Can you run the modems in a PPPoE bridged mode? On 13 August 2015 at 17:49, Ben Jackson <ben@elogik.net> wrote:
OK all the problems are back. I'm still getting customers whose networks are grinding to a halt after making the changes I detailed above. As always after changing the config, everything seems to run great for a few weeks and then everything falls over in a heap again. If I run direct through the modem (any DOCSIS version) the speeds return to normal immediately.
I did find this post on the forum http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try in a controlled environment.
Someone somewhere HAS to be expereincing this same issue - it's happening with too many customers to be a coincidence.
You guys have checked my config and no-one has flagged anything as being immediately wrong so I'm really at a loss. The only other common factor here seems to be SONOS and I am talking to playback about any issues they may have seen with MikroTik (which they unofficially recommend).
Ben
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.
Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.
Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log.
I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.
Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc in the logs.
These actions also improved my customers who run PPPoE over ADSL.
It's been a very busy week!
Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.
Ben
On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple le switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether01 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Wednesday, 29 July 2015 7:27 PM To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting inlcuding DHCP reservations and port forwarding. Ugh Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router * Use basic NAT (no change); * Use the DCHP client (no change); * Use DHCP server without any reservations; * Slave and bridge the switch ports appropriately (no change); * Lastest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
> Guys, > > Here is a typical config from one of my clients: > > # jul/28/2015 17:23:06 by RouterOS 6.30.2 # software id = IU9F-WHTQ > # /interface ethernet set [ find default-name=ether1 ] > name=ether1-master-local set [ find default-name=ether2 ] > master-port=ether1-master-local name=\ > ether2-slave-local > set [ find default-name=ether3 ] master-port=ether1-master-local name=\ > ether3-slave-local > set [ find default-name=ether4 ] master-port=ether1-master-local name=\ > ether4-slave-local > set [ find default-name=ether5 ] master-port=ether1-master-local name=\ > ether5-slave-local > set [ find default-name=ether6 ] master-port=ether1-master-local name=\ > ether6-slave-local > set [ find default-name=ether7 ] master-port=ether1-master-local name=\ > ether7-slave-local > set [ find default-name=ether8 ] master-port=ether1-master-local name=\ > ether8-slave-local > set [ find default-name=ether9 ] master-port=ether1-master-local name=\ > ether9-slave-local > set [ find default-name=ether10 ] master-port=ether1-master-local name=\ > ether10-slave-local > set [ find default-name=ether11 ] master-port=ether1-master-local name=\ > ether11-slave-local > set [ find default-name=ether12 ] master-port=ether1-master-local name=\ > ether12-slave-local > set [ find default-name=ether13 ] master-port=ether1-master-local name=\ > ether13-slave-local > set [ find default-name=ether14 ] master-port=ether1-master-local name=\ > ether14-slave-local > set [ find default-name=ether15 ] master-port=ether1-master-local name=\ > ether15-slave-local > set [ find default-name=ether16 ] master-port=ether1-master-local name=\ > ether16-slave-local > set [ find default-name=ether17 ] master-port=ether1-master-local name=\ > ether17-slave-local > set [ find default-name=ether18 ] master-port=ether1-master-local name=\ > ether18-slave-local > set [ find default-name=ether19 ] master-port=ether1-master-local name=\ > ether19-slave-local > set [ find default-name=ether20 ] master-port=ether1-master-local name=\ > ether20-slave-local > set [ find default-name=ether21 ] master-port=ether1-master-local name=\ > ether21-slave-local > set [ find default-name=ether22 ] master-port=ether1-master-local name=\ > ether22-slave-local > set [ find default-name=ether23 ] master-port=ether1-master-local name=\ > ether23-slave-local > set [ find default-name=ether24 ] name=ether24-gateway set [ find > default-name=sfp1 ] master-port=ether1-master-local name=\ > sfp1-slave-local > /ip pool > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200 > /ip dhcp-server > add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \ > lease-time=1d name=dhcp1 > /ip address > add address=192.168.88.1/24 comment="default configuration" interface=\ > ether1-master-local network=192.168.88.0 /ip dhcp-client add > default-route-distance=0 dhcp-options=hostname,clientid disabled=no \ > interface=ether24-gateway use-peer-ntp=yes /ip dhcp-server lease > add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \ > comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \ > server=dhcp1 > add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e > \ > mac-address=00:0E:58:32:0E:1E server=dhcp1 add > address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 > \ > mac-address=00:0E:58:32:0E:A0 server=dhcp1 add > address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da > \ > mac-address=00:0E:58:32:0E:DA server=dhcp1 add > address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac > \ > mac-address=00:0E:58:32:0E:AC server=dhcp1 add > address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\ > "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \ > server=dhcp1 > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\ > 00:0E:58:24:65:B6 server=dhcp1 > add address=192.168.88.106 always-broadcast=yes > client-id=1:0:e:58:24:64:9e \ > mac-address=00:0E:58:24:64:9E server=dhcp1 add > address=192.168.88.107 always-broadcast=yes > client-id=1:0:e:58:24:59:40 \ > mac-address=00:0E:58:24:59:40 server=dhcp1 add > address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a > \ > mac-address=00:0E:58:32:0F:9A server=dhcp1 add > address=192.168.88.109 always-broadcast=yes > client-id=1:0:e:58:32:15:ac \ > mac-address=00:0E:58:32:15:AC server=dhcp1 add > address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\ > 00:0E:58:24:6B:E8 server=dhcp1 > add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \ > server=dhcp1 > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\ > "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A > server=dhcp1 add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\ > "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D > server=dhcp1 > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\ > 04:18:D6:80:B3:85 server=dhcp1 > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\ > "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\ > dhcp1 > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\ > 04:18:D6:80:B2:F9 server=dhcp1 > /ip dhcp-server network > add address=192.168.88.0/24 dns-server=192.168.88.1 > gateway=192.168.88.1 /ip dns set allow-remote-requests=yes /ip > firewall address-list add address=192.168.88.0/24 comment=\ > "Support address list - full access to router allowed from this range" > \ > list=support > add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if > you nee\ > d this subnet before enable it" disabled=yes list=bogons > add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons > add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes > list=\ > bogons > add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if > you \ > need this subnet before enable it" disabled=yes list=bogons > add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check > if you\ > \_need this subnet before enable it" disabled=yes list=bogons > add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" > disabled=yes \ > list=bogons > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" > disabled=\ > yes list=bogons > add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons > add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" > disabled=yes \ > list=bogons > add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" > disabled=yes \ > list=bogons > add address=224.0.0.0/4 comment=\ > "MC, Class D, IANA # Check if you need this subnet before enable it" \ > disabled=yes list=bogons > /ip firewall filter > add action=add-src-to-address-list address-list=Syn_Flooder \ > address-list-timeout=30m chain=input comment=\ > "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \ > protocol=tcp tcp-flags=syn > add action=drop chain=input comment="Drop to syn flood list" disabled=yes \ > src-address-list=Syn_Flooder > add action=add-src-to-address-list address-list=Port_Scanner \ > address-list-timeout=1w chain=input comment="Port Scanner Detect" \ > disabled=yes protocol=tcp psd=21,3s,3,1 > add action=drop chain=input comment="Drop to port scan list" disabled=yes \ > src-address-list=Port_Scanner > add action=jump chain=input comment="Jump for icmp input flow" > disabled=yes \ > jump-target=ICMP protocol=icmp > add action=drop chain=input comment="Block all access to the winbox - > except t\ > o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE > SUP\ > PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \ > src-address-list=!support > add action=jump chain=forward comment="Jump for icmp forward flow" > disabled=\ > yes jump-target=ICMP protocol=icmp > add action=drop chain=forward comment="Drop IP's in bogon list" > disabled=yes \ > dst-address-list=bogons > add action=add-src-to-address-list address-list=spammers \ > address-list-timeout=3h chain=forward comment=\ > "Add Spammers to the list for 3 hours" connection-limit=30,32 > disabled=\ > yes dst-port=25,587 limit=30/1m,0 protocol=tcp > add action=drop chain=forward comment="Avoid spammers action" disabled=yes > \ > dst-port=25,587 protocol=tcp src-address-list=spammers > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 > protocol=udp > add chain=output disabled=yes dst-port=1723 protocol=tcp > add chain=input disabled=yes dst-port=1723 protocol=tcp > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 > protocol=tcp > add chain=input comment="Accept to established connections" > connection-state=\ > established disabled=yes > add chain=input comment="Accept related connections" > connection-state=related \ > disabled=yes > add chain=input comment="Allow SUPPORT address list full access" > disabled=yes \ > src-address-list=support > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \ > icmp-options=8:0 limit=1,5 protocol=icmp > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 > protocol=\ > icmp > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \ > protocol=icmp > add chain=ICMP comment="Destination unreachable" disabled=yes > icmp-options=\ > 3:0-1 protocol=icmp > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp > add action=drop chain=input comment="Drop invalid connections" \ > connection-state=invalid disabled=yes > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \ > protocol=icmp > add action=jump chain=output comment="Jump for icmp output" disabled=yes \ > jump-target=ICMP protocol=icmp > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \ > dst-port=21 protocol=tcp src-address-list=ftp_blacklist > add chain=output content="530 Login incorrect" disabled=yes dst-limit=\ > 1/1m,9,dst-address/1m protocol=tcp > add action=add-dst-to-address-list address-list=ftp_blacklist \ > address-list-timeout=3h chain=output content="530 Login incorrect" \ > disabled=yes protocol=tcp > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_blacklist > add action=add-src-to-address-list address-list=ssh_blacklist \ > address-list-timeout=1w3d chain=input connection-state=new > disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage3 > add action=add-src-to-address-list address-list=ssh_stage3 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage2 > add action=add-src-to-address-list address-list=ssh_stage2 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage1 > add action=add-src-to-address-list address-list=ssh_stage1 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE > THIS \ > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes > /ip firewall nat > add action=masquerade chain=srcnat out-interface=ether24-gateway > /ip firewall service-port > set ftp disabled=yes > set tftp disabled=yes > set irc disabled=yes > set h323 disabled=yes > set sip disabled=yes > set pptp disabled=yes > /ip ipsec policy > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 > /ip service > set telnet disabled=yes > set ftp disabled=yes > set www disabled=yes > set ssh disabled=yes > set api disabled=yes > set api-ssl disabled=yes > /system clock > set time-zone-autodetect=no time-zone-name=Australia/Sydney > /tool romon port > add > > > Ben Jackson > eLogik > m:0404 924745 > e: ben@elogik.net > w: www.elogik.com.au > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > jason@upandrunningtech.com.au> wrote: > >> Hi Ben, >> >> When the problem occurs again check the Routerboard for CPU use and check >> profiling to see just what is keeping the CPU busy. Don't overestimate the >> CPU in the 2011, it's not as quick as you think. The new FastPath and >> FastTrack features will be something you'll be interested in when routing >> something as fast as a cable modem so read up on them and do try the latest >> firmware images. >> >> Jason >> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote: >> >>> Hi Jason, >>> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any >>> bridge or switch config and is routing only. >>> >>> When I first started installing Mikrotiks I used to bridge all the other >>> ports, which I know uses the main CPU and not the switch chip, but my >>> thinking was that the main CPU is more powerful and the router isn't >>> exactly doing anything complex such as queues or heaps of firewall rules. >>> >>> However since then I have started using the master - slave switch chip >>> function, especially on the 24 port CRS. On the RB2011's I slave all the >>> gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then >>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the >>> ports apart from ether24 to ether1. I then use ether24 as the WAN port. >>> >>> Ben Jackson >>> eLogik >>> m:0404 924745 >>> e: ben@elogik.net >>> w: www.elogik.com.au >>> [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) < >>> jason@upandrunningtech.com.au> wrote: >>> >>>> Hi >>>> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the >>>> current is at 6.30 so I can't even see if some related bug has been >>>> fixed >>>> since 6.20. I'd suggest updating the software, reboot, update the >>>> firmware, reboot and see if that helps. >>>> >>>> If in doubt beyond that, save export your config, factory reset and >>>> reimport the config. >>>> >>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to >>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 >>>> bridged? >>>> Which port is connected to the modem? It should be on it's own, not >>>> slaved >>>> or bridged. >>>> >>>> Since 6.20 there have been some packet engine speedups that operate at >>>> the >>>> bridge level and some interfaces (not PPPoE unfortunately). You will >>>> definitely benefit using the new speedup options with NAT on a DHCP >>>> based >>>> modem. >>>> >>>> Jason >>>> >>>> >>>> >>>> >>>> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote: >>>> >>>> > Hi Jason, >>>> > >>>> > I have customers at on few different ROS versions, normally nothing >>>> earier >>>> > than 6.18 - and I always make sure the firmware is at a matching >>>> level. I >>>> > think the majority right now are at 6.20. >>>> > >>>> > Thanks >>>> > >>>> > Ben Jackson >>>> > eLogik >>>> > m:0404 924745 >>>> > e: ben@elogik.net >>>> > w: www.elogik.com.au >>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au
>>>> > >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) < >>>> > jason@upandrunningtech.com.au> wrote: >>>> > >>>> >> What version of RouterOS are you using and what level is the >>>> firmware at? >>>> >> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote: >>>> >> >>>> >> > Hi RJ, >>>> >> > >>>> >> > Yep - that's exactly what I do. >>>> >> > >>>> >> > I know it's not congestion because when I reboot the mikrotik or >>>> simply >>>> >> > renew the dhcp client address on the gateway port the whole system >>>> >> springs >>>> >> > back to life. >>>> >> > >>>> >> > Thanks, >>>> >> > >>>> >> > Ben Jackson >>>> >> > eLogik >>>> >> > m:0404 924745 >>>> >> > e: ben@elogik.net >>>> >> > w: www.elogik.com.au >>>> >> > [image: http://www.elogik.com.au] < http://www.elogik.com.au> >>>> >> > >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer < >>>> RJ.Plummer@4logic.com.au> >>>> >> > wrote: >>>> >> > >>>> >> > > Hi Ben, >>>> >> > > >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't >>>> exhibit >>>> >> > > this behaviour. >>>> >> > > >>>> >> > > Their setups are very straight forward: >>>> >> > > -Bridge the cable modem (same cable modem model as you describe) >>>> >> > > -DHCP client on the appropriate physical mkt interface >>>> >> > > -masq that interface >>>> >> > > -firewall filter as usual >>>> >> > > >>>> >> > > Do you have anything different in your configurations? >>>> >> > > >>>> >> > > Cheers, >>>> >> > > RJ >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto: public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Paul Julian >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM >>>> >> > > To: 'MikroTik Australia Public List' < >>>> public@talk.mikrotik.com.au> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at >>>> least >>>> >> the >>>> >> > > one they present, this usually happens if a config has been >>>> uploaded >>>> >> to >>>> >> > > them without MAC addresses removed. >>>> >> > > >>>> >> > > There is an option in the interface settings called "Reset MAC >>>> >> Address", >>>> >> > > try clicking this on the interface you have plugged into the >>>> NTU, it >>>> >> will >>>> >> > > reset the MAC address back to or force it to be the actually >>>> physical >>>> >> MAC >>>> >> > > just in case anything has changed. >>>> >> > > >>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in >>>> hundreds of >>>> >> > > locations for ADSL and Ethernet services and never have one >>>> issue. >>>> >> > > >>>> >> > > Regards >>>> >> > > Paul >>>> >> > > >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto: public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Ben Jackson >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM >>>> >> > > To: MikroTik Australia Public List >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there >>>> should be >>>> >> > > almost nothing to go wrong in this type of set-up. The NTU is >>>> >> definitely >>>> >> > in >>>> >> > > bridge mode - as evidenced by the radio button saying "Bridge >>>> Mode" on >>>> >> > the >>>> >> > > web GUI ;) and I have a DHCP client running on ether24 of the >>>> CRS (or >>>> >> > > sometimes ether 1) which immediately binds the public IP address >>>> to >>>> >> > itself. >>>> >> > > >>>> >> > > I understand about the MAC based DHCP which the ISP's use, I >>>> have had >>>> >> > > issues in the past (no longer seems to be as issue) where I have >>>> had >>>> >> to >>>> >> > > spoof the MAC address of the NTU to get a DHCP address. I have >>>> also >>>> >> > noticed >>>> >> > > if my MBP is the first device to connect to the NTU while in >>>> bridge >>>> >> mode, >>>> >> > > sometimes I need to power cycle the device to "deregister" the >>>> MAC >>>> >> > address >>>> >> > > of the MBP. I am able to get a binding on the MikroTik after this >>>> >> process >>>> >> > > is complete. >>>> >> > > >>>> >> > > But, in this instance this is not the problem unless somehow the >>>> MAC >>>> >> > > address of the MikroTik ether port is changing - is this >>>> possible? I >>>> >> must >>>> >> > > admit, my progress on this is somewhat hampered by not having a >>>> cable >>>> >> > setup >>>> >> > > to test on at home - I run ADSL. >>>> >> > > >>>> >> > > I'm pretty sure that nothing else on the network would be able >>>> to bind >>>> >> > > it's MAC address to the public IP before the MikroTik has had a >>>> chance >>>> >> > to - >>>> >> > > although I must admit I hadn't though of that so I'll check it >>>> out in >>>> >> > more >>>> >> > > detail. >>>> >> > > >>>> >> > > I am also inclined to agree with you that this is not solely a >>>> >> Mikrotik >>>> >> > > issue. It seems to me that it is the magic (or not so magic) >>>> >> combination >>>> >> > of >>>> >> > > the ISP's hardware and the MikroTik that seems to cause the >>>> problem. I >>>> >> > have >>>> >> > > tried other brands of router which do not seem to exhibit the >>>> issue, >>>> >> > > however these devices do not have the great feature set of the >>>> >> MikroTik >>>> >> > and >>>> >> > > are often not rack-mountable. Trotting out the "It's not a >>>> Mikrotik >>>> >> > issue" >>>> >> > > line is starting to wear very thin with both my customers and >>>> >> colleagues. >>>> >> > > Although my gut feeling is that it isn't - I need proof and I >>>> don't >>>> >> know >>>> >> > > where to start. This is happening far too often for it to be a >>>> >> > coincidence >>>> >> > > or a faulty device. >>>> >> > > >>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL >>>> / >>>> >> pppoe >>>> >> > > connections in bridge mode too, I sent an email about this some >>>> time >>>> >> ago >>>> >> > > and it still plagues me from time to time. >>>> >> > > >>>> >> > > The type of installations I am doing are not your typical home >>>> setups >>>> >> and >>>> >> > > customers are paying a lot of money for a supposedly >>>> >> "commercial-grade" >>>> >> > > solution which is only adding to my stresses. >>>> >> > > >>>> >> > > Do any of you guys out there use a MikroTik as your home router >>>> - how >>>> >> do >>>> >> > > you set it up? Have you seen issues like this? >>>> >> > > >>>> >> > > One thing I have noticed is that the issue seems to be much more >>>> >> > prevalent >>>> >> > > with the newer DOCSIS 3.0 netgear / telstra / optus modems. No >>>> idea >>>> >> why. >>>> >> > > Any cable experts out there? >>>> >> > > >>>> >> > > Thanks again, >>>> >> > > >>>> >> > > >>>> >> > > Ben Jackson >>>> >> > > eLogik >>>> >> > > m:0404 924745 >>>> >> > > e: ben@elogik.net >>>> >> > > w: www.elogik.com.au >>>> >> > > [image: http://www.elogik.com.au] < http://www.elogik.com.au> >>>> >> > > >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian < >>>> >> > paul@oxygennetworks.com.au> >>>> >> > > wrote: >>>> >> > > >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and >>>> Optus >>>> >> Cable >>>> >> > > > networks use MAC based DHCP, they bind the IP to the MAC of >>>> the NTU >>>> >> or >>>> >> > > > in the case of bridge mode the first client that makes a >>>> request, >>>> >> and >>>> >> > > > often you have trouble with these things because of this, I >>>> don't >>>> >> > > > really think it's a Mikrotik thing. >>>> >> > > > >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC >>>> on the >>>> >> > > > interface plugged into the NTU and the NTU is truly in bridge >>>> mode >>>> >> and >>>> >> > > > the Mikrotik is the only thing plugged into the NTU I can't >>>> see why >>>> >> > > > it would be having issues. >>>> >> > > > >>>> >> > > > Is there any chance that another device might somehow be >>>> getting a >>>> >> > > > DHCP request through to the NTU somehow the way you have it all >>>> >> plugged >>>> >> > > in ? >>>> >> > > > >>>> >> > > > Regards >>>> >> > > > Paul >>>> >> > > > >>>> >> > > > -----Original Message----- >>>> >> > > > From: Public [mailto: public-bounces@talk.mikrotik.com.au ] On >>>> >> Behalf Of >>>> >> > > > Ben Jackson >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM >>>> >> > > > To: MikroTik Australia Public List >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > > >>>> >> > > > Hi All, >>>> >> > > > >>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with >>>> this one. >>>> >> > > > >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and and more recently, >>>> the >>>> >> > > > CRS125-24G) in large residential AV situations where >>>> invariably, the >>>> >> > > > Mikrotik is in dhcp client mode, in a cable internet scenario >>>> where >>>> >> > > > Telstra's / Optus's modem has been placed into "bridge" mode >>>> (NAT >>>> >> > > > switched >>>> >> > > > off) and the carrier-supplied WAN IP address gets bound to the >>>> >> gateway >>>> >> > > > interface of the Mikrotik. >>>> >> > > > >>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 >>>> UniFi >>>> >> > > > access points, and at least 3-4 zones of Sonos. On initial set >>>> up, >>>> >> > > > everything seems to work great, with the full bandwidth of the >>>> cable >>>> >> > > > modem getting passed on to the rest of the network, even when >>>> 802.11 >>>> >> > > > clients are connected (a testament to the UniFi's I my opinion >>>> - I >>>> >> > > > only use dual band Pro AP's). >>>> >> > > > >>>> >> > > > However, after a week or so the internet connection seems to >>>> get >>>> >> > > > either very slow, or stop working altogether. If I look in the >>>> logs >>>> >> > > > (with dhcp logging switched on) I can see regular NAK's getting >>>> >> passed >>>> >> > > > from the dhcp server on the cable modem. The problem is I don't >>>> >> really >>>> >> > > > understand how DHCP works on cable modems. I'm assuming every >>>> so >>>> >> often >>>> >> > > > the cable modem gets a new IP address from the carrier >>>> (normally >>>> >> after >>>> >> > > > a reset) and at this point the modem is not passing this new >>>> address >>>> >> > > > onto the Mikrotik which is effectively cut off from the >>>> internet. >>>> >> > > > Since we are stuck with using Bigpond and Optus modems these >>>> are the >>>> >> > > > only solutions I have discovered which seem to stop the issue >>>> from >>>> >> > > occurring (at least as regularly). >>>> >> > > > >>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all >>>> >> > > > extraneous services such as Wi-Fi, and also put one IP address >>>> in >>>> >> the >>>> >> > > > dhcp pool so that the Mikrotik always gets the same private IP >>>> >> > > > address. However, this creates a double nat situation which >>>> means I >>>> >> > > > can no longer perform reliable port forwarding for things such >>>> as >>>> >> > > > DVR's and CBus controllers (which I find the Mikrotik's great >>>> for). >>>> >> > > > >>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port >>>> >> forwarding >>>> >> > > > (which is a joke on these devices) and firewall tasks for the >>>> entire >>>> >> > > > LAN and turn the CRS into an unmanaged L2 switch. The main >>>> problem >>>> >> > > > here is that these Bigpond devices simply do not have the >>>> grunt to >>>> >> > > > deal with large networks with lots of AV streaming and control >>>> >> > happening. >>>> >> > > > >>>> >> > > > Since both of the above have severe drawbacks in terms of >>>> >> > > > functionality, I wonder if anyone has had similar experiences >>>> as I >>>> >> am >>>> >> > > > just about ready to dump the MikroTik's and start looking at >>>> other >>>> >> > > > options in the hope that they play better with the Bigpond >>>> gear. >>>> >> > > > >>>> >> > > > Thanks in advance, >>>> >> > > > >>>> >> > > > >>>> >> > > > Ben Jackson >>>> >> > > > eLogik >>>> >> > > > m:0404 924745 >>>> >> > > > e: ben@elogik.net >>>> >> > > > w: www.elogik.com.au >>>> >> > > > [image: http://www.elogik.com.au] < http://www.elogik.com.au> >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
. >>>> >> > > > au >>>> >> > > > >>>> >> > > > >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
. >>>> >> > > > au >>>> >> > > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> > > >>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> > > >>>> >> > _______________________________________________ >>>> >> > Public mailing list >>>> >> > Public@talk.mikrotik.com.au >>>> >> > >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> > >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> _______________________________________________ >>>> >> Public mailing list >>>> >> Public@talk.mikrotik.com.au >>>> >> >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> >>>> > >>>> > >>>> >>>> >>>> -- >>>> _______________________________________________ >>>> Public mailing list >>>> Public@talk.mikrotik.com.au >>>>
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >>> >>> >> >> >> -- >> >> >
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
-- Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
--