Simulation Network Firewall and Server – GNS3 Lab41

  • PC specification used: 16-core CPU, 32 GB RAM, allocated as follows:
  • Routers MikroTik WAN, MikroTik LAN, ISP-1, ISP-2, ISP-3, ISP-4, m4, m5, m6, DNS: 1 CPU core & 128 MB RAM
  • FortiGate firewall: 3 CPU cores & 2 GB RAM
  • Servers WEB LB, WEB1, WEB2, WEB3, NFS, DB LB, DB1, DB2, DB3, Web-X: 2 CPU cores & 1 GB RAM
  • Terminal server: 2 CPU cores & 2 GB RAM
  • Monitoring server: 1 CPU core & 1 GB RAM
  • Clients User1, User2, User3, User4: 2 CPU cores & 2 GB RAM
  • MikroTik version: 6.49.6
  • FortiGate version: 7.0.5 (trial license)

  • Configuration constraints:
  • The MikroTik WAN router has three paths to the internet, connected to routers ISP-1, ISP-2 and ISP-3
  • Load balancing on MikroTik WAN uses PCC: traffic from the FortiGate is directed to ISP-1 and ISP-2, traffic from the Terminal to ISP-2, and traffic from the LAN to ISP-2 and ISP-3
  • Ports open and reachable from the internet on MikroTik WAN: TCP 80, 443, 53 and UDP 1701.
  • The simulated internet on routers ISP-1, ISP-2, ISP-3, ISP-4, m4, m5, m6 and DNS uses multi-area OSPF routing.
  • MikroTik WAN toward ISP-1: 172.1.1.10/24, toward ISP-2: 172.1.2.20/24, toward ISP-3: 172.1.3.30/24, toward FortiGate: 10.10.100.1/24, toward Terminal: 10.100.100.1/24, toward LAN: 10.10.200.1/24
  • FortiGate toward MikroTik WAN: 10.10.100.2/24, toward SW-WEB: 192.168.10.1/24, toward SW-DB: 192.168.20.1/24
  • MikroTik LAN toward SW-IT: 10.10.10.1/24, toward SW-STAFF: 10.10.20.1/24, toward SW-WIFI: 10.10.30.1/24
  • Port forwarding from IPs 172.1.1.10 and 172.1.2.20 to IP 10.10.100.100 (virtual IP of WEB LB) on ports 80 and 443.
  • The web servers and the other servers can only be accessed remotely (SSH) via the Terminal.
  • Domain for website access: web.sys-ops.id, pointing to 172.1.1.10 and 172.1.2.20
  • The DNS server is a MikroTik with static DNS enabled; DNS failover uses Netwatch. (In a real deployment DNS Made Easy or Cloudflare could be used instead.)

Internet Router Configuration

  • Router ISP-1
/ip address
add address=192.168.50.11/24 interface=ether4 network=192.168.50.0
add address=172.1.1.1/24 interface=ether5-wan1 network=172.1.1.0
add address=172.1.4.1/24 interface=ether1-m4 network=172.1.4.0
add address=172.1.5.1/24 interface=ether2-m5 network=172.1.5.0

/routing ospf area
add area-id=1.1.1.1 name=area1
/routing ospf instance
set [ find default=yes ] router-id=1.1.1.1
/routing ospf interface
add cost=100 interface=ether1-m4
add cost=50 interface=ether2-m5 priority=3
add cost=100 interface=ether5-wan1
/routing ospf network
add area=area1 network=172.1.1.0/24
add area=area1 network=172.1.4.0/24
add area=area1 network=172.1.5.0/24

/queue simple
add max-limit=2M/2M name=queue1 target=ether5-wan1
  • Router ISP-2
/ip address
add address=192.168.50.12/24 interface=ether5 network=192.168.50.0
add address=172.1.2.1/24 interface=ether1-wan2 network=172.1.2.0
add address=172.1.6.1/24 interface=ether2-m4 network=172.1.6.0
add address=172.1.7.1/24 interface=ether3-m5 network=172.1.7.0

/routing ospf area
add area-id=2.2.2.2 name=area2
/routing ospf instance
set [ find default=yes ] router-id=2.2.2.2
/routing ospf interface
add cost=100 interface=ether2-m4
add cost=50 interface=ether3-m5 priority=3
add cost=100 interface=ether1-wan2
/routing ospf network
add area=area2 network=172.1.2.0/24
add area=area2 network=172.1.6.0/24
add area=area2 network=172.1.7.0/24

/queue simple
add max-limit=2M/2M name=queue1 target=ether1-wan2
  • Router ISP-3
/ip address
add address=192.168.50.13/24 interface=ether5 network=192.168.50.0
add address=172.1.3.1/24 interface=ether1-wan3 network=172.1.3.0
add address=172.1.8.1/24 interface=ether2-m4 network=172.1.8.0
add address=172.1.9.1/24 interface=ether3-m5 network=172.1.9.0

/routing ospf area
add area-id=3.3.3.3 name=area3
/routing ospf instance
set [ find default=yes ] router-id=3.3.3.3
/routing ospf interface
add cost=100 interface=ether2-m4
add cost=50 interface=ether3-m5 priority=3
add cost=100 interface=ether1-wan3
/routing ospf network
add area=area3 network=172.1.3.0/24
add area=area3 network=172.1.8.0/24
add area=area3 network=172.1.9.0/24

/queue simple
add max-limit=2M/2M name=queue1 target=ether1-wan3
  • Router M4
/ip address
add address=192.168.50.14/24 interface=ether6 network=192.168.50.0
add address=192.100.1.1/24 interface=ether5-m6 network=192.100.1.0
add address=192.100.3.1/24 interface=ether8-m5 network=192.100.3.0
add address=172.1.4.2/24 interface=ether2-isp1 network=172.1.4.0
add address=172.1.6.2/24 interface=ether3-isp2 network=172.1.6.0
add address=172.1.8.2/24 interface=ether4-isp3 network=172.1.8.0
add address=88.88.88.82/24 interface=ether1-dns network=88.88.88.0

/routing ospf area
add area-id=1.1.1.1 name=area1
add area-id=2.2.2.2 name=area2
add area-id=3.3.3.3 name=area3
/routing ospf interface
add interface=ether1-dns
add cost=100 interface=ether2-isp1
add cost=100 interface=ether3-isp2
add cost=100 interface=ether4-isp3
add cost=100 interface=ether8-m5
add cost=50 interface=ether5-m6 priority=3
/routing ospf network
add area=backbone network=88.88.88.0/24
add area=backbone network=192.100.1.0/24
add area=backbone network=192.100.3.0/24
add area=area1 network=172.1.4.0/24
add area=area2 network=172.1.6.0/24
add area=area3 network=172.1.8.0/24
  • Router M5
/ip address
add address=192.168.50.15/24 interface=ether6 network=192.168.50.0
add address=192.100.3.2/24 interface=ether8-m4 network=192.100.3.0
add address=192.100.2.1/24 interface=ether5-m6 network=192.100.2.0
add address=88.88.88.83/24 interface=ether1-dns network=88.88.88.0
add address=172.1.5.2/24 interface=ether2-isp1 network=172.1.5.0
add address=172.1.7.2/24 interface=ether3-isp2 network=172.1.7.0
add address=172.1.9.2/24 interface=ether4-isp3 network=172.1.9.0

/routing ospf area
add area-id=1.1.1.1 name=area1
add area-id=2.2.2.2 name=area2
add area-id=3.3.3.3 name=area3
/routing ospf instance
set [ find default=yes ] router-id=5.5.5.5
/routing ospf interface
add interface=ether1-dns priority=3
add cost=200 interface=ether2-isp1 priority=3
add cost=200 interface=ether3-isp2 priority=3
add cost=200 interface=ether4-isp3 priority=3
add cost=100 interface=ether5-m6
add cost=50 interface=ether8-m4 priority=3
/routing ospf network
add area=area1 network=172.1.5.0/24
add area=area2 network=172.1.7.0/24
add area=area3 network=172.1.9.0/24
add area=backbone network=192.100.2.0/24
add area=backbone network=192.100.3.0/24
add area=backbone network=88.88.88.0/24
  • Router M6
/ip address
add address=192.168.50.16/24 interface=ether6 network=192.168.50.0
add address=172.50.1.1/24 interface=ether4-isp4 network=172.50.1.0
add address=192.100.1.2/24 interface=ether2-m4 network=192.100.1.0
add address=192.100.2.2/24 interface=ether3-m5 network=192.100.2.0
add address=88.88.88.81/24 interface=ether1-dns network=88.88.88.0

/routing ospf area
add area-id=4.4.4.4 name=area4
/routing ospf interface
add interface=ether1-dns priority=2
add cost=100 interface=ether2-m4
add cost=100 interface=ether3-m5
add cost=100 interface=ether4-isp4
/routing ospf network
add area=backbone network=88.88.88.0/24
add area=backbone network=192.100.1.0/24
add area=backbone network=192.100.2.0/24
add area=area4 network=172.50.1.0/24
  • Router DNS
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/ip address
add address=192.168.50.17/24 interface=ether3 network=192.168.50.0
add address=88.88.88.88/24 interface=bridge1 network=88.88.88.0

/routing ospf network
add area=backbone network=88.88.88.0/24

/ip dns static
add address=172.1.1.10 name=web.sys-ops.id
add address=172.1.2.20 name=web.sys-ops.id
add address=172.50.1.2 name=abc.sys-ops.id
add address=88.88.88.88 name=dns.sys-ops.id

/tool netwatch
add down-script="/ip dns static disable 0" host=172.1.1.10 interval=5s \
    timeout=3s up-script="/ip dns static enable 0"
add down-script="/ip dns static disable 1" host=172.1.2.20 interval=5s \
    timeout=3s up-script="/ip dns static enable 1"

Client Router Configuration

  • Router ISP-4
/ip address
add address=192.168.50.20/24 interface=ether5 network=192.168.50.0
add address=172.50.1.2/24 interface=ether1-m6 network=172.50.1.0
add address=192.168.100.1/24 interface=ether2-lan network=192.168.100.0

/ip dns
set servers=88.88.88.88

/ip route
add distance=1 gateway=172.50.1.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-m6 src-address=\
    192.168.100.0/24
add action=dst-nat chain=dstnat dst-address=172.50.1.2 dst-port=80 protocol=\
    tcp to-addresses=192.168.100.252 to-ports=80

Server Router Configuration

Router LAN

  • Local network & internet gateway settings
/ip address
add address=10.10.200.2/24 interface=ether2-wan network=10.10.200.0
add address=10.10.10.1/24 interface=ether3-it network=10.10.10.0
add address=10.10.20.1/24 interface=ether4-staff network=10.10.20.0
add address=10.10.30.1/24 interface=ether5-wifi network=10.10.30.0

/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool2 ranges=10.10.30.2-10.10.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3-it lease-time=10h10m \
    name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether4-staff lease-time=\
    10h10m name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=ether5-wifi lease-time=\
    10h10m name=dhcp3
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=10.10.20.1 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1

/ip dns
set allow-remote-requests=yes servers=88.88.88.88

/ip route
add distance=1 gateway=10.10.200.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-wan
  • RAW firewall settings to restrict access between networks
  • LAN IT (10.10.10.0/24) can reach the Terminal (10.100.100.0/24)
  • LAN IT (10.10.10.0/24) can reach LAN Staff (10.10.20.0/24) and LAN WIFI (10.10.30.0/24)
  • LAN Staff cannot reach LAN IT or LAN WIFI
  • LAN WIFI cannot reach LAN IT or LAN Staff
/ip firewall raw
add action=accept chain=prerouting dst-address=10.100.100.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.30.0/24 src-address=\
    10.10.10.0/24
add action=drop chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.20.0/24
add action=drop chain=prerouting dst-address=10.10.30.0/24 src-address=\
    10.10.20.0/24
add action=drop chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.30.0/24
add action=drop chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.30.0/24
add action=drop chain=prerouting dst-address=10.100.100.0/24 src-address=\
    10.10.20.0/24
add action=drop chain=prerouting dst-address=10.100.100.0/24 src-address=\
    10.10.30.0/24
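
The policy above lives in the raw table, which RouterOS evaluates before connection tracking, so every packet is judged only by its own source and destination: the Staff -> IT drop rule also hits the SYN-ACK a Staff host returns to an IT host, and the IT -> Staff access the policy promises never completes. The Python model below (added here; not the article's configuration) runs an IT -> Staff SSH handshake through the page's src/dst pairs first statelessly, then through an assumed stateful rewrite of the same pairs as forward-chain rules with established/related traffic accepted first:

```python
"""Stateless (raw) versus stateful (filter forward) evaluation of the LAN
router's inter-network policy. Added illustration, not the article's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IT, STAFF, WIFI, TERMINAL = ("10.10.10.0/24", "10.10.20.0/24",
                             "10.10.30.0/24", "10.100.100.0/24")

# (source network, destination network, action), following the policy bullets above
PAIR_RULES = [
    (IT, TERMINAL, "accept"), (IT, STAFF, "accept"), (IT, WIFI, "accept"),
    (STAFF, IT, "drop"), (STAFF, WIFI, "drop"), (STAFF, TERMINAL, "drop"),
    (WIFI, IT, "drop"), (WIFI, STAFF, "drop"), (WIFI, TERMINAL, "drop"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (informational only)


def pair_verdict(pkt):
    """First matching src/dst pair decides; no match means accept (chain default)."""
    for src_net, dst_net, action in PAIR_RULES:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action
    return "accept"


def raw_verdict(pkt):
    """Stateless, as in /ip firewall raw: replies are judged like any other packet."""
    return pair_verdict(pkt)


class StatefulForward:
    """Assumed rewrite as /ip firewall filter forward rules: packets of an already
    accepted connection pass as established/related; only a connection's first
    packet is checked against the src/dst pairs."""

    def __init__(self):
        self.accepted = set()  # 4-tuples of accepted connections, initiator direction

    def verdict(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.accepted or reverse in self.accepted:
            return "accept"
        action = pair_verdict(pkt)
        if action == "accept":
            self.accepted.add(forward)
        return action


def it_to_staff_ssh(evaluate):
    """Run the three packets of an IT -> Staff TCP handshake (port 22) through an evaluator."""
    syn = Packet("10.10.10.5", "10.10.20.7", 40000, 22, "S")
    syn_ack = Packet("10.10.20.7", "10.10.10.5", 22, 40000, "SA")
    ack = Packet("10.10.10.5", "10.10.20.7", 40000, 22, "A")
    return [evaluate(p) for p in (syn, syn_ack, ack)]


def raw_handshake():
    return it_to_staff_ssh(raw_verdict)                  # ['accept', 'drop', 'accept']


def stateful_handshake():
    return it_to_staff_ssh(StatefulForward().verdict)   # ['accept', 'accept', 'accept']


def staff_initiated_stateful():
    """A Staff -> IT SYN is still dropped by the stateful variant."""
    return StatefulForward().verdict(Packet("10.10.20.7", "10.10.10.5", 50000, 22, "S"))


if __name__ == "__main__":
    print("raw:     ", raw_handshake())
    print("stateful:", stateful_handshake())
```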

Router WAN

  • Interface & IP address settings
/interface
set ether6 name=ether1-remote
set ether7 name=ether2-wan1
set ether1 name=ether3-wan2
set ether2 name=ether4-forti
set ether3 name=ether5-lan
set ether4 name=ether6-terminal
set ether5 name=ether7-wan3

/interface list
add name=SERVER
add name=WAN

/interface list member
add interface=ether4-forti list=SERVER
add interface=ether6-terminal list=SERVER
add interface=ether2-wan1 list=WAN
add interface=ether3-wan2 list=WAN
add interface=ether7-wan3 list=WAN

/ip address
add address=172.1.1.10/24 interface=ether2-wan1 network=172.1.1.0
add address=172.1.2.20/24 interface=ether3-wan2 network=172.1.2.0
add address=10.10.100.1/24 interface=ether4-forti network=10.10.100.0
add address=10.10.200.1/24 interface=ether5-lan network=10.10.200.0
add address=10.100.100.1/24 interface=ether6-terminal network=10.100.100.0
add address=172.1.3.30/24 interface=ether7-wan3 network=172.1.3.0

/ip dns
set allow-remote-requests=yes servers=\
    88.88.88.88,10.10.100.1,10.100.100.1,10.10.200.1
  • L2TP/IPsec VPN settings
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default enabled=yes \
    ipsec-secret=123456789 keepalive-timeout=disabled use-ipsec=required

/ppp profile
set *0 dns-server=88.88.88.88 local-address=192.168.88.1 remote-address=192.168.88.10
/ppp secret
add name=admin password=admin
  • PCC load balancing settings
  • Accept traffic that stays within the local networks
/ip firewall mangle
add action=accept chain=forward comment="Terminal to Server" connection-mark=\
    no-mark connection-state=established,related,new in-interface=\
    ether6-terminal out-interface=ether4-forti
add action=accept chain=prerouting comment="Allow to Gateway Local" \
    dst-address=10.10.100.1
add action=accept chain=prerouting dst-address=10.10.200.1
add action=accept chain=prerouting dst-address=10.100.100.1
add action=accept chain=prerouting comment="LAN to Terminal" dst-address=\
    10.100.100.100 src-address=10.10.200.2
add action=accept chain=prerouting comment="Allow LAN to WAN" dst-address=\
    172.1.1.10 src-address=10.10.100.0/24
add action=accept chain=prerouting dst-address=172.1.2.20 src-address=\
    10.10.100.0/24
add action=accept chain=prerouting dst-address=172.1.3.30 src-address=\
    10.10.100.0/24
add action=accept chain=prerouting dst-address=172.1.1.10 src-address=\
    10.10.200.0/24
add action=accept chain=prerouting dst-address=172.1.2.20 src-address=\
    10.10.200.0/24
add action=accept chain=prerouting dst-address=172.1.3.30 src-address=\
    10.10.200.0/24
add action=accept chain=prerouting dst-address=172.1.1.10 src-address=\
    10.100.100.0/24
add action=accept chain=prerouting dst-address=172.1.2.20 src-address=\
    10.100.100.0/24
add action=accept chain=prerouting dst-address=172.1.3.30 src-address=\
    10.100.100.0/24
add action=accept chain=prerouting comment="Allow to Server" dst-address=\
    10.10.100.0/24
add action=accept chain=prerouting comment="Allow Forward LAN to LAN" \
    dst-address=10.10.100.0/24 src-address=10.10.100.0/24
add action=accept chain=prerouting dst-address=10.100.100.0/24 src-address=\
    10.100.100.0/24
add action=accept chain=prerouting dst-address=10.10.200.0/24 src-address=\
    10.10.200.0/24
add action=accept chain=prerouting dst-address=10.10.200.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.200.0/24 src-address=\
    10.10.30.0/24
add action=accept chain=prerouting dst-address=10.10.200.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting comment="Allow Server to Terminal" \
    dst-address=10.100.100.0/24 log-prefix=LOCAL src-address=10.10.100.0/24
add action=accept chain=prerouting comment="Server to WAN" dst-address=\
    172.1.1.0/24 in-interface=ether4-forti
add action=accept chain=prerouting dst-address=172.1.2.0/24 in-interface=\
    ether4-forti
  • Ensure that traffic entering on a WAN interface leaves through the same WAN interface
/ip firewall mangle
add action=mark-connection chain=prerouting comment="IN OUT to WAN" \
    connection-mark=no-mark in-interface=ether2-wan1 new-connection-mark=\
    con-wan-1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether3-wan2 new-connection-mark=con-wan-2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether7-wan3 new-connection-mark=con-wan-3 passthrough=yes
add action=mark-routing chain=output connection-mark=con-wan-1 \
    new-routing-mark=route-wan-1 out-interface=ether2-wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=con-wan-2 \
    new-routing-mark=route-wan-2 out-interface=ether3-wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=con-wan-3 \
    new-routing-mark=route-wan-3 out-interface=ether7-wan3 passthrough=yes
  • Mark connections coming from network 10.10.100.0/24 so that they can be directed to ISP-1 and ISP-2
  • Mark connections coming from network 10.100.100.0/24 so that they can be directed to ISP-2
  • Mark connections coming from network 10.10.200.0/24 so that they can be directed to ISP-3 and ISP-2
/ip firewall mangle
add action=jump chain=prerouting comment="Mark Connection to Server" \
    connection-mark=no-mark jump-target=SERVER src-address=10.10.100.0/24
add action=mark-connection chain=SERVER in-interface=ether4-forti \
    new-connection-mark=con-wan-1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=SERVER in-interface=ether4-forti \
    new-connection-mark=con-wan-2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=return chain=SERVER
add action=jump chain=prerouting comment="Mark Connection to Terminal" \
    connection-mark=no-mark jump-target=TERMINAL src-address=10.100.100.0/24
add action=mark-connection chain=TERMINAL in-interface=ether6-terminal \
    new-connection-mark=con-wan-2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:1/0
add action=return chain=TERMINAL
add action=jump chain=prerouting comment="Mark Connection to LAN" \
    connection-mark=no-mark jump-target=LAN src-address=10.10.200.0/24
add action=mark-connection chain=LAN in-interface=ether5-lan \
    new-connection-mark=con-wan-3 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=LAN in-interface=ether5-lan \
    new-connection-mark=con-wan-2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=return chain=LAN
  • Apply routing marks to the marked connections so that they can be processed by routing
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Routing to WAN" \
    connection-mark=con-wan-1 in-interface-list=SERVER new-routing-mark=\
    route-wan-1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=con-wan-2 \
    in-interface-list=SERVER new-routing-mark=route-wan-2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=con-wan-3 \
    in-interface=ether5-lan new-routing-mark=route-wan-3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=con-wan-2 \
    in-interface=ether5-lan new-routing-mark=route-wan-2 passthrough=no
  • Firewall NAT for internet access
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to WAN (NAT)" \
    connection-mark=con-wan-1 out-interface=ether2-wan1
add action=masquerade chain=srcnat connection-mark=con-wan-2 out-interface=\
    ether3-wan2
add action=masquerade chain=srcnat connection-mark=con-wan-3 out-interface=\
    ether7-wan3
add action=return chain=srcnat comment="Bypass NAT to Server" dst-address=\
    10.10.100.0/24 log-prefix=RETURN src-address=10.100.100.0/24
add action=masquerade chain=srcnat comment="Global NAT"
  • Add port-forwarding rules so that the server can be reached from the internet
/ip firewall nat
add action=dst-nat chain=dstnat comment="WAN to Server" dst-address=\
    172.1.1.10 dst-port=80 protocol=tcp to-addresses=10.10.100.100 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address=172.1.1.10 dst-port=443 protocol=\
    tcp to-addresses=10.10.100.100 to-ports=443
add action=dst-nat chain=dstnat dst-address=172.1.2.20 dst-port=80 protocol=\
    tcp to-addresses=10.10.100.100 to-ports=80
add action=dst-nat chain=dstnat dst-address=172.1.2.20 dst-port=443 protocol=\
    tcp to-addresses=10.10.100.100 to-ports=443
  • Add routing tables based on the packets marked in firewall mangle, with failover gateway priorities. Add static routes toward the LAN networks so that computers on the LAN can be reached when using the VPN.
/ip route
add check-gateway=ping distance=1 gateway=172.1.1.1 routing-mark=route-wan-1
add check-gateway=ping distance=1 gateway=172.1.2.1 routing-mark=route-wan-2
add check-gateway=ping distance=1 gateway=172.1.3.1 routing-mark=route-wan-3
add check-gateway=ping distance=1 gateway=172.1.1.1
add check-gateway=ping distance=2 gateway=172.1.2.1
add check-gateway=ping distance=3 gateway=172.1.3.1
add distance=1 dst-address=10.10.10.0/24 gateway=10.10.200.2
add distance=1 dst-address=10.10.20.0/24 gateway=10.10.200.2
add distance=1 dst-address=10.10.30.0/24 gateway=10.10.200.2
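
To check what the mangle, PCC and routing rules above do to a single connection, here is a small Python connection-tracking model (added for this article; not MikroTik's or the author's code). It follows the rule order on the page: local destinations are accepted unmarked, a connection arriving on a WAN interface keeps that WAN's mark, and new outbound connections are split per source network by PCC. MikroTik does not publish the PCC hash, so a sum of the addresses and ports stands in for it (an assumption that preserves the properties shown: a connection never changes WAN, 2/0 and 2/1 partition the connections, 1/0 matches all of them):

```python
"""Connection-tracking model of the MikroTik WAN router's mangle and routing
rules. Added illustration, not the article's configuration."""
from ipaddress import ip_address, ip_network

# address plan and interface names of the MikroTik WAN router, from the page
LOCAL_NETS = {"10.10.100.0/24": "ether4-forti",
              "10.100.100.0/24": "ether6-terminal",
              "10.10.200.0/24": "ether5-lan"}
WAN_INGRESS_MARK = {"ether2-wan1": "con-wan-1", "ether3-wan2": "con-wan-2",
                    "ether7-wan3": "con-wan-3"}
# PCC chains per source network: (denominator, remainder, new-connection-mark)
PCC_CHAINS = {"10.10.100.0/24": [(2, 0, "con-wan-1"), (2, 1, "con-wan-2")],
              "10.100.100.0/24": [(1, 0, "con-wan-2")],
              "10.10.200.0/24": [(2, 0, "con-wan-3"), (2, 1, "con-wan-2")]}
# /ip route: routing mark derived from the connection mark -> gateway
GATEWAY = {"con-wan-1": "172.1.1.1", "con-wan-2": "172.1.2.1", "con-wan-3": "172.1.3.1"}
MAIN_GATEWAY = "172.1.1.1"  # distance-1 default route of the main table
# dst-nat "WAN to Server": public endpoint -> WEB LB virtual IP
DST_NAT = {("172.1.1.10", 80): ("10.10.100.100", 80), ("172.1.1.10", 443): ("10.10.100.100", 443),
           ("172.1.2.20", 80): ("10.10.100.100", 80), ("172.1.2.20", 443): ("10.10.100.100", 443)}


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def pcc_remainder(src, dst, sport, dport, denominator):
    """per-connection-classifier=both-addresses-and-ports:D/R. The real classifier
    hashes the four fields into a 32-bit value; summing them stands in here (assumption)."""
    return (int(ip_address(src)) + int(ip_address(dst)) + sport + dport) % denominator


class WanMangle:
    """The first packet of a connection decides its mark; later packets in either
    direction (also after dst-nat) reuse it, as connection tracking does."""

    def __init__(self):
        self.conns = {}

    @staticmethod
    def _key(src, dst, sport, dport):
        # conntrack tuple: direction-independent and aware of the dst-nat mapping
        return frozenset(DST_NAT.get(e, e) for e in ((src, sport), (dst, dport)))

    def mark(self, src, dst, sport, dport, in_iface):
        key = self._key(src, dst, sport, dport)
        if key in self.conns:
            return self.conns[key]
        mark = None
        if any(in_net(dst, n) for n in LOCAL_NETS):
            mark = None                          # accept rules for local destinations
        elif in_iface in WAN_INGRESS_MARK:
            mark = WAN_INGRESS_MARK[in_iface]    # "IN OUT to WAN": remember the ingress WAN
        else:
            for net, chain in PCC_CHAINS.items():
                if in_net(src, net) and in_iface == LOCAL_NETS[net]:
                    for denominator, remainder, m in chain:
                        if pcc_remainder(src, dst, sport, dport, denominator) == remainder:
                            mark = m
                            break
        self.conns[key] = mark
        return mark

    def gateway(self, src, dst, sport, dport, in_iface):
        """Gateway chosen by /ip route for this packet."""
        mark = self.mark(src, dst, sport, dport, in_iface)
        if any(in_net(dst, n) for n in LOCAL_NETS):
            return "connected"
        return GATEWAY.get(mark, MAIN_GATEWAY)


def inbound_web_reply_path():
    """A client on the simulated internet reaches 172.1.1.10:80 through WAN1; after
    dst-nat the WEB LB answers from 10.10.100.100 via ether4-forti and the reply
    must leave through WAN1 again. Returns (inbound mark, reply gateway)."""
    fw = WanMangle()
    inbound = fw.mark("192.168.100.10", "172.1.1.10", 51000, 80, "ether2-wan1")
    reply_gw = fw.gateway("10.10.100.100", "192.168.100.10", 80, 51000, "ether4-forti")
    return inbound, reply_gw                     # ('con-wan-1', '172.1.1.1')


def outbound_marks(src, in_iface, count=64):
    """Set of marks given to `count` connections from one host to one internet address."""
    fw = WanMangle()
    return {fw.mark(src, "172.50.1.2", 40000 + i, 443, in_iface) for i in range(count)}


if __name__ == "__main__":
    print(inbound_web_reply_path())
    for host, iface in (("10.10.100.5", "ether4-forti"), ("10.100.100.100", "ether6-terminal"),
                        ("10.10.200.2", "ether5-lan")):
        print(host, sorted(outbound_marks(host, iface)))
```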
  • MikroTik WAN router protection
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes
add action=jump chain=forward comment="Detect DDoS" connection-state=new \
    jump-target=detect-ddos
add action=jump chain=input connection-state=new dst-port=53 \
    in-interface-list=WAN jump-target=detect-ddos protocol=udp
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/30s
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h chain=detect-ddos

/ip firewall raw
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting comment="Block Port Scanner" \
    protocol=tcp psd=5,3s,2,1
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=prerouting protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=prerouting src-address-list=port_scanners
add action=drop chain=prerouting comment="Block DDoS" src-address-list=\
    ddos-attackers
add action=accept chain=prerouting comment="Allow ICMP" limit=1,5:packet \
    protocol=icmp
add action=accept chain=prerouting comment="Allow SSH/RDP from Terminal" \
    dst-port=22,3389 protocol=tcp src-address=10.100.100.100
add action=accept chain=prerouting comment=\
    "Allow 80,53,443 from all interface" dst-port=80,53,443 \
    in-interface-list=all protocol=tcp
add action=drop chain=prerouting comment="Block Ports from WAN" dst-port=\
    21,22,23,138,139,445,3389 in-interface-list=WAN protocol=tcp
add action=accept chain=prerouting comment="Allow L2TP to Terminal" \
    dst-address=10.100.100.0/24 src-address=192.168.88.0/24
add action=drop chain=prerouting dst-address=10.10.100.0/24 src-address=\
    192.168.88.0/24
add action=drop chain=prerouting dst-address=10.10.200.0/24 src-address=\
    192.168.88.0/24
add action=drop chain=prerouting comment="Block L2TP from WAN1 WAN3" \
    dst-port=1701 in-interface=ether2-wan1 protocol=udp
add action=drop chain=prerouting dst-port=1701 in-interface=ether7-wan3 \
    protocol=udp

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=\
    192.168.119.0/24,10.100.100.100/32,192.100.10.2/32,10.10.200.2/32
set api-ssl disabled=yes

Firewall FortiGate

  • IP address & static route settings
FortiGate # config system interface 
FortiGate (interface) # show 
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.119.130 255.255.255.0
        set allowaccess ping http
        set alias "Port1-MGMT"
    next
    edit "port2"
        set ip 10.10.100.2 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "Port2-WAN"
        set monitor-bandwidth enable
        set role wan
    next
    edit "port3"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set alias "Port3-WEB"
        set monitor-bandwidth enable
        set role dmz
    next
    edit "port4"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set alias "Port4-DB"
        set monitor-bandwidth enable
        set role dmz
    next 
    edit "port5"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next 
end 

FortiGate # config router static 
FortiGate (static) # show
config router static
    edit 1
        set gateway 10.10.100.1
        set device "port2"
    next
end
  • Address object settings
FortiGate # config firewall address 
FortiGate (address) # show 
config firewall address
    edit "WEB"
        set associated-interface "port3"
        set color 6
        set subnet 192.168.10.0 255.255.255.0
    next 
    edit "DB"
        set associated-interface "port4"
        set color 6
        set subnet 192.168.20.0 255.255.255.0
    next 
    edit "Terminal"
        set color 19
        set subnet 10.100.100.100 255.255.255.255
    next 
    edit "MGMT"
        set associated-interface "port1"
        set color 6
        set subnet 192.168.119.130 255.255.255.255
    next 
    edit "Monitoring"
        set color 19
        set subnet 10.100.100.150 255.255.255.255
    next 
end 
  • Virtual IP object settings
FortiGate # config firewall vip 
FortiGate (vip) # show
config firewall vip
    edit "WAN to WEB-LB"
        set extip 10.10.100.100
        set mappedip "192.168.10.100"
        set extintf "port2"
        set color 18
    next
    edit "WAN to WEB-1"
        set extip 10.10.100.101
        set mappedip "192.168.10.101"
        set extintf "port2"
        set color 9
    next
    edit "WAN to WEB-2"
        set extip 10.10.100.102
        set mappedip "192.168.10.102"
        set extintf "port2"
        set color 9
    next
    edit "WAN to WEB-3"
        set extip 10.10.100.103
        set mappedip "192.168.10.103"
        set extintf "port2"
        set color 9
    next
    edit "WAN to NFS"
        set extip 10.10.100.104
        set mappedip "192.168.10.104"
        set extintf "port2"
        set color 21
    next 
    edit "WAN to DB-LB"
        set extip 10.10.100.110
        set mappedip "192.168.20.100"
        set extintf "port2"
        set color 18
    next 
    edit "WAN to DB-1"
        set extip 10.10.100.111
        set mappedip "192.168.20.101"
        set extintf "port2"
        set color 13
    next 
    edit "WAN to DB-2"
        set extip 10.10.100.112
        set mappedip "192.168.20.102"
        set extintf "port2"
        set color 13
    next 
    edit "WAN to DB-3"
        set extip 10.10.100.113
        set mappedip "192.168.20.103"
        set extintf "port2"
        set color 13
    next 
end
  • Firewall NAT and port-forwarding settings
  • The web and DB servers can reach the internet; if this is not needed, their NAT access can be disabled.
  • The web and DB servers can only be accessed from the Terminal and the monitoring server.
  • All IPs arriving on the WAN interface can only reach the WEB-LB server (ICMP and ports 80/443); every other access to the web and DB servers from the WAN interface is blocked.
  • Because a trial license is used, the firewall is limited to only 10 rules.
FortiGate # config firewall policy 
FortiGate (policy) # show 
config firewall policy
    edit 1
        set name "WEB to WAN"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "WEB"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "DB to WAN"
        set srcintf "port4"
        set dstintf "port2"
        set action accept
        set srcaddr "DB"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 4
        set name "WEB to DB"
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set srcaddr "WEB"
        set dstaddr "DB"
        set schedule "always"
        set service "ALL_ICMP" "MYSQL"
        set utm-status enable
        set av-profile "default"
    next 
    edit 6
        set name "DB to WEB"
        set srcintf "port4"
        set dstintf "port3"
        set action accept
        set srcaddr "DB"
        set dstaddr "WEB"
        set schedule "always"
        set service "ALL_ICMP"
        set utm-status enable
        set av-profile "default"
    next 
    edit 7
        set name "Terminal to WEB"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "Terminal" "Monitoring"
        set dstaddr "WAN to WEB-LB" "WAN to WEB-1" "WAN to WEB-2" "WAN to WEB-3" "WAN to NFS"
        set schedule "always"
        set service "ALL_ICMP" "HTTP" "HTTPS" "SSH" "TCP9100"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next 
    edit 8
        set name "Terminal to DB"
        set srcintf "port2"
        set dstintf "port4"
        set action accept
        set srcaddr "Terminal" "Monitoring"
        set dstaddr "WAN to DB-LB" "WAN to DB-1" "WAN to DB-2" "WAN to DB-3"
        set schedule "always"
        set service "ALL_ICMP" "MYSQL" "SSH" "TCP9100"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next 
    edit 10
        set name "WAN to WEB"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "WAN to WEB-LB"
        set schedule "always"
        set service "ALL_ICMP" "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set comments "Allow access WEB from WAN"
    next 
    edit 9
        set name "WAN to DB (Block)"
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "WAN to DB-LB" "WAN to DB-1" "WAN to DB-2" "WAN to DB-3"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next 
end
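
A quick way to confirm the three access rules stated above against the policy set is to parse the show output and check it mechanically. The Python script below (added here; not FortiGate tooling or the article's own) parses a constructed excerpt of the policies above, treats a policy without set action as deny, which is the FortiOS default, and flags any accept policy that would let WAN sources reach the DB network, or reach the web network beyond WEB-LB or with services beyond ICMP/HTTP/HTTPS:

```python
"""Parser and audit for a FortiGate 'config firewall policy' block.
Added illustration, not the article's code."""
import shlex

# constructed excerpt of the page's policy set (ids 7, 10 and 9 as shown above)
SAMPLE = """config firewall policy
    edit 7
        set name "Terminal to WEB"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "Terminal" "Monitoring"
        set dstaddr "WAN to WEB-LB" "WAN to WEB-1"
        set service "ALL_ICMP" "HTTP" "HTTPS" "SSH" "TCP9100"
    next
    edit 10
        set name "WAN to WEB"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "WAN to WEB-LB"
        set service "ALL_ICMP" "HTTP" "HTTPS"
    next
    edit 9
        set name "WAN to DB (Block)"
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "WAN to DB-LB" "WAN to DB-1"
        set service "ALL"
        set logtraffic all
    next
end
"""

WAN_WEB_SERVICES = {"ALL_ICMP", "HTTP", "HTTPS"}


def parse_policies(text):
    """Return one dict per 'edit' block; every 'set' value is kept as a list of tokens."""
    policies, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {"id": int(tokens[1])}
        elif tokens[0] == "next" and current is not None:
            current.setdefault("action", ["deny"])   # FortiOS default when action is unset
            policies.append(current)
            current = None
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies


def audit(policies):
    """Return (policy id, finding) for accept policies that break the stated intent."""
    findings = []
    for p in policies:
        if p["action"] != ["accept"]:
            continue
        wan_any = p.get("srcintf") == ["port2"] and p.get("srcaddr") == ["all"]
        if wan_any and p.get("dstintf") == ["port4"]:
            findings.append((p["id"], "WAN (any) allowed to DB network"))
        if wan_any and p.get("dstintf") == ["port3"]:
            if p.get("dstaddr") != ["WAN to WEB-LB"]:
                findings.append((p["id"], "WAN (any) allowed beyond WEB-LB"))
            extra = set(p.get("service", [])) - WAN_WEB_SERVICES
            if extra:
                findings.append((p["id"], f"WAN (any) to web allows extra services: {sorted(extra)}"))
    return findings


def audit_sample():
    return audit(parse_policies(SAMPLE))           # [] : the excerpt matches the intent


def denied_ids(policies=None):
    """Ids of policies that deny, explicitly or by the unset-action default."""
    policies = parse_policies(SAMPLE) if policies is None else policies
    return [p["id"] for p in policies if p["action"] == ["deny"]]


if __name__ == "__main__":
    print("findings:", audit_sample())
    print("deny policies:", denied_ids())
```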
  • Whitelist FortiGate admin login from specific IPs only
FortiGate # config system admin 
FortiGate (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.119.0 255.255.255.0
        set trusthost2 10.100.100.100 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2BHHApSG5RbcHLU3yqptuVb7B8AP27wpaQDX19sSlItmCAuicVpZRJctGlZk=
    next
end

Monitoring Dashboard

HAproxy

  • HAProxy load balancer configuration; for testing in this article only port 80 (HTTP) is used
global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
   tune.ssl.default-dh-param 2048

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 5s
   timeout client 30s
   timeout server 30s
   maxconn 50000
   fullconn 50000
   retries 5
   option redispatch
   timeout http-request 10s
   timeout http-keep-alive 2s
   timeout queue 5s
   timeout tunnel 2m
   timeout client-fin 1s
   timeout server-fin 1s

listen stats
   bind *:8080
   stats enable
   stats uri /
   stats realm Haproxy\ Statistics
   stats auth admin:admin
   maxconn 25000

frontend http_front
   mode http
   bind *:80
   http-response set-header Access-Control-Allow-Origin "*"
   http-response set-header Access-Control-Max-Age 3628800
   http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"
   http-response set-header X-XSS-Protection 1;mode=block
   http-response set-header X-Frame-Options SAMEORIGIN
   http-response set-header X-Content-Type-Options nosniff
   http-response set-header Referrer-Policy strict-origin-when-cross-origin
   default_backend http_back

backend http_back
   mode http
   balance roundrobin
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   option forwardfor
   option abortonclose
   server server_web01 192.168.10.101:80 cookie server_web01 check fall 2 inter 1s maxconn 25000
   server server_web02 192.168.10.102:80 cookie server_web02 check fall 2 inter 1s maxconn 25000
   server server_web03 192.168.10.103:80 cookie server_web03 check fall 2 inter 1s maxconn 25000
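
The stats, frontend and backend sections above contain settings a reviewer would flag before exposing the load balancer: the default stats credential, the wildcard CORS origin, and server cookie values without a backend `cookie` directive. The script below is an added example, not part of the original article; its section parser is a minimal one written for this page (not HAProxy's own), and `SAMPLE_CFG`, `parse_sections` and `review` are names chosen here. The sample config is a constructed excerpt of the lab configuration.

```python
"""Flag weak points a reviewer would raise on a haproxy.cfg like the lab's.
Added example, not from the original article: a minimal section parser written for
this page plus checks for default stats credentials, a wildcard CORS origin, and
server cookies with no backend 'cookie' directive. The config is a constructed excerpt."""
import re

SAMPLE_CFG = """\
listen stats
   bind *:8080
   stats enable
   stats auth admin:admin
frontend http_front
   bind *:80
   http-response set-header Access-Control-Allow-Origin "*"
   default_backend http_back
backend http_back
   balance roundrobin
   server server_web01 192.168.10.101:80 check cookie server_web01 maxconn 25000
"""
SECTION_RE = re.compile(r"^(global|defaults|listen|frontend|backend)\b\s*(\S*)")

def parse_sections(text):
    """Return [(kind, name, [directives])] in file order; comments stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:                                   # section headers start in column 0
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line.strip())
    return sections

def review(text):
    """Return sorted finding strings; an empty list means nothing was flagged."""
    findings = []
    for kind, name, lines in parse_sections(text):
        for l in lines:
            if l.startswith("stats auth"):
                user, _, pw = l.split(None, 2)[2].partition(":")
                if pw in (user, "admin", "password") or len(pw) < 12:
                    findings.append(f"{kind} {name}: weak stats credential for '{user}'")
            if "Access-Control-Allow-Origin" in l and "*" in l.split()[-1]:
                findings.append(f"{kind} {name}: wildcard CORS origin")
        if kind in ("backend", "listen") and not any(l.startswith("cookie ") for l in lines):
            if any(l.startswith("server ") and " cookie " in l for l in lines):
                findings.append(f"{kind} {name}: server cookies but no backend 'cookie' directive")
    return sorted(findings)
```

Run `review(open("/etc/haproxy/haproxy.cfg").read())` against the real file to get the same list for the deployed configuration.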

Web Server

  • NFS client configuration on web1, web2, web3
  • Edit the /etc/fstab file
192.168.10.104:/var/www/html /var/www/web.sys-ops.id nfs defaults,soft,intr,rsize=32768,wsize=32768 0 0
---
root@web01:~# df -h
Filesystem                    Size  Used Avail Use% Mounted on
tmpfs                          97M  1.1M   96M   2% /run
/dev/mapper/ubuntu--vg-root    59G  5.5G   51G  10% /
tmpfs                         485M     0  485M   0% /dev/shm
tmpfs                         5.0M     0  5.0M   0% /run/lock
/dev/sda2                     2.0G  127M  1.7G   7% /boot
192.168.10.104:/var/www/html   59G  5.5G   51G  10% /var/www/web.sys-ops.id
tmpfs                          97M  4.0K   97M   1% /run/user/0

NFS Server

  • NFS server configuration, edit the /etc/exports file
/var/www/html/ 192.168.10.0/24(rw,sync,no_subtree_check,no_root_squash,no_all_squash)

MaxScale

  • MaxScale load balancer configuration
#Global MaxScale Settings
[maxscale]
threads=auto

#Define Server Nodes
[db01]
type=server
address=192.168.20.101
port=3306
protocol=MariaDBBackend

[db02]
type=server
address=192.168.20.102
port=3306
protocol=MariaDBBackend

[db03]
type=server
address=192.168.20.103
port=3306
protocol=MariaDBBackend

#Define Monitoring Service
[Galera-Monitor]
type=monitor
module=galeramon
servers=db01,db02,db03
user=lb_admin
password=lb_P@ssw0rd!
monitor_interval=1000

#Define Galera Service
[Galera-RoundRobin-Service]
type=service
router=readconnroute
router_options=synced
servers=db01,db02,db03
user=lb_admin
password=lb_P@ssw0rd!

[Galera-ReadWrite-Service]
type=service
router=readwritesplit
servers=db01,db02,db03
user=lb_admin
password=lb_P@ssw0rd!

#Galera cluster listener
[Galera-RoundRobin-Listener]
type=listener
service=Galera-RoundRobin-Service
protocol=MariaDBClient
address=0.0.0.0
port=3306

[Galera-ReadWrite-Listener]
type=listener
service=Galera-ReadWrite-Service
protocol=MariaDBClient
address=0.0.0.0
port=3307

Database

  • MariaDB Galera Cluster configuration
[mysqld]
log_error=/var/log/mariadb.log
innodb_large_prefix = ON
key-buffer-size = 64M
max-heap-table-size = 64M
max-allowed-packet = 48M
tmp-table-size = 128M
max_connections = 256
thread-cache-size = 50
thread_stack=2M
open-files-limit = 500000
table-definition-cache = 4096
table-open-cache = 8192
innodb-log-files-in-group = 2
innodb-log-file-size = 1G
innodb-file-per-table = 1
innodb-buffer-pool-size = 256M
innodb-buffer-pool-instances = 8
innodb-io-capacity = 5000
innodb-read-io-threads = 16
innodb-write-io-threads = 16
innodb_doublewrite = 1
innodb_adaptive_hash_index = False
transaction_isolation = READ-COMMITTED
innodb-thread-concurrency = 64
wait_timeout = 300
sort_buffer_size = 8M
read_buffer_size = 8M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
query_cache_size= 64M
skip-name-resolve
open_files_limit = 64000

ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/server-cert.pem
ssl-key=/etc/ssl/mysql/server-key.pem

[client]
ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/client-cert.pem
ssl-key=/etc/ssl/mysql/client-key.pem

[galera]
# Mandatory settings
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_cluster_name="galeracluster_sys-ops-id"
wsrep_cluster_address="gcomm://192.168.20.101,192.168.20.102,192.168.20.103"
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
wsrep_sst_method=rsync
wsrep_node_address="192.168.20.101"
wsrep_node_name="node_1"
bind-address=0.0.0.0
wsrep_provider_options="gcache.size = 512M; gcache.page_size = 256M; gcache.recover = yes; socket.ssl_key=/etc/ssl/mysql/server-key.pem;socket.ssl_cert=/etc/ssl/mysql/server-cert.pem;socket.ssl_ca=/etc/ssl/mysql/ca.pem"

Testing

  • The web server answers on (has) 2 public IPs from 2 different ISPs.
  • If either the ISP-1 or the ISP-2 link has a problem (goes down), the web server remains reachable over the link that is still up, and DNS failover (in this article implemented with netwatch on the DNS server) kicks in and points the name at the IP that still replies.
  • Traceroute from the web server to ISP-4 is routed via ISP-1 and ISP-2
root@haproxy:~# traceroute abc.sys-ops.id
traceroute to abc.sys-ops.id (172.50.1.2), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.923 ms 
 2  10.10.100.1 (10.10.100.1)  3.967 ms 
 3  172.1.1.1 (172.1.1.1)  3.798 ms 
 4  172.1.7.2 (172.1.7.2)  4.749 ms 
 5  88.88.88.81 (88.88.88.81)  9.528 ms 
 6  abc.sys-ops.id (172.50.1.2)  10.601 ms 

root@haproxy:~# traceroute abc.sys-ops.id
traceroute to abc.sys-ops.id (172.50.1.2), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.832 ms 
 2  10.10.100.1 (10.10.100.1)  1.664 ms 
 3  172.1.2.1 (172.1.2.1)  3.343 ms 
 4  172.1.5.2 (172.1.5.2)  4.343 ms
 5  88.88.88.81 (88.88.88.81)  7.582 ms 
 6  abc.sys-ops.id (172.50.1.2)  8.865 ms 
  • Traceroute from the terminal to ISP-4 is routed via ISP-2
C:\Users\Administrator>tracert abc.sys-ops.id
Tracing route to abc.sys-ops.id [172.50.1.2]
over a maximum of 30 hops:
  1     1 ms     1 ms    <1 ms  10.100.100.1
  2     2 ms     2 ms     1 ms  172.1.2.1
  3     2 ms     2 ms     2 ms  172.1.7.2
  4     6 ms     5 ms     5 ms  88.88.88.81
  5     7 ms     6 ms     6 ms  abc.sys-ops.id [172.50.1.2]
  • Traceroute from the LAN to ISP-4 is routed via ISP-3 and ISP-2
C:\Users\Administrator>tracert abc.sys-ops.id
Tracing route to abc.sys-ops.id [172.50.1.2]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.10.10.1
  2     1 ms     1 ms     1 ms  10.10.200.1
  3     2 ms     2 ms     2 ms  172.1.2.1
  4     3 ms     3 ms     3 ms  172.1.7.2
  5     6 ms     5 ms     6 ms  88.88.88.81
  6     7 ms     7 ms     7 ms  abc.sys-ops.id [172.50.1.2]

C:\Users\Administrator>tracert abc.sys-ops.id
Tracing route to abc.sys-ops.id [172.50.1.2]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.10.10.1
  2     1 ms     1 ms     1 ms  10.10.200.1
  3    37 ms    43 ms    43 ms  172.1.3.1
  4    57 ms    42 ms    46 ms  172.1.9.2
  5    47 ms    42 ms    40 ms  88.88.88.81
  6    50 ms    52 ms    37 ms  abc.sys-ops.id [172.50.1.2]
  • If one ISP link has a problem (goes down), the other links that are still up back each other up so that internet access keeps working.
C:\Users\Administrator>tracert abc.sys-ops.id
Tracing route to abc.sys-ops.id [172.50.1.2]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  10.100.100.1
  2     1 ms     1 ms     1 ms  172.1.3.1
  3     2 ms     2 ms     2 ms  172.1.9.2
  4     6 ms     5 ms     5 ms  88.88.88.81
  5     6 ms     6 ms     5 ms  abc.sys-ops.id [172.50.1.2]

root@haproxy:~# traceroute abc.sys-ops.id
traceroute to abc.sys-ops.id (172.50.1.2), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.755 ms 
 2  10.10.100.1 (10.10.100.1)  2.185 ms 
 3  172.1.3.1 (172.1.3.1)  3.216 ms 
 4  172.1.9.2 (172.1.9.2)  4.975 ms
 5  88.88.88.81 (88.88.88.81)  7.217 ms 
 6  abc.sys-ops.id (172.50.1.2)  8.543 ms  
  • DNS failover test, traceroute from User4
C:\Users\Administrator>tracert web.sys-ops.id
Tracing route to web.sys-ops.id [172.1.2.20]
over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  192.168.100.1
  2     2 ms     1 ms     2 ms  172.50.1.1
  3     5 ms     4 ms     5 ms  88.88.88.82
  4     7 ms     6 ms     5 ms  172.1.7.1
  5     6 ms     6 ms     6 ms  web.sys-ops.id [172.1.2.20]
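
The traceroute checks above can be made repeatable: the script below, an added example that is not part of the original article, parses both output formats shown (Linux traceroute and Windows tracert), maps the first ISP gateway hop to ISP-1/ISP-2/ISP-3 using the article's addressing plan, and compares it with the PCC policy for each source. A failover path, such as the terminal leaving via ISP-3 while ISP-2 is down, then shows up as a policy deviation. The sample outputs and the names `hop_ips`, `isp_used` and `complies` are constructed for this example.

```python
"""Check traceroute output against the lab's PCC routing policy.
Added example, not from the original article: parses the Linux traceroute and
Windows tracert formats shown in the test section and reports which ISP link
the MikroTik WAN router chose, so a failover or a misrouted source stands out."""
import re

# ISP-side gateway addresses and the permitted ISPs per source, from the article.
ISP_GATEWAYS = {"172.1.1.1": "ISP-1", "172.1.2.1": "ISP-2", "172.1.3.1": "ISP-3"}
ALLOWED = {"web": {"ISP-1", "ISP-2"}, "terminal": {"ISP-2"}, "lan": {"ISP-2", "ISP-3"}}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def hop_ips(output):
    """IPv4 address of each answering hop, in order, for either tool's output."""
    ips = []
    for line in output.splitlines():
        if not re.match(r"\s*\d+\s", line):   # skip header lines
            continue
        found = IPV4_RE.findall(line)
        if found:                               # '*' timeouts carry no address
            ips.append(found[-1])               # last address on the line is the hop
    return ips

def isp_used(output):
    """Name of the ISP whose gateway appears first in the path, or None."""
    return next((ISP_GATEWAYS[ip] for ip in hop_ips(output) if ip in ISP_GATEWAYS), None)

def complies(source, output):
    """True when the path taken is one the PCC policy permits for this source."""
    return isp_used(output) in ALLOWED[source]

# Constructed samples in the two formats the article shows (some hops omitted).
LINUX_WEB = """\
traceroute to abc.sys-ops.id (172.50.1.2), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.923 ms
 2  10.10.100.1 (10.10.100.1)  3.967 ms
 3  172.1.1.1 (172.1.1.1)  3.798 ms
 6  abc.sys-ops.id (172.50.1.2)  10.601 ms
"""
WINDOWS_TERMINAL_FAILOVER = """\
Tracing route to abc.sys-ops.id [172.50.1.2]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  10.100.100.1
  2     1 ms     1 ms     1 ms  172.1.3.1
  3     *        *        *     Request timed out.
  5     6 ms     6 ms     5 ms  abc.sys-ops.id [172.50.1.2]
"""
```

Feeding live output in (for example `complies("terminal", subprocess.check_output(["tracert", "abc.sys-ops.id"], text=True))`) gives a pass/fail per source that can be scheduled as a routing-policy check.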


herdiana3389

A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.