Ben, What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether01 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=\
    ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=\
    ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=\
    ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=\
    ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=\
    ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=\
    ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=\
    ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=\
    ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=\
    ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=\
    ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=\
    ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=\
    ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=\
    ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=\
    ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=\
    ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
    sfp1-slave-local
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
    lease-time=1d name=dhcp1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-master-local network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether24-gateway use-peer-ntp=yes
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
    comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
    server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
    mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
    mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
    mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
    mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
    "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
    server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
    00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \
    mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \
    mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
    mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \
    mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
    00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
    server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
    "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
    "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
    04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
    "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
    dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
    04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 comment=\
    "Support address list - full access to router allowed from this range" \
    list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
    bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
    list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
    yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
    list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
    yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
    yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
    dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add chain=input comment="Accept related connections" connection-state=related \
    disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
    src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
    icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
    icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
    protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
    3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
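Added example, not part of the thread and not MikroTik tooling: a Python parser for the export syntax used in the message above (backslash line continuations, `\_` for an escaped space) that reports what a reviewer would note in that config, namely that every `/ip firewall filter` rule carries `disabled=yes` while `/ip dns` has `allow-remote-requests=yes`. The sample lines are copied from that export and abbreviated; the function names `parse_export` and `audit` are assumptions of this example.

```python
import re
import shlex
from collections import Counter

# Lines copied from the export posted above, abbreviated to a few rules.
SAMPLE_EXPORT = r'''
# jul/28/2015 17:23:06 by RouterOS 6.30.2
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
    dst-address-list=bogons
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
'''


def parse_export(text):
    """Return a list of (menu, verb, positional, props) tuples."""
    # A trailing backslash continues the statement on the next line; the
    # indentation of the continuation line is not part of the value.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or export header comment
        if line.startswith('/'):
            menu = line                   # e.g. "/ip firewall filter"
            continue
        verb, *tokens = shlex.split(line)  # honours double-quoted values
        props, positional = {}, []
        for tok in tokens:
            key, sep, value = tok.partition('=')
            if sep:
                props[key] = value.replace('\\_', ' ')  # "\_" encodes a space
            else:
                positional.append(tok)
        items.append((menu, verb, positional, props))
    return items


def audit(items):
    """Return human-readable findings about the firewall posture."""
    findings = []
    rules = [p for m, v, _, p in items
             if m == '/ip firewall filter' and v == 'add']
    live = [p for p in rules if p.get('disabled') != 'yes']
    live_chains = Counter(p.get('chain') for p in live)
    if rules and not live:
        findings.append(f'all {len(rules)} firewall filter rules are disabled')
    if not live_chains['input']:
        findings.append('no active rule on chain=input: '
                        'traffic to the router itself is unfiltered')
    # The masquerade rule names the internet-facing interface.
    wan = [p['out-interface'] for m, _, _, p in items
           if m == '/ip firewall nat' and p.get('action') == 'masquerade'
           and 'out-interface' in p]
    dns_open = any(m == '/ip dns' and p.get('allow-remote-requests') == 'yes'
                   for m, _, _, p in items)
    if dns_open and not live_chains['input']:
        where = ', '.join(wan) or 'the WAN port'
        findings.append('DNS allow-remote-requests=yes with no input filter: '
                        f'resolver answers queries arriving on {where}')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print('-', finding)
```

Enabling the rules from the "Securing your router" page linked in the thread, or an input-chain drop on the WAN interface, clears the second and third findings.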
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Hi Ben,
When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
Jason
On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Hi
OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
If in doubt beyond that, save export your config, factory reset and reimport the config.
What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
Jason
On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
Thanks
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
What version of RouterOS are you using and what level is the firmware at?
On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straight forward:
-Bridge the cable modem (same cable modem model as you describe)
-DHCP client on the appropriate physical mkt interface
-masq that interface
-firewall filter as usual
Do you have anything different in your configurations?
Cheers, RJ
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 28 July 2015 10:55 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actually physical MAC just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 12:47 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in ?
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 10:53 AM
To: MikroTik Australia Public List
Subject: [MT-AU Public] Cable Modem DHCP Issues
Hi All,
I'm hoping someone can help me as I'm at my wit's end with this one.
We use Mikrotik gear (Mainly RB2011's and more recently, the CRS125-24G) in large residential AV situations where invariably, the Mikrotik is in dhcp client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.
The Mikrotik, in turn is connected to, on average, about 3 UniFi access points, and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).
However, after a week or so the internet connection seems to get either very slow, or stop working altogether. If I look in the logs (with dhcp logging switched on) I can see regular NAK's getting passed from the dhcp server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address onto the Mikrotik which is effectively cut off from the internet. Since we are stuck with using Bigpond and Optus modems these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly).
1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the dhcp pool so that the Mikrotik always gets the same private IP address. However, this creates a double nat situation which means I can no longer perform reliable port forwarding for things such as DVR's and CBus controllers (which I find the Mikrotik's great for).
2) Allow the cable modem to perform all dhcp, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.
Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences as I am just about ready to dump the MikroTik's and start looking at other options in the hope that they play better with the Bigpond gear.
Thanks in advance,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au