How to Configure a MikroTik Firewall for a Public IP (Hardening)


A MikroTik router that sits directly on a public IP is exposed to the whole internet: brute-force login attempts, port scanning, exploitation of the management services, and small-scale DDoS. Scanners find a new public address within minutes, and a router with no input firewall can be taken over in that time. That is why a proper firewall configuration is mandatory on a MikroTik with a public IP: it protects the router itself, the servers behind it, and the internal network.

This guide walks through the full MikroTik hardening procedure, from the basics to a complete ready-to-use rule set.


Understand the MikroTik Firewall Structure Before Hardening

The MikroTik filter has three built-in chains:

  • INPUT → traffic addressed to the router itself (Winbox, SSH, WebFig, API, DNS)
  • FORWARD → traffic passing through the router (LAN → internet, port forwards)
  • OUTPUT → traffic originating from the router

Rules in a chain are evaluated top to bottom and the first matching terminating rule (accept or drop) wins; a packet that reaches the end of a built-in chain without matching anything is accepted. Keep that in mind for every section below: an accept placed above a drop quietly undoes the drop, and a drop placed above an accept locks out the traffic the accept was meant for.

For public-IP hardening, the focus is on:

  1. Securing access to the router itself (INPUT)
  2. Controlling traffic passing through the router (FORWARD)
  3. Restricting the management services (API, Winbox, SSH, WebFig)
  4. Protecting port forwards and local servers

1. Hardening MikroTik Services

Disable the services you do not need

/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable www-ssl
/ip service disable api
/ip service disable api-ssl

Telnet and FTP send credentials in the clear and have no place on a public-facing router. WebFig runs on www and www-ssl; disable both unless you genuinely manage the router through a browser, and in that case keep only www-ssl with a proper certificate. The API (plain and SSL) is only needed by external tools that talk to the router; leave it off until something requires it.

Change the Winbox and SSH ports

/ip service set winbox port=8291
/ip service set ssh port=2222

Note that 8291 is the Winbox default, so the first line changes nothing as written; if you want a non-default port, pick another value and use the same number in the firewall rules later in this guide (they are written for 8291 and 2222). A custom port only reduces noise from mass scanners; it is not a security control on its own, so never rely on it instead of the address restriction and the firewall below.

Restrict the services to specific source addresses

/ip service set winbox address=203.0.113.10/32
/ip service set ssh address=203.0.113.10/32

With the address restriction the service itself refuses connections from any other source, so internet bots never reach a login prompt to brute-force. Use a comma-separated list (or a subnet) if you administer the router from more than one address, and make sure the addresses here match the admin whitelist in section 4.


2. Create Interface Lists (WAN & LAN)

Interface lists keep the rules readable and let you add interfaces later without touching the firewall:

/interface list add name=WAN
/interface list add name=LAN

/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

Adjust ether1 and bridge to the interfaces on your router; every rule below refers to the lists, not to interface names.

3. Basic Firewall (Mandatory on Any Router With a Public IP)

A. Accept established and related connections

/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established related"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established related"

B. Drop invalid traffic

/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid"

C. Allow access from the LAN

/ip firewall filter add chain=input in-interface-list=LAN action=accept comment="Allow LAN access"

D. Drop everything else from the internet to the router (the most important rule)

/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="Drop WAN to router"

With this rule in place the router cannot be reached from the internet at all, except by sources you explicitly whitelist. Because rules are matched in order, every accept for WAN sources (the admin whitelist in section 4, the port-specific rules later on) must sit above this drop. If you add the rules in the order they appear in this guide, move this drop to the bottom of the input chain afterwards (drag it in Winbox or use /ip firewall filter move); the final configuration in section 14 already has it in the right place. The rule also covers UDP and ICMP, so anything you want reachable from the WAN (ping, a VPN endpoint) needs its own accept above it.


4. Adding an Admin Whitelist (Safe Remote Access)

A. Add the admin address

/ip firewall address-list add list=admin address=203.0.113.10 comment="Admin workstation"

B. Allow the admin in from the WAN

/ip firewall filter add chain=input src-address-list=admin action=accept comment="Allow admin remote"

This rule must sit above the "Drop WAN to router" rule from section 3D or it is never reached. The whitelist is the core of remote access on a public-IP router: the service-level address restriction from section 1 and this firewall rule should name the same addresses, and the address should be one you control (a static office IP or, better, the inside of a VPN), not a dynamic consumer address that someone else may receive tomorrow.
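To make the ordering point concrete, here is an added example (written for this guide, not MikroTik code and not part of the original article): a small Python first-match simulator for the input rules of sections 3 and 4. It models only the matchers those rules use (chain, in-interface-list, src-address-list, connection-state, protocol, dst-port) and the RouterOS behaviour that a packet reaching the end of a built-in chain is accepted. The scanner address 198.51.100.77 and the LAN host 192.168.10.50 are constructed test values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Address lists as RouterOS holds them under /ip firewall address-list.
ADDRESS_LISTS: Dict[str, Set[str]] = {"admin": {"203.0.113.10"}}


@dataclass
class Rule:
    """One /ip firewall filter rule, restricted to the matchers this guide uses."""
    chain: str
    action: str                              # "accept" or "drop" (terminating actions only)
    comment: str = ""
    in_list: Optional[str] = None            # in-interface-list=
    src_list: Optional[str] = None           # src-address-list=
    conn_state: Optional[Set[str]] = None    # connection-state=
    protocol: Optional[str] = None           # protocol=
    dst_port: Optional[int] = None           # dst-port=


@dataclass
class Packet:
    chain: str
    in_list: str          # interface list the packet arrived on (WAN or LAN)
    src: str
    conn_state: str = "new"
    protocol: str = "tcp"
    dst_port: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.in_list is not None and rule.in_list != pkt.in_list:
        return False
    if rule.src_list is not None and pkt.src not in ADDRESS_LISTS.get(rule.src_list, set()):
        return False
    if rule.conn_state is not None and pkt.conn_state not in rule.conn_state:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides. RouterOS has no implicit drop: a packet that
    falls off the end of a built-in chain is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: implicit accept)"


# The rules of sections 3 and 4, as data.
ALLOW_ESTABLISHED = Rule("input", "accept", "Allow established related",
                         conn_state={"established", "related"})
DROP_INVALID = Rule("input", "drop", "Drop invalid", conn_state={"invalid"})
ALLOW_LAN = Rule("input", "accept", "Allow LAN access", in_list="LAN")
ALLOW_ADMIN = Rule("input", "accept", "Allow admin remote", src_list="admin")
DROP_WAN = Rule("input", "drop", "Drop WAN to router", in_list="WAN")

# Typed in the order the sections appear: the catch-all drop lands ABOVE the whitelist.
ORDER_AS_TYPED = [ALLOW_ESTABLISHED, DROP_INVALID, ALLOW_LAN, DROP_WAN, ALLOW_ADMIN]
# Corrected order: whitelist above the catch-all drop.
ORDER_FINAL = [ALLOW_ESTABLISHED, DROP_INVALID, ALLOW_LAN, ALLOW_ADMIN, DROP_WAN]
# What happens when the catch-all drop is forgotten altogether.
ORDER_NO_DROP = [ALLOW_ESTABLISHED, DROP_INVALID, ALLOW_LAN, ALLOW_ADMIN]

# Constructed test packets: a new Winbox connection from three different sources.
SAMPLE_PACKETS = {
    "admin":   Packet("input", "WAN", "203.0.113.10", dst_port=8291),
    "scanner": Packet("input", "WAN", "198.51.100.77", dst_port=8291),
    "lan":     Packet("input", "LAN", "192.168.10.50", dst_port=8291),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict (accept/drop) for each sample packet under a given rule order."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in [("as typed", ORDER_AS_TYPED), ("final", ORDER_FINAL), ("no drop", ORDER_NO_DROP)]:
        print(f"{label:9s} {verdicts(rules)}")
```

Run it and the three orders tell the whole story: with the drop above the whitelist the admin is locked out exactly like the scanner; with the final order the admin gets in and the scanner is dropped; without the catch-all drop the scanner is accepted by the implicit end-of-chain accept, which is why section 3D calls that rule the most important one.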


5. Hardening NAT and Port Forwarding

Many routers are compromised because a port to an internal server is opened without a matching filter rule.

A. Port forward (example: web server on port 80)

/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.111 to-ports=80 comment="Forward 80 to web server"

The in-interface-list=WAN matcher is important: without it the rule also rewrites port-80 traffic coming from the LAN, so LAN hosts would be redirected to the internal server instead of reaching external web sites.

B. Allow forwarding only for the ports you intend to expose

/ip firewall filter add chain=forward in-interface-list=WAN connection-nat-state=dstnat protocol=tcp dst-port=80 dst-address=192.168.10.111 action=accept comment="Allow forwarded 80"

C. Drop every other forward from the WAN

/ip firewall filter add chain=forward connection-nat-state=!dstnat in-interface-list=WAN action=drop comment="Drop non-dstnat from WAN"

This stops outsiders from using your public IP as a path into the internal LAN: only connections that passed through a dst-nat rule are allowed through the router, and only to the address and port you listed. Add one accept like B for every additional service you forward; never open a port with a broad accept.


6. Brute-Force Protection for Winbox and SSH

The rules below use staged address lists. A new connection to the protected port from a source that was not accepted earlier puts that source in a short-lived stage list; a second attempt within a minute promotes it to the next stage; a third attempt within the minute lands it on the blacklist for a day. The blacklist drop comes first so that a blacklisted source is rejected before anything else is evaluated.

A. Winbox brute-force protection

/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_blacklist action=drop comment="Drop Winbox blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d comment="Winbox 3rd attempt: blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage1 action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="Winbox 2nd attempt"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m comment="Winbox 1st attempt"

B. SSH brute-force protection

/ip firewall filter add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist action=drop comment="Drop SSH blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d comment="SSH 3rd attempt: blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="SSH 2nd attempt"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="SSH 1st attempt"

Two details matter here. The add-src-to-address-list action takes address-list-timeout (not timeout) for the expiry of the entry it creates. And the limit matcher is the wrong tool for this: it matches packets up to the configured rate, not above it, so a rule with limit=3/1m and action=add-src-to-address-list would blacklist the first few packets of every source instead of the ones that exceed the rate. Place these rules after the admin whitelist so that your own logins never count as attempts, and before the final "Drop WAN to router" rule. A source that hits the threshold is blocked on that port for 24 hours; the current entries are visible under /ip firewall address-list.
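The following added example (written for this guide, not MikroTik code) simulates the four-rule stage logic above in Python, so you can see which attempt gets a source blacklisted and how the 1m and 1d timeouts interact. It models add-src-to-address-list as an action that does not stop rule processing (the packet continues to the next rule); the blacklisting outcome is the same either way, because the drop rule sits above the stage rules. The connection times and the attacker address 198.51.100.77 are constructed test values.

```python
from typing import Dict, List

STAGE_TIMEOUT = 60          # address-list-timeout=1m on the stage lists
BLACKLIST_TIMEOUT = 86_400  # address-list-timeout=1d on the blacklist


class AddressLists:
    """Dynamic /ip firewall address-list entries with expiry, keyed by list name."""

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, float]] = {}

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Re-adding an existing entry refreshes its timeout, as RouterOS does.
        self._entries.setdefault(name, {})[ip] = now + timeout

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self._entries.get(name, {}).get(ip)
        if expiry is None:
            return False
        if expiry <= now:                    # entry timed out: RouterOS removes it
            del self._entries[name][ip]
            return False
        return True


def new_connection(lists: AddressLists, prefix: str, ip: str, now: float) -> str:
    """Run one NEW TCP connection to the protected port through the four rules,
    in the order they are added to the input chain. Returns the verdict of this
    rule group: 'drop' for a blacklisted source, otherwise 'continue' (the packet
    goes on to the remaining rules, normally the final 'Drop WAN to router')."""
    blacklist, stage1, stage2 = f"{prefix}_blacklist", f"{prefix}_stage1", f"{prefix}_stage2"
    # Rule 1: drop blacklisted sources before anything else.
    if lists.contains(blacklist, ip, now):
        return "drop"
    # Rule 2: third attempt within the window (source already in stage2) -> blacklist.
    if lists.contains(stage2, ip, now):
        lists.add(blacklist, ip, now, BLACKLIST_TIMEOUT)
    # Rule 3: second attempt (source already in stage1) -> stage2.
    if lists.contains(stage1, ip, now):
        lists.add(stage2, ip, now, STAGE_TIMEOUT)
    # Rule 4: every new connection lands in (or refreshes) stage1.
    lists.add(stage1, ip, now, STAGE_TIMEOUT)
    return "continue"


def simulate(times: List[float], ip: str = "198.51.100.77", prefix: str = "ssh") -> List[str]:
    """Verdict for each connection attempt from one source at the given times (seconds)."""
    lists = AddressLists()
    return [new_connection(lists, prefix, ip, t) for t in times]


if __name__ == "__main__":
    # Fast attacker: blacklisted on the third attempt, dropped from the fourth on.
    print("fast:  ", simulate([0, 10, 20, 30, 45]))
    # Slow attacker: one attempt every 90 s, the stage entries expire in between.
    print("slow:  ", simulate([0, 90, 180, 270]))
    # The 1d blacklist entry expires: an attempt a day later is evaluated afresh.
    print("expiry:", simulate([0, 10, 20, 30, 30 + BLACKLIST_TIMEOUT]))
```

The slow case is the limitation to keep in mind: a patient attacker who spaces attempts more than a minute apart never reaches stage2. That is acceptable because the rules are not the primary control; the admin whitelist and the final WAN drop are. The stage rules exist to cut the noise and the CPU cost of mass scanners.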


7. Anti Port Scanning

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="Drop TCP port scan"
/ip firewall filter add chain=input protocol=udp in-interface-list=WAN action=drop comment="Drop UDP from WAN"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=drop comment="Drop SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=drop comment="Drop SYN/RST scan"

The psd matcher is the port scan detector: psd=21,3s,3,1 means a weight threshold of 21 reached within 3 seconds, with connections to low ports (below 1024) weighing 3 and to high ports weighing 1, so a source that probes a handful of different ports in quick succession matches. The last two rules drop TCP packets with flag combinations no real client sends (SYN together with FIN, SYN together with RST), which are typical of scanner fingerprinting. The UDP rule only makes sense below the LAN accept and the admin whitelist; if you later expose a UDP service on the WAN (a VPN, for instance), its accept must go above this rule, otherwise this is just an early copy of the final "Drop WAN to router" rule and the final configuration in section 14 leaves it out.

8. ICMP (Ping)

/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"
/ip firewall filter add chain=forward protocol=icmp action=accept comment="Allow ICMP forward"

Keeping ICMP reachable is recommended: ping and traceroute are the first troubleshooting tools you reach for, and path MTU discovery depends on ICMP as well. If you are worried about ping floods, add a limit matcher to the input rule (for example limit=20/1s,10:packet) so that only a bounded number of ICMP packets per second is accepted and the rest falls through to the final WAN drop.


9. Light Anti-DDoS (SYN Flood)

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=syn-protect comment="SYN flood check"
/ip firewall filter add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new limit=50/1s,10:packet action=return comment="Within SYN rate: back to input"
/ip firewall filter add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="Drop SYN flood"

New SYNs to the router are sent to a separate chain: while they stay under 50 per second (burst 10) the return action hands them back to the input chain, where the normal rules (admin whitelist, port-specific accepts, final drop) decide their fate; anything above the rate is dropped. Do not write this as a plain accept-with-limit followed by a drop in the input chain: an accept that matches every SYN within the rate would open every port on the router to the internet, with the rate limit as the only obstacle. Tune the rate to your router; 50 new connections per second to the router itself is plenty for management traffic.

10. Hardening DNS (If the Router Acts as a DNS Forwarder)

A. Do not answer DNS queries from the internet

/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Drop DNS from WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Drop DNS from WAN (TCP)"

With /ip dns set allow-remote-requests=yes the router answers queries arriving on any interface, which turns an unfiltered public IP into an open resolver that attackers use for DNS amplification. Block port 53 (UDP and TCP) from the WAN; the final "Drop WAN to router" rule covers this too, but an explicit rule keeps the protection in place even if someone later adds a broader accept above the final drop.

B. Allow DNS from the LAN only

/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=LAN action=accept comment="Allow DNS from LAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=LAN action=accept comment="Allow DNS from LAN (TCP)"

11. Hardening DHCP, ARP, and Layer 2

A. Use ARP reply-only on the LAN interface

/interface bridge set bridge arp=reply-only
/ip dhcp-server set [find] add-arp=yes

ARP mode is a property of the interface, not of /ip arp. In reply-only mode the router stops learning MAC addresses dynamically and only talks to hosts that have a static entry in /ip arp, which prevents a LAN host from claiming another host's IP toward the router. Without entries the LAN loses connectivity, so either add each host with /ip arp add address=... mac-address=... interface=bridge or, as above, let the DHCP server create the entries for its leases (add-arp=yes). Hosts with manually configured addresses still need a static entry.

B. Keep DHCP traffic local

/ip firewall filter add chain=input protocol=udp dst-port=67 in-interface-list=LAN action=accept comment="Allow DHCP from LAN"
/ip firewall filter add chain=input protocol=udp dst-port=67 in-interface-list=WAN action=drop comment="Drop DHCP from WAN"

These rules make sure nothing on the WAN side can talk to the router's DHCP server. They do not detect a rogue DHCP server inside the LAN, because a rogue server answers clients directly and the router never sees that exchange; for that, configure /ip dhcp-server alert on the bridge, which logs any DHCP server seen on the interface that is not in its valid-server list.

12. Firewall Logging and Monitoring

Log dropped packets

/ip firewall filter add chain=input in-interface-list=WAN action=log log-prefix="FW-DROP: "

Put this rule immediately above the final "Drop WAN to router" rule: log is a non-terminating action, so the packet is written to the log and then continues to the drop. Placed anywhere else, or without the in-interface-list=WAN matcher, it logs every packet that reaches it, including legitimate LAN traffic, and floods the log.

Log brute-force attempts

/ip firewall filter add chain=input src-address-list=winbox_blacklist action=log log-prefix="WINBOX-BRUTE: "
/ip firewall filter add chain=input src-address-list=ssh_blacklist action=log log-prefix="SSH-BRUTE: "

These go directly above the matching blacklist drop rules from section 6. Logs are what let you see repeated attacks, which ports are being hit, and whether the blacklists are doing their job; on a router with little storage, send them to a remote syslog server with /system logging action rather than keeping them in memory, where they are lost on reboot.
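As an added example of what to do with those logs (written for this guide; not RouterOS code), the Python below parses firewall log lines in the layout RouterOS produces for action=log (prefix, chain, in/out interface, source MAC, protocol, src:port->dst:port, length), counts dropped attempts per source and destination port, and picks out the sources that deserve a place on a blacklist. The log lines are constructed samples in that layout; the addresses and timestamps in them are made up.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of /log print output (layout as written by action=log).
SAMPLE_LOG = """\
jan/02 03:04:05 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 198.51.100.77:44211->203.0.113.5:8291, len 60
jan/02 03:04:06 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 198.51.100.77:44212->203.0.113.5:8291, len 60
jan/02 03:04:07 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 198.51.100.77:44213->203.0.113.5:2222, len 60
jan/02 03:04:09 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 198.51.100.77:44214->203.0.113.5:8291, len 60
jan/02 03:05:11 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:dd:ee:ff, proto UDP, 192.0.2.9:5353->203.0.113.5:53, len 70
jan/02 03:05:30 firewall,info FW-DROP: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:dd:ee:ff, proto ICMP (type 8, code 0), 192.0.2.9->203.0.113.5, len 84
jan/02 03:06:00 firewall,info WINBOX-BRUTE: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 198.51.100.77:44300->203.0.113.5:8291, len 60
jan/02 03:06:02 system,info,account user admin logged in from 203.0.113.10 via winbox
"""

# One firewall log line; ports are optional so ICMP lines parse too.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<topics>\S+) (?P<prefix>[A-Z0-9-]+): (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?:\([^)]*\)|\S+), (?:src-mac \S+, )?"
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<len>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Fields of a firewall log line, or None for any other log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def parse_log(text: str) -> List[dict]:
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def drops_per_source_port(records: List[dict], prefix: str = "FW-DROP") -> Counter:
    """How many times each (source, destination port) pair was logged under `prefix`."""
    return Counter((r["src"], r["dport"]) for r in records if r["prefix"] == prefix)


def blacklist_candidates(records: List[dict], threshold: int = 3,
                         ports: Tuple[int, ...] = (8291, 2222)) -> Dict[str, int]:
    """Sources with at least `threshold` dropped attempts on the management ports;
    these are the addresses to check against /ip firewall address-list."""
    hits: Dict[str, int] = defaultdict(int)
    for (src, dport), n in drops_per_source_port(records).items():
        if dport in ports:
            hits[src] += n
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} firewall records parsed")
    for (src, dport), n in drops_per_source_port(recs).most_common():
        print(f"  {src:16s} -> port {dport}: {n} drops")
    print("blacklist candidates:", blacklist_candidates(recs))
```

Feed it the output of /log print (or the remote syslog file) instead of the sample and you get the per-source view the Winbox log window does not give you: which addresses keep coming back, which ports they go for, and whether a source already on the brute-force list is still hitting the router.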


13. Ideal Firewall Structure (Final Order)

The recommended order for the input chain is:

  1. Accept established/related
  2. Drop invalid
  3. Accept LAN
  4. Accept the admin whitelist
  5. Accept the specific ports you expose
  6. Anti brute-force
  7. Anti scan
  8. Anti DDoS
  9. Drop the rest

Every accept for the outside world (4 and 5) sits above the protections (6 to 8), and the catch-all drop (9) comes last. A rule added later in the wrong place is the most common way a hardened router gets re-exposed, so check /ip firewall filter print after every change.

14. Final Firewall Configuration (Ready to Use)

This is the filter part only; it assumes the interface lists from section 2 and the dst-nat rule from section 5 already exist. Paste it onto a router whose filter table is empty, or compare it rule by rule with /ip firewall filter print.

# -------------------------------------
# FIREWALL HARDENING MIKROTIK PUBLIC IP
# -------------------------------------

# 1. Accept established/related
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established related"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established related"

# 2. Drop invalid
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid"

# 3. Accept LAN
/ip firewall filter add chain=input in-interface-list=LAN action=accept comment="Allow LAN access"

# 4. Admin whitelist
/ip firewall address-list add list=admin address=203.0.113.10 comment="Admin workstation"
/ip firewall filter add chain=input src-address-list=admin action=accept comment="Allow admin remote"

# 5. Accept the forwarded port only
/ip firewall filter add chain=forward in-interface-list=WAN connection-nat-state=dstnat protocol=tcp dst-port=80 dst-address=192.168.10.111 action=accept comment="Allow forwarded 80"

# 6. Drop any other forward from WAN
/ip firewall filter add chain=forward connection-nat-state=!dstnat in-interface-list=WAN action=drop comment="Drop non-dstnat from WAN"

# 7. Anti brute-force Winbox (staged address lists, see section 6)
/ip firewall filter add chain=input src-address-list=winbox_blacklist action=log log-prefix="WINBOX-BRUTE: "
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_blacklist action=drop comment="Drop Winbox blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d comment="Winbox 3rd attempt: blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage1 action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="Winbox 2nd attempt"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m comment="Winbox 1st attempt"

# 8. Anti brute-force SSH
/ip firewall filter add chain=input src-address-list=ssh_blacklist action=log log-prefix="SSH-BRUTE: "
/ip firewall filter add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist action=drop comment="Drop SSH blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d comment="SSH 3rd attempt: blacklist"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="SSH 2nd attempt"
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="SSH 1st attempt"

# 9. Anti port scan
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="Drop TCP port scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=drop comment="Drop SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=drop comment="Drop SYN/RST scan"

# 10. Light anti-DDoS (SYN flood) through a separate chain
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=syn-protect comment="SYN flood check"
/ip firewall filter add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new limit=50/1s,10:packet action=return comment="Within SYN rate: back to input"
/ip firewall filter add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="Drop SYN flood"

# 11. Drop DNS from WAN
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Drop DNS from WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Drop DNS from WAN (TCP)"

# 12. Accept ICMP (ping)
/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"

# 13. Log, then drop everything else from WAN to the router
/ip firewall filter add chain=input in-interface-list=WAN action=log log-prefix="FW-DROP: "
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="Drop WAN to router"

15. Hardening Checklist for a MikroTik With a Public IP

  • ✔ Disable Telnet, FTP, API, and public WebFig
  • ✔ Use a strict input chain that ends in a drop
  • ✔ Allow router access only from the LAN or the admin whitelist
  • ✔ Never open a port to an internal server without a matching forward filter
  • ✔ Use a non-default port for SSH and Winbox (as noise reduction, not as a control)
  • ✔ Enable brute-force and scan protection
  • ✔ Keep logging on, preferably to a remote syslog server
  • ✔ Update RouterOS regularly

With this configuration in place your MikroTik is hardened to a level appropriate for a router exposed on a public IP. Keep it that way: re-check the rule order whenever you add a service, and keep RouterOS up to date.
