29 Jul 2015, 2:29 p.m.
Nothing sticks out as overtly wrong. If you are still up brown creek try simplifying the config by:

* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).

Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?

Jason

On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
> Guys,
>
> Here is a typical config from one of my clients:
>
> # jul/28/2015 17:23:06 by RouterOS 6.30.2
> # software id = IU9F-WHTQ
> #
> /interface ethernet
> set [ find default-name=ether1 ] name=ether1-master-local
> set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> set [ find default-name=ether24 ] name=ether24-gateway
> set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> /ip pool
> add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> /ip dhcp-server
> add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> /ip address
> add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> /ip dhcp-client
> add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> /ip dhcp-server lease
> add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> /ip dhcp-server network
> add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> /ip dns
> set allow-remote-requests=yes
> /ip firewall address-list
> add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> /ip firewall filter
> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> add chain=output disabled=yes dst-port=1723 protocol=tcp
> add chain=input disabled=yes dst-port=1723 protocol=tcp
> add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> add chain=input comment="Accept related connections" connection-state=related disabled=yes
> add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
> add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
> add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
> add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
> add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
> add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
> add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=ether24-gateway
> /ip firewall service-port
> set ftp disabled=yes
> set tftp disabled=yes
> set irc disabled=yes
> set h323 disabled=yes
> set sip disabled=yes
> set pptp disabled=yes
> /ip ipsec policy
> set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
> /ip service
> set telnet disabled=yes
> set ftp disabled=yes
> set www disabled=yes
> set ssh disabled=yes
> set api disabled=yes
> set api-ssl disabled=yes
> /system clock
> set time-zone-autodetect=no time-zone-name=Australia/Sydney
> /tool romon port
> add
>
> Ben Jackson
> eLogik
> m: 0404 924745
> e: ben@elogik.net
> w: www.elogik.com.au
>
> On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>> Hi Ben,
>>
>> When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
>>
>> Jason
>>
>> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
>>> Hi Jason,
>>>
>>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
>>>
>>> When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
>>>
>>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>>
>>> Ben Jackson, eLogik
>>>
>>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>> Hi
>>>>
>>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
>>>>
>>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
>>>>
>>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
>>>>
>>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
>>>>
>>>> Jason
>>>>
>>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>> > Hi Jason,
>>>> >
>>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Ben Jackson, eLogik
>>>> >
>>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>> >> What version of RouterOS are you using and what level is the firmware at?
>>>> >>
>>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>> >> > Hi RJ,
>>>> >> >
>>>> >> > Yep - that's exactly what I do.
>>>> >> >
>>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
>>>> >> >
>>>> >> > Thanks,
>>>> >> >
>>>> >> > Ben Jackson, eLogik
>>>> >> >
>>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>> >> > > Hi Ben,
>>>> >> > >
>>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
>>>> >> > >
>>>> >> > > Their setups are very straight forward:
>>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
>>>> >> > > -DHCP client on the appropriate physical mkt interface
>>>> >> > > -masq that interface
>>>> >> > > -firewall filter as usual
>>>> >> > >
>>>> >> > > Do you have anything different in your configurations?
>>>> >> > >
>>>> >> > > Cheers,
>>>> >> > > RJ
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
>>>> >> > >
>>>> >> > > There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
>>>> >> > >
>>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
>>>> >> > >
>>>> >> > > Regards
>>>> >> > > Paul
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>> >> > > To: MikroTik Australia Public List
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
>>>> >> > >
>>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
>>>> >> > >
>>>> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
>>>> >> > >
>>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
>>>> >> > >
>>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
>>>> >> > >
>>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
>>>> >> > >
>>>> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
>>>> >> > >
>>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
>>>> >> > >
>>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
>>>> >> > >
>>>> >> > > Thanks again,
>>>> >> > >
>>>> >> > > Ben Jackson, eLogik
>>>> >> > >
>>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
>>>> >> > > >
>>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
>>>> >> > > >
>>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
>>>> >> > > >
>>>> >> > > > Regards
>>>> >> > > > Paul
>>>> >> > > >
>>>> >> > > > -----Original Message-----
>>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>> >> > > > To: MikroTik Australia Public List
>>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > > >
>>>> >> > > > Hi All,
>>>> >> > > >
>>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this one.
>>>> >> > > >
>>>> >> > > > We use Mikrotik gear (Mainly RB2011's and more recently, the CRS125-24G) in large residential AV situations where invariably, the Mikrotik is in dhcp client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.
>>>> >> > > >
>>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 UniFi access points, and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).
>>>> >> > > >
>>>> >> > > > However, after a week or so the internet connection seems to get either very slow, or stop working altogether. If I look in the logs (with dhcp logging switched on) I can see regular NAK's getting passed from the dhcp server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address onto the Mikrotik which is effectively cut off from the internet. Since we are stuck with using Bigpond and Optus modems these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly).
>>>> >> > > >
>>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the dhcp pool so that the Mikrotik always gets the same private IP address. However, this creates a double nat situation which means I can no longer perform reliable port forwarding for things such as DVR's and CBus controllers (which I find the Mikrotik's great for).
>>>> >> > > >
>>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.
>>>> >> > > >
>>>> >> > > > Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences as I am just about ready to dump the MikroTik's and start looking at other options in the hope that they play better with the Bigpond gear.
>>>> >> > > >
>>>> >> > > > Thanks in advance,
>>>> >> > > >
>>>> >> > > > Ben Jackson, eLogik
>>>> >> > > >
>>>> >> > > > _______________________________________________
>>>> >> > > > Public mailing list
>>>> >> > > > Public@talk.mikrotik.com.au
>>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
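The export quoted in this thread is the only concrete artefact on the page, and it carries a point the replies do not dwell on: every rule under /ip firewall filter is exported with disabled=yes, /ip dns has allow-remote-requests=yes, and /ip service lists winbox nowhere, so the router's input chain accepts everything that reaches it on ether24-gateway. The script below is an added example for this page, not MikroTik code and not anything the posters ran. It parses a RouterOS text export (rejoining the backslash-wrapped lines the way the export writes them) and reports those three conditions plus any management service left enabled. The SAMPLE_EXPORT is a constructed excerpt in the same shape as the quoted config; the function and finding names are this example's own. Point it at a saved export file to audit a real device offline.

```python
"""Audit a RouterOS '/export' for firewall rules that are present but
disabled, an open DNS resolver, and management services left enabled.

Added example for this thread; not MikroTik code and not the poster's.
It only reads export text, so it runs offline against a saved file or
the constructed excerpt below."""
import re
import sys

# Constructed input: a trimmed excerpt in the same shape as the export
# quoted above (only the lines the checks look at are kept).
SAMPLE_EXPORT = r"""# jul/28/2015 17:23:06 by RouterOS 6.30.2
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=drop chain=input comment="Drop anything else!" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
"""

# key=value (value may be a double-quoted string with spaces) or a bare word
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)|(\S+)')


def join_continuations(text):
    """Rejoin commands that the export wrapped with a trailing backslash.

    A wrap inside a quoted string carries no space, so concatenating the
    stripped next line restores the original text exactly."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def parse_export(text):
    """Map each '/path' section to a list of dicts, one per add/set command."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        for key, val, bare in TOKEN.findall(rest):
            if key:
                entry[key] = val.strip('"')
            elif "_name" not in entry:
                entry["_name"] = bare  # 'set telnet disabled=yes' -> telnet
        sections[current].append(entry)
    return sections


def audit(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    cfg = parse_export(text)
    findings = []
    rules = cfg.get("/ip firewall filter", [])
    active = [r for r in rules if r.get("disabled") != "yes"]
    if not active:
        findings.append(f"filter: {len(rules)} rules present, 0 active; "
                        "input and forward chains accept everything")
    input_drop = any(r.get("chain") == "input" and r.get("action") == "drop"
                     for r in active)
    dns_open = any(e.get("allow-remote-requests") == "yes"
                   for e in cfg.get("/ip dns", []))
    if dns_open and not input_drop:
        findings.append("dns: allow-remote-requests=yes with no active input "
                        "drop rule; the WAN side can use the router as a resolver")
    svc = {e["_name"]: e for e in cfg.get("/ip service", []) if "_name" in e}
    for name in ("telnet", "ftp", "www", "ssh", "api", "api-ssl"):
        if svc.get(name, {}).get("disabled") != "yes":
            findings.append(f"service: {name} is not disabled in the export")
    winbox_guarded = any(r.get("chain") == "input" and "8291" in r.get("dst-port", "")
                         for r in active)
    if svc.get("winbox", {}).get("disabled") != "yes" and not winbox_guarded:
        findings.append("winbox: tcp/8291 is enabled by default and no active "
                        "input rule restricts it")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in audit(source):
        print(finding)
```

Run with no argument it reports three findings for the excerpt (no active filter rules, DNS reachable from the WAN, winbox unguarded). Removing `disabled=yes` from the winbox rule and the final drop rule makes all three go away, which is the minimum a reviewer should expect before the firewall section of the quoted export is called "not overtly wrong". The parser treats any rule without disabled=yes as active, matching how RouterOS reads its own export.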