Syed Jahanzaib Personnel Blog to Share Knowledge !

April 11, 2012

Howto Manage Active Directory using Webmin/Linux Customized Panel

Article by
~!~ Syed Jahanzaib ~!~

Dedicated to ALL Pakistani Soldiers who gave there Life in SIACHIN

Following is one of  the simplest way to manage your Active Directory Using WEBMIN base customized panel. I always prefer to create my own in-house made solutions for daily routine tasks.

Using this method you can customize the options you want to use. For example, this panel access can be granted to support personnel or help-desk staff , so they will be limited to the features / options you provide them with.

For example, Support personnel can access your panel via using there browser

and after entering his credentials, he will be redirected to command panel, Only those commands will appear here which you have granted access for.

A very basic example is showed in the image below . . . But you can create more advance, sophisticated functions with beautification using this panel to control every aspect of your network, whether its Microsoft, Linux or Mikrotik or any compatible device

To create this panel, you will need following components

1) Linux box with WEBMIN installed,

2) sshpass Utility on Linux box,

3) freeSSHD application installed on Windows AD Server .

4) Testing ssh connection to A.D from your Linux BOX

5) Create Scripts on Linux and Link them to WEBMIN

6) Create User in Webmin and Grant Custom Commands Rights

We will discuss above six topics in minimum details as following. . .


I assumed that you have installed and configure your Linux box (preferably Ubuntu, but any flavor can do the job, this is the main quality of Linux OS :)~
To install Webmin , first add its repositories to sources.list, to do this first open sources.list

nano /etc/apt/sources.list

Now paste the following lines in the end of this file.

deb sarge contrib
deb sarge contrib
deb lucid partner

Save & Exit.

Now update apt-get and install webmin using

apt-get update
apt-get install webmin

It will take some time to install webmin depend on your internet connection (usually less then 10 minutes) , afterward you can access it using


(TIP: you can change the webmin port by editing in /etc/webmin/miniserv.conf and change the port number to any port you like, for example 443 or 1234)

Now moving to ahead . . .


sshpass utility is required so that you can do ssh to your windows box with the provided password, otherwise if you do normal ssh it will stop and ask you  the password , which you can’t provide in automated way while using the webmin script, thus the script will stop on password function and will not perform as desired,
[However The best approach is to generate SSH keys and use them, but i am not going in that detail, just Google for it]

To install sshpass , use the below command . . .

sudo apt-get install sshpass



First download freeSSHD server and install it. Installation procedure of this app is very simple , just clicking few next next button :p You can download it from

At the end of the installation, it will ask you to run freeSSHD as Service, Select YES , so that it may run automatic when windows start as a windows service.

After Finishing setup, You will see its icon in your taskbar area , Right click on it and select SETTINGS,
Goto Users TAB, and add your users, (You can add local users in it , OR you can select NT Authentication for domain.
For domain, you wont have to enter password, choice is yours).
As shows in the image below . . .


Now its time to test if your freeSSHD box is working. From your Linux box you can use the following command to test the connection.

sshpass -p ‘freessdh_password’ ssh userid@

And if successful, you will see the windows command prompt
As shows in the image below . . .

If you are testing it from Windows, you can Use any sshclient tool, like PUTTY, and enter your freeSSHD Box IP and try to connect, if all goes OK, you will see the user id . Enter your id password you added in the freeSSHD , and you will see command prompt of windows.

4) Create Scripts on Linux and Link them to WEBMIN

Now that we have finished configuring base requirements, It is time to create various Scripts to perform our desired functions and link them to webmin GUI user interface (Usermin?) :D

On your Linux box, Create an folder

mkdir /scripts
cd /scripts

Now create first script which will ssh to A.D Server and will fetch the DISABLED USERS list.

chmod +x

and paste the following line

sshpass -p '123'' ssh zaib@ 'dsquery user -disabled'

Now Save & Exit.You can test it by execute it by ./ and you will see its result on your screen.

Now its time to link it with the webmin GUI Interface.

Login to Webmin.
Goto OTHERS / CUSTOM COMMANDS and click on Create a new custom command.
As showed in the image below . . .

After Entering Command Details as showed in the image above, Click on SAVE
Now you will see your newly created command box on Custom Commands Menu, click on it and you will see the result :)


I will show you howto create custom command for specific User Info with input box.

Create a new Custom Command ,
As showed in the image below . . .

After entering all details, click on SAVE.

Now you will see View User Info Box on Custom Commands menu, Enter any valid user id (which exists on AD Users) and click on view user info button.
As showed in the image below . . .

Result . . .
As showed in the image below . . .

6) CREATE USER IN WEBMIN USERS & Grant Custom Command Rights

Now we will create a support staff user account and grant Custom Commands rights only , so when the support staff logged in to webmin, they see only Custom Commands Box, (Not all webmin access)

Goto Webmin / Webmin Users
Click on Create a new Webmin user
As showed in the image below . . .

In User name, type your user name
In Password field, select SET TO  and enter password in the box.
In Available Webmin modules section, select Custom Commands
Click SAVE to finish.

As showed in the image below . . .

Now logout Webmin and again login with the new user id you just created in above step.

After successfully logedin . . .

User will see only Custom Commands Menu . . .

TIP: You can replace WEBMIN default logo with your company logo , default image location is/usr/share/webmin/images/webmin-blue.png

To change webmin default 10000 port

To change webmin default port which is 10000, you have to edit minisev.conf , following is an example. Open it and change port (usually appears in 1st line to one required)

sudo nano -w /etc/webmin/miniserv.conf


root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ 'cmd /c dsquery user -limit 0 | dsget user -dn -disabled'

root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ Net user $UID /DOMAIN /active:NO

root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ 'dsquery user "dc=agp1" -inactive 2'

root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ 'dsquery user -disabled'

root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ Net user $UID /DOMAIN /active:YES

root@linux:/scripts# cat

sshpass -p 'freesshd_password' ssh zaib@ Net user $UID /domain

More commands references are available here.


aacable [at] hotmail . com

November 25, 2011

Howto Login on Remote Mikrotik & Linux without PASSWORD to execute commands using DSA key

~ Article by Syed Jahanzaib ~

By Following this guide , You will be able to Execute Scripts from a Remote Linux machine to Mikrotik RouterOS OR Linux without requiring password.


Login From Linux to Mikrotik to execute commands via ssh without Password !!!

[STEP # 1]
First you need to generate public dsa key. At your Linux box, issue the following command.

ssh-keygen -t dsa

This will create a DSA key pair that is compatible with Mikrotik/Linux
It will ask you few questions, as below.

root@zaib-desktop:~# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
ed:da:88:da:d1:b1:f0:b5:f2:39:04:85:9d:d0:19:f1 root@zaib-desktop
The key's randomart image is:
+--[ DSA 1024]----+
|        .=o=     |
|        . *.     |
|         .  E    |
|        ..       |
|      . S.o      |
|       + =..     |
|      . =.o      |
|     . o *..     |
|    ..o o +.     |

Make sure to leave the passphrase blank if you are going to be using this key in automated scripts. You do not want to be prompted for a password.


[STEP # 2]
Now the key have been generated, It’s time to upload it to MIKROTIK using FTP. Make sure FTP service is enabled on mikrotik. Upload this key via ftp using below commands.

root@zaib-desktop:~# cd /root/.ssh/
root@zaib-desktop:~/.ssh# ftp
Connected to

220 MikroTik FTP server (MikroTik 3.3) ready
Name ( admin
331 Password required for admin
230 User admin logged in
Remote system type is UNIX.

ftp> put
local: remote:
200 PORT command successful
150 Opening ASCII mode data connection for '/'
226 ASCII transfer complete
608 bytes sent in 0.00 secs (2207.2 kB/s)

ftp> exit
221 Closing


[STEP # 3]
Now login to Mikrotik via Winbox, and open Terminal , you need to import the key. to import key, use the below command.

user ssh-keys import
user: admin

The user field above determines which user account will be logged in when you pass the key, In this example , I am using default admin id.

All Done. You’ve created a key pair and imported the public key into Mikrotik ,

Now you can start running commands from your remote machine without using the password.

Some examples are below, from your Linux box, try the following . . .

(For the first time Login, It will ask you “Are you sure you want to continue connecting (yes/no)?” Type yes to continue)

ssh admin@  /system resource print
The authenticity of host ' (' can't be established.
DSA key fingerprint is 5f:d5:ee:51:8b:1c:c3:df:4d:3c:29:d8:af:48:35:a5.
Are you sure you want to continue connecting (yes/no)? yes

Again try to execute command and this time it will execute smoothly without asking any thing.

root@zaib-desktop:~# ssh admin@  /system resource print
uptime: 40m37s
version: "3.3"
free-memory: 40512kB
total-memory: 62276kB
cpu: "Intel(R)"
cpu-count: 1
cpu-frequency: 3200MHz
cpu-load: 1
free-hdd-space: 956832kB
total-hdd-space: 1021408kB
write-sect-since-reboot: 2373
write-sect-total: 2373


You can do so many interesting things using this method, you can link scripts with php or webmin and control your mikrotik / linux box with webmin as Frontend.


Login From Linux to Linux to execute commands via ssh without Password !!!


Suppose, We want to login from ADMIN PC to REMOTE SERVER without password , or we want to execute command from ADMIN PC to REMOTE SERVER.

[STEP # 1]

You have to first generate DSA public key on ADMIN PC.
You can create it by following [STEP # 1]  in Scenario # 1 of this post.
If you have already generated it, then skip this Step#1

[STEP # 2]

From Admin PC , issue the following command to upload to Remote Server.

scp root@

[It will ask Remote Server Password, type password and hit enter.

Now try to Login to REMOTE SERVER using following command


root@zaib-desktop:~/.ssh# ssh
Linux test2-proxy 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686

To access official Ubuntu documentation, please visit:

353 packages can be updated.
202 updates are security updates.

Last login: Fri Nov 25 03:01:45 2011 from

SUCCESS ! You are now able to Login to remote server without password.

You can Execute any command on remote server from admin pc, For example, you can shutdown / restart or whatever you like . . .

root@zaib-desktop:~/.ssh# ssh df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             3.8G  2.1G  1.5G  59% /
udev                  186M  224K  186M   1% /dev
none                  186M  164K  186M   1% /dev/shm
none                  186M   88K  186M   1% /var/run
none                  186M     0  186M   0% /var/lock
none                  186M     0  186M   0% /lib/init/rw

October 15, 2011

Howto redirect audio/video or some contents to another proxy using SQUID

Howto redirect Audio/Video or some contents based on extensions to another proxy using SQUID

Assalam Va Alaekum,

Following guide will show you how to redirect some contents from Squid proxy server to another proxy server (possibly squid or ISA, whatever). This is one of the oldest tricks in the book. People who are engaged in Linux after late 90′s  knows about it very well. I used this scenario at my network in year 2003-2004 when I had SPEEDCAST IVS downlink of 256Kb and 64Kbs ISDN link. It was very useful at that time and user were really amazed with the browsing speed :)

Here is the test scenario, we have two proxy servers , proxy1 and proxy2.
PROXY1 is our master/parent proxy server connected with fast internet link and we want it to be reserved just for browsing and other important stuff, and we want that any request for .mp3 .exe .wmv .avi content must be redirect to PROXY2 server which is connected with lower bandwidth Link like satellite downlink or other.

Install 2 squid servers.

proxy1 =  [master/parent proxy]
proxy2 = [for download redirected_content only]

Now on proxy1 (parent/master) , add following lines in /etc/squid/squid.conf

acl mynetwork src
acl redirect_content urlpath_regex -i \.MP3$ \.AVI$ \.WMV$ \.RM$ \.FLV$ \.ZIP$ \.RAR$ \.EXE$ \.mp3$ \.avi$ \wmv.$ \.rm$ \.flv$ \.zip$ \.rar$ \.exe$
cache_peer parent 8080 3130
cache_peer_access allow mynetwork redirect_content
never_direct allow redirect_content

All Done. Now test the setup. Set client browser proxy to use proxy1 and try to download anything (which is in redirect_content acl e.g rm or mp3 songs)
See the attached images.

apniisp- Testing Song Download from internet

apniisp- Testing Song Download from internet

Monitor Squid access log at proxy1 and proxy2, you will clearly see that only redirect_content are redirected to proxy2, rest of traffic is using proxy1 only.


PARENT PROXY1 Squid Access Log

PROXY2 Squid Access Log

PROXY2 Squid Access Log

This way you can do load balancing on your proxy servers.

The biggest advantage of such load balancing is that user browsing will not be effected if 20-30 users are simultaneously downloading any media contents or your marked contents :)


Allah Hafiz

Syed Jahanzaib

October 12, 2011

LTSP : Thin Client Server on Ubuntu , One of my Favourite Project :)


Why I needed LTSP ?

Few months back, at my company, we were very low in hardware resources, my office pc harddisk turned out in to a grabage piece, and I was no other backup disk to install windows or linux.  Several outdated pcs in my office was having hardware software trouble too, so I was quite annoyed and fedup by the hardware / software / viruses  problems, Then I decided to give a try to Ubuntu LTSP, which I used 2 years back in a lab environment successfully. So I created LTSP Server in Ubuntu and connect all low hardware base pcs to boot via LTSP, this way I got rid of softwares / hardware / storage / management problems in very cheap way :D , this article explains how I achieved this at my office.


Linux Terminal Server Project (LTSP) provides a way for you to build a server and then add Old diskless computers to the server thus creating a huge savings for an organization. To the user, they will not recognize that the computer they are at is without a hard drive. They typically notice the fast speed at which the workstation runs and the features that are available. LTSP helps in improving Total Cost of Ownership (TCO) and also offers increased value over traditional computing solutions. The Linux thin clients are very reliable as viruses and tampering is non-existent. It is distributed under the GNU General Public License, which is free.


1. Cost – Diskless computers like old Pentium 2/3 base computers with 64 mb ram can be purchased new for about 1500-2000 Rs (or 15-20$) from Regal / Saddar Market and can be built from outdated computers for $0. This is a very interesting way to build a network from computers that others want to discard.

2. Central Management – Central Management alone will save an organization dramatically. You can expect virtually NO WORKSTATION maintenance with LTSP. Without a hard drive there is nothing to maintain except connections for monitor, network, keyboard and mouse. All management is done from the server.System maintenance is also easier when everything is on one computer, and upgrades are simpler, as is backing up. In fact, the only major disadvantage of such a system is that the server provides a single point of failure. If this breaks, the whole system goes down, so some sort of redundancy is needed here if downtime isn’t acceptable.

3. Heat Reduction – Computers create heat which leads to more power usage to reduce the heat. Many diskless systems are only using 15 watts of power and producing virtually not heat.

4. Power Reduction – Diskless computers may use as little as 15 watts of power compared to the 450 watts of a typical workstation. When you are looking at 200 computers in a school system is a significant savings.

5. Flexibility – You are not limited to just running diskless computers. You can set up a network that will allow diskless computers, computers with disks and Windows computers connecting via Samba. One server can do it all for you.


1. Single Location of Failure – Since the whole network depends on the server up 24/7 that server must be robust and dependable. If the server is down everyone on the LTSP server is off line. You can create redundancy. I tried creating a LTSP Cluster which is very easy to setup and it is simple enough to rsync two servers so that you have a clone ready to go if you experience failure. I did run this LTSP server for about 3 monhts without having any downtime.

2. Server Cost – You must invest in a server that is robust, something in the line of dual Xeons with 4-8 GB of RAM if you have more then 50 diskless computers connected.

To install LTSP on Ubuntu

Login to terminal via root and issue the following command to install LTSP and SSH server.

sudo apt-get install ltsp-server-standalone openssh-server

Now Update DHCP file with your network configuration

nano /etc/dhcp3/dhcpd.conf

ddns-update-style none;
log-facility local7;
subnet netmask {
option routers;
option domain-name-servers;
filename "/ltsp/i386/pxelinux.0";
default-lease-time 600;
max-lease-time 7200;

Now start DHCP server by

service dhcp3-server start]

You must see OK status for it, If you get Following error while starting <strong>DHCP</strong> server
<strong><span style="color: #ff0000;">Can't create PID file /var/run/ Permission denied.</span></strong>

Then issue the following command,

1ln -s /var/run/dhcp3-server/ /var/run/

Now create your Thin Client environment on the server with.
(This will take some time, so sit back, relax and have a cup of tea with EVERYDAY milk :p )

sudo ltsp-build-client

At the end, If you receive following error:
error: LTSP client installation ended abnormally”
then issue the following commands

sudo -s
su -

Now update the sshkeys and lts image

sudo ltsp-update-sshkeys
sudo ltsp-update-image

Your LTSP server is ready. Now goto client side, and boot it from PXE enabled network card, usually f12 works , or use the bios option to boot from network card, Now when the client tries to PXE boot, it will get ip from dhcp server, and will get the tftp info and will then take you to the login screen, here you must provide valid user id password in order to login to the server.

In the following example, I created test machine in VM with very minimum hardware specs, for example 64Mb ram, No harddisk, as client boots via ltsp server.

Below are some screenshot of client booting via ltsp server.

Tips N Tricks for LTSP

HOWTO ASSIGN STATIC IPs with dhcpd.conf

The recommented way to assign static IPs is by appending host declarations to /etc/ltsp/dhcpd.conf:

host zaib-pc1 {
hardware ethernet 00:0c:29:f1:6d:3f;

apt-get error <Meta-index file (malformed Release file?) >

If you receive error while updating apt-get <Meta-index file (malformed Release file?) > type error, Then edit /etc/apt/sources.list and remove ‘non-free‘ and ‘contrib‘ words in whole file by searching.

The valid components for Ubuntu are ‘main‘, ‘restricted‘, ‘universe‘ and ‘multiverse’. There is no ‘non-free‘ nor ‘contrib‘ that’s for debian. Update you sources.list accordingly and try performing the upgrade again.


Goto Folder /opt/ltsp/i386/usr/share/ldm/themes/ and edit bg.png to add your logo and info.

After you done editing your file, Dont forget to update ltsp image by issuing this command.

sudo ltsp-update-image

Some useful links for ltsp management:

September 27, 2011

Howto create Windows 7 PPPoE Dialer Installer Package using Auto-iT !

PPPoE Dialer Package Sample

Following is a guide on howto to create Windows 7 PPPoE DIALER Installer Package.  It is based on same principles as my previous Winxp PPPoE Dialer Script.

Being a Linux Lover, I am publishing these codes under GPL (General Public License). You can modify it as per your requirements, redistribute it. Don’t forget to give credit if it helps you :~) Remember it’s not a standard, neat and clean way but It’s very simple and it do the job nicely:)

This script is made for Windows 7 Operating System Only, For windows XP/200x, please follow the below link.

Following functions will be performed.

# First it will ask you if you want to continue to install the Dialer.
# Then it will minimize all opened Window to Let user focus the installation,
# Then it will show you the Logo in front(dialer.jpg which is customizable according to your need),
# in Background it will open the Network and sharing center and create new entry for pppoe dialer,
# After creating dialer, it will close the Logo and will show you the message that Dialer have been installed.

This is not fully final Script, Few things have been left intentionally, Following functions will not be performed.

# It will not check Duplicate entries. For example, If you have installed the dialer, and want to re.install it again, It will not check duplicate entries, and will stop on DUPLICATE NAME FOUND, So please Delete Previously Created Dialer with the same name.

Please check and Do Let me know the results.

I have checked It on Windows 7 several times and working fine. The speed of executing functions in program can be + or – in some cases, It can be tuned with the $DELAY variable.

So Here we go . . .

First of all you have to download ‘Auto-it‘ software from its website at

I used Latest version: v3.3.6.1, Do full installation of AutoiT.

After installation, launch it by  Goto Start / Programs / Autoit v3  and select SciTE Script Editor

Now an advance Notepad type windows will open, Just paste the following code in it.

(Note: FOR SOME REASONS, Sometimes CODE Does not displayed PROPERLY IN THIS BLOG, IF you face syntax errors,  you can copy the raw code from following location)

#cs ----------------------------------------------------------------------------
AutoIt Version :
Email :
Web :
Script Function: Template AutoIt script. for PPPoE Dialer Installer
OS Supported   : Windows 7
Dated          : 27/09/2011
#ce ----------------------------------------------------------------------------
; Script Start - Add your code below here

$DELAY = 300
$answer = MsgBox(4, "PPPOE Connection", "This script will create a PPPOE DIALER, Do you want to Continue?")
If $answer = 7 Then

WinMinimizeAll ( )
; Put Logo in front and do installation in background, place dialer.jpg in the same folder
; From you have launched dialer.
SplashImageOn("Please wait Few Seconds While Installer Installs PPPoE Dialer ", "dialer.jpg", 800,650)

$COMPANY_NAME = ("Type Your pppoe service name here")
; Example $COMPANY_NAME = ("MY_ISP")
$DELAY = 300

; Run Windows 7 Network Setup
Run("control.exe /name Microsoft.NetworkAndSharingCenter")

; Send TAB 7 times to Select 'setup a new connection'
Send("{TAB 7}")

; Send Enter to Launch 'setup a new connection'

; Send Next to select 'Connect to Internet'

; Send 'S' to select 'Setup a new connection anyway

;Check Duplicate Connection ???


; Send 'r' to select 'Broadband PPPoE'

; Send TAB 4 times to Enter 'ISP NAME'
Send("{TAB 4}")

; Send 'c' to connect $COMPANY_NAME service to contiue further

; Send 's' to skip connect '$comapany name' service to contiue further

; Send 'c' to close.

WinClose("Network Connections")
Run("control.exe /name Microsoft.NetworkAndSharingCenter")
SplashOff ( )
Run("control ncpa.cpl")
WinWaitActive("Network Connections")
;send ( "!{TAB}" )
MsgBox(0, "Setup Complete", "Your Dialer have been installed , Click Connect on  " & $COMPANY_NAME & " to initiate Dialing")

Now Open File / Save and name it ‘pppoe-win7-dialer-installer’

Now your script with source code is ready to be compiled in .EXE executable format so any user can install it like any other normal application.

Now Open Tools and click on ‘Compile’ and it will compile the script in .exe format and it will save it to the Desktop or whatever Path You have selected.

Now click on pppoe-win7-dialer-installer.exe and it will install the pppoe dialer and place its shortcut on Desktop. Its always better to test the script fully before compiling it, as compilation is done when your program is fully tested and good to go.

Any suggestions on improvements and enhancements / advancements are most welcome and will be appreciable


August 29, 2011

Mikrotik 4 WAN Load Balancing using PCC with PPPoE Server / Complete Script !

Following is a complete script for Mikrotik to combine/load balance 4 DSL lines. This server is also acting as a PPPoE Server, therefore I have made some modifications in PCC Script.

For normal LB, read my article at

In this example I used MikrotikT RB750 5 ports router. 4 ports were connected with four DSL Routers, and 5th port was connected with User LAN. Also don’t forget to rename the interface names accordingly. This script will also add pppoe server , one pppoe user, dhcp server, dns server and pcc.

In my personnel experience , If users request are directly hitting Mikrotik configured with PCC , then you will get good load balancing. Use src-address as classifier, this way you will get rid of problems like https/broken link, streaming issues etc. Load balancing using this PCC technique (src-address) will be effective and balanced approach when more and more connections (from clients) that occurred. I also recommend to use SQUID proxy server along with mikrotik , either parallel or in front or backend , for better response time and it will also increase good browsing experience to users.

If somehow you are not satisfied with the src-address approach,play with the PCC-Classifier, Try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, BUT there is also a good chance that it will break certain things like banking web sites and some forums. This is because often times a HTTP requests will generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with src-address  for PCC load balancing.

Syed Jahanzaib

/ip address
 add address= broadcast= comment="" disabled=no interface=Local network=
 add address= broadcast= comment="" disabled=no interface=WAN1 network=
 add address= broadcast= comment="" disabled=no interface=WAN2 network=
 add address= broadcast= comment="" disabled=no interface=WAN3 network=
 add address= broadcast= comment="" disabled=no interface=WAN4 network=

/ip pool
 add name=dhcp_pool1 ranges=
 add name=pppoe-users-pool ranges=

/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=12h name="My DHCP Server"

/ip dhcp-server config
 set store-leases-disk=5m

/ip dhcp-server network
 add address= comment="" dns-server=,

/interface pppoe-server server
 add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable

/ppp profile add change-tcp-mss=default dns-server= local-address= name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default

/ppp secret add caller-id=”" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes=”" service=pppoe

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=,

/ip firewall mangle
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN4 new-connection-mark=WAN4_conn passthrough=yes

add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

add action=accept chain=prerouting comment="" disabled=no dst-address=
 add action=accept chain=prerouting comment="" disabled=no dst-address=
 add action=accept chain=prerouting comment="" disabled=no dst-address=
 add action=accept chain=prerouting comment="" disabled=no dst-address=

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2 src-address=

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3 src-address=

add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

/ip firewall nat
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1 src-address=
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2 src-address=
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN3 src-address=
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN4 src-address=

/ip route
 add check-gateway=ping disabled=no distance=1 dst-address= gateway= routing-mark=to_WAN1 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=2 dst-address= gateway= routing-mark=to_WAN2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=3 dst-address= gateway= routing-mark=to_WAN3 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=4 dst-address= gateway= routing-mark=to_WAN4 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address= gateway= scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=2 dst-address= gateway= scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=3 dst-address= gateway= scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=4 dst-address= gateway= scope=30 target-scope=10

All Done ! Now Test the link by putting user load, the more multiple users load you put on it, the better Load Balance result you will get :)


If you wanna run PCC with HOTSPOT on same Mikrotik Server, Put this rule in place to stop the hotspot from processing people after they have signed into the network.

/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth


If you have Un-Equal WAN Links, for example WAN,1,2,3 are of 4MB and WAN,4 is of 8 Mb, and you want to force MT to use WAN4 link more then other because of its capacity, Then you have to Add more PCC rules assigning the same two marks to a specific link i.e WAN4 , something like


add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes

٩(●̮̮̃•̃)۶   ZaiB   ٩(●̮̮̃•̃)۶

August 20, 2011

CMAK Howto create VPN Dialer Installer Package Using Windows 2003 utility called CMAK !

Filed under: Microsoft Related, Mikrotik Related — Tags: , , , , , , , , , , , — Syed Jahanzaib / Pinochio~:) @ 3:17 PM

~!~ Howto Create VPN Dialer Installer Package ~!~

Consider if you have a VPN Server and over 100 clients in your area, you certainly do not want to visit every client one just to create dialer in order to connect to internet. Windows 2003 Server have builtin tool called CMAK (connection manager administration kit) , using this tool, you can create a vpn dialer installer package with pre configured settings of your network including your VPN serve IP , Your Customized logo on dialer, Support phone numbers etc, User just have to download it, and run it, it will install itself like any other ordinary program by clikcing on NEXT NEXT NEXT :)
simple isn’t it ;)

I have prepared a step by step screenshots guide on howto install CMAK and create dialer using this awesome tool (H) :D

1) Step by step SLIDE-SHOW of Screenshots are as following

This slideshow requires JavaScript.

2) Step by step [static] Screenshots are as following



August 9, 2011

July 5, 2011

A Success story with Mikrotik and DMASoftlab RADIUS MANAGER [Glass Line Pvt Ltd.] June, 2011

Article by Syed Jahanzaib !

Recently I was contacted by a friend who was really passionate in starting a mini-ISP type network setup for about 3000 users in the interior area of city. (soon it may expand up to 5000+ users). He asked my help to setup a scratch card base fully automatic system where user purchase scratch card, & using User self care portal web site, user may create his new ID or refresh his previous ID or change the service package according to the card package offers. I had previously setup this kind of scenario in a environment using Mikrotik built-in radius server called ‘User Manager’, but it have very limited basic features and all it can offer was a pre-paid type option and it doesn’t have many accounting features. So I thought I should give a try to more rich feature radius server and after a lot of googling i decided to go with  (FREERADIUS base ) DMASOFTLAB RADIUS MANAGER. A very famous radius server with all the option that a mini-ISP would required at unbelievably low price.

The hardware that I have used for this setup.

*Main Mikrotik = v4.17 x86 / Xeon 3.6Ghz Dual / 2 GB Ram / WD 500 GB Sata Hdd , This MT is serving as a PPPoE Server + NAT + bandwidth shaping. It also redirects HTTP traffic to Proxy server.

* Mikrotik RB750 = Just for HOTSPOT to redirect users to self care portal.
(This can be done on Main MT also, but I prefer it this way)

* Radius Server = DMASoftlab RM v3.9 installed on Fedora v10 / Xeon 3.6Ghz Dual / 4 GB Ram / WD 500 GB x2 Sata Hdd

* SQUID PROXY GW = SQUID v2.7 on UBUNTU Karmic Koala v9.10 / Xeon 3.6Ghz Dual / 8 GB Ram / WD 500 GB x3 SATA HDD (2 HDD reserved for Cache), This server acts as a proxy + Gateway machine for the Mikrotik, It also do URL Filtering blocking ads, it also have ZPH enabled so content available in squid cache should be downloaded at full speed (without package limitation) at user end. It also cache youtube videos using VIDEOCACHE.

* Linux Transparent BRIDGE firewall + DHCP + DNS + MRTG + WEB Server on FEDORA V10 / Xeon 3.6Ghz Dual / 4 GB Ram / WD 500 GB SATA HDD, This server sits between Mikrotik and Users , filtering unwanted traffic, ports and do some other stuff like lightweight DNSMASQ DNS Server,  DHCP server providing ips to users , Web Site with MRTG , Psychostats ranking system for Counter Strike Game, Server Monitoring Scripts and Alerts, PHPBB Forums for Users, and some other cool stuff. DNS+DHCP is hosted on this server to minimize load on main mikrotik machine, alos this machine filters unwanted traffic from passing by to main mikrotik.

In this setup , I have configured HOTSPOT on extra RB750 only to redirect user to my advertisement page, where he is informed that he is not logged in via dialer, either create / refresh his ID from RM User Self Care Portal, or if he already have an id, connect it via dialer. I don’t prefer HotSpot authentication due to various security reasons, mainly due to I had a very bad experience having HOTSPOT hit by ARP-POISONING and many virus flooder that requires default gateway.

When user first login , his PC MAC address is binded with his ID to prevent accessing it from different pcs. Multiple session of same ID is NOT allowed , I provide user with scratch card (with refill code) , which he can use to refill his account according to card amount/package from RM User self care portal. RM demo can be viewed at

When users with pppoe dialer tries to connect to main Mikrotik, MT verifies its credentials by asking Radius Server for the account validity, if the ID is valid, user connects okay and can use internet , otherwise he gets disconnected. When the User account is expired, he still can login via dialer, but then he is redirect to my local web server page where he is informed that his account is expired and he should visit billing.local page to renew his account using the card.

Please find along with attachment is my Network Diagram (This was initially designed, I made few changes afterward, I removed FTP from MT DMZ to user subnet lan to avoid load on MT , I moved ftp OS from windows to Linux and integrate it with radius authentication using APACHE.

Some other entertainment services that I setup here were:
2 FTP Media Sharing Servers ( 4 TB of data )
2 Live TV Channel streaming over LAN using VLC Media Player Broadcasting
1 Counter Strike 1.6 Dedicated Server with Psychostats Ranking System and adminmod/amxmod
1 Web Server (Ubunut) hosting site u-dear . com , an entertainment portal and hosting other features. It also features monitoring system with MRTG / SMS Alerts via attached Mobile.

About RM: Radius Manager uses a nice web interface for administering the users and the whole system (traffic accounting, tracking of online users, display statistics, maintenance ,account management etc.).

and to add that DMASoftlab customer support guys (specially Mr. Viktor.K) have excellent support and respond instantly even to the dumbest of questions. It is real value for money especially for those who do not have big wallet$.

Network Diagram Layout : (Complete setup guide can found at

GLASSLINE-Network-Presentation-by-zaib Update 03/08/2001

The Silver is the New Black Theme Blog at


Get every new post delivered to your Inbox.

Join 2,047 other followers