MikroTik RBwAPR-2nD&R11e-LTE-US with LTE Modem With Verizon HowTo

I grabbed one of these RBwAPR-2nD&R11e-LTE-US off the shelf today at ISP Supplies  and wanted to see how hard it would be to make it work with Verizon Wireless.  I had an active SIM card from an old Verizon Jetpack to use with it.  I inserted the SIM card and fired it up and attached to the onboard 2 GHz WiFi.  As suspected, it did not work out of the box.  I did a little Googling and figure out Verizon uses an APN which is basically a way  LTE carriers differentiate themselves from other carriers on the same technologies.  I created the APN profile, applied it to the LTE interface, disabled the DHCP Client and I had internet.  This is simple and here are the steps:

  1. Start with the default configuration, no changes.  Upgrade to the latest version of RouterOS.  This is covered a million other places. Reboot.
  2.  Click Interfaces-LTE-LTE APNs and delete the APN’s there. Make a new one named whatever you like.  Fill in the AOPN value to “vzwinternet”.

3.Ok out of everything.  Double click the LTE interface and select your APN profile you just created.

Count to ten and your device will connect to Verizon.  Modify as you wish.

The DHCP Client is not needed (and will be red so delete or disable it so it doesn’t bother you…) as the LTE interface will get it’s IP from the authentication process.

Source: Blog

MikroTik + Slingshot Malware, Is it a Threat?

Chances are you have recently heard about Slingshot.  A ZDNet article explains “Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years.  The researchers haven’t named Slingshot’s country of origin, but note the presence of debug messages written in perfect English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. Slingshot reached targets using a compromised software update for routers made by Latvian firm MikroTik.”

So, do you need to be concerned? This email from Normunds at MikroTik explains the slingshot malware attack and why you should or should not worry about it.

All RouterOS versions are safe if you use Winbox 3. Only the old Winbox v2 downloads DLL files from the router. Winbox v3 has been available since the year 2014.

Kaspersky said they have found a malicious DLL file that was loaded to the end users Windows computer with Winbox from a MikroTik router. They said this is a targeted attack on specific organizations and this tool is not spreading itself.

1. Winbox no longer downloads any DLL files from the device, if you are using Winbox v3. Make sure to upgrade RouterOS and Winbox loader. It has been out for ~4 years.

2. As to how this DLL file got it’s way inside a MikroTik router in the first place, is unclear. Most likely this is related to a previously discovered vulnerability in the www service, which was patched in March 2017. Please note that devices affected were only those which did not have a firewall configured.

After the mentioned fixes, we have repeatedly increased RouterOS file system security and made additional internal mechanisms to prevent anything like this in the future. Please keep your devices up to date and configure a firewall (if you disabled the default one) to prevent any unauthorized IPs from accessing your router.

Best regards,
Normunds R.

So, the bottom line is to use WInbox version 3, do a one time upgrade to the current version of RouterOS and worry about something else like, “What’s for lunch?”.


Source: Blog

Why should I invest in MikroTik Training?

This year, 2018 marks my tenth year as a MikroTik trainer and I have been asked this question more times than I can count.  Typically, the question is accompanied by the asker’s reasoning for asking the question.  Their reasonings are valid and so I would like to address these questions:

  1. “I am an owner or manager and I don’t actually log into routers so how could I benefit from training?”
  2. “I have been using MikroTik RouterOS for more than X years, and I use it on a daily basis so why would I need a certification?”

Owners or Managers

With respect to the owner or manager, I can tell you that attending training is one of the most important things you can do to improve your effectiveness as a manager and strategic planner.  Formal training enables you to understand at a deeper level, the capabilities of RouterOS, thereby enabling you to better direct your staff.  Network expansion options, changes to architecture, new services for your customers, all of these are much more clear when you understand at a granular level, the capabilities of the product.  For the owner, this knowledge also facilitates your ability to hire the right technicians and to vet the resume of a potential hire.  Finally, it is important to not overlook the opportunity to network with other owners and managers at one of the few events that attract people in exactly your same position.  Networking creates new opportunities and new ideas you can incorporate into your business.

Seasoned Technicians

I have trained literally thousands of people, many of which introduced themselves as having a level of knowledge adequate to “teach this class themselves” and I always welcome these people with open arms for many reasons.  First, I am always wearing two hats, trainer and student because every day I learn something new myself.  Technology changes so rapidly, I will never “know it all” or even a fraction of what is possible to learn on a daily basis.  Secondly, teaching a group of twenty-something people by myself can be a challenge so having some extra help during the labs is a benefit to me.  Finally, I always say “I never learned so much about a subject until I started teaching it” and the same is true for the seasoned technician involved in formal training.  Although you may have a good foundation, often based on self-paced learning, imparting that knowledge to others makes it grow and progress at a pace far faster than otherwise possible working on your own.  Finally, the most common feedback I get from an experienced person in my classes is that they learned many new ways to do things they had been doing for years “the hard way”.  Standardized training teaches the most optimal way to perform essential tasks using best practices.  This makes your job easier and makes you more efficient.

Finally, I always make it a practice to make myself available to speak with every student that leaves my classroom on the last day of training to get this important feedback and I can say with great confidence, I do not know of a single person, regardless of experience level that didn’t get something important from the class.  That doesn’t speak so much of my ability to teach as it does to the value of formal training.

So, how can you benefit from formal training and when is the next opportunity?  Check our training calendar at https://mywisptraining.com and get signed up.  I hope to see you in class soon.


Source: Blog

Connecting and Managing Remote Grandstream Phones with MikroTik, UCM and Zero Config

If you are familiar with the Grandstream UCM VOIP PBX, you know the value of the Zero Configuration service.  if not, Zero Configuration service allows you to create profiles that are common to all phones, certain models of phones or only certain phones on your network.  These profiles can do things like push configuration changes, push software upgrades, or set new names or extensions on the extension modules or “sidecars” as we call them.  You can, of course, manage each phone individually through a web browser interface but this method does not scale well.

Here is an example of how we use Zero Config in our phone network.

  1. Globally, we set the time zone and the Screen Saver/Background on all phones and rotate them as banners as a message board system.  We also set the path for firmware upgrades for all new phones.
  2. We use a Model Template to configure the Speed Dial buttons on one model of phone and set the names and extensions on other models that have the auxiliary boards.
  3. Adding a new phone is simple for us, plug it in, wait for it to appear in Zero Config, assign an extension, push the changes and that phone is now configured and provisioned.

There are many more capabilities for Zero Config that you can take advantage of but these are a few that I like a lot.

Now, all of this works well in a LAN environment but how can you easily do Zero Configuration with Remote Phones when you have users working from home across the internet?  Easy, MikroTik and RouterOS.  Here is our example:

To make Grandstream Zero Configuration work, we need to get the remote phone and the office LAN on the same Layer2 segment.,  Obviously, this is the job of a VPN protocol, but I wanted to make it as easy and simple as possible, hence fewer issues down the road. I also did not want all the remote LAN traffic to traverse the tunnel and MikroTik L2TP + BCP makes it really easy.

There was one trick that threw me off, and I want to make sure you take notice.  I am telling you this up front for those of you searching to see why a bridged L2TP tunnel BCP is not passing DHCP, do not address the tunnel.  That means, no remote or local address on the server end of the L2TP server.  It is not needed (that itself surprised me) and in fact, it breaks DHCP for some reason.  Also, the MTU, MRU settings must be exactly as shown or bridging will not work.  Again, this caused me a lot of heartache until I figured it out.

Here is the configuration we want to create:

In summary, port Ether5 on the remote router is bridged to the L2TP tunnel on the remote end and on the Office end, the L2TP tunnel is bridged to the port that connects to the office LAN switch.  The net result is that the remote phone pulls an IP address from the UCM which is running DHCP server and the remote phone appears on the same Layer 2 segment as the UCM so it can be used with Zero Configuration.  Here is how you set that up in RouterOS.  I assume basic connectivity is in place at both ends and we are only building the tunnel and the bridges.  Here is how my network looks in my Dude Server:

 

Remote End Configuration:

Each remote device has 2 L2TP interfaces, one for managing the router and one for the VOIP.

First, create the profile because that is where the bridging takes place.  Here is that PPP profile:

Next, create the L2TP Client.  Notice the MTU, MRU, MRRU settings and set as shown because they are critical for bridging to work:

Finally, here are the bridge settings.  Notice the Max MTU, MRU, etc in the red box.  These must be set to these values or bridging will not work:

  

Server End Configuration:

First, create the Bridged profile:

Next, enable the L2TP server and again, the MTU, MRU, MRRU settings are important, set as shown.  Use the profile just created:

Finally, create the bridge and on the Ports tab add the ethernet port connected to the office LAN or switch.  The L2TP interfaces will be added automatically when these users connect.

 

Once this is done, your remote phone, plugged into ether4 pulls an IP from the UCM DHCP Server on the office LAN and is configurable using Grandstream Zero Configuration.

 

 

 

 

 


Source: Blog

Mikrotik RouterOS Dynamic IP Firewall Address List Entries for CDN’s, etc.

Has anyone noticed a new behavior for address lists in RouterOS?  The release notes for 6.37.3 show “firewall – fixed timeout option on address lists with domain name;” but I don’t see when that feature was actually added.

Specifically, if you add a DNS name as the address entry, it dynamically resolves all the IP’s for that name.

The best example is a name record that points to a CDN like WIndows’ Updates. I discovered this trying to mark and prioritize Windows’ updates, MAC Updates, iCloud photo uploads, etc.

Here is an example. Our website, www.ispsupplies.com is distributed by a CDN. One entry in the address list produces 8 dynamic entries, one for each CDN IP. I also noticed they update themselves dynamically, on an unknown schedule. I don’t see this in the Who wants to work together on a QOS system using this feature?

 

No automatic alt text available.
No automatic alt text available.


Source: Blog

One Reason IPV6 on MikroTik Doesn’t Stink

One word, auto configuration.  That’s two words, ok, but if you scrunch it together it is one, autoconfiguration.  My spell check keeps complaining about making it one but oh well.  In the MikroTik world, enabling the MikroTik IPv6 package is really all you need to do to start using it (provided your computer is dual stacked as well).  Today, I realized how nice it is to take a router, reset to factory defaults, and as long as IPv6 is enabled, I can log into the router, Layer 3 with no configuration because IPv6 autoconfigures itself.

That is a big deal because often times on certain laptops, I can’t get MAC WInbox to work.  It can be really flaky but with IPv6 I don’t need it.

Example: I reset this router to factory defaults and look at Winbox:

I can click the MAC address (green arrow) and put up with disconnects or failed connections or click the red arrow and have instant Layer 3 access with no configuration on the router. This one benefit is enough for me to start running IPv6. Obviously, there are many others but this should get your attention at least.

If you want to start learning IPv6, watch some YouTube videos, there are tons, and then create a free IPv6 tunnel with Hurricane Elecric’s Tunnelbroker.com.  Try it, it works!

 

 

The post One Reason IPV6 on MikroTik Doesn’t Stink appeared first on Steve Discher.


Source: Blog

MikroTik Optimal Wireless Config for Transparent Point to Point or Backhaul

I am often asked what is the optimal configuration for a point to point with Mikrotik, typically SXT’s.  I would stress that the fewer settings you make, the better the link will work so I don’t recommend tweaking, just set the basics.  Here are screen shots of everything that needs to be set to make a high capacity point to point.  The red boxes are settings that are peculiar to that end of the link and the blue boxes are the settings that must match both ends of the link:

Wireless AP End of Link (also called bridge mode on a point to point)

Station End

ISP Supplies is a premiere MikroTik stocking distributor in the USA and we pride ourselves on offering more than boxes; we also offer knowledge.  Our team is knowledgeable, willing and able to provide technical assistance with any MikroTik device.

 

The post MikroTik Optimal Wireless Config for Transparent Point to Point or Backhaul appeared first on Steve Discher.


Source: Blog

MikroTik Wireless CAPsMAN Howto

I was intrigued by the recently new feature being developed by MikroTik called “CAPsMan”.  From the wiki “Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and if necessary, data processing. When using the CAPsMAN feature, the network will consist of a number of ‘Controlled Access Points’ (CAP) that provide wireless connectivity and a ‘system Manager’ (CAPsMAN) that manages the configuration of the APs, it also takes care of client authentication and optionally, data forwarding.  When a CAP is controlled by CAPsMAN it only requires the minimum configuration required to allow it to establish connection with CAPsMAN. Functions that were conventionally executed by an AP (like access control, client authentication) are now executed by CAPsMAN. The CAP device now only has to provide the wireless link layer encryption/decryption.”

When I initially read that, I immediately thought of UniFi, Ubiquiti’s centrally managed enterprise wireless platform.  From that point forward, I spent little time learning the facts and immediately began comparing the product to UniFi only to find I was disappointed with CAPsMAN and why wouldn’t I be?  It had no web interface, no fancy graphs and seemed difficult to configure.  I was wrong.  I am not saying there is eye candy, because there isn’t but it’s beauty is in it’s innovation, and function over form.  Best of all it can be built using existing, already deployed hardware, thereby using software to redefine your wireless network.

In summary, the CAPsMAN concept involves using your existing internet router (must be a MikroTik of course) and adding the optional CAPsMAN package.  Then installing theCAPsMAN package on the AP devices.  Conventional AP’s become CAPs and the router serves as the CAPsMAN controller and you are off to the races.  Each CAP becomes simply an interface on the router.  An interface you can bridge, address, route, whatever, treat it like any other interface.  Want to know who is associated with a certain AP?  Check the main CAPsMAN registration page.  There is one page that summarizes all CAPs!  Want to add a secondary or third ( I don’t like the word tertiary) , easy, just add it in CAPsMAN and it pushes the config to all the CAPs.  Same thing with adding a new WPA key, click once, type, click ok and done, all CAPs get configured automatically.

Hopefully I have wet your appetite enough for you to dive in and try it so here is a step by step to get you going.   Everything else is a modification of this basic setup.

CAPsMan HowTo

First, you must install thee CAPsMAN wireless package on the router and all AP’s.  If using CAPs, this is already done for you.  However, must CAPs come with CAPsMAN version 1 and you want version 2 so download it from MikroTIk.com, drag the file to your files window and reboot all devices.

CAPsMAN Router

Once the router has the CAPsMAN package, open Winbox and enable the CAPsMAN manager service.

CAPsMAN Server1

Next create a bridge interface for the CAPs to be added to dynamically when they appear on the network.

CAPsMAN Server2

Add an IP address, DHCP Server and a NAT rule.  You can learn how to do this elsewhere, like wiki.mikrotik.com for example.

CAPsMAN Server 3

Add a new CAPsMAN configuration.

CAPsMAN Server 4

Add a new provisioning rule.

CAPsMAN Server 5

Configuring the CAP

This is a sticky wicket because there are a few options.

Option 1. Using a RouterBoard MAP or CAP

These are purpose built devices and I really like them for new installs.  There is one  design issue I have and that is they have a default config that is suited for a stand alone configuration.  Basically it is a wireless AP with DHCP server on the wlan, DHCP client on the Ethernet, etc.  I would rather it came factory configured to be a CAP.  Clearly then did not consult me.  To turn it into a CAP, there is a hardware option I will cover here.

Note that most CAPs and MAPs come with version 1 of the CAPsMAN software so BEFORE you use the hardware switch to set them to CAP mode, upgrade the CAPsMAN package!

CAP

There is a reset switch located on the underside of the device next to the Ether jack.  Hold it down and apply power via the supplied POE adapter.  Hold it steady for 10 seconds.  The wireless LED will go from flashing to solid.  Then release and it will load the CAP config and look for a controller on the local LAN.  The is a Layer 3 discovery option for when the CAPsMAN is on a different Layer 3 segment or out on the internet somewhere but that  is covered in the wiki as well.

Note: What I have described here is NOT covered correctly in the instruction sheet that comes with the CAP so throw that away and follow my instructions to save a lot of headache.

Within 2-3 minutes the CAP will be in CAP mode.

MAP

There is a reset switch located on the side of the device.  Hold it down and apply power via the supplied POE adapter.  Hold it steady for 10 seconds.  The AP/CAP LED will go from solid to flashing, exactly the opposite of the CAP’s LED behavior.  Standardize guys!  Then release and it will load the CAP config and look for a controller on the local LAN.

Note Again: What I have described here is NOT covered correctly in the instruction sheet that comes with the MAP so throw that away and follow my instructions to save a lot of headache.  Again.

Within 2-3 minutes the MAP will be in CAP mode.

In either case, forget the LEDs and hold the switch exactly 10 seconds and you are good to go..  When you release the switch the LEDs should do a quick blip, 2-3 of them will do it simultaneously telling you it is applying the config.  You will learn to recognize that.  Or not.

Option 2. Converting Non-CAPs or MAPs to CAPs

Simply download the version 2 CAPsMAN and drag it to the files window.  Reboot and then configure the AP by first removing any existing configuration.  Then configure it to be a CAP by using the following script which you can copy and paste to a terminal window:

/interface wireless
set [ find default-name=wlan1 ] l2mtu=1600 ssid=MikroTik
/interface wireless cap
set discovery-interfaces=ether1 interfaces=wlan1 enabled=yes
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1

The device will then communicate with the CAPsMAN and become a CAP.

CAPsMAN Server 6

 

Once the CAP is configured, the CAPsMAN will show it’s status and the CAP will tell you it is being managed by the CAPsMAN;

CAPsMAN Server 7

The registration table will then contain registrations for all CAPs:

CAPsMAN Server 8

There are a lot of modifications you can do at this point like add more SSIDs or optional security keys but this is the basic setup.  Any more CAPs added to the local net will automatically be configured as CAPs as long as they are in CAP mode.

Here’s a screenshot from my router running CAPsMAN.  As you can see the CAPs are just interfaces!  Address them, run HotSpot on them, whatever you would normally do with a physical interface.

Screen Shot 2014-12-02 at 9.08.05 PM

The more I learn, the more I like and I am sure if you give CAPsMAN a try you will like it too!

I used Uldis’ presentation from the MikroTIk USA MUM 2014 to create this how to and he included a lot more detail.  You can ready his presentation HERE.

The manual for CAPsMAN is HERE.

 

MikroTik RouterOS Virtualization and Bridging Issues – Solved!

It started out simple enough – install MikroTik RouterOS as a guest OS on ESXi and make the virtual router a VPN endpoint for a site to site VPN.

Here is my setup.  On the left is an MikroTik RB2011 and on the right is a virtual instance of MikroTik RouterOS.

MikroTik Virtual RouterOS

As you can see I have an EOIP tunnel between the two routers and I am bridging the Ethernet interface on the LAN to the EOIP tunnel. This yields a Layer 2 connection between the two LANs and accomplishes my goal. Or does it?  Things were acting strange and I could not ping across the tunnel any time I bridged the Ether to the EOIP on the ESX side. No bridge, no problems. With a bridge, no pings.

I was Skyping my friend Tom Smyth in Ireland about an unrelated subject and threatening to pull my hair out when he said “have you tried the 3 security questions on ESXi networking?  No, I replied”.  So, I tried it and the problem was solved. Now everything worked.  Apparently, ESX doesn’t like it’s virtual router interfaces being bridged.  Here are the settings that fixed it.

MikroTik RouterOS-ESX3 MikroTik RouterOS-ESX2 MikroTik RouterOS ESX1

I could care less about the why, nor do I plan to figure it out. It works, and that’s all I care about.

 

 

MikroTik RouterOS Packet and Connection Marking

Ever since I wrote the book, RouterOS by Example, I get a lot of emails asking me specific questions about this powerful routing system.  I try and answer the questions, time allowing, as completely as possible.  There is one question that seems to pop up from time to time so I thought it was worth dedicating a blog post to it.

I you are not familiar with the Mangle facility in MikroTik RouterOS, it is a system that allows you to identify traffic and mark it.  The identification criteria can be port, protocol, source address or destination address among other things.  Once traffic is identified, a mark is associated with the packet and that packet can then be queued, firewalled, nat’ted, etc.  to name a few uses.

The question was asked this morning, “Why does everyone suggest marking connections first and then marking packets? Wouldn’t it take less processor power to simply identify and mark the packets with one rule?  Good question so let’s explore that.

If you are in a hurry or have a very simple setup, or if for some reason you have connection tracking turned off, then you can simply mark packets without marking connections.  Although this is quick and dirty, it requires that the router examine every packet that passes through the router and determine if it meets our matching criteria of our one rule.  If you only have a few rules and it works the way you want, then this is probably fine.

For more complicated setups with many rules, this simplistic method will bring a small router to it’s knees by utilizing a huge amount of CPU.  In this case, the best strategy is to first identify the traffic and then mark the connections.

Once the connections are identified and marked, simply mark all packets that belong to that connection.  This is all about numbers so take a look at an example.  My home router currenty shows 118 connections and since I have started writing this post, it has processed more than 13,000 packets.  If you were marking packets only, then the router would have had to examine 13,000 packets to determine if there was a match.  I you use the two step method, it would examine less than 200 connections for a match and then mark only the assiciated packets.  Marking packets in itself is not processor intensive but examining them for a match is.  So, in this case, more rules means less resources.

There is a hidden benefit to marking connections first with respect to troubleshooting.  When you only mark packets, you don’t get a visual feedback about your effectiveness in rule writing.  Yes, the statistics for that rule will increase if you are matching packets, but there is no way to actually see the marks.  On the other hand, if you mark connections first, you will see those marks in the connection tracking table. For me, that in itself is worth the little bit of extra effort.

I hope this helps and happy mangling!