP [/file get mypublicip.txt contents]
        :log info "Fetched current IP as $currentIP"
        # keep only the text before any "/" the page may have returned
        :for i from=( [:len $currentIP] - 1) to=0 do={
            :if ( [:pick $currentIP $i] = "/") do={
                :set currentIP [:pick $currentIP 0 $i]
            }
        }
        :if ($currentIP != $previousIP) do={
            :log info "No-IP: Current IP $currentIP is not equal to previous IP, update needed"
            :set previousIP $currentIP
            # \3F is "?" written as a hex escape so the terminal does not treat it as a help request
            # note: over http the user and password below travel in clear text; No-IP also accepts https://dynupdate.no-ip.com
            :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP"
            :local noiphostarray
            :set noiphostarray [:toarray $noiphost]
            :foreach host in=$noiphostarray do={
                :log info "No-IP: Sending update for $host"
                /tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . ".txt")
                :log info "No-IP: Host $host updated on No-IP with IP $currentIP"
            }
        } else={
            :log info "No-IP: Previous IP $previousIP is equal to current IP, no update needed"
        }
    } else={
        :log info "No-IP: $inetinterface is not currently running, so therefore will not update."
    }
}

/system scheduler
add interval=5m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test comment="Update No-IP DDNS" disabled=no



Paste the script above into a new terminal in Winbox! The system script and the scheduler must both be set with policy=read,write,test. Change the values at the top of the script (noipuser, noippass, noiphost and inetinterface) according to your noip.com account and the public interface name on your Mikrotik, the second router. The system scheduler runs the script every 5 minutes, the interval we set. The script then watches your current public IP: if it differs from the previous public IP, the script sends a request to your noip.com account to update the IP of the sub domains we set up. If the current public IP has not changed, nothing is sent to the noip.com server.
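The same update logic as an added Python model (example code, not the post’s RouterOS script): the IP lookup and the update call are injected functions, so it runs offline here with constructed replies. Beyond the script above it sends the update to https://dynupdate.no-ip.com instead of plain http, where the No-IP user and password would travel in clear text, and it parses the reply body instead of assuming success, so a wrong password or unknown hostname is not re-sent every 5 minutes.

```python
"""Python model of the No-IP updater logic above (added example; not the
post's RouterOS script).  fetch_ip and send_update are injected so the
logic runs offline with constructed replies.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Reply codes of the DynDNS-style update API that No-IP uses.
# "911" (server-side problem) is neither OK nor fatal: retry next tick.
OK_CODES = {"good", "nochg"}
FATAL_CODES = {"nohost", "badauth", "badagent", "!donator", "abuse"}


def clean_ip(raw: str) -> str:
    """Trim whitespace and keep only what precedes the first '/', as the script's :for loop does."""
    return raw.strip().split("/", 1)[0]


def build_update_url(ip: str, host: str) -> str:
    """Same query the script builds, but over HTTPS."""
    query = urlencode({"hostname": host, "myip": ip})
    return "https://dynupdate.no-ip.com/nic/update?" + query


def parse_reply(body: str) -> Tuple[str, Optional[str]]:
    """'good 36.85.254.229' -> ('good', '36.85.254.229'); 'badauth' -> ('badauth', None)."""
    parts = body.strip().split()
    if not parts:
        return "empty", None
    return parts[0], (parts[1] if len(parts) > 1 else None)


class DdnsUpdater:
    def __init__(self, user: str, password: str, hosts: List[str],
                 fetch_ip: Callable[[], str],
                 send_update: Callable[[str, str, str], str],
                 previous_ip: Optional[str] = None):
        self.user, self.password, self.hosts = user, password, hosts
        self.fetch_ip, self.send_update = fetch_ip, send_update
        self.previous_ip = previous_ip      # the script's :global previousIP
        self.halted = False                 # set after a fatal reply

    def run(self, link_up: bool = True) -> Dict[str, object]:
        """One scheduler tick; returns what was done so a caller can log it."""
        if not link_up:
            return {"action": "skip", "reason": "interface not running"}
        if self.halted:
            # repeated bad updates get the account blocked ("abuse"), so stop
            return {"action": "skip", "reason": "fix credentials/hostnames first"}
        current = clean_ip(self.fetch_ip())
        if current == self.previous_ip:
            return {"action": "nochange", "ip": current}
        results: Dict[str, str] = {}
        for host in self.hosts:
            reply = self.send_update(build_update_url(current, host),
                                     self.user, self.password)
            code, _ = parse_reply(reply)
            results[host] = code
            if code in FATAL_CODES:
                self.halted = True
                return {"action": "error", "ip": current, "results": results}
            if code not in OK_CODES:
                # leave previous_ip unchanged so the next tick retries
                return {"action": "retry", "ip": current, "results": results}
        self.previous_ip = current          # remember only after every host succeeded
        return {"action": "updated", "ip": current, "results": results}


if __name__ == "__main__":
    # Constructed sample values from this post; the replies are faked
    upd = DdnsUpdater("agratitudesign", "Password",
                      ["agratitudesign.sytes.net", "agratitudesign.ddns.net"],
                      fetch_ip=lambda: "36.85.254.229\n",
                      send_update=lambda url, u, p: "good 36.85.254.229")
    print(upd.run())      # updated
    print(upd.run())      # nochange
```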

Actually, building a web hosting server is not such a big deal. It doesn’t matter whether you need triple or multiple router port forwarding; we only need to understand the principle of port forwarding and how to keep the firewall from blocking the forwarded port on the server. That’s it… watch the video for more detail, good job!



At this moment I am going to continue my experiment to build a Web Hosting Server of my own on my personal computer (PC). The Web Hosting Server I am going to build is on one of the PC clients on my network, using just one router with port forwarding this time. Here is the equipment environment that I used:

a. Wamp Server: a Windows web development environment with 3 packages in one: Apache, MySQL and PHP. Wamp Server itself requires its dependency, the Visual C++ Redistributable Packages, which must be installed before you install Wamp Server to make it run on Windows.

b. Network Router: this depends on the network environment of the internet connection you have from your ISP (Internet Service Provider). In this case the ISP provides the internet connection through their own router, a ZTE optical router. But it doesn’t matter if you use a Mikrotik that is connected directly to the public IP of the internet.

c. No-IP Account: this is for those who have no static IP from the ISP. No-IP means that you have no private or static public IP; of course you have a public IP, but it may change at any time. Using noip.com makes it possible to create a domain that keeps pointing at your dynamic public IP.

d. Website Project Files: the files of the website you have built and need to launch, so that you can reach the website from outside over the internet. In this case I use WordPress as a complete example of a website that uses PHP and a MySQL database, to test the Web Hosting Server we are going to make.

Before we begin, let’s take a look at the image schema above! I am using the ISP router connected directly to the switch/hub before the local network PC clients. The Web Hosting Server, as a PC client, can be connected directly to the router or through a switch/hub in between if you have more than one PC client. The Web Hosting Server gets its IP from the ZTE optical router, whose DHCP server is built into the router system by the ISP. After that we need to set the IP of the Web Hosting Server to be static. We can define the static IP through the Windows Ethernet adapter.

As you can see, the Web Hosting Server, as a client on the local network, has already been set to the static IP 192.168.1.9 and uses the gateway IP 192.168.1.1 of the router’s local network, in this case the ZTE optical router. After that we need to set up port forwarding on the router in order to reach the Web Hosting Server through the public IP of our internet connection.

OK, let’s begin step by step, in detail, how to build a Web Hosting Server for a dynamic public IP using a single router. If you have a different kind of router from your ISP, look for the port forwarding feature that lets you set up port forwarding!


1. Get Free Sub Domain noip.com as the Domain Name your Public IP

If you have no account yet, register first to make your account on noip.com, then define the sub domain you will use as the domain name of the website project you want to launch as a live web server.

Noip.com has nice domain names that are easy to remember. But as a free user we are limited in how many sub domains we can create, and they have an expiration date. We still have the chance to renew the sub domains we have created every month. If you have more funds you can upgrade to a premium noip.com account.

As you can see, the sub domain is tied to the target IP, which is our current public IP right away. But what about when the public IP changes? Noip.com provides an app that you must install on one of the PC clients of the local network that shares the same public IP.


You can download the Dynamic Update Client app from the site and install it on a PC client on the local network. This app keeps the sub domain we have just created tied to our dynamic public IP. Every time our public IP changes, the app gets our current IP and sends a request to noip.com to update the sub domain from the previous IP to the current public IP. Please keep this app running in the background.

2. Setup Router Port Forwarding Public IP to the Web Hosting Server


Don’t worry if you have another kind of router, just find where the port forwarding feature is. The principle is that you set up port forwarding for the TCP and UDP protocols from port 80 of the router’s public interface to port 8080 of the local network client that is the web hosting server. We cannot use port 80 on the web hosting server, because most probably port 80 on it is already busy.

The ZTE router is a simple, instant kind of router; as you can see, setting up port forwarding on it is easy. But Mikrotik lovers may ask me, why not use Mikrotik? OK, assume you use a Mikrotik as your router and it is connected directly to the external/public IP, or maybe your ISP uses a Mikrotik router to provide their internet connection to you. These are the single Mikrotik router port forwarding rules you must add to the firewall NAT:

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=tcp to-addresses=192.168.1.9 to-ports=8080 comment="TCP port forwarding"
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=udp to-addresses=192.168.1.9 to-ports=8080 comment="UDP port forwarding"

We need two rules on the firewall NAT, one for TCP and one for UDP, so that both protocols are forwarded. Change the in-interface name; it depends on the public interface name in your Mikrotik configuration.

3. Installing Wamp Server According to Public IP and Port Forwarding

The installation of Wamp Server on Windows is not such a big deal that I need to explain it explicitly. Just go to http://www.wampserver.com/en/ and download the latest version of Wamp Server, which now includes PHP 7.0.10. Don’t forget that before installing Wamp Server you must install its dependency, Visual Studio 2012: VC 11 vcredist_x64/86.exe


After this you can install Wamp Server itself. Before the installation finishes, I suggest you allow the Apache HTTP server of Wamp Server on both private and public networks in the Windows firewall app dialog. Remember, we plan to reach Wamp Server as the Web Hosting Server through the public or external IP, so we don’t want the Windows firewall to block Wamp Server.


4. Adjust Wamp Server Configuration and Windows Firewall Rules

We have created the port forwarding rules on the router, but our job is not finished yet: we still need to add Windows firewall rules for the TCP and UDP port in Windows Firewall with Advanced Security and adjust the Wamp Server configuration.

Adjustment Windows Firewall:

This is a very common step, but it is required. Most probably, building a web hosting server fails because of it, so we need to add 2 rules for port 8080, one each for the TCP and UDP protocols, in Windows Firewall with Advanced Security, like the picture below!


And don’t forget to make sure Wamp Server is allowed to communicate through the Windows firewall on private and public networks in the allowed apps list, like the picture below!


Adjustment Wamp Server Configuration:

Before we adjust the Wamp Server configuration, check that everything is working properly. Run the Wamp Server app and make sure the Wamp Server system tray icon is green.



Type localhost, 127.0.0.1, and the IP address 192.168.1.9 that you set as the static IP for the server; all of them should open Wamp Server in your browser.

After that, find httpd.conf, the Apache configuration file, in the Wamp Server installation directory. Its location depends on where you put the Wamp Server installation files on your PC: “C:\wamp64\bin\apache\apache2.4.23\conf”. Open httpd.conf with your favorite editor, then

Find the text with “Listen” and change

Listen 0.0.0.0:80 -> Listen 0.0.0.0:8080
Listen [::0]:80 -> Listen [::0]:8080

Find the text with “ServerName” and change

ServerName localhost:80 -> ServerName 192.168.1.9:80

Find the text with “onlineoffline” and change

Require local -> Require all granted

For phpMyAdmin of the web server, in order to reach it through the public IP, find phpmyadmin.conf in the Wamp Server installation directory “C:\wamp64\alias”. Open phpmyadmin.conf and change

Require local -> Require all granted

This is just an option, in order to reach the web project directly, rather than the document root www, just by typing the public IP or domain name. We set DocumentRoot and Directory, still in httpd.conf, like this:

DocumentRoot "${INSTALL_DIR}/www/agratitudesign"
<Directory "${INSTALL_DIR}/www/agratitudesign/">

"agratitudesign" is the directory name of the web project files.

You have now adjusted the Wamp Server configuration according to the router port forwarding. Then you need to restart all the Wamp Server services, which you can do from the Wamp Server system tray icon. Everything should be working properly. At this point you can reach Wamp Server through the public IP or the sub domain you created on noip.com.

5. Adjust Wordpress Sites from Localhost to Live Web Hosting Server

In this case I am using the WordPress CMS as the example of a website project that works with a database. There are so many tutorials about how to install WordPress; here I just explain how to adjust a WordPress website from the local configuration to the live web hosting server configuration. Our aim is to test the Web Hosting Server we have just created.

OK, assume you have built the WordPress website project in the directory “www”, the default document root of Wamp Server. In this example it is the agratitudesign directory, and I have moved the document root to this directory itself, so that we can reach the agratitudesign web project just by typing the noip.com sub domain, that is agratitudesign.sytes.net or agratitudesign.ddns.net. If you don’t know how to install WordPress, please watch the video of this tutorial for more details.

The most important thing I have to tell you: consider that our Wamp Server is no longer a localhost that can only be reached from the server PC itself, but a live server that can be reached from anywhere connected to the internet. Usually we leave “localhost/phpmyadmin” with the user root and no password. Imagine someone types “yoursubdomain/phpmyadmin”: they could reach the website database with that well-known login. So we are going to create a new login for phpMyAdmin on Wamp Server.


Create a new user login for phpMyAdmin and don’t forget to activate all global privileges for that login. After that you can remove the root login, because almost everyone knows it as the default user login for phpMyAdmin on Windows.

So when we build a WordPress website project, we have the database name of the site, the user login for the database, and the user login for the admin backend of that WordPress site. As we usually do when moving a WordPress project from local to the live web hosting server, we need to adjust the wp-config file of the WordPress site files.



After that we log in to the database of this WordPress site by typing “subdomain/phpmyadmin” with the new login we have just created. Open the database of the WordPress site, find the “wp_options” table and change siteurl and home from localhost to the sub domain we have. Let’s see the picture below!


Most probably the WordPress website was using hyperlinks that refer to localhost, but now we must change them to the sub domain. It would be very painful to check the database tables manually one by one. Go to the related database and on the SQL tab run a query like the following:

UPDATE wp_posts SET post_content = REPLACE(post_content, 'localhost/agratitudesign', 'agratitudesign.sytes.net');

Lastly, go to wp-admin, the backend of the WordPress website, select Settings > Permalinks and update the permalinks in the backend.



Well done, we have successfully built a web hosting server by ourselves on our local network using a dynamic public IP and a single router. I have already tested the sub domain access, the admin backend of the WordPress site, and the database. Everything is working well, and finally the Web Hosting Server is in our own hands. For more detail, let’s watch the video, see you!



As one of the IT staff in a company, I got a request: how can we manage several local networks using just 1 network address but different subnets? In other words, we use the same network address, divided into sub networks. Until now, when I wanted to manage several networks on different local port interfaces of the router, I divided them into different network masks for each local network. But actually we can manage our networks as a single network with multiple subnets. So this implementation is about understanding subnetting of the IP address of the network. If you already know it, just skip it! I will just continue my notes.

For example, subnetting a class C IP address:

NETWORK ADDRESS = 192.168.1.0/26
Subnet Mask /26 = 11111111.11111111.11111111.11000000 = 255.255.255.192
Number of Subnets = 2^x = 2^2 = 4 segments
Number of Hosts/Subnet = 2^y - 2 = 2^6 - 2 = 62 hosts
Subnet block = 256 - 192 = 64, so the subnets start at 0, 64, 128 (64 + 64), 192 (128 + 64)

x : number of binary 1s in the last octet of the subnet mask
y : number of binary 0s in the last octet of the subnet mask

For more detail about subnetting IP addresses you can go to boossit.wordpress.com, and if you want automatic calculation you can go to http://jodies.de/ipcalc

OK, let’s go further into how we implement it on our Mikrotik router.

Let’s say we have an internet connection with a modem that has

IP gateway = 192.168.1.1

We plan to share the internet connection with our local networks

Number of Localnets = 4

The four local networks will be divided into 4 subnets of the same network address

Network Address = 192.168.2.0/24, so our subnets will be
Subnet Localnet1 : 192.168.2.0/26
Subnet Localnet2 : 192.168.2.64/26
Subnet Localnet3 : 192.168.2.128/26
Subnet Localnet4 : 192.168.2.192/26

Reset your router with no default configuration; then we can start configuring our Mikrotik using 1 network address divided into 4 subnets for our local network.

1. Setup identity, DNS server, and NTP client of the Mikrotik router

We begin by setting the identity of your router. If you have several Mikrotik routers, it is better to give each router a name, to avoid mistakes about which Mikrotik router you are currently setting up or changing. Then we choose the DNS servers and the NTP client first.

/system identity
set name=Agratitudesign
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

2. Setup Interface Port Names for all the Ports that will be used

These are just names; you can give the interface ports any names you like. In this case I used internet for the WAN or gateway, and localnet-1, localnet-2, localnet-3, localnet-4 for the local network interface names.

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4


As in the picture above, we use just 1 WAN (or internet, whatever you call it) and 2 local port interfaces. It doesn’t matter that we use only 2 local ports; the rest are spare ports that are ready to use.

3. Setup Network IP address for the Interface Ports and the Route Gateway

For the WAN or internet interface we use 192.168.1.2/24, starting from 192.168.1.2 because our IP gateway on the ISP router is 192.168.1.1. So don’t use 192.168.1.1/24, otherwise the router will not find the internet gateway.

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/26 interface=localnet-1 network=192.168.2.0
add address=192.168.2.65/26 interface=localnet-2 network=192.168.2.64
add address=192.168.2.129/26 interface=localnet-3 network=192.168.2.128
add address=192.168.2.193/26 interface=localnet-4 network=192.168.2.192
/ip route
add distance=1 gateway=192.168.1.1


As you can see, we use 192.168.2.1/26, 192.168.2.65/26, 192.168.2.129/26 and 192.168.2.193/26 as the IP addresses of the local port interfaces; the network= value of each must be the start of its own /26 block. /26 gives 4 subnets or segments of the total host range of the network address.

4. Setup DHCP Server and IP Pools for Our Local Subnet Interfaces

One DHCP server and one IP pool serve 1 local subnet interface. Because we have 4 local port subnet interfaces, we must create 4 DHCP servers with their IP pools.

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.62
add name=dhcp_pool2 ranges=192.168.2.66-192.168.2.126
add name=dhcp_pool3 ranges=192.168.2.130-192.168.2.190
add name=dhcp_pool4 ranges=192.168.2.194-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.2.64/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.65
add address=192.168.2.128/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.129
add address=192.168.2.192/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.193
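An added subnet planner (example code, not from this post) that covers both the /26 arithmetic from the subnetting example above and the /ip address, /ip pool and /ip dhcp-server network lines of steps 3 and 4. It uses Python’s ipaddress module and generalizes to any network and prefix, so the network= value, the gateway and the DHCP pool range always agree with the subnet they belong to; the interface names follow the localnet-N convention used here.

```python
"""Subnet planner for the /26 example above (added example, not the post's).

It reproduces the subnetting arithmetic (mask, subnet count, hosts per
subnet, block size) and then emits the RouterOS /ip address, /ip pool,
/ip dhcp-server and /ip dhcp-server network lines for each subnet.
"""
import ipaddress
from typing import Dict, List


def subnet_facts(cidr: str) -> Dict[str, object]:
    """Mask, subnet count, hosts per subnet and block size for a class C split."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not 24 <= net.prefixlen <= 30:
        raise ValueError("this worked example only covers /24 .. /30 splits")
    x = net.prefixlen - 24        # binary 1s borrowed in the last octet
    y = 32 - net.prefixlen        # binary 0s left for hosts
    last_mask_octet = int(str(net.netmask).split(".")[-1])
    return {
        "mask": str(net.netmask),
        "subnets": 2 ** x,
        "hosts_per_subnet": 2 ** y - 2,
        "block": 256 - last_mask_octet,
    }


def split_subnets(parent_cidr: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """192.168.2.0/24 split into /26 -> .0/26, .64/26, .128/26, .192/26"""
    return list(ipaddress.ip_network(parent_cidr).subnets(new_prefix=new_prefix))


def routeros_lines(parent_cidr: str, new_prefix: int,
                   iface_prefix: str = "localnet-",
                   dns: str = "8.8.8.8,8.8.4.4") -> List[str]:
    """RouterOS commands for one address, pool and DHCP server per subnet.

    Gateway = first usable host, pool = second usable .. last usable, and
    network= is the subnet's own network address (not the parent's).
    """
    addr = ["/ip address"]
    pool = ["/ip pool"]
    dhcp = ["/ip dhcp-server"]
    dhcpnet = ["/ip dhcp-server network"]
    for n, sub in enumerate(split_subnets(parent_cidr, new_prefix), start=1):
        hosts = list(sub.hosts())
        gw, first, last = hosts[0], hosts[1], hosts[-1]
        iface = f"{iface_prefix}{n}"
        addr.append(f"add address={gw}/{sub.prefixlen} interface={iface} "
                    f"network={sub.network_address}")
        pool.append(f"add name=dhcp_pool{n} ranges={first}-{last}")
        dhcp.append(f"add address-pool=dhcp_pool{n} disabled=no "
                    f"interface={iface} name=dhcp{n}")
        dhcpnet.append(f"add address={sub} dns-server={dns} gateway={gw}")
    return addr + pool + dhcp + dhcpnet


if __name__ == "__main__":
    print(subnet_facts("192.168.1.0/26"))
    print("\n".join(routeros_lines("192.168.2.0/24", 26)))
```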



5. Create Localnets Masquerade Nat rules on Firewall Nat

We have 4 masquerade NAT rules on the firewall NAT. If you want to switch off or disable the internet connection for one of those local port subnet interfaces, you can do it by disabling the rule for the subnet you want to switch off.

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/26 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.64/26 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.128/26 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.192/26 disabled=no comment="localnet-4" 



For any new Mikrotik router configuration, we should reboot the router so that all the rules on it work stably, exactly as we set them up. After this, you should be able to use the internet connection from each local port subnet interface. Then on the client side you can see which IP address and gateway they get.


6. Setup Bridge for Local Network Port Subnet Interfaces

Obviously, clients on different networks or sub networks that use different interfaces cannot exchange data with one another through the local networks. This is why we have to set up a bridge for those clients that use different port interfaces on the router.


The picture above shows a client on subnet 1 controlling a client on subnet 2 with Chrome Remote Desktop through the internet connection. Client 1 and Client 2 use different interfaces of the router. Even when we share a folder on the clients, we still cannot see the shared folder through the local network.

So what we do now is set up a bridge for the local subnet interfaces on the Mikrotik router. Open Winbox and enter these rules.

/interface bridge
add name=bridge_localnet
/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

Setting up a bridge over the interfaces is like merging the interfaces; the clients then follow the DHCP server of the bridge interface that you have to set up. If you stop at this step, of course it breaks the whole local network, because the clients are using the per-interface DHCP servers of interfaces that are now merged.


What we have to do is change one of the localnet DHCP servers to the bridge interface name, in this case bridge_localnet, like the picture below. Or you can create a new rule for the bridge DHCP server like this

/ip address
add interface=bridge_localnet address=192.168.2.1/24
/ip pool
add name=dhcp_pool_bridge ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool_bridge disabled=no interface=bridge_localnet name=dhcp_bridge
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1


The local subnet network will work again, no longer using each subnet’s own DHCP server but the single bridge DHCP server. Let’s check that the client gets an IP; now you can share the folder you want. The picture below shows the network sharing for each client across the router interfaces.


That’s all I can tell you from my experiment with implementing subnets on the local port interfaces and setting up the bridge interface with a DHCP server on a Mikrotik router. For more detail, watch the video!



Related to this topic, here are the complete rules if we don’t need subnetting for the local port interfaces of the Mikrotik router!

/system identity
set name=Agratitudesign

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/24 interface=localnet-1 network=192.168.2.0
add address=192.168.3.1/24 interface=localnet-2 network=192.168.3.0
add address=192.168.4.1/24 interface=localnet-3 network=192.168.4.0
add address=192.168.5.1/24 interface=localnet-4 network=192.168.5.0

/ip route
add distance=1 gateway=192.168.1.1

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool4 ranges=192.168.5.2-192.168.5.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/24 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.3.0/24 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.4.0/24 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.5.0/24 disabled=no comment="localnet-4"

/interface bridge
add name=bridge_localnet

/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

/ip address
add interface=bridge_localnet address=192.168.2.1/24

/ip pool
add name=dhcp_pool5 ranges=192.168.2.2-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=bridge_localnet

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

For everyone whose internet connection comes from an ISP that uses PPPoE (Point-to-Point Protocol over Ethernet), the setup on a MikroTik router is slightly different. We do not assign an IP address to the WAN interface or add a static default route; instead the PPPoE client creates a virtual interface that acts as the gateway/WAN. If you want to learn more about PPPoE, see wiki.mikrotik.com.

Let's not waste time; here is how to set up a PPPoE connection on MikroTik. I use Biznet as the example of an ISP that delivers internet over PPPoE. Most of the steps are the same as any normal internet setup on MikroTik. Before we start, reset your MikroTik with no default configuration.

1.  Set the name for the interface Ethernet

Put the gateway/WAN cable in port 1 and the local-network cable in port 2 of the router. ether1 is then renamed biznet-internet and ether2 lan-localnet; leave the remaining Ethernet ports as they are. As usual, only two rules are needed.

/interface ethernet
set [ find default-name=ether1 ] name=biznet-internet
set [ find default-name=ether2 ] name=lan-localnet 


2. Setup ip address just for local networks

This is unlike an ISP that hands you a static gateway IP (as Indosat does): we do not assign an IP address and netmask to the WAN interface. The route to the internet will be created by the PPPoE client later. In this case we have only one local network, so there is a single rule.

/ip address
add address=192.168.1.1/24 interface=lan-localnet network=192.168.1.0


3. Setup PPPoE client for the ISP Connection on the Router

This is the core of the PPPoE setup on MikroTik. We configure RouterOS as a PPPoE client on the biznet-internet port and give the resulting virtual interface a name; add-default-route=yes makes the PPPoE link the default gateway, and use-peer-dns=yes (off by default) makes the router pick up the ISP's DNS servers dynamically, which step 4 relies on. Obviously you need the PPPoE login credentials from your ISP. Note that the password is stored and exported in clear text; use /export hide-sensitive when sharing your configuration.

/interface pppoe-client
add add-default-route=yes disabled=no interface=biznet-internet name=BIZNET password=xxxxxxxx user=yyyyyyyyyy use-peer-dns=yes


4. Dns server on the routerOS for PPPoE Connection

Often we do not need to configure DNS servers on RouterOS ourselves: with use-peer-dns=yes on the PPPoE client, the servers received from the ISP are added automatically as dynamic servers. Check with /ip dns print that the dynamic-servers field is populated once the link is up. Optionally you can also add static DNS servers, for example:

/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=203.142.82.222,203.142.84.222


If name resolution over the PPPoE connection fails after inserting static servers, remove them and confirm that the router has received dynamic DNS servers from the PPPoE link first. Also be aware that allow-remote-requests=yes makes the router answer DNS queries on every interface, including the PPPoE one; unless the input chain drops UDP and TCP port 53 arriving on BIZNET, the router is an open resolver reachable from the internet and can be abused for DNS amplification.

5. Masquerade Public Traffic for Lan and Setup DHCP server

This is the usual configuration, with one note: the masquerade NAT rule must use out-interface=BIZNET, the PPPoE client interface we just created, not the physical port biznet-internet.

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Public Traffic" out-interface=BIZNET src-address=192.168.1.0/24

The rest is the DHCP server that hands out IP addresses to the local network clients:

/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=lan-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
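The router as configured so far answers DNS on every interface (allow-remote-requests=yes) and has no input-chain filtering at all, so before it goes live a practitioner would add a minimal input firewall. The rules below are an added example, not part of the original post; they assume the interface names BIZNET and lan-localnet and the 192.168.1.0/24 LAN used in the steps above.

```routeros
# Added example: input-chain protection for the PPPoE router above.
# Assumes the PPPoE interface BIZNET, the LAN interface lan-localnet and the
# 192.168.1.0/24 LAN from the steps above.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow replies to the router's own traffic"
add chain=input connection-state=invalid action=drop comment="Drop invalid packets"
add chain=input in-interface=lan-localnet src-address=192.168.1.0/24 action=accept comment="LAN may reach the router (Winbox, SSH, DNS, DHCP)"
add chain=input in-interface=BIZNET protocol=icmp action=accept comment="Keep ICMP from the internet so path MTU discovery works"
add chain=input in-interface=BIZNET protocol=udp dst-port=53 action=drop comment="Never answer DNS from the internet (open resolver)"
add chain=input in-interface=BIZNET protocol=tcp dst-port=53 action=drop comment="Same for DNS over TCP"
add chain=input in-interface=BIZNET action=drop comment="Drop everything else that arrives on the PPPoE link"
```

Apply this from the LAN side with Safe Mode active (Ctrl+X in the terminal), so a mistake can be rolled back instead of locking you out. The two explicit port 53 drops are redundant with the final rule, but they keep their own counters, so /ip firewall filter print stats shows how often the resolver is being probed from the internet; /ip dns print should list dynamic-servers only after the PPPoE client has connected.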


That should be enough. If anything is still unclear, see the video below!


Related to this Topic

Someone asked me how to set up CCTV on a MikroTik router using a PPPoE network with a fixed public IP.

Assume the following:

DVR IP: 192.168.1.5 on local network 1: 192.168.1.0/24
TCP port: 7774
Mobile port: 8888
Fixed public IP: 103.12.160.202

Notes to avoid problems during the CCTV setup:

1. Make sure no firewall filter rule blocks connections to the CCTV from the public IP. You must know every rule you have defined, especially the filter rules: a forward-chain drop placed before an accept for the DVR silently kills the traffic.
2. Make sure the local network the DVR is attached to is masqueraded for the interface it is connected through.
3. Port-forward the DVR ports from the public IP to the DVR on the local network with dst-nat rules (the DVR is at 192.168.1.5 as assumed above):

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=7774 protocol=tcp to-addresses=192.168.1.5 to-ports=7774 comment="CCTV Local Inbound"
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=8888 protocol=tcp to-addresses=192.168.1.5 to-ports=8888 comment="CCTV Mobile Inbound"

4. Make sure the DVR ports are actually open from the outside. You can check with yougetsignal.com against the public IP.
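Exposing a DVR's ports to the whole internet is rarely wise; the usual refinement of the rules in note 3 is to restrict who may reach them and to allow them through the filter explicitly, rather than hoping no rule blocks them. The following is an added example, not part of the original answer; the address-list entries are placeholder values (documentation ranges) that you would replace with the networks your viewers really connect from, and the DVR address is the 192.168.1.5 assumed above.

```routeros
# Added example: CCTV forwarding restricted to known viewer addresses.
# 198.51.100.10 and 203.0.113.0/24 are placeholder values (documentation ranges);
# replace them with the addresses your viewers really connect from.
/ip firewall address-list
add list=cctv-viewers address=198.51.100.10 comment="Office public IP (placeholder)"
add list=cctv-viewers address=203.0.113.0/24 comment="Branch network (placeholder)"

/ip firewall nat
add chain=dstnat dst-address=103.12.160.202 protocol=tcp dst-port=7774 src-address-list=cctv-viewers action=dst-nat to-addresses=192.168.1.5 to-ports=7774 comment="CCTV Local Inbound (listed viewers only)"
add chain=dstnat dst-address=103.12.160.202 protocol=tcp dst-port=8888 src-address-list=cctv-viewers action=dst-nat to-addresses=192.168.1.5 to-ports=8888 comment="CCTV Mobile Inbound (listed viewers only)"

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Replies for existing connections"
add chain=forward connection-nat-state=dstnat dst-address=192.168.1.5 protocol=tcp dst-port=7774,8888 src-address-list=cctv-viewers action=accept comment="Explicitly allow the DVR ports for listed viewers"
add chain=forward connection-nat-state=dstnat action=drop comment="No other port-forwarded traffic gets through"
```

Rules are evaluated top to bottom, so place these forward rules above any generic drop in the forward chain (use /ip firewall filter move if needed). The final drop matches only connections that were dst-nat'ed, so LAN clients going out through the masquerade rule are unaffected. Mobile apps usually connect from carrier ranges that change; if the list becomes unmanageable, the safer route is to keep the ports closed and reach the DVR over a VPN terminated on the router.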

I am glad to have the time to share another article, this one about managing the internet bandwidth from the ISP to the local network effectively for different kinds of internet use. I hope it serves as a reference for managing your connection the way you intend. Of course you have to understand your own network environment so that you can adapt what I describe to your needs.

This time I explain an effective way to do bandwidth management on a MikroTik router using the Fasttrack firewall filter rules introduced in RouterOS 6.xx. The method combines Fasttrack with mangle, queue tree and PCQ rules, so that we can share the internet connection across the network and give priority to the connections we choose.

1. Upgrade Mikrotik Router OS to the Latest Version


Fasttrack is a firewall filter feature introduced in RouterOS 6.xx; I am using RouterOS 6.39.2. If you still run version 5.xx, upgrade to the latest RouterOS first, otherwise these rules are not available. Upgrading also picks up fixes for bugs in older releases. If you don't know how to upgrade RouterOS, see this video!

2. Basic Configuration Of Mikrotik Router

I don't want conflicts between rules whose effect we don't fully understand, so we start from scratch by resetting the previous router configuration. In Winbox open System > Reset Configuration and tick No Default Configuration, since we enter the whole basic configuration ourselves. The router reboots automatically with an empty configuration. See the picture below!


After the reset we start from scratch, assuming the gateway/WAN is on port 1 and the localnet/LAN on port 2 of your router. It does not matter how many local networks you plan; here I use just one. These are the rules to enter as the basic configuration of your router:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
set [ find default-name=ether2 ] name=ether2-localnet
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/ip address
add address=192.168.1.2/24 interface=ether1-internet network=192.168.1.0
add address=192.168.88.1/24 interface=ether2-localnet network=192.168.88.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.1.1
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-internet src-address=192.168.88.0/24 disabled=no comment="ether2-localnet"
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

This needs little explanation, but as a reminder: if you have two local networks, name the second interface, add its IP address, add a DHCP server for it and a masquerade rule for its subnet. If the internet is still not reachable, reboot the router and log in again via the LAN gateway IP. Before going on, make sure clients on the LAN can reach the internet!

3. Fasttrack Firewall Filter Rules for Prioritizing Typical Connection Packets

Fasttrack is a firewall filter action that you apply selectively, depending on your needs. Packets of a fasttracked connection skip the rest of the firewall filter, mangle, simple queues and the queue tree, so they get the full speed of the link but also cannot be shaped or marked afterwards; use it only for the traffic types you deliberately want to exempt. Here is an example of such rules:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=udp comment="Bypass Voip UDP SIP"
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=xxx.xxx.xxx.xxx dst-port=10000-20000 protocol=udp comment="Bypass Voip UDP RTP"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=4569,5036 protocol=udp comment="Bypass Voip UDP IAX"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=tcp comment="Bypass Voip TCP SIP"

The rules above fasttrack (bypass) the VoIP connection packets. The important thing is that you know the port numbers, the protocol and the IP address of the VoIP server you use; xxx.xxx.xxx.xxx is a placeholder, which is why the rules are added disabled. Replace it with the real server address before enabling them, and ask your VoIP provider if you don't know it!

As another example, here is how to fasttrack the Lost Saga online game. Whatever tool you use to find the ports the Lost Saga game server uses, cross-check the port numbers; the ones below are what I captured from the game's server connections.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14009,14010,14017,14019,14024,14025,14042,14113,14120 protocol=udp comment="UDP PORT LOSTSAGA I"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14245,14263,15494,21530,22317,22561,26019,30146,32629,45693 protocol=udp comment="UDP PORT LOSTSAGA II"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=9000,14009,14010,61031,61034,61035,61037,61046,61047,61048,61049,61051,61058 protocol=tcp comment="TCP PORT LOSTSAGA"


Still in the firewall filter, let's complete the router rules with router protection and client protection to keep out what we don't want. For a fuller explanation see wiki.mikrotik.com. Note that the input chain below accepts traffic only from the 192.168.88.0/24 LAN and drops everything else, so the DNS resolver enabled above with allow-remote-requests=yes is not reachable from the internet.

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1-internet src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

4. Mark Connection Packets Upload and Download based on Bytes Connection

We mark connections for total download and upload as usual. These rules have no effect on the connections fasttracked above, because fasttracked packets bypass mangle. After that we mark packets according to how many bytes the connection has transferred so far.

Assume clients download files of different sizes. We don't want a client downloading a big file to consume all the spare bandwidth we have, so as a connection grows its priority is lowered and its speed limited. This applies not only to file downloads but to every connection type, based purely on bytes transferred. The rules:

/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether1-internet new-connection-mark=dconn-isp comment="ISP DOWNSTREAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downstream"
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Than 1000000"
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000000-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets More Than 6000000"
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether1-internet comment="ISP UPSTREAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upstream"

The mangle rules above separate connections into download and upload, then split the download packets by the bytes the connection has transferred: less than 1 MB, 1-3 MB, 3-6 MB and more than 6 MB (connection-bytes=6000000-0 means 6 MB and above).

5. Queue tree with PCQ to manage the priority and speed limitation

Assume a total bandwidth of 20M. We want to spread the connection fairly across all clients using PCQ, for each of the size classes defined in the mangle rules. Here I use the built-in pcq-download-default and pcq-upload-default queue types; change their limits as you like, or create your own PCQ queue type and use it in the queue tree.

/queue tree
add max-limit=20M name=Downsteam-ISP packet-mark=dpkt-isp parent=global queue=pcq-download-default
add limit-at=1M max-limit=20M name=1.light-isp packet-mark=dpkt-light-isp parent=Downsteam-ISP priority=1 queue=pcq-download-default
add limit-at=1M max-limit=10M name=2.fair-isp packet-mark=dpkt-fair-isp parent=Downsteam-ISP priority=2 queue=pcq-download-default
add limit-at=1M max-limit=5M name=3.weight-isp packet-mark=dpkt-weight-isp parent=Downsteam-ISP priority=3 queue=pcq-download-default
add limit-at=1M max-limit=1M name=4.very-isp packet-mark=dpkt-very-isp parent=Downsteam-ISP priority=4 queue=pcq-download-default
add max-limit=20M name=Upsteam-ISP packet-mark=upkt-isp parent=global queue=pcq-upload-default

So that’s all about the Effective Way Bandwidth Management with Fasttrack Firewall Filter, I hope can be useful, and for more clearly lets see the video below! Happy exploring!


Building Squid 3.5.4 Transparent Proxy on Ubuntu Server.

This continues the previous article, which covered the preparation before installing Squid 3.5.4 on an Ubuntu Server virtual machine under VMware on Windows. The method works on a virtual machine or on a real machine. As you may know, with an Ubuntu Server virtual machine under VMware we cannot partition the hard drive manually; the partitions are created by VMware itself. With that in place we can start building Squid 3.5.4 as a transparent proxy on Ubuntu Server.