path: root/JOURNAL.md

   
Go Back
Journal
Mostly written in English for concistency due to my prefference of keeping most Servers and Network devices set to English ...
other than Domain Controllers ofcourse :^) 
2025-02-21
Summary : Testing with my prod networks Mikrotik Routers was done to see if my projects essentials would work out with my soon to be made portable test lab for this module.
2025-02-27
Summary : Absent but was capable of gobling together some hardware that I prefer using and make a basic repo describing my project and what will be done.
2025-03-07
Summary :
Took testing Mikrotik Router RB2011UiAS-2HnD-IN to School with me to do basics of testing due to actual router going missing for some reason.
Work done on MT RouterOS on testing board RB2011
Only changed values from default are listed to save on documentation work having to be done.

Router was Reset to default config
Set password for Default SSID broadcast on built in AP

Wireless -> Wireless -> Security Profiles Tab -> Default :

Mode : Dynamic Keys
Auth. Types : WPA2 PSK + WPA2 EAP
WPA2 Pre-Shared Key : PasswordIWontGiveYou123




Changed IP of default net (VLANID1) to 10.201.0.1/24

IP -> Addresses -> 192.168.88.1/24 on bridge interface.

Address : 10.201.0.1/24
Network : 10.201.0.0




Changed DHCP server on bridge Network to match actual network

IP -> DHCP server -> Networks -> 192.168.88.0/24

Address : 10.201.0.0/24
Gateway : 10.201.0.1
DNS Servers : 10.201.0.1 + 9.9.9.9
Domain : 1.m145.teleco.ch


IP -> Pool -> default-dhcp 

Addresses : 10.201.0.50-10.201.0.150




Added the three new VLANs

Interfaces -> VLAN Tab
New

Comment : Virtual Hosts
Name : vlan101
VLAN ID : 101


New

Comment : Users
Name : vlan102
VLAN ID : 102


New

Comment : Guests
Name : vlan103
VLAN ID : 103


Future repetitive tasks that use the same similar values will not be listed repeatedly


Assigned an address to the VLAN interfaces

IP -> Addresses
New

Address : 10.201.1.1/24
Interface : vlan101


Rinse and repeat for other VLANs


Added IP Pools for DHCP on the VLANs

IP -> Pool
New

Name : pool101
10.201.1.50-10.201.1.150


Rinse and Repeat for all VLANs


Added DHCP Networks for VLANs

IP -> DHCP Server -> Networks Tab
New 

Comment : dhcp101
Address : 10.201.1.0/24
Gateway : 10.201.1.1
DNS Servers : 10.201.1.1
Domain : 101.m145.teleco.ch


Rinse and repeat


Added DHCP Servers to Interfaces

IP -> DHCP Server
New 

Name : server101
Interface : vlan101
Address Pool : pool101


Rinse and repeat


Add VLANs to LAN Interface list for testing (for defconf firewall rules to work)

Interfaces -> Interface List Tab
New

List : LAN
Interface : vlan101


Rinse and repeat for all VLANs


Set wifi name of default VLAN to teleco-admin

Wireless -> Wireless -> wlan1

SSID : teleco-admin




Create wifi networks for teleco-user and teleco-guest

Wireless -> Wireless
New -> Virtual

SSID : teleco-user
Master Interface : wlan1


Repeat for guest


Add wifi interfaces to bridge interface

Bridge

wlan1

Clone
Interface : wlan2
PVID : 102


Repeat for wlan3




Test by connecting and seing if IP is assigned and router can be reached
Change Passwords for each wifi (set one for guest temporarily too as no firewall rules exist for it yet)

Wireless -> Wireless -> Security Profiles Tab

default

Clone
Name : profile102
WPA2 Pre-Shared Key : PasswordIWontGiveYou124


Repeat for 103





Assign Security Profile to Actual wifis

Wireless -> Wireless

wlan2

Security Profile : profile102


Repeat for wlan3





End of Lesson

Goals next lesson :

Wireguard Site to Site VPN working
Firewall rules to block Guest to other Nets
(Optional, maybe later) Captive Portal for Guest wifi





2025-03-08 to 2025-03-09
Summary : 
Work was done outside of school but was interupted by a taking wrong routerboard with me from home and water pipe bursting and flooding the basement of my grandpas workshop lol.
Due to some mistakes with my original planing new MikroTik Hardware was ordered with next day shipping.
README was changed to reflect hardware changes.
Work done on MT RouterOS on RB2011 board
Summary :
Ethernet ports 6-10 were removed from bridge.
Wifi Configs deleted (new router doesnt have one built in)
Exported to backup file.
Work done on MT RouterOS on mAP lite
Summary :
Connected to its default SSID that it Broadcasts (sometimes takes a few tries on MacOS machines)
Updates were installed from RouterOS 6.43 to 7.18.1.
Set a Password for admin user
Detailed work :
    - System -> Reset Configuration
        - Keep users : X
        - CAPS Mode : X
Work done on MT RouterOS on hEX S board.
Summary :
Connection to the board was established.
Config was reset to defconf.
Updates were installed from RouterOS 6.43 to 7.18.1.
Config from RB2011 was imported.
Detailed work :

Enabling CAPsMAN (something like a CloudKey but for Mikrotik APs built into MT Routers) and forbidding it broadcasting onto the WAN link.

Wireless -> CAPsMAN -> Manager

Enabled : X


Interfaces
new

Interface : ether1
Forbid : X




Making a default config

Wireless -> CAPsMAN
New

Name : default-config
Mode : ap
SSID : teleco-admin
Country : Switzerland
Auth. Type : WPA2 PSK
Passprhase : PasswordYouWontGet123




Making profisioning profile for APs

Wireless -> CAPsMAN
New

Action : create dynamic enabled
Master Configuration : default-config




Make the other VLANs show up through their respective wifi

Wireless -> CAPsMAN -> Datapaths
New

Bridge : bridge
VLAN mode : no tag for admin, use tag for others
VLAN ID : none for admin, respective ID for others
Interface List : LAN for all


Wireless -> CAPsMAN -> Configurations
default-config
clone

Change SSID and Password


rinse and repeat for guest
Provisioning Tab
default-config

slave configurations : user-config, guest-config





2025-03-14
Summary :

Spent alot of time figuring out why my site to site VPN wasnt working on my already present infra.
Then spent some time actually getting the VPN working on the hEX s
Work done on MT RouterOS on hEX s board

Created two new WireGuard interfaces

Interfaces -> WireGuard
New

Name : wg-v6
Comment : reserved for future IPv6 testing


New

Name : wg-site-to-site
Comment : site-to-site VPN interface
Listen Port : 13331
Private Key : 


IP -> Addresses

New

Address : 10.99.99.4/24
Interface : wg-site-to-site






Added wg-site-to-site interface to LAN interface list

Interfaces -> Interface List
New

List : LAN
Interface : wg-site-to-site




Added Peer for Main Site VPN Gateway

Interfaces -> WireGuard -> Peers
New

Interface : wg-site-to-site
Public Key : 
Allowed Address :

10.99.99.1/32
10.201.0.0/24
10.201.1.0/24


Persistent Keepalive : 25




Added static routes to access main site VLANs

IP -> Routes
New

Dst. Address : 10.0.0.0/8
Gateway : 10.99.99.1





Work done on MT RouterOS on Main Site Router

Added Peer for hEX S

Interfaces -> WireGuard -> Peers
New

Interface : wg-site-to-site
Public Key : 
Allowed Address :

10.99.99.4/32
10.201.0.0/16
10.33.0.0/16
10.43.0.0/16
(Add additional allowed networks here if needed)


Persistent Keepalive : 25





Added static route to access it

IP -> Routes
New

Dst. Address : 10.201.0.0/16
Gateway : 10.99.99.4





End of Lesson

Goals next lesson :

Finish IPv6 WG Tunnel
Firewall rules to block Guest to other Nets finally
(Optional, maybe later) Captive Portal for Guest wifi