Internal Resources

Overview

This procedure covers the end-to-end process for adding a new WireGuard peer (MikroTik router or employee device) to the ITI management VPN using the WireGuard Deployment Tool.

Prerequisites

• Winbox or SSH access to the spoke router
• Winbox or SSH access to ITI-WG-HUB-01 (CCR)
• WireGuard Deployment Tool open in browser
• RouterOS 7.x on the spoke device
• Next available WireGuard IP from the hub registry

Procedure

1. Open the WireGuard Deployment Tool and enter the peer name and WG IP address.
2. Paste the Winbox allowed addresses command into the spoke terminal.
3. Paste the interface creation command and print command into the spoke terminal.
4. Copy the public key from the spoke output and paste it into the tool.
5. Paste the hub peer add command into ITI-WG-HUB-01.
6. Paste the hub print command and copy the preshared key into the tool.
7. Paste all three finalization commands into the spoke terminal.
8. Verify by pinging 10.250.0.1 from the spoke.

Before Arriving On Site

• Review scope of work in ConnectWise and confirm equipment list
• Verify customer contact information and site access instructions
• Ensure all required tools and equipment are loaded in the vehicle
• Check PRTG for any known issues at the site (if existing customer)

Physical Survey

• Document building layout, square footage, and ceiling types
• Identify MDF/IDF locations and power availability
• Note existing cabling infrastructure (type, condition, termination points)
• Identify cable pathway options (ceiling, wall, conduit, exterior)
• Photograph all relevant locations (MDF, IDF, cable routes, mounting points)
• Note any environmental concerns (outdoor exposure, temperature, moisture)

Wireless Survey

• Record RF environment using site survey tool or EnGenius app
• Identify AP mounting locations with line of sight considerations
• Document channel utilization and interference sources
• Note client density requirements per coverage area

Network Assessment

• Document ISP service details (provider, speed, circuit ID, handoff type)
• Note existing network equipment (make, model, age, condition)
• Identify VLAN and subnet requirements
• Confirm WAN IP information and DNS settings

After Survey

• Upload all photos and notes to the ConnectWise project
• Update the project with a preliminary materials list
• Flag any scope changes or concerns with the project manager

Initial Setup

1. Connect to the router via Winbox using MAC address (default login: admin, no password).
2. Remove all default configuration when prompted.
3. Set system identity: /system identity set name="SITE_NAME"
4. Set admin password (use ITI standard password from the secure vault).
5. Update RouterOS to latest stable version if not current.

WAN Configuration

1. Configure WAN interface (typically ether1) with static or DHCP as required.
2. Set DNS servers: 1.1.1.1 and 8.8.8.8
3. Add NAT masquerade rule for outbound traffic.

LAN Configuration

1. Create bridge for LAN interfaces.
2. Assign LAN IP address and subnet.
3. Configure DHCP server with appropriate pool, lease time, and DNS.

Security Baseline

1. Disable unused services (telnet, ftp, www, api, api-ssl).
2. Set Winbox allowed addresses per ITI standard.
3. Configure basic firewall rules (input chain, forward chain).
4. Disable neighbor discovery on WAN interface.
5. Disable bandwidth test server.

Management

1. Configure SNMP community for PRTG monitoring.
2. Add WireGuard tunnel per the WireGuard VPN Peer Deployment SOP.
3. Set NTP client to time.cloudflare.com
4. Create system backup and export.

Step 1: Verify the Issue

• Check PRTG for the site. Is the router showing as down, or just specific sensors?
• If PRTG shows the router up but internet down, it may be a WAN/ISP issue only.
• Ask the customer: Is it ALL devices or just one? Wired and wireless?

Step 2: Remote Access

• Attempt to connect to the router via WireGuard tunnel using the management IP.
• If WireGuard is down, attempt via the site's public WAN IP (if known and Winbox is allowed).
• If neither works, the issue is likely upstream (ISP outage or modem/ONT failure). Proceed to Step 4.

Step 3: Router Diagnostics (if accessible)

1. Check WAN interface status: is the link up? Does it have an IP?
2. Ping the gateway from the router.
3. Ping an external IP (e.g., 1.1.1.1) from the router.
4. If pings fail at the gateway, the issue is between the router and the modem/ONT.
5. Check for firewall rule changes, NAT issues, or route table anomalies.
6. Check system logs for errors or reboot events.

Step 4: ISP Escalation

• Confirm the modem/ONT has power and link lights.
• If the modem is accessible, check its status page for signal levels and connection status.
• Contact the ISP with the circuit ID and account information from ConnectWise.
• Document the ISP ticket number in the ConnectWise ticket.

Step 5: On-Site (if remote resolution fails)

• Dispatch a technician with a laptop and console cable.
• Power cycle the modem/ONT (wait 60 seconds).
• Verify physical connections (Ethernet cables, SFP modules).
• Connect a laptop directly to the modem to test ISP service in isolation.

Pre-Deployment

1. Register the AP in EnGenius Cloud under the correct organization and network.
2. Pre-configure the SSID(s), VLAN assignments, and radio settings in the cloud profile.
3. Verify the AP firmware is current (update in cloud before shipping if possible).
4. Label the AP with the site name and intended mounting location.

Physical Installation

1. Mount the AP at the planned location per the site survey. Ceiling mount is preferred.
2. Ensure the Ethernet cable run is tested and certified before connecting.
3. Connect the AP to the PoE switch or PoE injector.
4. Confirm the AP powers on and the LED status indicates normal boot.

Cloud Configuration

1. Verify the AP appears online in EnGenius Cloud within 5 minutes of power-on.
2. Assign the AP to the correct floor plan or location tag.
3. Set the radio channel and power per the site survey recommendations.
4. If using a captive portal, verify the walled garden domains are configured on the gateway.

Validation

• Connect a test device to each SSID and verify internet access.
• Confirm VLAN assignment is correct (check the DHCP-assigned IP).
• Walk the coverage area and verify signal strength meets requirements.
• Add the AP to PRTG monitoring.

Adding a Device

1. Navigate to the correct group (site/customer) in PRTG.
2. Click "Add Device" and enter the device name, WireGuard management IP, and SNMP community string.
3. Run auto-discovery or manually add the required sensors.

Standard Sensors for MikroTik Routers

• Ping (availability and latency)
• SNMP Traffic (WAN interface utilization)
• SNMP System Uptime
• SNMP CPU Load
• SNMP Memory Usage
• SNMP Disk Space (if applicable)

Alert Configuration

• Ping sensor: alert after 3 consecutive failures (avoids false positives from brief blips).
• CPU/Memory: alert at 90% sustained for 10 minutes.
• WAN traffic: set warning threshold at 80% of circuit capacity.
• Verify notification templates include the site name and device name for clear alerting.

Password Standards

• All company system passwords must be at least 14 characters and include uppercase, lowercase, numbers, and a special character.
• Passwords must be stored in the company password vault. Storing passwords in plaintext (spreadsheets, sticky notes, email) is prohibited.
• Passwords must be changed immediately if a compromise is suspected.

Device Security

• Company laptops must have full-disk encryption enabled.
• All devices must be locked (screen lock) when unattended.
• Personal devices used for company work must have a screen lock and current OS updates.
• Do not connect to public Wi-Fi without an active VPN connection.

Customer Credentials

• Customer network credentials are stored in ConnectWise Manage configurations only.
• Never send customer credentials via email or text message in plaintext.
• When sharing credentials with a customer, use a secure method (phone call, encrypted message, or in person).

Company Vehicles

• Company vehicles are for business use only. Personal use is not authorized without prior management approval.
• Drivers must maintain a valid driver's license and report any changes to their driving record.
• Report any accidents, damage, or mechanical issues immediately to management.
• Keep company vehicles clean, organized, and stocked with standard tools and equipment.

Mileage and Fuel

• Fuel for company vehicles is covered by the company fuel card.
• Employees using personal vehicles for company business will be reimbursed at the current IRS standard mileage rate.
• Mileage reimbursement requires a log showing date, destination, purpose, and miles driven.

Travel

• Overnight travel must be pre-approved by management.
• Hotel and meal expenses must be reasonable and documented with receipts.
• Submit travel expense reports within 14 days of the trip.

Purchasing Authority

• Purchases under $100 for standard supplies may be made without prior approval.
• Purchases between $100 and $500 require verbal approval from management.
• Purchases over $500 require written (email) approval from Jeff or Frank.

Reimbursement Process

• All expense reimbursement requests must include the original receipt.
• Submit reimbursement requests within 30 days of the expense.
• Approved reimbursements will be included in the next payroll cycle.

Company Credit Cards

• Company credit cards are for authorized business expenses only.
• Receipts for all credit card purchases must be submitted within 7 business days.
• Personal charges on company cards must be reported and repaid immediately.

Requesting Time Off

• All PTO requests must be submitted at least two weeks in advance when possible.
• Requests are approved based on business needs and staffing coverage.
• Unplanned absences (illness, emergency) must be communicated to your manager before the start of your shift.

Attendance Expectations

• Employees are expected to be on time and ready to work at their scheduled start time.
• Repeated tardiness or unexcused absences will be addressed through progressive counseling.
• If you are running late, notify your manager as soon as possible.

General Standards

• Always be professional, courteous, and responsive in all customer interactions.
• Respond to customer emails within one business day. Acknowledge receipt immediately if a full response will take longer.
• Answer phone calls with: "Interstate Telecommunications, this is [your name], how can I help you?"
• If you cannot resolve an issue, set expectations with the customer on next steps and timeline, then escalate internally.

Ticket Documentation

• Every customer interaction (call, email, site visit) must be logged in the ConnectWise ticket.
• Ticket notes should be clear enough that any team member could pick up where you left off.
• Include: what the customer reported, what you did, what the current status is, and what the next step is.

Escalation

• If a customer is frustrated or the issue is beyond your scope, escalate to management immediately. Do not make promises you cannot keep.
• Never argue with a customer. De-escalate, document, and escalate.

General Safety

• All employees are responsible for maintaining a safe work environment.
• Report any unsafe conditions, near-misses, or injuries to management immediately.
• Never take shortcuts that compromise safety, regardless of time pressure.

Job Site Safety

• Wear appropriate PPE for the task: safety glasses for drilling, gloves for cable pulling, hard hats when required by the site.
• Use ladders correctly: maintain three points of contact, do not overreach, and secure the ladder before climbing.
• Inspect tools and equipment before each use. Do not use damaged tools.
• When working in ceilings or attics, be aware of electrical hazards, insulation, and structural limitations.

Electrical Safety

• Only qualified personnel may work on high-voltage electrical systems.
• Low-voltage cabling work (Category cable, coax) does not require electrical licensing but still requires care around proximity to high-voltage wiring.
• Never run low-voltage cable in the same conduit or bundled with high-voltage wiring.