MikroTik Fasttrack with IPsec

Fasttrack is a feature introduced in RouterOS v6.29 that allows packets to be forwarded without being handled by the full Linux kernel network stack, which greatly improves the throughput of your router and lowers its CPU load.

Fasttrack lets all packets belonging to a connection in the Established or Related state bypass the kernel and be forwarded directly to the target. So once a connection is marked as established or related, it no longer goes through any firewalling or processing and is forwarded straight to the target. Of course, a connection only gains the established or related state after it has passed through the firewall, so it is still secure.

But there is a known issue: Fasttrack does not work with IPsec connections, and the result is a rather wonky experience or a very unstable IPsec connection. So if you have IPsec connections on your MikroTik but still want the advantages of Fasttrack, here is the resolution for you!

Firstly, we want to mark all IPsec connections:

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec

Secondly, we want to create a new Fasttrack rule that excludes all IPsec connections marked by the two mangle rules above:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
/ip firewall filter add chain=forward action=accept connection-state=established,related

Don’t forget to delete your old Fasttrack rule if any.

I’ve been using this rule in my live IPsec site-to-site tunnel and the result is just simply amazing!

Let me know if you have any question or comment by posting down below. Cheers!

MikroTik Site-to-Site IPsec Tunnel

Easy Guide on how to setup MikroTik Site-to-Site IPsec Tunnel

If one of the MikroTiks’ WAN IP addresses is dynamic, set up that router as the initiator (i.e. the one that dials out).

If you are working from WAN, don’t forget to enable Safe Mode.

Let’s go to Winbox -> IP -> IPsec -> Proposals, and this is the IPsec proposal I usually use:

It is compatible with DrayTek routers as well; see the picture below:

IPsec Policy

Let’s go to IP -> IPsec -> on Policies, click on + and on the Action tab, fill in the following:

<tick> Tunnel if it’s not ticked.

SA Src. Address: <WAN IP Address of this MikroTik> (this can be blanked, if this MikroTik has dynamic WAN IP address)
SA Dst. Address: <WAN IP Address of the other MikroTik>
Proposal: Select the proposal we created before (i.e. proposal-younameit)

Then click on General tab, and fill with the following:

Src. Address: <Internal LAN IP of this MikroTik>
Dst. Address: <Internal LAN IP of the other side>
<untick> Template if it’s ticked.

IPsec Peers

Now let’s go to the Peers tab to set up the other phase:


If the initiator has a dynamic WAN IP, set Generate Policy = port strict on the responder side. Port strict generates policies using the ports from the peer’s proposal, which should match the peer’s policy. This is also useful when the remote peer’s IP address is unknown at configuration time, as it basically allows the peer to establish SAs for non-existing policies.

Set up the same on the other side of the tunnel (just reverse the SRC/DST). If your tunnel works, you will see it under IPsec -> Installed SAs.

Last but not least, we need to set up a firewall NAT rule that lets traffic from the LAN behind our MikroTik go through the tunnel instead of being masqueraded:

On the Action tab, set Action: accept.

Click Apply then OK and put this rule above the masquerade srcnat rule.

I hope this guide works for you, but if you have any question or comment please don’t hesitate to write down below, and I would be happy to respond.

How to upgrade or migrate Active Directory server

A quick walkthrough on how to upgrade or migrate an Active Directory Server.

In this guide, the old server is Windows Server 2008 R2 Standard, and the new server is Windows Server 2016 Essentials.

This guide should work on other Windows Server versions as the concept is pretty much the same.

Firstly, we install the Active Directory (AD) role on the new server.

If the AD role can’t be installed, we can safely remove the Active Directory Certificate Services first.

Then we join the new server to the domain.

Then type this on the new domain controller:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2008-r2-std.saputra.local
PDC ws-2008-r2-std.saputra.local
RID pool manager ws-2008-r2-std.saputra.local
Infrastructure master ws-2008-r2-std.saputra.local
The command completed successfully.

That means all of the domain roles are still held by the old server.

Let’s go to Active Directory Users and Computers
Right-click on saputra.local and select Operations Masters
Change the operations master to the new server for each of RID, PDC, and Infrastructure

After changing the three roles above, the state should look like this:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2008-r2-std.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.

Go to Active Directory Domains and Trusts
On the left pane, right-click on Active Directory Domains and Trusts
Select Operations Master (there’s Raise Forest Functional Level as well, which is completely optional)

The roles should now look like this:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2016-ess.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.

To transfer the last role, type:

C:\Windows\system32> regsvr32 schmmgmt.dll

Then:

C:\Windows\system32> mmc.exe

Load the Active Directory Schema snap-in
It will connect to the old AD server first
Right-click, choose ‘Connect to Schema Operations Master’ and select the new server
Then select Operations Master and transfer the role to the new server:

C:\Windows\system32> netdom query fsmo
Schema master ws-2016-ess.saputra.local
Domain naming master ws-2016-ess.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.
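Before demoting the old server, it is worth confirming from the output itself that none of the five roles is still on it, rather than reading the list by eye. The following Python check is an added example written for this page (not a Microsoft tool); it parses the text that netdom query fsmo prints and reports which roles a given DC still holds. The sample output below is the one shown above after the first three roles were moved, so the check should still name the two roles left on the old server.

```python
# FSMO role holders according to `netdom query fsmo` (sample taken from the post,
# captured after PDC, RID and Infrastructure had already been transferred).
NETDOM_OUTPUT = """\
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2008-r2-std.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully."""

# The five roles netdom reports, spelled the way they appear in its output.
FSMO_ROLES = (
    "Schema master",
    "Domain naming master",
    "PDC",
    "RID pool manager",
    "Infrastructure master",
)


def parse_fsmo(output):
    """Map each FSMO role name to the DC (lower-cased FQDN) that holds it.

    Raises ValueError if any role is missing, so a truncated or failed
    netdom run is never mistaken for "all roles moved".
    """
    holders = {}
    for line in output.splitlines():
        for role in FSMO_ROLES:
            if line.startswith(role):
                holders[role] = line[len(role):].strip().lower()
    missing = set(FSMO_ROLES) - holders.keys()
    if missing:
        raise ValueError(f"netdom output incomplete, roles not found: {sorted(missing)}")
    return holders


def roles_still_on(holders, old_dc):
    """Return the sorted list of roles still held by old_dc (case-insensitive FQDN)."""
    return sorted(role for role, dc in holders.items() if dc == old_dc.lower())


def ready_to_demote(output, old_dc):
    """True only when old_dc holds none of the five FSMO roles."""
    return not roles_still_on(parse_fsmo(output), old_dc)


if __name__ == "__main__":
    old = "ws-2008-r2-std.saputra.local"
    left = roles_still_on(parse_fsmo(NETDOM_OUTPUT), old)
    print(f"roles still on {old}: {left or 'none'}")
    print("safe to demote" if not left else "transfer the remaining roles first")
```

Paste the real output of netdom query fsmo from your own domain into NETDOM_OUTPUT (or read it from a file) and pass the old DC's FQDN; demote only once ready_to_demote returns True.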

Demoting old server

Obviously, go to the old server;
Run dcpromo.exe; it will say the server is a Global Catalog server;
Go to Active Directory Users and Computers (this can be done from either new server or old server);
Expand the domain and select Domain Controllers;
Select the old server and click on NTDS Settings;
Untick Global Catalog;

And now we should be able to demote the old server.

If you have any questions or comments, please write down below and I would be happy to answer 🙂

Setup MikroTik as L2TP/IPSec VPN Server

This is a brief guide on how to implement an L2TP/IPSec VPN server on Mikrotik RouterOS and use it as a gateway.

Change these to fit your setup:

  • This router’s local IP address: 172.31.1.1/20
  • WAN connection is PPPoE with the name ether1-GTW.
    If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients is vpn-pool and gives addresses 172.31.2.1-172.31.2.9
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret

Remember that it’s always a good practice to use a strong password and secret.

Let’s create a pool of addresses that VPN clients will get once connected:

/ip pool add name=vpn-pool ranges=172.31.2.1-172.31.2.9

Then create a VPN profile that will determine the IP addresses of the router, VPN clients, and DNS server. You can set it to be outside of the local subnet, but make sure that your firewall allows the connection:

/ppp profile add change-tcp-mss=yes local-address=172.31.1.1 name=vpn-profile remote-address=vpn-pool dns-server=172.31.1.1 use-encryption=yes

We can now create VPN users:

/ppp secret add name="remoteuser" password="yourpassword" profile=vpn-profile service=any

Configure IPSec settings, i.e. encryption standards, L2TP secret, who can connect, NAT traversal:

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

If you have a firewall rule that blocks all traffic, you can add these additional rules to allow L2TP/IPSec to pass through the WAN interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500 
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-GTW protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-GTW protocol=ipsec-ah
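Both the Fasttrack post above and this L2TP/IPsec post depend on a handful of firewall details that are easy to get wrong on a router that has been edited for years: an old fasttrack rule left in place without the IPsec exclusion, one of the VPN input rules missing, or a legacy cipher still enabled. As an added example written for this page (not code from either post or from MikroTik), here is a small Python audit that reads the text of a RouterOS /export and checks those three things: every fasttrack-connection rule excludes the connection mark set by the IPsec mangle rules, the WAN input chain accepts UDP 500, 4500 and 1701 plus ESP, and the IPsec peer and proposal contain no legacy cipher (3des, des, null). The sample export is constructed from the commands in the two posts with three deliberate defects added so the checks have something to find; the WAN interface name ether1-GTW is the one this post uses.

```python
import shlex

# Constructed sample of what `/export` could print for the two posts, with three
# deliberate defects: a leftover fasttrack rule that ignores the ipsec mark,
# no input rule for UDP 4500 (NAT-T), and 3des still enabled.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=!ipsec
add action=accept chain=forward connection-state=established,related
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
"""

WAN = "ether1-GTW"  # WAN interface name used in the L2TP/IPsec post
# (protocol, dst-port) pairs the input chain must accept on the WAN for L2TP/IPsec.
REQUIRED_INPUT = {("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("ipsec-esp", None)}
LEGACY_CIPHERS = {"3des", "des", "null"}


def parse_export(text):
    """Yield (menu, props) for each `add`/`set` line of a RouterOS export."""
    menu = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            tokens = shlex.split(line.split(" ", 1)[1])  # handles quoted comments
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)


def check_fasttrack(rules):
    """Fasttrack rules must exclude every mark the IPsec mangle rules set."""
    marks = {p["new-connection-mark"] for m, p in rules
             if m == "/ip firewall mangle" and "ipsec-policy" in p and "new-connection-mark" in p}
    excluded = {f"!{mark}" for mark in marks}
    return [f"fasttrack rule does not exclude IPsec mark(s) {sorted(marks)}: {p}"
            for m, p in rules
            if m == "/ip firewall filter" and p.get("action") == "fasttrack-connection"
            and marks and p.get("connection-mark") not in excluded]


def check_vpn_input(rules, wan):
    """Report which of the required L2TP/IPsec input accepts are missing on the WAN."""
    allowed = {(p.get("protocol"), p.get("dst-port")) for m, p in rules
               if m == "/ip firewall filter" and p.get("chain") == "input"
               and p.get("action") == "accept" and p.get("in-interface") == wan}
    return [f"no input accept on {wan} for {proto}" + (f"/{port}" if port else "")
            for proto, port in sorted(REQUIRED_INPUT, key=str) if (proto, port) not in allowed]


def check_ciphers(rules):
    """Flag legacy encryption algorithms in the IPsec peer or proposal."""
    findings = []
    for m, p in rules:
        if m in ("/ip ipsec peer", "/ip ipsec proposal"):
            algs = p.get("enc-algorithm", p.get("enc-algorithms", "")).split(",")
            weak = sorted(a for a in algs if a.split("-")[0] in LEGACY_CIPHERS)
            if weak:
                findings.append(f"{m}: legacy cipher(s) {weak} enabled")
    return findings


def audit(text, wan=WAN):
    """Run all three checks over an export and return the list of findings."""
    rules = list(parse_export(text))
    return check_fasttrack(rules) + check_vpn_input(rules, wan) + check_ciphers(rules)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against a saved /export of your own router by passing the file contents to audit(). The 3des finding is a caveat rather than a defect in the post: NIST has deprecated 3DES, so keep it enabled only while a client actually needs it, and re-run the audit after removing it.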

[Optional Configurations]

To use MikroTik VPN Server as Gateway so the VPN clients will have MikroTik’s public IP, you can simply masquerade:

/ip firewall nat add chain=srcnat out-interface=ether1-GTW action=masquerade

Allow DNS Remote Requests:

/ip dns set allow-remote-requests=yes

I tested this on Amazon Elastic Compute Cloud (EC2), using t2.micro instance and it worked perfectly fine for me.

I hope this guide works for you, feel free to post any questions or comments down below.

Download and Get the Windows 10 Fall Creators Update

Earlier Microsoft released a Windows 10 Fall Creators Upgrade Assistant, but it’s hard to find now. Just in case you’re missing it, you can download from the link below:

https://saputra.ch/downloads/installers/Windows10Upgrade9252.exe

andy-mac:Downloads andy$ md5 Windows10Upgrade9252.exe 
MD5 (Windows10Upgrade9252.exe) = da222f3519e7387892a7afea30b1cb65
andy-mac:Downloads andy$

Office 365 Convert Regular to Shared Mailbox & Setup Mail Forwarding

Has someone left your office?

Here is the best practice for handling their mailbox.

With Office 365, we can keep inactive users’ mailboxes in the cloud without affecting our quota and without any license required.

  1. Go to Admin centers -> Exchange
  2. At the Exchange admin center dashboard, go to recipients -> mailboxes
  3. Click on target user’s mailbox, and select Convert to Shared Mailbox
  4. Go back to Office 365 Admin center, go to Users -> Active users -> click on target user’s mailbox, and remove the license.

Set up email forwarding by going back to the Exchange admin center and opening mail flow:
On Rules, click the + sign to create a new rule and name it: Sent to ‘target.user@saputra.ch’. Under *Apply this rule if… choose [The recipient is…] and pick the target user’s name; under *Do the following… choose [Redirect the message to…] and pick the destination user’s name. Leave ‘Audit this rule with severity level: Not specified’ ticked, and leave the mode for the rule as ‘Enforce’. Click Save to create the forwarding rule.

If you are managing your own Office 365 licenses, you can reduce the license count to minimise the bill:
Go to Office 365 Admin center -> Click on Billing -> Subscriptions

Setting up WiFi Hotspot on your Samsung Android Smartphone

If you are not connected to a Wi-Fi or local network and want to use the Internet on your computer or any other Wi-Fi compatible device, you can use your phone as a modem. This guide shows, in a few easy steps, how to establish an Internet connection between your phone and your preferred device.
  1. Select Apps:
  2. Select Settings:
  3. Select Mobile hotspot and tethering:
  4. Select Mobile hotspot:
  5. Select MORE:
  6. Select Configure Mobile hotspot:
  7. Enter a password of at least 8 characters and select SAVE:
  8. Turn On Mobile hotspot:
  9. Your phone is now set up for use as a Wi-Fi hotspot:

Select your phone from the list of Wi-Fi networks on your computer or any other Wi-Fi compatible device and enter your password. To turn Off your personal hotspot, simply slide Mobile hotspot to Off.

Migrating a Mac Local User to a Network User

I’ve seen several places where a smaller company has been integrated into a large company, or where the number of Macs in the company has grown, and now you want those users to have their machines and login managed under the network directory system, be that Open Directory or Active Directory. The most frequent issue with this is that a user has an existing home directory that they’ve been working with and want to be able to bring this over to the new environment. This is a walk-through of how to make that process as painless as possible.

Note: These instructions are based around a 10.5.x client OS. 10.5 uses plist files for user records, where 10.4 used Netinfo. The same theory applies to 10.4, but the method is different, in that the user must be removed from Netinfo.

We’re going to start by assuming that we have already successfully bound our client machine to the existing directory authentication structure. What you may notice here is that even though your user account exists on the directory server, you may not be able to log in with its credentials. This is probably because the shortname of your local user account and of your network user account are the same, and the search policy for Directory Services on the client always looks to the local machine for authentication first.

You may need to create a new administrative user at this point as you will need to be logged into the client as some user other than the user that you are planning to migrate. Using this alternate user, use the Terminal to navigate to /var/db/dslocal/nodes/Default/users

macmini:~ admin$ sudo -s
Password:
bash-3.2# cd /var/db/dslocal/nodes/Default/users/

We had to use sudo before this command as the files within the Default node are only viewable by the root user.

From here we’re going to move the plist file for the user we want to migrate. I’m only moving, rather than removing to preserve the file in case I want to go back to the local user for any reason. Once you’ve tested a successful login at the end of this process you can delete the file we’re moving into /Users/Shared/.

mv andy.plist /Users/Shared/

You’ll notice that if you run an “id” command on the user you just moved, the local information will still show up.

bash-3.2# id andy
uid=502(andy) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),98(_lpadmin),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2)

We need to restart the DirectoryService process before our change takes effect.

bash-3.2# killall DirectoryService
bash-3.2# id andy
uid=1026(andy) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),98(_lpadmin),101(com.apple.sharepoint.group.1),81(_appserveradm),1030(all),1027(vpn),102(com.apple.sharepoint.group.2),79(_appserverusr),80(admin)

You’ll notice that the information coming back from “id” is now from the directory server, not the local user record. However, if we try to log in at this point the ownership of the files in the home directory will be incorrect, because they still belong to the old local UID. To fix this, we’ll run a recursive chown on the user’s home directory.

bash-3.2# chown -R andy /Users/andy

Your user is now ready to log in with their directory username and password, and their home directory will remain the same.
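The two “id” outputs above contain everything needed to judge the migration: the UID changed (which is why the recursive chown is required), and the network record may carry group memberships the local account never had. The following Python snippet is an added example written for this page, not part of the original walkthrough; it parses both lines and produces a short report, using the post’s own “id” output as sample input. The report also notes whether the user became a member of the admin group through the directory, something worth knowing before handing the machine back.

```python
import re

# Sample lines taken from the post: `id andy` before and after DirectoryService
# was restarted (the local record first, then the network record).
ID_BEFORE = ("uid=502(andy) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),"
             "98(_lpadmin),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2)")
ID_AFTER = ("uid=1026(andy) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),"
            "98(_lpadmin),101(com.apple.sharepoint.group.1),81(_appserveradm),1030(all),"
            "1027(vpn),102(com.apple.sharepoint.group.2),79(_appserverusr),80(admin)")

# One "number(name)" entry as printed by id(1).
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse `id` output into uid/gid tuples and a {group_name: gid} mapping."""
    fields = dict(part.split("=", 1) for part in line.split())
    uid = ENTRY.fullmatch(fields["uid"])
    gid = ENTRY.fullmatch(fields["gid"])
    if not uid or not gid:
        raise ValueError(f"unrecognised id output: {line!r}")
    groups = {name: int(num) for num, name in ENTRY.findall(fields.get("groups", ""))}
    return {
        "uid": (int(uid.group(1)), uid.group(2)),
        "gid": (int(gid.group(1)), gid.group(2)),
        "groups": groups,
    }


def migration_report(before_line, after_line, admin_group="admin"):
    """Compare the local and network records of the same user.

    The chown command is only meaningful after DirectoryService has been
    restarted, since only then does the username resolve to the new UID.
    """
    before, after = parse_id(before_line), parse_id(after_line)
    user = before["uid"][1]
    if user != after["uid"][1]:
        raise ValueError("the two records are for different users")
    old_uid, new_uid = before["uid"][0], after["uid"][0]
    return {
        "user": user,
        "old_uid": old_uid,
        "new_uid": new_uid,
        "uid_changed": old_uid != new_uid,
        "chown_command": f"chown -R {user} /Users/{user}" if old_uid != new_uid else None,
        "groups_gained": sorted(set(after["groups"]) - set(before["groups"])),
        "groups_lost": sorted(set(before["groups"]) - set(after["groups"])),
        "became_admin": admin_group in after["groups"] and admin_group not in before["groups"],
    }


if __name__ == "__main__":
    for key, value in migration_report(ID_BEFORE, ID_AFTER).items():
        print(f"{key}: {value}")
```

Replace the two sample strings with the output of “id <user>” captured before and after the killall DirectoryService step on your own client; if uid_changed is False the chown is unnecessary, and if became_admin is True the directory has granted the user local administrator rights that the old local account did not have.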

3CX SSL certificate has expired

Follow these steps to renew your 3CX SSL certificate (this assumes the PBX in question is on 15.5 SP0, since the last contact with the 3CX servers was made from 15.5 SP0; in this case the system must be updated to the latest service pack).

To force the update:

  • If version is lower than v15.5 SP2 skip this step:
    • Starting from v15.5 SP2, go in Settings / Parameters:
    • Set or Add TEMPORARY_SELF_SIGNED_CERTIFICATE_GENERATED and give it value of 1.
  • Linux:
    • Log in via SSH.
    • Type: /usr/lib/3cxpbx/PbxConfigTool -renew-certificates
  • Windows:
    • Go to Command Prompt.
    • Type: “C:\Program Files\3CX Phone System\Bin\PBXWizard\PbxConfigTool.exe” -renew-certificates
    • Press Enter and the result should look something like this:
    • Restart nginx just to be sure and the certificate should have been renewed (service nginx restart)

I got the instructions above officially from the 3CX Support Helpdesk.

How to Fix: Google Chrome Updates are disabled by the Administrator

If your Google updates are disabled by the administrator so you cannot update by yourself, here is the solution! It is very easy and it only takes five minutes to fix this issue:

  1. Go to the Windows Start button at the bottom left and click on Run.
  2. Type regedit in the Run box.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update
  4. Double-click on UpdateDefault
  5. Change the value from 0 to 1.
  6. Restart your Chrome Browser and try to update again.