Access Point and Station Combo on Mikrotik

While wireless is available in the most hotels these days, the good old ethernet cable seems to be disappearing bit by bit. That means you cannot simply plug-in your own wireless and have it just work. Having a device capable of bridging two wireless networks is becoming a necessity. Why would you even bother, you wonder?

One reason is convenience - if you always connect to your own wireless access point, you have everything setup and ready to go without annoying web prompts. Particularly handy if you bring your Roku or Chromecast with you as they generally have no provisions for even entering user name/password combination.

Other reason is security. Connecting to an open network (or one with widely known key) means every single device is fully exposed to snooping gremlins hiding around. And you will be surprised how much data is actually not encrypted. Yes, having your own wireless doesn’t necessarily fix that as you still go over unprotected media but it is a necessary first step. In one of the future posts we can talk about connecting over VPN and how to skin that particular cat.

For me a favorite wireless-to-wireless bridge device was aging Asus WL-330gE. Unfortunately, the device hasn’t had any update in ages and using alternative firmware makes wireless bridging functionality much more difficult than it should be.

Lately I’ve been using two Mikrotik mAP lite devices back-to-back. One serves the function of a wireless client toward the hotel’s wireless while the other is an access point with VPN on board. As I needed one mAP for another project of mine, I started to wonder how to setup the same device to be both wireless client and an access point.

This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

Assuming you start with fresh mAP lite, first order of business is connecting to its default wireless network and cleaning the whole router out. This will allow connecting WinBox via the cable to the router’s MAC address as default configuration assumes that port is intended for WAN.

/system
reset-configuration no-defaults=yes skip-backup=yes

Since all is deleted, pretty much the only thing one can do is connect to ethernet port and use neighbor discovery on your Mikrotik. When device is found, just connect using the MAC address.

If we do not know exact wireless network we are interested in, we can enable wireless and perform a scan to see what is around.

/interface wireless
scan wlan1

Once we wither find network by scan or because we already new its name, it is time to set it up. Of course, security profile mode and all other parameters must match network you are connecting to.

/interface
wireless security-profiles add name=client-profile mode=^^dynamic-keys^^ authentication-types=wpa2-psk wpa2-pre-shared-key=^^hotel_wireless_password^^
wireless set wlan1 ssid=^^hotel_network_name^^ security-profile=client-profile frequency=auto disabled=no

This is actually one of rare situations where it is probably worth actually using GUI and wireless Scanner tool instead of getting all this sorted out manually. Regardless, if all went well, you should see upper case R next to the wlan1 interface.

As we destroyed the whole network configuration, we need to setup DHCP client on wlan1 interface so we can obtain IP. This is a nice second checkpoint as you should see the hotel’s IP address getting assigned to your router.

/ip
dhcp-client add interface=wlan1 disabled=no
address print

Now that we have client sorted out, we need to create the access point. That involves setting up a security profile, creating the access point interface on top of the existing wlan1, getting its DHCP server interface sorted out, NAT, and lastly the basic firewall.

/interface
wireless security-profiles add name=ap-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=^^access_point_password^^
wireless add name=ap-wlan master-interface=wlan1 mode=ap-bridge ssid=^^access_point_network_name^^ security-profile=ap-profile disabled=no

/ip
address add interface=ap-wlan address=192.168.89.1/24
dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1
pool add name=ap-pool ranges=192.168.89.10-192.168.89.99
dhcp-server add name=ap-dhcp interface=ap-wlan address-pool=ap-pool disabled=no

/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade

/ip firewall filter
add chain=forward action=accept in-interface=wlan1 connection-state=established,related disabled=no
add chain=forward action=accept out-interface=wlan1 disabled=no
add chain=forward action=drop disabled=no

/system reboot

Assuming everything went fine, after reboot, you will have your access point going through hotel’s wireless.

This setup is not necessarily the most comfortable one as every time you want to connect to new network you will have to use WinBox over the ethernet cable. And no, you cannot use access point for configuration since access point is only active if its master - hotel’s connection - is running.

Again no, you cannot do it other way round - have the access point as the main wireless interface and station as slave because you need to have station tracking for your hotel’s access point. If you setup your access point first, you will need to set its frequency to match hotel’s access point at all times. That doesn’t play well if you roam through hotel and see APs with the same name and different frequency nor it will play well if AP changes its frequency, for example, due to radar detection.

However, this setup gives you the full power of Mikrotik to use in a wireless bridge at the cost of a single device.

Me? I’ll stick to my double mAP method.

PS: Yes, you could work around the need for Ethernet cable but it gets complicated enough that it is not worth the trouble.

PPS: Yes, firewall is VERY basic.

Cancelling Column Width Change for ListView Control

While I usually appreciate ability of ListView to adjust column widths, there are situations when I want it fixed to certain size.

For this occasion I already had column size fixed:

column.Width = listView.ClientRectangle.Width - SystemInformation.VerticalScrollBarWidth;

One would think that cancelling ColumnWidthChanging would be sufficient, e.g.:

private void listView_ColumnWidthChanging(object sender, ColumnWidthChangingEventArgs e) {
    e.Cancel = true;
}

However, this will not work. Column width will stay fixed while you are moving mouse around only to change once you release the mouse button. To cancel column width, we need to reset the size too:

private void listView_ColumnWidthChanging(object sender, ColumnWidthChangingEventArgs e) {
    e.Cancel = true;
    e.NewWidth = listView.Columns[e.ColumnIndex].Width;
}

A bit more code then I would personally expect, but easy enough.

Bimil 1.70

For this version I mostly concentrated on getting auto-type working properly. Lot of bug fixes and improvements were done to it. It will work regardless of caps-lock state, added enter and tab keys, and looks on high-DPI screen have been improved; to name a few.

Start dialog has been improved too - most notable change being support for read-only files. And that doesn’t stop at start dialog as application now handles that pesky attribute without an issue.

Additional Run Command field has been added to allow for running any application directly from Bimil. It even supported environment variables (e.g. %APPDATA%) for better usability.

In any case, a new version can be downloaded either directly from application or from Bimil pages.

Git and Missing ANSI Colors

While I have quite a few of my projects exposed on GitHub, I also have a private stash on my FreeBSD-based file server.

After a bit of mess-up I had to modify repository directly on server. No biggie, I connected via Putty only to be greeted with a bunch of ESC nonsense upon every Git command execution. From output it was obvious that something was wrong with ANSI color support.

Adding --no-color to each Git command helped a bit but at the cost of color. Some commands that have no support for omitting color I just redirected to tee null. But that also came in black and white only.

After a while I noticed a pattern - Git commands that needed paging were messy while simple ones showed color just fine. On a whim I set Git pager to less:

git config --global core.pager less

And it worked - despite the fact less is generally a Git’s default to start with.

My best guess is that package I installed doesn’t agree well with my environment and that a few switches might actually solve it without Git reconfiguration. However, this worked and I had no will to continue chasing the rainbow any more. :)

Simple SSTP VPN Server on Mikrotik

Few posts ago, I have gone over the procedure needed to get OpenVPN going. However, what about SSTP-based VPN?

This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

Prerequisite for any VPN server is to get certificates sorted. Procedure is exactly the same as for OpenVPN server setup with the slight difference being that common-name really matters. It must match either external IP or external host name - no exceptions.

For completeness sake, I will repeat the certificate creation steps here:

/certificate
add name=ca-template common-name=^^example.com^^ days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=^^*.example.com^^ days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=^^client.example.com^^ days-valid=3650 key-size=2048 key-usage=tls-client

sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Depending on your router’s speed, that sign command might time-out - nothing to worry about - just wait for CPU to drop below 100%. Or alternatively check the name of certificate - template part will disappear once signing is completed.

For later shenaningans, we will need root certificate export (just move it somewhere on your computer afterward):

/certificate
export-certificate ca-certificate export-passphrase=""

Next we need a IP address pool for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN (notice that it can be the same pool as one used for OpenVPN):

/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Instead of editing the default encrypted profile, we can create a new one. Assumption is your Mikrotik will also be a DNS server. And while at it, you can create a bit more imaginative user/password (again, if you did this for OpenVPN server, you can just reuse the same profile and user):

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name=^^user^^ profile=vpn-profile password=^^password^^

Finally, we get to enable SSTP VPN server interface - first step that is actually needed if you already have OpenVPN server running:

/interface sstp-server server
set enabled=yes default-profile=vpn-profile authentication=mschap2 certificate=server-certificate force-aes=yes pfs=yes

One curiosity is force-aes flag that is officially listed as not working with Windows clients. I’ve tested it on Windows 7 and 10 without any issues. You can clear it if you play with something older.

With this, our SSTP VPN server is up and running - onto the client setup!

For client we first need to import our certificate authority and we need to do it a bit roundabout way. First we start MMC (Microsoft Management Console) using mmc.exe and to it add Certificates (File->Add/Remove Snap-in). When asked select Computer account for Local Computer and find Trusted Root Certification Authorities. Right-click on it will show Import to which we give certificate we’ve exported a few steps ago.

In the Network and Sharing Center now we can go and Set up a new connection. When asked we just select Connect to a workplace and write destination host name (or IP). Remember that it must match certificate common-name (or a matching wildcard) you gave to your server certificate.

If all steps went fine, you should be presented with user name / password prompt and off you go.

PS: Do not forget to adjust firewall if necessary (TCP port 443).

/ip firewall filter
add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"

[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later] [2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)]