Posted by & filed under Windows.

So I had a problem at work: a client had a pretty old printer and after a Windows 10 update they couldn’t install its driver. Let’s see how we can resolve the issue.

The printer in question was a Sharp AR5316E and the error message was the following: “Windows can’t install the kernel-mode print driver. To obtain a driver that is compatible with the version of Windows you are running, contact the manufacturer.” After this there was another message: “Windows cannot connect to the printer. The printer driver is not compatible with a policy enabled on your computer that blocks NT 4.0 drivers”. After a while googling I found out that Windows 10 blocks older drivers, and because of that you have to change some settings in the Windows Group Policy Editor. This process should also work with other printers.

Here are the steps I took to get it working:

First of all you have to delete the previous printer drivers, which means any previously installed printers need to be reinstalled after this process.
The folders you have to delete are as follows:

NOTE: If you can’t delete them, you need to stop the print spooler service from the service manager, and start the service again after deleting.


For this purpose I also made a cmd script that does this for you. Copy the code, paste it into a file and name it delprint.cmd. After this you can run it and it will delete the required files.

@echo off
rem delprint.cmd - removes installed printer driver files (run as administrator)
echo -----------------------------------
echo Remove printer driver files from Windows
echo WARNING: If you continue you have to 
echo reinstall all the printers you had 
echo previously installed.
echo If you don't want to continue press 
echo CTRL+C
echo                 Script by D0rkye
echo -----------------------------------
rem Wait for a key press so CTRL+C can still abort before anything is deleted
pause
rem The spooler keeps the driver files open, so stop it before deleting
net stop spooler
echo Deleting printer driver directories.
rmdir /S /Q c:\Windows\System32\spool\drivers\W32X86
rmdir /S /Q c:\Windows\System32\spool\drivers\x64
net start spooler
echo DONE!

Start the Group Policy Editor by pressing Windows key + R and typing gpedit.msc


Next step is to set the following settings:

Local Computer Policy -> Computer Configuration -> Administrative Templates -> Printers -> “Disallow installation of printers using kernel-mode drivers”: set it to Disabled

Local Computer Policy -> Computer Configuration -> Administrative Templates -> Printers -> Point and Print Restrictions: set it to Enabled and set the other marked settings.

These settings also have to be set here: Local Computer Policy -> User Configuration -> Administrative Templates -> Printers -> Point and Print Restrictions


After these settings have been set you need to restart your PC or run the following command: gpupdate. When this is done, try to install the printer again.
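The registry values behind these two policies can be read back to confirm what gpupdate actually applied and to record which protections are now switched off on this machine. This is an added example, not part of the original post; the value names (KMPrintersAreBlocked, NoWarningNoElevationOnInstall, UpdatePromptSettings) are the ones these policies are documented to write and do not appear in the post.

```powershell
# Added example (not from the original post). Reads the registry values that
# the two Group Policy settings above are documented to write.
$base = 'Software\Policies\Microsoft\Windows NT\Printers'

# Relaxed = values that switch the protection off or suppress its prompts.
$checks = @(
    @{ Hive = 'HKLM'; Key = $base;                 Name = 'KMPrintersAreBlocked';          Relaxed = @(0) }
    @{ Hive = 'HKLM'; Key = "$base\PointAndPrint"; Name = 'NoWarningNoElevationOnInstall'; Relaxed = @(1) }
    @{ Hive = 'HKLM'; Key = "$base\PointAndPrint"; Name = 'UpdatePromptSettings';          Relaxed = @(1, 2) }
    @{ Hive = 'HKCU'; Key = "$base\PointAndPrint"; Name = 'NoWarningNoElevationOnInstall'; Relaxed = @(1) }
    @{ Hive = 'HKCU'; Key = "$base\PointAndPrint"; Name = 'UpdatePromptSettings';          Relaxed = @(1, 2) }
)

function Get-PrintPolicyReport {
    foreach ($c in $checks) {
        $path = '{0}:\{1}' -f $c.Hive, $c.Key
        # A missing key or value means the policy is "Not configured".
        $prop = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        $value = $null
        if ($prop) { $value = $prop.($c.Name) }

        if ($null -eq $value) {
            $state = 'not configured'
        } elseif ($c.Relaxed -contains $value) {
            $state = 'RELAXED'
        } else {
            $state = 'restrictive'
        }

        [pscustomobject]@{
            Path  = $path
            Name  = $c.Name
            Value = $value
            State = $state
        }
    }
}

Get-PrintPolicyReport | Format-Table -AutoSize
```

Saving the output before and after the change gives a record to restore from once the old printer is retired.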

I hope this will help someone.

Posted by & filed under Mikrotik, RouterOS.

Placeholder for Intro


[ ID] Interval Transfer Bandwidth Retr Cwnd
 [ 4] 0.00-1.00 sec 83.3 MBytes 698 Mbits/sec 0 273 KBytes
 [ 4] 1.00-2.00 sec 83.7 MBytes 702 Mbits/sec 0 273 KBytes
 [ 4] 2.00-3.00 sec 83.6 MBytes 701 Mbits/sec 0 273 KBytes
 [ 4] 3.00-4.00 sec 83.9 MBytes 703 Mbits/sec 0 273 KBytes
 [ 4] 4.00-5.00 sec 83.7 MBytes 702 Mbits/sec 0 273 KBytes
 [ 4] 5.00-6.00 sec 83.9 MBytes 704 Mbits/sec 0 273 KBytes
 [ 4] 6.00-7.00 sec 82.9 MBytes 696 Mbits/sec 0 273 KBytes
 [ 4] 7.00-8.00 sec 82.9 MBytes 695 Mbits/sec 0 273 KBytes
 [ 4] 8.00-9.00 sec 83.7 MBytes 702 Mbits/sec 0 273 KBytes
 [ 4] 9.00-10.00 sec 83.8 MBytes 703 Mbits/sec 0 273 KBytes
 - - - - - - - - - - - - - - - - - - - - - - - - -
 [ ID] Interval Transfer Bandwidth Retr
 [ 4] 0.00-10.00 sec 835 MBytes 701 Mbits/sec 0 sender
 [ 4] 0.00-10.00 sec 835 MBytes 700 Mbits/sec receiver


[ 4] local port 37097 connected to port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 2.73 MBytes 22.9 Mbits/sec 0 201 KBytes
[ 4] 1.00-2.00 sec 2.65 MBytes 22.2 Mbits/sec 0 272 KBytes
[ 4] 2.00-3.00 sec 2.43 MBytes 20.4 Mbits/sec 0 272 KBytes
[ 4] 3.00-4.00 sec 2.39 MBytes 20.1 Mbits/sec 0 272 KBytes
[ 4] 4.00-5.00 sec 2.38 MBytes 20.0 Mbits/sec 0 272 KBytes
[ 4] 5.00-6.00 sec 2.60 MBytes 21.8 Mbits/sec 0 272 KBytes
[ 4] 6.00-7.00 sec 2.39 MBytes 20.0 Mbits/sec 0 272 KBytes
[ 4] 7.00-8.00 sec 2.37 MBytes 19.9 Mbits/sec 0 272 KBytes
[ 4] 8.00-9.00 sec 2.60 MBytes 21.8 Mbits/sec 0 272 KBytes
[ 4] 9.00-10.00 sec 2.40 MBytes 20.2 Mbits/sec 0 272 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 24.9 MBytes 20.9 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 24.6 MBytes 20.6 Mbits/sec receiver


[ 4] local port 40813 connected to port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 3.18 MBytes 26.7 Mbits/sec 0 203 KBytes
[ 4] 1.00-2.00 sec 2.93 MBytes 24.6 Mbits/sec 0 272 KBytes
[ 4] 2.00-3.00 sec 3.08 MBytes 25.8 Mbits/sec 0 272 KBytes
[ 4] 3.00-4.00 sec 2.86 MBytes 24.0 Mbits/sec 0 272 KBytes
[ 4] 4.00-5.00 sec 3.05 MBytes 25.6 Mbits/sec 0 272 KBytes
[ 4] 5.00-6.00 sec 2.67 MBytes 22.4 Mbits/sec 0 272 KBytes
[ 4] 6.00-7.00 sec 3.02 MBytes 25.4 Mbits/sec 0 272 KBytes
[ 4] 7.00-8.00 sec 2.98 MBytes 25.0 Mbits/sec 0 272 KBytes
[ 4] 8.00-9.00 sec 2.95 MBytes 24.7 Mbits/sec 0 272 KBytes
[ 4] 9.00-10.00 sec 2.99 MBytes 25.1 Mbits/sec 0 272 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 29.7 MBytes 24.9 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 29.4 MBytes 24.6 Mbits/sec receiver


[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 3.43 MBytes 28.7 Mbits/sec 0 224 KBytes
[ 4] 1.00-2.00 sec 3.17 MBytes 26.6 Mbits/sec 0 272 KBytes
[ 4] 2.00-3.00 sec 3.70 MBytes 31.0 Mbits/sec 0 272 KBytes
[ 4] 3.00-4.00 sec 2.97 MBytes 24.9 Mbits/sec 0 272 KBytes
[ 4] 4.00-5.00 sec 3.19 MBytes 26.7 Mbits/sec 0 272 KBytes
[ 4] 5.00-6.00 sec 3.40 MBytes 28.6 Mbits/sec 0 272 KBytes
[ 4] 6.00-7.00 sec 3.41 MBytes 28.6 Mbits/sec 0 272 KBytes
[ 4] 7.00-8.00 sec 3.16 MBytes 26.5 Mbits/sec 0 272 KBytes
[ 4] 8.00-9.00 sec 3.18 MBytes 26.7 Mbits/sec 0 272 KBytes
[ 4] 9.00-10.00 sec 3.19 MBytes 26.8 Mbits/sec 0 272 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 32.8 MBytes 27.5 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 32.6 MBytes 27.3 Mbits/sec receiver


[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 7.47 MBytes 62.7 Mbits/sec 0 272 KBytes
[ 4] 1.00-2.00 sec 7.84 MBytes 65.7 Mbits/sec 0 272 KBytes
[ 4] 2.00-3.00 sec 7.44 MBytes 62.4 Mbits/sec 0 272 KBytes
[ 4] 3.00-4.00 sec 7.98 MBytes 67.0 Mbits/sec 0 272 KBytes
[ 4] 4.00-5.00 sec 6.80 MBytes 57.0 Mbits/sec 48 145 KBytes
[ 4] 5.00-6.00 sec 6.71 MBytes 56.2 Mbits/sec 0 158 KBytes
[ 4] 6.00-7.00 sec 7.47 MBytes 62.8 Mbits/sec 0 174 KBytes
[ 4] 7.00-8.00 sec 7.75 MBytes 65.0 Mbits/sec 0 190 KBytes
[ 4] 8.00-9.00 sec 7.48 MBytes 62.8 Mbits/sec 0 203 KBytes
[ 4] 9.00-10.00 sec 7.79 MBytes 65.4 Mbits/sec 0 216 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 74.7 MBytes 62.7 Mbits/sec 48 sender
[ 4] 0.00-10.00 sec 74.4 MBytes 62.4 Mbits/sec receiver


[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 7.95 MBytes 66.7 Mbits/sec 43 133 KBytes
[ 4] 1.00-2.00 sec 7.87 MBytes 66.0 Mbits/sec 0 153 KBytes
[ 4] 2.00-3.00 sec 9.11 MBytes 76.4 Mbits/sec 0 173 KBytes
[ 4] 3.00-4.00 sec 8.89 MBytes 74.6 Mbits/sec 0 190 KBytes
[ 4] 4.00-5.00 sec 8.66 MBytes 72.6 Mbits/sec 0 205 KBytes
[ 4] 5.00-6.00 sec 8.11 MBytes 68.1 Mbits/sec 0 218 KBytes
[ 4] 6.00-7.00 sec 8.29 MBytes 69.5 Mbits/sec 0 231 KBytes
[ 4] 7.00-8.00 sec 9.07 MBytes 76.1 Mbits/sec 24 187 KBytes
[ 4] 8.00-9.00 sec 9.15 MBytes 76.7 Mbits/sec 0 213 KBytes
[ 4] 9.00-10.00 sec 8.68 MBytes 72.9 Mbits/sec 0 229 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 85.8 MBytes 72.0 Mbits/sec 67 sender
[ 4] 0.00-10.00 sec 85.3 MBytes 71.5 Mbits/sec receiver

Posted by & filed under Mikrotik, pfSense, RouterOS.

In this tutorial we will look at how to set up a site to site VPN between a pfSense server and a Mikrotik client using OpenVPN the proper way. We’ll be taking advantage of pfSense’s superb certificate management features to do SSL/TLS instead of just a pre-shared key.

Our client will be a Routerboard RB2011 detailed in an earlier post that connects to a pfSense server. Only the local networks will be shared between the two sites; sharing the external address of the server with the client is out of scope of this tutorial. In my scenario the client’s local network will be and the server’s. Our encryption will be AES with a key size of 256 bits (the maximum that RouterOS supports on this router as of now).

Let’s first connect to our router and set up the bare minimum. If you don’t know how to do that please refer to this tutorial to get you started. After we connect via winbox go to Quick Set:


And change the defaults to suit our needs:


Of course after applying the settings it will disconnect because of the network change:


Now to the server side of things. Log in to pfSense and go to System -> Cert. Manager:


The Certificate Manager screen will default to the CAs tab, where you can see your Certificate Authorities. If you don’t already have a dedicated CA for site to site VPNs then I highly suggest setting one up here. In my case we will be using the one that starts with bb (it stands for Back-Bone):


Navigating to Certificates we will see our certificates. At the very least there will be the webConfigurator present:


In my case I have a lot, so I scroll to the bottom to Add a new one:


The Add a New Certificate screen will appear:


We don’t want to import but rather create a new one, so let’s start by creating a server certificate. Give it a descriptive name, in my case it will be bb-server-SOMETHING, where SOMETHING is the remote location’s name. Set the Digest to sha256, the type to Server Certificate and fill in the rest of the required fields as applicable:


Now let’s add another one but here we will set the descriptive name to bb-client-SOMETHING and the certificate type to User Certificate, the digest remains sha256:


Now that we have our certificates we are ready to create our VPN server. Go to VPN -> OpenVPN:

Stay on the Servers tab, cause we want to create a server. Scroll to the bottom of the page and click the green Add button:

The OpenVPN server creation screen will appear:

Let’s change some of its settings. RouterOS (as of now) doesn’t support some OpenVPN features, so we need to adjust our server to be compatible with it. If this changes (hopefully in RouterOS 7) I will update the blog accordingly.

General Information

Let’s leave the Server mode on Peer to Peer (SSL/TLS) cause we want to do site-to-site. We need to change the Protocol to TCP, the Device mode is good as it is on tun. I prefer to set the Interface to Localhost, cause if there are more interfaces on the server or more than one external IP I will have more control over it later in the Firewall -> NAT section. I usually let the Local port auto increment as pfSense wants it, but in this case I set it to 1196. Please note that the default port for OpenVPN is 1194, I usually reserve that for Remote Access type of servers (for the Road Warrior users). Let’s give it a nice Description so that later we can identify it.

Cryptographic Settings

Under TLS authentication we need to DISABLE Enable authentication of TLS packets. Change the Peer Certificate Authority to the one that contains our keys and set the Server certificate to the one we created earlier. Everything else you can leave at its default values, but I prefer to use AES-256-CBC instead of the default AES-128-CBC.

Tunnel Settings

Let’s set the IPv4 Tunnel Network to something sensible, that no one uses. Any type of internal network is fine, but I prefer to use networks from the B class for my VPNing needs. In this example the network is Make sure to use a /30 netmask, since we are connecting only two IPs together. Leave IPv6 Tunnel Network empty and Redirect Gateway unchecked. Under IPv4 Local network(s) we need to input the local (server’s) CIDR, in my case it is and under IPv4 Remote network(s) the remote (client’s) CIDR, that would be for me. I leave both IPv6 Local network(s) and IPv6 Remote network(s) empty, since we are only working with IPv4 here. We can safely set the Concurrent connections to 1, for obvious reasons. Leave Compression on No Preference, cause RouterOS 6 doesn’t support LZO compression, but if you disable it it won’t work either (maybe a bug?). Lastly I check Disable IPv6.

Advanced Configuration

Let’s leave this section as is. If you know what you are doing and need to set additional OpenVPN options then this article clearly isn’t for you.


Now let’s make a NAT rule to allow our VPN server to be reachable from the outside. Go to Firewall -> NAT

Scroll to the bottom of the page and click Add, the following screen will appear:

We leave the Interface on WAN, the Protocol on TCP, the Destination on WAN address, in the Destination port range field we input 33311 (in my case, but it can be anything you want to use, for example it could be 1196 to match the target port). For the Redirect target IP we enter and we set Redirect target port to 1196 (the port and address our OpenVPN server listens on). Finally we give it a proper Description and click Save:


Now we are ready to set up the VPN on the client side, but first let’s export the certificates. Go to System -> Cert. Manager:


Let’s export the CA’s Certificate by pressing the dot/star button next to the CA that we used:


Now on the Certificates tab let’s export the client certificate that we created by pressing dot/star button next to it:


And also the client key for that certificate by pressing the key button next to it:


You should have 3 files:

  • CA cert (here: bb.crt)
  • client cert (here: bb-client.crt)
  • client key (here: bb-client.key)
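Before uploading, the exported files can be checked on the workstation against the choices made earlier: the client certificate was issued by the selected CA, uses the sha256 digest, and the key is an unencrypted PEM (the router import below is done without a password). This is an added example, not part of the original tutorial; the file names follow the list above and the CA is assumed to be a self-signed root.

```powershell
# Added example (not from the original tutorial). File names follow the post;
# the CA is assumed to be a self-signed root.
param(
    [string]$CaPath     = '.\bb.crt',
    [string]$ClientPath = '.\bb-client.crt',
    [string]$KeyPath    = '.\bb-client.key'
)

# .NET does not follow PowerShell's current location, so resolve full paths.
$ca     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CaPath).Path)
$client = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $ClientPath).Path)

# Build the chain using only the exported CA as a candidate issuer. The CA is
# private, so an untrusted root is expected and revocation is not checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$built = $chain.Build($client)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$issuedByCa = $built -and ($top.Thumbprint -eq $ca.Thumbprint)

# The key file should be a PEM private key with no passphrase protection.
$keyText      = Get-Content -Raw -Path $KeyPath
$keyIsPem     = $keyText -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----'
$keyEncrypted = $keyText -match 'ENCRYPTED'

$now = Get-Date
$report = [pscustomobject]@{
    Subject        = $client.Subject
    Issuer         = $client.Issuer
    IssuedByCa     = $issuedByCa
    Signature      = $client.SignatureAlgorithm.FriendlyName
    Sha256Digest   = $client.SignatureAlgorithm.FriendlyName -like 'sha256*'
    CurrentlyValid = ($client.NotBefore -le $now) -and ($client.NotAfter -gt $now)
    NotAfter       = $client.NotAfter
    KeyIsPlainPem  = $keyIsPem -and -not $keyEncrypted
}
$report | Format-List

# Non-zero exit code if any of the checks failed, for use in a script.
if (-not ($report.IssuedByCa -and $report.Sha256Digest -and
          $report.CurrentlyValid -and $report.KeyIsPlainPem)) {
    exit 1
}
```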

Let’s upload those files to our Mikrotik device. You can simply drag and drop the 3 files from Explorer directly into winbox. It will upload them and the File List window will pop up showing where they were stored:


First let’s install our certificates. Go to System -> Certificates:


The certificates window will pop up:


Click on the Import button:


Select your client certificate from the drop down list, don’t enter a password and hit Import:


Now click Import a second time, to import the key as well. Notice that the certificate is imported (under the Import window):


After you added the key to the certificate it will show you KT instead of just a T. That means that you successfully added the key as well:


And finally using the Import button let’s add our CA cert as well:


The certificates are properly installed, let’s close the window and go to PPP on the left side menu:


The PPP window will appear, defaulting to the Interface tab:


First let’s go and create a profile for our PPP interface on the Profiles tab:


Click the + button to add a new one and enter the Local Address and Remote Address. This should be the first usable address in your network for the remote address and the second for the local address. (Remember this is the client, it’s inverted here). In my case I input for Local and for Remote. Don’t forget to give it a proper Name:


After we hit OK it should look somewhat similar to this:


Now let’s go back to the Interface tab and click on the + button to add a new interface. There will be a drop down menu (that I could not screenshot) with a lot of different types of PPP interfaces, but we will be using OpenVPN and in client mode, so click OVPN Client. The new interface dialog will appear. Under the General tab leave everything on default, but give it a proper Name:


Under the Dial Out tab we need to enter the external IP address or host name of our server (redacted in the below screenshot) in the Connect To field, the external Port that we set (in my case 33311), leave the Mode on IP, enter any random Username (I usually like to enter my certificate’s name here). Leave the Password field unused and select the Profile that we just created. Select the client (not the CA) certificate in the Certificate field, leave Auth on sha1, but change the Cipher to aes 256 to match our server’s configuration. After all that is set up hit OK:


This is our VPN interface:


Now to test it out. I just did some pings (Tools -> Ping) to the remote site:


And the same on the server side:


That’s pretty much it. Enjoy your VPN! You also might want to read my OpenVPN performance of Mikrotik devices article where I tested a wide range of routers to find out which router might fit your needs.


Posted by & filed under Mikrotik, RouterOS.

Let’s talk about Mikrotik’s RB2011 routers for a second. They are pretty nifty; even though they are a bit lacking on the hardware side, the software more than makes up for it.

There are a lot of different sub-models. This one, the RB2011UiAS-2HnD-IN, is the beefiest, featuring an SFP cage, b/g/n Wireless, a micro-USB port and an LCD screen. The cheapest one, the RB2011iL-IN, has none of those options and half the memory. They are all powered by the Atheros AR9344 SOC that is somewhat overclocked at 600 MHz. In addition there is a 7-port gigabit switch, the AR8327, made by Atheros as well. As mentioned earlier we can choose between 64 MB or 128 MB of RAM and for storage we have 128 MB of NAND on every model. Since the SOC is a bit old we get 5x 10/100 (Fast) Ethernet ports, but we also get 5x 10/100/1000 (Gigabit) Ethernet ports, bringing the total of usable ports up to 10 (11 if you count the SFP as well).



It is running RouterOS, a proprietary operating system Mikrotik makes based on the Linux kernel. It has a lot of features, like firewalling, shaping, QoS, all kinds of VPN servers and clients, etc. Besides being installed on the company’s own routers it can be purchased separately for x86 based systems as well. The preferred method of configuring it is via the winbox application, which can be downloaded from the manufacturer’s website.

Here is the login screen:



Usually the IP address of a new router is the default administrator user is admin with no password set. After we log in, the router wants to apply a default configuration and prompts us if we agree:



After we agree we can tinker around with the router a bit. Let’s go to Quick Set:



The Quick Set panel appears. Here we can quickly set up a few things like LAN and WAN IPs, Wireless, administrator password, etc. Let’s change the default WISP AP mode to Home AP:



It will prompt us that it might lose connectivity, press Yes:



After the change is committed we get some more options, namely Guest Wireless Network. Before we configure it further, let us first check for any firmware updates, by clicking Check For Updates:



The Check For Updates panel appears. I strongly suggest leaving the Channel on current. It shows that the latest version is 6.34.4, but the installed one is only 6.33.1. It also shows the new features and bug fixes in this version. Let’s update our router by clicking Download&Install:



It will start downloading and installing the new firmware. After it’s done an automatic reboot is invoked:



That of course will kick us out of the interface. Let’s wait a bit till it’s fully booted up and press Reconnect:



After we log in we can see that all the windows left open are still there, and that the installed version now matches the latest. We can now hit OK to get back to the configuration panel:



Now we can configure the router properly. Enter a Network Name for the Wireless and a Guest Network for the Guest Wireless fields. Those will be the SSIDs that will be advertised by the router. Set the WiFi Password (by default it uses both WPA and WPA2 auth and AES ciphers, we can change those later) for the main WiFi and set a Download Limit of 1 Mbps for the guest WiFi. On the right side of the panel we can change the Internet interface’s port, the Address Acquisition type and even spoof a MAC address. Below that we can change the Local Network settings: the router’s IP and Netmask, if we want to run a DHCP Server or not and the address range(s) that it will give out. Lastly we can set the administrator password here as well. For the purposes of this tutorial I will leave everything at its default values. Note that the WAN address is and the router will NAT between that and the subnet.



Note that on the router itself there is physically no marking for what the WAN and what the LAN ports are, as opposed to the commonly found consumer routers made by Linksys, Asus, Tp-link and the like. That is because we have full control over how things are connected together. Let’s go to the Bridge menu and check out what’s bridged with what. On the Bridge tab we can see that there is only one bridge named bridge-local:



On the Ports tab we can see what physical port is actually a member of that bridge. In this case the Ethernet port number 2, number 6, the SFP port and the two WiFi ports all belong to the bridge-local bridge. Port number 1 is missing since it is the WAN port in this configuration, and ports 3, 4, 5, 7, 8, 9 and 10 are connected to the bridge as well, but in a different way, we will see how a bit later.



If we go to the Filters tab, we can see that we already have two rules. Those two rules drop all packets that come in from the wlan2 WiFi interface (our guest WiFi) and want to access the bridge, and vice versa. This is how the guest WiFi is isolated from the rest of the LAN. Users on the guest WiFi still get an IP in the subnet, but they can only access the router (and the internet since the router is NAT-ing) and nothing else, not even other guest WiFi users.



Let’s go and check out the Wireless Tables by clicking Wireless in the left menu, as we expect we can see the two WiFi interfaces:



Going to the Access List tab we can see that there is a rule applied to the guest WiFi interface:



Remember when we set the maximum download speed of the guest WiFi interface to 1 Mbps? This is where that is set. Let’s check the rule in more detail:



Some ports were missing from the bridge yet they still worked, but how? They are set under the Switch menu, let’s take a closer look. In the Switch tab we can see that we have 2 switches:



On the Port tab we can see what port belongs to what switch. Remember that this router has two switches: the SOC itself with 5x fast Ethernet ports and another with 5x gigabit ports. Ethernet port 1 is the gateway, port 2 is the master of ports 3, 4, 5 and port 6 is the master of ports 7, 8, 9, 10.



Now let us look at the individual interfaces by clicking Interfaces on the menu. Here we can change where each port belongs and divide the switch into different segments (for example if we want a wired guest network as well, not just wireless, etc.). Note that these are all different interfaces, meaning that for example the MAC address of port 8 is different from port 9:



Lastly these are the firewall rules that were set during the Quick Set. The Firewall can be accessed under IP -> Firewall. The first tab shows the Filter Rules:



And on the NAT tab we can see how everything is masqueraded on to port 1, the gateway.



As you can see the Quick Set option sets up the router pretty well and really fast, but for more advanced stuff we’re gonna have to do everything manually.