28 Jul 2015, 6:56 p.m.
Are you 100% sure this is only the internet connection which is affected when you see the issues and not the whole LAN? This may be left field here but I note the sonos commented in your config. These things are terrible with any semi smart network due to their STP operation (or lack of) and generally cause issues if not designed around, most notably their path cost. Are all these customers of yours running sonos in a similar setup (with a mtk being the 'core' of the switching as well)? The issue may very well be a loop/storm event rather than the ISP side of things, in which case you may need to work with a mtk bridge interface to get some STP control.

RJ

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 4:41 PM
To: Jason Hecker <jason@upandrunningtech.com.au>
Cc: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Just FYI, I normally disable all the bogon IP address stuff just in case that is having an impact.

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
[image: http://www.elogik.com.au] <http://www.elogik.com.au>

On Tue, Jul 28, 2015 at 6:34 PM, Ben Jackson <ben@elogik.net> wrote:

> Guys,
>
> Here is a typical config from one of my clients:
>
> # jul/28/2015 17:23:06 by RouterOS 6.30.2
> # software id = IU9F-WHTQ
> #
> /interface ethernet
> set [ find default-name=ether1 ] name=ether1-master-local
> set [ find default-name=ether2 ] master-port=ether1-master-local name=\
>     ether2-slave-local
> set [ find default-name=ether3 ] master-port=ether1-master-local name=\
>     ether3-slave-local
> set [ find default-name=ether4 ] master-port=ether1-master-local name=\
>     ether4-slave-local
> set [ find default-name=ether5 ] master-port=ether1-master-local name=\
>     ether5-slave-local
> set [ find default-name=ether6 ] master-port=ether1-master-local name=\
>     ether6-slave-local
> set [ find default-name=ether7 ] master-port=ether1-master-local name=\
>     ether7-slave-local
> set [ find default-name=ether8 ] master-port=ether1-master-local name=\
>     ether8-slave-local
> set [ find default-name=ether9 ] master-port=ether1-master-local name=\
>     ether9-slave-local
> set [ find default-name=ether10 ] master-port=ether1-master-local name=\
>     ether10-slave-local
> set [ find default-name=ether11 ] master-port=ether1-master-local name=\
>     ether11-slave-local
> set [ find default-name=ether12 ] master-port=ether1-master-local name=\
>     ether12-slave-local
> set [ find default-name=ether13 ] master-port=ether1-master-local name=\
>     ether13-slave-local
> set [ find default-name=ether14 ] master-port=ether1-master-local name=\
>     ether14-slave-local
> set [ find default-name=ether15 ] master-port=ether1-master-local name=\
>     ether15-slave-local
> set [ find default-name=ether16 ] master-port=ether1-master-local name=\
>     ether16-slave-local
> set [ find default-name=ether17 ] master-port=ether1-master-local name=\
>     ether17-slave-local
> set [ find default-name=ether18 ] master-port=ether1-master-local name=\
>     ether18-slave-local
> set [ find default-name=ether19 ] master-port=ether1-master-local name=\
>     ether19-slave-local
> set [ find default-name=ether20 ] master-port=ether1-master-local name=\
>     ether20-slave-local
> set [ find default-name=ether21 ] master-port=ether1-master-local name=\
>     ether21-slave-local
> set [ find default-name=ether22 ] master-port=ether1-master-local name=\
>     ether22-slave-local
> set [ find default-name=ether23 ] master-port=ether1-master-local name=\
>     ether23-slave-local
> set [ find default-name=ether24 ] name=ether24-gateway
> set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
>     sfp1-slave-local
> /ip pool
> add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> /ip dhcp-server
> add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
>     lease-time=1d name=dhcp1
> /ip address
> add address=192.168.88.1/24 comment="default configuration" interface=\
>     ether1-master-local network=192.168.88.0
> /ip dhcp-client
> add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
>     interface=ether24-gateway use-peer-ntp=yes
> /ip dhcp-server lease
> add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
>     comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
>     server=dhcp1
> add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
>     mac-address=00:0E:58:32:0E:1E server=dhcp1
> add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
>     mac-address=00:0E:58:32:0E:A0 server=dhcp1
> add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
>     mac-address=00:0E:58:32:0E:DA server=dhcp1
> add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
>     mac-address=00:0E:58:32:0E:AC server=dhcp1
> add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
>     "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
>     server=dhcp1
> add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
>     00:0E:58:24:65:B6 server=dhcp1
> add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \
>     mac-address=00:0E:58:24:64:9E server=dhcp1
> add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \
>     mac-address=00:0E:58:24:59:40 server=dhcp1
> add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
>     mac-address=00:0E:58:32:0F:9A server=dhcp1
> add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \
>     mac-address=00:0E:58:32:15:AC server=dhcp1
> add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
>     00:0E:58:24:6B:E8 server=dhcp1
> add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
>     server=dhcp1
> add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
>     "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
>     "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
>     04:18:D6:80:B3:85 server=dhcp1
> add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
>     "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
>     dhcp1
> add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
>     04:18:D6:80:B2:F9 server=dhcp1
> /ip dhcp-server network
> add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> /ip dns
> set allow-remote-requests=yes
> /ip firewall address-list
> add address=192.168.88.0/24 comment=\
>     "Support address list - full access to router allowed from this range" \
>     list=support
> add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
>     d this subnet before enable it" disabled=yes list=bogons
> add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
>     bogons
> add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
>     need this subnet before enable it" disabled=yes list=bogons
> add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
>     \_need this subnet before enable it" disabled=yes list=bogons
> add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
>     list=bogons
> add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
>     yes list=bogons
> add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
>     list=bogons
> add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
>     list=bogons
> add address=224.0.0.0/4 comment=\
>     "MC, Class D, IANA # Check if you need this subnet before enable it" \
>     disabled=yes list=bogons
> /ip firewall filter
> add action=add-src-to-address-list address-list=Syn_Flooder \
>     address-list-timeout=30m chain=input comment=\
>     "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
>     protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
>     src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner \
>     address-list-timeout=1w chain=input comment="Port Scanner Detect" \
>     disabled=yes protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=yes \
>     src-address-list=Port_Scanner
> add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
>     jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="Block all access to the winbox - except t\
>     o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
>     PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
>     src-address-list=!support
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
>     yes jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
>     dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers \
>     address-list-timeout=3h chain=forward comment=\
>     "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
>     yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
>     dst-port=25,587 protocol=tcp src-address-list=spammers
> add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> add chain=output disabled=yes dst-port=1723 protocol=tcp
> add chain=input disabled=yes dst-port=1723 protocol=tcp
> add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> add chain=input comment="Accept to established connections" connection-state=\
>     established disabled=yes
> add chain=input comment="Accept related connections" connection-state=related \
>     disabled=yes
> add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
>     src-address-list=support
> add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
>     icmp-options=8:0 limit=1,5 protocol=icmp
> add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
>     icmp
> add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
>     protocol=icmp
> add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
>     3:0-1 protocol=icmp
> add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> add action=drop chain=input comment="Drop invalid connections" \
>     connection-state=invalid disabled=yes
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
>     protocol=icmp
> add action=jump chain=output comment="Jump for icmp output" disabled=yes \
>     jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
>     dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
>     1/1m,9,dst-address/1m protocol=tcp
> add action=add-dst-to-address-list address-list=ftp_blacklist \
>     address-list-timeout=3h chain=output content="530 Login incorrect" \
>     disabled=yes protocol=tcp
> add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
>     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> add action=add-src-to-address-list address-list=ssh_blacklist \
>     address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
>     dst-port=22 protocol=tcp src-address-list=ssh_stage3
> add action=add-src-to-address-list address-list=ssh_stage3 \
>     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>     dst-port=22 protocol=tcp src-address-list=ssh_stage2
> add action=add-src-to-address-list address-list=ssh_stage2 \
>     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>     dst-port=22 protocol=tcp src-address-list=ssh_stage1
> add action=add-src-to-address-list address-list=ssh_stage1 \
>     address-list-timeout=1m chain=input connection-state=new disabled=yes \
>     dst-port=22 protocol=tcp
> add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
>     RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=ether24-gateway
> /ip firewall service-port
> set ftp disabled=yes
> set tftp disabled=yes
> set irc disabled=yes
> set h323 disabled=yes
> set sip disabled=yes
> set pptp disabled=yes
> /ip ipsec policy
> set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
> /ip service
> set telnet disabled=yes
> set ftp disabled=yes
> set www disabled=yes
> set ssh disabled=yes
> set api disabled=yes
> set api-ssl disabled=yes
> /system clock
> set time-zone-autodetect=no time-zone-name=Australia/Sydney
> /tool romon port
> add
>
>
> Ben Jackson
> eLogik
> m:0404 924745
> e: ben@elogik.net
> w: www.elogik.com.au
> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>
> On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>
>> Hi Ben,
>>
>> When the problem occurs again check the Routerboard for CPU use and
>> check profiling to see just what is keeping the CPU busy. Don't
>> overestimate the CPU in the 2011, it's not as quick as you think.
>> The new FastPath and FastTrack features will be something you'll be
>> interested in when routing something as fast as a cable modem so read
>> up on them and do try the latest firmware images.
>>
>> Jason
>>
>> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
>>
>>> Hi Jason,
>>>
>>> Yes - when I am using the RB2011's the gateway (WAN) port is not in
>>> any bridge or switch config and is routing only.
>>>
>>> When I first started installing Mikrotiks I used to bridge all the
>>> other ports, which I know uses the main CPU and not the switch chip,
>>> but my thinking was that the main CPU is more powerful and the
>>> router isn't exactly doing anything complex such as queues or heaps
>>> of firewall rules.
>>>
>>> However since then I have started using the master - slave switch
>>> chip function, especially on the 24 port CRS.
>>> On the RB2011's I slave all the gigabit ports to ether2 and slave
>>> all the 10/100 ports to ether6, then bridge the two, with ether1 as
>>> the WAN port. On the CRS I slave all the ports apart from ether24 to
>>> ether1. I then use ether24 as the WAN port.
>>>
>>> Ben Jackson
>>> eLogik
>>> m:0404 924745
>>> e: ben@elogik.net
>>> w: www.elogik.com.au
>>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>
>>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>
>>>> Hi
>>>>
>>>> OK, the current changelog on Mikrotik only goes back to 6.27 and
>>>> the current is at 6.30 so I can't even see if some related bug has
>>>> been fixed since 6.20. I'd suggest updating the software, reboot,
>>>> update the firmware, reboot and see if that helps.
>>>>
>>>> If in doubt beyond that, save export your config, factory reset and
>>>> reimport the config.
>>>>
>>>> What ports do you use on the 2011? Are the ports on 1Gb side
>>>> slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1
>>>> and Eth6 bridged?
>>>> Which port is connected to the modem? It should be on its own,
>>>> not slaved or bridged.
>>>>
>>>> Since 6.20 there have been some packet engine speedups that operate
>>>> at the bridge level and some interfaces (not PPPoE unfortunately).
>>>> You will definitely benefit using the new speedup options with NAT
>>>> on a DHCP based modem.
>>>>
>>>> Jason
>>>>
>>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>>
>>>> > Hi Jason,
>>>> >
>>>> > I have customers on a few different ROS versions, normally nothing
>>>> > earlier than 6.18 - and I always make sure the firmware is at a
>>>> > matching level. I think the majority right now are at 6.20.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Ben Jackson
>>>> > eLogik
>>>> > m:0404 924745
>>>> > e: ben@elogik.net
>>>> > w: www.elogik.com.au
>>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >
>>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>> >
>>>> >> What version of RouterOS are you using and what level is the
>>>> >> firmware at?
>>>> >>
>>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>> >>
>>>> >> > Hi RJ,
>>>> >> >
>>>> >> > Yep - that's exactly what I do.
>>>> >> >
>>>> >> > I know it's not congestion because when I reboot the mikrotik or
>>>> >> > simply renew the dhcp client address on the gateway port the
>>>> >> > whole system springs back to life.
>>>> >> >
>>>> >> > Thanks,
>>>> >> >
>>>> >> > Ben Jackson
>>>> >> > eLogik
>>>> >> > m:0404 924745
>>>> >> > e: ben@elogik.net
>>>> >> > w: www.elogik.com.au
>>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> >
>>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>> >> >
>>>> >> > > Hi Ben,
>>>> >> > >
>>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't
>>>> >> > > exhibit this behaviour.
>>>> >> > >
>>>> >> > > Their setups are very straight forward:
>>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
>>>> >> > > -DHCP client on the appropriate physical mkt interface
>>>> >> > > -masq that interface
>>>> >> > > -firewall filter as usual
>>>> >> > >
>>>> >> > > Do you have anything different in your configurations?
>>>> >> > >
>>>> >> > > Cheers,
>>>> >> > > RJ
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at
>>>> >> > > least the one they present, this usually happens if a config has
>>>> >> > > been uploaded to them without MAC addresses removed.
>>>> >> > >
>>>> >> > > There is an option in the interface settings called "Reset MAC
>>>> >> > > Address", try clicking this on the interface you have plugged
>>>> >> > > into the NTU, it will reset the MAC address back to or force it
>>>> >> > > to be the actual physical MAC just in case anything has changed.
>>>> >> > >
>>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds
>>>> >> > > of locations for ADSL and Ethernet services and never have one
>>>> >> > > issue.
>>>> >> > >
>>>> >> > > Regards
>>>> >> > > Paul
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>> >> > > To: MikroTik Australia Public List
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there
>>>> >> > > should be almost nothing to go wrong in this type of set-up.
>>>> >> > > The NTU is definitely in bridge mode - as evidenced by the radio
>>>> >> > > button saying "Bridge Mode" on the web GUI ;) and I have a DHCP
>>>> >> > > client running on ether24 of the CRS (or sometimes ether 1)
>>>> >> > > which immediately binds the public IP address to itself.
>>>> >> > >
>>>> >> > > I understand about the MAC based DHCP which the ISP's use, I
>>>> >> > > have had issues in the past (no longer seems to be an issue)
>>>> >> > > where I have had to spoof the MAC address of the NTU to get a
>>>> >> > > DHCP address. I have also noticed if my MBP is the first device
>>>> >> > > to connect to the NTU while in bridge mode, sometimes I need to
>>>> >> > > power cycle the device to "deregister" the MAC address of the
>>>> >> > > MBP. I am able to get a binding on the MikroTik after this
>>>> >> > > process is complete.
>>>> >> > >
>>>> >> > > But, in this instance this is not the problem unless somehow the
>>>> >> > > MAC address of the MikroTik ether port is changing - is this
>>>> >> > > possible? I must admit, my progress on this is somewhat hampered
>>>> >> > > by not having a cable setup to test on at home - I run ADSL.
>>>> >> > >
>>>> >> > > I'm pretty sure that nothing else on the network would be able
>>>> >> > > to bind its MAC address to the public IP before the MikroTik
>>>> >> > > has had a chance to - although I must admit I hadn't thought of
>>>> >> > > that so I'll check it out in more detail.
>>>> >> > >
>>>> >> > > I am also inclined to agree with you that this is not solely a
>>>> >> > > Mikrotik issue.
>>>> >> > > It seems to me that it is the magic (or not so magic)
>>>> >> > > combination of the ISP's hardware and the MikroTik that seems to
>>>> >> > > cause the problem. I have tried other brands of router which do
>>>> >> > > not seem to exhibit the issue, however these devices do not have
>>>> >> > > the great feature set of the MikroTik and are often not
>>>> >> > > rack-mountable. Trotting out the "It's not a Mikrotik issue"
>>>> >> > > line is starting to wear very thin with both my customers and
>>>> >> > > colleagues. Although my gut feeling is that it isn't - I need
>>>> >> > > proof and I don't know where to start. This is happening far too
>>>> >> > > often for it to be a coincidence or a faulty device.
>>>> >> > >
>>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL
>>>> >> > > / pppoe connections in bridge mode too, I sent an email about
>>>> >> > > this some time ago and it still plagues me from time to time.
>>>> >> > >
>>>> >> > > The type of installations I am doing are not your typical home
>>>> >> > > setups and customers are paying a lot of money for a supposedly
>>>> >> > > "commercial-grade" solution which is only adding to my stresses.
>>>> >> > >
>>>> >> > > Do any of you guys out there use a MikroTik as your home router
>>>> >> > > - how do you set it up? Have you seen issues like this?
>>>> >> > >
>>>> >> > > One thing I have noticed is that the issue seems to be much more
>>>> >> > > prevalent with the newer DOCSIS 3.0 netgear / telstra / optus
>>>> >> > > modems. No idea why. Any cable experts out there?
>>>> >> > >
>>>> >> > > Thanks again,
>>>> >> > >
>>>> >> > >
>>>> >> > > Ben Jackson
>>>> >> > > eLogik
>>>> >> > > m:0404 924745
>>>> >> > > e: ben@elogik.net
>>>> >> > > w: www.elogik.com.au
>>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> > >
>>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>> >> > >
>>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and
>>>> >> > > > Optus Cable networks use MAC based DHCP, they bind the IP to
>>>> >> > > > the MAC of the NTU or in the case of bridge mode the first
>>>> >> > > > client that makes a request, and often you have trouble with
>>>> >> > > > these things because of this, I don't really think it's a
>>>> >> > > > Mikrotik thing.
>>>> >> > > >
>>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on
>>>> >> > > > the interface plugged into the NTU and the NTU is truly in
>>>> >> > > > bridge mode and the Mikrotik is the only thing plugged into the
>>>> >> > > > NTU I can't see why it would be having issues.
>>>> >> > > >
>>>> >> > > > Is there any chance that another device might somehow be
>>>> >> > > > getting a DHCP request through to the NTU somehow the way you
>>>> >> > > > have it all plugged in?
>>>> >> > > >
>>>> >> > > > Regards
>>>> >> > > > Paul
>>>> >> > > >
>>>> >> > > > -----Original Message-----
>>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>> >> > > > To: MikroTik Australia Public List
>>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > > >
>>>> >> > > > Hi All,
>>>> >> > > >
>>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this
>>>> >> > > > one.
>>>> >> > > >
>>>> >> > > > We use Mikrotik gear (Mainly RB2011's and more recently, the
>>>> >> > > > CRS125-24G) in large residential AV situations where
>>>> >> > > > invariably, the Mikrotik is in dhcp client mode, in a cable
>>>> >> > > > internet scenario where Telstra's / Optus's modem has been
>>>> >> > > > placed into "bridge" mode (NAT switched off) and the
>>>> >> > > > carrier-supplied WAN IP address gets bound to the gateway
>>>> >> > > > interface of the Mikrotik.
>>>> >> > > >
>>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3
>>>> >> > > > UniFi access points, and at least 3-4 zones of Sonos. On
>>>> >> > > > initial set up, everything seems to work great, with the full
>>>> >> > > > bandwidth of the cable modem getting passed on to the rest of
>>>> >> > > > the network, even when 802.11 clients are connected (a
>>>> >> > > > testament to the UniFi's in my opinion - I only use dual band
>>>> >> > > > Pro AP's).
>>>> >> > > >
>>>> >> > > > However, after a week or so the internet connection seems to
>>>> >> > > > get either very slow, or stop working altogether.
>>>> >> > > > If I look in the logs (with dhcp logging switched on) I can see
>>>> >> > > > regular NAK's getting passed from the dhcp server on the cable
>>>> >> > > > modem. The problem is I don't really understand how DHCP works
>>>> >> > > > on cable modems. I'm assuming every so often the cable modem
>>>> >> > > > gets a new IP address from the carrier (normally after a reset)
>>>> >> > > > and at this point the modem is not passing this new address
>>>> >> > > > onto the Mikrotik which is effectively cut off from the
>>>> >> > > > internet. Since we are stuck with using Bigpond and Optus
>>>> >> > > > modems these are the only solutions I have discovered which
>>>> >> > > > seem to stop the issue from occurring (at least as regularly).
>>>> >> > > >
>>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all
>>>> >> > > > extraneous services such as Wi-Fi, and also put one IP address
>>>> >> > > > in the dhcp pool so that the Mikrotik always gets the same
>>>> >> > > > private IP address. However, this creates a double nat
>>>> >> > > > situation which means I can no longer perform reliable port
>>>> >> > > > forwarding for things such as DVR's and CBus controllers (which
>>>> >> > > > I find the Mikrotik's great for).
>>>> >> > > >
>>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port
>>>> >> > > > forwarding (which is a joke on these devices) and firewall
>>>> >> > > > tasks for the entire LAN and turn the CRS into an unmanaged L2
>>>> >> > > > switch. The main problem here is that these Bigpond devices
>>>> >> > > > simply do not have the grunt to deal with large networks with
>>>> >> > > > lots of AV streaming and control happening.
>>>> >> > > >
>>>> >> > > > Since both of the above have severe drawbacks in terms of
>>>> >> > > > functionality, I wonder if anyone has had similar experiences
>>>> >> > > > as I am just about ready to dump the MikroTik's and start
>>>> >> > > > looking at other options in the hope that they play better with
>>>> >> > > > the Bigpond gear.
>>>> >> > > >
>>>> >> > > > Thanks in advance,
>>>> >> > > >
>>>> >> > > >
>>>> >> > > > Ben Jackson
>>>> >> > > > eLogik
>>>> >> > > > m:0404 924745
>>>> >> > > > e: ben@elogik.net
>>>> >> > > > w: www.elogik.com.au
>>>> >> > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> > > > _______________________________________________
>>>> >> > > > Public mailing list
>>>> >> > > > Public@talk.mikrotik.com.au
>>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
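
Added example, not part of the thread or any poster's own tooling: in the export quoted above every `/ip firewall filter` rule carries `disabled=yes`, `/ip dns` has `allow-remote-requests=yes`, Winbox is not among the disabled `/ip service` entries, and the carrier address sits directly on `ether24-gateway`. The Python below parses an export and reports that combination; `parse_export`, `audit`, the trimmed sample and the default-service set are assumptions introduced here.

```python
import re

# Constructed sample: a trimmed excerpt modelled on the export quoted in the
# thread, in RouterOS export layout (menu path on its own line, "\" line
# continuations). It is not the poster's complete configuration.
SAMPLE_EXPORT = r'''
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether24-gateway use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add action=drop chain=input comment="Drop anything else!" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
'''

# key=value pairs; a value is a double-quoted string or a bare word.
PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumption (not stated in the thread): the services RouterOS 6 enables by
# default. A compact export lists only changed settings, so a service missing
# from "/ip service" is treated as still at its default.
DEFAULT_ENABLED = {'telnet', 'ftp', 'www', 'ssh', 'api', 'winbox', 'api-ssl'}


def parse_export(text):
    """Return (menu, verb, positional_args, properties) for every command."""
    joined = re.sub(r'\\\n[ \t]*', '', text)  # undo "\" line continuations
    menu, commands = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):  # a menu path such as "/ip firewall filter"
            menu = line
            continue
        verb, _, rest = line.partition(' ')
        props = {key: value.strip('"') for key, value in PAIR.findall(rest)}
        positional = [t for t in PAIR.sub('', rest).split() if t not in ('[', ']')]
        commands.append((menu, verb, positional, props))
    return commands


def enabled(props):
    return props.get('disabled', 'no') != 'yes'


def audit(text):
    """Summarise what the router itself exposes on its DHCP-client (WAN) port."""
    cmds = parse_export(text)
    wan = sorted({p['interface'] for m, v, _, p in cmds
                  if m == '/ip dhcp-client' and v == 'add'
                  and enabled(p) and 'interface' in p})
    input_rules = [p for m, v, _, p in cmds
                   if m == '/ip firewall filter' and v == 'add'
                   and p.get('chain') == 'input']
    active = [p for p in input_rules if enabled(p)]
    switched_off = {a[0] for m, v, a, p in cmds
                    if m == '/ip service' and v == 'set' and a and not enabled(p)}
    listening = sorted(DEFAULT_ENABLED - switched_off)
    remote_dns = any(m == '/ip dns' and p.get('allow-remote-requests') == 'yes'
                     for m, _, _, p in cmds)
    findings = []
    if wan and not active:
        findings.append(f"input chain: {len(input_rules)} rule(s) defined, 0 enabled; "
                        f"nothing filters traffic arriving on {', '.join(wan)}")
        if remote_dns:
            findings.append("dns: allow-remote-requests=yes, so the resolver "
                            "also answers queries arriving on the WAN port")
        findings += [f"service: {svc} is not disabled and no input rule restricts it"
                     for svc in listening]
    return {'wan': wan, 'input_rules': len(input_rules),
            'active_input_rules': len(active), 'listening': listening,
            'findings': findings}


if __name__ == '__main__':
    for finding in audit(SAMPLE_EXPORT)['findings']:
        print(finding)
```

Enabling the export's own accept rules and its final input-chain drop rule (after adding the management subnet to the `support` list, as its comments instruct) clears all three findings.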