Mikrotik + Pihole = Block All Ads

If you are using a Pi-hole, whether on an actual Raspberry Pi or as a VM (say, on DietPi), you like that it refuses to resolve ad servers within your LAN.

However, many apps and devices ignore the DNS servers offered by DHCP; the offer is just that, an offer. Devices with hardcoded DNS servers will still resolve ad and tracking domains.

Mikrotik lets you use NAT rules that redirect all DNS requests, no matter where they are addressed, to the Pi-hole. If a client queries 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), or some shady ad-friendly DNS server online, the query lands on the Pi-hole instead. This is also useful on business networks where you do not want guests using their own DNS servers to bypass your content blocking.

The reply then has to look as though it came from the server the client asked. The dst-nat rule alone is not enough here, because the Pi-hole sits on the same LAN as the client: it would answer the client directly, the router would never get to undo the dst-nat, and the client would see an answer from 10.10.10.3 to a query it sent to 8.8.8.8. The masquerade (hairpin) rules force the Pi-hole's replies back through the router, which rewrites them to appear to come from the original address. Without them, many apps and devices discard the mismatched reply and refuse to function. Note that this only catches classic DNS on port 53: DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) go around it, so block 853 outright and treat known DoH resolvers as something to blocklist separately.

#Edit IPs and networks to match your setup.
#10.10.10.3 is the Pi-hole in this example.
#10.10.10.0/24 is the LAN network.
#
#Rule for UDP 53 -- the bulk of DNS traffic
#If any DNS request passes through the router and is not already going to 10.10.10.3, redirect it to 10.10.10.3
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 protocol=udp src-address=!10.10.10.3 dst-address=!10.10.10.3 dst-port=53
#
#Rule for TCP 53 -- DNS falls back to TCP for large answers and zone transfers, and some resolvers use TCP directly
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 protocol=tcp src-address=!10.10.10.3 dst-address=!10.10.10.3 dst-port=53
#
#Masquerade (hairpin) rules for both, so the Pi-hole's replies return through the router and the dst-nat can be reversed
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53
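
Two things the rules above leave open, as an added example that is not part of the original post. First, the dstnat chain sees packets arriving on every interface, and the default Mikrotik firewall's forward chain only drops WAN traffic that was not dst-nat'ed, so as written a port-53 packet aimed at the router's public address would be forwarded to the Pi-hole and quietly turn it into an open resolver; limiting the rules to the LAN interface list closes that. Second, DNS over TLS on TCP 853 bypasses the redirect, so reject it. The interface-list name LAN is the one the default configuration creates (RouterOS 6.36 or newer); the addresses are the post's.

```routeros
# Added example, not the original post's rules: same DNS interception, but only for
# LAN-originated traffic, so a packet arriving on the WAN side can never match.
# Assumes the default "LAN" interface list and the Pi-hole/LAN addresses from the post.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 to-ports=53 protocol=udp dst-port=53 in-interface-list=LAN src-address=!10.10.10.3 dst-address=!10.10.10.3 comment="Redirect LAN UDP DNS to Pi-hole"
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 to-ports=53 protocol=tcp dst-port=53 in-interface-list=LAN src-address=!10.10.10.3 dst-address=!10.10.10.3 comment="Redirect LAN TCP DNS to Pi-hole"
# Hairpin: the Pi-hole's replies must come back through the router so the dst-nat can be
# reversed and the client sees an answer from the address it actually asked.
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53 comment="Hairpin UDP DNS to Pi-hole"
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53 comment="Hairpin TCP DNS to Pi-hole"
# DNS over TLS (TCP 853) would skip the Pi-hole entirely; reject it with a reset so clients
# fall back to plain DNS quickly. DNS over HTTPS shares TCP 443 with the web and cannot be
# picked out by port; that needs an address list of known DoH resolvers instead.
/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp dst-port=853 in-interface-list=LAN comment="Block DNS over TLS"
```

To confirm the interception works, query an ad domain from a LAN client against a public resolver (for example 8.8.8.8) and check that the answer is the Pi-hole's block response rather than a real address; if the reply never arrives, the hairpin rules are the first place to look.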

Physical to Virtual Conversion – BSOD – 0x0000007B

So you’re trying to convert a physical computer into a virtual machine. This physical computer probably has a RAID card, like a Dell PowerEdge server or a Precision workstation. You may have used Disk2VHD or another conversion tool and everything went great. You may even have confirmed it’s not the bootloader: a boot menu does appear, and Macrium Reflect’s “Fix Boot Problems” tool confirms the right OS is selected. Normal, Safe Mode, whatever: on trying to boot, you get a Blue Screen of Death (BSoD), it auto-restarts, and nothing seems to fix it. If you’re really, really fast and screen-capture your VM at 60fps with something like OBS or FRAPS, you see the glitched-out error: STOP 0x0000007B, INACCESSIBLE_BOOT_DEVICE. What could it mean? Google provides a million potential reasons, most of them wrong.

The root issue is that Windows records in the registry which storage controller driver has to be loaded at boot (Start = 0) to reach the system volume. You have just made a massive change, from a vendor-specific RAID driver to a generic virtual-hardware controller from a different vendor, and the driver for that new controller is set to load on demand, so the boot volume is unreachable. You have to point it back on track.

If you’ve got a VHD, make it accessible by either the HyperV host, or a Windows workstation, and right-click the VHD > Mount. Go to “This PC”, and look for the drive. In my case, it’s a 2008 R2 VM. But I’ve had this same issue occur with Win7, Win2012, or Win2019 servers, so, it’s pretty common.

Solution: Mount the virtual disk, load its SYSTEM hive in RegEdit on another machine, change the Start values of the storage controller drivers, unload the hive, unmount, and hope for the best on the next boot.

Start + R = Run > regedit.exe

Select: HKEY_LOCAL_MACHINE > File > Load Hive > Browse to the mounted VHD: X:\Windows\System32\Config\SYSTEM > Keyname: ComputerName_SYSTEM

HKEY_LOCAL_MACHINE\ComputerName_SYSTEM\ControlSet001\services

Check HKEY_LOCAL_MACHINE\ComputerName_SYSTEM\Select first: its “Current” value tells you which control set the system actually boots from. It is usually 1, hence ControlSet001; if it says 2, edit ControlSet002 instead.

Which “Start” values you change depends on the kind of physical machine you came from, the new virtualization host (Hyper-V, VMware, VirtualBox, etc.), and the generation of the new VM (Gen1 = IDE, Gen2 = SCSI, typically). Adjust the list below to your situation.

DISABLE the old controller by changing its Start value to 3 (load on demand) or 4 (disabled); either way it is no longer loaded at boot.
ENABLE the new controller by changing its Start value to 0 (boot start). The matching .sys file must exist under X:\Windows\System32\drivers; the inbox drivers below all do.
aliide (ALi IDE controller)
amdide (AMD IDE controller)
msahci / storahci (SATA AHCI; the inbox driver is msahci on Windows 7 / 2008 R2 and storahci on Windows 8 / 2012 and later; e.g. VirtualBox’s SATA controller)
atapi (IDE channel / ATAPI port driver)
iaStorV (Intel RST RAID controller)
intelide (Intel PCI IDE controller; what a Hyper-V Gen1 VM presents)
pciide (generic PCI IDE adapter)
lsi_sas or lsi_sas2 (LSI Logic SAS, the default SCSI controller on VMware ESXi; physical to ESXi)
viaide (VIA IDE controller)

In my case, I’m going from a Dell PowerEdge PERC RAID controller to a Hyper-V IDE (Gen1) controller, so I edit intelide\Start from 3 (on demand) to 0 (boot start). I also set atapi\Start to 0, since atapi is the IDE channel driver the Gen1 disk sits behind. I did not need to disable the old PERC driver; enabling the new ones was enough.

Once your changes are made, go back to HKLM, select the Key, File > Unload Hive. Eject your VHD. Cross your fingers, pray, and hope for the best — boot the VM. If it doesn’t instantly BSoD — it just stays black… wait. it. out…. it may take anywhere from 2 minutes to 20, just let it think and be patient.

If you get to a logon (Ctrl+Alt+Del) screen, the scope of this article is done. If you’ve got a Server 2008 R2 / SBS 2011 VM, there is a chance that after logging in you will only see a solid blue screen. Task Manager can be opened with Ctrl+Shift+Escape. You may need to boot into Safe Mode, log in, let it sit on the blue screen for 10 minutes while it loads drivers (don’t hard-reboot and interrupt it), then reboot in normal mode and everything should load up. Once you’re fully in, install the integration tools.

Well that was fun…. Another day in the life of a sysadmin =].

Remotely Erase a Stolen PC

What we want to make happen.

Laptop stolen? Got a way to run code on it remotely, like remote access, Kaseya, LabTech, N-able, or another RMM? You already BitLocker-encrypted it, right? Right??? If not, look no further for code to delete user data and make the computer unbootable. Be clear about what this is: the files are unlinked from the filesystem, but their contents stay on disk until overwritten and are recoverable with forensic tools, so this is damage control, not a secure wipe. Full-disk encryption, where the only thing to destroy is the key, is the answer you want next time.

Save it as a batch file and run it remotely.

REM Optional, but it removes most roadblocks. PsExec is a Microsoft Sysinternals tool that runs a
REM program as "NT AUTHORITY\SYSTEM". The "-s" switch selects the SYSTEM context; "/accepteula"
REM suppresses the license prompt on first run.
REM
REM Copy PsExec.exe into your working directory. This uses Kaseya's default: C:\kworking\
REM
REM Before anything else, delete the boot loader entries. On the next reboot there will be nothing to
REM boot, and Startup Repair will be unable to fix it. Repair options still exist at this point; this is part 1.
bcdedit /delete {bootmgr} /f
bcdedit /delete {current} /f
REM
REM Robocopy /MIR from an empty directory purges everything in the destination. Create the empty source.
mkdir C:\blank
REM
REM Take ownership of all user folders. C:\Users is protected against normal deletion. Also grant
REM "Everyone" full control over it, again for the sake of easier deletion.
C:\kworking\psexec.exe /accepteula -s takeown /f C:\Users /r /d y
C:\kworking\psexec.exe /accepteula -s icacls C:\Users /t /grant Everyone:(OI)(CI)F
REM
REM Purge all local user files. /MIR already implies /E (recurse, including empty directories).
REM Redirecting to NUL suppresses console output, which makes it run significantly faster.
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Users /MIR /r:0 /w:0 > NUL
REM
REM Purge ProgramData
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\ProgramData /MIR /r:0 /w:0 > NUL
REM
REM Start breaking programs
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank "C:\Program Files (x86)" /MIR /r:0 /w:0 > NUL
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank "C:\Program Files" /MIR /r:0 /w:0 > NUL
REM
REM Break the Windows OS: delete as many important pieces as you can.
REM Typically reduces WinSxS from ~15k files to about ~2k.
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Windows\WinSxS /MIR /r:0 /w:0 > NUL
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Windows\System32 /MIR /r:0 /w:0 > NUL
REM
REM At this point the machine is probably just a black screen and nothing works: no Task Manager, no
REM icons, no interface. You can try "shutdown -r -t 0", but shutdown.exe has likely been purged too.
REM
REM There is nothing left to do with the machine besides wipe and reload the OS.

Dell Precision Win10 In-Place Upgrade – “Installation Failed”

“Installation Failed”, what an unhelpful error message direct from Microsoft. If you’re reading this, you’ve probably been fighting with upgrading a Dell Precision Win7/8 OS to Win10, like a T3600, and it randomly stops around 79%, or reverts on initial reboot.

The T3600 I was attempting to upgrade to Win10 was running Intel C600 Series SAS RAID Controller, Dell branded as a RST F6.

The most common error codes you’ll bump into are:

  1. 0x80070032 – 0x50015
  2. 0xC1900101 – 0x20017 – Installation Failed in SAFE_OS phase with an error during BOOT operation.
  3. CheckImageHealthCommandObject::InternalExecute(hr:0x80070032)

You can run SetupDiag from Microsoft against the setup logs under C:\$WINDOWS.~BT\Sources\Panther, but none of it points at the root issue: Windows setup cannot find a driver for the RAID controller in the machine.

Plenty of posts say to run DISM or System File Checker, like the following, but they do nothing about a missing storage driver.

  1. DISM /Online /Cleanup-Image /CheckHealth
  2. DISM /Online /Cleanup-Image /ScanHealth
  3. DISM /Online /Cleanup-Image /RestoreHealth

If you install Win10 v1903, it will fail on a Pre-Finalize Setup and not proceed. If you install an earlier version, like Win10 v1607, it will install, reboot, and revert.

The solution: Disable the RAID Controller in Dell BIOS, and connect your drive to a standard SATA port (reuse the SATA cable going to the DVD drive). Installing Win10 should now proceed just fine. Some days I hate computers….

NextCloud SSL – Custom Signed Cert for SNAP

Want to use a custom, publicly-signed SSL for your NextCloud Server?

You’ve just built a new Ubuntu Server, and selected the “NextCloud” server option in the packages to include. The ISO will auto-download and configure NextCloud-SNAP, a sort of pre-built version with a lot of assumptions made for what you want. Overall, it’s a great start, and a LOT faster than compiling from scratch like most guides. Every guide I’ve found includes solely self-signed, or Let’s Encrypt SSLs — hard to find any guides regarding using a publicly signed by a certificate authority, so I’m writing my own — hoping it helps someone out there!

#Applying and enabling a publicly signed SSL certificate on NextCloud-SNAP HTTPS
#Escalate your PuTTY/SSH session once so you don't have to enter your password 10 times.
sudo -i
#
#Generate your private key and CSR (2048-bit RSA; -nodes leaves the key unencrypted so Apache can start unattended)
cd /home
openssl req -new -newkey rsa:2048 -nodes -keyout files.company.com.key -out files.company.com.csr
#
#This creates a PEM-encoded private key and a Certificate Signing Request. Submit the CSR to your CA (NameCheap, GoDaddy, whoever...), get it signed, and download the ZIP.
#
#Only the CSR needs to leave the server; the private key stays where it was generated, readable by root only.
#If you use FileZilla to fetch the CSR, connect with SFTP, not plain FTP.
chmod 600 files.company.com.key
#
#The ZIP from your CA will usually contain:
#1. .CRT - The publicly signed certificate.
#2. .P7B - The certificate chain as a PKCS#7 bundle (many CAs ship a .ca-bundle PEM file as well).
#Next step is to feed it all into Nextcloud's SNAP handler.
#
#Upload the .CRT and .P7B with FileZilla (SFTP). Move all of the goodies into a directory the snap can read:
mv files.company.com* /var/snap/nextcloud/common
cd /var/snap/nextcloud/common
#Apache expects the chain as concatenated PEM certificates, not a PKCS#7 bundle, so convert the .P7B first
#(add -inform DER if the .P7B is binary rather than Base64). If your CA gave you a .ca-bundle, use that as the chain instead.
openssl pkcs7 -print_certs -in files.company.com.p7b -out files.company.com.chain.pem
#Run the command below to import the SSL, bind it to HTTPS, and enable HTTPS access.
#nextcloud.enable-https custom <Public Cert> <Private Key> <Cert Chain>
nextcloud.enable-https custom files.company.com.crt files.company.com.key files.company.com.chain.pem
#At this point, your NextCloud server should begin responding over HTTPS.

Mikrotik Point to Point Wireless Bridge

Note that this guide works for any Mikrotik board with an integrated antenna, not just the SXT product line. You can use these same instructions for the wAP line, LHG line, Groove line, even the BaseBox, as long as the two ends share a band (e.g. 2.4 GHz or 5 GHz).

 

The Mikrotik SXT 5GHz units offer a cheap, reliable, and fast point-to-point link. You’ll need two SXTs, one at each end of the link. It’s best to think of these units as a “wireless wire”: they join two physically separated networks as though there were a cable between them. I highly recommend Gigabit-capable 5GHz units, like the SXT AC.

Whether it’s 50 feet or 5,000 feet, the concept is the same, and performance can be very high, maybe adding 1-2ms of latency.

 

Connecting In

You’ll use the program Winbox.exe to configure the units. By default, Mikrotik units are set with 192.168.88.1/24 as their static IP.

It’s generally a good idea to set a static IP on your NIC to 192.168.88.X/24, for example: 192.168.88.200 / 255.255.255.0. Don’t disconnect yourself though… make it an additional IP on your NIC.

Update & Upgrade

We need to get the SXT internet access, so it can pull Package/Software Updates, then a firmware upgrade.

Connect the SXT to the PoE injector, connect the data plug to your switch, open Winbox on a PC on the same switch, and browse to the SXT. It likely only has a static IP of 192.168.88.1, but you’ll want to connect by Layer2 through clicking the MAC Address.

Default user/pass: admin/<blank>

Start by disabling the DHCP Server

  • IP > DHCP Server > Select defconf > Disable (Red X)

Bridge your antenna and ethernet ports

  • Bridge > Add (Blue + ) > bridge1
  • Bridge > Ports Tab > + > wlan1 > bridge1
  • Bridge > Ports Tab > + > ether1 > bridge1

Enable DHCP Client

  • IP > DHCP Client > bridge1
  • You now have enough configured to pull internet access from wireless or wired. Let’s get the updates.

Obtain Updates

  • System > Packages > Check for Updates > Channel: BugFix Only > Download and Install
    • The device will automatically reboot and update itself.
  • Once it comes back up, log in again via Winbox, and upgrade the firmware package, that was brought down with the software packages — it needs to be applied manually.
  • System > Routerboard > Upgrade > Yes
  • System > Reboot > Yes
  • If you feel confident your SXT will have a DHCP server it can connect to, feel free to disable the static IP of 192.168.88.1
    • IP > Addresses > Select defconf (192.168.88.1/24) > Disable (Red X)

Name Units – Apply a Matching Label/Sticker

  • Company PTP01, Company PTP02, etc

Set Password

  • System > Password > YourSecurePassword

Repeat the steps above for the other end of the PTP link,

Then continue below

Configuring the PTP Bridge

Broadcast Side

  • Wireless > Interfaces > wlan1
  • Mode: bridge
  • Band:5GHz AC if you can, A/N if AC is not an option.
  • Channel Width: 20/40/80 if you can, 20/40 if it is not an option.
  • Wireless Protocol: NV2
    • NV2 (Tab)> Security: YourSecurePassword
  • Click Advanced Mode Button: > Country: united_states_3
    • You will not be able to transmit until you select a country.

 

  • Wireless > Security Profiles > Default
  • Mode: Dynamic Keys
  • Auth Types: WPA2 PSK
  • Unicast/Group Ciphers: AES CCM
  • WPA2 PSK: YourSecurePassword

Client Side

  • Wireless > Interfaces > wlan1
  • Mode: Station Bridge
  • Band: Match Broadcast Side
  • Channel Width: Match Broadcast Side
  • Frequency:Match Broadcast Side
  • SSID: Match Broadcast Side
  • Wireless Protocol:Match Broadcast Side
  • Click Advanced Mode Button: > Country: united_states_3
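
The same link built from the terminal, as an added example that is not the original post's click-through, plus the two things the walkthrough leaves open. Both ends get a dedicated security profile instead of editing "default", and each end is pinned to the other's wireless MAC address: the AP only admits its partner, and the station never joins a rogue AP that happens to broadcast the same SSID. The SSID, key, frequency and MAC addresses below are placeholders; use the exact Country string from your unit's dropdown.

```routeros
# Added example, not the original post's config. Paste the first half on PTP01 (AP) and the
# second half on PTP02 (station). Replace PeerMac on each unit with the OTHER unit's wlan1 MAC
# (Wireless > Interfaces > wlan1 > MAC Address).
#
# ---- Broadcast side (PTP01) ----
:global PeerMac "00:00:00:00:00:02"
/interface wireless security-profiles add name=ptp mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="YourSecurePassword"
# NV2 carries its own key; the WPA2 profile only matters if the link ever negotiates plain 802.11.
/interface wireless set wlan1 mode=bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX frequency=5180 ssid="Company-PTP" wireless-protocol=nv2 nv2-security=enabled nv2-preshared-key="YourSecurePassword" security-profile=ptp country="united states3" default-authentication=no disabled=no
# With default-authentication=no, only stations listed in the access list may associate.
/interface wireless access-list add interface=wlan1 mac-address=$PeerMac authentication=yes forwarding=yes comment="PTP02 only"
#
# ---- Client side (PTP02) ----
:global PeerMac "00:00:00:00:00:01"
/interface wireless security-profiles add name=ptp mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="YourSecurePassword"
/interface wireless set wlan1 mode=station-bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX ssid="Company-PTP" wireless-protocol=nv2 nv2-security=enabled nv2-preshared-key="YourSecurePassword" security-profile=ptp country="united states3" default-authentication=no disabled=no
# With default-authentication=no on a station, it connects only to APs matching a connect-list entry.
/interface wireless connect-list add interface=wlan1 mac-address=$PeerMac ssid="Company-PTP" security-profile=ptp connect=yes comment="PTP01 only"
#
# Check on either end: a registered peer with a sane signal strength means the link is up.
/interface wireless registration-table print
```

The MAC pinning is what turns "same SSID and key" into "this specific pair of radios"; if you ever swap a unit, update the access list on the AP and the connect list on the station before expecting the link to come back.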

 

Once these are all set, the devices should automatically connect within 15 seconds.

For troubleshooting, use the Wireless> Interfaces > Scanner tool, see if you’re broadcasting.

Are the protocols set correctly? 802.11 protocol? NV2 protocol? NV2 security? Country Set?

You’ll know you are linked once you see the LED radio bars lit on the back of the SXT. This indicates signal strength.

PHP Server Monitor – Windows Setup Guide

Want to use PHP Server Monitor to track the uptime status of your devices? Not ready to build a CentOS or Ubuntu Server instance, but would rather have a Windows-install?

There are three primary methods to configuring an AMP stack.

  1. LAMP (Linux, Apache, MySQL, PHP)
  2. WAMP (Windows Desktop or Server, Apache, MySQL, PHP)
  3. IIS/PHP (Windows Server with Internet Information Services Role, MySQL, PHP)

This will be focusing on the Windows Desktop option. It’s lower performance than Linux or IIS, but it sure is easier for beginners, and easier to move between hosts.

Win10 + XAMPP

This tool has been around for many, many years. The code base may be old, but it’s free, still updated, and very reliable.

Appropriate for a small one-off server.

In my case, I’m using a Win10 Enterprise VM and loading XAMPP onto it.

 

https://www.apachefriends.org/index.html

Go snag XAMPP (32 Bit only for Windows). There is also a portable version if you don’t want a permanent install (e.g. run off a thumb-drive).

Run the installer, it is recommended to not install to Program Files directories due to weird permissions with UAC. Recommend installing to root, e.g. C:\XAMPP.

You only need Apache, MySQL, and PHP.

Start it, let it open up the XAMPP control panel.

 

Download PHPServerMonitor

Go to C:\xampp\htdocs, copy the contents to C:\xampp\htdocs.old, create the directory if it does not exist.

Go snag a download of PHP Server Monitor — https://github.com/phpservermon/phpservermon

Click download to ZIP in the upper right.

Unzip the ZIP contents into your operating PHP directory, by default: C:\xampp\htdocs

Download Composer

Composer is a dependency packager — it downloads and auto-installs the pieces that PHP Server Monitor depends on.

https://getcomposer.org/download/

The installer adds composer.exe to your Windows PATH, so you can run it from the command line in any directory. It should also auto-detect your XAMPP install and its web root, C:\xampp\htdocs.

When “composer install” is run, it looks for a composer.json file in the directory it is run from; that file lists what Composer needs to fetch.

 

Start > cmd.exe > Right-Click > Run as Administrator
cd C:\xampp\htdocs
composer install

Give it a few minutes, and it should auto-download all of the dependencies.

Start the Server Up, Build the Database

  1. Browse to C:\xampp\htdocs\
    1. Find config.php.sample, Copy/Paste it in the same directory, and rename to config.php
  2. Open XAMPP Control panel, if they are running, stop Apache and MySQL. Then start them both up, MySQL first.
  3. Browse to: http://localhost
    1. It should redirect you to http://localhost/install.php
    2. Hopefully, you see some pre-requisite success messages.
  4. If so, open XAMPP, click “Shell”
mysql -u root -p
# XAMPP ships with a blank MySQL root password: just hit Enter. Set one afterwards, and keep
# MySQL listening on 127.0.0.1 only, before this box is reachable from anything else.

create database phpsrvmon;
# Change the user and password in quotes
create user phpsrvmon_user@localhost identified by "user_password";
# Make this match the user above
grant all privileges on phpsrvmon.* to phpsrvmon_user@localhost;
flush privileges;
quit

Configure the Database

Open XAMPP and stop/start both Apache and MySQL.

Browse to: http://localhost, you should be redirected back to: http://localhost/install.php

  • Application Base URL: http://something.yourdomain.com
  • Database Host: localhost
  • Database Port: 3306 (you can confirm this within XAMPP)
  • Database Name: phpsrvmon
  • Database User: phpsrvmon_user (or whatever you entered)
  • Database Password: user_password (you picked something different right?)
  • Table Prefix: psm_

Save Configuration

You may get an error, “Unable to save your configuration”. It should cough out the code you can copy/paste into a config.php file.

If so, open config.php and overwrite its contents with what it provided. If you don’t have it, it looks like this (the installer prints the exact constant names for your version; in current releases the base URL constant is PSM_BASE_URL):

<?php
define('PSM_DB_HOST', 'localhost');
define('PSM_DB_PORT', '3306');
define('PSM_DB_NAME', 'phpsrvmon');
define('PSM_DB_USER', 'phpsrvmon_user');
define('PSM_DB_PASS', 'your password');
define('PSM_DB_PREFIX', 'psm_');
define('PSM_BASE_URL', 'http://something.yourdomain.com');

Save the file config.php, go back to XAMPP, and stop/start Apache to load in the new settings.

Create your Web-Account

Go back to http://localhost

You should get the message, “Sweet, your database connection is up and running!”

Now create a username, password, and email — this is for actually using the website, nothing to do with the database infrastructure.

Create a Monitor

Login to your site, it will redirect to your web-URL by the way, so ensure it can be resolved by your DNS server. If you’re desperate, you can always edit the Windows HOSTS file.

Open the “Servers” tab.

Add New (+) > Add a DNS address or IP, select a ping, or a matching service/port. It is important to set a threshold, I typically use a Warning Threshold of 2, meaning after 1 query it is a warning (amber), after 2 it is an alert (red). I use a timeout of 10 seconds usually, just in-case latency is high. Check off the users you want to be able to view the monitor.

Configure the Scheduler/CRON

We have our monitors, but we need a way to run the port/ping query, this is not run automatically. On Linux, it is run via CRON. On Windows, it is run via the Task Scheduler.

  • Start > Run > taskschd.msc > OK
    • Task Scheduler Library > Right-Click > Create Basic Task
      • Name: “PHP Server Monitor Query”
      • Run: One Time
      • Action: Start a Program: C:\xampp\php\php.exe
      • Add Arguments: C:\xampp\htdocs\cron\status.cron.php --timeout=1
        • The timeout number is the timer of cron in minutes, default is 10 minutes.
  • Next > Open Properties Box
    • Check: Run whether user is logged on or not.
  • Trigger Tab > Select > Edit
    • One Time, Advanced Settings > Repeat Task Every: 5 minutes, then change 5 to 1, for a duration of: Indefinitely
      • Note — If you have a large number of monitors (e.g. 100+) increase the timer appropriately. A general guideline is 20 seconds for each 100 monitors.
      • Ensure your Repeat Task Every number matches your timeout value in the Arguments.
    • Stop task if it runs longer than: 30 minutes, adjust to 3 minutes.
  • Conditions Tab > Uncheck power settings that relate to AC and battery power.
  • Settings Tab
    • Check: Allow task to be run on demand
    • Stop the task if it runs longer than: 1 hour
    • Check: If the running task does not end when requested, force it to stop.
    • If the task is already running, then the following rule applies: Stop the existing instance.
  • OK > Enter your password so the task can run as an administrator while you are logged off.

Final Settings / Little Details

Autostart

While in XAMPP, configure the services to autostart on boot. Click: Config > Check: Apache, MySQL

Fixing Queries (Important!)

By default, you  will only get a single query every 10 minutes, as the stock XAMPP php.ini file causes the cron script to get stuck in running mode until it times out after 10 minutes.

Open Notepad, and open: C:\xampp\php\php.ini

Ctrl+F to search, search for: extension=sockets

There will be a comment in front of it ” ; “, remove the semicolon to make the code active, save php.ini. Go back to XAMPP, and stop/start Apache.

 

Now get those monitors added, and keep and eye on all your important gear. Good luck!

Mikrotik – RADIUS Wireless Authentication Guide

This is a step-by-step guide for configuring RADIUS authentication for Mikrotik Wireless, for Server 2008 R2-2016.

 

RADIUS allows you to use domain credentials for accessing a wireless network, rather than a static WPA2 PreShared Key that rarely changes. Important for keeping terminated employees out, by just disabling their Active Directory account, rather than having to change the entire PSK every time someone leaves. This guide merely handles the RADIUS authentication, it’s still up to you to protect your network, such as separating your wireless networks into different VLANs or subnets, and isolating networks as fits your environment. (e.g. RADIUS for private network, WPA2 PreShared Key for guest network).

Overview

Just having an SSID and a pre-shared key is not secure, especially for HIPAA clients.

For more security, it is recommend to use RADIUS — your desktop Windows credentials, are also your WiFi credentials. If a user is terminated, just changing one user in Active Directory locks them out of the network.

 

The Mikrotik will need a static IP Address

IP > Addresses > + > 192.168.X.X/24

Configure RADIUS on Domain Controller

Install RADIUS

Server Manager > Add > Role or Feature >  Network Policy and Access Services (Include management tools).

Configure Active Directory

Server Manager > Tools > Active Directory Users and Computers > Select OU (e.g. Company > Groups) > Action > Add New Group > WiFiUsers > Add Members (e.g. John, Bob, Alice). You could use any group, but since we are focused on strong security, only give WiFi to those who need it.

Register Permissions

Start > cmd.exe > Right-Click > Run As Administrator

netsh nps add registeredserver

Add Trusted Client Device

Server Manager > Tools > Network Policy Server

RADIUS Clients and Servers > Clients > New

Enter name of device, and IP address of Mikrotik WiFi Controller or standalone access point.

Shared Secret > Click Generate > Generate, or use a manual Secret. Copy this down.

 

Add Policy

Server Manager > Tools > Network Policy Server

Policies > Connection Request Policies > Right-Click > New

Provide a Name (e.g. WiFiUsers)

Type of Network Access Server: Unspecified

Next

 

Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other

Next

Authentication > CHECK: Authenticate Requests on this server

 

Policies > Network Policies > Right-Click > New

Give it a name, enable, and Check: Grant Access

CHECK: Ignore user account dial in properties

Type of network access server: unspecified

Conditions > Add > Windows Groups > Add “AD Group Name”

Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other

Settings > IP Settings > CHECK: Client may request an IP address > OK.

 

Constraints: Authentication Methods:

  • Protected EAP (PEAP) > Select > Edit > pick the server certificate. If you do not have a publicly signed certificate for a public FQDN, the only option here is the self-signed one (shown as the server name, e.g. “localhost”). Know what that costs: clients then have to either import that certificate as trusted or be told not to validate the server certificate, and a client that skips validation will happily run its MS-CHAPv2 exchange with any rogue access point broadcasting the same SSID, where the exchange can be captured and cracked offline. Push the certificate and the “validate server certificate” setting with Group Policy rather than turning validation off.
    • Wildcard SSLs do not work (clients will fail to connect), but a FQDN SSL (server.main.company.com) does. A .LOCAL name cannot get a publicly signed SSL.
  • EAP-MSCHAPv2 as the inner method.

Customize DHCP (If your Windows DC is providing DHCP)

With Network Access Protection enabled on the DHCP scopes (the default on these versions once NPS is installed), DHCP will not hand out an address to just any client. Disable Network Access Protection on your IPv4 scopes. NAP was deprecated in Server 2012 R2 and removed in Server 2016, so this step only applies to 2008 R2 and 2012.

Server Manager > Tools > DHCP > Expand > IPv4 > Right-Click > Properties > Network Access Protection > Disable on all scopes

Configure RADIUS on Mikrotik WiFi CAPSMAN Controller

#Shared secret and DC address; they must match the RADIUS client you created in NPS
:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
:global DCIPAddress "192.168.1.5"
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813
#Only needed if PPP/VPN logins should also go to RADIUS; wireless EAP does not use this
/ppp aaa set use-radius=yes accounting=yes
#EAP is passed straight through to NPS; attach this security profile to the CAPsMAN configuration that carries your SSID
/caps-man security add name=RADIUSWiFi authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes

 Configure RADIUS on Mikrotik WiFi Standalone Access Point

#Shared secret and DC address; they must match the RADIUS client you created in NPS
:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
:global DCIPAddress "192.168.1.5"
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813
#Only needed if PPP/VPN logins should also go to RADIUS; wireless EAP does not use this
/ppp aaa set use-radius=yes accounting=yes
#Switch the profile your SSID uses from WPA2-PSK to WPA2-EAP, passed through to NPS
/interface wireless security-profiles set default authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=aes-ccm radius-eap-accounting=yes mode=dynamic-keys group-key-update=1h

Now when you connect, pop in your username (domain\username) and password to login.
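
The split the post recommends (RADIUS for the private network, a pre-shared key for guests on a separate subnet), built out on a standalone AP as an added example that is not the original post's configuration. Staff get WPA2-Enterprise via NPS on a profile of their own rather than by editing "default"; guests get a WPA2-PSK virtual AP on its own bridge and subnet, with a forward rule that keeps them off the staff LAN. The DC address and secret are the post's; the subnets, SSIDs, guest passphrase and DNS resolver are assumptions. The default firewall already drops management traffic from any interface outside the LAN list, so do not add bridge-guest to that list.

```routeros
# Added example, not the original post's config. Assumes wlan1 is the AP radio, the staff LAN is
# 192.168.1.0/24 behind the default "bridge", and NPS lives on the DC at 192.168.1.5.
:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
:global DCIPAddress "192.168.1.5"
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813 timeout=3000ms comment="NPS on the DC"
# Staff SSID: EAP passed through to NPS, AES only, no pre-shared key stored on the AP at all.
/interface wireless security-profiles add name=staff-eap mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough unicast-ciphers=aes-ccm group-ciphers=aes-ccm radius-eap-accounting=yes group-key-update=1h
/interface wireless set wlan1 mode=ap-bridge ssid="Company-Staff" security-profile=staff-eap
# Guest SSID: WPA2-PSK on a virtual AP riding the same radio.
/interface wireless security-profiles add name=guest-psk mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="ChangeMeGuest2024"
/interface wireless add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid="Company-Guest" security-profile=guest-psk disabled=no
# Guests get their own bridge, subnet and DHCP, and cannot open connections into the staff LAN.
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-guest interface=wlan-guest
/ip address add address=192.168.50.1/24 interface=bridge-guest
/ip pool add name=guest-pool ranges=192.168.50.10-192.168.50.250
/ip dhcp-server add name=guest-dhcp interface=bridge-guest address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=1.1.1.1
/ip firewall filter add chain=forward in-interface=bridge-guest dst-address=192.168.1.0/24 action=drop comment="Guests cannot reach staff LAN"
# Verify after a staff login: accepts should climb and timeouts should stay at 0.
/radius monitor 0 once
```

A rising timeouts counter means the AP cannot reach NPS (wrong address, secret, or the DC's firewall); rejects with no timeouts mean NPS answered and the network policy or the user's group membership is what to check next.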

Mikrotik – SSTP VPN Server Setup Guide

Overview

I’ve played with L2TP/IPSec, IKEv2, PPTP, and SSTP VPN Servers. SSTP is now my go-to for business clients, and here is a step-by-step guide to help you set one up on a Mikrotik Router :-).

Benefits over L2TP/IPSec

  1. Multiple clients can connect from the same Public IP. Important if you have multiple employees that travel to the same site, like a hotel or other business. On L2TP, it’s one device per WAN IP.
  2. No timeouts, you can stay connected for an indefinite amount of time.
  3. More reliable in bad conditions (weak WiFi signal, cell-hotspot), less likely to drop than L2TP/IPSec, because SSTP is TCP based, and less sensitive to latency.
  4. Works on almost any network. Since it runs over TCP 443, the same port as HTTPS, almost every network lets its traffic through even where there is outbound filtering.
  5. Setup for Windows clients is built in, reliable, and simple. Mac clients require a bit more work, but it functions the same.
  6. Due to being TCP based, and less sensitive to latency, you can get much higher throughput for bad connections.

Cons – Slightly Harder Setup

  1. You must connect by DNS address, e.g. vpn.company.com, IP addresses are not an option.
  2. You must have a SSL certificate that includes your public DNS address (vpn.company.com). Wildcards work great, along with standard SSLs.
  3. The SSL you use, needs to have the private key included, takes extra work to extract.

Once it’s setup and working, SSTP beats L2TP every time hands down!

 

SSL Export and Config

The only part not included in this guide is creating a publicly signed SSL request and getting it signed. Here are two detailed SSL creation/install guides from GoDaddy if you need help with this step:

 

We need to export the installed SSL on the server in two forms: a PKCS#12 “.PFX” (contains the private key) and a Base64-encoded X.509 “.CER” (public cert only).

Easiest to perform these steps on the server that created the SSL (so it has the private key and matching certificate).

If you cannot export the private key, it means you are on a server that did not create the key – check other servers within that company, like Exchange or RDS.

  • Start > run > mmc.exe
  • File > Add Snap In > Computer Account > Local > OK
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “Yes, export the Private Key” > Export to: … > File Type: *.PFX > Protect with YourPassword
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “No, do not export the Private Key” > BASE64 Encoded Binary X.509 > Export to: … > File Type: *.CER

Get both of these files to your workstation running Winbox.

Login to the Mikrotik

Files > Drag in both files to the Files window

  1. System > Certificates > Import > SSL.CER (Base64) > Password: <leave blank>
    1. Left column, only “LT” (revocation List, Trusted)
  2. System > Certificates > Import > SSL.PFX (PKCS12) > Password: YourPassword
    1. Left column “KLT (private Key, revocation List, Trusted)

Now go to Mikrotik > PPP > Interface Tab > SSTP Server (Button) > Certificate: Select your SSL (X509)

Mikrotik – SSTP Server Setup

Only thing to change for a default setup is the DNS Server. Paste into Mikrotik Terminal.

#Change this to the on-site Domain Controller/DNS Server.
:global DNSServer "192.168.1.5"
#IP Address of VPN Bridge
:global VPNGateway "192.168.200.1"
#VPN Client LAN IP Range -- IPs the clients should get
:global VPNRange "192.168.200.100-192.168.200.200"
#Network Address of the Target Network
:global VPNNetwork "192.168.200.0/24"


#Add the bridge
/interface bridge add name=vpn-bridge
#Give the bridge an IP and network
/ip address add interface=vpn-bridge address=($VPNGateway."/24") comment="VPN Bridge IP"
#Add an IP Pool for clients to be assigned when they connect
/ip pool add name="vpn-pool" ranges=$VPNRange
#Configure the VPN profile for users to use.
/ppp profile add dns-server=$DNSServer local-address=$VPNGateway name=sstp-profile remote-address=vpn-pool bridge=vpn-bridge
#Turn it on! The certificate imported above is selected under PPP > Interface > SSTP Server (or add certificate=<your-cert-name> to this command).
/interface sstp-server server set authentication=mschap2 default-profile=sstp-profile enabled=yes

Mikrotik – Add a Local User Account

#Add the User’s Account into the Mikrotik

:global Username "johnsmith"
:global Password  "johns super password"

/ppp secret add name=$Username password=$Password profile=sstp-profile

Setup SSTP Client Connection (Windows 7 or 10)

Adjust names, ServerAddress, username, and password as appropriate.

#In PowerShell (run elevated, since -AllUserConnection writes the all-users phonebook)
Add-VpnConnection -Name "Company SSTP VPN" -ServerAddress "vpn.company.com" -TunnelType SSTP -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
#Set-VpnConnectionUsernamePassword is not built in; it comes from the VPNCredentialsHelper module (Install-Module VPNCredentialsHelper)
Set-VpnConnectionUsernamePassword -connectionname "Company SSTP VPN" -username johnsmith -password "johns super password"



#Or, in GUI
Click Network Icon near clock in system tray > Network and Internet Settings

VPN (Left) > Add a VPN connection:
VPN Provider: Windows (built-in)
Connection Name: “Company SSTP VPN”
Server Name or Address: vpn.company.com
VPN Type: Secure Socket Tunneling Protocol (SSTP)
Username: johnsmith
Password: johns super password
Remember: Checked
SAVE

#Connecting
Click Network Icon near clock in system tray > Select “Company SSTP VPN” > Connect

Mikrotik – Setup a Full Router Within 5 Minutes

We set up a LOT of Mikrotik routers, and doing everything through the GUI is tedious. Below is a “cheat-sheet”; feel free to customize it to rapidly deploy your own Mikrotik routers.

Apply to a freshly reset and updated router for best effect.

This script assumes you have a static WAN IP, hence the 0.0.0.0/0 static route. It also disables Webfig, and only allows Winbox login from trusted WAN IPs (the Management address list) and from the LAN (bridge).

Just swap out the settings in quotes at the top, then copy/paste the whole thing into a terminal.

I recommend manually editing the “YourManagementWANHere” networks as well; repeat that line for each trusted site that needs to log in via Winbox.

Of special note is the automatic updater. Don’t let your forgetfulness leave routers outdated! Have the router check for you every two weeks.

Hoping it helps!

:global CompanyName "Johns Bubblegum Co"
:global Password "YourMikrotikAdminPassword"
:global LANIP "10.10.10.1/24"
:global WANIP "200.200.200.200/29"
:global WANGateway "200.200.200.201"
:global LCDPIN "1234"


#Start code
#Purge the old Firewall Rules
/ip firewall filter remove [find]
/ip firewall nat remove [find]
/ip dhcp-client disable 0
/ip dhcp-server disable 0
/ip pool remove default-dhcp
#
#Configure the Interface
/interface ethernet set [ find default-name=ether1 ] comment="WAN Primary"
#
#Configure the LAN ports to be on a bridge
#Port names that do not exist on your model (e.g. the -master ports on newer RouterOS) simply error and are skipped; the rest still apply
/interface bridge add name=bridge comment="LAN Bridge"
/interface bridge port add bridge=bridge interface=ether2-master
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6-master
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
/interface bridge port add bridge=bridge interface=sfp1
#
#Secure against Route Spoofing
/ip settings set rp-filter=strict
#
#Edit the IPs of the Router
/ip address add address=$LANIP comment="LAN Primary" interface=bridge
/ip address add address=$WANIP comment="WAN Primary" interface=ether1
#
#Set the static LAN to WAN Route (WAN Gateway) Edit the WAN Gateway IP
/ip route add check-gateway=ping comment="WAN Primary" distance=1 gateway=$WANGateway
#
#Create the trusted Management IP list
/ip firewall address-list add address=YourManagementWANHere/29 comment="Trust IP Range" list=Management
/ip firewall address-list add address=YourManagementWANHere/27 comment="Trust IP Range" list=Management
#
#Add the firewall rules
/ip firewall filter add action=accept chain=forward comment="Trusted Management Sites - Forward" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=accept chain=input comment="Trusted Management Sites - Input" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
/ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
#
#Blacklist Rules -- Add the bad-guys to the BlackList
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Brute Forcers" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Port Scanners" disabled=no protocol=tcp psd=21,3s,3,1 in-interface=ether1
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=30m chain=input comment="Blacklist SYN Flood Attacks" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn in-interface=ether1
#
#Allow Good Traffic
/ip firewall filter add action=accept chain=forward comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Accept ICMP, prevent flood" protocol=icmp icmp-options=8:0 limit=1,5
/ip firewall filter add action=accept chain=input comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid
#
#Allow LAN to WAN NAT Traffic
/ip firewall nat add action=masquerade chain=srcnat comment="Office - NAT" out-interface=ether1
#
#Security Lockdown
/ip ssh set strong-crypto=yes
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/tool bandwidth-server set enabled=no
/lcd pin set pin-number=$LCDPIN
#
#Misc System Settings
/lcd set backlight-timeout=never default-screen=stat-slideshow
/system clock set time-zone-autodetect=yes
/system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time.nist.gov,time.google.com
/system package update set channel=bugfix
#Note: the scheduler below switches the channel to current on its first run, so the bugfix setting above only applies until then
/system scheduler add name="Upgrade Router Bi-Weekly and Reboot" on-event="/system package update set channel=current; /system package update check-for-updates; /system package update download; /system reboot;" start-date=Jan/01/2018 start-time=03:00:00 interval=2w
/system routerboard settings set silent-boot=yes
/system identity set name=($CompanyName." Router")
/ip dns set servers=8.8.8.8,8.8.4.4
#
#Cleanup Old Settings
/ip address remove [ find comment=defconf ]
/ip firewall nat remove [ find comment="defconf: masquerade" ]
#Change Admin Password
/user set admin password=$Password
#End Code
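RouterOS evaluates each filter chain top-down, so the order of the `/ip firewall filter add` lines above is what makes the lockdown work. The following is an added checker (not part of the original script) that parses a constructed subset of those rules and flags ordering mistakes and the one gap a reviewer would raise: the forward chain has no final drop for new connections arriving on ether1. The `find`/`lint` helpers and the sample text are assumptions for this example.

```python
import shlex
# Constructed sample: a trimmed copy of the filter rules above, in script order.
SAMPLE_SCRIPT = """
/ip firewall filter add action=accept chain=input comment="Trusted Management Sites - Input" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Port Scanners" protocol=tcp psd=21,3s,3,1 in-interface=ether1
/ip firewall filter add action=accept chain=forward comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid
"""

def parse_rules(script):
    """Return every `/ip firewall filter add` line as a {key: value} dict, in order."""
    rules = []
    for line in script.splitlines():
        if line.startswith("/ip firewall filter add"):
            tokens = shlex.split(line)[4:]  # drop the command path, keep key=value pairs
            rules.append(dict(tok.split("=", 1) for tok in tokens))
    return rules

def find(rules, chain, match):
    """Index of the first rule in `chain` whose matchers (comment aside) are exactly `match`."""
    for i, rule in enumerate(rules):
        props = {k: v for k, v in rule.items() if k not in ("chain", "comment")}
        if rule.get("chain") == chain and props == match:
            return i
    return None

def lint(rules):
    """Return human-readable findings about rule order and coverage."""
    findings = []
    # 1. The catch-all input drop for ether1 must sit below the established/related
    #    accept, or replies to the router's own DNS/NTP/update traffic are dropped.
    est = find(rules, "input", {"action": "accept", "connection-state": "established,related"})
    wan = find(rules, "input", {"action": "drop", "in-interface": "ether1"})
    if wan is not None and (est is None or est > wan):
        findings.append("input: 'Drop all from WAN' precedes the established,related accept")
    # 2. Trusted management must be accepted before the BlackList drop, otherwise an
    #    admin who trips the port-scan or brute-force rule is locked out for a day.
    mgmt = find(rules, "input", {"action": "accept", "in-interface": "ether1", "src-address-list": "Management"})
    black = find(rules, "input", {"action": "drop", "in-interface": "ether1", "src-address-list": "BlackList"})
    if mgmt is not None and black is not None and mgmt > black:
        findings.append("input: Management accept is below the BlackList drop")
    # 3. The forward chain needs a final drop for new connections arriving on the WAN
    #    interface; 'Drop invalid' alone does not refuse unsolicited inbound sessions.
    if find(rules, "forward", {"action": "drop", "in-interface": "ether1", "connection-state": "new"}) is None:
        findings.append("forward: no drop for new connections arriving on ether1")
    return findings
```

Run `lint(parse_rules(...))` over the full script text before pasting it into a router; on the script as written it reports only the missing forward-chain drop.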