Mikrotik Point to Point Wireless Bridge

Note that this guide works for any Mikrotik board with an antenna, not just the SXT product line. You can follow these same instructions for the wAP, LHG, Groove and even BaseBox lines, as long as the radios at both ends operate on the same band (e.g. both 2.4 GHz or both 5 GHz).


The Mikrotik SXT 5GHz units offer a cheap, reliable, and fast point-to-point link. You’ll need two SXTs, one at each end of the link. It’s best to think of these units as a “wireless wire”: they join two physically separated networks as though there were a cable between them. I highly recommend using Gigabit-capable 5GHz units, like the SXT AC.

Whether it’s 50 feet or 5,000 feet, the concept is the same, and performance can be very high, typically adding only 1-2 ms of latency.


Connecting In

You’ll use the program Winbox.exe to configure the units. By default, Mikrotik units ship with a static IP on the 192.168.88.0/24 network.

It’s generally a good idea to give your NIC an address in 192.168.88.X/24 so you can reach the unit. Don’t disconnect yourself though: add it as an additional IP on your NIC rather than replacing the one you already have.

Update & Upgrade

We need to get the SXT internet access so it can pull package/software updates, followed by a RouterBOOT firmware upgrade.

Connect the SXT to the PoE injector, connect the data plug to your switch, open Winbox on a PC on the same switch, and browse to the SXT. At this point it only has its default static IP, so connect at Layer 2 instead by clicking the unit’s MAC address in the Winbox neighbor list.

Default user/pass: admin/<blank>

Start by disabling the DHCP Server

  • IP > DHCP Server > Select defconf > Disable (Red X)

Bridge your antenna and ethernet ports

  • Bridge > Add (Blue + ) > bridge1
  • Bridge > Ports Tab > + > wlan1 > bridge1
  • Bridge > Ports Tab > + > ether1 > bridge1

Enable DHCP Client

  • IP > DHCP Client > bridge1
  • You now have enough configured to pull internet access from wireless or wired. Let’s get the updates.

Obtain Updates

  • System > Packages > Check for Updates > Channel: BugFix Only > Download and Install
    • The device will automatically reboot and update itself.
  • Once it comes back up, log in again via Winbox and upgrade the firmware (RouterBOOT) that was downloaded along with the software packages; unlike the packages, it has to be applied manually.
  • System > Routerboard > Upgrade > Yes
  • System > Reboot > Yes
  • If you are confident the SXT will always have a DHCP server to lease from, you can disable the default static IP:
    • IP > Addresses > Select the defconf address > Disable (Red X)

Name Units – Apply a Matching Label/Sticker

  • Company PTP01, Company PTP02, etc

Set Password

  • System > Password > YourSecurePassword
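
The Winbox steps above, from disabling the DHCP server through setting the password, as a terminal script (Winbox > New Terminal). This is an added example, not code from the original guide. It assumes the factory defconf names on RouterOS v6 (the DHCP server named defconf, the address commented defconf, wlan1 and ether1), that the unit gets internet access over the bridge once the DHCP client is up, and placeholder values for the unit name and password.

```routeros
# Added example: per-unit preparation as a terminal script, in three parts because two of the
# steps reboot the unit. Assumes factory defconf names on RouterOS v6; the name and password
# at the end are placeholders.

# --- Part 1: stop serving DHCP, bridge radio and wire, lease an address, update ---
# The link is a transparent bridge; the LAN's existing DHCP server is the only one that should answer
/ip dhcp-server disable [find name=defconf]
# One broadcast domain across wlan1 and ether1
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=wlan1
/interface bridge port add bridge=bridge1 interface=ether1
# Lease an address over the bridge so the unit can reach the update servers
/ip dhcp-client add interface=bridge1 disabled=no
# Bugfix channel (called long-term on newer releases); "install" downloads and reboots only if an update exists
/system package update set channel=bugfix
/system package update check-for-updates
/system package update install

# --- Part 2: paste after the unit comes back (answer y to both prompts) ---
# The RouterBOOT firmware arrives with the packages but is not applied until you ask
/system routerboard upgrade
/system reboot

# --- Part 3: paste after the second reboot ---
# Optional: drop the factory static IP once you trust DHCP on the link
/ip address disable [find comment=defconf]
# Name the unit to match its sticker, then replace the blank admin password
/system identity set name="Company PTP01"
/user set admin password="YourSecurePassword"
# Verify: installed vs latest package version, and current-firmware vs upgrade-firmware should now match
/system package update print
/system routerboard print
```

Part 1 ends at the reboot that `install` triggers, so nothing after it in that part would run; that is why the name and password are set last, after the unit is back on its final software.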

Repeat the above steps on the other PTP unit,

Then continue below

Configuring the PTP Bridge

Broadcast Side

  • Wireless > Interfaces > wlan1
  • Mode: bridge
  • Band: 5GHz AC if you can, A/N if AC is not an option.
  • Channel Width: 20/40/80 if you can, 20/40 if it is not an option.
  • Frequency: pick a channel that is clear at both ends (the Scanner tool helps); the client side must match it.
  • SSID: a name for the link, e.g. Company-PTP; the client side must match it.
  • Wireless Protocol: NV2
    • NV2 (Tab) > Security: enabled > Preshared Key: YourSecurePassword
  • Click Advanced Mode Button: > Country: united_states_3
    • You will not be able to transmit until you select a country.


  • Wireless > Security Profiles > Default
  • Mode: Dynamic Keys
  • Auth Types: WPA2 PSK
  • Unicast/Group Ciphers: AES CCM
  • WPA2 PSK: YourSecurePassword
  • Note that NV2 does its own AES-CCM encryption keyed from the NV2 preshared key above; this WPA2 profile only takes effect if you switch the wireless protocol back to 802.11. Set both, and the link is never left open whichever protocol is active.

Client Side

  • Wireless > Interfaces > wlan1
  • Mode: Station Bridge
  • Band: Match Broadcast Side
  • Channel Width: Match Broadcast Side
  • Frequency: Match Broadcast Side
  • SSID: Match Broadcast Side
  • Wireless Protocol: Match Broadcast Side
    • NV2 (Tab) > Security: enabled > Preshared Key: Match Broadcast Side
  • Wireless > Security Profiles > Default: Match Broadcast Side
  • Click Advanced Mode Button: > Country: united_states_3


Once these are all set, the devices should automatically connect within 15 seconds.
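
The Broadcast Side and Client Side settings above as two terminal scripts, one to paste on each unit, followed by the checks a practitioner runs when the link does not come up. This is an added example, not code from the original guide. The SSID, the 5180 MHz channel at 80 MHz, the country spelling and both keys are assumptions; replace them with your own.

```routeros
# Added example: the PTP settings as terminal scripts. Assumed values: SSID "Company-PTP",
# 5180 MHz at 80 MHz (Ceee = primary channel plus three extension channels above it),
# country "united states3" (the guide's united_states_3 as RouterOS spells it) and both keys.

# --- Broadcast side (AP), paste on Company PTP01 ---
# WPA2-PSK profile; only used if the protocol is ever switched from nv2 back to 802.11
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="YourSecurePassword"
# nv2 brings its own AES-CCM encryption keyed from nv2-preshared-key; both ends must match it
/interface wireless set wlan1 mode=bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee frequency=5180 \
    ssid="Company-PTP" wireless-protocol=nv2 nv2-security=enabled nv2-preshared-key="YourSecurePassword" \
    country="united states3" security-profile=default disabled=no

# --- Client side (station), paste on Company PTP02: identical apart from mode ---
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="YourSecurePassword"
/interface wireless set wlan1 mode=station-bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee frequency=5180 \
    ssid="Company-PTP" wireless-protocol=nv2 nv2-security=enabled nv2-preshared-key="YourSecurePassword" \
    country="united states3" security-profile=default disabled=no

# --- Checks, either side ---
# Is the chosen frequency legal for the selected country? A disallowed one keeps the radio silent
/interface wireless info country-info "united states3"
# Registered peer, signal strength and negotiated rates; an empty table means no link
/interface wireless registration-table print
/interface wireless monitor wlan1 once
# From the station: can the AP be seen at all? (takes the radio off the link for the scan)
/interface wireless scan wlan1 duration=10
```

The two sides differ only in `mode`; everything else, including the NV2 preshared key, has to be identical, which is why a diff of `/interface wireless export` from both units is the fastest way to find a typo.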

For troubleshooting, use the Wireless > Interfaces > Scanner tool on the client side to check that the broadcast side is actually on the air.

Are the protocols set correctly? 802.11 protocol? NV2 protocol? NV2 security? Country Set?

You’ll know you are linked once you see the LED radio bars lit on the back of the SXT. This indicates signal strength.

PHP Server Monitor – Windows Setup Guide

Want to use PHP Server Monitor to track the uptime status of your devices? Not ready to build a CentOS or Ubuntu Server instance, but would rather have a Windows-install?

There are three primary ways to build an AMP stack.

  1. LAMP (Linux, Apache, MySQL, PHP)
  2. WAMP (Windows Desktop or Server, Apache, MySQL, PHP)
  3. IIS/PHP (Windows Server with Internet Information Services Role, MySQL, PHP)

This guide focuses on the Windows Desktop option. It performs worse than Linux or IIS, but it is much easier for beginners and easier to move between hosts.

Win10 + XAMPP

This tool has been around for many, many years. The code base may be old, but it’s free, still updated, and very reliable.

Appropriate for a small one-off server.

In my case, I’m using a Win10 Enterprise VM and loading XAMPP onto it.



Go snag XAMPP (32 Bit only for Windows). There is also a portable version if you don’t want a permanent install (e.g. run off a thumb-drive).

Run the installer. It is recommended not to install under the Program Files directories, because UAC applies extra permission restrictions and file virtualization there; install to the drive root instead, e.g. C:\XAMPP.

You only need Apache, MySQL, and PHP.

Start it, let it open up the XAMPP control panel.


Download PHPServerMonitor

Go to C:\xampp\htdocs, copy the contents to C:\xampp\htdocs.old, create the directory if it does not exist.

Go snag a download of PHP Server Monitor — https://github.com/phpservermon/phpservermon

Click download to ZIP in the upper right.

Unzip the ZIP contents into your web root, by default: C:\xampp\htdocs

Download Composer

Composer is PHP’s dependency manager: it downloads and installs the libraries PHP Server Monitor depends on.


The installer adds the composer command to your Windows PATH, so you can run it from the command line in any directory. The installer should also auto-detect your XAMPP install (it needs the path to php.exe).

When “composer install” is run, it looks for a composer.json file in the directory it is run from; that file lists what Composer needs to fetch.


Start > cmd.exe > Right-Click > Run as Administrator
cd C:\xampp\htdocs
composer install

Give it a few minutes, and it should auto-download all of the dependencies.

Start the Server Up, Build the Database

  1. Browse to C:\xampp\htdocs\
    1. Find config.php.sample, Copy/Paste it in the same directory, and rename to config.php
  2. Open XAMPP Control panel, if they are running, stop Apache and MySQL. Then start them both up, MySQL first.
  3. Browse to: http://localhost
    1. It should redirect you to http://localhost/install.php
    2. Hopefully, you see some pre-requisite success messages.
  4. If so, open XAMPP, click “Shell”
mysql -u root -p
[Password is blank, just hit enter. The XAMPP MySQL root account ships with no password; set one, and keep port 3306 reachable only from this host, before the box is exposed to any network you do not trust.]

create database phpsrvmon;
#Change your user and password in quotes
create user phpsrvmon_user@localhost identified by "user_password";
#Make this match the user above
grant all privileges on phpsrvmon.* to phpsrvmon_user@localhost;
flush privileges;

Configure the Database

Open XAMPP and stop/start both Apache and MySQL.

Browse to: http://localhost, you should be redirected back to: http://localhost/install.php

  • Application Base URL: http://something.yourdomain.com
  • Database Host: localhost
  • Database Port: 3306 (you can confirm this within XAMPP)
  • Database Name: phpsrvmon
  • Database User: phpsrvmon_user (or whatever you entered)
  • Database Password: user_password (you picked something different right?)
  • Table Prefix: psm_

Save Configuration

You may get the error “Unable to save your configuration”. It will then print out the code you can copy/paste into a config.php file.

If so, open your config.php file, and overwrite the code with what it provided. If you don’t have it, it looks like this:

<?php
define('PSM_DB_HOST', 'localhost');
define('PSM_DB_PORT', '3306');
define('PSM_DB_NAME', 'phpsrvmon');
define('PSM_DB_USER', 'phpsrvmon_user');
define('PSM_DB_PASS', 'your password');
define('PSM_DB_PREFIX', 'psm_');
// config.php.sample names the base URL constant PSM_BASE_URL
define('PSM_BASE_URL', 'http://something.yourdomain.com');

Save the file config.php, go back to XAMPP, and stop/start Apache to load in the new settings.

Create your Web-Account

Go back to http://localhost

You should get the message, “Sweet, your database connection is up and running!”

Now create a username, password, and email — this is for actually using the website, nothing to do with the database infrastructure.

Create a Monitor

Login to your site, it will redirect to your web-URL by the way, so ensure it can be resolved by your DNS server. If you’re desperate, you can always edit the Windows HOSTS file.

Open the “Servers” tab.

Add New (+) > Add a DNS name or IP, select ping, or a matching service/port. It is important to set a threshold; I typically use a Warning Threshold of 2, meaning after 1 failed query it is a warning (amber) and after 2 it is an alert (red). I usually use a timeout of 10 seconds, just in case latency is high. Check off the users you want to be able to view the monitor.

Configure the Scheduler/CRON

We have our monitors, but we need something to run the port/ping checks; they are not run automatically. On Linux, that is cron. On Windows, it is the Task Scheduler.

  • Start > Run > taskschd.msc > OK
    • Task Scheduler Library > Right-Click > Create Basic Task
      • Name: “PHP Server Monitor Query”
      • Run: One Time
      • Action: Start a Program: C:\xampp\php\php.exe
      • Add Arguments: C:\xampp\htdocs\cron\status.cron.php --timeout=1
        • The timeout number is the timer of cron in minutes, default is 10 minutes.
  • Next > Open Properties Box
    • Check: Run whether user is logged on or not.
  • Trigger Tab > Select > Edit
    • One Time, Advanced Settings > Repeat Task Every: 5 minutes, then change 5 to 1, for a duration of: Indefinitely
      • Note — If you have a large number of monitors (e.g. 100+) increase the timer appropriately. A general guideline is 20 seconds for each 100 monitors.
      • Ensure your Repeat Task Every number matches your timeout value in the Arguments.
    • Stop task if it runs longer than: 30 minutes, adjust to 3 minutes.
  • Conditions Tab > Uncheck power settings that relate to AC and battery power.
  • Settings Tab
    • Check: Allow task to be run on demand
    • Stop the task if it runs longer than: 1 hour
    • Check: If the running task does not end when requested, force it to stop.
    • If the task is already running, then the following rule applies: Stop the existing instance.
  • OK > Enter your password so the task can run as an administrator when you are logged off.

Final Settings / Little Details


While in XAMPP, configure the services to autostart on boot. Click: Config > Check: Apache, MySQL

Fixing Queries (Important!)

By default you will only get a single query every 10 minutes, because with the stock XAMPP php.ini the cron script gets stuck in running mode until it times out after 10 minutes.

Open Notepad, and open: C:\xampp\php\php.ini

Ctrl+F to search, search for: extension=sockets

There will be a semicolon “ ; ” in front of it, which comments it out. Remove the semicolon to enable the sockets extension, save php.ini, go back to XAMPP, and stop/start Apache.


Now get those monitors added, and keep an eye on all your important gear. Good luck!

Mikrotik – RADIUS Wireless Authentication Guide

This is a step-by-step guide for configuring RADIUS authentication for Mikrotik Wireless against Windows Server 2008 R2 through 2016 (Network Policy Server).


RADIUS lets you use domain credentials to access a wireless network, rather than a static WPA2 Pre-Shared Key that rarely changes. That matters for keeping terminated employees out: you just disable their Active Directory account, rather than changing the entire PSK every time someone leaves. This guide only handles the RADIUS authentication; it’s still up to you to protect your network, such as separating your wireless networks into different VLANs or subnets and isolating networks as fits your environment (e.g. RADIUS for the private network, WPA2 Pre-Shared Key for the guest network).


Just having a SSID and PreShared Key is not secure, especially for HIPAA clients.

For more security, it is recommend to use RADIUS — your desktop Windows credentials, are also your WiFi credentials. If a user is terminated, just changing one user in Active Directory locks them out of the network.


The Mikrotik will need a static IP Address

IP > Addresses > + > 192.168.X.X/24

Configure RADIUS on Domain Controller

Install RADIUS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services (include the management tools).

Configure Active Directory

Server Manager > Tools > Active Directory Users and Computers > Select OU (e.g. Company > Groups) > Action > Add New Group > WiFiUsers > Add Members (e.g. John, Bob, Alice). You could use any group, but since we are focused on strong security, only give WiFi to those who need it.

Register Permissions

Start > cmd.exe > Right-Click > Run As Administrator

netsh nps add registeredserver

Add Trusted Client Device

Server Manager > Tools > Network Policy Server

RADIUS Clients and Servers > Clients > New

Enter name of device, and IP address of Mikrotik WiFi Controller or standalone access point.

Shared Secret > Click Generate > Generate, or use a manual Secret. Copy this down.


Add Policy

Server Manager > Tools > Network Policy Server

Policies > Connection Request Policies > Right-Click > New

Provide a Name (e.g. WiFiUsers)

Type of Network Access Server: Unspecified



Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other


Authentication > CHECK: Authenticate Requests on this server


Policies > Network Policies > Right-Click > New

Give it a name, enable, and Check: Grant Access

CHECK: Ignore user account dial in properties

Type of network access server: unspecified

Conditions > Add > Windows Groups > Add “AD Group Name”

Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other

Settings > IP Settings > CHECK: Client may request an IP address > OK.


Constraints: Authentication Methods:

  • Protected EAP > Select > Edit > pick the server certificate. If you do not have a publicly signed certificate for the server’s FQDN, just use “localhost”.
    • Wildcard certificates do not work here (clients will fail to connect), but a single-name FQDN certificate (server.main.company.com) does. A .LOCAL name cannot get a publicly signed certificate.
    • Whichever certificate you choose, configure the clients to validate it (PEAP “Validate server certificate”, with the issuing CA and the server name). A client that skips validation will hand its MS-CHAPv2 challenge/response to any access point that broadcasts your SSID.

Customize DHCP (If your Windows DC is providing DHCP)

Because Network Access Protection policies are enabled on DHCP by default, the server will not hand out an IP address to just any client. We need to disable Network Access Protection on your IPv4 scopes.

Server Manager > Tools > DHCP > Expand > IPv4 > Right-Click > Properties > Network Access Protection > Disable on all scopes

Configure RADIUS on Mikrotik WiFi CAPSMAN Controller

:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
#IP address of the domain controller / NPS server
:global DCIPAddress ""
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813
#Only needed if PPP/VPN logins should also go to RADIUS; wireless uses the /radius entry above directly
/ppp aaa set use-radius=yes accounting=yes
/caps-man security add name=RADIUSWiFi authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes
#Then point the CAPsMAN configuration your SSID uses at this profile (security=RADIUSWiFi), or the CAPs keep their old settings

Configure RADIUS on Mikrotik WiFi Standalone Access Point

:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
#IP address of the domain controller / NPS server
:global DCIPAddress ""
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813
#Only needed if PPP/VPN logins should also go to RADIUS; wireless uses the /radius entry above directly
/ppp aaa set use-radius=yes accounting=yes
#unicast-ciphers added so both the pairwise and the group keys are AES-CCM
/interface wireless security-profiles set default authentication-types=wpa2-eap eap-methods=passthrough unicast-ciphers=aes-ccm group-ciphers=aes-ccm radius-eap-accounting=yes mode=dynamic-keys group-key-update=1h

Now when you connect, pop in your username (domain\username) and password to login.
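
When the first client fails to connect, the useful question is whether the NPS answered at all. An added example, not code from the original guide, for checking the RADIUS path from the RouterOS side once the script above is in place; it assumes the /radius entry is the first one (number 0).

```routeros
# Added example: RADIUS troubleshooting from the Mikrotik. Assumes the /radius entry from the
# script above is entry 0.
# Log every RADIUS exchange to memory; chatty, so remove the rule when done
/system logging add topics=radius,debug action=memory
# Live counters for the server entry.
# timeouts = the NPS never answered: wrong address or secret, the Mikrotik missing from
#            NPS > RADIUS Clients, or UDP/1812 filtered. NPS drops such requests silently
#            (System log events 13 and 18) rather than rejecting them.
# rejects  = it answered and said no: group membership, policy conditions, EAP or
#            certificate trouble. Look at the NPS event log for the reason.
/radius monitor 0 once
# Who is on the SSID right now and how they authenticated (authentication-type column)
/interface wireless registration-table print detail
# The exchanges themselves
/log print where topics~"radius"
```

Timeouts and rejects call for completely different fixes, so read the counters before touching policy: a timeout is a network or secret problem and no amount of NPS policy editing will change it.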

Mikrotik – SSTP VPN Server Setup Guide


I’ve played with L2TP/IPSec, IKEv2, PPTP, and SSTP VPN Servers. SSTP is now my go-to for business clients, and here is a step-by-step guide to help you set one up on a Mikrotik Router :-).

Benefits over L2TP/IPSec

  1. Multiple clients can connect from the same Public IP. Important if you have multiple employees that travel to the same site, like a hotel or other business. On L2TP, it’s one device per WAN IP.
  2. No timeouts, you can stay connected for an indefinite amount of time.
  3. More reliable in bad conditions (weak WiFi signal, cell-hotspot), less likely to drop than L2TP/IPSec, because SSTP is TCP based, and less sensitive to latency.
  4. Works on almost any network. Since it runs over TCP 443, the same port as HTTPS, almost every network allows its traffic through even where there is outbound filtering.
  5. Setup for Windows clients is built in, reliable, and simple. Mac clients require a bit more work, but it functions the same.
  6. Due to being TCP based, and less sensitive to latency, you can get much higher throughput for bad connections.

Cons – Slightly Harder Setup

  1. You must connect by DNS name, e.g. vpn.company.com; IP addresses are not an option, because the server certificate has to match the name you connect to.
  2. You must have an SSL certificate that includes your public DNS name (vpn.company.com). Wildcards work great, along with standard certificates.
  3. The certificate you use needs to come with its private key, which takes extra work to extract.

Once it’s setup and working, SSTP beats L2TP every time hands down!


SSL Export and Config

The only part not included in this guide is creating a publicly signed certificate request and getting it signed. Here are two detailed SSL creation/install guides from GoDaddy if you need help with this step:


We need to export the installed certificate from the server in two forms: a PKCS#12 “.PFX” (contains the private key) and a Base64-encoded X.509 “.CER” (public cert only).

Easiest to perform these steps on the server that created the SSL (so it has the private key and matching certificate).

If you cannot export the private key, it means you are on a server that did not create the key – check other servers within that company, like Exchange or RDS.

  • Start > run > mmc.exe
  • File > Add Snap In > Computer Account > Local > OK
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “Yes, export the Private Key” > check “Include all certificates in the certification path if possible” (so the intermediate CA travels with it and clients see a complete chain) > Export to: … > File Type: *.PFX > Protect with YourPassword
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “No, do not export the Private Key” > BASE64 Encoded Binary X.509 > Export to: … > File Type: *.CER

Get both of these files to your workstation running Winbox.

Login to the Mikrotik

Files > Drag in both files to the Files window

  1. System > Certificates > Import > SSL.CER (Base64) > Password: <leave blank>
    1. Left column, only “LT” (revocation List, Trusted)
  2. System > Certificates > Import > SSL.PFX (PKCS12) > Password: YourPassword
    1. Left column “KLT (private Key, revocation List, Trusted)

Now go to Mikrotik > PPP > Interface Tab > SSTP Server (Button) > Certificate: Select your SSL (X509)

Mikrotik – SSTP Server Setup

For a default setup, fill in the placeholders at the top (at minimum the DNS server), then paste into the Mikrotik terminal.

#Change this to the on-site Domain Controller/DNS Server.
:global DNSServer ""
#IP address of the VPN bridge (the gateway clients will see)
:global VPNGateway ""
#VPN client LAN IP range -- the IPs clients should get, in RouterOS range form (first-last)
:global VPNRange ""
#Network address of the target network (not used by the commands below; kept for your own routing/firewall rules)
:global VPNNetwork ""

#Add the bridge
/interface bridge add name=vpn-bridge
#Give the bridge an IP and network
/ip address add interface=vpn-bridge address=($VPNGateway."/24") comment="VPN Bridge IP"
#Add an IP pool for clients to be assigned from when they connect
/ip pool add name="vpn-pool" ranges=$VPNRange
#Configure the VPN profile users will use
/ppp profile add dns-server=$DNSServer local-address=$VPNGateway name=sstp-profile remote-address=vpn-pool bridge=vpn-bridge
#Turn it on! The certificate was selected in the SSTP Server dialog above; add certificate=<name> here to set it from the terminal instead.
/interface sstp-server server set authentication=mschap2 default-profile=sstp-profile enabled=yes
#If your firewall drops input from the WAN (as the router cheat-sheet on this page does), also allow TCP/443 to the router from the WAN interface.
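
Exposing the listener through a firewall that drops WAN input by default, with a connection-rate tarpit and the commands to watch sessions. This is an added example, not code from the original guide. It assumes the WAN interface is ether1, SSTP on its default TCP/443, and an input rule commented “Drop all from WAN” (the router cheat-sheet further down this page creates one) for place-before to slot the new rules above.

```routeros
# Added example. Assumes WAN is ether1, SSTP listens on TCP/443 and an input rule commented
# "Drop all from WAN" exists; place-before puts each rule above it (otherwise drag them above it in Winbox).
/ip firewall filter
# Evaluated top-down: blacklisted sources first, then the counters, then the accept.
add chain=input in-interface=ether1 protocol=tcp dst-port=443 src-address-list=sstp-blacklist action=drop \
    comment="SSTP: drop sources that opened too many connections" place-before=[find comment="Drop all from WAN"]
# A source that opens a 4th new TCP/443 connection within 5 minutes goes on the blacklist for a day.
# add-src-to-address-list does not terminate, so every stage below still runs and the accept is reached.
# This only counts TCP connections; it cannot see MS-CHAPv2 failures, which land in the ppp log topic.
add chain=input in-interface=ether1 protocol=tcp dst-port=443 connection-state=new src-address-list=sstp-stage3 \
    action=add-src-to-address-list address-list=sstp-blacklist address-list-timeout=1d \
    comment="SSTP: 4th connection -> blacklist" place-before=[find comment="Drop all from WAN"]
add chain=input in-interface=ether1 protocol=tcp dst-port=443 connection-state=new src-address-list=sstp-stage2 \
    action=add-src-to-address-list address-list=sstp-stage3 address-list-timeout=5m \
    comment="SSTP: 3rd connection" place-before=[find comment="Drop all from WAN"]
add chain=input in-interface=ether1 protocol=tcp dst-port=443 connection-state=new src-address-list=sstp-stage1 \
    action=add-src-to-address-list address-list=sstp-stage2 address-list-timeout=5m \
    comment="SSTP: 2nd connection" place-before=[find comment="Drop all from WAN"]
add chain=input in-interface=ether1 protocol=tcp dst-port=443 connection-state=new \
    action=add-src-to-address-list address-list=sstp-stage1 address-list-timeout=5m \
    comment="SSTP: 1st connection" place-before=[find comment="Drop all from WAN"]
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept \
    comment="SSTP: allow the listener" place-before=[find comment="Drop all from WAN"]
# Harden the listener: TLS 1.2 only and AES for the tunnel crypto (RouterOS v6.3x and later)
/interface sstp-server server set tls-version=only-1.2 force-aes=yes
# Watching it
# One dynamic interface per connected client
/interface sstp-server print
# User, assigned address and uptime per session
/ppp active print
# TLS and authentication failures land here
/log print where topics~"sstp"
```

The stage rules are ordered highest stage first on purpose: if the 1st-connection rule ran before the others, every packet would also satisfy the later stages on the same pass and a single connection would reach the blacklist.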

Mikrotik – Add a Local User Account

#Add the User’s Account into the Mikrotik

:global Username "johnsmith"
:global Password  "johns super password"

/ppp secret add name=$Username password=$Password profile=sstp-profile

Setup SSTP Client Connection (Windows 7 or 10)

Adjust the names, ServerAddress, username, and password as appropriate.

#In PowerShell, run as administrator: -AllUserConnection writes the phonebook for all users. RememberCredential is a switch, so it takes no $true argument.
Add-VpnConnection -Name "Company SSTP VPN" -ServerAddress "vpn.company.com" -TunnelType SSTP -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
#Stores the credential on the machine; leave this line out if users should type it on each connect.
Set-VpnConnectionUsernamePassword -ConnectionName "Company SSTP VPN" -Username johnsmith -Password "johns super password"

#Or, in GUI
Click Network Icon near clock in system tray > Network and Internet Settings

VPN (Left) > Add a VPN connection:
VPN Provider: Windows (built-in)
Connection Name “Company SSTP VPN”
Server Name or Address: vpn.company.com
VPN Type: Secure Socket Tunneling Protocol (SSTP)
Username: johnsmith
Password: johns super password
Remember: Checked

Click Network Icon near clock in system tray > Select “Company SSTP VPN > Connect

Mikrotik – Setup a Full Router Within 5 Minutes

We setup a LOT of Mikrotik routers, doing everything by the GUI is tedious. Below is a “cheat-sheet”, feel free to customize it to rapidly deploy your own Mikrotik routers.

Apply to a freshly reset and updated router for best effect.

This script assumes you have a static WAN IP, hence the static route. It also disables Webfig, and only allows Winbox login to trusted WAN IPs (Management) and LAN (bridge)

Just swap out the settings in quotes at the top, then copy/paste the whole thing into a terminal.

I recommend manually editing the “YourManagementWANHere” networks as well; repeat that line for each trusted site that needs to log in via Winbox.

Of special note is the automatic updater. Don’t let forgetfulness leave routers outdated: have the router check for you every two weeks.

Hoping it helps!

:global CompanyName "Johns Bubblegum Co"
:global Password "YourMikrotikAdminPassword"
:global LANIP ""
:global WANIP ""
:global WANGateway ""
:global LCDPIN "1234"

#Start code
#Purge the old Firewall Rules
/ip firewall filter remove [find]
/ip firewall nat remove [find]
/ip dhcp-client disable 0
/ip dhcp-server disable 0
/ip pool remove default-dhcp
#Configure the Interface
/interface ethernet set [ find default-name=ether1 ] comment="WAN Primary"
#Configure the LAN ports to be on a bridge (port names differ by model; a line for a port your board does not have just prints an error and the paste continues)
/interface bridge add name=bridge comment="LAN Bridge"
/interface bridge port add bridge=bridge interface=ether2-master
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6-master
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
/interface bridge port add bridge=bridge interface=sfp1
#Secure against Route Spoofing
/ip settings set rp-filter=strict
#Edit the IPs of the Router
/ip address add address=$LANIP comment="LAN Primary" interface=bridge
/ip address add address=$WANIP comment="WAN Primary" interface=ether1
#Set the static LAN to WAN Route (WAN Gateway) Edit the WAN Gateway IP
/ip route add check-gateway=ping comment="WAN Primary" distance=1 gateway=$WANGateway
#Create the trusted Management IP list
/ip firewall address-list add address=YourManagementWANHere/29 comment="Trust IP Range" list=Management
/ip firewall address-list add address=YourManagementWANHere/27 comment="Trust IP Range" list=Management
#Add the firewall rules
/ip firewall filter add action=accept chain=forward comment="Trusted Management Sites - Forward" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=accept chain=input comment="Trusted Management Sites - Input" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
/ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
#Blacklist Rules -- Add the bad-guys to the BlackList
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Brute Forcers" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Port Scanners" disabled=no protocol=tcp psd=21,3s,3,1 in-interface=ether1
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=30m chain=input comment="Blacklist SYN Flood Attacks" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn in-interface=ether1
#Allow Good Traffic
/ip firewall filter add action=accept chain=forward comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Accept ICMP, prevent flood" protocol=icmp icmp-options=8:0 limit=1,5
/ip firewall filter add action=accept chain=input comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid
#Drop new connections arriving from the WAN that were not dst-nat'ed; without this the forward chain never drops anything, so anything routable behind the router is reachable from the ISP side
/ip firewall filter add action=drop chain=forward comment="Drop new from WAN not DSTNATed" connection-state=new connection-nat-state=!dstnat in-interface=ether1
#Allow LAN to WAN NAT Traffic
/ip firewall nat add action=masquerade chain=srcnat comment="Office - NAT" out-interface=ether1
#Security Lockdown
/ip ssh set strong-crypto=yes
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/tool bandwidth-server set enabled=no
/lcd pin set pin-number=$LCDPIN
#Misc System Settings
/lcd set backlight-timeout=never default-screen=stat-slideshow
/system clock set time-zone-autodetect=yes
#Fill in primary-ntp/secondary-ntp with IPs, or leave them empty and rely on the DNS names
/system ntp client set enabled=yes primary-ntp= secondary-ntp= server-dns-names=time.nist.gov,time.google.com
/system package update set channel=bugfix
#Note: this job switches the channel to current (overriding bugfix above) and reboots on every run, even when nothing new was downloaded. Change channel=current to channel=bugfix if you want only bugfix releases; unattended upgrades also mean reading the release notes for changes that affect your config.
/system scheduler add name="Upgrade Router Bi-Weekly and Reboot" on-event="/system package update set channel=current; /system package update check-for-updates; /system package update download; /system reboot;" start-date=Jan/01/2018 start-time=03:00:00 interval=2w
/system routerboard settings set silent-boot=yes
/system identity set name=($CompanyName." Router")
#DNS servers the router itself will use, comma-separated
/ip dns set servers=,
#Cleanup Old Settings
/ip address remove [ find comment=defconf ]
/ip firewall nat remove [ find comment="defconf: masquerade" ]
#Change Admin Password
/user set admin password=$Password
#End Code


FFMPEG – Image Sequence to Video with Date Overlay Based on Timestamps

Need to convert an image sequence into a playable video, with a time-overlay printed onto the images?

Here is the best solution I’ve been able to cobble together, hoping it helps someone out there.

There are a few tools at play here:

  1. FFMPEG — The end all, be all, video processing tool. A single EXE with unlimited power. Actually crunches the image sequence into a playable video.
    1. https://www.ffmpeg.org/download.html
  2. Nirsoft’s Bulk File Changer — Allows modifying timestamps, specifically copying Created to Modified.
    1. https://www.nirsoft.net/utils/bulk_file_changer.html
  3. FastStone Image Viewer — Used to rename files as an image sequence based on the Date Modified timestamp, and overlay a timestamp onto the images.
    1. http://www.faststone.org/FSViewerDetail.htm


Step 1 – Renaming based on timestamps (Optional)

This may not apply to your situation if your Date Modified timestamps are already accurate. If so, feel free to skip this step.

Below is a photo showing the timestamps on the sample images.

The names are semi-random, date created is reliable, and date modified is from my copy/paste — not reliable.

Since FastStone Viewer, which will overlay a timestamp onto the images, only uses Date Modified, we have to overwrite Date Modified with the Date Created timestamp.

Enter: Bulk File Changer, provided by the amazing developer at Nirsoft: https://www.nirsoft.net/utils/bulk_file_changer.html

Go ahead and download it, no installer, runs portable, awesome. Perform the following.

  • File > Add > Select your images > Select All (Ctrl+A)
  • Actions > Change time/attributes
  • Copy Time From: Created > To: Check Modified
  • Do it (run)

Step 2 – FastStone Batch Image Rename

Most image sequence processors expect an incremental input of some kind. The simplest is a filename followed by a number, e.g. filename-0001.jpg, filename-0002.jpg. A more complex form of input is a text file that maps the images to an incrementing number.

We are going to use the first option, by renaming the images with FastStone.

Open FastStone Image Viewer (Download at: http://www.faststone.org/FSViewerDetail.htm)

Browse to your folder > Select All (Ctrl+A) > Tools > Batch Convert Selected Images

Batch Rename Tab

Click “Date Modified” column header, to sort by date. Select All (Ctrl+A) > Add All

Adjust your template as desired, e.g. Image##### would become Image00001, Image00002, etc



Step 3 – FastStone Batch Image Overlay

Time to overlay a printed timestamp onto the images, based on Date Modified timestamp.

Open FastStone Image Viewer

Browse to your folder > Select All (Ctrl+A) > Tools > Batch Convert Selected Images

Batch Convert Tab

Check: Advance Options > Advanced Options > Text Tab > Check: Add Text > Insert a Variable > File Date/Time > Date and Time (D1) > Position: Bottom-Right > OK

Change your Output Folder to wherever you would like>  Convert.


Step 4 – Convert Image Sequence to Video with FFMPEG

Obtain FFMPEG.exe, download at: https://www.ffmpeg.org/download.html

This is the easy part, finally. A few things to note:

  • -r = frame rate. The 3 in this example is 3 frames per second. Standard video is 24fps or 30fps
  • -i = input. The folder and file-name pattern of the image sequence.
    • %05d means 5 digits, 0-padded. E.g. 00004, 00005, 00006.
    • Adjust as needed.
  • -vcodec = video codec, i.e. which encoder to use; x264 is popular for MP4 videos.
  • -pix_fmt yuv420p = pixel format. Most players only handle 4:2:0, so force it rather than inheriting whatever the JPEGs used.

ffmpeg -r 3 -i "C:\SourceFolder\Image%05d.jpg" -vcodec libx264 -pix_fmt yuv420p "C:\TargetFolder\Video.mp4"


You should end up with a playable MP4 video, with timestamps burned into the images. Hoping that is helpful, enjoy!

Mikrotik – VOIP QoS – Simple Queues

Another bit of helpful code for Mikrotik. We were getting crackling on our VOIP phone system when the internet connection was maxed out; the following code lets phone traffic run smoothly, based on the UDP ports the VOIP service uses. Adjust to your VOIP provider’s ports, and adjust your LAN targets as needed.

There are a few concepts to be aware of:

  1. Connection Marks — a label the router attaches to a connection-tracking entry; later rules match on it to act on every packet of that connection, in both directions.
  2. Packet Marks — a label applied to the individual packets inside a marked connection. Queues match on packet marks, so this is what raises the priority of the RTP (audio) packets.
  3. SIP — VOIP control signalling: call setup, source phone, target phone and extension, everything about the call except the audio itself.
  4. RTP — the VOIP audio itself: compressed audio from the phone’s codec, sent as a stream of small UDP packets.
  5. Mikrotik Queues — Quality of Service (QoS): pools of bandwidth with speed reserved for a specific type of traffic (VOIP first, web downloads last).
  6. Mikrotik Parent Queues — the total pool of available bandwidth, shared out to the children.
  7. Mikrotik Child Queues — a reserved portion of the parent’s bandwidth assigned to the one type of traffic that child handles.

Note — If you have FastTrack enabled, it tends to bypass Queues, you may need to disable FastTrack to enforce your Queues, which may drastically increase CPU usage under high loads. For our RB3011-RM, running at 100Mbps, we hit 10-15% CPU load with fast-track disabled.

#Mark SIP Connections
#These port numbers are for our VOIP provider, 8x8; different providers use different numbers.
#SIP All - Control:UDP/5060,5196-5199
#RTP All - Audio:UDP/3478-3480,15044,2222-2269,16384-16404,30000-30040
##RTP STUN:UDP/3478-3480
##RTP Polycom Phones:UDP/2222-2269
##RTP Linksys Phones:UDP/16384-16404
##RTP AAC Audio:UDP/30000-30040
#Note that port= matches the source OR the destination port, so any UDP flow that happens to use one of these ranges as its ephemeral source port gets marked too. You can optionally add a dst-address (or dst-address-list) of your VOIP provider's servers to tighten this; I prefer to keep it simple and focus on ports.
#Mark the SIP Connections with a Connection Mark. The ports listed above are UDP; if your provider signals SIP over TCP, add a matching rule with protocol=tcp.
/ip firewall mangle add chain=forward protocol=udp port=5060,5196-5199 action=mark-connection new-connection-mark=VOIP-SIP-Connection comment="Mark VOIP/SIP Connections"
#Mark SIP Packets, inside of the marked SIP Connections.
/ip firewall mangle add chain=forward connection-mark=VOIP-SIP-Connection action=mark-packet new-packet-mark=VOIP-SIP-Packet comment="Mark VOIP/SIP Packets"
#Mark RTP Connections; change to the port numbers your VOIP calls use.
/ip firewall mangle add action=mark-connection chain=forward new-connection-mark=VOIP-RTP-Connection port=3478-3480,15044,2222-2269,16384-16404,30000-30040 protocol=udp comment="Mark RTP Connections"
#Mark RTP Packets, inside of the marked RTP Connections. RTP port numbers are negotiated per call, but every packet of a marked connection inherits the mark from connection tracking, so this rule needs no port list.
/ip firewall mangle add action=mark-packet chain=forward connection-mark=VOIP-RTP-Connection new-packet-mark=VOIP-RTP-Packet comment="Mark VOIP/RTP Packets"
#Set the DSCP value of the RTP packets to 46 (Expedited Forwarding) as they leave the router. This is authoritative on your own network; your ISP and further hops may honour it or may rewrite it, so don't rely on it beyond your edge.
/ip firewall mangle add chain=postrouting action=change-dscp new-dscp=46 passthrough=yes packet-mark=VOIP-RTP-Packet comment="Change RTP Packets DSCP Value"
#There are two types of queues: Parent (total pool of bandwidth), and Child (consumer of a share of that pool)
#Priority, measured from 1 (Highest Priority/Most Important) to 8 (Lowest Priority/Least Important)
#Create a simple parent queue with your total pool of bandwidth, for your target bridge or LAN subnet; syntax is Upload/Download. This is for a 20Mbps Upload, and 170Mbps Download internet connection.
#Use your real-world numbers -- not what is on the ISP's account package!
#Create the Parent Queue.
/queue simple add max-limit=20M/170M name="Office Parent Queue" target=
#Create the Child Queue for RTP Traffic, priority 1/1 (Upload/Download). Each VOIP phone call takes up roughly 256kbps, so 2M/2M is enough for 8 concurrent calls.
#The packet-mark here must be the name set by the mark-packet rule above (VOIP-RTP-Packet), otherwise the queue never sees any traffic.
/queue simple add limit-at=2M/2M max-limit=2M/2M name="VOIP-RTP Queue" parent="Office Parent Queue" target= priority=1/1 packet-mark=VOIP-RTP-Packet
#Create the Child Queue for SIP Traffic, priority 2/2
/queue simple add limit-at=2M/2M max-limit=2M/2M name="VOIP-SIP Queue" parent="Office Parent Queue" target= priority=2/2 packet-mark=VOIP-SIP-Packet
#Create the Child Queue for all unmarked traffic (everything else), priority 8/8.
/queue simple add max-limit=15M/160M name="All Other Traffic" parent="Office Parent Queue" target= priority=8/8 packet-mark=no-mark
#You can check that your marks are applying through IP > Firewall > Connections > Add Column: Connection Mark > Sort by Connection Mark, by watching the queues (and the colours of the queue tree) during a speed test, and by running a VOIP call while trying to max out the internet.
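As an added example (not RouterOS code and not from the post), a small Python model of the mangle rules above. It shows how a connection mark set on the first packet of a flow is carried to every later packet of that flow in both directions, how the packet mark and the DSCP value are derived from it, and which child queue the packet lands in. It also shows the one false positive the port-based rules allow. Addresses, ports and flows are constructed; the port sets are the 8x8 values from the rules above.

```python
"""Model of connection marking, packet marking and queue selection for the
VOIP QoS rules above. Added example, not RouterOS code."""
from dataclasses import dataclass

SIP_PORTS = {5060, *range(5196, 5200)}
RTP_PORTS = {*range(3478, 3481), 15044, *range(2222, 2270),
             *range(16384, 16405), *range(30000, 30041)}
DSCP_EF = 46   # what the change-dscp rule writes into RTP packets

# child queues from the /queue simple rules above: packet mark -> (queue, priority)
QUEUES = {
    "VOIP-RTP-Packet": ("VOIP-RTP Queue", 1),
    "VOIP-SIP-Packet": ("VOIP-SIP Queue", 2),
    "no-mark": ("All Other Traffic", 8),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def conn_key(p):
    """Direction-independent 5-tuple, the way a connection-tracking entry sees it."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Mangle:
    def __init__(self):
        self.conntrack = {}   # conn_key -> connection mark (None = unmarked)

    def process(self, p):
        """Returns (connection mark, packet mark, dscp) for one forwarded packet."""
        key = conn_key(p)
        if key not in self.conntrack:
            # mark-connection rules: RouterOS 'port=' matches source OR destination
            # port, and the mark then sticks to the tracked connection.
            mark = None
            if p.proto == "udp" and {p.sport, p.dport} & SIP_PORTS:
                mark = "VOIP-SIP-Connection"
            elif p.proto == "udp" and {p.sport, p.dport} & RTP_PORTS:
                mark = "VOIP-RTP-Connection"
            self.conntrack[key] = mark
        cmark = self.conntrack[key]
        # mark-packet rules: the packet mark follows the connection mark on every packet
        pmark = {"VOIP-SIP-Connection": "VOIP-SIP-Packet",
                 "VOIP-RTP-Connection": "VOIP-RTP-Packet"}.get(cmark, "no-mark")
        dscp = DSCP_EF if pmark == "VOIP-RTP-Packet" else 0
        return cmark, pmark, dscp


def demo():
    """One call plus a web download; returns [(description, queue, priority, dscp)]."""
    phone, provider = "192.168.1.20", "198.51.100.10"      # constructed
    laptop, web, game = "192.168.1.50", "203.0.113.80", "203.0.113.90"
    m = Mangle()
    flows = [
        ("SIP INVITE out", Packet(phone, 5062, provider, 5060)),
        ("SIP 200 OK back", Packet(provider, 5060, phone, 5062)),
        ("RTP out (Linksys port)", Packet(phone, 16390, provider, 20004)),
        ("RTP back on provider port", Packet(provider, 20004, phone, 16390)),
        ("HTTPS download", Packet(laptop, 51234, web, 443, proto="tcp")),
        ("HTTPS data back", Packet(web, 443, laptop, 51234, proto="tcp")),
        # false positive: a UDP game whose ephemeral source port falls in 16384-16404
        ("UDP game from port 16400", Packet(laptop, 16400, game, 27015)),
    ]
    out = []
    for desc, p in flows:
        _, pmark, dscp = m.process(p)
        queue, prio = QUEUES[pmark]
        out.append((desc, queue, prio, dscp))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last flow is the reason for the dst-address note in the rules: any UDP flow that happens to use one of the RTP ranges as its source port is treated as a phone call and jumps to priority 1. Adding a dst-address-list of the provider's servers to the two mark-connection rules removes that.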


Mikrotik – Simple WAN Hard Failover

It is amazing how many ways there are to configure a simple WAN Failover on a Mikrotik. This post, contains three simple lines of code, that will perform a hard failover: Use a primary connection 100% of the time, if the primary line becomes unable to ping an external IP, switch entirely over to the failover line. When the primary comes back up, return to primary.

A common weakness of the simple check-gateway ping on a route is that unless your modem is in true bridge mode (which your ISP may not offer), the gateway the router pings is the modem sitting next to it, so the failover only ever triggers on a physical disconnection: the Mikrotik can always ping the device it is directly plugged into. What we really care about is loss of internet access, not just link-level connectivity. When testing failover, disconnect the modem’s upstream input, not the cable to your router or the modem’s power.

A common internet setup:

ISP <> Coax Cable / Fiber <> Modem/ISP-Gateway <> Ethernet Cable <> Ether1 Mikrotik

If you unplug the power of the modem, or disconnect the ethernet cable going to your router, your failover usually will test just fine, because the route to your gateway has been lost — but it won’t work if the ISP has issues.

For a proper test – to simulate the ISP having internal routing problems, or your area’s network node goes down, disconnect at the Coax/Fiber side — one step behind the Modem.


One of the more common methods of failover with Mikrotik is using netwatch to monitor an interface’s ability to ping external IPs and, when a down state is detected, run a script that changes the priority of the primary route or disables an interface or route entirely. These checks normally run every 5-10 seconds. I feel uncomfortable with this method, because complexity increases substantially for failing back to the primary interface; some of that code gets pretty intricate.


The code below is simple and reliable, but not immediate. If you want zero loss in connectivity, you’ll probably need scripts for a quicker response.

With these route-based rules, the time from internet connectivity stopping to workstations regaining internet access over the failover line is about 5-15 seconds. From testing, failing back to primary is a little quicker, maybe 5 seconds.

The way the code operates: a /32 route to a reliable public DNS server is pinned to the primary ISP gateway with scope=10, and the primary default route uses that DNS server’s address as its gateway (a recursive next hop) with check-gateway=ping and distance 1. The ping therefore goes to the DNS server through the primary ISP, not to the modem next door.

Distance is a routing metric that determines which of several routes to the same destination is used. The lower the distance, the higher the priority: a route at distance 5 will be taken over a route at distance 10.

When the check-gateway ping that is forced through the primary ISP gateway fails, the primary default route is marked unreachable/inactive. The next lowest active route is the failover route at distance 2.

The ping keeps running on the primary route. Once the DNS server responds again, the route becomes active automatically, distance 1 again beats distance 2 (the failover route), and traffic resumes flowing through the primary pipe.

#This pins the route to the public DNS server used for the check to the primary gateway's IP (usually the gateway IP provided by your ISP), so the ping below is forced out the primary line. Only choose a reliable server (Google, Comcast, Verizon, etc.).
#Note that this makes the check server reachable ONLY through your primary gateway: if the primary line is down and you're on the failover line, you won't be able to ping this server, so don't hand it out to clients as their DNS server.
#scope=10 matters: a static route defaults to scope 30, and a route may only be used as the next hop of another static route when its scope is at or below that route's target-scope (10 by default). Without scope=10 the recursive default route below never resolves.
/ip route add dst-address= gateway= scope=10 comment="Validate Primary Gateway"
#The primary default route. Its gateway is the DNS server address above, resolved recursively through the /32 route, so check-gateway=ping pings the DNS server via the primary line rather than the modem. Distance is 1 -- the lower the number, the higher the priority. Traffic flows through the lowest-numbered route that is reachable/working.
/ip route add gateway= distance=1 check-gateway=ping comment="WAN Primary"
#The failover route, via the ISP gateway of the failover line, at distance 2, higher than the primary default route.
/ip route add gateway= distance=2 comment="WAN Secondary"
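As an added example (not RouterOS code and not from the post), a Python model of the three routes above with recursive next-hop resolution, route scope and the check-gateway ping, so the failover, the fail-back and the two pitfalls (the check server stays pinned to the dead primary, and scope=10 is required) can be stepped through offline. The addresses are constructed documentation ranges: 203.0.113.1 is the primary ISP gateway, 198.51.100.1 the failover gateway, and 192.0.2.53 stands in for the public DNS server being pinged. It assumes, as described above, that the primary default route’s gateway is the DNS server address, reached recursively through the /32 route.

```python
"""Route selection with recursive next hops, scope and check-gateway, modelled
after the failover rules above. Added example, not RouterOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIMARY_GW = "203.0.113.1"     # constructed: ISP gateway on the primary line
SECONDARY_GW = "198.51.100.1"  # constructed: ISP gateway on the failover line
PING_TARGET = "192.0.2.53"     # constructed: stands in for the public DNS server
SOME_HOST = "192.0.2.200"      # constructed: any ordinary internet destination


@dataclass
class Route:
    dst: str                 # prefix; "0.0.0.0/0" is a default route
    gateway: str             # next hop; resolved recursively if not on-link
    distance: int = 1
    scope: int = 30          # RouterOS default for a static route
    target_scope: int = 10   # gateway may only resolve via routes with scope <= this
    check_gateway: bool = False
    active: bool = True


class RoutingTable:
    def __init__(self, connected):
        # subnets the router has an address in; gateways inside them are on-link
        self.connected = [ip_network(n) for n in connected]
        self.routes = []

    def add(self, **kw):
        self.routes.append(Route(**kw))

    def lookup(self, dst, max_scope=255):
        """Longest prefix first, then lowest distance, over active routes only."""
        d = ip_address(dst)
        cands = [r for r in self.routes
                 if r.active and r.scope <= max_scope and d in ip_network(r.dst)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))

    def nexthop(self, route, depth=0):
        """On-link gateway for a route, following recursive next hops."""
        g = ip_address(route.gateway)
        if any(g in n for n in self.connected):
            return route.gateway
        via = self.lookup(route.gateway, max_scope=route.target_scope)
        if via is None or via is route or depth > 8:
            return None
        return self.nexthop(via, depth + 1)

    def refresh(self, ping):
        """Re-evaluate every route. ping(target, on_link_gateway) -> bool stands in
        for the check-gateway probe; a route whose gateway cannot be resolved is
        inactive as well."""
        for r in self.routes:
            nh = self.nexthop(r)
            if nh is None:
                r.active = False
            elif r.check_gateway:
                r.active = ping(r.gateway, nh)
            else:
                r.active = True

    def egress(self, dst):
        r = self.lookup(dst)
        return None if r is None else self.nexthop(r)


def build_table(check_route_scope=10):
    t = RoutingTable(connected=["203.0.113.0/24", "198.51.100.0/24"])
    # "Validate Primary Gateway": pin the ping target to the primary ISP gateway
    t.add(dst=PING_TARGET + "/32", gateway=PRIMARY_GW, scope=check_route_scope)
    # "WAN Primary": default route whose gateway is the DNS server, checked by ping
    t.add(dst="0.0.0.0/0", gateway=PING_TARGET, distance=1, check_gateway=True)
    # "WAN Secondary": plain default route on the failover line
    t.add(dst="0.0.0.0/0", gateway=SECONDARY_GW, distance=2)
    return t


def simulate(primary_up, check_route_scope=10):
    """Returns (gateway used for ordinary traffic, gateway used for the ping target)."""
    t = build_table(check_route_scope)

    def ping(target, gw):
        # constructed outage: the primary ISP loses upstream connectivity, so
        # anything sent via the primary gateway gets no reply
        return gw != PRIMARY_GW or primary_up

    t.refresh(ping)
    return t.egress(SOME_HOST), t.egress(PING_TARGET)


if __name__ == "__main__":
    print("primary up:  ", simulate(True))
    print("primary down:", simulate(False))
    print("scope 30:    ", simulate(True, check_route_scope=30))
```

The second value returned by `simulate(False)` is the pitfall from the comments above: while on the failover line, the check server is still routed into the dead primary. The third call shows why the /32 needs scope=10: with the default scope 30 the recursive default route never resolves, and the router sits on the failover line even though the primary is healthy.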


Mikrotik IKEv2 VPN Server Setup Guide

Looking for a detailed guide on configuring a Mikrotik IKEv2 VPN server? Need your on-the-road devices to be able to remotely access your internal LAN? Then you’ve come to the right place 🙂

The major functional benefit of IKEv2 over L2TP/IPsec is that L2TP/IPsec effectively allows only one client per public source IP, while IKEv2 has no such limit. If you have, say, three Windows laptops on the same internet connection (hotel WiFi or a hotspot) trying to connect into the company VPN, only the most recent connection will remain live: just one laptop at a time. You could side-step the issue by giving each laptop its own cell-phone hotspot, which changes the source IP, but that isn’t always an option. IKEv2 doesn’t have this L2TP-based issue, so load up as many clients as you want.

With that said, IKEv2 is substantially harder to configure the first time than L2TP/IPsec, and harder again to configure for OSX clients the first time.

  • L2TP: DNS hostname/IP + user/password + shared secret
  • IKEv2: DNS hostname + Certificate Authority + server certificate + machine certificate

With this guide, it shouldn’t be too hard to knockout.



As of 01/30/2018, when this guide was written, there is a bug with certificates in the Mikrotik Current release channel (6.41) causing the error “unable to get local issuer certificate”. Sometimes IKEv2 connects perfectly; with the exact same configuration on 6.41, more often than not you’ll get the “local issuer certificate depth 0” error in the Mikrotik log under the IPsec topic. Use the BugFix channel (currently 6.39.3) and everything works A-OK.

Create Certificates

We are making the Mikrotik router the Certificate Authority, which signs a TLS-server certificate bound to its DNS name, and then also signs machine-specific client certificates. The CA’s private key never leaves the router; only the CA certificate is exported to clients.

This means you are authenticating computers by machine, not by a username/password. If you want usernames + passwords on top of machine certificates, you’ll need to configure RADIUS authentication, which is beyond the scope of this article.

The default validity is 365 days (1 year); I set it to 3650 (10 years), hence the “days-valid” argument. Ten-year machine certificates mean the certificate of a lost or retired laptop stays valid for a long time, so plan on revoking the certific…ate of any machine that leaves (the router can publish a CRL for the certificates its CA issued).

Adjust the common name to be your company’s DNS address of the VPN appliance, e.g. vpn.yourdomain.com. In my instance, I configured ca-crl-host to be the LAN IP address of the device; note that a CRL published at a LAN address is only fetchable from inside the LAN.

We create a Certificate Authority, so certificates can be created. We create and sign a TLS-Server certificate which will allow the Mikrotik to receive connections.

##Mikrotik IKEv2 VPN Server Guide
#Create your Root Certificate Authority
###Replace common name with Public DNS name of VPN appliance, and replace ca-crl-host IP with IP of LAN router.
/certificate add common-name="vpn.yourdomain.com Root CA" name=ca days-valid=3650
/certificate sign ca ca-crl-host=
#Delay pause due to it taking about 0.5s for the CA to be ready for terminal to access it.
:delay 2
#Create your VPN Server Certificate. Change common-name to the DNS name of the VPN server, and put the same name into subject-alt-name as DNS:... -- clients compare the name they dialed against the SAN, not the common name. Add IP:<address> as well only if clients will dial the IP instead of the name.
/certificate add common-name=vpn.yourdomain.com subject-alt-name=DNS:vpn.yourdomain.com key-usage=tls-server name=vpnserver1 days-valid=3650
/certificate sign vpnserver1 ca=ca

Configure Mikrotik IKEv2 Settings

We are going to have our VPN clients connect to their own subnet, rather than snatching IP addresses from the DHCP server in your primary LAN. This also lets you manage the VPN clients subnet with custom rules if needed, very helpful for controlling access or shaping traffic.

#Create the VPN Bridge
/interface bridge add name=vpn-bridge
#Add an IP address to the VPN bridge, making it act as a gateway for VPN clients
/ip address add interface=vpn-bridge address= comment="VPN Bridge IP"
#Configure the IPsec proposal (phase 2) algorithms
#SHA1 and AES-128-CBC are listed for Windows 7 clients; remove them once you have none left
#SHA256 and AES-256-CBC are required for OSX
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1,sha256 enc-algorithms=aes-128-cbc,aes-256-cbc pfs-group=modp2048
#Create an IP pool for VPN clients
/ip pool add name=vpn-pool ranges=
#Configure a Mode Config to use that pool -- CHANGE THE IP ADDRESS to your to your internal Domain Controller/DNS server. If you don't have one, use the IP of the vpn-bridge.
/ip ipsec mode-config add address-pool=vpn-pool address-prefix-length=32 name=vpn-config system-dns=no static-dns=
#Configure the IPsec peer: accept any client that authenticates with a certificate signed by our CA and agrees to these phase 1 settings. modp1024 is included for older Windows clients; remove it when none remain.
/ip ipsec peer add address= auth-method=rsa-signature certificate=vpnserver1 dh-group=modp1024,modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn-config passive=yes
#Configure IPSec Policy to allow connection to the following networks.
/ip ipsec policy set 0 dst-address= src-address=

Export Machine Certificates

Time to create, and export the certificates our workstations will need.

#Export certificates so clients can use their cert. They will need to import the trusted Certificate Authority, and then import their personal cert, which should be password protected.
#Export the root Certificate Authority. This is saved into the root of the "Files" tab, no password, and contains only the public certificate (the CA's private key stays on the router). Drag cert_export_ca.crt to the desktop.
#This certificate is imported into the Trusted Root Certification Authorities > Certificates store.
#Start > Run > MMC.exe > File > Add Snap-In > Certificates > Computer Account > Trusted Root Certification Authorities > Right-Click > All Tasks > Import > cert_export_ca.crt
/certificate export-certificate ca

#Create each client machine certificate; make the common name match the hostname of that machine (it becomes the client's IKEv2 identity).
/certificate add common-name=computer1 key-usage=tls-client name=computer1 days-valid=3650
/certificate sign computer1 ca=ca

#Export the client's certificate together with its private key. The file name matches the "name" of the certificate. This exports a password-protected .p12 file ready for import on a Windows machine; use a different, strong passphrase per machine and deliver it separately from the file.
#Start > Run > MMC.exe > File > Add Snap-In > Certificates > Computer Account > Personal > Right-Click > All Tasks > Import > cert_export_computer1.p12
#This certificate is imported into the LOCAL COMPUTER Account > Personal > Certificates store
/certificate export-certificate computer1 export-passphrase=SuperSecretPassword type=pkcs12
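As an added example (not RouterOS code, not the router’s own PKI and not from the post), the same three-certificate layout built with the third-party Python `cryptography` package, followed by the two checks an IKEv2 client performs that the errors in this guide come from: is the server certificate signed by the CA the client trusts (“unable to get local issuer certificate” when it is not), and does its subject-alt-name carry the host name the client dialed. Names are the post’s placeholders; all keys are generated fresh when the script runs.

```python
"""CA, server and machine certificates for an IKEv2 setup, plus the client-side
chain and name checks. Added example, not RouterOS code. Requires the
third-party `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

VPN_HOST = "vpn.yourdomain.com"   # placeholder from the guide


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_cert(cn, key, issuer=None, issuer_key=None, days=3650, eku=None, san_dns=None):
    """issuer=None produces a self-signed CA. days=3650 mirrors days-valid above."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer.subject if issuer else subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None),
                        critical=True))
    if eku is not None:       # key-usage=tls-server / tls-client on the router
        b = b.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    if san_dns is not None:   # subject-alt-name=DNS:... on the router
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san_dns)]),
                            critical=False)
    return b.sign(issuer_key if issuer_key else key, hashes.SHA256())


def check_issuer(cert, ca):
    """Chain check against one trusted CA: 'ok' or the reason it fails."""
    if cert.issuer != ca.subject:
        return "unable to get local issuer certificate"
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "signature does not verify against the CA key"
    return "ok"


def check_server_name(cert, hostname):
    """The name the client dialed must appear as a DNS SAN; the CN alone is not enough."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    return hostname in san.get_values_for_type(x509.DNSName)


def has_eku(cert, oid):
    try:
        return oid in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False


def demo():
    """Build the CA, server cert and one machine cert, then run the checks a
    client would. Returns {check name: result}."""
    ca_key, srv_key, pc_key, rogue_key = new_key(), new_key(), new_key(), new_key()
    ca = build_cert(f"{VPN_HOST} Root CA", ca_key)
    server = build_cert(VPN_HOST, srv_key, ca, ca_key,
                        eku=ExtendedKeyUsageOID.SERVER_AUTH, san_dns=VPN_HOST)
    computer1 = build_cert("computer1", pc_key, ca, ca_key,
                           eku=ExtendedKeyUsageOID.CLIENT_AUTH)
    # an untrusted CA: what a client sees when the wrong ca.crt was imported
    rogue_ca = build_cert("Some Other Root CA", rogue_key)
    rogue_server = build_cert(VPN_HOST, srv_key, rogue_ca, rogue_key,
                              eku=ExtendedKeyUsageOID.SERVER_AUTH, san_dns=VPN_HOST)
    return {
        "server chain": check_issuer(server, ca),
        "server name": check_server_name(server, VPN_HOST),
        "server eku": has_eku(server, ExtendedKeyUsageOID.SERVER_AUTH),
        "client chain": check_issuer(computer1, ca),
        "client eku": has_eku(computer1, ExtendedKeyUsageOID.CLIENT_AUTH),
        "rogue chain": check_issuer(rogue_server, ca),
        "name without SAN": check_server_name(computer1, "computer1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The “rogue chain” result is the same condition the 6.41 bug note above describes from the client’s point of view: a server certificate whose issuer is not the CA in the client’s trusted-root store is refused before any key exchange happens, so importing the right ca.crt on every client is not optional.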


Install Certificates on Windows

From Winbox > Files, drag your exported files to your local PC. They should be named:

  • cert_export_ca.crt (Trusted Root Certificate Authority)
  • cert_export_computername.p12 (PKCS#12 / PFX Encrypted Client Certificate)

Start > Run > mmc.exe > File > Add/Remove Snap-In > Certificates > Local Machine

Certificates (Local Computer) > Trusted Root Certification Authorities > Right-Click > All Tasks > Import > Browse > cert_export_ca.crt > OK.

Certificates (Local Computer) > Personal > Right-Click > All Tasks > Import > Browse > change the file-name filter from X.509 to Personal Information Exchange (*.p12, *.pfx) > cert_export_computername.p12 > Enter Password > Next > OK. Leave “Mark this key as exportable” unchecked unless you have a specific need to move the key later: the machine certificate’s private key should not be copyable off the laptop.


Configure VPN Connection on Windows

Start > Control Panel > Network and Sharing Center > Set up a new connection or network

Connect to a Workplace/VPN > No, create new > Use Internet (VPN) > Internet Address: vpn.yourdomain.com > Check: Don’t connect now/Setup later.

Network and Sharing Center > Adapter Settings (left) > right Click VPN Connection > Properties > Security: Type: IKEv2: Use Machine Certificates > OK

As long as you have already successfully imported your CA and computer certificates into the computer’s Local Store, you should now be able to connect.

Windows 10 users may also need to open the VPN entry under Settings > Network & Internet > VPN (the Metro-style settings) and set the sign-in type to Certificate instead of user name and password.



Install Certificates on MacOS

Open KeyChain Access

Get the cert_export_ca.crt and cert_export_computername.p12 files onto the Mac.

File > Import Items: cert_export_ca.crt > Keychain: System > in the System keychain find “vpn.yourdomain.com Root CA” > Open > Trust: Always Trust > Close

File > Import Items: cert_export_computername.p12 > Keychain: System > enter the export passphrase > in the System keychain find ComputerName > Open > Trust: Always Trust > Close

Configure VPN Connection on MacOS

Apple’s built-in VPN client doesn’t expose many options; one of the missing settings, which really should be a checkbox under System Preferences, is disabling EAP so that the machine certificate is used for authentication. The only way around it I’ve found is to obtain Apple Configurator from the App Store and create a custom configuration profile that installs an IKEv2 policy along with the certificates; the profile carries the settings the GUI has no buttons for.

Open the App Store > Apple Configurator > Install > Open.

File > New Profile


Browse to the CA cert file, also browse to the machine .P12 cert file, enter the password > Enter. Both should appear as trusted since you already marked them as trusted under Keychain Access.


  1. Name: Company VPN
  2. Type: IKEv2
  3. Server: vpn.yourdomain.com
  4. Remote Identifier: vpn.yourdomain.com
  5. Local Identifier: ComputerName (must match the certificate’s common name exactly)
  6. Machine Authentication: Certificate, select cert_export_MachineName
  7. Enable Perfect Forward Secrecy: Checked
  8. Encryption Algorithm: AES-256
  9. Integrity Algorithm: SHA-256
  10. Diffie-Hellman Group: 14 (2048-bit)

File > Save As > Name

On Mac > Double-Click the Saved Profile > Install

Now Open System Preferences > Network, Your VPN connection should have been created, and can now connect without issue — woohoo!


Wow, that was a lot of work, hoping you got it going, thanks for reading this far, and good luck in all your future endeavors!

Mikrotik L2TP IPsec Dedicated VPN Appliance Setup

Mikrotik L2TP IPSec VPN Guide – Start to Finish Appliance

There are a small number of L2TP IPSec VPN guides, I found them pretty frustrating, and often conflicting when integrating into an existing network. This guide provides full configuration steps for a Mikrotik L2TP/IPSec VPN appliance. It does not have to be the primary router. VPN clients are integrated into their own network/bridge, and from there, can connect in to the primary LAN.

First Steps

Update the Router Operating System

  • System > Packages > Check for Updates > Current > Download and Install

Disable Beeping Sounds on Boot

  • System > Routerboard > Settings > Silent Boot: Checked > OK

After reboot, upgrade the Router Firmware

  • System > Routerboard > Upgrade
  • System > Reboot > OK

Now Reset the router to defaults

  • System > Reset Configuration > OK

Disable the DHCP server

  • IP > DHCP Server > Select > X (Disable)


Set an identity

  • System > Identity > COMPANY-VPN

Add a static IP to bridge.

  • IP > Addresses > + (Add) > IP/subnetmask (e.g.

Add ETH2 to bridge

  • Bridge > port > + (Add) > ether2-master > bridge

Create two NAT rules (if not already present), a NAT for Internet Access from the LAN, and a NAT for LAN access from the VPN clients.

  • IP > Firewall > NAT > + (Add) > Chain:srcnat > Out Interface: Ether1 (WAN Port) > Action: Masquerade
  • IP > Firewall >  NAT > + (Add) > Chain: srcnat > Out. Interface: bridge (LAN bridge) > Action: Masquerade


Security Hardening

Disable Unused Services

By default a Mikrotik ships with all of its management services enabled (api, api-ssl, ftp, ssh, telnet, winbox, www, www-ssl). Disable the ones you don’t use, and restrict the ones you keep.

  • IP > Services > Disable all except for Winbox (TCP 8291); on the Winbox entry, set Available From to your LAN subnet so the service is not reachable from the internet at all
  • IP > Firewall > Service Ports > Disable ALL
  • Tools > RoMON > Disabled
  • IP > Settings > RP Filter: strict (prevents IP spoofing)

Configure Password

Change the Mikrotik’s password to administer the device

  • System > Password > Select a new password

Disable Neighbor Discovery on WAN

  • IP > Neighbors > Discovery Interfaces > Ether1: Disabled


VPN Settings Config

VPN Subnet

If you need to connect say, 10+ people via VPN, you might not want to use up IPs in the standard LAN range, gobbling up IPs from your DHCP server, in which case, you should create a separate subnet for VPN users, that is able to communicate with the internal LAN.

To do this, there are four things to modify:

  1. Create a bridge — it does not need to have any interface as a port.
    1. Bridge > + (Add) > Name: vpn-bridge.
  2. Assign an IP Address to the VPN Bridge.
    1. IP > Addresses > + (Add) >
  3. Create a NAT rule if not already present — this lets VPN clients talk to the network.
    1. IP > Firewall > NAT > + (Add) > Chain: srcnat > Out. Interface: vpn-bridge > Action: Masquerade.
  4. Enable a DHCP server on the VPN Bridge
    1. IP > DHCP Server > Edit the DHCP entry > Interface: vpn-bridge.
    2. IP > DHCP Server > Networks
      1. Network: — Your VPN Bridge LAN
      2. Gateway: — Your VPN Bridge LAN IP Address
      3. DNS Servers:  IP of Domain Controller/DNS Server + (VPN Bridge)
      4. Domain: your FQDN (company.local, etc).
      5. IP > Pool > Adjust IP range to match DHCP Server.
        1. E.g.

Create User Accounts

  • PPP > Secrets > + (Add)
    • Name: username
    • Password: password
    • Service: any
    • Profile:default

VPN Policy

  • PPP > Profiles > Edit “default”
    • General
      • Local Address: IP of Mikrotik
      • Remote Address: default-dhcp (IP pool)
      • Bridge: vpn-bridge
      • DNS Server(s): IP(s) of DNS servers in the building, usually a Domain Controller.
    • Limits – Rate-Limit — optional, if you want to rate-limit per client.
      • rx/tx as seen by the router: the first number is the client’s upload and the second the client’s download, e.g. 5M/10M for 5 Mbps up and 10 Mbps down.

L2TP VPN Bare Minimum Firewall Rules

IP > Firewall > Filter Rules > delete the existing rules. Do this from a LAN-side connection (or a Winbox MAC connection), never over the WAN, or the rules below can lock you out before the accept rules are in place.

Paste all rules below into New Terminal

VPN Rules

  • /ip firewall filter add chain=input action=accept comment="VPN L2TP UDP" in-interface=ether1 protocol=udp dst-port=500,1701,4500
  • /ip firewall filter add chain=input action=accept comment="VPN L2TP ESP" protocol=ipsec-esp
  • /ip firewall filter add chain=input action=accept comment="VPN L2TP AH" protocol=ipsec-ah

Optionally, tighten the first rule so that UDP 1701 is only accepted once IPsec has decrypted it, by moving port 1701 into its own accept rule carrying ipsec-policy=in,ipsec; plain, unencrypted L2TP is then refused.

Public Router Security Rules

  • /ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
  • /ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
  • /ip firewall filter add chain=input comment="Accept Established / Related Input" connection-state=established,related
  • /ip firewall filter add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
  • /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect Port Scanners" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
  • /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
  • /ip firewall filter add action=accept chain=input comment="Accept ICMP/Ping" protocol=icmp
  • /ip firewall filter add action=drop chain=input comment="Drop Input" in-interface=ether1

Two things to know about the BlackList rules. First, a single TCP SYN to one of the listed ports on the WAN side gets the sender dropped for a day, so a spoofed SYN with a forged source address can get a legitimate remote site (the hotel your VPN users sit in) blacklisted. Second, in the order pasted here the three VPN accept rules come before the blacklist drop, so a blacklisted host can still reach IKE/L2TP; if you want the blacklist to cover the VPN ports too, move the two “Drop Blacklisted Hosts” rules to the top of the list.
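As an added example (not RouterOS code and not from the post), the input-chain rules above evaluated in order against a few constructed packets, with the BlackList address list and its 1-day timeout modelled. It makes the rule-order point concrete: in the order pasted above, a host that the port-scan rule has blacklisted still gets its IKE packets accepted, while the same host is dropped once the blacklist drop sits in front of the VPN accepts. Source addresses and interface names are constructed; the forward-chain rules are left out because only the input chain is being walked.

```python
"""Ordered evaluation of the input chain above, with address-list timeouts.
Added example, not RouterOS code. Packets and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

DAY = 86400   # address-list-timeout=1d


@dataclass(frozen=True)
class Pkt:
    src: str
    proto: str            # tcp, udp, icmp, ipsec-esp, ipsec-ah
    dport: int
    in_if: str            # ether1 = WAN, ether2 = LAN
    state: str = "new"    # new, established, related


@dataclass
class Rule:
    action: str           # accept, drop, add-src-to-address-list
    comment: str
    in_if: Optional[str] = None
    proto: Optional[str] = None
    dports: frozenset = frozenset()
    states: frozenset = frozenset()
    src_list: Optional[str] = None
    add_to: Optional[str] = None


SCAN_PORTS = frozenset([*range(21, 24), 53, 88, *range(135, 140), 389, 445,
                        1433, 3306, 3389, 5900, 6667])

VPN_RULES = [
    Rule("accept", "VPN L2TP UDP", in_if="ether1", proto="udp", dports=frozenset({500, 1701, 4500})),
    Rule("accept", "VPN L2TP ESP", proto="ipsec-esp"),
    Rule("accept", "VPN L2TP AH", proto="ipsec-ah"),
]
PUBLIC_RULES = [
    Rule("drop", "Drop Blacklisted Hosts to Router", in_if="ether1", src_list="BlackList"),
    Rule("accept", "Accept Established / Related Input", states=frozenset({"established", "related"})),
    Rule("add-src-to-address-list", "Detect Port Scanners", in_if="ether1", proto="tcp",
         dports=SCAN_PORTS, add_to="BlackList"),
    Rule("add-src-to-address-list", "Detect UDP WAN DNS Lookups", in_if="ether1", proto="udp",
         dports=frozenset({53}), add_to="BlackList"),
    Rule("accept", "Accept ICMP/Ping", proto="icmp"),
    Rule("drop", "Drop Input", in_if="ether1"),
]
PAGE_ORDER = VPN_RULES + PUBLIC_RULES                               # as pasted above
HARDENED_ORDER = PUBLIC_RULES[:2] + VPN_RULES + PUBLIC_RULES[2:]    # blacklist drop first


class InputChain:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}   # address list name -> {address: expiry time}

    def listed(self, name, addr, now):
        exp = self.lists.get(name, {}).get(addr)
        return exp is not None and exp > now

    def matches(self, r, p, now):
        return ((r.in_if is None or r.in_if == p.in_if)
                and (r.proto is None or r.proto == p.proto)
                and (not r.dports or p.dport in r.dports)
                and (not r.states or p.state in r.states)
                and (r.src_list is None or self.listed(r.src_list, p.src, now)))

    def run(self, p, now=0):
        """Walk the chain; returns (action, comment of the deciding rule)."""
        for r in self.rules:
            if not self.matches(r, p, now):
                continue
            if r.action == "add-src-to-address-list":
                # non-terminating action: record the source, keep walking the chain
                self.lists.setdefault(r.add_to, {})[p.src] = now + DAY
                continue
            return r.action, r.comment
        return "accept", "end of chain (default accept)"


ATTACKER, STRANGER, LAN_PC = "203.0.113.9", "203.0.113.77", "192.168.88.10"   # constructed


def scenario(rules):
    """Probe RDP from the WAN (gets blacklisted), then IKE from the same host,
    Winbox from WAN and from LAN, and the same IKE attempt one day later."""
    chain = InputChain(rules)
    return [
        chain.run(Pkt(ATTACKER, "tcp", 3389, "ether1")),
        chain.run(Pkt(ATTACKER, "udp", 500, "ether1")),
        chain.run(Pkt(STRANGER, "tcp", 8291, "ether1")),
        chain.run(Pkt(LAN_PC, "tcp", 8291, "ether2")),
        chain.run(Pkt(ATTACKER, "udp", 500, "ether1"), now=DAY + 1),
    ]


if __name__ == "__main__":
    for label, rules in (("page order", PAGE_ORDER), ("hardened order", HARDENED_ORDER)):
        print(label)
        for step in scenario(rules):
            print("  ", step)
```

Note the fourth result: the LAN reaches Winbox only because the input chain’s default action is accept once no rule matches. If you ever add a final drop without an in-interface restriction, add an accept for the LAN (or for Winbox’s Available From range) above it first.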

L2TP Server Enable

  • IP > IPsec > Peers
    • New (+)
      • Address: (for allowing any internet IP to attempt to connect)
      • Auth Method: pre shared key
      • Exchange Mode: main l2tp
      • Secret: “SharedSecret” (Must match the PSK from PPP > L2TP Server)
    • Advanced Tab
      • Policy Template Group: default
      • Send Initial Contact: Enabled
      • NAT Traversal: Enabled
      • My ID type: auto
      • Generate Policy: port strict
      • Proposal Check: obey
    • Encryption Tab
      • Hash Algorithm: sha1, sha256
      • Encryption Algorithm: Check: aes-128, aes-192, aes-256
      • DH Group: Check: modp1024 (and modp2048)
  • IP > IPsec > Proposals: Default
      • Auth Algorithms: sha1, sha256
      • Encr Algorithms: aes-128 cbc, aes-192 cbc, aes-256 cbc
      • PFS Group: modp1024 (and modp2048)

modp1024 is the weakest group still in common use; it is listed only because Windows clients propose it by default for L2TP/IPsec. Enable modp2048 alongside it so that clients which support the stronger group negotiate it.

Allow VPN to Local Routing

  • Interface > ether2 (LAN port) > ARP > Change from “Enabled” to “Proxy-Arp”

L2TP Server Config

  • PPP > Interface > L2TP Server
    • Enabled: Yes
    • Use IPsec: Yes
    • Default Profile: Change from “Default-encryption” to “default”
    • Authentication: MSCHAP2 ONLY
    • IPsec Secret: “SharedSecret” (match what was in the IPsec Peer)

Now you can connect from a Windows or Mac client.

Note about DNS lookups

If you try resolving a short, single-label name, for example “ping server01”, it will time out.

NETBIOS broadcast name resolution does not work through the VPN (broadcasts from the VPN bridge do not reach the LAN), but FQDNs resolved by the internal DNS server do.

For example, server01 will not resolve.

Server01.domain.local will resolve.

If you need to connect to an internal terminal server but don’t want to use an IP or the full hostname, create an A record on the internal DNS server to match, e.g. remote.company.com; this helps internal clients resolve directly as well.

Additional Steps – Run once

New Terminal Button, copy/paste

#Set the device to reboot every month at 4AM, can’t hurt 🙂

/system scheduler add interval=30d name="Reboot Router Monthly" on-event="/system reboot" start-date=jan/01/1970 start-time=4:00:00

#Set the clock time zone

/system clock set time-zone-name=America/Los_Angeles

#Set the time servers

/system ntp client set enabled=yes primary-ntp= secondary-ntp= server-dns-names=time1.google.com,time2.google.com


Multiple Clients — Same Source IP Problem

This is an issue for ANY L2TP/IPsec VPN server, not just Mikrotik gear. The L2TP client always initiates from the same UDP port, 1701, and the IPsec transport-mode policy the server generates for the client is keyed on the client’s public IP address and that port. If a single computer is connecting, no issues. If a second computer in the same network (e.g. two laptops at a hotel, behind the same NAT) connects, its policy is identical to the first one and replaces it, so the most recent connection kicks off the previously established one.

As a note, there is an optional setting in the L2TP VPN protocol that, using a Strict Port setting, allows clients to select a different UDP port once a connection is established, rather than being hard-coded to UDP 1701. In practice, it works on Macs/Linux and does not work on Windows clients. I’ve had 5x OSX devices connect from the same source IP without issue. I’ve had 1x Windows and 5x OSX devices connect without issue. The moment a second Windows L2TP client attempts to connect, the previous connection will be kicked.

What’s the fix if you’ve got a lot of Windows clients sharing the same source IP? Use different source IPs (cell-phone hotspot), or configure an IKEv2 VPN server rather than an L2TP VPN server; the Mikrotik IKEv2 VPN Server Setup Guide above covers that.


  • System > Logging
    • New (+)
    • Topics: l2tp, ppp, and ipsec (one entry each)
    • Action: memory
    • You will then see the negotiation under “Log” and can search for the messages where something needs adjusting.
  • For Windows 10, make sure you enter the pre-shared key twice: once when creating the VPN connection, and again by editing the connection after Windows has made it; it isn’t saved the first time.

Windows error for no client-side pre-shared key: “The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”

Mikrotik error for no client saved pre-shared key. Log: “no peer config” or “failed to get valid proposal” or “failed to pre-process ph1”


  • For MacOS

Make sure you enable “Send all traffic over VPN connection” (“tunnel all”) under System Preferences > Network > the L2TP connection > Advanced > Options when adding an L2TP/IPsec connection. Without it, you will only be able to ping the VPN gateway, rather than other devices in the network.