Mikrotik + IPCop + Juniper Netscreen … go i-net

Dear all of my friends,

After a long weekend and no time to write this blog, here we are: now we give you a tutorial on mixing Mikrotik + IPCop + Juniper Netscreen, as we use it in my network infrastructure.

Some of it comes from chatting with the geeks, reading the resources, and trying it out on multiple virtual machines to create multiple subnets. This mix looks good enough for me.

Why, when we already use the JunNet, do we still need Mikrotik and IPCop as router and web proxy? Our network infrastructure cannot be changed, because the WAN has already been built up using the JunNet; in this case I would never think of removing the JunNet, to prevent bad situations. So we try to mix them together to make the network infrastructure stronger and better, even though some network admins do not recommend it. Why? Too cost-inefficient 😀 But why think too hard about the costs? Just let management think about it, that is one of a manager's rules and duties hehehehehe … 😀

Based on this reason, we mixed it up.

Figure of what I configured:

[Figure: mikrotik_ipcop_network]

Now …

1. Go get the Mikrotik, free for 24 hours to test: click here
2. Get the IPCop: click here

After downloading the ISO, you can boot it up on your PCs or in your virtual machine. In this blog we use VirtualBox, go get it here.
Why VirtualBox? It can run multiple guest OSes including *nix, it runs with small memory consumption, and last but not least it runs very fast.

Mikrotik:
1. Ether1 is the LAN side
2. Ether2 is the WAN side, pointing to the IPCop GREEN IP

Now, this is the configuration for Mikrotik:

—- Mikrotik Configuration —-

# Interface addresses. The rest of the post works with /24 subnets (NAT rules, client netmask),
# so the netmask is 255.255.255.0 here; a /16 on both ports would make the two subnets overlap.
ip address add address=192.168.5.1 netmask=255.255.255.0 interface=ether1 comment="IP LAN"
ip address add address=192.168.3.1 netmask=255.255.255.0 interface=ether2 comment="IP Internet"
ip route add dst-address=0.0.0.0/0 gateway=192.168.3.2 scope=255 target-scope=10 comment="MT Gateway IPCop" disabled=no
ip dns set primary-dns=x.x.x.x secondary-dns=y.y.y.y allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

# dstnat rules match first-hit: the two rules for the IPCop GUI catch every port 80/445 packet before
# the transparent-proxy rules below get a chance, so give them a dst-address= match if you want both to work.
ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.2 to-ports=80 comment="IPCop"
ip firewall nat add chain=dstnat protocol=tcp dst-port=445 action=dst-nat to-addresses=192.168.3.2 to-ports=445 comment="Https IPCop"
# Redirect web traffic that does not come from the IPCop subnet to the proxy port on IPCop
ip firewall nat add chain=dstnat src-address=!192.168.3.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.2 to-ports=878
ip firewall nat add chain=dstnat src-address=!192.168.3.0/24 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.3.2 to-ports=878
ip firewall nat add chain=srcnat src-address=192.168.5.0/24 action=masquerade
ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

# Mangle: every mark-packet rule uses passthrough=no, so the order matters. Connections to IPCop itself
# (the redirected web traffic) are marked first; in the original this rule sat last and was never reached.
ip firewall mangle add chain=forward dst-address=192.168.3.2 action=mark-connection new-connection-mark=ipcop passthrough=yes
ip firewall mangle add chain=forward content="X-Cache: HIT" action=mark-connection new-connection-mark=squid_con passthrough=yes
ip firewall mangle add chain=forward connection-mark=squid_con action=mark-packet new-packet-mark=squid_pkt passthrough=no
# The "IPCop" queue below needs a packet mark; the original never created ipcop-pkt
ip firewall mangle add chain=forward connection-mark=ipcop action=mark-packet new-packet-mark=ipcop-pkt passthrough=no
ip firewall mangle add chain=forward connection-mark=!squid_con action=mark-connection new-connection-mark=all_con passthrough=yes
ip firewall mangle add chain=forward protocol=tcp src-port=80 connection-mark=all_con action=mark-packet new-packet-mark=http_pkt passthrough=no
ip firewall mangle add chain=forward protocol=icmp connection-mark=all_con action=mark-packet new-packet-mark=icmp_pkt passthrough=no
ip firewall mangle add chain=forward connection-mark=all_con action=mark-packet new-packet-mark=test_pkt passthrough=no

# Management access to the router itself, only from the given MAC address. These rules only accept;
# add your own drop rule at the end of the input chain if you want to close everything else.
ip firewall filter add chain=input dst-port=20,21,22,25,80,88,110,119,137-139,443,445 protocol=tcp src-mac=<mac-address> action=accept
ip firewall filter add chain=input dst-port=993,995,989,990,1723,8080,8291,3128 protocol=tcp src-mac=<mac-address> action=accept

# Queues: Main_Link is the total pipe, the proxied and ping traffic get their own queues
queue simple add name="IPCop" packet-marks=ipcop-pkt
queue simple add name="Squid_HIT" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=squid_pkt direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small
queue simple add name="Main_Link" dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=35000/256000 total-queue=default-small
queue simple add name="Ping_queue" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=icmp_pkt direction=both priority=2 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small
queue simple add name="Other_Port" target-addresses=192.168.3.0/24 dst-address=0.0.0.0/0 interface=all parent=Main_Link packet-marks=http_pkt direction=both priority=8 queue=default-small/default-small limit-at=5000/5000 max-limit=50000/256000 total-queue=default-small
queue simple add name="Another_Port" target-addresses=192.168.5.0/24 dst-address=0.0.0.0/0 interface=all parent=Main_Link packet-marks=test_pkt direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/256000 total-queue=default-small

—- Mikrotik Configuration Finish —-

You can replace src-mac=<mac-address> with src-address-list.
The scripts above are a mix of things I have read; the links … I forgot … sorry.
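A config dump like the one above is easy to mistype, and a wrong octet in a dst-nat rule or a queue that names a packet mark nobody sets fails silently. As an added example (not from the original post), this small Python linter checks a RouterOS dump for malformed IPv4 values and for simple queues whose packet mark no mangle rule creates; the sample dump is constructed and reproduces those slips.

```python
import ipaddress
import shlex

# Constructed sample in the style of the post's RouterOS dump; it deliberately carries a malformed
# to-addresses, a 3-octet prefix and a queue that names a packet mark no mangle rule ever sets.
SAMPLE_CONFIG = """\
ip firewall nat add chain=dstnat protocol=tcp dst-port=445 action=dst-nat to-addresses=192.1683.2 to-ports=445 comment="Https IPCop"
ip firewall nat add chain=dstnat src-address=!192.168.0/24 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.3.2 to-ports=878
ip firewall mangle add chain=forward connection-mark=squid_con action=mark-packet new-packet-mark=squid_pkt passthrough=no
queue simple add name="IPCop" packet-marks=ipcop-pkt
queue simple add name="Squid_HIT" packet-marks=squid_pkt
"""

# Parameters whose value must be an IPv4 address, prefix or a-b range.
ADDRESS_KEYS = {"address", "src-address", "dst-address", "to-addresses", "target-addresses", "gateway"}

def parse_command(line):
    """Split one RouterOS command into its path words and a {key: value} dict."""
    words = shlex.split(line)  # shlex also strips the quotes around name="IPCop"
    path = [w for w in words if "=" not in w]
    params = dict(w.split("=", 1) for w in words if "=" in w)
    return path, params

def address_error(value):
    """Return a message if value is not valid IPv4; a leading '!' and a-b ranges are allowed."""
    for part in value.lstrip("!").split("-"):
        try:
            ipaddress.IPv4Network(part, strict=False) if "/" in part else ipaddress.IPv4Address(part)
        except ValueError:
            return f"malformed IPv4 value {value!r}"
    return None

def lint(config):
    """Return [(line_no, message)] for malformed addresses and undefined packet marks."""
    problems, defined_marks, used_marks = [], set(), []
    for no, line in enumerate(config.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        path, params = parse_command(line)
        for key, value in params.items():
            if key in ADDRESS_KEYS and (err := address_error(value)):
                problems.append((no, f"{key}: {err}"))
        if params.get("action") == "mark-packet" and "new-packet-mark" in params:
            defined_marks.add(params["new-packet-mark"])
        if path[:2] == ["queue", "simple"] and "packet-marks" in params:
            used_marks.append((no, params["packet-marks"]))
    for no, mark in used_marks:
        if mark not in defined_marks:
            problems.append((no, f"queue uses packet mark {mark!r} that no mangle rule sets"))
    return problems
```

Run `lint()` over your own `/export` output (straight quotes, one command per line) before pasting it into the router; it reports the line number of each problem.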

Now, install the IPCop and configure it with the GREEN + RED network configuration.
The GREEN IP is your LAN side, the RED IP is your WAN side (connected to the internet / modem).
In this example, fill in the GREEN IP with 192.168.3.2 and the RED IP with 192.168.1.110.

Don't forget to set the Primary and Secondary DNS the same as the Mikrotik DNS settings we already mentioned above in the command ip dns set primary-dns=x.x.x.x secondary-dns=y.y.y.y

Then set the Gateway to the JunNet IP, in this example 192.168.1.200.

Go to the JunNet configuration and add these lines so the IPCop GREEN IP is allowed through the JunNet:

—- Juniper Netscreen Configuration —-

set address "Trust" "IPCop" 192.168.3.2 255.255.255.255
set policy id 16 from "Trust" to "Untrust" "IPCop" "Any" "MAIL" permit log
set policy id 17 from "Trust" to "Untrust" "IPCop" "Any" "HTTP" permit log
set policy id 18 from "Trust" to "Untrust" "IPCop" "Any" "HTTPS" permit log
set policy id 19 from "Trust" to "Untrust" "IPCop" "Any" "FTP" permit log
set policy id 20 from "Trust" to "Untrust" "IPCop" "Any" "DNS" permit log
set policy id 21 from "Trust" to "Untrust" "IPCop" "Any" "NTP" permit log
set policy id 22 from "Trust" to "Untrust" "IPCop" "Any" "ANY" drop log

—- Juniper Netscreen Configuration Finish —-

After that, clear the proxy option in the client browsers and set up the client computers with:

IP: 192.168.5.2 ~ 192.168.5.254 => same subnet as the Mikrotik
Netmask: 255.255.255.0
Gateway: 192.168.5.1 => Mikrotik ether1 / LAN connection
Primary DNS: 192.168.5.1
Secondary DNS: 192.168.3.2 / 192.168.1.200 => IPCop GREEN IP or JunNet IP

For other features like IPCop user authentication, URL filtering and more, go to http://www.advproxy.net/ for the general info.
Advanced Proxy download at: http://www.advproxy.net/download.html
URL Filter download at: http://www.urlfilter.net/download.html

… done.

Surf with it, filter with it and shape with it … with Mikrotik + IPCop + JunNet .. 😀

Oh ya … forgot something: change the IPs to suit your network, this blog is only an example.

See ya …

Cheers,
😎
Man’z
