Public
August 2015
- 22 participants
- 20 discussions
Hello Mikrotikians,
I've been looking at this one for a while now.
I have several hundred QinQ vlans heading into a single bridge group.
ipv4 and ipv6 from the bridge interface into the individual links is
working well.
None of the ipv4 addresses can actually connect to or ping each other.
Flags: X - disabled, R - running
0 R name="bridge136" mtu=auto actual-mtu=1500 l2mtu=1992
*arp=proxy-arp* mac-address=D4:CA:6D:01:38:C7 protocol-mode=none
priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
Flags: X - disabled, I - inactive, D - dynamic
0 interface=XXXXXX bridge=bridge136 priority=0x80 path-cost=10
edge=auto *point-to-point=yes* external-fdb=auto horizon=1 auto-isolate=no
A bridge too far?
So, I'm looking for a solution where the IPv* arrives at bridge136 and
then goes straight back out the correct port.
--
http://about.me/terry.sweetser
4
11
Hi guys, just wondering if anybody has used the Routerboard mAP2n with a USB dongle for 3G/4G access ?
We are looking at some out of band options for some remote sites and also a way to identify if there has been a power problem on site, so thinking that these things are pretty cheap and we can configure them as an out of band router which plugs into the mains power rather than UPS, that way if we see it drop we know we are running on UPS and if our other gear fails for any reason we can get in remotely using the unit as long as the mains power is working.
The other option I am considering is the hAP-2nD which has the advantage of additional ports which I can connect to different devices on site if need be.
Both units are the same price.
Any thoughts ??
Regards
Paul
6
6
http://routerboard.com/CCR1072-1G-8Splus -- it's out -- will it do a
full BGP table?
--
http://about.me/terry.sweetser
1
0
Hi
Not that new release
http://forum.mikrotik.com/viewtopic.php?f=21&t=99531
but the key thing I wanted to point out was
*) chr - added x86_64 image for use in virtual environments
*) chr - added support for VMware SCSI virtual disks
*) chr - added support for VMware vmxnet3 network card
*) chr - added support for HyperV SCSI disks
*) chr - added support for HyperV Ethernet interfaces
*) chr - added support for virtio disks
Awesome ..... vmxnet3 drivers woo hoo, didn't think they would do this.
A
8
23
Hi Mikrotikians,
Any one recently tried BGP with a full table on a CCR 36 core with 1+
Gbps of traffic?
How did it go? Or not go?
--
http://about.me/terry.sweetser
6
12
Good afternoon,
I was wondering if anyone has managed to get the Info channel working on
these at the same time as the data channel.
We only seem to be able to get one or the other, not both working.
Regards,
Andrew
1
0
Hi guys, just wondering if somebody can confirm if I can upgrade from 5.24 straight to 6.31 on an RB1100 ??
I thought you needed to go to a later version of 5.x first before upgrading ?
When I try to do the upgrade from within the router itself it says that the latest version is 6.27 and then complains that it can't find one of the npk files and aborts the download.
Thanks
Paul
5
7
Hi All,
I'm hoping someone can help me as I'm at my wit's end with this one.
We use Mikrotik gear (Mainly RB2011's and more recently, the
CRS125-24G) in large residential AV situations where invariably, the
Mikrotik is in dhcp client mode, in a cable internet scenario where
Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched
off) and the carrier-supplied WAN IP address gets bound to the gateway
interface of the Mikrotik.
The Mikrotik, in turn is connected to, on average, about 3 UniFi access
points, and at least 3-4 zones of Sonos. On initial set up, everything
seems to work great, with the full bandwidth of the cable modem getting
passed on to the rest of the network, even when 802.11 clients are
connected (a testament to the UniFi's in my opinion - I only use dual band
Pro AP's).
However, after a week or so the internet connection seems to get either
very slow, or stop working altogether. If I look in the logs (with dhcp
logging switched on) I can see regular NAK's getting passed from the dhcp
server on the cable modem. The problem is I don't really understand how
DHCP works on cable modems. I'm assuming every so often the cable modem
gets a new IP address from the carrier (normally after a reset) and at this
point the modem is not passing this new address onto the Mikrotik which is
effectively cut off from the internet. Since we are stuck with using
Bigpond and Optus modems these are the only solutions I have discovered
which seem to stop the issue from occurring (at least as regularly).
1) Leave the cable modem in "router" mode and switch off all extraneous
services such as Wi-Fi, and also put one IP address in the dhcp pool so
that the Mikrotik always gets the same private IP address. However, this
creates a double nat situation which means I can no longer perform reliable
port forwarding for things such as DVR's and CBus controllers (which I find
the Mikrotik's great for).
2) Allow the cable modem to perform all dhcp, routing, port forwarding
(which is a joke on these devices) and firewall tasks for the entire LAN
and turn the CRS into an unmanaged L2 switch. The main problem here is that
these Bigpond devices simply do not have the grunt to deal with large
networks with lots of AV streaming and control happening.
Since both of the above have severe drawbacks in terms of functionality, I
wonder if anyone has had similar experiences as I am just about ready to
dump the MikroTik's and start looking at other options in the hope that
they play better with the Bigpond gear.
Thanks in advance,
Ben Jackson
eLogik
m:0404 924745
e: ben(a)elogik.net
w: www.elogik.com.au
8
43
---------- Forwarded message ----------
From: "Ben Jackson" <ben(a)elogik.net>
Date: 14 Aug 2015 7:31 am
Subject: Re: Cable Modem DHCP Issues
To: "Jason Hecker" <jason(a)upandrunningtech.com.au>
Cc:
DHCP lease is in the order of days..can't remember exactly how long. It
normally takes at least a week or two before things start to slow down.
On 14 Aug 2015 7:28 am, "Jason Hecker (Up & Running Tech)" <
jason(a)upandrunningtech.com.au> wrote:
> How long is the DHCP lease?
> How long does it take before things go awry?
>
>
> On 14 August 2015 at 07:11, Ben Jackson <ben(a)elogik.net> wrote:
>
>> I did have one case where I reinstated the cable modem as the main router
>> and made the mikrotik CRS into an unmanaged switch. There have been no
>> reported problems since then.
>>
>> I really feel this is somehow to do with the DHCP client/server
>> interaction between the two devices. I have even tried running the modem
>> non-bridged so that there is a dual NAT situation which gives me a very
>> similar result.
>> Maybe the Cable modems are expecting a certain field to be present in the
>> DHCP challenge/response packet and the mikrotik is not providing this
>> information ? Something like that anyway?
>> On 14 Aug 2015 7:01 am, "Ben Jackson" <ben(a)elogik.net> wrote:
>>
>>> All the DSL modems are running in full bridged mode already with the
>>> Mikrotik doing the authentication.
>>> The cable modems are also set up in "bridged" mode which essentially
>>> means that NAT is switched off.
>>> Either way, the Mikrotik ends up with a public IP on its WAN-facing
>>> port.
>>> On 13 Aug 2015 9:51 pm, "Jason Hecker (Up & Running Tech)" <
>>> jason(a)upandrunningtech.com.au> wrote:
>>>
>>>> Can you run the modems in a PPPoE bridged mode?
>>>>
>>>>
>>>> On 13 August 2015 at 17:49, Ben Jackson <ben(a)elogik.net> wrote:
>>>>
>>>>> OK all the problems are back. I'm still getting customers whose
>>>>> networks are grinding to a halt after making the changes I detailed above.
>>>>> As always after changing the config, everything seems to run great for a
>>>>> few weeks and then everything falls over in a heap again. If I run direct
>>>>> through the modem (any DOCSIS version) the speeds return to normal
>>>>> immediately.
>>>>>
>>>>> I did find this post on the forum
>>>>> http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try
>>>>> in a controlled environment.
>>>>>
>>>>> Someone somewhere HAS to be experiencing this same issue - it's
>>>>> happening with too many customers to be a coincidence.
>>>>>
>>>>> You guys have checked my config and no-one has flagged anything as
>>>>> being immediately wrong so I'm really at a loss. The only other common
>>>>> factor here seems to be SONOS and I am talking to playback about any issues
>>>>> they may have seen with MikroTik (which they unofficially recommend).
>>>>>
>>>>> Ben
>>>>>
>>>>> Ben Jackson
>>>>> eLogik
>>>>> m:0404 924745
>>>>> e: ben(a)elogik.net
>>>>> w: www.elogik.com.au
>>>>>
>>>>> On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>
>>>>>> Hi Jason,
>>>>>>
>>>>>> I think so. I was waiting for a week or so to make absolutely
>>>>>> certain. It seems there were a few issues at play here.
>>>>>>
>>>>>> Essentially I think many of my customers were subject to a DNS
>>>>>> escalation attack (as pointed out by Mike Everest) so I specifically
>>>>>> blocked udp and tcp port 53. This was because I had "Allow remote requests"
>>>>>> enabled in the DNS config. This was intentional as I wanted to use my
>>>>>> router as a DNS relay for my internal LAN but I was unaware of the fact
>>>>>> that these ports were open to the WAN also.
>>>>>>
>>>>>> Also I trimmed down my firewall rules to the ones you suggested and
>>>>>> then started to build them up again based on what I wanted to allow through
>>>>>> and by looking at drops in the log.
>>>>>>
>>>>>> I also enabled the helpers you suggested in firewall/service ports,
>>>>>> and I also updated all my customers to the latest version.
>>>>>>
>>>>>> Although this helped, I still think there are a lot of bugs with the
>>>>>> newest DOCSIS 3.0 modems, especially when running in bridge mode. I am
>>>>>> seeing random disconnects etc in the logs.
>>>>>>
>>>>>> These actions also improved my customers who run PPPoE over ADSL.
>>>>>>
>>>>>> It's been a very busy week!
>>>>>>
>>>>>> Thank you to everyone for your input. I hope this helps someone else
>>>>>> who may be experiencing these problems.
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>>
>>>>>> On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) <
>>>>>> jason(a)upandrunningtech.com.au> wrote:
>>>>>>
>>>>>>> Ben,
>>>>>>>
>>>>>>> What happened in the end? Did you get to the bottom of the DOCSIS
>>>>>>> modem
>>>>>>> slowdowns?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 29 July 2015 at 20:36, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>
>>>>>>> > Thanks Mike - that's basically what I was attempting. I'll try it
>>>>>>> again.
>>>>>>> > I've been a bit stressed recently and am finding even simple tasks
>>>>>>> a bit
>>>>>>> > hard :)
>>>>>>> >
>>>>>>> > Ben Jackson
>>>>>>> > eLogik
>>>>>>> > m:0404 924745
>>>>>>> > e: ben(a)elogik.net
>>>>>>> > w: www.elogik.com.au
>>>>>>> >
>>>>>>> > On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike(a)duxtel.com>
>>>>>>> wrote:
>>>>>>> >
>>>>>>> > > Hi Ben,
>>>>>>> > >
>>>>>>> > > Config of CRS as a simple le switch is easy - just set 'master
>>>>>>> port' on
>>>>>>> > all
>>>>>>> > > interfaces to the same value (except for master port itself ;)
>>>>>>> > >
>>>>>>> > > For example, set master-port=ether01 for all interfaces
>>>>>>> (including sfp)
>>>>>>> > > except for ether1 itself (leave it as master-port=none)
>>>>>>> > >
>>>>>>> > > Then just add ip address firewall filters etc on the master port.
>>>>>>> > >
>>>>>>> > > Only wlan can't be switched - in that case, you need to make a
>>>>>>> bridge
>>>>>>> > then
>>>>>>> > > add wlan and the master-port as bridge ports.
>>>>>>> > >
>>>>>>> > > Hope it makes sense! :-)
>>>>>>> > >
>>>>>>> > > Cheers, Mike
>>>>>>> > >
>>>>>>> > > -----Original Message-----
>>>>>>> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On
>>>>>>> Behalf Of
>>>>>>> > Ben
>>>>>>> > > Jackson
>>>>>>> > > Sent: Wednesday, 29 July 2015 7:27 PM
>>>>>>> > > To: Jason Hecker <jason(a)upandrunningtech.com.au>; MikroTik
>>>>>>> Australia
>>>>>>> > > Public
>>>>>>> > > List <public(a)talk.mikrotik.com.au>
>>>>>>> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>> > >
>>>>>>> > > Thanks for the input Jason, I'll see if that makes a difference.
>>>>>>> > >
>>>>>>> > > Today, after a lot of complaints from a customer, I had to pull
>>>>>>> out a
>>>>>>> > > Mikrotik CRS125-24G from a customer site and put in a 24 port
>>>>>>> TP-Link
>>>>>>> > > switch
>>>>>>> > > instead with the Telstra DOCSIS gateway set up to do all the
>>>>>>> heavy
>>>>>>> > lifting
>>>>>>> > > including DHCP reservations and port forwarding. Ugh Nasty.
>>>>>>> > >
>>>>>>> > > It seems fine so far but TBH so did the Mikrotik for about a
>>>>>>> week. I'm
>>>>>>> > > convinced this is to do with the new v3.0 modems Telstra are
>>>>>>> pushing not
>>>>>>> > > behaving themselves in bridge mode. There are a few models out
>>>>>>> there but
>>>>>>> > > the
>>>>>>> > > Netgear CG3100D seems to be the most prevalent. Telstra market
>>>>>>> this as
>>>>>>> > the
>>>>>>> > > Gateway "Max". Perhaps because the maximum is easily reached
>>>>>>> with these
>>>>>>> > > devices? :)
>>>>>>> > >
>>>>>>> > > I have raised support tickets with both MikroTik and Duxtel.
>>>>>>> Let's see
>>>>>>> > how
>>>>>>> > > we go. Until then I'm going to try using the Ubiquiti Edge
>>>>>>> Routers with a
>>>>>>> > > UniFi 48v PoE+ switch.
>>>>>>> > >
>>>>>>> > > Just as an aside does anyone have experience setting the CRS
>>>>>>> devices up
>>>>>>> > as
>>>>>>> > > a
>>>>>>> > > dumb, unmanaged switch? I thought it would be fairly
>>>>>>> straightforward but
>>>>>>> > I
>>>>>>> > > had a go today and found myself struggling a little.
>>>>>>> > >
>>>>>>> > > Ben Jackson
>>>>>>> > > eLogik
>>>>>>> > > m:0404 924745
>>>>>>> > > e: ben(a)elogik.net
>>>>>>> > > w: www.elogik.com.au
>>>>>>> > >
>>>>>>> > > On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running
>>>>>>> Tech) <
>>>>>>> > > jason(a)upandrunningtech.com.au> wrote:
>>>>>>> > >
>>>>>>> > > > Nothing sticks out as overtly wrong.
>>>>>>> > > >
>>>>>>> > > > If you are still up brown creek try simplifying the config by:
>>>>>>> > > >
>>>>>>> > > > * Using the simple firewall here:
>>>>>>> > > > http://wiki.mikrotik.com/wiki/Securing_your_router
>>>>>>> > > > * Use basic NAT (no change);
>>>>>>> > > > * Use the DHCP client (no change);
>>>>>>> > > > * Use DHCP server without any reservations;
>>>>>>> > > > * Slave and bridge the switch ports appropriately (no change);
>>>>>>> > > > * Latest software and Routerboard firmware
>>>>>>> > > > (System->Routerboard->Upgrade if different versions in place).
>>>>>>> > > >
>>>>>>> > > > Are you any wiser today? Are there any red highlighted
>>>>>>> (invalid)
>>>>>>> > > > settings in Winbox?
>>>>>>> > > >
>>>>>>> > > > Jason
>>>>>>> > > >
>>>>>>> > > > On 28 July 2015 at 18:34, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>> > > >
>>>>>>> > > > > Guys,
>>>>>>> > > > >
>>>>>>> > > > > Here is a typical config from one of my clients:
>>>>>>> > > > >
>>>>>>> > > > > # jul/28/2015 17:23:06 by RouterOS 6.30.2 # software id =
>>>>>>> IU9F-WHTQ
>>>>>>> > > > > # /interface ethernet set [ find default-name=ether1 ]
>>>>>>> > > > > name=ether1-master-local set [ find default-name=ether2 ]
>>>>>>> > > > > master-port=ether1-master-local name=\
>>>>>>> > > > > ether2-slave-local
>>>>>>> > > > > set [ find default-name=ether3 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether3-slave-local
>>>>>>> > > > > set [ find default-name=ether4 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether4-slave-local
>>>>>>> > > > > set [ find default-name=ether5 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether5-slave-local
>>>>>>> > > > > set [ find default-name=ether6 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether6-slave-local
>>>>>>> > > > > set [ find default-name=ether7 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether7-slave-local
>>>>>>> > > > > set [ find default-name=ether8 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether8-slave-local
>>>>>>> > > > > set [ find default-name=ether9 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > name=\
>>>>>>> > > > > ether9-slave-local
>>>>>>> > > > > set [ find default-name=ether10 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether10-slave-local
>>>>>>> > > > > set [ find default-name=ether11 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether11-slave-local
>>>>>>> > > > > set [ find default-name=ether12 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether12-slave-local
>>>>>>> > > > > set [ find default-name=ether13 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether13-slave-local
>>>>>>> > > > > set [ find default-name=ether14 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether14-slave-local
>>>>>>> > > > > set [ find default-name=ether15 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether15-slave-local
>>>>>>> > > > > set [ find default-name=ether16 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether16-slave-local
>>>>>>> > > > > set [ find default-name=ether17 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether17-slave-local
>>>>>>> > > > > set [ find default-name=ether18 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether18-slave-local
>>>>>>> > > > > set [ find default-name=ether19 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether19-slave-local
>>>>>>> > > > > set [ find default-name=ether20 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether20-slave-local
>>>>>>> > > > > set [ find default-name=ether21 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether21-slave-local
>>>>>>> > > > > set [ find default-name=ether22 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether22-slave-local
>>>>>>> > > > > set [ find default-name=ether23 ]
>>>>>>> master-port=ether1-master-local
>>>>>>> > > name=\
>>>>>>> > > > > ether23-slave-local
>>>>>>> > > > > set [ find default-name=ether24 ] name=ether24-gateway set [
>>>>>>> find
>>>>>>> > > > > default-name=sfp1 ] master-port=ether1-master-local name=\
>>>>>>> > > > > sfp1-slave-local
>>>>>>> > > > > /ip pool
>>>>>>> > > > > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
>>>>>>> > > > > /ip dhcp-server
>>>>>>> > > > > add address-pool=dhcp_pool1 disabled=no
>>>>>>> > interface=ether1-master-local \
>>>>>>> > > > > lease-time=1d name=dhcp1
>>>>>>> > > > > /ip address
>>>>>>> > > > > add address=192.168.88.1/24 comment="default configuration"
>>>>>>> > > interface=\
>>>>>>> > > > > ether1-master-local network=192.168.88.0 /ip dhcp-client
>>>>>>> add
>>>>>>> > > > > default-route-distance=0 dhcp-options=hostname,clientid
>>>>>>> disabled=no \
>>>>>>> > > > > interface=ether24-gateway use-peer-ntp=yes /ip
>>>>>>> dhcp-server lease
>>>>>>> > > > > add address=192.168.88.100 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:e:c \
>>>>>>> > > > > comment="Sonos - 192.168.88.100-110"
>>>>>>> > mac-address=00:0E:58:32:0E:0C
>>>>>>> > > \
>>>>>>> > > > > server=dhcp1
>>>>>>> > > > > add address=192.168.88.101 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:e:1e
>>>>>>> > > > > \
>>>>>>> > > > > mac-address=00:0E:58:32:0E:1E server=dhcp1 add
>>>>>>> > > > > address=192.168.88.102 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:e:a0
>>>>>>> > > > > \
>>>>>>> > > > > mac-address=00:0E:58:32:0E:A0 server=dhcp1 add
>>>>>>> > > > > address=192.168.88.103 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:e:da
>>>>>>> > > > > \
>>>>>>> > > > > mac-address=00:0E:58:32:0E:DA server=dhcp1 add
>>>>>>> > > > > address=192.168.88.104 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:e:ac
>>>>>>> > > > > \
>>>>>>> > > > > mac-address=00:0E:58:32:0E:AC server=dhcp1 add
>>>>>>> > > > > address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
>>>>>>> > > > > "Control System - 192.168.88.130 - "
>>>>>>> > mac-address=00:1F:B8:05:07:48
>>>>>>> > > \
>>>>>>> > > > > server=dhcp1
>>>>>>> > > > > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6
>>>>>>> mac-address=\
>>>>>>> > > > > 00:0E:58:24:65:B6 server=dhcp1
>>>>>>> > > > > add address=192.168.88.106 always-broadcast=yes
>>>>>>> > > > > client-id=1:0:e:58:24:64:9e \
>>>>>>> > > > > mac-address=00:0E:58:24:64:9E server=dhcp1 add
>>>>>>> > > > > address=192.168.88.107 always-broadcast=yes
>>>>>>> > > > > client-id=1:0:e:58:24:59:40 \
>>>>>>> > > > > mac-address=00:0E:58:24:59:40 server=dhcp1 add
>>>>>>> > > > > address=192.168.88.108 always-broadcast=yes
>>>>>>> > > > client-id=1:0:e:58:32:f:9a
>>>>>>> > > > > \
>>>>>>> > > > > mac-address=00:0E:58:32:0F:9A server=dhcp1 add
>>>>>>> > > > > address=192.168.88.109 always-broadcast=yes
>>>>>>> > > > > client-id=1:0:e:58:32:15:ac \
>>>>>>> > > > > mac-address=00:0E:58:32:15:AC server=dhcp1 add
>>>>>>> > > > > address=192.168.88.110 client-id=1:0:e:58:24:6b:e8
>>>>>>> mac-address=\
>>>>>>> > > > > 00:0E:58:24:6B:E8 server=dhcp1
>>>>>>> > > > > add address=192.168.88.131 comment=MRX-1
>>>>>>> > mac-address=00:1F:B8:04:0C:F5
>>>>>>> > > \
>>>>>>> > > > > server=dhcp1
>>>>>>> > > > > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a
>>>>>>> comment=\
>>>>>>> > > > > "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A
>>>>>>> > > > > server=dhcp1 add address=192.168.88.120
>>>>>>> client-id=1:4:18:d6:80:b3:5d
>>>>>>> > > comment=\
>>>>>>> > > > > "UniFi - 192.168.88.120 - 124"
>>>>>>> mac-address=04:18:D6:80:B3:5D
>>>>>>> > > > > server=dhcp1
>>>>>>> > > > > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85
>>>>>>> mac-address=\
>>>>>>> > > > > 04:18:D6:80:B3:85 server=dhcp1
>>>>>>> > > > > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23
>>>>>>> comment=\
>>>>>>> > > > > "Time Capsule - 192.168.88.150"
>>>>>>> mac-address=00:24:36:A2:C3:23
>>>>>>> > > > server=\
>>>>>>> > > > > dhcp1
>>>>>>> > > > > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9
>>>>>>> mac-address=\
>>>>>>> > > > > 04:18:D6:80:B2:F9 server=dhcp1
>>>>>>> > > > > /ip dhcp-server network
>>>>>>> > > > > add address=192.168.88.0/24 dns-server=192.168.88.1
>>>>>>> > > > > gateway=192.168.88.1 /ip dns set allow-remote-requests=yes
>>>>>>> /ip
>>>>>>> > > > > firewall address-list add address=192.168.88.0/24 comment=\
>>>>>>> > > > > "Support address list - full access to router allowed
>>>>>>> from this
>>>>>>> > > > range"
>>>>>>> > > > > \
>>>>>>> > > > > list=support
>>>>>>> > > > > add address=0.0.0.0/8 comment="Self-Identification [RFC
>>>>>>> 3330]"
>>>>>>> > > > list=bogons
>>>>>>> > > > > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A
>>>>>>> # Check
>>>>>>> > if
>>>>>>> > > > > you nee\
>>>>>>> > > > > d this subnet before enable it" disabled=yes list=bogons
>>>>>>> > > > > add address=127.0.0.0/16 comment="Loopback [RFC 3330]"
>>>>>>> list=bogons
>>>>>>> > > > > add address=169.254.0.0/16 comment="Link Local [RFC 3330]"
>>>>>>> > > disabled=yes
>>>>>>> > > > > list=\
>>>>>>> > > > > bogons
>>>>>>> > > > > add address=172.16.0.0/12 comment="Private[RFC 1918] -
>>>>>>> CLASS B #
>>>>>>> > Check
>>>>>>> > > > if
>>>>>>> > > > > you \
>>>>>>> > > > > need this subnet before enable it" disabled=yes
>>>>>>> list=bogons
>>>>>>> > > > > add address=192.168.0.0/16 comment="Private[RFC 1918] -
>>>>>>> CLASS C #
>>>>>>> > > Check
>>>>>>> > > > > if you\
>>>>>>> > > > > \_need this subnet before enable it" disabled=yes
>>>>>>> list=bogons
>>>>>>> > > > > add address=192.0.2.0/24 comment="Reserved - IANA -
>>>>>>> TestNet1"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > list=bogons
>>>>>>> > > > > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC
>>>>>>> 3068]"
>>>>>>> > > > > disabled=\
>>>>>>> > > > > yes list=bogons
>>>>>>> > > > > add address=198.18.0.0/15 comment="NIDB Testing"
>>>>>>> disabled=yes
>>>>>>> > > > list=bogons
>>>>>>> > > > > add address=198.51.100.0/24 comment="Reserved - IANA -
>>>>>>> TestNet2"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > list=bogons
>>>>>>> > > > > add address=203.0.113.0/24 comment="Reserved - IANA -
>>>>>>> TestNet3"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > list=bogons
>>>>>>> > > > > add address=224.0.0.0/4 comment=\
>>>>>>> > > > > "MC, Class D, IANA # Check if you need this subnet
>>>>>>> before enable
>>>>>>> > > it"
>>>>>>> > > > \
>>>>>>> > > > > disabled=yes list=bogons
>>>>>>> > > > > /ip firewall filter
>>>>>>> > > > > add action=add-src-to-address-list address-list=Syn_Flooder \
>>>>>>> > > > > address-list-timeout=30m chain=input comment=\
>>>>>>> > > > > "Add Syn Flood IP to the list" connection-limit=30,32
>>>>>>> > disabled=yes
>>>>>>> > > \
>>>>>>> > > > > protocol=tcp tcp-flags=syn
>>>>>>> > > > > add action=drop chain=input comment="Drop to syn flood list"
>>>>>>> > > > disabled=yes \
>>>>>>> > > > > src-address-list=Syn_Flooder
>>>>>>> > > > > add action=add-src-to-address-list address-list=Port_Scanner
>>>>>>> \
>>>>>>> > > > > address-list-timeout=1w chain=input comment="Port Scanner
>>>>>>> > Detect" \
>>>>>>> > > > > disabled=yes protocol=tcp psd=21,3s,3,1
>>>>>>> > > > > add action=drop chain=input comment="Drop to port scan list"
>>>>>>> > > > disabled=yes \
>>>>>>> > > > > src-address-list=Port_Scanner
>>>>>>> > > > > add action=jump chain=input comment="Jump for icmp input
>>>>>>> flow"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > jump-target=ICMP protocol=icmp
>>>>>>> > > > > add action=drop chain=input comment="Block all access to the
>>>>>>> winbox -
>>>>>>> > > > > except t\
>>>>>>> > > > > o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR
>>>>>>> SUBNET
>>>>>>> > IN
>>>>>>> > > > THE
>>>>>>> > > > > SUP\
>>>>>>> > > > > PORT ADDRESS LIST" disabled=yes dst-port=8291
>>>>>>> protocol=tcp \
>>>>>>> > > > > src-address-list=!support
>>>>>>> > > > > add action=jump chain=forward comment="Jump for icmp forward
>>>>>>> flow"
>>>>>>> > > > > disabled=\
>>>>>>> > > > > yes jump-target=ICMP protocol=icmp
>>>>>>> > > > > add action=drop chain=forward comment="Drop IP's in bogon
>>>>>>> list"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > dst-address-list=bogons
>>>>>>> > > > > add action=add-src-to-address-list address-list=spammers \
>>>>>>> > > > > address-list-timeout=3h chain=forward comment=\
>>>>>>> > > > > "Add Spammers to the list for 3 hours"
>>>>>>> connection-limit=30,32
>>>>>>> > > > > disabled=\
>>>>>>> > > > > yes dst-port=25,587 limit=30/1m,0 protocol=tcp
>>>>>>> > > > > add action=drop chain=forward comment="Avoid spammers action"
>>>>>>> > > > disabled=yes
>>>>>>> > > > > \
>>>>>>> > > > > dst-port=25,587 protocol=tcp src-address-list=spammers
>>>>>>> > > > > add chain=input comment="Accept DNS - UDP" disabled=yes
>>>>>>> port=53
>>>>>>> > > > > protocol=udp
>>>>>>> > > > > add chain=output disabled=yes dst-port=1723 protocol=tcp
>>>>>>> > > > > add chain=input disabled=yes dst-port=1723 protocol=tcp
>>>>>>> > > > > add chain=input comment="Accept DNS - TCP" disabled=yes
>>>>>>> port=53
>>>>>>> > > > > protocol=tcp
>>>>>>> > > > > add chain=input comment="Accept to established connections"
>>>>>>> > > > > connection-state=\
>>>>>>> > > > > established disabled=yes
>>>>>>> > > > > add chain=input comment="Accept related connections"
>>>>>>> > > > > connection-state=related \
>>>>>>> > > > > disabled=yes
>>>>>>> > > > > add chain=input comment="Allow SUPPORT address list full
>>>>>>> access"
>>>>>>> > > > > disabled=yes \
>>>>>>> > > > > src-address-list=support
>>>>>>> > > > > add chain=ICMP comment="Echo request - Avoiding Ping Flood"
>>>>>>> > > disabled=yes
>>>>>>> > > > \
>>>>>>> > > > > icmp-options=8:0 limit=1,5 protocol=icmp
>>>>>>> > > > > add chain=ICMP comment="Echo reply" disabled=yes
>>>>>>> icmp-options=0:0
>>>>>>> > > > > protocol=\
>>>>>>> > > > > icmp
>>>>>>> > > > > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
>>>>>>> > > > > protocol=icmp
>>>>>>> > > > > add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
>>>>>>> > > > > 3:0-1 protocol=icmp
>>>>>>> > > > > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
>>>>>>> > > > > add action=drop chain=input comment="Drop invalid connections" \
>>>>>>> > > > > connection-state=invalid disabled=yes
>>>>>>> > > > > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
>>>>>>> > > > > protocol=icmp
>>>>>>> > > > > add action=jump chain=output comment="Jump for icmp output" disabled=yes \
>>>>>>> > > > > jump-target=ICMP protocol=icmp
>>>>>>> > > > > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
>>>>>>> > > > > dst-port=21 protocol=tcp src-address-list=ftp_blacklist
>>>>>>> > > > > add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
>>>>>>> > > > > 1/1m,9,dst-address/1m protocol=tcp
>>>>>>> > > > > add action=add-dst-to-address-list address-list=ftp_blacklist \
>>>>>>> > > > > address-list-timeout=3h chain=output content="530 Login incorrect" \
>>>>>>> > > > > disabled=yes protocol=tcp
>>>>>>> > > > > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
>>>>>>> > > > > dst-port=22 protocol=tcp src-address-list=ssh_blacklist
>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_blacklist \
>>>>>>> > > > > address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
>>>>>>> > > > > dst-port=22 protocol=tcp src-address-list=ssh_stage3
>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage3 \
>>>>>>> > > > > address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>> > > > > dst-port=22 protocol=tcp src-address-list=ssh_stage2
>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage2 \
>>>>>>> > > > > address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>> > > > > dst-port=22 protocol=tcp src-address-list=ssh_stage1
>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage1 \
>>>>>>> > > > > address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>> > > > > dst-port=22 protocol=tcp
>>>>>>> > > > > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
>>>>>>> > > > > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
>>>>>>> > > > > /ip firewall nat
>>>>>>> > > > > add action=masquerade chain=srcnat out-interface=ether24-gateway
>>>>>>> > > > > /ip firewall service-port
>>>>>>> > > > > set ftp disabled=yes
>>>>>>> > > > > set tftp disabled=yes
>>>>>>> > > > > set irc disabled=yes
>>>>>>> > > > > set h323 disabled=yes
>>>>>>> > > > > set sip disabled=yes
>>>>>>> > > > > set pptp disabled=yes
>>>>>>> > > > > /ip ipsec policy
>>>>>>> > > > > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
>>>>>>> > > > > /ip service
>>>>>>> > > > > set telnet disabled=yes
>>>>>>> > > > > set ftp disabled=yes
>>>>>>> > > > > set www disabled=yes
>>>>>>> > > > > set ssh disabled=yes
>>>>>>> > > > > set api disabled=yes
>>>>>>> > > > > set api-ssl disabled=yes
>>>>>>> > > > > /system clock
>>>>>>> > > > > set time-zone-autodetect=no time-zone-name=Australia/Sydney
>>>>>>> > > > > /tool romon port
>>>>>>> > > > > add
>>>>>>> > > > >
>>>>>>> > > > >
>>>>>>> > > > > Ben Jackson
>>>>>>> > > > > eLogik
>>>>>>> > > > > m:0404 924745
>>>>>>> > > > > e: ben(a)elogik.net
>>>>>>> > > > > w: www.elogik.com.au
>>>>>>> > > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>>>>> > > > >
>>>>>>> > > > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running
>>>>>>> Tech) <
>>>>>>> > > > > jason(a)upandrunningtech.com.au> wrote:
>>>>>>> > > > >
>>>>>>> > > > >> Hi Ben,
>>>>>>> > > > >>
>>>>>>> > > > >> When the problem occurs again check the Routerboard for CPU
>>>>>>> use and
>>>>>>> > > > check
>>>>>>> > > > >> profiling to see just what is keeping the CPU busy. Don't
>>>>>>> > > overestimate
>>>>>>> > > > the
>>>>>>> > > > >> CPU in the 2011, it's not as quick as you think. The new
>>>>>>> FastPath
>>>>>>> > and
>>>>>>> > > > >> FastTrack features will be something you'll be interested
>>>>>>> in when
>>>>>>> > > > routing
>>>>>>> > > > >> something as fast as a cable modem so read up on them and
>>>>>>> do try the
>>>>>>> > > > latest
>>>>>>> > > > >> firmware images.
>>>>>>> > > > >>
>>>>>>> > > > >> Jason
>>>>>>> > > > >>
>>>>>>> > > > >> On 28 July 2015 at 13:48, Ben Jackson <ben(a)elogik.net>
>>>>>>> wrote:
>>>>>>> > > > >>
>>>>>>> > > > >>> Hi Jason,
>>>>>>> > > > >>>
>>>>>>> > > > >>> Yes - when I am using the RB2011's the gateway (WAN) port
>>>>>>> is not in
>>>>>>> > > any
>>>>>>> > > > >>> bridge or switch config and is routing only.
>>>>>>> > > > >>>
>>>>>>> > > > >>> When I first started installing Mikrotiks I used to bridge
>>>>>>> all the
>>>>>>> > > > other
>>>>>>> > > > >>> ports, which I know uses the main CPU and not the switch
>>>>>>> chip, but
>>>>>>> > my
>>>>>>> > > > >>> thinking was that the main CPU is more powerful and the
>>>>>>> router
>>>>>>> > isn't
>>>>>>> > > > >>> exactly doing anything complex such as queues or heaps of
>>>>>>> firewall
>>>>>>> > > > rules.
>>>>>>> > > > >>>
>>>>>>> > > > >>> However since then I have started using the master - slave
>>>>>>> switch
>>>>>>> > > chip
>>>>>>> > > > >>> function, especially on the 24 port CRS. On the RB2011's I
>>>>>>> slave
>>>>>>> > all
>>>>>>> > > > the
>>>>>>> > > > >>> gigabit ports to ether2 and, slave all the 10/100 ports to
>>>>>>> ether6,
>>>>>>> > > then
>>>>>>> > > > >>> bridge the two, with ether1 as the WAN port. On the CRS I
>>>>>>> slave all
>>>>>>> > > the
>>>>>>> > > > >>> ports apart from ether24 to ether1. I then use ether24 as
>>>>>>> the WAN
>>>>>>> > > port.
>>>>>>> > > > >>>
>>>>>>> > > > >>> Ben Jackson
>>>>>>> > > > >>> eLogik
>>>>>>> > > > >>> m:0404 924745
>>>>>>> > > > >>> e: ben(a)elogik.net
>>>>>>> > > > >>> w: www.elogik.com.au
>>>>>>> > > > >>> [image: http://www.elogik.com.au] <
>>>>>>> http://www.elogik.com.au>
>>>>>>> > > > >>>
>>>>>>> > > > >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up &
>>>>>>> Running Tech) <
>>>>>>> > > > >>> jason(a)upandrunningtech.com.au> wrote:
>>>>>>> > > > >>>
>>>>>>> > > > >>>> Hi
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> OK, the current changelog on Mikrotik only goes back to
>>>>>>> 6.27 and
>>>>>>> > the
>>>>>>> > > > >>>> current is at 6.30 so I can't even see if some related
>>>>>>> bug has
>>>>>>> > been
>>>>>>> > > > >>>> fixed
>>>>>>> > > > >>>> since 6.20. I'd suggest updating the software, reboot,
>>>>>>> update the
>>>>>>> > > > >>>> firmware, reboot and see if that helps.
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> If in doubt beyond that, save export your config, factory
>>>>>>> reset
>>>>>>> > and
>>>>>>> > > > >>>> reimport the config.
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> What ports do you use on the 2011? Are the ports on 1Gb
>>>>>>> side
>>>>>>> > slaved
>>>>>>> > > > to
>>>>>>> > > > >>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1
>>>>>>> and Eth6
>>>>>>> > > > >>>> bridged?
>>>>>>> > > > >>>> Which port is connected to the modem? It should be on
>>>>>>> > > > >>>> its own,
>>>>>>> > not
>>>>>>> > > > >>>> slaved
>>>>>>> > > > >>>> or bridged.
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> Since 6.20 there have been some packet engine speedups
>>>>>>> that
>>>>>>> > operate
>>>>>>> > > at
>>>>>>> > > > >>>> the
>>>>>>> > > > >>>> bridge level and some interfaces (not PPPoE
>>>>>>> unfortunately). You
>>>>>>> > > will
>>>>>>> > > > >>>> definitely benefit using the new speedup options with NAT
>>>>>>> on a
>>>>>>> > DHCP
>>>>>>> > > > >>>> based
>>>>>>> > > > >>>> modem.
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> Jason
>>>>>>> > > > >>>>
>>>>>>> > > > >>>>
>>>>>>> > > > >>>>
>>>>>>> > > > >>>>
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> On 28 July 2015 at 13:25, Ben Jackson <ben(a)elogik.net>
>>>>>>> wrote:
>>>>>>> > > > >>>>
>>>>>>> > > > >>>> > Hi Jason,
>>>>>>> > > > >>>> >
>>>>>>> > > > >>>> > I have customers at on few different ROS versions,
>>>>>>> normally
>>>>>>> > > nothing
>>>>>>> > > > >>>> earlier
>>>>>>> > > > >>>> > than 6.18 - and I always make sure the firmware is at a
>>>>>>> matching
>>>>>>> > > > >>>> level. I
>>>>>>> > > > >>>> > think the majority right now are at 6.20.
>>>>>>> > > > >>>> >
>>>>>>> > > > >>>> > Thanks
>>>>>>> > > > >>>> >
>>>>>>> > > > >>>> > Ben Jackson
>>>>>>> > > > >>>> > eLogik
>>>>>>> > > > >>>> > m:0404 924745
>>>>>>> > > > >>>> > e: ben(a)elogik.net
>>>>>>> > > > >>>> > w: www.elogik.com.au
>>>>>>> > > > >>>> > [image: http://www.elogik.com.au] <
>>>>>>> http://www.elogik.com.au>
>>>>>>> > > > >>>> >
>>>>>>> > > > >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up &
>>>>>>> Running
>>>>>>> > Tech)
>>>>>>> > > <
>>>>>>> > > > >>>> > jason(a)upandrunningtech.com.au> wrote:
>>>>>>> > > > >>>> >
>>>>>>> > > > >>>> >> What version of RouterOS are you using and what level
>>>>>>> is the
>>>>>>> > > > >>>> firmware at?
>>>>>>> > > > >>>> >>
>>>>>>> > > > >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben(a)elogik.net>
>>>>>>> wrote:
>>>>>>> > > > >>>> >>
>>>>>>> > > > >>>> >> > Hi RJ,
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > Yep - that's exactly what I do.
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > I know it's not congestion because when I reboot the
>>>>>>> mikrotik
>>>>>>> > > or
>>>>>>> > > > >>>> simply
>>>>>>> > > > >>>> >> > renew the dhcp client address on the gateway port
>>>>>>> the whole
>>>>>>> > > > system
>>>>>>> > > > >>>> >> springs
>>>>>>> > > > >>>> >> > back to life.
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > Thanks,
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > Ben Jackson
>>>>>>> > > > >>>> >> > eLogik
>>>>>>> > > > >>>> >> > m:0404 924745
>>>>>>> > > > >>>> >> > e: ben(a)elogik.net
>>>>>>> > > > >>>> >> > w: www.elogik.com.au
>>>>>>> > > > >>>> >> > [image: http://www.elogik.com.au] <
>>>>>>> http://www.elogik.com.au>
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <
>>>>>>> > > > >>>> RJ.Plummer(a)4logic.com.au>
>>>>>>> > > > >>>> >> > wrote:
>>>>>>> > > > >>>> >> >
>>>>>>> > > > >>>> >> > > Hi Ben,
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > We have a few staff with bigpond cable and
>>>>>>> mikrotiks who
>>>>>>> > > don't
>>>>>>> > > > >>>> exhibit
>>>>>>> > > > >>>> >> > > this behaviour.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Their setups are very straight forward:
>>>>>>> > > > >>>> >> > > -Bridge the cable modem (same cable modem model as
>>>>>>> you
>>>>>>> > > > describe)
>>>>>>> > > > >>>> >> > > -DHCP client on the appropriate physical mkt
>>>>>>> interface
>>>>>>> > > > >>>> >> > > -masq that interface
>>>>>>> > > > >>>> >> > > -firewall filter as usual
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Do you have anything different in your
>>>>>>> configurations?
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Cheers,
>>>>>>> > > > >>>> >> > > RJ
>>>>>>> > > > >>>> >> > > -----Original Message-----
>>>>>>> > > > >>>> >> > > From: Public [mailto:
>>>>>>> public-bounces(a)talk.mikrotik.com.au]
>>>>>>> > On
>>>>>>> > > > >>>> Behalf
>>>>>>> > > > >>>> >> Of
>>>>>>> > > > >>>> >> > > Paul Julian
>>>>>>> > > > >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>>>>> > > > >>>> >> > > To: 'MikroTik Australia Public List' <
>>>>>>> > > > >>>> public(a)talk.mikrotik.com.au>
>>>>>>> > > > >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC
>>>>>>> address, or
>>>>>>> > at
>>>>>>> > > > >>>> least
>>>>>>> > > > >>>> >> the
>>>>>>> > > > >>>> >> > > one they present, this usually happens if a config
>>>>>>> has been
>>>>>>> > > > >>>> uploaded
>>>>>>> > > > >>>> >> to
>>>>>>> > > > >>>> >> > > them without MAC addresses removed.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > There is an option in the interface settings
>>>>>>> called "Reset
>>>>>>> > > MAC
>>>>>>> > > > >>>> >> Address",
>>>>>>> > > > >>>> >> > > try clicking this on the interface you have
>>>>>>> plugged into
>>>>>>> > the
>>>>>>> > > > >>>> NTU, it
>>>>>>> > > > >>>> >> will
>>>>>>> > > > >>>> >> > > reset the MAC address back to or force it to be the
>>>>>>> > actual
>>>>>>> > > > >>>> physical
>>>>>>> > > > >>>> >> MAC
>>>>>>> > > > >>>> >> > > just in case anything has changed.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > We use bridge mode in modems and NTU's with
>>>>>>> Mikrotiks in
>>>>>>> > > > >>>> hundreds of
>>>>>>> > > > >>>> >> > > locations for ADSL and Ethernet services and never
>>>>>>> have one
>>>>>>> > > > >>>> issue.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Regards
>>>>>>> > > > >>>> >> > > Paul
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > -----Original Message-----
>>>>>>> > > > >>>> >> > > From: Public [mailto:
>>>>>>> public-bounces(a)talk.mikrotik.com.au]
>>>>>>> > On
>>>>>>> > > > >>>> Behalf
>>>>>>> > > > >>>> >> Of
>>>>>>> > > > >>>> >> > > Ben Jackson
>>>>>>> > > > >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>>>>> > > > >>>> >> > > To: MikroTik Australia Public List
>>>>>>> > > > >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Thanks for the reply Paul. Yes I agree with you
>>>>>>> 100%, there
>>>>>>> > > > >>>> should be
>>>>>>> > > > >>>> >> > > almost nothing to go wrong in this type of set-up.
>>>>>>> The NTU
>>>>>>> > is
>>>>>>> > > > >>>> >> definitely
>>>>>>> > > > >>>> >> > in
>>>>>>> > > > >>>> >> > > bridge mode - as evidenced by the radio button
>>>>>>> saying
>>>>>>> > "Bridge
>>>>>>> > > > >>>> Mode" on
>>>>>>> > > > >>>> >> > the
>>>>>>> > > > >>>> >> > > web GUI ;) and I have a DHCP client running on
>>>>>>> ether24 of
>>>>>>> > the
>>>>>>> > > > >>>> CRS (or
>>>>>>> > > > >>>> >> > > sometimes ether 1) which immediately binds the
>>>>>>> public IP
>>>>>>> > > > address
>>>>>>> > > > >>>> to
>>>>>>> > > > >>>> >> > itself.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > I understand about the MAC based DHCP which the
>>>>>>> ISP's use,
>>>>>>> > I
>>>>>>> > > > >>>> have had
>>>>>>> > > > >>>> >> > > issues in the past (no longer seems to be an
>>>>>>> issue) where I
>>>>>>> > > > have
>>>>>>> > > > >>>> had
>>>>>>> > > > >>>> >> to
>>>>>>> > > > >>>> >> > > spoof the MAC address of the NTU to get a DHCP
>>>>>>> address. I
>>>>>>> > > have
>>>>>>> > > > >>>> also
>>>>>>> > > > >>>> >> > noticed
>>>>>>> > > > >>>> >> > > if my MBP is the first device to connect to the
>>>>>>> NTU while
>>>>>>> > in
>>>>>>> > > > >>>> bridge
>>>>>>> > > > >>>> >> mode,
>>>>>>> > > > >>>> >> > > sometimes I need to power cycle the device to
>>>>>>> "deregister"
>>>>>>> > > the
>>>>>>> > > > >>>> MAC
>>>>>>> > > > >>>> >> > address
>>>>>>> > > > >>>> >> > > of the MBP. I am able to get a binding on the
>>>>>>> MikroTik
>>>>>>> > after
>>>>>>> > > > this
>>>>>>> > > > >>>> >> process
>>>>>>> > > > >>>> >> > > is complete.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > But, in this instance this is not the problem
>>>>>>> unless
>>>>>>> > somehow
>>>>>>> > > > the
>>>>>>> > > > >>>> MAC
>>>>>>> > > > >>>> >> > > address of the MikroTik ether port is changing -
>>>>>>> is this
>>>>>>> > > > >>>> possible? I
>>>>>>> > > > >>>> >> must
>>>>>>> > > > >>>> >> > > admit, my progress on this is somewhat hampered by
>>>>>>> not
>>>>>>> > having
>>>>>>> > > a
>>>>>>> > > > >>>> cable
>>>>>>> > > > >>>> >> > setup
>>>>>>> > > > >>>> >> > > to test on at home - I run ADSL.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > I'm pretty sure that nothing else on the network
>>>>>>> would be
>>>>>>> > > able
>>>>>>> > > > >>>> to bind
>>>>>>> > > > >>>> >> > > its MAC address to the public IP before the
>>>>>>> MikroTik has
>>>>>>> > had
>>>>>>> > > a
>>>>>>> > > > >>>> chance
>>>>>>> > > > >>>> >> > to -
>>>>>>> > > > >>>> >> > > although I must admit I hadn't thought of that so
>>>>>>> I'll check
>>>>>>> > > it
>>>>>>> > > > >>>> out in
>>>>>>> > > > >>>> >> > more
>>>>>>> > > > >>>> >> > > detail.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > I am also inclined to agree with you that this is
>>>>>>> not
>>>>>>> > solely
>>>>>>> > > a
>>>>>>> > > > >>>> >> Mikrotik
>>>>>>> > > > >>>> >> > > issue. It seems to me that it is the magic (or not
>>>>>>> so
>>>>>>> > magic)
>>>>>>> > > > >>>> >> combination
>>>>>>> > > > >>>> >> > of
>>>>>>> > > > >>>> >> > > the ISP's hardware and the MikroTik that seems to
>>>>>>> cause the
>>>>>>> > > > >>>> problem. I
>>>>>>> > > > >>>> >> > have
>>>>>>> > > > >>>> >> > > tried other brands of router which do not seem to
>>>>>>> exhibit
>>>>>>> > the
>>>>>>> > > > >>>> issue,
>>>>>>> > > > >>>> >> > > however these devices do not have the great
>>>>>>> feature set of
>>>>>>> > > the
>>>>>>> > > > >>>> >> MikroTik
>>>>>>> > > > >>>> >> > and
>>>>>>> > > > >>>> >> > > are often not rack-mountable. Trotting out the
>>>>>>> "It's not a
>>>>>>> > > > >>>> Mikrotik
>>>>>>> > > > >>>> >> > issue"
>>>>>>> > > > >>>> >> > > line is starting to wear very thin with both my
>>>>>>> customers
>>>>>>> > and
>>>>>>> > > > >>>> >> colleagues.
>>>>>>> > > > >>>> >> > > Although my gut feeling is that it isn't - I need
>>>>>>> proof
>>>>>>> > and I
>>>>>>> > > > >>>> don't
>>>>>>> > > > >>>> >> know
>>>>>>> > > > >>>> >> > > where to start. This is happening far too often
>>>>>>> for it to
>>>>>>> > be
>>>>>>> > > a
>>>>>>> > > > >>>> >> > coincidence
>>>>>>> > > > >>>> >> > > or a faulty device.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > I have, unfortunately also seen very strange
>>>>>>> behaviour over
>>>>>>> > > > ADSL
>>>>>>> > > > >>>> /
>>>>>>> > > > >>>> >> pppoe
>>>>>>> > > > >>>> >> > > connections in bridge mode too, I sent an email
>>>>>>> about this
>>>>>>> > > some
>>>>>>> > > > >>>> time
>>>>>>> > > > >>>> >> ago
>>>>>>> > > > >>>> >> > > and it still plagues me from time to time.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > The type of installations I am doing are not your
>>>>>>> typical
>>>>>>> > > home
>>>>>>> > > > >>>> setups
>>>>>>> > > > >>>> >> and
>>>>>>> > > > >>>> >> > > customers are paying a lot of money for a
>>>>>>> supposedly
>>>>>>> > > > >>>> >> "commercial-grade"
>>>>>>> > > > >>>> >> > > solution which is only adding to my stresses.
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Do any of you guys out there use a MikroTik as
>>>>>>> your home
>>>>>>> > > router
>>>>>>> > > > >>>> - how
>>>>>>> > > > >>>> >> do
>>>>>>> > > > >>>> >> > > you set it up? Have you seen issues like this?
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > One thing I have noticed is that the issue seems
>>>>>>> to be much
>>>>>>> > > > more
>>>>>>> > > > >>>> >> > prevalent
>>>>>>> > > > >>>> >> > > with the newer DOCSIS 3.0 netgear / telstra /
>>>>>>> optus modems.
>>>>>>> > > No
>>>>>>> > > > >>>> idea
>>>>>>> > > > >>>> >> why.
>>>>>>> > > > >>>> >> > > Any cable experts out there?
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Thanks again,
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > Ben Jackson
>>>>>>> > > > >>>> >> > > eLogik
>>>>>>> > > > >>>> >> > > m:0404 924745
>>>>>>> > > > >>>> >> > > e: ben(a)elogik.net
>>>>>>> > > > >>>> >> > > w: www.elogik.com.au
>>>>>>> > > > >>>> >> > > [image: http://www.elogik.com.au] <
>>>>>>> > http://www.elogik.com.au>
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <
>>>>>>> > > > >>>> >> > paul(a)oxygennetworks.com.au>
>>>>>>> > > > >>>> >> > > wrote:
>>>>>>> > > > >>>> >> > >
>>>>>>> > > > >>>> >> > > > Hey Ben, the only thing I can think of is that
>>>>>>> Telstra
>>>>>>> > and
>>>>>>> > > > >>>> Optus
>>>>>>> > > > >>>> >> Cable
>>>>>>> > > > >>>> >> > > > networks use MAC based DHCP, they bind the IP to
>>>>>>> the MAC
>>>>>>> > of
>>>>>>> > > > >>>> the NTU
>>>>>>> > > > >>>> >> or
>>>>>>> > > > >>>> >> > > > in the case of bridge mode the first client that
>>>>>>> makes a
>>>>>>> > > > >>>> request,
>>>>>>> > > > >>>> >> and
>>>>>>> > > > >>>> >> > > > often you have trouble with these things because
>>>>>>> of
>>>>>>> > this, I
>>>>>>> > > > >>>> don't
>>>>>>> > > > >>>> >> > > > really think it's a Mikrotik thing.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > However, as long as the Mikrotik is maintaining
>>>>>>> the same
>>>>>>> > > MAC
>>>>>>> > > > >>>> on the
>>>>>>> > > > >>>> >> > > > interface plugged into the NTU and the NTU is
>>>>>>> truly in
>>>>>>> > > bridge
>>>>>>> > > > >>>> mode
>>>>>>> > > > >>>> >> and
>>>>>>> > > > >>>> >> > > > the Mikrotik is the only thing plugged into the
>>>>>>> NTU I
>>>>>>> > > can't
>>>>>>> > > > >>>> see why
>>>>>>> > > > >>>> >> > > > it would be having issues.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Is there any chance that another device might
>>>>>>> somehow be
>>>>>>> > > > >>>> getting a
>>>>>>> > > > >>>> >> > > > DHCP request through to the NTU somehow the way
>>>>>>> you have
>>>>>>> > it
>>>>>>> > > > all
>>>>>>> > > > >>>> >> plugged
>>>>>>> > > > >>>> >> > > in ?
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Regards
>>>>>>> > > > >>>> >> > > > Paul
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > -----Original Message-----
>>>>>>> > > > >>>> >> > > > From: Public [mailto:
>>>>>>> public-bounces(a)talk.mikrotik.com.au
>>>>>>> > ]
>>>>>>> > > On
>>>>>>> > > > >>>> >> Behalf Of
>>>>>>> > > > >>>> >> > > > Ben Jackson
>>>>>>> > > > >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>>>>> > > > >>>> >> > > > To: MikroTik Australia Public List
>>>>>>> > > > >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Hi All,
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > I'm hoping someone can help me as I'm at my
>>>>>>> wit's end
>>>>>>> > with
>>>>>>> > > > >>>> this one.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and
>>>>>>> more
>>>>>>> > > recently,
>>>>>>> > > > >>>> the
>>>>>>> > > > >>>> >> > > > CRS125-24G) in large residential AV situations
>>>>>>> where
>>>>>>> > > > >>>> invariably, the
>>>>>>> > > > >>>> >> > > > Mikrotik is in dhcp client mode, in a cable
>>>>>>> internet
>>>>>>> > > scenario
>>>>>>> > > > >>>> where
>>>>>>> > > > >>>> >> > > > Telstra's / Optus's modem has been placed into
>>>>>>> "bridge"
>>>>>>> > > mode
>>>>>>> > > > >>>> (NAT
>>>>>>> > > > >>>> >> > > > switched
>>>>>>> > > > >>>> >> > > > off) and the carrier-supplied WAN IP address
>>>>>>> gets bound
>>>>>>> > to
>>>>>>> > > > the
>>>>>>> > > > >>>> >> gateway
>>>>>>> > > > >>>> >> > > > interface of the Mikrotik.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > The Mikrotik, in turn is connected to, on
>>>>>>> average, about
>>>>>>> > 3
>>>>>>> > > > >>>> UniFi
>>>>>>> > > > >>>> >> > > > access points, and at least 3-4 zones of Sonos.
>>>>>>> On
>>>>>>> > initial
>>>>>>> > > > set
>>>>>>> > > > >>>> up,
>>>>>>> > > > >>>> >> > > > everything seems to work great, with the full
>>>>>>> bandwidth
>>>>>>> > of
>>>>>>> > > > the
>>>>>>> > > > >>>> cable
>>>>>>> > > > >>>> >> > > > modem getting passed on to the rest of the
>>>>>>> network, even
>>>>>>> > > when
>>>>>>> > > > >>>> 802.11
>>>>>>> > > > >>>> >> > > > clients are connected (a testament to the
>>>>>>> UniFi's in my
>>>>>>> > > > opinion
>>>>>>> > > > >>>> - I
>>>>>>> > > > >>>> >> > > > only use dual band Pro AP's).
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > However, after a week or so the internet
>>>>>>> connection seems
>>>>>>> > > to
>>>>>>> > > > >>>> get
>>>>>>> > > > >>>> >> > > > either very slow, or stop working altogether. If
>>>>>>> I look
>>>>>>> > in
>>>>>>> > > > the
>>>>>>> > > > >>>> logs
>>>>>>> > > > >>>> >> > > > (with dhcp logging switched on) I can see
>>>>>>> regular NAK's
>>>>>>> > > > getting
>>>>>>> > > > >>>> >> passed
>>>>>>> > > > >>>> >> > > > from the dhcp server on the cable modem. The
>>>>>>> problem is I
>>>>>>> > > > don't
>>>>>>> > > > >>>> >> really
>>>>>>> > > > >>>> >> > > > understand how DHCP works on cable modems. I'm
>>>>>>> assuming
>>>>>>> > > every
>>>>>>> > > > >>>> so
>>>>>>> > > > >>>> >> often
>>>>>>> > > > >>>> >> > > > the cable modem gets a new IP address from the
>>>>>>> carrier
>>>>>>> > > > >>>> (normally
>>>>>>> > > > >>>> >> after
>>>>>>> > > > >>>> >> > > > a reset) and at this point the modem is not
>>>>>>> passing this
>>>>>>> > > new
>>>>>>> > > > >>>> address
>>>>>>> > > > >>>> >> > > > onto the Mikrotik which is effectively cut off
>>>>>>> from the
>>>>>>> > > > >>>> internet.
>>>>>>> > > > >>>> >> > > > Since we are stuck with using Bigpond and Optus
>>>>>>> modems
>>>>>>> > > these
>>>>>>> > > > >>>> are the
>>>>>>> > > > >>>> >> > > > only solutions I have discovered which seem to
>>>>>>> stop the
>>>>>>> > > issue
>>>>>>> > > > >>>> from
>>>>>>> > > > >>>> >> > > occurring (at least as regularly).
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > 1) Leave the cable modem in "router" mode and
>>>>>>> switch off
>>>>>>> > > all
>>>>>>> > > > >>>> >> > > > extraneous services such as Wi-Fi, and also put
>>>>>>> one IP
>>>>>>> > > > address
>>>>>>> > > > >>>> in
>>>>>>> > > > >>>> >> the
>>>>>>> > > > >>>> >> > > > dhcp pool so that the Mikrotik always gets the
>>>>>>> same
>>>>>>> > private
>>>>>>> > > > IP
>>>>>>> > > > >>>> >> > > > address. However, this creates a double nat
>>>>>>> situation
>>>>>>> > which
>>>>>>> > > > >>>> means I
>>>>>>> > > > >>>> >> > > > can no longer perform reliable port forwarding
>>>>>>> for things
>>>>>>> > > > such
>>>>>>> > > > >>>> as
>>>>>>> > > > >>>> >> > > > DVR's and CBus controllers (which I find the
>>>>>>> Mikrotik's
>>>>>>> > > great
>>>>>>> > > > >>>> for).
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > 2) Allow the cable modem to perform all dhcp,
>>>>>>> routing,
>>>>>>> > port
>>>>>>> > > > >>>> >> forwarding
>>>>>>> > > > >>>> >> > > > (which is a joke on these devices) and firewall
>>>>>>> tasks for
>>>>>>> > > the
>>>>>>> > > > >>>> entire
>>>>>>> > > > >>>> >> > > > LAN and turn the CRS into an unmanaged L2
>>>>>>> switch. The
>>>>>>> > main
>>>>>>> > > > >>>> problem
>>>>>>> > > > >>>> >> > > > here is that these Bigpond devices simply do not
>>>>>>> have the
>>>>>>> > > > >>>> grunt to
>>>>>>> > > > >>>> >> > > > deal with large networks with lots of AV
>>>>>>> streaming and
>>>>>>> > > > control
>>>>>>> > > > >>>> >> > happening.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Since both of the above have severe drawbacks in
>>>>>>> terms of
>>>>>>> > > > >>>> >> > > > functionality, I wonder if anyone has had similar
>>>>>>> > > experiences
>>>>>>> > > > >>>> as I
>>>>>>> > > > >>>> >> am
>>>>>>> > > > >>>> >> > > > just about ready to dump the MikroTik's and
>>>>>>> start looking
>>>>>>> > > at
>>>>>>> > > > >>>> other
>>>>>>> > > > >>>> >> > > > options in the hope that they play better with
>>>>>>> the
>>>>>>> > Bigpond
>>>>>>> > > > >>>> gear.
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Thanks in advance,
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > > Ben Jackson
>>>>>>> > > > >>>> >> > > > eLogik
>>>>>>> > > > >>>> >> > > > m:0404 924745
>>>>>>> > > > >>>> >> > > > e: ben(a)elogik.net
>>>>>>> > > > >>>> >> > > > w: www.elogik.com.au
>>>>>>> > > > >>>> >> > > > [image: http://www.elogik.com.au] <
>>>>>>> > > http://www.elogik.com.au>
>>>>>>> > > > >>>> >> > > > _______________________________________________
>>>>>>> > > > >>>> >> > > > Public mailing list
>>>>>>> > > > >>>> >> > > > Public(a)talk.mikrotik.com.au
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >>
>>>>>>> > > > >>>>
>>>>>>> > >
>>>>>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
>>>>>>> > > > .
>>>>>>> > > > >>>> >> > > > au
>>>>>>> > > > >>>> >> > > >
>>>>>>> > > > >>>> >> > > >
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ben Jackson
>>>>>> eLogik
>>>>>> m:0404 924745
>>>>>> e: ben(a)elogik.net
>>>>>> w: www.elogik.com.au
>>>>>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>
>
> --
>
>
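The export quoted in the message above contains a staged SSH rule set (`ssh_stage1` to `ssh_stage3`, then `ssh_blacklist`), all of it `disabled=yes`. The following added example, which is not part of any post in the thread, models those rules as if they were enabled to show why they are listed from stage 3 down to stage 1. The source address is a constructed documentation-range value, and refreshing a list entry's timeout when it is re-added is a modelling assumption.

```python
"""Model of the staged SSH address-list rules quoted in the thread.

Each rule is "add the source to <target> if it is already in <required>".
The add-src-to-address-list action does not stop rule processing, so a
single new connection is checked against every rule in order.
"""

STAGE_TIMEOUT = 60               # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=1w3d

# (required source list or None, list the source is added to, timeout in s)
# Same order as the quoted export: highest stage first.
PAGE_ORDER = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]
# Hypothetical mis-ordering (not on the page), used for comparison only.
REVERSED_ORDER = list(reversed(PAGE_ORDER))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # list name -> {source address: expiry time}

    def _member(self, name, src, now):
        expiry = self.lists.get(name, {}).get(src)
        return expiry is not None and expiry > now

    def new_ssh_connection(self, src, now):
        """Process one connection-state=new packet to tcp/22."""
        # The drop rule for ssh_blacklist sits above the staging rules.
        if self._member("ssh_blacklist", src, now):
            return "drop"
        for required, target, timeout in self.rules:
            if required is None or self._member(required, src, now):
                # Assumption: re-adding an entry restarts its timeout.
                self.lists.setdefault(target, {})[src] = now + timeout
        return "pass"

    def stage_of(self, src, now):
        """Highest list the source is currently a member of, or None."""
        for name in ("ssh_blacklist", "ssh_stage3", "ssh_stage2", "ssh_stage1"):
            if self._member(name, src, now):
                return name
        return None


def replay(rules, src, times):
    """Return (time, verdict, highest list) for each new connection."""
    fw = Firewall(rules)
    return [(t, fw.new_ssh_connection(src, t), fw.stage_of(src, t)) for t in times]


if __name__ == "__main__":
    src = "192.0.2.10"  # constructed sample address
    for label, rules, times in (
        ("page order, 10 s apart", PAGE_ORDER, [0, 10, 20, 30, 40]),
        ("page order, 70 s apart", PAGE_ORDER, [0, 70, 140, 210, 280]),
        ("reversed order", REVERSED_ORDER, [0, 1]),
    ):
        print(label)
        for t, verdict, stage in replay(rules, src, times):
            print(f"  t={t:>3}s  {verdict:<4}  {stage}")
```

In the page's order a source advances one list per new connection, so the fourth connection inside the one-minute windows puts it on `ssh_blacklist` and the fifth is dropped; with the order reversed, a single connection cascades through every stage and is blacklisted immediately.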
---------- Forwarded message ----------
From: "Ben Jackson" <ben(a)elogik.net>
Date: 14 Aug 2015 7:34 am
Subject: Re: Cable Modem DHCP Issues
To: "Jason Hecker" <jason(a)upandrunningtech.com.au>
Cc:
One other thing I have noticed is that customers with this problem are also
experiencing extremely high upload usage on their broadband plan.
On 14 Aug 2015 7:31 am, "Ben Jackson" <ben(a)elogik.net> wrote:
> DHCP lease is in the order of days..can't remember exactly how long. It
> normally takes at least a week or two before things start to slow down.
> On 14 Aug 2015 7:28 am, "Jason Hecker (Up & Running Tech)" <
> jason(a)upandrunningtech.com.au> wrote:
>
>> How long is the DHCP lease?
>> How long does it take before things go awry?
>>
>>
>> On 14 August 2015 at 07:11, Ben Jackson <ben(a)elogik.net> wrote:
>>
>>> I did have one case where I reinstated the cable modem as the main
>>> router and made the mikrotik CRS into an unmanaged switch. There have been
>>> no reported problems since then.
>>>
>>> I really feel this is somehow to do with the DHCP client/server
>>> interaction between the two devices. I have even tried running the modem
>>> non-bridged so that there is a dual NAT situation which gives me a very
>>> similar result.
>>> Maybe the Cable modems are expecting a certain field to be present in
>>> the DHCP challenge/response packet and the mikrotik is not providing this
>>> information ? Something like that anyway?
>>> On 14 Aug 2015 7:01 am, "Ben Jackson" <ben(a)elogik.net> wrote:
>>>
>>>> All the DSL modems are running in full bridged mode already with the
>>>> Mikrotik doing the authentication.
>>>> The cable modems are also set up in "bridged" mode which essentially
>>>> means that NAT is switched off.
>>>> Either way, the Mikrotik ends up with a public IP on its WAN-facing
>>>> port.
>>>> On 13 Aug 2015 9:51 pm, "Jason Hecker (Up & Running Tech)" <
>>>> jason(a)upandrunningtech.com.au> wrote:
>>>>
>>>>> Can you run the modems in a PPPoE bridged mode?
>>>>>
>>>>>
>>>>> On 13 August 2015 at 17:49, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>
>>>>>> OK all the problems are back. I'm still getting customers whose
>>>>>> networks are grinding to a halt after making the changes I detailed above.
>>>>>> As always after changing the config, everything seems to run great for a
>>>>>> few weeks and then everything falls over in a heap again. If I run direct
>>>>>> through the modem (any DOCSIS version) the speeds return to normal
>>>>>> immediately.
>>>>>>
>>>>>> I did find this post on the forum
>>>>>> http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to
>>>>>> try in a controlled environment.
>>>>>>
>>>>>> Someone somewhere HAS to be experiencing this same issue - it's
>>>>>> happening with too many customers to be a coincidence.
>>>>>>
>>>>>> You guys have checked my config and no-one has flagged anything as
>>>>>> being immediately wrong so I'm really at a loss. The only other common
>>>>>> factor here seems to be SONOS and I am talking to playback about any issues
>>>>>> they may have seen with MikroTik (which they unofficially recommend).
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>> Ben Jackson
>>>>>> eLogik
>>>>>> m:0404 924745
>>>>>> e: ben(a)elogik.net
>>>>>> w: www.elogik.com.au
>>>>>>
>>>>>> On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>
>>>>>>> Hi Jason,
>>>>>>>
>>>>>>> I think so. I was waiting for a week or so to make absolutely
>>>>>>> certain. It seems there were a few issues at play here.
>>>>>>>
>>>>>>> Essentially I think many of my customers were subject to a DNS
>>>>>>> escalation attack (as pointed out by Mike Everest) so I specifically
>>>>>>> blocked udp and tcp port 53. This was because I had "Allow remote requests"
>>>>>>> enabled in the DNS config. This was intentional as I wanted to use my
>>>>>>> router as a DNS relay for my internal LAN but I was unaware of the fact
>>>>>>> that these ports were open to the WAN also.
>>>>>>>
>>>>>>> Also I trimmed down my firewall rules to the ones you suggested and
>>>>>>> then started to build them up again based on what I wanted to allow through
>>>>>>> and by looking at drops in the log.
>>>>>>>
>>>>>>> I also enabled the helpers you suggested in firewall/service ports,
>>>>>>> and I also updated all my customers to the latest version.
>>>>>>>
>>>>>>> Although this helped, I still think there are a lot of bugs with the
>>>>>>> newest DOCSIS 3.0 modems, especially when running in bridge mode. I am
>>>>>>> seeing random disconnects etc in the logs.
>>>>>>>
>>>>>>> These actions also improved my customers who run PPPoE over ADSL.
>>>>>>>
>>>>>>> It's been a very busy week!
>>>>>>>
>>>>>>> Thank you to everyone for your input. I hope this helps someone else
>>>>>>> who may be experiencing these problems.
>>>>>>>
>>>>>>> Ben
>>>>>>>
>>>>>>>
>>>>>>> On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) <
>>>>>>> jason(a)upandrunningtech.com.au> wrote:
>>>>>>>
>>>>>>>> Ben,
>>>>>>>>
>>>>>>>> What happened in the end? Did you get to the bottom of the DOCSIS modem
>>>>>>>> slowdowns?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 29 July 2015 at 20:36, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>>
>>>>>>>> > Thanks Mike - that's basically what I was attempting. I'll try it again.
>>>>>>>> > I've been a bit stressed recently and am finding even simple tasks a bit
>>>>>>>> > hard :)
>>>>>>>> >
>>>>>>>> > Ben Jackson
>>>>>>>> > eLogik
>>>>>>>> > m:0404 924745
>>>>>>>> > e: ben(a)elogik.net
>>>>>>>> > w: www.elogik.com.au
>>>>>>>> >
>>>>>>>> > On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike(a)duxtel.com> wrote:
>>>>>>>> >
>>>>>>>> > > Hi Ben,
>>>>>>>> > >
>>>>>>>> > > Config of CRS as a simple le switch is easy - just set 'master port' on all
>>>>>>>> > > interfaces to the same value (except for master port itself ;)
>>>>>>>> > >
>>>>>>>> > > For example, set master-port=ether01 for all interfaces (including sfp)
>>>>>>>> > > except for ether1 itself (leave it as master-port=none)
>>>>>>>> > >
>>>>>>>> > > Then just add ip address firewall filters etc on the master port.
>>>>>>>> > >
>>>>>>>> > > Only wlan can't be switched - in that case, you need to make a bridge then
>>>>>>>> > > add wlan and the master-port as bridge ports.
>>>>>>>> > >
>>>>>>>> > > Hope it makes sense! :-)
>>>>>>>> > >
>>>>>>>> > > Cheers, Mike
>>>>>>>> > >
>>>>>>>> > > -----Original Message-----
>>>>>>>> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>>>>> > > Sent: Wednesday, 29 July 2015 7:27 PM
>>>>>>>> > > To: Jason Hecker <jason(a)upandrunningtech.com.au>; MikroTik Australia Public List <public(a)talk.mikrotik.com.au>
>>>>>>>> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>> > >
>>>>>>>> > > Thanks for the input Jason, I'll see if that makes a difference.
>>>>>>>> > >
>>>>>>>> > > Today, after a lot of complaints from a customer, I had to pull out a
>>>>>>>> > > Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch
>>>>>>>> > > instead with the Telstra DOCSIS gateway set up to do all the heavy lifting
>>>>>>>> > > including DHCP reservations and port forwarding. Ugh Nasty.
>>>>>>>> > >
>>>>>>>> > > It seems fine so far but TBH so did the Mikrotik for about a week. I'm
>>>>>>>> > > convinced this is to do with the new v3.0 modems Telstra are pushing not
>>>>>>>> > > behaving themselves in bridge mode. There are a few models out there but the
>>>>>>>> > > Netgear CG3100D seems to be the most prevalent. Telstra market this as the
>>>>>>>> > > Gateway "Max". Perhaps because the maximum is easily reached with these
>>>>>>>> > > devices? :)
>>>>>>>> > >
>>>>>>>> > > I have raised support tickets with both MikroTik and Duxtel. Let's see how
>>>>>>>> > > we go. Until then I'm going to try using the Ubiquiti Edge Routers with a
>>>>>>>> > > UniFi 48v PoE+ switch.
>>>>>>>> > >
>>>>>>>> > > Just as an aside does anyone have experience setting the CRS devices up as a
>>>>>>>> > > dumb, unmanaged switch? I thought it would be fairly straightforward but I
>>>>>>>> > > had a go today and found myself struggling a little.
>>>>>>>> > >
>>>>>>>> > > Ben Jackson
>>>>>>>> > > eLogik
>>>>>>>> > > m:0404 924745
>>>>>>>> > > e: ben(a)elogik.net
>>>>>>>> > > w: www.elogik.com.au
>>>>>>>> > >
>>>>>>>> > > On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <
>>>>>>>> > > jason(a)upandrunningtech.com.au> wrote:
>>>>>>>> > >
>>>>>>>> > > > Nothing sticks out as overtly wrong.
>>>>>>>> > > >
>>>>>>>> > > > If you are still up brown creek try simplifying the config by:
>>>>>>>> > > >
>>>>>>>> > > > * Using the simple firewall here:
>>>>>>>> > > > http://wiki.mikrotik.com/wiki/Securing_your_router
>>>>>>>> > > > * Use basic NAT (no change);
>>>>>>>> > > > * Use the DHCP client (no change);
>>>>>>>> > > > * Use DHCP server without any reservations;
>>>>>>>> > > > * Slave and bridge the switch ports appropriately (no change);
>>>>>>>> > > > * Latest software and Routerboard firmware
>>>>>>>> > > > (System->Routerboard->Upgrade if different versions in place).
>>>>>>>> > > >
>>>>>>>> > > > Are you any wiser today? Are there any red highlighted (invalid)
>>>>>>>> > > > settings in Winbox?
>>>>>>>> > > >
>>>>>>>> > > > Jason
>>>>>>>> > > >
>>>>>>>> > > > On 28 July 2015 at 18:34, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>> > > >
>>>>>>>> > > > > Guys,
>>>>>>>> > > > >
>>>>>>>> > > > > Here is a typical config from one of my clients:
>>>>>>>> > > > >
>>>>>>>> > > > > # jul/28/2015 17:23:06 by RouterOS 6.30.2
>>>>>>>> > > > > # software id = IU9F-WHTQ
>>>>>>>> > > > > #
>>>>>>>> > > > > /interface ethernet
>>>>>>>> > > > > set [ find default-name=ether1 ] name=ether1-master-local
>>>>>>>> > > > > set [ find default-name=ether2 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether2-slave-local
>>>>>>>> > > > > set [ find default-name=ether3 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether3-slave-local
>>>>>>>> > > > > set [ find default-name=ether4 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether4-slave-local
>>>>>>>> > > > > set [ find default-name=ether5 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether5-slave-local
>>>>>>>> > > > > set [ find default-name=ether6 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether6-slave-local
>>>>>>>> > > > > set [ find default-name=ether7 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether7-slave-local
>>>>>>>> > > > > set [ find default-name=ether8 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether8-slave-local
>>>>>>>> > > > > set [ find default-name=ether9 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether9-slave-local
>>>>>>>> > > > > set [ find default-name=ether10 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether10-slave-local
>>>>>>>> > > > > set [ find default-name=ether11 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether11-slave-local
>>>>>>>> > > > > set [ find default-name=ether12 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether12-slave-local
>>>>>>>> > > > > set [ find default-name=ether13 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether13-slave-local
>>>>>>>> > > > > set [ find default-name=ether14 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether14-slave-local
>>>>>>>> > > > > set [ find default-name=ether15 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether15-slave-local
>>>>>>>> > > > > set [ find default-name=ether16 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether16-slave-local
>>>>>>>> > > > > set [ find default-name=ether17 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether17-slave-local
>>>>>>>> > > > > set [ find default-name=ether18 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether18-slave-local
>>>>>>>> > > > > set [ find default-name=ether19 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether19-slave-local
>>>>>>>> > > > > set [ find default-name=ether20 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether20-slave-local
>>>>>>>> > > > > set [ find default-name=ether21 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether21-slave-local
>>>>>>>> > > > > set [ find default-name=ether22 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether22-slave-local
>>>>>>>> > > > > set [ find default-name=ether23 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     ether23-slave-local
>>>>>>>> > > > > set [ find default-name=ether24 ] name=ether24-gateway
>>>>>>>> > > > > set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
>>>>>>>> > > > >     sfp1-slave-local
>>>>>>>> > > > > /ip pool
>>>>>>>> > > > > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
>>>>>>>> > > > > /ip dhcp-server
>>>>>>>> > > > > add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
>>>>>>>> > > > >     lease-time=1d name=dhcp1
>>>>>>>> > > > > /ip address
>>>>>>>> > > > > add address=192.168.88.1/24 comment="default configuration" interface=\
>>>>>>>> > > > >     ether1-master-local network=192.168.88.0
>>>>>>>> > > > > /ip dhcp-client
>>>>>>>> > > > > add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
>>>>>>>> > > > >     interface=ether24-gateway use-peer-ntp=yes
>>>>>>>> > > > > /ip dhcp-server lease
>>>>>>>> > > > > add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
>>>>>>>> > > > >     comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
>>>>>>>> > > > >     server=dhcp1
>>>>>>>> > > > > add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
>>>>>>>> > > > >     mac-address=00:0E:58:32:0E:1E server=dhcp1
>>>>>>>> > > > > add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
>>>>>>>> > > > >     mac-address=00:0E:58:32:0E:A0 server=dhcp1
>>>>>>>> > > > > add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
>>>>>>>> > > > >     mac-address=00:0E:58:32:0E:DA server=dhcp1
>>>>>>>> > > > > add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
>>>>>>>> > > > >     mac-address=00:0E:58:32:0E:AC server=dhcp1
>>>>>>>> > > > > add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
>>>>>>>> > > > >     "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
>>>>>>>> > > > >     server=dhcp1
>>>>>>>> > > > > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
>>>>>>>> > > > >     00:0E:58:24:65:B6 server=dhcp1
>>>>>>>> > > > > add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \
>>>>>>>> > > > >     mac-address=00:0E:58:24:64:9E server=dhcp1
>>>>>>>> > > > > add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \
>>>>>>>> > > > >     mac-address=00:0E:58:24:59:40 server=dhcp1
>>>>>>>> > > > > add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
>>>>>>>> > > > >     mac-address=00:0E:58:32:0F:9A server=dhcp1
>>>>>>>> > > > > add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \
>>>>>>>> > > > >     mac-address=00:0E:58:32:15:AC server=dhcp1
>>>>>>>> > > > > add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
>>>>>>>> > > > >     00:0E:58:24:6B:E8 server=dhcp1
>>>>>>>> > > > > add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
>>>>>>>> > > > >     server=dhcp1
>>>>>>>> > > > > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
>>>>>>>> > > > >     "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
>>>>>>>> > > > > add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
>>>>>>>> > > > >     "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
>>>>>>>> > > > > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
>>>>>>>> > > > >     04:18:D6:80:B3:85 server=dhcp1
>>>>>>>> > > > > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
>>>>>>>> > > > >     "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
>>>>>>>> > > > >     dhcp1
>>>>>>>> > > > > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
>>>>>>>> > > > >     04:18:D6:80:B2:F9 server=dhcp1
>>>>>>>> > > > > /ip dhcp-server network
>>>>>>>> > > > > add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
>>>>>>>> > > > > /ip dns
>>>>>>>> > > > > set allow-remote-requests=yes
>>>>>>>> > > > > /ip firewall address-list
>>>>>>>> > > > > add address=192.168.88.0/24 comment=\
>>>>>>>> > > > >     "Support address list - full access to router allowed from this range" \
>>>>>>>> > > > >     list=support
>>>>>>>> > > > > add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
>>>>>>>> > > > > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
>>>>>>>> > > > >     d this subnet before enable it" disabled=yes list=bogons
>>>>>>>> > > > > add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
>>>>>>>> > > > > add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
>>>>>>>> > > > >     bogons
>>>>>>>> > > > > add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
>>>>>>>> > > > >     need this subnet before enable it" disabled=yes list=bogons
>>>>>>>> > > > > add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
>>>>>>>> > > > >     \_need this subnet before enable it" disabled=yes list=bogons
>>>>>>>> > > > > add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
>>>>>>>> > > > >     list=bogons
>>>>>>>> > > > > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
>>>>>>>> > > > >     yes list=bogons
>>>>>>>> > > > > add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
>>>>>>>> > > > > add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
>>>>>>>> > > > >     list=bogons
>>>>>>>> > > > > add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
>>>>>>>> > > > >     list=bogons
>>>>>>>> > > > > add address=224.0.0.0/4 comment=\
>>>>>>>> > > > >     "MC, Class D, IANA # Check if you need this subnet before enable it" \
>>>>>>>> > > > >     disabled=yes list=bogons
>>>>>>>> > > > > /ip firewall filter
>>>>>>>> > > > > add action=add-src-to-address-list address-list=Syn_Flooder \
>>>>>>>> > > > >     address-list-timeout=30m chain=input comment=\
>>>>>>>> > > > >     "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
>>>>>>>> > > > >     protocol=tcp tcp-flags=syn
>>>>>>>> > > > > add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
>>>>>>>> > > > >     src-address-list=Syn_Flooder
>>>>>>>> > > > > add action=add-src-to-address-list address-list=Port_Scanner \
>>>>>>>> > > > >     address-list-timeout=1w chain=input comment="Port Scanner Detect" \
>>>>>>>> > > > >     disabled=yes protocol=tcp psd=21,3s,3,1
>>>>>>>> > > > > add action=drop chain=input comment="Drop to port scan list" disabled=yes \
>>>>>>>> > > > >     src-address-list=Port_Scanner
>>>>>>>> > > > > add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
>>>>>>>> > > > >     jump-target=ICMP protocol=icmp
>>>>>>>> > > > > add action=drop chain=input comment="Block all access to the winbox - except t\
>>>>>>>> > > > >     o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
>>>>>>>> > > > >     PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
>>>>>>>> > > > >     src-address-list=!support
>>>>>>>> > > > > add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
>>>>>>>> > > > >     yes jump-target=ICMP protocol=icmp
>>>>>>>> > > > > add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
>>>>>>>> > > > >     dst-address-list=bogons
>>>>>>>> > > > > add action=add-src-to-address-list address-list=spammers \
>>>>>>>> > > > >     address-list-timeout=3h chain=forward comment=\
>>>>>>>> > > > >     "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
>>>>>>>> > > > >     yes dst-port=25,587 limit=30/1m,0 protocol=tcp
>>>>>>>> > > > > add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
>>>>>>>> > > > >     dst-port=25,587 protocol=tcp src-address-list=spammers
>>>>>>>> > > > > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
>>>>>>>> > > > > add chain=output disabled=yes dst-port=1723 protocol=tcp
>>>>>>>> > > > > add chain=input disabled=yes dst-port=1723 protocol=tcp
>>>>>>>> > > > > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
>>>>>>>> > > > > add chain=input comment="Accept to established connections" connection-state=\
>>>>>>>> > > > >     established disabled=yes
>>>>>>>> > > > > add chain=input comment="Accept related connections" connection-state=related \
>>>>>>>> > > > >     disabled=yes
>>>>>>>> > > > > add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
>>>>>>>> > > > >     src-address-list=support
>>>>>>>> > > > > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
>>>>>>>> > > > >     icmp-options=8:0 limit=1,5 protocol=icmp
>>>>>>>> > > > > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
>>>>>>>> > > > >     icmp
>>>>>>>> > > > > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
>>>>>>>> > > > >     protocol=icmp
>>>>>>>> > > > > add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
>>>>>>>> > > > >     3:0-1 protocol=icmp
>>>>>>>> > > > > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
>>>>>>>> > > > > add action=drop chain=input comment="Drop invalid connections" \
>>>>>>>> > > > >     connection-state=invalid disabled=yes
>>>>>>>> > > > > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
>>>>>>>> > > > >     protocol=icmp
>>>>>>>> > > > > add action=jump chain=output comment="Jump for icmp output" disabled=yes \
>>>>>>>> > > > >     jump-target=ICMP protocol=icmp
>>>>>>>> > > > > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
>>>>>>>> > > > >     dst-port=21 protocol=tcp src-address-list=ftp_blacklist
>>>>>>>> > > > > add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
>>>>>>>> > > > >     1/1m,9,dst-address/1m protocol=tcp
>>>>>>>> > > > > add action=add-dst-to-address-list address-list=ftp_blacklist \
>>>>>>>> > > > >     address-list-timeout=3h chain=output content="530 Login incorrect" \
>>>>>>>> > > > >     disabled=yes protocol=tcp
>>>>>>>> > > > > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
>>>>>>>> > > > >     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
>>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_blacklist \
>>>>>>>> > > > >     address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
>>>>>>>> > > > >     dst-port=22 protocol=tcp src-address-list=ssh_stage3
>>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage3 \
>>>>>>>> > > > >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>>> > > > >     dst-port=22 protocol=tcp src-address-list=ssh_stage2
>>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage2 \
>>>>>>>> > > > >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>>> > > > >     dst-port=22 protocol=tcp src-address-list=ssh_stage1
>>>>>>>> > > > > add action=add-src-to-address-list address-list=ssh_stage1 \
>>>>>>>> > > > >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>>>>>>>> > > > >     dst-port=22 protocol=tcp
>>>>>>>> > > > > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
>>>>>>>> > > > >     RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
>>>>>>>> > > > > /ip firewall nat
>>>>>>>> > > > > add action=masquerade chain=srcnat out-interface=ether24-gateway
>>>>>>>> > > > > /ip firewall service-port
>>>>>>>> > > > > set ftp disabled=yes
>>>>>>>> > > > > set tftp disabled=yes
>>>>>>>> > > > > set irc disabled=yes
>>>>>>>> > > > > set h323 disabled=yes
>>>>>>>> > > > > set sip disabled=yes
>>>>>>>> > > > > set pptp disabled=yes
>>>>>>>> > > > > /ip ipsec policy
>>>>>>>> > > > > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
>>>>>>>> > > > > /ip service
>>>>>>>> > > > > set telnet disabled=yes
>>>>>>>> > > > > set ftp disabled=yes
>>>>>>>> > > > > set www disabled=yes
>>>>>>>> > > > > set ssh disabled=yes
>>>>>>>> > > > > set api disabled=yes
>>>>>>>> > > > > set api-ssl disabled=yes
>>>>>>>> > > > > /system clock
>>>>>>>> > > > > set time-zone-autodetect=no time-zone-name=Australia/Sydney
>>>>>>>> > > > > /tool romon port
>>>>>>>> > > > > add
>>>>>>>> > > > >
>>>>>>>> > > > >
>>>>>>>> > > > > Ben Jackson
>>>>>>>> > > > > eLogik
>>>>>>>> > > > > m:0404 924745
>>>>>>>> > > > > e: ben(a)elogik.net
>>>>>>>> > > > > w: www.elogik.com.au
>>>>>>>> > > > >
>>>>>>>> > > > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <
>>>>>>>> > > > > jason(a)upandrunningtech.com.au> wrote:
>>>>>>>> > > > >
>>>>>>>> > > > >> Hi Ben,
>>>>>>>> > > > >>
>>>>>>>> > > > >> When the problem occurs again check the Routerboard for CPU use and check
>>>>>>>> > > > >> profiling to see just what is keeping the CPU busy. Don't overestimate the
>>>>>>>> > > > >> CPU in the 2011, it's not as quick as you think. The new FastPath and
>>>>>>>> > > > >> FastTrack features will be something you'll be interested in when routing
>>>>>>>> > > > >> something as fast as a cable modem so read up on them and do try the latest
>>>>>>>> > > > >> firmware images.
>>>>>>>> > > > >>
>>>>>>>> > > > >> Jason
>>>>>>>> > > > >>
>>>>>>>> > > > >> On 28 July 2015 at 13:48, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>> > > > >>
>>>>>>>> > > > >>> Hi Jason,
>>>>>>>> > > > >>>
>>>>>>>> > > > >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any
>>>>>>>> > > > >>> bridge or switch config and is routing only.
>>>>>>>> > > > >>>
>>>>>>>> > > > >>> When I first started installing Mikrotiks I used to bridge all the other
>>>>>>>> > > > >>> ports, which I know uses the main CPU and not the switch chip, but my
>>>>>>>> > > > >>> thinking was that the main CPU is more powerful and the router isn't
>>>>>>>> > > > >>> exactly doing anything complex such as queues or heaps of firewall rules.
>>>>>>>> > > > >>>
>>>>>>>> > > > >>> However since then I have started using the master - slave switch chip
>>>>>>>> > > > >>> function, especially on the 24 port CRS. On the RB2011's I slave all the
>>>>>>>> > > > >>> gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then
>>>>>>>> > > > >>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the
>>>>>>>> > > > >>> ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>>>>>>> > > > >>>
>>>>>>>> > > > >>> Ben Jackson
>>>>>>>> > > > >>> eLogik
>>>>>>>> > > > >>> m:0404 924745
>>>>>>>> > > > >>> e: ben(a)elogik.net
>>>>>>>> > > > >>> w: www.elogik.com.au
>>>>>>>> > > > >>>
>>>>>>>> > > > >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <
>>>>>>>> > > > >>> jason(a)upandrunningtech.com.au> wrote:
>>>>>>>> > > > >>>
>>>>>>>> > > > >>>> Hi
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the
>>>>>>>> > > > >>>> current is at 6.30 so I can't even see if some related bug has been fixed
>>>>>>>> > > > >>>> since 6.20. I'd suggest updating the software, reboot, update the
>>>>>>>> > > > >>>> firmware, reboot and see if that helps.
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> If in doubt beyond that, save export your config, factory reset and
>>>>>>>> > > > >>>> reimport the config.
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to
>>>>>>>> > > > >>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged?
>>>>>>>> > > > >>>> Which port is connected to the modem? It should be on its own, not slaved
>>>>>>>> > > > >>>> or bridged.
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> Since 6.20 there have been some packet engine speedups that operate at the
>>>>>>>> > > > >>>> bridge level and some interfaces (not PPPoE unfortunately). You will
>>>>>>>> > > > >>>> definitely benefit using the new speedup options with NAT on a DHCP based
>>>>>>>> > > > >>>> modem.
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> Jason
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> On 28 July 2015 at 13:25, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>> > > > >>>>
>>>>>>>> > > > >>>> > Hi Jason,
>>>>>>>> > > > >>>> >
>>>>>>>> > > > >>>> > I have customers on a few different ROS versions, normally nothing earlier
>>>>>>>> > > > >>>> > than 6.18 - and I always make sure the firmware is at a matching level. I
>>>>>>>> > > > >>>> > think the majority right now are at 6.20.
>>>>>>>> > > > >>>> >
>>>>>>>> > > > >>>> > Thanks
>>>>>>>> > > > >>>> >
>>>>>>>> > > > >>>> > Ben Jackson
>>>>>>>> > > > >>>> > eLogik
>>>>>>>> > > > >>>> > m:0404 924745
>>>>>>>> > > > >>>> > e: ben(a)elogik.net
>>>>>>>> > > > >>>> > w: www.elogik.com.au
>>>>>>>> > > > >>>> >
>>>>>>>> > > > >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <
>>>>>>>> > > > >>>> > jason(a)upandrunningtech.com.au> wrote:
>>>>>>>> > > > >>>> >
>>>>>>>> > > > >>>> >> What version of RouterOS are you using and what level is the firmware at?
>>>>>>>> > > > >>>> >>
>>>>>>>> > > > >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben(a)elogik.net> wrote:
>>>>>>>> > > > >>>> >>
>>>>>>>> > > > >>>> >> > Hi RJ,
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > Yep - that's exactly what I do.
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > I know it's not congestion because when I reboot
>>>>>>>> the mikrotik
>>>>>>>> > > or
>>>>>>>> > > > >>>> simply
>>>>>>>> > > > >>>> >> > renew the dhcp client address on the gateway port
>>>>>>>> the whole
>>>>>>>> > > > system
>>>>>>>> > > > >>>> >> springs
>>>>>>>> > > > >>>> >> > back to life.
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > Thanks,
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > Ben Jackson
>>>>>>>> > > > >>>> >> > eLogik
>>>>>>>> > > > >>>> >> > m:0404 924745
>>>>>>>> > > > >>>> >> > e: ben(a)elogik.net
>>>>>>>> > > > >>>> >> > w: www.elogik.com.au
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <
>>>>>>>> > > > >>>> RJ.Plummer(a)4logic.com.au>
>>>>>>>> > > > >>>> >> > wrote:
>>>>>>>> > > > >>>> >> >
>>>>>>>> > > > >>>> >> > > Hi Ben,
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > We have a few staff with bigpond cable and
>>>>>>>> mikrotiks who
>>>>>>>> > > don't
>>>>>>>> > > > >>>> exhibit
>>>>>>>> > > > >>>> >> > > this behaviour.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Their setups are very straightforward:
>>>>>>>> > > > >>>> >> > > -Bridge the cable modem (same cable modem model
>>>>>>>> as you
>>>>>>>> > > > describe)
>>>>>>>> > > > >>>> >> > > -DHCP client on the appropriate physical mkt
>>>>>>>> interface
>>>>>>>> > > > >>>> >> > > -masq that interface
>>>>>>>> > > > >>>> >> > > -firewall filter as usual
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Do you have anything different in your
>>>>>>>> configurations?
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Cheers,
>>>>>>>> > > > >>>> >> > > RJ
>>>>>>>> > > > >>>> >> > > -----Original Message-----
>>>>>>>> > > > >>>> >> > > From: Public [mailto:
>>>>>>>> public-bounces(a)talk.mikrotik.com.au]
>>>>>>>> > On
>>>>>>>> > > > >>>> Behalf
>>>>>>>> > > > >>>> >> Of
>>>>>>>> > > > >>>> >> > > Paul Julian
>>>>>>>> > > > >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>>>>>> > > > >>>> >> > > To: 'MikroTik Australia Public List' <
>>>>>>>> > > > >>>> public(a)talk.mikrotik.com.au>
>>>>>>>> > > > >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP
>>>>>>>> Issues
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC
>>>>>>>> address, or
>>>>>>>> > at
>>>>>>>> > > > >>>> least
>>>>>>>> > > > >>>> >> the
>>>>>>>> > > > >>>> >> > > one they present, this usually happens if a
>>>>>>>> config has been
>>>>>>>> > > > >>>> uploaded
>>>>>>>> > > > >>>> >> to
>>>>>>>> > > > >>>> >> > > them without MAC addresses removed.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > There is an option in the interface settings
>>>>>>>> called "Reset
>>>>>>>> > > MAC
>>>>>>>> > > > >>>> >> Address",
>>>>>>>> > > > >>>> >> > > try clicking this on the interface you have
>>>>>>>> plugged into
>>>>>>>> > the
>>>>>>>> > > > >>>> NTU, it
>>>>>>>> > > > >>>> >> will
>>>>>>>> > > > >>>> >> > > reset the MAC address back to or force it to be
>>>>>>>> the
>>>>>>>> > actual
>>>>>>>> > > > >>>> physical
>>>>>>>> > > > >>>> >> MAC
>>>>>>>> > > > >>>> >> > > just in case anything has changed.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > We use bridge mode in modems and NTU's with
>>>>>>>> Mikrotiks in
>>>>>>>> > > > >>>> hundreds of
>>>>>>>> > > > >>>> >> > > locations for ADSL and Ethernet services and
>>>>>>>> never have one
>>>>>>>> > > > >>>> issue.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Regards
>>>>>>>> > > > >>>> >> > > Paul
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > -----Original Message-----
>>>>>>>> > > > >>>> >> > > From: Public [mailto:
>>>>>>>> public-bounces(a)talk.mikrotik.com.au]
>>>>>>>> > On
>>>>>>>> > > > >>>> Behalf
>>>>>>>> > > > >>>> >> Of
>>>>>>>> > > > >>>> >> > > Ben Jackson
>>>>>>>> > > > >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>>>>>> > > > >>>> >> > > To: MikroTik Australia Public List
>>>>>>>> > > > >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP
>>>>>>>> Issues
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Thanks for the reply Paul. Yes I agree with you
>>>>>>>> 100%, there
>>>>>>>> > > > >>>> should be
>>>>>>>> > > > >>>> >> > > almost nothing to go wrong in this type of
>>>>>>>> set-up. The NTU
>>>>>>>> > is
>>>>>>>> > > > >>>> >> definitely
>>>>>>>> > > > >>>> >> > in
>>>>>>>> > > > >>>> >> > > bridge mode - as evidenced by the radio button
>>>>>>>> saying
>>>>>>>> > "Bridge
>>>>>>>> > > > >>>> Mode" on
>>>>>>>> > > > >>>> >> > the
>>>>>>>> > > > >>>> >> > > web GUI ;) and I have a DHCP client running on
>>>>>>>> ether24 of
>>>>>>>> > the
>>>>>>>> > > > >>>> CRS (or
>>>>>>>> > > > >>>> >> > > sometimes ether 1) which immediately binds the
>>>>>>>> public IP
>>>>>>>> > > > address
>>>>>>>> > > > >>>> to
>>>>>>>> > > > >>>> >> > itself.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > I understand about the MAC based DHCP which the
>>>>>>>> ISP's use,
>>>>>>>> > I
>>>>>>>> > > > >>>> have had
>>>>>>>> > > > >>>> >> > > issues in the past (no longer seems to be an
>>>>>>>> issue) where I
>>>>>>>> > > > have
>>>>>>>> > > > >>>> had
>>>>>>>> > > > >>>> >> to
>>>>>>>> > > > >>>> >> > > spoof the MAC address of the NTU to get a DHCP
>>>>>>>> address. I
>>>>>>>> > > have
>>>>>>>> > > > >>>> also
>>>>>>>> > > > >>>> >> > noticed
>>>>>>>> > > > >>>> >> > > if my MBP is the first device to connect to the
>>>>>>>> NTU while
>>>>>>>> > in
>>>>>>>> > > > >>>> bridge
>>>>>>>> > > > >>>> >> mode,
>>>>>>>> > > > >>>> >> > > sometimes I need to power cycle the device to
>>>>>>>> "deregister"
>>>>>>>> > > the
>>>>>>>> > > > >>>> MAC
>>>>>>>> > > > >>>> >> > address
>>>>>>>> > > > >>>> >> > > of the MBP. I am able to get a binding on the
>>>>>>>> MikroTik
>>>>>>>> > after
>>>>>>>> > > > this
>>>>>>>> > > > >>>> >> process
>>>>>>>> > > > >>>> >> > > is complete.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > But, in this instance this is not the problem
>>>>>>>> unless
>>>>>>>> > somehow
>>>>>>>> > > > the
>>>>>>>> > > > >>>> MAC
>>>>>>>> > > > >>>> >> > > address of the MikroTik ether port is changing -
>>>>>>>> is this
>>>>>>>> > > > >>>> possible? I
>>>>>>>> > > > >>>> >> must
>>>>>>>> > > > >>>> >> > > admit, my progress on this is somewhat hampered
>>>>>>>> by not
>>>>>>>> > having
>>>>>>>> > > a
>>>>>>>> > > > >>>> cable
>>>>>>>> > > > >>>> >> > setup
>>>>>>>> > > > >>>> >> > > to test on at home - I run ADSL.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > I'm pretty sure that nothing else on the network
>>>>>>>> would be
>>>>>>>> > > able
>>>>>>>> > > > >>>> to bind
>>>>>>>> > > > >>>> >> > > its MAC address to the public IP before the
>>>>>>>> MikroTik has
>>>>>>>> > had
>>>>>>>> > > a
>>>>>>>> > > > >>>> chance
>>>>>>>> > > > >>>> >> > to -
>>>>>>>> > > > >>>> >> > > although I must admit I hadn't thought of that so
>>>>>>>> I'll check
>>>>>>>> > > it
>>>>>>>> > > > >>>> out in
>>>>>>>> > > > >>>> >> > more
>>>>>>>> > > > >>>> >> > > detail.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > I am also inclined to agree with you that this is
>>>>>>>> not
>>>>>>>> > solely
>>>>>>>> > > a
>>>>>>>> > > > >>>> >> Mikrotik
>>>>>>>> > > > >>>> >> > > issue. It seems to me that it is the magic (or
>>>>>>>> not so
>>>>>>>> > magic)
>>>>>>>> > > > >>>> >> combination
>>>>>>>> > > > >>>> >> > of
>>>>>>>> > > > >>>> >> > > the ISP's hardware and the MikroTik that seems to
>>>>>>>> cause the
>>>>>>>> > > > >>>> problem. I
>>>>>>>> > > > >>>> >> > have
>>>>>>>> > > > >>>> >> > > tried other brands of router which do not seem to
>>>>>>>> exhibit
>>>>>>>> > the
>>>>>>>> > > > >>>> issue,
>>>>>>>> > > > >>>> >> > > however these devices do not have the great
>>>>>>>> feature set of
>>>>>>>> > > the
>>>>>>>> > > > >>>> >> MikroTik
>>>>>>>> > > > >>>> >> > and
>>>>>>>> > > > >>>> >> > > are often not rack-mountable. Trotting out the
>>>>>>>> "It's not a
>>>>>>>> > > > >>>> Mikrotik
>>>>>>>> > > > >>>> >> > issue"
>>>>>>>> > > > >>>> >> > > line is starting to wear very thin with both my
>>>>>>>> customers
>>>>>>>> > and
>>>>>>>> > > > >>>> >> colleagues.
>>>>>>>> > > > >>>> >> > > Although my gut feeling is that it isn't - I need
>>>>>>>> proof
>>>>>>>> > and I
>>>>>>>> > > > >>>> don't
>>>>>>>> > > > >>>> >> know
>>>>>>>> > > > >>>> >> > > where to start. This is happening far too often
>>>>>>>> for it to
>>>>>>>> > be
>>>>>>>> > > a
>>>>>>>> > > > >>>> >> > coincidence
>>>>>>>> > > > >>>> >> > > or a faulty device.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > I have, unfortunately also seen very strange
>>>>>>>> behaviour over
>>>>>>>> > > > ADSL
>>>>>>>> > > > >>>> /
>>>>>>>> > > > >>>> >> pppoe
>>>>>>>> > > > >>>> >> > > connections in bridge mode too, I sent an email
>>>>>>>> about this
>>>>>>>> > > some
>>>>>>>> > > > >>>> time
>>>>>>>> > > > >>>> >> ago
>>>>>>>> > > > >>>> >> > > and it still plagues me from time to time.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > The type of installations I am doing are not your
>>>>>>>> typical
>>>>>>>> > > home
>>>>>>>> > > > >>>> setups
>>>>>>>> > > > >>>> >> and
>>>>>>>> > > > >>>> >> > > customers are paying a lot of money for a
>>>>>>>> supposedly
>>>>>>>> > > > >>>> >> "commercial-grade"
>>>>>>>> > > > >>>> >> > > solution which is only adding to my stresses.
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Do any of you guys out there use a MikroTik as
>>>>>>>> your home
>>>>>>>> > > router
>>>>>>>> > > > >>>> - how
>>>>>>>> > > > >>>> >> do
>>>>>>>> > > > >>>> >> > > you set it up? Have you seen issues like this?
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > One thing I have noticed is that the issue seems
>>>>>>>> to be much
>>>>>>>> > > > more
>>>>>>>> > > > >>>> >> > prevalent
>>>>>>>> > > > >>>> >> > > with the newer DOCSIS 3.0 netgear / telstra /
>>>>>>>> optus modems.
>>>>>>>> > > No
>>>>>>>> > > > >>>> idea
>>>>>>>> > > > >>>> >> why.
>>>>>>>> > > > >>>> >> > > Any cable experts out there?
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Thanks again,
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > Ben Jackson
>>>>>>>> > > > >>>> >> > > eLogik
>>>>>>>> > > > >>>> >> > > m:0404 924745
>>>>>>>> > > > >>>> >> > > e: ben(a)elogik.net
>>>>>>>> > > > >>>> >> > > w: www.elogik.com.au
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <
>>>>>>>> > > > >>>> >> > paul(a)oxygennetworks.com.au>
>>>>>>>> > > > >>>> >> > > wrote:
>>>>>>>> > > > >>>> >> > >
>>>>>>>> > > > >>>> >> > > > Hey Ben, the only thing I can think of is that
>>>>>>>> Telstra
>>>>>>>> > and
>>>>>>>> > > > >>>> Optus
>>>>>>>> > > > >>>> >> Cable
>>>>>>>> > > > >>>> >> > > > networks use MAC based DHCP, they bind the IP
>>>>>>>> to the MAC
>>>>>>>> > of
>>>>>>>> > > > >>>> the NTU
>>>>>>>> > > > >>>> >> or
>>>>>>>> > > > >>>> >> > > > in the case of bridge mode the first client
>>>>>>>> that makes a
>>>>>>>> > > > >>>> request,
>>>>>>>> > > > >>>> >> and
>>>>>>>> > > > >>>> >> > > > often you have trouble with these things
>>>>>>>> because of
>>>>>>>> > this, I
>>>>>>>> > > > >>>> don't
>>>>>>>> > > > >>>> >> > > > really think it's a Mikrotik thing.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > However, as long as the Mikrotik is maintaining
>>>>>>>> the same
>>>>>>>> > > MAC
>>>>>>>> > > > >>>> on the
>>>>>>>> > > > >>>> >> > > > interface plugged into the NTU and the NTU is
>>>>>>>> truly in
>>>>>>>> > > bridge
>>>>>>>> > > > >>>> mode
>>>>>>>> > > > >>>> >> and
>>>>>>>> > > > >>>> >> > > > the Mikrotik is the only thing plugged into the
>>>>>>>> NTU I
>>>>>>>> > > can't
>>>>>>>> > > > >>>> see why
>>>>>>>> > > > >>>> >> > > > it would be having issues.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Is there any chance that another device might
>>>>>>>> somehow be
>>>>>>>> > > > >>>> getting a
>>>>>>>> > > > >>>> >> > > > DHCP request through to the NTU somehow the way
>>>>>>>> you have
>>>>>>>> > it
>>>>>>>> > > > all
>>>>>>>> > > > >>>> >> plugged
>>>>>>>> > > > >>>> >> > > in ?
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Regards
>>>>>>>> > > > >>>> >> > > > Paul
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > -----Original Message-----
>>>>>>>> > > > >>>> >> > > > From: Public [mailto:
>>>>>>>> public-bounces(a)talk.mikrotik.com.au
>>>>>>>> > ]
>>>>>>>> > > On
>>>>>>>> > > > >>>> >> Behalf Of
>>>>>>>> > > > >>>> >> > > > Ben Jackson
>>>>>>>> > > > >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>>>>>> > > > >>>> >> > > > To: MikroTik Australia Public List
>>>>>>>> > > > >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Hi All,
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > I'm hoping someone can help me as I'm at my
>>>>>>>> wit's end
>>>>>>>> > with
>>>>>>>> > > > >>>> this one.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and
>>>>>>>> more
>>>>>>>> > > recently,
>>>>>>>> > > > >>>> the
>>>>>>>> > > > >>>> >> > > > CRS125-24G) in large residential AV situations
>>>>>>>> where
>>>>>>>> > > > >>>> invariably, the
>>>>>>>> > > > >>>> >> > > > Mikrotik is in dhcp client mode, in a cable
>>>>>>>> internet
>>>>>>>> > > scenario
>>>>>>>> > > > >>>> where
>>>>>>>> > > > >>>> >> > > > Telstra's / Optus's modem has been placed into
>>>>>>>> "bridge"
>>>>>>>> > > mode
>>>>>>>> > > > >>>> (NAT
>>>>>>>> > > > >>>> >> > > > switched
>>>>>>>> > > > >>>> >> > > > off) and the carrier-supplied WAN IP address
>>>>>>>> gets bound
>>>>>>>> > to
>>>>>>>> > > > the
>>>>>>>> > > > >>>> >> gateway
>>>>>>>> > > > >>>> >> > > > interface of the Mikrotik.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > The Mikrotik, in turn is connected to, on
>>>>>>>> average, about
>>>>>>>> > 3
>>>>>>>> > > > >>>> UniFi
>>>>>>>> > > > >>>> >> > > > access points, and at least 3-4 zones of Sonos.
>>>>>>>> On
>>>>>>>> > initial
>>>>>>>> > > > set
>>>>>>>> > > > >>>> up,
>>>>>>>> > > > >>>> >> > > > everything seems to work great, with the full
>>>>>>>> bandwidth
>>>>>>>> > of
>>>>>>>> > > > the
>>>>>>>> > > > >>>> cable
>>>>>>>> > > > >>>> >> > > > modem getting passed on to the rest of the
>>>>>>>> network, even
>>>>>>>> > > when
>>>>>>>> > > > >>>> 802.11
>>>>>>>> > > > >>>> >> > > > clients are connected (a testament to the
>>>>>>>> UniFi's in my
>>>>>>>> > > > opinion
>>>>>>>> > > > >>>> - I
>>>>>>>> > > > >>>> >> > > > only use dual band Pro AP's).
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > However, after a week or so the internet
>>>>>>>> connection seems
>>>>>>>> > > to
>>>>>>>> > > > >>>> get
>>>>>>>> > > > >>>> >> > > > either very slow, or stop working altogether.
>>>>>>>> If I look
>>>>>>>> > in
>>>>>>>> > > > the
>>>>>>>> > > > >>>> logs
>>>>>>>> > > > >>>> >> > > > (with dhcp logging switched on) I can see
>>>>>>>> regular NAK's
>>>>>>>> > > > getting
>>>>>>>> > > > >>>> >> passed
>>>>>>>> > > > >>>> >> > > > from the dhcp server on the cable modem. The
>>>>>>>> problem is I
>>>>>>>> > > > don't
>>>>>>>> > > > >>>> >> really
>>>>>>>> > > > >>>> >> > > > understand how DHCP works on cable modems. I'm
>>>>>>>> assuming
>>>>>>>> > > every
>>>>>>>> > > > >>>> so
>>>>>>>> > > > >>>> >> often
>>>>>>>> > > > >>>> >> > > > the cable modem gets a new IP address from the
>>>>>>>> carrier
>>>>>>>> > > > >>>> (normally
>>>>>>>> > > > >>>> >> after
>>>>>>>> > > > >>>> >> > > > a reset) and at this point the modem is not
>>>>>>>> passing this
>>>>>>>> > > new
>>>>>>>> > > > >>>> address
>>>>>>>> > > > >>>> >> > > > onto the Mikrotik which is effectively cut off
>>>>>>>> from the
>>>>>>>> > > > >>>> internet.
>>>>>>>> > > > >>>> >> > > > Since we are stuck with using Bigpond and Optus
>>>>>>>> modems
>>>>>>>> > > these
>>>>>>>> > > > >>>> are the
>>>>>>>> > > > >>>> >> > > > only solutions I have discovered which seem to
>>>>>>>> stop the
>>>>>>>> > > issue
>>>>>>>> > > > >>>> from
>>>>>>>> > > > >>>> >> > > occurring (at least as regularly).
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > 1) Leave the cable modem in "router" mode and
>>>>>>>> switch off
>>>>>>>> > > all
>>>>>>>> > > > >>>> >> > > > extraneous services such as Wi-Fi, and also put
>>>>>>>> one IP
>>>>>>>> > > > address
>>>>>>>> > > > >>>> in
>>>>>>>> > > > >>>> >> the
>>>>>>>> > > > >>>> >> > > > dhcp pool so that the Mikrotik always gets the
>>>>>>>> same
>>>>>>>> > private
>>>>>>>> > > > IP
>>>>>>>> > > > >>>> >> > > > address. However, this creates a double nat
>>>>>>>> situation
>>>>>>>> > which
>>>>>>>> > > > >>>> means I
>>>>>>>> > > > >>>> >> > > > can no longer perform reliable port forwarding
>>>>>>>> for things
>>>>>>>> > > > such
>>>>>>>> > > > >>>> as
>>>>>>>> > > > >>>> >> > > > DVR's and CBus controllers (which I find the
>>>>>>>> Mikrotik's
>>>>>>>> > > great
>>>>>>>> > > > >>>> for).
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > 2) Allow the cable modem to perform all dhcp,
>>>>>>>> routing,
>>>>>>>> > port
>>>>>>>> > > > >>>> >> forwarding
>>>>>>>> > > > >>>> >> > > > (which is a joke on these devices) and firewall
>>>>>>>> tasks for
>>>>>>>> > > the
>>>>>>>> > > > >>>> entire
>>>>>>>> > > > >>>> >> > > > LAN and turn the CRS into an unmanaged L2
>>>>>>>> switch. The
>>>>>>>> > main
>>>>>>>> > > > >>>> problem
>>>>>>>> > > > >>>> >> > > > here is that these Bigpond devices simply do
>>>>>>>> not have the
>>>>>>>> > > > >>>> grunt to
>>>>>>>> > > > >>>> >> > > > deal with large networks with lots of AV
>>>>>>>> streaming and
>>>>>>>> > > > control
>>>>>>>> > > > >>>> >> > happening.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Since both of the above have severe drawbacks
>>>>>>>> in terms of
>>>>>>>> > > > >>>> >> > > > functionality, I wonder if anyone has had
>>>>>>>> similar
>>>>>>>> > > experiences
>>>>>>>> > > > >>>> as I
>>>>>>>> > > > >>>> >> am
>>>>>>>> > > > >>>> >> > > > just about ready to dump the MikroTik's and
>>>>>>>> start looking
>>>>>>>> > > at
>>>>>>>> > > > >>>> other
>>>>>>>> > > > >>>> >> > > > options in the hope that they play better with
>>>>>>>> the
>>>>>>>> > Bigpond
>>>>>>>> > > > >>>> gear.
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Thanks in advance,
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >> > > > Ben Jackson
>>>>>>>> > > > >>>> >> > > > eLogik
>>>>>>>> > > > >>>> >> > > > m:0404 924745
>>>>>>>> > > > >>>> >> > > > e: ben(a)elogik.net
>>>>>>>> > > > >>>> >> > > > w: www.elogik.com.au
>>>>>>>> > > > >>>> >> > > > _______________________________________________
>>>>>>>> > > > >>>> >> > > > Public mailing list
>>>>>>>> > > > >>>> >> > > > Public(a)talk.mikrotik.com.au
>>>>>>>> > > > >>>> >> > > >
>>>>>>>> > > > >>>> >>
>>>>>>>> > > > >>>>
>>>>>>>> > >
>>>>>>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
>>>>>>>> > > > .
>>>>>>>> > > > >>>> >> > > > au
>>>>>>>> > > > >>>> >> > > >
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ben Jackson
>>>>>>> eLogik
>>>>>>> m:0404 924745
>>>>>>> e: ben(a)elogik.net
>>>>>>> w: www.elogik.com.au