Mikrotik and Wireless Interference – Deploying High Density WiFi with CAPsMAN

This post is brought to you by over 100 hours of blood, sweat, and maybe a few tears, in making an optimal Mikrotik-based high density wireless system. One of the hardest projects I’ve ever done, but wow it feels good to be at the end. It covers how to configure a wireless network using Mikrotik Access Points, and how to handle the wireless interference that comes with high-density deployments.

Overview

Controlled Access Point System Manager, what a mouthful. It can be your best friend in managing a very complex wireless network. When it’s set up correctly, you can just connect a WAP and it will automatically pull its settings based on its name, with multiple SSIDs going to separate networks (datapaths), able to cut through interference and give your clients a positive wireless experience.

When set up poorly, expect a world of pain to crash down on you: intermittent connectivity (which plagues all wireless systems with interference), devices that fail to provision automatically, and bogged-down WAPs.

The goal of this very long post is to set everything up correctly.

We will cover the following:

  1. Configuring CAPsMAN
    1. Dynamic Provisioning by Regular Expressions (RegExp)
    2. Datapaths
      1. Local Forwarding / Client to Client Forwarding
    3. Configurations
    4. Channels
    5. Security Cfg
    6. Access List
  2. Access Rates – The Answer to High Density interference
  3. Setting Mikrotik WAP to CAP mode by button presses

Configuring CAPsMAN

Make sure your device is updated to the newest BugFix or Current release: System > Packages > Check for Updates. Once done, you’ve got CAPsMAN v2.

  • For starters, turn on CAPsMAN:
    • CAPsMAN > Interfaces > CHECK: Enabled > OK

Dynamic Provisioning

  • Provisioning is the set of rules that assigns settings to a WAP. Basically, if the device asking for settings (a WAP/CAP) matches a rule, it is given that rule’s settings.
    • Example: If the AP is named “AP06”, it will be dynamically enabled (approved/adopted), and given the master config “Private WiFi” and the slave config “Guest WiFi”.
  • If you set your Radio MAC to the default of: 00:00:00:00:00:00, it will accept connections on any of the router’s interfaces.
    • Action: Create Dynamic Enabled, will accept any CAP device asking for a config.
  • Regular Expressions
    • For this purpose, Regexp is a rule that allows you to approve devices by name.
    • Example:
      • I have 15 APs, numbered: AP01-AP15
      • I want APs 01-08 to have config1, and APs 09-15 to have config2.
      • Regexp Example (Config1): AP0[1-8]
        • AP0 is static; this must match the first part of the identity.
        • [1-8] means the character after the 0 can vary, but must be within the range 1-8.
      • Regexp Example (Config2): AP09|AP1[0-5]
        • AP09 is static; this matches the AP with the exact identity “AP09”.
        • The pipe symbol ‘|’, above the Enter key, stands for “or”.
        • AP1 is static; the character after the 1 can be in the range 0-5, so this matches APs 10-15.
  • Master Configuration
    • You’ll need to define your configurations later, but a config is the “profile” of everything from SSID to password to channel to transmit power. You can stack configurations as slaves; the master defines the major settings though, like the channel used to broadcast and the transmit power.
  • Slave Configuration: The slaves are more for datapaths (where network traffic will be routed to) and different SSIDs/passwords. You could have one master config and, for example, 3 other SSIDs as slave configs.
    • It is recommended not to use more than 4 SSIDs per WAP, to reduce beacon time (each SSID’s beacons gobble up a good chunk of usable airtime).
  • Name Format
    • I recommend always using Identity. This will make it much easier to figure out which Radios belong to what device. You will need to edit the identity though of each AP, under System > Identity. (Add a password to each AP while you’re at it! System > Password).
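To check a provisioning rule set before trusting it with real APs, here is an added Python example (my own, not from the original post or from RouterOS) that applies the two regexps above to a list of identities. It assumes CAPsMAN evaluates rules top to bottom and uses search semantics (unanchored) for identity-regexp; it also shows why anchoring the pattern stops a mis-named AP from picking up the wrong config.

```python
import re

# Assumed model of CAPsMAN provisioning: rules are evaluated top to bottom and
# the first rule whose identity-regexp matches the CAP's identity wins. Search
# semantics (a match anywhere in the identity) are assumed, as in most regex
# engines, unless the pattern itself is anchored with ^ and $.
RULES = [
    {"identity_regexp": r"AP0[1-8]",      "master": "config1", "slaves": ("Guest WiFi",)},
    {"identity_regexp": r"AP09|AP1[0-5]", "master": "config2", "slaves": ("Guest WiFi",)},
]


def provision(identity, rules=RULES, anchored=False):
    """Return (master, slaves) for the first matching rule, or None if the
    CAP matches nothing (it then sits unprovisioned, waiting to be adopted)."""
    for rule in rules:
        pattern = rule["identity_regexp"]
        if anchored:
            # Wrap the whole alternation so ^ and $ apply to every branch.
            pattern = f"^(?:{pattern})$"
        if re.search(pattern, identity):
            return rule["master"], rule["slaves"]
    return None


def provisioning_table(identities, **kwargs):
    """Map each identity to the config it would receive."""
    return {ident: provision(ident, **kwargs) for ident in identities}


if __name__ == "__main__":
    fleet = [f"AP{n:02d}" for n in range(1, 16)]  # AP01 .. AP15
    for ident, result in provisioning_table(fleet).items():
        print(ident, "->", result[0] if result else "UNPROVISIONED")

    # Identities that are not in the plan: a spare AP and a mis-typed name.
    # Unanchored, "AP010" silently lands in config1 and "AP09-spare" in config2.
    for odd in ("AP09-spare", "AP010", "AP16"):
        print(odd, "unanchored:", provision(odd),
              "anchored:", provision(odd, anchored=True))
```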

Datapaths

In short, traffic connected to this SSID will go into this network/bridge. This feature of CAPsMAN was a life saver for a multi-subnet network, because some SSIDs had to be isolated from each other. Rather than having to VLAN every SSID to each WAP through switches to get to their respective networks, the Mikrotik Router/CCR simply pops the traffic into its respective bridge.

[Figure: subfloor-datapath]

Local forwarding means all of the traffic from the client goes directly to the master router for, well, routing.

Client-to-Client forwarding means clients connected to the same AP can talk directly to each other, no need to go all the way through the network just to talk to someone in the same room as you.

I recommend having Local Forwarding off: This means click on the arrow that unlocks the setting, and leave the box unchecked.

I recommend having Client to Client forwarding on: expand the setting, and check the box.

Configurations

A configuration is a profile containing other settings, like SSID, channel, and password (Security Cfg).

In your configuration, define your SSID. I also recommend setting a Max Station Count to keep your APs from getting overloaded. Use the “rule of 15”, that is, 15 clients per physical antenna max. You’ve got a 2×2 wireless access point? Great! After you have more than 30 clients connected, your WAP will be brought to its knees and all clients will be miserable with poor connectivity. Add up your antennas, and reduce by a few. For example, on a Mikrotik WAP, which is 2×2, I set my Max Station Count to 25.

  • HW Retries
    • In the event a wireless frame fails or is dropped, how many times the WAP will attempt to resend the frame before moving on. Default is 15, I recommend using 4 if you are in high-density.

Channels

Though you can define your frequencies explicitly, and it can help a lot with interference, it can be very challenging to manage. If you do decide to define your frequencies, only use channels 1, 6, and 11, as they offer full spatial separation from one another — less interference. If you don’t manually specify channels, the AP will do a frequency scan, look for the least-busy channel, and select that.

Always use 20MHz for 2.4GHz. This is the width of the channel a client can use to transmit; the larger the width, the higher the maximum speed can be. In reality, unless your clients need more than 54Mbps of traffic, there is no benefit to going 40MHz. You really start to see gains in the 5GHz spectrum, or in point-to-point links over large distances. 20MHz is an absolute must for high-density.

I recommend having a few different power levels, here is my go-to example:

  • 12dB-20MHz-nchannel
    • Frequency: Blank (automatic based on channel scan)
    • Width: 20MHz
    • Band: 2ghz-onlyn
      • By not allowing a or b clients you allow for much more efficient bandwidth utilization. If you need some older equipment connected, you may need to use 2ghz-g/n.
    • Extension Channel: Disabled
      • Extension Channel is 20MHz + another range. Mainly useful in very small offices or homes; it effectively bumps you up to 40MHz for higher speeds.
    • Tx Power: 12dB
      • Depends on your device, if you’ve got your own external antennas, don’t go too high or risk burning out the amplifiers.
  • 16dB-20MHz-n
    • Everything is the same except Tx Power is 16dB.
  • 18dB-20MHz-n
    • Everything is the same except Tx Power is 18dB.

More power does not mean better WiFi. Just as you amplify your signal, you also amplify noise. As power goes up, sensitivity goes down, and vice versa. You will have much better coverage and usable WiFi with more WAPs running at lower power, rather than just one super-powerful WAP.

If you have overlapping APs, less is more, counter-intuitive though it may seem. “Signal is bad and I’m dropping packets, boost the range, that will help!” — Wrong! Higher loads require more ability to get the signal through the noise. If you’ve got high density loads, lower power will give you FAR better results, at the expense of reduced range.

Security Config

The password and security type that will be assigned to a config. If there is no security config applied to a config, it will be an open network.

Recommended settings:

  • WPA2 PSK
  • Encryption: AES CCM
  • Group Encryption: AES CCM
  • Passphrase: YourPassword

One important note — Group Key Timeout, a critical setting for Apple devices like iPhones or MacBook Pros, can only be set via the Winbox terminal. I recommend using 1 hour as your minimum. This setting was added to CAPsMAN in 6.38.5.

Example terminal code:

/caps-man security set Security-Config group-key-update=1h

To confirm (get needs the property name, so read back the value explicitly):
:put [/caps-man security get [find name=Security-Config] group-key-update]

Access List

For “ghetto-roaming”. That is, non-zero-handoff. If you want seamless roaming, you’ll need to spend more than $40/Mikrotik WAP, and even Ubiquiti’s $200 WAPs are incredibly unreliable for zero-handoff. To get true seamless roaming you’re looking at $400/WAP minimum. However, if you are ok with a 0.5s-3s drop while switching from WAP to WAP, this has what you need:

Access List, at the top add an accept rule:

  • -88..120
    • Action: Accept
    • If your signal is between -88dB and +120dB, you are allowed to connect.
  • -120..-89
    • Action: Reject
    • If your signal drops below -89dB, you’re kicked from this AP, go find another AP to connect to that has a stronger signal.

Your usable signal depends on the equipment you are using. With Ubiquiti, expect signal to become unusable after -75dB. For Mikrotik, I tend to get unusable signal around -86dB. The reject rule goes into effect once the client signal drops below the defined strength for about 2 seconds.

From here, it’s entirely on the client to choose how aggressively (quickly) to roam to another AP. General results are between 1-3 seconds, but some very crappy old (<2004) equipment can take up to 8-10s to flip over to another available AP.

Access Rates — How to Handle Massive Interference

This is the big one, your very definition of handling high-density interference. By default, all access rates are approved, everything from 1Mbps to 54Mbps. This is the difference between standing 5 feet from the WAP, and being unable to connect or having 90% packet loss due to interference, and everything working flawlessly.

You could get a Ph.D. on access rates alone, but I’ll do my best to explain what is going on.

The issue is time: you only have so long to transmit a signal between your WAP and client devices. Let’s use some fake numbers; in reality it’s on the microsecond timescale, but let’s use a scale of 10 seconds.

Remember, there is only one “wire” — the air! So only one device can talk at a time.

  1. T+1s
    1. The beacon (announcement of the SSID) takes up 1 second.
  2. T+3s
    1. The WAP speaks, sending data to your laptop for 2 seconds, the laptop listens.
  3. T+5s
    1. The laptop responds for 2 seconds, the WAP listens.
  4. T+7s
    1. A cell-phone receives data from the WAP.
  5. T+9s
    1. The cell-phone responds with data to the WAP.
  6. T+10s
    1. The WAP announces the frame is over, we have 10 more seconds to talk.

What if we were able to let everyone speak faster? Then the laptop doesn’t require 2 full seconds to speak its sentence/frame (1Mbps), it only needs 0.1s (54Mbps). Because devices are talking more quickly, we can squeeze in more conversations — more devices, more load!

This is the essence behind access rates. The faster you can talk, the more load you can handle. The downside is you must have a good signal to speak quickly and have the WAP still understand you. If you’re 200 feet away with -85dB signal, you can’t talk as quickly, maybe 6Mbps, so you’re taking up more time. Load is reduced and interference goes up if there are a lot of people or cell-phones idling in pockets, transmitting at 1Mbps.

So how do we handle this? — Add more access points for the range issue, and require everyone who wants to speak/communicate to only speak quickly.

Enter: Basic and Supported Rates.

Basic means minimum. This is the minimum speed the WAP will speak with your device. If it’s your house, 1Mbps is fine. If it’s a stadium with 10,000 people, try 24Mbps or 36Mbps as the minimum. You only check a single box for basic. From there, how high do you want to go? I personally recommend for a high-density, high-interference environment, to use 36Mbps as your minimum, and 36, 48, and 54 as your supported rates.
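To put numbers on the “one wire” argument, here is an added Python example (my own, not from the original post) with a simplified 802.11b/g airtime model: it computes what one 1500-byte frame plus its ACK costs at each rate, and how many such frames fit in one 100 ms beacon interval. The fixed costs (DIFS, SIFS, preamble, ACK rate) are rounded textbook values, and contention backoff and retries are ignored, so treat the results as relative rather than absolute.

```python
# Simplified 802.11b/g airtime model (constants are rounded textbook values;
# no contention backoff, no retries). Mbps equals bits per microsecond, so
# nbytes * 8 / rate_mbps gives microseconds directly.
DSSS_RATES = (1, 2, 5.5, 11)                  # 802.11b PHY
OFDM_RATES = (6, 9, 12, 18, 24, 36, 48, 54)   # 802.11g PHY

PHY = {
    # DIFS, SIFS, PLCP preamble+header (us), and the rate the ACK is sent at.
    "dsss": {"difs": 50, "sifs": 10, "preamble": 192, "ack_rate": 1},
    "ofdm": {"difs": 34, "sifs": 16, "preamble": 20,  "ack_rate": 6},
}
ACK_BYTES = 14
BEACON_INTERVAL_US = 102_400   # 100 time units of 1024 us


def phy_for(rate_mbps):
    if rate_mbps in DSSS_RATES:
        return PHY["dsss"]
    if rate_mbps in OFDM_RATES:
        return PHY["ofdm"]
    raise ValueError(f"not an 802.11b/g rate: {rate_mbps}")


def tx_time_us(nbytes, rate_mbps):
    return nbytes * 8 / rate_mbps


def frame_airtime_us(nbytes, rate_mbps):
    """Channel time for one data frame plus the ACK the receiver sends back."""
    p = phy_for(rate_mbps)
    data = p["difs"] + p["preamble"] + tx_time_us(nbytes, rate_mbps)
    ack = p["sifs"] + p["preamble"] + tx_time_us(ACK_BYTES, p["ack_rate"])
    return data + ack


def beacon_airtime_us(beacon_bytes, basic_rate):
    """Beacons go out at the lowest basic rate, so they are the first thing
    that shrinks when you raise it."""
    p = phy_for(basic_rate)
    return p["difs"] + p["preamble"] + tx_time_us(beacon_bytes, basic_rate)


def frames_per_interval(nbytes, rate_mbps, basic_rate=None, beacon_bytes=100):
    """How many nbytes-byte frames fit in one beacon interval when every
    station talks at rate_mbps. basic_rate defaults to the data rate."""
    basic_rate = basic_rate or rate_mbps
    free = BEACON_INTERVAL_US - beacon_airtime_us(beacon_bytes, basic_rate)
    return int(free // frame_airtime_us(nbytes, rate_mbps))


def airtime_ratio(slow_rate, fast_rate, nbytes=1500):
    """How many fast-rate frames one slow-rate frame displaces."""
    return frame_airtime_us(nbytes, slow_rate) / frame_airtime_us(nbytes, fast_rate)


if __name__ == "__main__":
    print(f"{'rate':>5} {'us/frame':>9} {'frames/100ms':>13}")
    for rate in (1, 6, 24, 36, 54):
        print(f"{rate:>5} {frame_airtime_us(1500, rate):>9.0f} "
              f"{frames_per_interval(1500, rate):>13}")
    print(f"one 1 Mbps frame costs the same airtime as "
          f"{airtime_ratio(1, 54):.1f} frames at 54 Mbps")
```

A single 1 Mbps client therefore eats the airtime of roughly 38 clients at 54 Mbps, which is why the basic rate, not the top rate, decides how many stations an AP can carry.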

MCS Rates: an MCS index groups several 802.11n rates under a single number. I recommend turning these off if you can, even though some wireless standards require them. To disable them on a Mikrotik, drop down the arrow, expanding the field to show all of the boxes — just don’t check or enable any boxes… now they are disabled.

VHT MCS: same as above, but it’s for 5GHz rather than 2GHz. Picture shown for my ideal settings for 2.4GHz only.

Many cell-phones idle at 1Mbps to stay connected to their WAP without using much power. However, we don’t want 20 cell phones in pockets, not transmitting, to take up active slots on our WAPs. If your phone tries idling for low power, it gets kicked off because its access rate is low. The moment you wake up the phone, you’ll reconnect at the full-power rates and be able to browse the internet.

Mikrotik – Enter CAP Mode

You need to upgrade your packages in order for an AP in CAP mode to be adopted by a CAPsMAN controller. If under “System > Packages”, everything shows 2015, you’re on CAPsMAN v1, your device will not be adoptable by a CAPsMAN v2 controller. Manually update the packages on the Mikrotik AP, the next time it reboots, it will provision according to your CAPsMAN provisioning rules.

This is a step that was surprisingly difficult to learn; it is hard to find any clear notes on it. Though there is a “Quick Set: CAP” option, it never seems to work for me no matter how many devices I try. The best method I’ve found to put a WAP into CAP mode — ready to be adopted by a CAPsMAN controller — is a specific sequence of holding the reset button at boot.

For the WAP:

  1. Unplug power/PoE.
  2. While holding down the reset button, connect power/PoE.
  3. All 4 lights will turn on (booting).
  4. The middle two lights will begin blinking
  5. The CAP light will turn on
    1. LET GO OF RESET!
  6. The middle two lights will flash very quickly for 1 second, and the WAP will reboot, now as DHCP Client (rather than a DHCP Server) and CAP mode enabled, ready to be adopted.

You will know if you are in CAP mode upon logging into an AP, it takes a good 30 full seconds to come back up after going into CAP mode. After it’s been reset, it will either say “ap-bridge” mode — the default for a router, or “cap mode”, ready for being adopted. Now give it a name through System > Identity, such as AP05 or CompanyAP12, whatever naming format you want. Set a password. The CAP should be auto-adopted by your CAPsMAN Controller and pull SSIDs and other settings.

That’s it for now, have fun and good luck!

Mikrotik – Cloud Router Switch – Switch Chip VLANs

Mikrotik – CRS – Switch Chip VLANs

Well, this all came in last week — 8x Cloud Router Switches (CRS125-24G-1S), 33x WAPs, 4x BaseBox 2s, and a 12 Port Fiber Switch (CRS212-1G-10S-1S+), enough gear to hook together a minor-league baseball stadium, fun stuff!

What did I get myself into with this much gear? This post is regarding how to use the CRS Switch Chip. The CRS series operates very differently than the standard RouterOS feature set. The CPU is very weak in these devices — any heavy lifting should be handled internally by the switch chip. Think of it as a separate processor specialized for passing traffic contained entirely within the switch chip — it can understand VLANs, protocols, and the data passing through without burdening the CPU, but is not intended for functions like firewall rules or Layer 3 (IP) routing.

If you are using a CRS, the Switch menu has six additional submenus under it, not visible under a standard RouterOS Router.

  1. ACL – Access Control List — Allow/Deny rules based on MAC Addresses
  2. FDB – Forwarding Database — Cache / Remembered MAC addresses for which ports — E.g. your laptop is connected on ETH23, your desktop on ETH5.
  3. Ports – Physical Ports – A lot of settings here; the most important is how the ethernet interfaces are linked together.
  4. QoS – Quality of Service – Priority of Traffic under load (VOIP is more important than bulk data)
  5. Settings – Definitions for the switch to use, pretty advanced
  6. VLAN – Virtual Local Area Network — The rules affecting traffic as they pass through the switch, for separating traffic through the use of trunk ports.

We are going to focus on #6, as that is the submenu I find most useful, and have spent too much time working on 😉

Trunk vs Access

Let’s start with a simple picture of a trunk port, vs access ports.

Trunk: A “master” wire, that carries the data of multiple VLANs to another destination to be split up — on the other side is another smart/managed switch or a router able to understand VLANs.

Access: A “standard” wire, that carries data to/from devices like computers or printers.

In this very simple example — not including a router to transfer traffic between VLANs or to the internet — computers on VLAN100 can only talk to other computers in VLAN100, computers in VLAN300 to other machines in VLAN300, and they all share a single trunk fiber (SFP) carrying the data of all three VLANs.

VLAN Tagging

A VLAN Tag is an ID number assigned to data as it travels through an interface. The tags are used to define where the traffic ends up — what network it belongs to. Most commonly, traffic comes in as untagged access traffic (VLAN 0); the switch then “tags” the traffic with a VLAN ID (e.g. VLAN100) as it passes through a specific port. Now that the traffic has a tag, it will be directed somewhere depending on what rules the Switch Chip or Router follow.

Ingress (Inbound) and Egress (Outbound)

Ingress simply means traffic going into the switch, and Egress means traffic leaving the switch. The reason these terms are used instead of inbound or outbound, is Egress/Ingress contains ALL of the data passing through, not just the data that matters, but headers, VLAN tags, MAC addresses, every single 1 and 0 related to the traffic going through. Inbound/Outbound are often related to traffic going into/leaving your site via the internet. Ingress/Egress can be for example, leaving (egress) the master router to be received (ingress) by a switch, which then sends data (egress) to your desktop (ingress).

Configuring VLANs via the Switch Chip

There are three things that matter to get a VLAN working on a Mikrotik Cloud Router Switch.

  • The VLAN Table – What VLANs are allowed to communicate on which ports. It’s a rule-list for which VLANs can talk on which physical plugs.
    • The ports allowed to “Speak” VLAN800 are ETH1, ETH8-20, and SFP1.
    • The ports allowed to “Speak” VLAN900 are ETH1, ETH8, ETH21-24, SFP1.
  • Ingress VLAN Translation – If it comes in (Access) with VLAN X, tag it with VLAN Y.
    • Ingress VLAN Translation, traffic on ports ETH21-24 coming in with a Customer VLAN ID of 0 (Access), will be tagged with Customer VLAN ID 900. Ports ETH9-20 coming in as VLAN0 (access) will be tagged with VLAN800.
  • Egress VLAN Tagging – If it goes out this physical plug (Trunk), add on this VLAN tag.
    • I am using ports ETH1 and SFP1 – either can be used as the trunk port.

That’s all that is needed for the switch chip to assign VLANs. If it comes in on an access (ingress) port, add on a VLAN ID tag, then send out the tag through the trunk (egress). It then depends on the receiving switch/router to understand the traffic it is getting.

If I plugged my laptop into ETH21, I would be on VLAN900. If I plugged my laptop into ETH9, I would be on VLAN800.
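To make the three tables concrete, here is an added Python model (my own, not from the original post or from RouterOS) of how the switch chip handles a frame: ingress translation picks a VID, the VLAN table decides which ports may carry it, and the egress-tag table decides whether it leaves tagged (trunk) or untagged (access). The port sets are the ones listed above; dropping a frame whose ingress port is not a member of its VLAN is an assumption.

```python
def port_range(prefix, first, last):
    return [f"{prefix}{i}" for i in range(first, last + 1)]


# VLAN table: which ports may carry each VLAN ID (port sets from the post).
VLAN_TABLE = {
    800: {"ether1", "sfp1", *port_range("ether", 8, 20)},
    900: {"ether1", "sfp1", "ether8", *port_range("ether", 21, 24)},
}

# Ingress VLAN translation: (port, customer VID seen on the wire) -> new VID.
# VID 0 is untagged access traffic.
INGRESS_TRANSLATION = {(p, 0): 800 for p in port_range("ether", 9, 20)}
INGRESS_TRANSLATION.update({(p, 0): 900 for p in port_range("ether", 21, 24)})

# Egress VLAN tag: ports that send the VLAN out with its 802.1Q tag (trunks).
EGRESS_TAGGED = {800: {"ether1", "sfp1"}, 900: {"ether1", "sfp1"}}

UNTAGGED = 0


def switch_frame(in_port, wire_vid=UNTAGGED):
    """Return (effective_vid, {egress_port: vid_on_wire}).

    vid_on_wire of 0 means the frame leaves untagged. An empty egress map with
    a non-zero VID means the chip dropped the frame (assumed behaviour when the
    ingress port is not a member of that VLAN); an empty map with VID 0 means
    plain access switching that the VLAN tables do not restrict."""
    vid = INGRESS_TRANSLATION.get((in_port, wire_vid), wire_vid)
    if vid == UNTAGGED:
        return vid, {}
    members = VLAN_TABLE.get(vid, set())
    if in_port not in members:
        return vid, {}
    egress = {}
    for port in sorted(members - {in_port}):
        egress[port] = vid if port in EGRESS_TAGGED.get(vid, set()) else UNTAGGED
    return vid, egress


def describe(in_port, wire_vid=UNTAGGED):
    vid, egress = switch_frame(in_port, wire_vid)
    if vid == UNTAGGED:
        return f"{in_port}: plain access traffic, not VLAN-restricted"
    if not egress:
        return f"{in_port}: VID {vid} dropped (port is not a member)"
    tagged = [p for p, v in egress.items() if v]
    untagged = [p for p, v in egress.items() if not v]
    return f"{in_port}: VID {vid} -> tagged on {tagged}, untagged on {untagged}"


if __name__ == "__main__":
    print(describe("ether21"))        # laptop on an access port -> VLAN900
    print(describe("ether9"))         # laptop on an access port -> VLAN800
    print(describe("sfp1", 800))      # VLAN800 arriving tagged on the trunk
    print(describe("ether5"))         # ETH2-7 carry no VLAN tag
    print(describe("ether21", 800))   # tagged VLAN800 frame on a VLAN900 port
    print(describe("sfp1", 700))      # a VID the switch was never told about
```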

In this “in-production scenario”, the traffic was going out SFP1 and into SFP2 of a Fiber Switch, which then passed traffic via its one ethernet port (ETH1) to the Router’s ETH3.

Getting the traffic to flow between ports is quite straight-forward. Interfaces > VLAN > Add > ID# – apply to each physical interface.

For example, if I want Fibers SFP2, SFP3, and ETH1 to all communicate on the VLAN800 network, I just make a VLAN tag and apply to each physical interface. Each physical interface with that tag on it will be “on that VLAN ID’s network”, able to talk with each other.

In addition, you can still have standard access traffic — for example, the Cloud Router Switch, if it has an IP on it, will still speak “access, VLAN0” on its primary port. This can be helpful for standard switching, or for managing your switches from a central point. You can stick an IP address onto your trunk (access), in addition to having VLANs assigned under that trunk. Powerful stuff. In my example, ports ETH2-ETH7 are not given a VLAN tag — those are standard access ports, and they will communicate over SFP1 with everything else. In this example, if I was connected to ETH5, I would be on standard access traffic. Since SFP1 and ETH are in the switching interfaces, I’m just another part of the network, no VLANs involved.

By default, your VLANs are isolated, but the Master Router (which knows everything that is inside the network), may let traffic be visible between them. To stop this, simply use firewall rules on your master router, and block by inbound/outbound bridges, interfaces/VLANS, or IP ranges — depending on what setup you are using.

Hoping that was helpful, good luck, and have fun!

Office 365 Powershell – Configure Permissions

Microsoft’s Office 365 is basically Exchange 2016 through a web-page. A lot of the buttons you used to have are now hidden, and can only be accessed through Powershell.

This post contains raw Powershell code to connect in to your Office 365 instance, and change user permissions over individual parts of mailboxes — either the entire thing, or just a calendar, contacts, or email.

#Define the Office 365 Admin Account credentials. Use an Office 365 admin account (user@onmicrosoft.domain.com/password)
$LiveCred = Get-Credential

#Define the Office 365 Powershell server you are connecting to and which credentials to use
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

#Connect / Dial-In to Office 365 Powershell
Import-PSSession $Session



#Ways to check permissions. If you want to assign, just switch out the "Get" at the start to "Add" for new permissions, or "Set" for changing existing permissions.
#For Calendar
Get-MailboxFolderPermission -Identity user1@domain.com:\calendar
#For Mail
Get-MailboxFolderPermission -identity user1@domain.com:\inbox
#For contacts
Get-MailboxFolderPermission -identity user1@domain.com:\contacts
#For the entire account
Get-MailboxFolderPermission -identity user1@domain.com

#If the user is not yet added
Add-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userABC@domain.com -AccessRights Owner

#If the user needs full control
Set-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userA@domain.com -AccessRights Owner
Set-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userB@domain.com -AccessRights Owner
Set-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userC@domain.com -AccessRights Owner
Set-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userD@domain.com -AccessRights Owner
Set-MailboxFolderPermission -Identity user123@domain.com:\calendar -user userE@domain.com -AccessRights Owner

#AccessRights Types
Owner (Full Permissions)
Delegate (Owner, but cannot see private)
PublishingEditor (Read/Write/Modify/New)
Editor (Read/Write/Modify)
Reviewer (Read Only)
Contributor (Write Only)

#Reference
https://technet.microsoft.com/en-us/library/dd298062(v=exchg.160).aspx

Mikrotik Security Script

Mikrotik Security Script – Protecting a Mikrotik Internet Facing Router

There are a lot of Mikrotik security scripts out there, showing off bells and whistles of how to block extremely specific attacks. Many of these are additional layers of security, the more layers, the safer you can be, at the expense of CPU power.

I needed a security script to protect a small business. The only publicly facing internet services are TCP443 for an internally hosted web-site, and TCP25 with a restricted access rule (whitelist only). The design philosophy is to minimize the number of IP filters. For example, instead of having separate block rules for TCP22, UDP53, TCP3389, TCP5900, etc, load them into a single rule blocking via address list. Invalid traffic used by port-scanners and DDoS’ers will be tarpitted.

Goals

  1. Provide a high level of protection without going over-kill on firewall rules (CPU load).
  2. Redirect client requested DNS queries (UDP 53 to 8.8.8.8 for example) to be forced to use a DNS server of my choosing, in this case, OpenDNS.
  3. Block as much torrent-related activity as we can. Combination of OpenDNS, and interrupting DNS lookups with Layer7 Protocol packet marking.
  4. Block WAN DNS lookups, and block and log LAN based SMTP mailbots and port scanning (NETBIOS).

Hoping this script can be of use to you.

#Disable Unnecessary Services (Winbox only)
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

#Disable unused packages
/system package disable hotspot
/system package disable mpls

####WAN Rules####
#Don’t let Winbox access (TCP8291) be broadcast to neighbors via WAN
/ip neighbor discovery
set ether1 discover=no

#Blacklist Common Port Lookups for 3 days
/ip firewall filter
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect Port Scanners" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList

#Blacklist NMAP Stealth Port Scanners for 3 days (can be abused for DDoS as well)
/ip firewall filter
add action=drop chain=input comment="Drop port scanners" src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add Port scanners to blacklist" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add NMAP FIN Stealth scan to list" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add SYN/FIN scan to list" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add SYN/RST scan to list" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add FIN/PSH/URG scan to list" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add ALL/ALL scan to list" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add NMAP NULL scan to list" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

#Port Knocking Entry
add action=add-src-to-address-list address-list=AccessRouter1 address-list-timeout=10s chain=input comment="Port Knock for Router Access" dst-port=10000 protocol=tcp
add action=add-src-to-address-list address-list=AccessRouter2 address-list-timeout=10s chain=input dst-port=20000 protocol=udp src-address-list=AccessRouter1
add action=add-src-to-address-list address-list=AccessRouter3 address-list-timeout=1h chain=input dst-port=30000 protocol=udp src-address-list=AccessRouter2
add action=add-src-to-address-list address-list=AccessRouter4 address-list-timeout=1h chain=input dst-port=40000 protocol=tcp src-address-list=AccessRouter3
add chain=input comment="Allow in Winbox" dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=AccessRouter4

#Allow through good traffic (started from LAN)
add chain=forward comment="allow established/related connections through the router" connection-state=established,related

#Block DDoS Attacks
/ip firewall filter
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=DOSattacker
add action=add-src-to-address-list address-list=DOSattacker address-list-timeout=1d chain=input comment="Detect DoS attack" in-interface=ether1 connection-limit=20,32 log=yes protocol=tcp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp

#Drop Unsolicited Traffic from WAN
/ip firewall filter
add action=drop chain=input comment="Drop Unsolicited WAN Traffic" connection-state=invalid,related,new in-interface=ether1

####LAN Rules####
#Redirect clients in a specific interface-list (guest bridges) to our DNS Servers (OpenDNS), and prevent from using their own DNS Servers (Google, Comcast, etc) to bypass filtering
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=list-guests protocol=udp to-addresses=208.67.222.222 

#Block Torrenting DNS Lookups
/ip firewall layer7-protocol
add comment="P2P DNS Blocking" name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits|rarbg|torlock|kat|1337x).*\$"
/ip firewall mangle
add action=mark-packet chain=postrouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no
/ip firewall filter
add action=drop chain=forward comment="Block P2P_dns Packets" disabled=no layer7-protocol=p2p_dns

#Block basic Torrenting Traffic
/ip firewall filter
add action=drop chain=forward comment="Block General P2P Connections" disabled=no p2p=all-p2p
add action=drop chain=forward comment="TORRENT No 1: Drop classic torrents" disabled=no p2p=all-p2p
add action=drop chain=forward comment="TORRENT No 2: Drop outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment="TORRENT No 3: Drop outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80,443 protocol=tcp

#Enable NAT for Web Translation (Should not have ETH1 and ETH2 bridged, use NAT to get your LAN to the WAN connection)
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

#Detect Compromised Hosts (SMTP Outbound and NetBIOS Outbound)
#These are filter rules, so switch back from the nat menu above before adding them
/ip firewall filter
add action=drop chain=forward comment="Log and Drop potential compromised internal hosts" log=yes log-prefix=SMTP-25-VIOLATION out-interface=ether1 port=25 protocol=tcp
add action=drop chain=forward comment="Log and Drop Netbios/SMB outbound" dst-port=139 log=yes log-prefix=NETBIOS-139-VIOLATION out-interface=ether1 protocol=tcp
add action=drop chain=forward comment="Log and Drop SMB outbound" dst-port=445 log=yes log-prefix=NETBIOS-445-VIOLATION out-interface=ether1 protocol=tcp

Mikrotik Queues, Bandwidth Throttling, and Bursting

Bandwidth Throttling, a system you would think would be easier to pull off. Hoping you find this article helpful.

I’m installing a CCR-1036-12G-4S for a minor league baseball stadium, and am expecting about 600-800 devices to be connected during a game. The stadium has a symmetrical (up/down) gigabit fiber line, and I have to ration bandwidth properly between them. This means bridges to isolate devices from seeing where they shouldn’t, bandwidth pools / cap-limits, and per-device throttling. Fun stuff!

I spent about 4 hours practicing to get Queue Trees and Packet Marking working, much to my frustration. I eventually found they are intended for ISPs to deliver bandwidth to client sites, as in, building internet connections, not individual devices.

I found the tool I needed in Simple Queues, applied to an interface with a PCQ (Per Connection [device] queue), and using Queue Types as my rate limiters.

Oh boy, what a fun router, 16Gbps of raw traffic, 4x SFP ports, 12x GigE ports, a fun little interactive touchscreen, and a 36-core CPU to number crunch it all, all for under $1k, wowzers, eat that Cisco/Sonicwall/Palo Alto Networks, hah!

Part 1 – The Bridges

Bridges are used to connect one interface to another. An interface could be an ethernet port, fiber-port, antenna, heck, even a VLAN. Just as a switch connects together ethernet cables in the physical world, so a bridge connects different interfaces in the digital world. We are using bridges to manage the traffic across multiple parts of the stadium. Whether a guest is on the ground-floor Wireless Access Points, or on the third-floor, they should be sharing the same total pool of bandwidth. However, within this pool, each device should only be allowed so much of it.

Let’s pretend we have two bridges, and they should not be able to talk to each other.

  • bridge-stadium
    • Ports ETH2-4
      • ETH2 = Staff
      • ETH3 = Broadcasters
      • ETH4 = Ticket Scanners
  • bridge-guest
    • Ports ETH10-12
      • ETH10 = First Floor
      • ETH11 = Second Floor
      • ETH12 = Third Floor

Part 2 – The Simple Queues

We will make one queue for each bridge.

Note – The terms upload and download are from the perspective of the router — not the client device! For example, if you want your client to only download at 20Mbps, the router must upload 20Mbps to your client. The terms are reversed in queue menus!

  •  queue-stadium
    • 100 devices.
    • 300M Download / 100M Upload Bandwidth Pool  (Called the Max Limit of the Target Interface/Bridge on the General Tab)
      • 20M Max Limit – Download / 10M Upload per client
        • 40M Burst Limit – Download / 20M Upload per client
  • queue-guest
    • 500 devices.
    • 500M Download / 400M Upload Bandwidth Pool (Called the Max Limit of the Target Interface/Bridge on the General Tab)
      • 10M Max Limit – Download / 5M Upload per client
        • 20M Burst Limit – Download / 10M Upload per client

[Image: Mikrotik Simple Queues, as programmed in Winbox]

Part 3 – Queue Types

The Queue Types are your definitions of speed limits. They are applied on a per-client basis.

Terminology

  • Rate = Speed in bit/s (the one you really want)
  • Limit = Packet limit in KiB (don’t touch unless you know what you are doing).
  • Total Limit = Packet buffer limit in KiB (don’t touch unless you know what you are doing).
  • Burst Threshold = The speed limit which, once the client’s average rate passes it, counts as the start of their burst timer.
    • Note that a burst time of 30s does not mean the client will download at burst speed for 30s of real time.
    • It means the burst calculation is averaged across a 30s window.
    • For example, a 30s burst time may yield 10-12s of real-time high speed. The router averages the rate that client has used over the last 30s and lets them burst until that average is used up, then back to the max-limit they go. Just search “mikrotik burst spreadsheet” to find a graphical way of understanding it.
  • Max Limit = After burst is used up, the maximum speed the client is allowed to go.
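The averaging rule described above, as an added example that is not part of the original post: a small Python simulation of RouterOS bursting, checked against the MikroTik wiki’s textbook 256k/512k/192k/8s case and against this post’s stadium download queue type (20M max limit, 40M burst limit, 30s burst time). The post never states a burst threshold, so the 15M used for the stadium case is an assumed value.

```python
"""Simulate RouterOS queue bursting to see how much real-time burst a burst-time
setting actually yields (added example, not part of the original post)."""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLES_PER_BURST_TIME = 16  # RouterOS re-evaluates the average 16 times per burst-time


@dataclass
class BurstQueue:
    """One direction of a queue type, in bits/s and seconds."""
    max_limit: float        # speed allowed once the burst is used up
    burst_limit: float      # speed allowed while bursting
    burst_threshold: float  # average rate at which bursting is switched off
    burst_time: float       # length of the window the router averages over

    def simulate(self, demand: float, seconds: float) -> Tuple[List[Tuple[float, float]], float]:
        """Run a client that wants `demand` bits/s continuously for `seconds`.

        Returns (samples, burst_seconds): samples is a list of (time, rate) pairs,
        burst_seconds is how long the client actually ran above max_limit.
        """
        step = self.burst_time / SAMPLES_PER_BURST_TIME
        window = [0.0] * SAMPLES_PER_BURST_TIME  # client was idle before the test
        samples: List[Tuple[float, float]] = []
        burst_seconds = 0.0
        for i in range(round(seconds / step)):
            average = sum(window) / SAMPLES_PER_BURST_TIME
            # Bursting is allowed only while the average rate over the last
            # burst-time is still below burst-threshold.
            allowed = self.burst_limit if average < self.burst_threshold else self.max_limit
            rate = min(demand, allowed)
            if rate > self.max_limit:
                burst_seconds += step
            window.pop(0)
            window.append(rate)
            samples.append((i * step, rate))
        return samples, burst_seconds

    def burst_seconds_estimate(self) -> float:
        """Closed form of the same rule: burst_time * threshold / burst_limit.
        The simulation rounds this up to the next sampling step."""
        return self.burst_time * self.burst_threshold / self.burst_limit


# The MikroTik wiki's textbook example: 256k max, 512k burst, 192k threshold, 8s.
WIKI_EXAMPLE = BurstQueue(256_000, 512_000, 192_000, 8)

# The stadium download queue type from this post (20M max, 40M burst, 30s burst
# time). The post gives no threshold; 15M is an assumed value for illustration.
STADIUM_DOWNLOAD = BurstQueue(20_000_000, 40_000_000, 15_000_000, 30)


def mbit(rate: float) -> str:
    return f"{rate / 1e6:.2f} Mbit/s"


if __name__ == "__main__":
    for name, q in (("wiki", WIKI_EXAMPLE), ("stadium", STADIUM_DOWNLOAD)):
        samples, burst = q.simulate(demand=10 * q.burst_limit, seconds=2 * q.burst_time)
        print(f"{name}: bursting lasted {burst:.2f}s of real time "
              f"(estimate {q.burst_seconds_estimate():.2f}s), then settled at {mbit(samples[-1][1])}")
```

With the assumed 15M threshold the stadium client bursts for 11.25s of a 30s burst time, which is the 10-12s the post describes.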

For our scenario, we will need four queue type definitions:

  • Stadium
    • 20M-40B-Download (Called the rate in bits/s)
      • 20Mbps max limit, 40Mbps burst limit, for stadium client download/receive traffic.
    • 10M-20B-Upload (Called the rate in bits/s)
      • 10Mbps max limit, 20Mbps burst limit, for stadium client upload/send traffic.
  • Guest
    • 10M-20B-Download (Called the rate in bits/s)
      • 10Mbps max limit, 20Mbps burst limit, for guest client download/receive traffic.
    • 5M-10B-Upload (Called the rate in bits/s)
      • 5Mbps max limit, 10Mbps burst limit, for guest client upload/send traffic.

Below is an image of the Queue Types listed above, as programmed in Winbox.

Note – You MUST use the classifiers if you want per-device bandwidth throttling. If you leave the classifiers blank, then these limiters are spread equally across all devices, making them effectively the same as the bandwidth pool, which you really don’t want.

Note 2 – Fasttrack can bypass your throttling queues, depending on where it is located in your firewall rules (the nearer the top, the more likely your queues will be skipped). For testing purposes, to better understand this process, disable your fasttrack firewall rule.

Classifiers

Remember, these definitions are from the perspective of the router. (In parentheses is the client’s perspective, the wording everyone else uses.)

  • Source Address (Client Download/Receive)
  • Destination Address (Client Upload/Send)

[Image: Mikrotik Queue Types, as programmed in Winbox]

Part 4 – Assign the Queue Types to the Simple Queues

In the advanced tab of your simple queue, change the Queue Types.

Remember, the definitions are reversed: the Router’s Target is your client device, so Target Upload = Client Download and Target Download = Client Upload. Leave the “Limit At” fields at unlimited, unless you know what you are doing.

Another benefit of the Advanced tab is the “Priority” field, also known by the rest of the world as QoS — Quality of Service. It is a scale of 1-8, where 1 is the highest/most-important priority and 8 is the lowest/least-important priority.

Generally VOIP traffic would be a 1, and bulk file-sharing/downloading would be priority 8 (last).

[Image: Mikrotik Simple Queue, Advanced tab]

Part 5 – Testing

Gee Dan, this guide was very concise, now time to test if it really works!

Enter: iPerf3.

iPerf is a tool that gives you the no-bs, second-to-second speeds you are running at. You could also use speedof.me or speedtest.net to get “average” speeds or to throw load on the connection; the downside is they average out their numbers across the whole test.

I recommend for your testing, to have your OWN iPerf3 server, rather than using an internet-based server. An iPerf3 server will only allow one client to connect at a time. Pretty crazy right? A publicly available internet testing service that only one person can test at a time….. not to mention the bandwidth caps, they won’t let you saturate their entire 10Gbit line, sorry :-(.

To test that the pool limit evenly splits speed across devices, I’ve had the best experience running iPerf to my own server on the WAN side of the router, and at the same time, an internet-based server for my second client to test. You could also just use two PCs on the WAN for two personal iPerf servers you can max out.

iperf3.exe options used below: -f (format: m = megabits, M = megabytes), -p (port, 5201 TCP), -c (client mode, connect to this host), -t (test length in seconds), -R (reverse: the server sends and the client receives, i.e. a client download; without -R the client sends).

  • Download from an internet server for 15 seconds (Max speed of 25Mbps receive, bummer).
    • iperf3.exe -f m -p 5201 -c iperf.he.net -t 15 -R
  • Send to an internet server for 15 seconds (no -R, so the client sends)
    • iperf3.exe -f m -p 5201 -c iperf.scottlinux.com -t 15
  • Download from a local server on your WAN for 120 seconds (to test full gigabit speed)
    • iperf3.exe -f m -p 5201 -c 10.10.200.123 -t 120 -R

I recommend practicing with Max Limits in your queue-types first, before moving on to setting Burst Limits.

Play with it, spend a few hours fiddling with the settings until you understand it.

That’s all folks, let me know if this guide was helpful, and have a brilliant week 🙂

Mikrotik WAP AC Quick Setup Guide & Guest Network Scripts


Oh boy, look what just arrived in the mail, a brand new Mikrotik WAP AC, also known as the “RBwAPG-5HacT2HnD”!

I’ve had a blast configuring this awesome little wireless access point. Unlike exporting/importing a configuration, which can cause major issues when imported to new hardware, this script is designed to be run on ANY factory-defaulted WAP AC. Just import the .RSC file (instructions below).

This post will provide three quick-setup scripts for the purpose of rapidly deploying multiple WAPs.

  1. Configure a 2.4GHz Wireless Access Point, connected to your private LAN
  2. Configure a 2.4GHz and 5GHz Wireless Access Point, connected to your private LAN.
  3. Configure a 2.4GHz and 5GHz Wireless Access Point connected to your private LAN, and add an isolated Guest Network, unable to access your internal LAN — Internet Only.
    1. This was a real conundrum: the majority of isolation guides require a VLAN or bridging the wireless antennas to a separate physical port. I achieved the same goal by putting guest clients in their own subnet, and using firewall rules to block traffic between the two subnets. NAT Masquerade rules get both networks internet access through the primary gateway.

Overview

Incredible price, awesome range, ultra-reliable, with 2x 2.4GHz and 3x 5GHz antennas, what’s not to love?

Your average home ISP Router/WAP can only handle 5-10 clients before performance becomes terrible. A Ubiquiti UAP-Pro caps out around 25-30 clients. For the WAP AC, expect a maximum real-world healthy load of 30 clients on 2.4GHz and up to 40 clients on 5GHz per WAP. This is based on the short-and-sweet rule of 15 clients per antenna.

The interface names are… different on the WAP AC than the WAP. For example, on the WAP: ether1-gateway, is now just ether1 on the WAP AC.

If you want to see what your current settings are, use the New Terminal > “export” command.

Update your packages first! System > Packages > Check For Updates > Release Candidate > Update and Install

Customize the scripts below to your liking. You can use these scripts as-is, just change the SSIDs, Passwords, etc in the variables section to meet your needs, and import.

I had to add a “hack” to the start and end of each command line to let the script continue running if there are errors, like a setting already being defined. For example, a common error would be “bridge with that name already exists, stopping.”

If you ever get stuck, you can always reset the WAP by holding the Reset Button when connecting power/POE (it only checks at boot), and waiting for the 2GHz and 5GHz lights to blink once, then let go of reset.

Script 1 – 2.4GHz Private LAN

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz LAN Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private WiFi, 1x SSID
#This will be used for the majority of deployments, due to 5GHz having limited range [for any WAP].

#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global Password "companypassword"

#-----Guest Wireless Network
:global GuestSSID "Guest Wireless"
:global GuestPass "guestpassword"

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules. Uncomment if part of a mesh network (4+ WAPs, walk around and stay connected).
#do { /interface wireless access-list add signal-range=-89..120 } on-error={}
#do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}
do { /interface bridge add name="bridge"  } on-error={}

#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}

#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}

#Enable DHCP Client on the bridge (which contains the Ethernet plug)
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server from breaking your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Remove the default static IP of 192.168.88.1, only use DHCP or a manually set static IP (from variables)
#Wrapped in do/on-error like the rest, so the import continues if the address is already gone
do { /ip address remove 0 } on-error={}
#Assign the static IP if the variable is set. This must come AFTER the remove above:
#setting entry 0 to the static IP and then removing entry 0 would delete it again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#Set Password for SSID profile
#Group-Key-Update needed for iOS compatibility, default is 5m, set higher.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Disable 5GHz
do { /interface wireless disable wlan2 } on-error={}

#Set the clock for logging
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}
#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}

 

Script 2 – 2.4GHz & 5GHz Private LAN

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz and 5GHz LAN Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private WiFi, 2x SSIDs

#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global SSID5GHz "Company Wireless 5GHz"
:global Password "companypassword"

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules are added once, in the configuration section below (remove them there for a standalone WAP).


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}

do { /interface bridge add name="bridge"  } on-error={}
#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}
#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}
#5GHz Antenna
do { /interface bridge port add interface=wlan2 bridge=bridge } on-error={}
#Enable DHCP Client on the bridge (which contains the Ethernet plug)
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server from breaking your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Remove the default static IP of 192.168.88.1, only use DHCP or a manually set static IP (from variables)
#Wrapped in do/on-error like the rest, so the import continues if the address is already gone
do { /ip address remove 0 } on-error={}
#Assign the static IP if the variable is set. This must come AFTER the remove above:
#setting entry 0 to the static IP and then removing entry 0 would delete it again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#Roaming / Min-RSSI rules: let clients at -89dBm or better connect, and kick clients that drop below -90dBm so they roam to a closer WAP.
#Comment these two lines out for a standalone WAP (no overlapping coverage to roam to).
do { /interface wireless access-list add signal-range=-89..120 } on-error={}
do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}

#Set Password for SSID profile
#Group-key-update required for iOS compatibility, default is 5m, set higher.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Configure 5GHz
do { /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=$SSID5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 tx-power=$TransmitPower } on-error={}

#Set the clock for logging
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}
#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}

Script 3 – 2.4GHz & 5GHz, Private LAN & Guest Network

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz and 5GHz LAN and Guest Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private and Guest WiFi, Up to 4x SSIDs
#This script is good for a standalone WAP.

#If 4 SSIDs is too many, run this command to disable wlan2 (5GHz Antenna)
#/interface disable wlan2


#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global SSID5GHz "Company Wireless 5GHz"
:global Password "companypassword"

#-----Guest Wireless Network
:global GuestSSID "Guest Wireless"
:global GuestSSID5GHz "Guest Wireless 5GHz"
:global GuestPass "guestpassword"

########################################################################################
#Guest Isolation - Adjust the isolation firewall rules to match your internal networks.#
########################################################################################

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules. Uncomment if part of a mesh network (roaming).
#do { /interface wireless access-list add signal-range=-89..120 } on-error={}
#do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}

#Create Private and Guest bridges
do { /interface bridge add name="bridge"  } on-error={}
do { /interface bridge add name="guestbridge" } on-error={}

#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}
#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}
#5GHz Antenna
do { /interface bridge port add interface=wlan2 bridge=bridge } on-error={}

#Enable DHCP Client on the bridge (which contains the Ethernet plug)
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server on ether1 from taking over your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Remove the default static IP of 192.168.88.1, only use DHCP or a manually set static IP (from variables)
do { /ip address remove 0 } on-error={}
#-----Assign the static IP to the bridge (if uncommented above). This must come AFTER the remove above:
#setting entry 0 to the static IP and then removing entry 0 would delete it again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#-----Set Passwords
#Password for SSID profile
#Group-key-update required for iOS compatibility, default is 5m, set higher to 60m.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Guest SSID profile
do { /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=guest group-key-update=60m wpa2-pre-shared-key=$GuestPass } on-error={}

#-----Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Configure 2.4GHz Guest SSID
do { /interface wireless add disabled=no master-interface=wlan1 mode=ap-bridge name=wlan3 security-profile=guest ssid="$GuestSSID" } on-error={}

#Add 2.4GHz Guest to Bridge
do { /interface bridge port add interface=wlan3 bridge=guestbridge } on-error={}

#-----Configure 5GHz
do { /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=$SSID5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 tx-power=$TransmitPower } on-error={}

#Configure 5GHz Guest SSID
do { /interface wireless add disabled=no master-interface=wlan2 mode=ap-bridge name=wlan4 security-profile=guest ssid="$GuestSSID5GHz" } on-error={}

#Add 5GHz Guest to Bridge
do { /interface bridge port add interface=wlan4 bridge=guestbridge } on-error={}

#-----Guest DHCP Server
do { /ip address add address=10.10.200.1/24 interface=guestbridge network=10.10.200.0 } on-error={}
do { /ip pool add name=guestdhcppool ranges=10.10.200.10-10.10.200.200 } on-error={}
do { /ip dhcp-server add address-pool=guestdhcppool disabled=no interface=guestbridge name=guestdhcp } on-error={}
do { /ip dhcp-server network add address=10.10.200.0/24 dns-server=8.8.8.8 gateway=10.10.200.1 } on-error={}

#Isolate the Private and Guest Networks from each other. Adjust 192.168.1.0/24 to match your internal LAN.
#These are forward-chain rules only; traffic addressed to the WAP itself (input chain) is not filtered here.
do { /ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.10.200.0/24 } on-error={}
do { /ip firewall filter add action=drop chain=forward dst-address=10.10.200.0/24 src-address=192.168.1.0/24 } on-error={}

#NAT the Private and Guest networks so they can reach the internet
do { /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=bridge } on-error={}
do { /ip firewall nat add action=masquerade chain=srcnat out-interface=guestbridge } on-error={}

#-----Set Clock
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}

 

RetroPie Setup Guide – Xbox 360 Controllers – ROMs

RetroPie Setup Guide

If you’re looking for a cheat-sheet to quickly setup a Raspberry Pi 3 Model B as a RetroPie emulation system, you’re in the right spot. Many of the guides you find, including the official RetroPie wiki, are outdated, between 2012-2015 before the release of RetroPie v4. This guide will eventually meet the same fate, but for now, it’s the newest, sweetest, down-and-dirty guide you’ll find. Enjoy!


Chapters

  1. Parts
  2. Installing OS
  3. Updating OS
  4. Adding ROMs
  5. Configuring System (the long part)
  6. Performance Improvements
  7. Configuring Controllers
  8. ROM Compatibility per Emulator Plugin

Chapter 1 – Parts


Raspberry Pi 3 Model B

  • I highly recommend the Vilros kit, includes power cord, case, and board
    • $50 https://www.amazon.com/dp/B01D92SSX6

MicroSD Card

  • I got a 64GB SanDisk Class 10 MicroSD
    • $25 – https://www.amazon.com/dp/B010Q588D4/
  • I recommend a minimum of 16GB, 32GB is the sweet spot for not having to worry about enough space. If you are planning at add countless MAME ROMs or PS1 games, you’ll want as big a MicroSD card you can get.

Official Microsoft Xbox 360 Wireless Receiver

  • Get the official Microsoft OEM version. There are third-party receivers that *can* work fine, but I’ve had bad experiences in the past. The official Microsoft labeled device works the best.
    • $20 – https://www.amazon.com/dp/B000HZFCT2/

Official Xbox 360 Wireless Controllers

  • $30/ea, you can find them anywhere. Best Buy Price Matching works too.
    • https://www.amazon.com/dp/B004QRKWKQ

Keyboard

  • Any keyboard will work, for running more intense menu commands.

Case with Fan

  • If you are planning on playing N64 games, I highly recommend purchasing a vented Raspberry Pi case with fans so you can overclock the system, which is absolutely necessary for smooth N64 emulation. Below is what I use.
    • https://www.amazon.com/dp/B01LXSMY1N/

Chapter 2 – Installing OS

You’ll need a way to format the MicroSD card. This is usually done with the included SD Card (full size) adapter, and plugging it into a laptop/desktop/memory-card adapter.

Go download and install Win32DiskImager from Sourceforge. This lets you write a downloaded .IMG file directly to the MicroSD card.

  • https://sourceforge.net/projects/win32diskimager/

Download RetroPie v4.X

  • The OS is about 600MB. They seem to choose random mirrors for downloads, some go at 30KBps, others at 20MBps, if it’s slow, cancel and re-download.
  • https://retropie.org.uk/download/

The image file will be a .img.gz (GZIP) file. Extract the .IMG file inside with 7Zip or WinRar to somewhere on your local PC.

Run Win32DiskImager from Start as Administrator (right-click > Run as Administrator)

Select the MicroSD card drive letter, browse to your extracted .IMG, and write. — This will completely erase the selected device (which should be the MicroSD card). Make sure it’s the right one.

Wait until the write is complete.

[Image: Win32DiskImager writing the RetroPie image to the MicroSD card]

Once complete, remove the MicroSD card, and connect it to the Raspberry Pi memory slot. Connect everything together:

  • MicroSD
  • 360 Wireless Receiver
  • Power adapter (Micro-USB)

Then connect the power-adapter to a power-strip/wall-jack.

 

Chapter 3 – Updating OS

Let the Raspberry Pi boot up and wait until you get to the main interface. You will need a controller input

Configuring Primary Controller for System

We need to define the base controller button definitions via Emulation Station. Start > Configure Input > Are you sure? > Yes

After mapping the buttons per the references below (picture included), we can then make any changes per-system as needed.

Reference 1:https://github.com/RetroPie/RetroPie-Setup/wiki/Controller-Configuration

Reference 2:https://github.com/RetroPie/RetroPie-Setup/wiki/retroarch-configuration

 

Note — You are intentionally Mis-Mapping the Xbox 360 Controller Buttons — this is intended.

For example, the Green button on a 360 controller, is being mapped to B for EmulationStation’s RetroArch default config. This is correct, it will make your life easier. From there — the buttons will be remapped again by each core (NES, SNES, Genesis) to match the “feel” of that controller — automatically. As an example, on a NES Controller, the B button is to the left of the A button. The “feel” should be the same — A (360 Button) > B (RetroArch Default Input) > Auto-Remapped to A (NES Controller).

It’s an odd system, but it can work really well as long as you follow the mapping below. Some emulators (looking at you N64 non-RetroArch cores Gles2N64 and Mupen64Plus) will require controller customization, as their mappings cannot load the built-in RetroArch input file. (The default RetroArch input file is stored at “/opt/retropie/configs/all/retroarch-joypads/Xbox 360 Wireless Receiver.cfg”.)

 

 

Updating OS Packages

Updating the RetroPie OS and packages can provide an 80% performance improvement in some cases. Absolutely 100% do this step.

  1. Open RetroPie
  2. RetroPie Setup > Update RetroPie-Setup Script > Yes
  3. Update all installed packages > Yes > Would you like to update the underlying OS packages? > Yes
  4. Wait 25 minutes (I timed it)

That was easy enough…

 

Chapter 4 – Adding ROMs

If you’ve got the ROMs, it’s easy. Just remove them from their ZIP files, and copy them to a network share. If you don’t yet have ROMs, go find a torrent site and get your game on! Generally releases are call “ROM Collections” or “ROM Packs”, so for example go on Google and search for, “N64 ROM collection torrent”.

Hop on your PC, and browse your local network. If you can’t find anything and you’re on Windows, Start > Advanced Sharing > Enable Network Discovery

You can also find your IP on RetroPie by going RetroPie > Show IP

Then browsing to \\192.168.0.X\ or \\retropie


Go into the roms folder, and start copy/pasting in ROMs for each system. They will need to be unzipped, so a NES game would be something like: Super Mario Bros.NES, a N64 title would be Super Mario 64.z64, and a PSX game would be either a Crash Bandicoot.BIN/Crash Bandicoot.CUE combo, or a combined Crash Bandicoot.PBP file.

 

Chapter 5 – Configuring System (the long part)

Raspberry Pi Config

We are going to configure some core OS settings that have nothing to do with RetroPie. You will likely need a keyboard for this to work, controller buttons can go weird in Raspi-Config.

From the menus, open RetroPie > Raspi-Config

You can also open this by using Putty, SSHing in, and typing “raspi-config”.

  1. This step should not be necessary as of RetroPie v4, but if you find yourself running out of space much earlier than expected:
    1. "Expand Filesystem": this takes the 600MB image you flashed to the MicroSD and lets you use all of the free space on your 64/128GB MicroSD card.
  2. Boot Options > Wait for Network at Boot > Would you like boot to wait? > NO
    1. This makes the Raspberry Pi boot MUCH faster if a network connection is not available. Otherwise you will sit for 30s while the Raspberry looks for a DHCP server and times out.
  3. Advanced Options > Overscan > Would you like to enable compensation for displays with overscan?
    1. Select No if you have a modern, 1080p or higher HDTV, or are on HDMI.
    2. Select Yes if you have an older TV that zooms in on devices so there are no black bars (but it cuts off detail with HDMI/DVI).

Disable Run Command Editor

Whenever you load a ROM, you have 5 seconds to press any button to load the Run Command Editor. That means if any person presses anything during those 5 seconds, time to pull out a keyboard or reboot the system to try again while everyone gets confused. I highly recommend turning this off if non-technical people or children are playing on the system, or to disable it once your system is dialed-in.

You will want to leave it enabled while you select a per-game emulator core. For example, StarFox64 runs best under GlideN64. If GlideN64 is not your default, the Run Command Editor lets you pick that specific game's emulator core, a setting it keeps even after you (later) disable the Run Command Editor.

  1. Launch Menu > Disabled
  2. Launch Menu Art > Disabled
  3. Launch Menu Joystick Control > Enabled
  4. Select Cancel (should be named Quit or Exit) > A (or Yes).

Upgrade Theme

I personally prefer Tronkyfran (#32 at the bottom of the list), pick whatever you prefer 🙂

RetroPie Setup > Configuration / Tools > esthemes (Emulation Station User Interface themes) > 32 – Install Tronkyfran

Go back to home > Start > UI Settings > Theme Set (at the bottom) > Change from Carbon (default) to Tronkyfran (or whatever you use). Some themes may require a reboot to go into effect.

Scrape for Details

A scraper scans all of the games in your system for metadata like year of release, rating, description, title, cover art, etc. Very worth the time to run it; it makes the system look MUCH prettier. A scrape of 2500 games took 3 hours to complete.

Do this after copying over your ROM files.

  1. Plug in a keyboard, hit F4 to close Emulation Station – if it is open, the scraping cannot succeed.
  2. sudo -i
  3. sh /home/pi/RetroPie-Setup/retropie_setup.sh
  4. Configuration Tools > Scraper > Scan All Systems

Change Default N64 Emulator

This file lets you select the default emulator. You can also assign a different emulator to individual ROM files with the Run Command menu before a game launches. I have personally had better stability and performance with Gles2N64 than GlideN64. Officially, GlideN64 is supposed to be the best current graphics plugin and may one day be the best (isn't everything Linux like that, though?). At the time of writing (March 2017), glitchy graphics, stuttering audio and random bugginess with GlideN64 say otherwise, so I recommend Gles2N64.

  1. sudo -i
  2. nano /opt/retropie/configs/n64/emulators.cfg
  3. Change the following line
    1. (Before) default = "mupen64plus-GLideN64"
    2. (After) default = "mupen64plus-gles2n64"
  4. Ctrl + X (Exit) > Y (Yes to save changes)

Chapter 6 – Performance Improvements

This is surprisingly important. I normally don’t overclock any equipment, ever, but overclocking really does make a massive improvement on your RetroPi setup, it’s the difference between some N64 games working great or being completely unplayable — if you want to play Goldeneye or Perfect Dark and have a good time, you’ll need this step.

These settings are for a Raspberry Pi 3 in a case with minor ventilation, and the cheapo 14mm x 14mm x 4mm heatsinks on top that come with cheap kits. If you’ve installed a large heatsink and fan, you can push the numbers farther. Watch out for the heat, check it with the Putty command:

#Check temperature. Hit Up-Arrow > Enter to keep checking.
vcgencmd measure_temp

The most important setting, oddly enough, is v3d_freq (the clock of the GPU's 3D core). It seems to give more of an improvement than anything else I've found. disable_splash=1 just speeds up the boot process. One caveat before you paste: force_turbo=1 combined with any over_voltage permanently sets the warranty bit in the SoC, so only use the active-cooling block if you accept that; the passive block leaves force_turbo off.

  1. sudo -i
  2. nano /boot/config.txt
  3. Insert one of the two blocks below, matching your cooling, then Ctrl + X > Y to save:

#Raspberry Pi - ACTIVE COOLING Only!! (40C idle, up to 55C under heavy load)
arm_freq=1350
gpu_freq=525
core_freq=525
sdram_freq=500
over_voltage=6
v3d_freq=525
force_turbo=1
avoid_pwm_pll=1
disable_splash=1

#Raspberry Pi - Passive Cooling - Runs Hot (50C idle, up to 80C under heavy load)
arm_freq=1300
gpu_freq=500
sdram_freq=500
over_voltage=6
v3d_freq=525
disable_splash=1
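vcgencmd measure_temp tells you the temperature right now, but not whether the firmware has already reacted to it. The Pi firmware keeps a bitmask of under-voltage, frequency-capping and throttling events since boot, readable with vcgencmd get_throttled. The script below is an added example, not part of the original post: it decodes that mask (the bit positions are the ones in the Raspberry Pi firmware documentation; the fallback sample value 0x50005 is constructed so the script also runs off the Pi). Run it a few minutes into a heavy N64 game: any "has occurred" line means the overclock is not really holding and you should back off or fix power/cooling.

```sh
#!/bin/sh
# Added example (not from the original post): decode "vcgencmd get_throttled".
# Bit layout per the Raspberry Pi firmware docs; 0x50005 below is a constructed sample.

decode_throttled() {
  # Accepts the raw vcgencmd output ("throttled=0x50005") or just the hex value.
  mask=$(( ${1#throttled=} ))
  for entry in \
    "0:under-voltage detected now" \
    "1:ARM frequency capped now" \
    "2:currently throttled" \
    "3:soft temperature limit active now" \
    "16:under-voltage has occurred since boot" \
    "17:ARM frequency capping has occurred since boot" \
    "18:throttling has occurred since boot" \
    "19:soft temperature limit has been reached since boot"
  do
    bit=${entry%%:*}
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      printf '%s\n' "${entry#*:}"
    fi
  done
}

overclock_is_holding() {
  # True (exit 0) only when no flag at all is set, i.e. nothing was throttled since boot.
  [ $(( ${1#throttled=} )) -eq 0 ]
}

# On the Pi read the live value; elsewhere fall back to the constructed sample
# (0x50005 = under-voltage and throttling, both right now and earlier since boot).
if command -v vcgencmd >/dev/null 2>&1; then
  raw=$(vcgencmd get_throttled)
else
  raw="throttled=0x50005"
fi
echo "$raw"
decode_throttled "$raw"
if overclock_is_holding "$raw"; then
  echo "OK: no throttling since boot"
else
  echo "WARNING: the overclock is not holding; back off the clocks or fix power/cooling"
fi
```

The "since boot" bits are sticky until the next reboot, so one clean run after a long session is a better stability check than a single temperature reading. Under-voltage flags usually point at the power supply or cable rather than the clocks.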

Resolution

This can be a tricky category. Different games run better, and look better, at different resolutions. The higher the resolution, the greater the processing demand on the Raspberry Pi. In general, I've found it best to set the default video mode for any emulator to 640x480 (CEA-1). For example, even GLes2N64-HighRes looks more "HD" running at CEA-1 (640x480) than at CEA-4 (1280x720), and it runs smoother on Jet Force Gemini. For GLes2N64, CEA-1, though a 4:3 resolution, is scaled properly to fit a 1080p 16:9 display, and it looks really good in many games!

Using the Run Command editor can be helpful for changing specific settings per ROM. To do so, you would enable the Run Command editor in RetroPie Setup.

RetroPie Setup > Configuration/Tools > Run Command > Launch Menu (Enabled).

From here, you can define a default emulator overall, and specific settings per ROM. You rarely need to touch the framebuffer, it’s usually just the emulator choice, and possibly what resolution you want to run at. Again, Using 640×480 rendered on the RetroPie, will be scaled up to your 1080p screen, and can look better than a 1920×1080 rendering by the RetroPie.

Chapter 7 (Optional) – Configuring Controllers

Only needed if your buttons are not matching up between systems, especially on N64.

There are three ways controller configurations are saved in a RetroPie.

  1. From the initial setup configuration file
    1. nano "/opt/retropie/configs/all/retroarch/autoconfig/Xbox 360 Wireless Receiver.cfg"
  2. From the "live" setup configuration file, which you can change via EmulationStation
    1. nano "/opt/retropie/configs/all/retroarch-joypads/Xbox 360 Wireless Receiver.cfg"
  3. From a system-specific configuration file (N64)
    1. nano /opt/retropie/configs/n64/InputAutoCfg.ini

Below is a mapping image that may be helpful. The stock mapping works perfectly for NES, SNES and Game Boy (which all use the RetroArch input file you created through EmulationStation), but goes absolutely bonkers with non-RetroArch cores.

These input mappings were figured out via RetroArch's in-game menu, RGUI (while in a RetroArch game, press Select + X).

(Image: Xbox 360 / PS3 controller input mapping)

Example code of a default "/opt/retropie/configs/n64/InputAutoCfg.ini" N64 setup (wrong):

; Xbox 360 Wireless Receiver_START
[Xbox 360 Wireless Receiver]
plugged = True
plugin = 2
mouse = False
AnalogDeadzone = 4096,4096
AnalogPeak = 32768,32768
Mempak switch = button(11)
Rumblepak switch = button(12)
C Button D = button(0) axis(3+)
C Button L = axis(2-)
Z Trig = button(4)
Start = button(9)
Y Axis = axis(1-,1+)
DPad U = button(15)
C Button U = button(1) axis(3-)
A Button = button(2)
DPad D = button(16)
X Axis = axis(0-,0+)
R Trig = button(5)
DPad R = button(14)
B Button = button(3)
DPad L = button(13)
C Button R = axis(2+)
L Trig = button(6)
; Xbox 360 Wireless Receiver_END

Issues are:

  1. C Button Down is bound to both button(0) (the A button on a 360 controller) and axis(3+) (right stick down), so the A button and the right stick trigger the same C button.
  2. C Button Up is bound to both button(1) (the B button on a 360 controller) and axis(3-) (right stick up), the same problem.
  3. button(2) (the X button on a 360 controller) is bound to the N64 A button.
  4. button(3) (the Y button on a 360 controller) is bound to the N64 B button.

If you are using a 360 wireless controller, feel free to use these mappings. Edit the config file with:
nano /opt/retropie/configs/n64/InputAutoCfg.ini

Use Ctrl+K to delete whole lines rather than holding down backspace, a bit faster. Delete everything from "; Xbox 360 Wireless Receiver_START" through "; Xbox 360 Wireless Receiver_END", then right-click in PuTTY to paste in the block below.

Example code of a modified "/opt/retropie/configs/n64/InputAutoCfg.ini" N64 setup (correct):

; Xbox 360 Wireless Receiver_START
[Xbox 360 Wireless Receiver]
plugged = True
plugin = 2
mouse = False
AnalogDeadzone = 4096,4096
AnalogPeak = 32768,32768
Mempak switch = button(11)
Rumblepak switch = button(12)
C Button D = axis(3+)
C Button L = axis(2-)
Z Trig = button(4)
Start = button(9)
Y Axis = axis(1-,1+)
DPad U = button(15)
C Button U = axis(3-)
A Button = button(0)
DPad D = button(16)
X Axis = axis(0-,0+)
R Trig = button(5)
DPad R = button(14)
B Button = button(2)
DPad L = button(13)
C Button R = axis(2+)
L Trig = button(6)
; Xbox 360 Wireless Receiver_END

 

Chapter 8 – ROM Compatibility for N64

If you are planning to make a few of these systems, you may want to prep one image perfectly and then copy/paste the image to other SD cards with Win32DiskImager.

For that first unit, I’ve always customized each emulator for the most important N64 ROMs. You can define a single ROM to use a specific emulator video-plugin, you can also define the default settings for each plugin. I recommend going lower res for all of the plugins: 720×480 16:9 will give you the best performance for modern widescreen monitors/TVs. You may want to reduce the frame buffer to the native 320×240 size, which is what the N64 used.

For the below list, I have personally tested all three emulators: Gles2N64, Gles2Rice, and GlideN64, to see which is the most stable and has the most playable performance. Some games simply cannot run smoothly on the RetroPie, others it’s a toss-up. You’ll need to enable the Command Editor temporarily when you save these changes. Once done, turn it back off. List below, hope it helps.

Game Name | Best Plugin | Notes
007 Goldeneye | GlideN64 | Works fine if overclocked
1080 Snowboarding | Gles2N64 | Works fine if overclocked
Banjo Kazooie | Gles2N64 | Graphical glitches (puzzle pieces)
Bomberman N64 | GlideN64 | Works OK, some glitches
Conker's Bad Fur Day | N/A | Too slow on all 🙁
Cruis'n USA | N/A | Too slow on all 🙁
Diddy Kong Racing | Gles2N64 | Works fine
Jet Force Gemini | Gles2Rice | Works OK, minor stutters
Legend of Zelda - Ocarina of Time | Gles or Glide | Works fine
Mario Kart 64 | Gles2N64 | Works fine
Mario Party 1 | Gles2N64 | Works on all
Mario Tennis | Gles2Rice | Works OK, minor stutters
Pokemon Snap | Gles2N64 | Works OK, some glitches
Starfox 64 | GlideN64 | Works fine
Super Smash Bros | Gles2N64 | Works fine if overclocked
Wave Race 64 | Gles2Rice | Works fine if overclocked

That should be enough to get you a fully operational RetroPie. Enjoy, and have fun!

 

ROM File Cleanup – Powershell – GoodMerge – NoIntro

ROM File Cleanup

You just downloaded a massive ROM pack for emulation, could be NES, SNES, N64, Genesis, etc… In the pack you would expect the ~600 games that actually came out in stores. Instead you find 15,000 games containing every version and prototype cartridge imaginable from every corner of the world.

Powershell can be the cure for this complete mess, by simply purging out the files matching filters. Code is below. Star (*) is a wildcard character. Just define the source and destination at the beginning.

This script assumes you want United States compatible releases. Note that some games were only released as (UE) [Europe + United States] or (JU) [Japan + United States]; this script keeps those. If you find a pattern or format you do not like, feel free to add your own filter to the list. If you are in Europe, you would want the (E) or (UE) releases. (W) is a worldwide release.

This script is not perfect: it cannot catch everything, because collectors often use custom naming conventions, but the code is very easy to work with. After you are done, I recommend scrolling through your list and checking for duplicate games.

There are two scripts:

  1. The first script copies your files to a folder where you can process them all.
  2. The second script actually purges the unwanted games with the Remove-Item command, a permanent delete (no Recycle Bin). Always run it against the working copy, never against your only copy of the pack.

ROM File Copy / Move Code

#File Copy or Move Code.
#Delete the comment (#) on the Move-Item line if you want to move instead, and then comment out the Copy-Item line.
#Edit your source path (original copy of unzipped ROMs) and destination path (working area for ROMs).
$source = "C:\Installers\GenesisSource"
$destination = "C:\Installers\GenesisDestination"

Set-Location $source
#Use if you want to work on a copy.
#The tag [!] means verified working, usable ROM. -Filter only understands * and ?, so the square
#brackets are matched literally here (unlike -Path/-Include, where [...] is a character class).
Get-ChildItem -File -Filter '*[!]*' | Copy-Item -Destination $destination

#Uncomment if you want to move instead. This is a cut/paste: these files will not be coming back.
#Get-ChildItem -File -Filter '*[!]*' | Move-Item -Destination $destination

ROM File Cleanup Code

#Dan Kruse - itimagination.com - December 2nd 2016
#To run this, either copy/paste all of the code into PowerShell, or save it as a .ps1 file and run it by path. For example:
#Powershell.exe
#C:\Installers\CleanupRoms.ps1

#The hash symbol (#) deactivates a line of code. Useful for skipping a pattern whose matches you want to keep.

#Working folder (same value as in the copy script above; set it here too so this file runs on its own).
$destination = "C:\Installers\GenesisDestination"

#Dry run first: with $DryRun = $true every Remove-Item only reports what it WOULD delete.
#Flip it to $false once the list looks right. Remove-Item is permanent (no Recycle Bin).
$DryRun = $true

function Remove-RomsMatching([string]$Pattern) {
    #-File keeps the purge to files; a folder that happens to match a pattern is left alone.
    Get-ChildItem -Recurse -File -Path $destination -Filter $Pattern | Remove-Item -WhatIf:$DryRun
}

#Remove by Country Initials
'*(B)*', '*Bra]*', '*(CCE)*', '*(CH)*', '*Chi]*', '*(E)*', '*(F)*', '*(G)*', '*(J)*', '*(JE)*',
'*(K)*', '*(R)*', '*(PAL)*', '*(PD)*', '*(SECAM)*', '*(UA)*' | ForEach-Object { Remove-RomsMatching $_ }

#Remove by Country Name
'*Canada*', '*China*', '*(Europe)*', '*France*', '*Germany*', '*Italy*', '*Japan*', '*Sachen*',
'*Spain*', '*(Unknown)*' | ForEach-Object { Remove-RomsMatching $_ }

#Remove by Keyword
'*AKA*', '*(Alpha)*', '*Beta*', '*canal*', '*demo*', '*hack*', '*preview*', '*Proto*',
'*Rev A*', '*Rev02*', '*Rev03*', '*Rev04*', '*Screen Search*' | ForEach-Object { Remove-RomsMatching $_ }

#Remove by Invalid ROM Type (GoodTools flags: [a] alternate, [b] bad dump, [f] fixed, [h] hack, [o] overdump, [p] pirate)
'*[a*]*', '*[b*]*', '*[f*]*', '*[fixed]*', '*[h*C]*', '*[hI*]*', '*[o*]*', '*[p*]*', '*[p1]*' | ForEach-Object { Remove-RomsMatching $_ }
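The PowerShell above is a blacklist of substrings, which is why it cannot catch everything. The inverse approach is an allowlist: keep only files whose GoodTools tags say verified dump ([!]) in a region you want, and treat every other file as a candidate for deletion. The bash script below is an added example, not part of the original post, for running on the RetroPie itself or any Linux box holding the unzipped files. KEEP_REGIONS and the demo file names are assumptions for the example, and because No-Intro sets carry no [!] tag you would drop that check for those. It prints what it would delete and only deletes when you pass --delete.

```sh
#!/bin/sh
# Added example (not from the original post): allowlist-style ROM cleanup.
# A file is kept only if it is a GoodTools verified dump ([!]) in an accepted region.
# KEEP_REGIONS and the sample names below are assumptions for this example.

KEEP_REGIONS="(U) (UE) (JU) (W)"

classify_rom() {
  # Prints the verdict and returns 0 for keep, 1 for drop.
  name=$1
  case "$name" in
    *"[!]"*) ;;                                     # verified good dump: go on
    *) echo "drop: not tagged [!]"; return 1 ;;
  esac
  for tag in $KEEP_REGIONS; do
    case "$name" in
      *"$tag"*) echo "keep: $tag"; return 0 ;;
    esac
  done
  echo "drop: region not in KEEP_REGIONS"
  return 1
}

plan_cleanup() {
  # plan_cleanup <dir>           -> lists what would go (dry run, the default)
  # plan_cleanup <dir> --delete  -> actually removes those files
  dir=$1; mode=${2:-}
  find "$dir" -type f | while IFS= read -r path; do
    verdict=$(classify_rom "$(basename "$path")") && continue
    if [ "$mode" = "--delete" ]; then
      rm -- "$path" && echo "deleted ($verdict): $path"
    else
      echo "would delete ($verdict): $path"
    fi
  done
}

# Constructed demonstration: a scratch directory with typical GoodTools names.
demo() {
  tmp=$(mktemp -d)
  for n in "Sonic The Hedgehog (UE) [!].bin" "Sonic The Hedgehog (J) [!].bin" \
           "Sonic The Hedgehog (U) [b1].bin" "Streets of Rage (JU) [!].bin"; do
    : > "$tmp/$n"
  done
  plan_cleanup "$tmp"            # dry run: lists the (J) and [b1] files
  plan_cleanup "$tmp" --delete   # removes them
  ls "$tmp"                      # the (UE) and (JU) [!] files remain
  rm -r "$tmp"
}
demo
```

Because the region check is a substring match, keep the tags closed with their parenthesis: "(U)" does not match "(UE)", so both have to be listed if you want both. Run the dry run, eyeball the list for surprises, and only then add --delete.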

 

Mikrotik Guest Wireless Network


If you’ve got a Mikrotik router with wireless or a Mikrotik Wireless Access Point and desire to setup WiFi with a Guest Network — you’re in the right place!

This guide will assume the most common setup scenario — Guest Wireless and Private Wireless share the same internet connection, but cannot talk to each other- your guest devices only need internet access and do not need to interact with any other devices.

 

Note that the Mikrotik QuickSet feature now includes all of these steps in a single interface. The lower left of QuickSet has a section for “Guest Wireless Network”.

This guide will explain the details of how it is operating.


 

Interface SSIDs

An SSID is the name of a wireless network. On MikroTik, each interface carries exactly one SSID. If you have only one radio, like most routers/WAPs, you create a virtual AP interface on it and give that its own SSID.

Use Winbox to login to your Mikrotik router, by default IP 192.168.88.1

On the left page: Wireless > Double-Click Interface (wlan1 usually) > Wireless Tab.


Here you can configure your AP Bridge, which means “Access Point, bridge to wired network.” You can also change the SSID.

Security Profile (Password)

To change the password: Wireless > Security Profiles > double-click the entry > WPA and WPA2 Pre-Shared Key (PSK). These are usually the same password. If you have no legacy devices, untick WPA PSK and leave only WPA2 PSK with the AES (aes ccm) ciphers: WPA with TKIP is broken, and leaving it enabled lets any client negotiate down to it. Use a long random passphrase; with a pre-shared key, anyone who captures one client handshake can run an offline guessing attack against it.


Adding the Guest Interface (Virtual Access Point)

Create a new Security Profile (password) for what will become our guest wireless network.

Wireless > Security Profiles Tab > Click Plus Symbol (+) > Name, WPA and WPA2 Pre-Shared Key.


Wireless > Interfaces > Blue Plus (+) Symbol > Virtual


You can name the interface however you would like, but generally giving them a number is best. wlan1 means Wireless LAN 1. So to follow naming you may use wlan2 or wlan3 for your 2nd and 3rd SSIDs.


Click the Wireless Tab to decide the SSID for this new AP Bridge, and give it a fun name. You can also select the Security Profile (password) to use for this interface.


Guest IP Addresses and DHCP Server

Let’s start by assigning your new Virtual AP Interface a Static IP address. Choose a different subnet. So if you are currently say, 10.10.10.1/24, we might use 10.10.100.1/24

IP > Addresses > Plus (+) > Address/Subnet > Interface (Virtual AP Interface, like wlan2)


To add a DHCP Server: IP > DHCP Server > DHCP Setup > Select Virtual AP Interface (wlan2)

Follow the prompts, it should auto-populate the fields for you.


Bridging

As a switch is to ethernet cables, so a bridge is to network interfaces: it connects them together. To have your physical wireless interface (antenna) send and receive traffic through your wired interface (the RJ-45 port on ETH2), both need to be ports of the same bridge. Check that wlan1 and your ethernet port(s) are bridge ports; most default configurations already have this. The guest virtual AP (wlan2) is deliberately NOT added to the bridge: it has its own IP address and DHCP server, so the router routes between the guest subnet and everything else, and that is what lets the firewall rule below keep guests away from your private devices (traffic inside a bridge is switched, not routed, and never reaches the forward chain). You could also put guest traffic on its own ethernet port instead (say ether5, while ether2-4 carry private traffic and ether1-gateway is your WAN).

Allow NAT Translation (Masquerade for Internet Access)

You likely already have NAT enabled, but if you don't, enable a masquerade rule: chain srcnat, out-interface set to your WAN port (usually ether1-gateway), action masquerade. One rule covers all sources, including your existing local ports, the existing wireless interface and the new virtual AP. You can specify a source address if you want to, but if you leave the field blank MikroTik masquerades everything that leaves through the WAN interface.

Block Guest Interface From Communicating with Private with Firewall Rule

You'll want a firewall filter rule in the forward chain with action DROP, source address 10.10.100.0/24 (in this case, Guest Wireless) and destination address 10.10.10.0/24 (in this case, Private Wireless). Two things to check. First, RouterOS evaluates rules top-down, so this drop must sit above any rule that would accept the traffic; the usual "accept established,related" rule above it is fine, since a brand-new guest-to-private connection is not established yet. Second, this rule only protects other devices: guests can still reach the router itself at 10.10.100.1 (WinBox, SSH, the web UI) and each other through the AP. Closing those needs input-chain rules for the guest interface plus the virtual AP's default forwarding turned off.
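The script below is an added example, not part of the original post and not a MikroTik-supplied script. It emits the RouterOS commands for the complete guest isolation: the forward-chain drop described above, plus client isolation on the virtual AP and input-chain rules that leave guests only DHCP and DNS on the router. The interface name and subnets default to the post's values; anything else is an assumption of the example. Review the output, then paste it into New Terminal or feed it to the router over SSH.

```sh
#!/bin/sh
# Added example (not from the original post): print the RouterOS commands that
# isolate a guest virtual AP. Arguments: guest interface, guest subnet, private
# subnet. Defaults are the values used in the post; everything else is an assumption.

render_guest_isolation() {
  guest_if=${1:-wlan2}               # guest virtual AP (NOT a member of the bridge)
  guest_net=${2:-10.10.100.0/24}     # subnet handed out by the guest DHCP server
  private_net=${3:-10.10.10.0/24}    # subnet you want guests kept out of
  cat <<EOF
# 1. Client isolation on the AP: guests cannot reach each other through $guest_if.
/interface wireless set [ find name="$guest_if" ] default-forwarding=no
# 2. Routed traffic (forward chain): guest -> private is dropped. New connections never
#    match an "accept established,related" rule, so appending this rule is enough.
/ip firewall filter add chain=forward src-address=$guest_net dst-address=$private_net action=drop comment="guest -> private"
# 3. Traffic to the router itself (input chain): guests may only use DHCP and DNS;
#    everything else from the guest side (WinBox, SSH, web UI, SNMP ...) is dropped.
/ip firewall filter add chain=input in-interface=$guest_if protocol=udp dst-port=53,67 action=accept comment="guest DHCP/DNS"
/ip firewall filter add chain=input in-interface=$guest_if protocol=tcp dst-port=53 action=accept comment="guest DNS (TCP)"
/ip firewall filter add chain=input in-interface=$guest_if action=drop comment="guest -> router"
EOF
}

# Self-check on the generated script: in the input chain the drop must be the LAST
# guest rule, otherwise RouterOS (top-down, first match) would drop DHCP before the
# accept for it is ever reached. Returns 0 when the order is right.
input_drop_is_last() {
  render_guest_isolation "$@" | grep 'chain=input' | tail -n 1 | grep -q 'action=drop'
}

# Usage (assumes SSH is enabled on the router and you have set an admin password):
#   render_guest_isolation wlan2 10.10.100.0/24 10.10.10.0/24 > guest.rsc
#   ssh admin@192.168.88.1 < guest.rsc
render_guest_isolation "$@"
```

After importing, confirm with /ip firewall filter print that no earlier rule in the input or forward chain accepts the guest traffic first (move the new rules up with place-before if one does). If you have more than one private subnet, put them in an address list and match dst-address-list instead of a single dst-address.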

 

I hope that helped you out a bit, enjoy!

MikroTik wAP – Setup Guide – Multiple APs with Roaming

MikroTik wAP Quick Setup Guide

Hello there, this post gives instructions for configuring MikroTik wireless access points from start to finish with a quick script. The goal is a wireless network where you can walk around the building and client devices jump from WAP to WAP via access-list rules (Min-RSSI).

These principles work on any MikroTik device with wireless capability, since they all run the same RouterOS software.

Setting

My company deployed 12 Ubiquiti UAP Pros to a client. We experienced intermittent connectivity with Apple devices (MacBook Air, MBP and iPhones); the Ubiquiti forums were not helpful, firmware upgrades/downgrades didn't make a difference, and the devs shifted the blame to Apple. We decided to try a different vendor, MikroTik, and purchased four RBwAP2nD units (they look like a rounded white rectangle).

The MikroTiks did the job beautifully after proper setup! Not only did they not have issues with Apple devices, but the signal quality was FAR higher than with Ubiquiti. More capacity, better signal, 1/4 the cost, granted with much harder management than the beautiful UniFi Controller, but in this setting it is acceptable: one location, set it and forget it.

Rather than set up a Wireless Mesh (WDS) or use the CAPsMAN controller, I’m keeping it simple. Set each AP in each corner of the building, use Min-RSSI to kick off clients when their signal is too weak, then they join the strongest signal near them. It’s short-and-sweet roaming, not seamless, but good enough.

The wAP can be powered by PoE or a power plug, between 12 V and 57 V. We are using our already-purchased Ubiquiti ToughSwitch-8-Pro to power the units, but you could use any standard 24 V or 48 V PoE switch.

Initial Login

By default the wAP runs a DHCP server, so I made sure not to plug it directly into our existing network. You can connect directly to the wAP over wireless with a laptop. Once connected, you'll pull a DHCP IP, usually 192.168.88.254. You can connect to the MikroTik wAP with WinBox, their management software, which is very powerful!

 

Click the three dots next to "Connect" and WinBox will search for any MikroTik devices. You can connect by IP, or directly by MAC address (no matching IP/subnet needed!). The default username/password is admin with a blank password. Set a real admin password before the unit touches the production network (System > Password in WinBox): with the factory blank password the AP is open to anyone on the LAN, and over the default open wireless network until you set a security profile.

Initial Setup

All of these commands are menu presses. So “/system identity” means click the System button on the left, then the identity drop-down, further commands are tabs or fields. These commands can be entered DIRECTLY into the WAP applying immediately by using “New Terminal” on the left. The terminal lets you rapidly set up units after you’ve got your base commands in a text file. With these codes I’m able to crank out a matching WAP in about 4 minutes.

Name the AP

/system identity set name="NAME"

Wireless / Wired Bridge

Allow the wireless and wired connections to talk to each other. A bridge functions like a switch, it lets different interfaces talk to each other (whether that is a physical port, antenna, or VLAN, it connects them together).

/interface bridge add name="bridge1" 
/interface bridge port add interface=ether1-gateway bridge=bridge1
/interface bridge port add interface=wlan1 bridge=bridge1

LAN Dynamic IP

Force the wired connection to pull a dynamic IP address by turning on the DHCP-Client service.

/ip dhcp-client add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway

Overwrite the existing 192.168.88.1/24 address on the wired NIC (numbers=0 is the first entry in the address list, which is that default). This static IP sits alongside the one the DHCP client obtains.

Edit the IP
/ip address set address=10.10.10.53/24 interface=ether1-gateway numbers=0

Disable DHCP Server

This is just an access point, no DHCP Server needed.

/ip dhcp-server disable 0

 

Minimum-RSSI (Kickoff when the signal is too weak)

Called Min-RSSI by Ubiquiti; on MikroTik the same thing is done with an access-list rule. It works almost like a firewall allow/deny rule: if a client's signal is within -84 dBm to +120 dBm (written as -84..120), it is allowed to authenticate and to forward traffic. If its signal is within -120 dBm to -85 dBm (written as -120..-85), the second rule denies both, and the client is kicked. The two ranges must not overlap, or the first matching rule wins. In practice it takes about 1-2 seconds of a device sitting below -84 dBm before the kick happens.

Signal levels are in dBm, i.e. relative to 1 milliwatt. A received signal is a tiny fraction of a milliwatt, so it shows as a negative number; transmit power is above a milliwatt, so it shows as positive.

Here are some quick examples. I have found the MikroTiks to keep running well even at -85 dBm because the hardware has an extremely low noise floor (-105 dBm, which is insanely quiet), and that means MUCH better range for the same power. 1000 mW is a great marketing number, but it doesn't mean squat without a good noise floor to compare it to. For comparison, Ubiquiti gear (which is usually quite good for the money) becomes unusable around -72 dBm.

General Client Receiving Signal Examples

  • -55 dBm is a great signal for a client like a laptop or phone.
  • -75 dBm is nearing the limit of usable signal; expect some packet loss or stutters in video/VoIP.
  • -30 dBm means the power is extremely high: you are probably standing within 3 feet of the antenna, or your transmit power is way too high.

#Each of these commands restarts the wireless interface, so you will probably be disconnected for a moment.
#Configure Min-RSSI Connect: clients at -84 dBm or better may authenticate and forward traffic
/interface wireless access-list add signal-range=-84..120
#Configure Min-RSSI Kickoff: clients that fall to -85 dBm or worse are disconnected
/interface wireless access-list add authentication=no forwarding=no signal-range=-120..-85

Edit the Wireless Password: WPA or WPA2

The command below enables both WPA and WPA2 PSK, which is what most home setups do. WPA(1) means TKIP, which is broken; if every client you have supports WPA2, restrict the profile to WPA2 with AES (the comment shows the parameters) so nothing can negotiate down.

####Edit the password in two places, once for WPA and once for WPA2####
#Hardened variant with no WPA/TKIP: authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm (and drop wpa-pre-shared-key)
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=MyPassword wpa2-pre-shared-key=MyPassword

Edit the SSID, and set your transmit power in dBm

Antenna/Station Transmitting Examples

  • +12 dBm, low power: usable 40 foot radius with 1 piece of drywall between station and client.
  • +16 dBm, medium power: usable 60 foot radius with 2 drywalls between station and client.
  • +21 dBm, high power: range is unpredictable, could be a 400 foot radius with line of sight, or 120 feet with interference.

High transmit power for MikroTiks is 19-21 dBm. Be aware that though your transmitter may be loud, clients may not be loud enough to reply back. You would see this as a client showing full bars of signal but with extreme packet loss or "unable to connect". For comparison, a Ubiquiti running on High power (Auto) is +30 dBm.

Don't just turn up the power to get farther range: it's possible to burn out amplifiers/antennas if you don't know what you're doing, it can make your signal-to-noise ratio worse, and it may push you past what your regulatory domain allows.

/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1-local rx-chains=0,1 ssid=WirelessName tx-chains=0,1 tx-power=16 tx-power-mode=all-rates-fixed wireless-protocol=802.11

Configure Time (NTP) and Automatic Nightly Reboot

Mikrotiks do not have a battery inside, and thus the time resets whenever they reboot. Configure a NTP server to have the clock auto-update after boot.

In addition, it never hurts to reboot once per day to work out any glitches.

#Reboot router every day at 12:10AM
#Least privilege: /system reboot only needs policy=reboot,read. The broad list below works, but it grants far more than this one-liner uses.
/system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:10:00

#Configure the client to use Google as time servers
/system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com

 

Update Packages

I updated each WAP at the end, since it was easier to configure them to a usable state and avoid conflict with DHCP-Servers, so data can be pulled via the ethernet cable once they are hooked into the primary switches.

Winbox > System > Packages > Check for Updates > Download and Install

 

Hopefully this quick start guide was helpful in getting you going on MikroTik WAPs. I’m really amazed by what these units can do for so little money. Harder to configure than most WAPs for sure, but they are extremely reliable — I never have to reboot them, they just take a beating with capacity and handle it like a champ, and don’t even get me started on the reliability of home routers like Netgear, ASUS, or Linksys. Have fun! 😉