November 25, 2013

Mikrotik Central VPN Server For Remote Branches Connectivity


Consider following scenario:

An ISP has multiple locations all over the country. The main Mikrotik router at the NOC has a fixed public IP. The RADIUS billing system is connected to its LAN. All remote locations have Mikrotik RouterBoards as NAS and have dynamic public IPs. Each location has its own internet connectivity from various ISPs, but we want to use our main RADIUS server as a centralized billing solution for all the remote locations. So this is a short guide on how to create a central RADIUS server and connect all remote branches/NASes to it.


Basic Points:

Create a PPTP server on your head office Mikrotik.
Create a user account in the PPP secrets section and assign it a fixed IP address, like
Now at the branch office, create a PPTP client in the Mikrotik PPTP section and enter the head office IP and the user ID/password. Don't forget to UNCHECK the "add DEFAULT ROUTE" option: if you leave it on it will override the default route and send all traffic, including internet requests, to the head office, which will overload the head office internet connection. Since we only want to route requests for a specific IP/subnet, we will create a route at both ends so that requests for that subnet go via the VPN tunnel.

Head Office Mikrotik Config

LAN subnet =
WAN subnet =
Radius =

First add an IP pool for VPN users, in the same series as the LAN but using a specific range.

/ip pool
add name=PPP-Pool ranges=

Now add VPN Profile

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
add change-tcp-mss=default dns-server= local-address= name=vpn-profile only-one=default remote-address=PPP-Pool \
use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default

Now enable VPN server

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Now add a user so that we can test from the remote location NAS.

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=aa password=aa profile=vpn-profile routes="" service=any

Now add a route for the branch subnet in the IP > Routes section, via the PPTP gateway.

Remote Branch Mikrotik Config

LAN subnet =
WAN subnet = DYNAMIC Public IP x.x.x.x

Now we want to connect the remote NAS to the head office VPN server so that it can use the central RADIUS server as the centralized billing system.

In short: create a PPTP dialer pointing to the head office main RB (where the VPN is configured), enter a valid user ID and password, make sure you remove the tick from "add default route", and after it connects, simply add a route for with its gateway pointing to pptp-out1 (the PPTP link we created above).
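Both ends of the procedure above, as an added example that is not the author's config. All addresses, interface names and secrets are constructed placeholders (head office LAN 192.168.10.0/24 on ether2, RADIUS at 192.168.10.5, branch LAN 192.168.20.0/24, branch tunnel address pinned to 192.168.10.201); it tightens the post's authentication list to MS-CHAPv2 with MPPE required, since RADIUS accounting for every branch user crosses this tunnel, and adds the proxy-arp and firewall entries a pool inside the LAN series needs.

```routeros
# Added example, not from the original post. Constructed placeholders:
#   head office LAN 192.168.10.0/24 on ether2, router LAN IP 192.168.10.1, RADIUS server 192.168.10.5
#   VPN pool 192.168.10.200-192.168.10.250 (same series as the LAN, as the post suggests)
#   branch LAN 192.168.20.0/24, branch tunnel address pinned to 192.168.10.201
#   HQ_PUBLIC_IP, CHANGE_ME and RADIUS_SECRET must be replaced

# ===== Head office =====
/ip pool
add name=PPP-Pool ranges=192.168.10.200-192.168.10.250

# MS-CHAPv2 only and MPPE required: RADIUS traffic for every branch user crosses this tunnel
/ppp profile
add name=vpn-profile local-address=192.168.10.1 remote-address=PPP-Pool dns-server=192.168.10.1 \
    use-encryption=required change-tcp-mss=yes
/interface pptp-server server
set enabled=yes authentication=mschap2 default-profile=vpn-profile keepalive-timeout=30

# One secret per branch with a fixed tunnel address, so the return route below never goes stale
/ppp secret
add name=branch1 password=CHANGE_ME service=pptp profile=vpn-profile remote-address=192.168.10.201

# Return route to the branch LAN through that fixed tunnel address
/ip route
add dst-address=192.168.20.0/24 gateway=192.168.10.201 comment="branch1 LAN via VPN"

# LAN hosts (the RADIUS server included) ARP for 192.168.10.201 as a local address;
# proxy-arp on the LAN port lets the router answer for tunnel addresses inside the LAN series
/interface ethernet
set [find name=ether2] arp=proxy-arp

# PPTP control channel and GRE must be accepted on input (place these above any drop rule)
/ip firewall filter
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP from branches"
add chain=input protocol=gre action=accept comment="PPTP GRE"

# ===== Branch =====
# add-default-route=no: only head office traffic enters the tunnel, internet stays on the local ISP
/interface pptp-client
add name=pptp-out1 connect-to=HQ_PUBLIC_IP user=branch1 password=CHANGE_ME \
    profile=default-encryption add-default-route=no disabled=no

/ip route
add dst-address=192.168.10.0/24 gateway=pptp-out1 comment="HQ LAN via VPN"

# Point this NAS at the central RADIUS, sourcing from the tunnel address the HQ route expects
/radius
add service=ppp,hotspot address=192.168.10.5 secret=RADIUS_SECRET src-address=192.168.10.201
```

Check with /interface pptp-client monitor pptp-out1 once on the branch and /radius monitor after a test login; if accounting requests time out, the src-address and the HQ return route are the first things to compare.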

To be continued . . . will write soon about it; while writing this guide, an issue in the network popped up . . 00-(

[Mikrotik Hotspot] Workaround to move Static Queue above Dynamic Queue

We have HOTSPOT configured on a Mikrotik RouterBoard along with a SQUID proxy server. User management is done in User Manager, which creates a dynamic queue upon each user login. We created one simple queue that allows SQUID cache-marked packets unlimited speed, so that users get cached content at full rate, bypassing their own internet queue. The issue was that whenever any hotspot user logs in and Hotspot/RADIUS creates the dynamic queue, it overrides our simple queue for cache by placing itself above the static queue, so the cache-hit queue becomes useless for giving unlimited speed to cache packets because of its lower position, since Mikrotik processes queues in order.

As shown in the images below . . . before a HOTSPOT user logs in, and after a HOTSPOT user has logged in.

The workaround for this issue was to add a simple command in the HOTSPOT user profile On Login section, which moves the static queue named "cache-hit" to position 0 (the top) whenever any user logs in.

The command/script is added in HOTSPOT > USERS PROFILES > SCRIPTS > On Login. This way, whenever any hotspot user logs in, the script runs and moves cache-hit to number 0 (top).

OK, first rename your cache-hit queue to "cache-hit".

Now add the cmd/script in HOTSPOT > USERS PROFILES > SCRIPTS > On Login that will move the cache-hit queue to the top. (In this example I have only one default profile; if you have multiple user profiles, you have to add this to all of them, either via CLI or preferably via GUI.)

To move the queue by its packet-marks name, use the following:

/queue simple move [find packet-marks="cache-hit"] 0

OR to move the queue by finding the queue's comment, use the following:

/queue simple move [find comment="cache-hit"] 0


Another command format:

/queue simple move [find name="cache-hit"] [:pick [find] 0]


After adding this cmd, whenever any hotspot user logs in, the hotspot profile will execute it and move the cache-hit queue to the TOP.

Now the results will be as shown in the images below . . .

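The same workaround as one added example (not the author's script): it defines the static queue, installs an On Login script in every hotspot user profile at once, and only performs the move when the queue actually exists, logging a warning otherwise so a renamed or deleted queue is noticed rather than silently leaving users without the cache bypass. Queue name, packet-mark and the LAN subnet are constructed assumptions; the mangle rule that sets the "cache-hit" packet-mark is assumed to exist already.

```routeros
# Added example, not from the original post. Constructed assumptions: the static queue is named
# "cache-hit", proxy cache-hit packets already carry the packet-mark "cache-hit" from
# /ip firewall mangle, and the hotspot LAN is 192.168.10.0/24.

# The static queue: no limit on marked cache traffic. It only takes effect while it sits above
# the per-user dynamic queues, which is what the on-login script below enforces.
/queue simple
add name=cache-hit packet-marks=cache-hit target=192.168.10.0/24 max-limit=0/0 comment="cache-hit"

# On-login script for every profile (so it runs whichever profile RADIUS assigns):
# move the queue to position 0 only if it exists, otherwise log a warning.
# $user is provided by the hotspot on-login environment; \$ and \" keep the inner script literal.
/ip hotspot user profile
set [find] on-login=":local q [/queue simple find name=\"cache-hit\"]; :if ([:len \$q] > 0) do={ /queue simple move \$q 0 } else={ :log warning \"cache-hit queue missing at login of \$user\" }"

# Verify: the script is present in each profile, and after a test login the queue is at number 0
/ip hotspot user profile print detail
/queue simple print
```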
Move a queue before another queue named 'ZAIB':
/queue simple move [find packet-marks="YOUTUBE"] destination=ZAIB

To a specific number, e.g. move this queue to number X (3 here):
/queue simple move [find packet-marks="YOUTUBE"] [:pick [find] 3]

Move to TOP:
/queue simple move [find packet-marks="YOUTUBE"] 0

Move a queue by finding its comment:

/queue simple move [find comment="YOUTUBE"] 0

How to remove all dynamic queues [can be used in the script login section]:

/queue simple remove [find where dynamic]

[Lotus Notes] INBOX not showing any mails, but appearing in ALL DOCUMENTS folder

Today morning, when one of our users opened the Lotus Notes client, no email was showing in the INBOX, but all were appearing in the ALL DOCUMENTS folder. To fix this I issued the following command and the problem went away and the INBOX showed all emails.

load updall -r mail\usermailfile.nsf

This problem also occurs if you have a corrupted INBOX view, or two of them. To check this you have to open the user mail file in Domino Designer and look for two inbox views. If there are two inbox views, first create a temporary folder and move all the inbox mails to this temp folder, now create both inbox folders and replace the design; this will create the inbox view. Now move all mails from the temp folder to the inbox, simple as that :p

Tip: If the problem remains still, then try to replace the FOLDER DESIGN.

Also read this thread; it really has some very good information on solving this problem.

