28 Jul
2015
28 Jul
'15
6:34 p.m.
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
# NOTE(review): this export was pasted through e-mail and has been re-wrapped in
# places (a lone "\" on its own line, e.g. under the 192.168.88.106 lease, and a
# "\_" rendering artefact inside one bogon comment). Re-export from the device
# rather than importing the text below.
# NOTE(review): the export carries LAN device MAC addresses, DHCP client-ids and
# the software id; redact those before sharing it further.
#
# Switch-chip grouping: ether2-ether23 and sfp1 are slaved to ether1 (one switch
# group); ether24 is left standalone as the WAN/gateway port, matching the CRS
# layout described further down the thread.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=\
ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=\
ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=\
ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=\
ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=\
ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=\
ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=\
ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=\
ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=\
ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=\
ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=\
ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=\
ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=\
ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=\
ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=\
ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=\
ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=\
ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
sfp1-slave-local
# LAN pool and DHCP server bound to the switch master port; the static leases
# further down pin the Sonos / UniFi / control-system devices.
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
lease-time=1d name=dhcp1
# Router LAN address (the RouterOS default 192.168.88.1/24).
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether1-master-local network=192.168.88.0
# WAN: DHCP client on ether24. It sends hostname and client-id, takes NTP from
# the ISP server (use-peer-ntp=yes) and installs the default route at distance 0.
# The NAK problem discussed in the thread concerns this lease.
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether24-gateway use-peer-ntp=yes
# Static leases. The "Foxtel" comment reads 191.268.88.140 - presumably a typo
# for 192.168.88.140 (the string is left untouched here).
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
"Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e
\
mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40
\
mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac
\
mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
"Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
"UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D
server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
"Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
# The router resolves DNS for any client that can reach it. Every filter rule
# below is disabled=yes, so nothing currently restricts this to the LAN - on the
# ether24 WAN lease this is an open resolver unless the upstream filters port 53.
# Mitigation: an enabled input rule that limits dst-port=53 to
# in-interface=ether1-master-local (or drops it on ether24-gateway).
/ip dns
set allow-remote-requests=yes
# Address lists used by the (disabled) filter rules.
# "support" = the whole LAN; the winbox drop rule further down exempts this list.
# "bogons": 127.0.0.0/16 covers only part of the 127.0.0.0/8 loopback block, and
# the 192.168.0.0/16 entry overlaps the LAN 192.168.88.0/24 - keep it disabled
# (or carve out the LAN) before enabling the "Drop IP's in bogon list" rule.
/ip firewall address-list
add address=192.168.88.0/24 comment=\
"Support address list - full access to router allowed from this range" \
list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you
nee\
d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes
list=\
bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if
you \
need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if
you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]"
disabled=\
yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2"
disabled=yes \
list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3"
disabled=yes \
list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
# Filter rules. EVERY rule in this section carries disabled=yes (including the
# final "Drop anything else!"), so the input chain is effectively accept-all and
# the only thing limiting management exposure on the WAN lease is /ip service
# at the bottom of this export. Rules are evaluated top to bottom; the ICMP
# chain is only reached through the jump rules.
/ip firewall filter
# SYN-flood: a source holding more than 30 SYN connections (connection-limit=30,32)
# is listed in Syn_Flooder for 30m; the next rule drops that list.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
src-address-list=Syn_Flooder
# Port-scan detection (psd = weight threshold, delay, low-port weight,
# high-port weight), one-week list timeout, then drop.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
src-address-list=Port_Scanner
# ICMP is handled in its own chain (see the chain=ICMP rules below).
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes
\
jump-target=ICMP protocol=icmp
# Winbox (tcp/8291) restricted to the "support" list. The rule's own comment
# warns not to enable it before the admin's subnet is in that list.
add action=drop chain=input comment="Block all access to the winbox -
except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE
SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow"
disabled=\
yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list"
disabled=yes \
dst-address-list=bogons
# Outbound SMTP (25/587) abuse: a source with more than 30 connections or above
# 30/min is listed as a spammer for 3h and dropped by the following rule.
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
dst-port=25,587 protocol=tcp src-address-list=spammers
# Accept rules (no action = accept). The two DNS accepts have no in-interface,
# so once enabled they admit port 53 from the WAN as well - see the
# allow-remote-requests note above.
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
# PPTP (tcp/1723) accepted in and out; the rules carry no comment saying what
# they are for. If a PPTP VPN is intended, bear the protocol's known weaknesses
# in mind.
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
# Stateful accepts, then full router access for the "support" list (the LAN).
add chain=input comment="Accept to established connections"
connection-state=\
established disabled=yes
add chain=input comment="Accept related connections"
connection-state=related \
disabled=yes
add chain=input comment="Allow SUPPORT address list full access"
disabled=yes \
src-address-list=support
# ICMP chain: echo requests rate-limited (limit=1,5), a few useful types
# accepted, everything else dropped at the end of the chain.
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
# Drop-invalid sits after the accept rules here; once enabled it is normally
# placed ahead of the established/related accepts.
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
jump-target=ICMP protocol=icmp
# FTP brute-force: drop listed sources; allow a burst of 9 "530 Login incorrect"
# replies per destination per minute (dst-limit) and list destinations that
# exceed it for 3h.
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
# SSH brute-force, staged: a new connection from a source already in ssh_stage3
# is blacklisted for 1w3d; otherwise the source climbs stage1 -> stage2 -> stage3
# (1m each). Rule order matters - the highest stage is checked first.
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes
\
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
# Final input drop-all. Disabled, so the chain currently default-accepts.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE
THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# NAT: masquerade LAN traffic leaving the WAN port.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
# Conntrack/NAT helpers (ALGs) all switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Presumably the default IPsec policy entry; confirm no IPsec peers are
# configured before relying on that.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Management services: telnet/ftp/www/ssh/api/api-ssl off. winbox and www-ssl
# do not appear in this export, so presumably they stay at their defaults - with
# the filter rules disabled, winbox (8291) is reachable on the WAN lease.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
# RoMON port entry added with default settings. RoMON is a layer-2 management
# path; confirm it is intended and limited to the LAN side (not ether24).
/tool romon port
add
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
[image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <
jason@upandrunningtech.com.au> wrote:
> Hi Ben,
>
> When the problem occurs again check the Routerboard for CPU use and check
> profiling to see just what is keeping the CPU busy. Don't overestimate the
> CPU in the 2011, it's not as quick as you think. The new FastPath and
> FastTrack features will be something you'll be interested in when routing
> something as fast as a cable modem so read up on them and do try the latest
> firmware images.
>
> Jason
>
> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
>
>> Hi Jason,
>>
>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any
>> bridge or switch config and is routing only.
>>
>> When I first started installing Mikrotiks I used to bridge all the other
>> ports, which I know uses the main CPU and not the switch chip, but my
>> thinking was that the main CPU is more powerful and the router isn't
>> exactly doing anything complex such as queues or heaps of firewall rules.
>>
>> However since then I have started using the master - slave switch chip
>> function, especially on the 24 port CRS. On the RB2011's I slave all the
>> gigabit ports to ether2, slave all the 10/100 ports to ether6, then
>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the
>> ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>
>> Ben Jackson
>> eLogik
>> m:0404 924745
>> e: ben@elogik.net
>> w: www.elogik.com.au
>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>
>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <
>> jason@upandrunningtech.com.au> wrote:
>>
>>> Hi
>>>
>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the
>>> current is at 6.30 so I can't even see if some related bug has been fixed
>>> since 6.20. I'd suggest updating the software, reboot, update the
>>> firmware, reboot and see if that helps.
>>>
>>> If in doubt beyond that, save export your config, factory reset and
>>> reimport the config.
>>>
>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to
>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged?
>>> Which port is connected to the modem? It should be on its own, not
>>> slaved
>>> or bridged.
>>>
>>> Since 6.20 there have been some packet engine speedups that operate at
>>> the
>>> bridge level and some interfaces (not PPPoE unfortunately). You will
>>> definitely benefit using the new speedup options with NAT on a DHCP based
>>> modem.
>>>
>>> Jason
>>>
>>>
>>>
>>>
>>>
>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>
>>> > Hi Jason,
>>> >
>>> > I have customers on a few different ROS versions, normally nothing
>>> earlier
>>> > than 6.18 - and I always make sure the firmware is at a matching
>>> level. I
>>> > think the majority right now are at 6.20.
>>> >
>>> > Thanks
>>> >
>>> > Ben Jackson
>>> > eLogik
>>> > m:0404 924745
>>> > e: ben@elogik.net
>>> > w: www.elogik.com.au
>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>> >
>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <
>>> > jason@upandrunningtech.com.au> wrote:
>>> >
>>> >> What version of RouterOS are you using and what level is the firmware
>>> at?
>>> >>
>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>> >>
>>> >> > Hi RJ,
>>> >> >
>>> >> > Yep - that's exactly what I do.
>>> >> >
>>> >> > I know it's not congestion because when I reboot the mikrotik or
>>> simply
>>> >> > renew the dhcp client address on the gateway port the whole system
>>> >> springs
>>> >> > back to life.
>>> >> >
>>> >> > Thanks,
>>> >> >
>>> >> > Ben Jackson
>>> >> > eLogik
>>> >> > m:0404 924745
>>> >> > e: ben@elogik.net
>>> >> > w: www.elogik.com.au
>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>> >> >
>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <
>>> RJ.Plummer@4logic.com.au>
>>> >> > wrote:
>>> >> >
>>> >> > > Hi Ben,
>>> >> > >
>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't
>>> exhibit
>>> >> > > this behaviour.
>>> >> > >
>>> >> > > Their setups are very straightforward:
>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
>>> >> > > -DHCP client on the appropriate physical mkt interface
>>> >> > > -masq that interface
>>> >> > > -firewall filter as usual
>>> >> > >
>>> >> > > Do you have anything different in your configurations?
>>> >> > >
>>> >> > > Cheers,
>>> >> > > RJ
>>> >> > > -----Original Message-----
>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On
>>> Behalf
>>> >> Of
>>> >> > > Paul Julian
>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au
>>> >
>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>> >> > >
>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at
>>> least
>>> >> the
>>> >> > > one they present, this usually happens if a config has been
>>> uploaded
>>> >> to
>>> >> > > them without MAC addresses removed.
>>> >> > >
>>> >> > > There is an option in the interface settings called "Reset MAC
>>> >> Address",
>>> >> > > try clicking this on the interface you have plugged into the NTU,
>>> it
>>> >> will
>>> >> > > reset the MAC address back to or force it to be the actually
>>> physical
>>> >> MAC
>>> >> > > just in case anything has changed.
>>> >> > >
>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds
>>> of
>>> >> > > locations for ADSL and Ethernet services and never have one issue.
>>> >> > >
>>> >> > > Regards
>>> >> > > Paul
>>> >> > >
>>> >> > > -----Original Message-----
>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On
>>> Behalf
>>> >> Of
>>> >> > > Ben Jackson
>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>> >> > > To: MikroTik Australia Public List
>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>> >> > >
>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there
>>> should be
>>> >> > > almost nothing to go wrong in this type of set-up. The NTU is
>>> >> definitely
>>> >> > in
>>> >> > > bridge mode - as evidenced by the radio button saying "Bridge
>>> Mode" on
>>> >> > the
>>> >> > > web GUI ;) and I have a DHCP client running on ether24 of the CRS
>>> (or
>>> >> > > sometimes ether 1) which immediately binds the public IP address
>>> to
>>> >> > itself.
>>> >> > >
>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have
>>> had
>>> >> > > issues in the past (no longer seems to be an issue) where I have
>>> had
>>> >> to
>>> >> > > spoof the MAC address of the NTU to get a DHCP address. I have
>>> also
>>> >> > noticed
>>> >> > > if my MBP is the first device to connect to the NTU while in
>>> bridge
>>> >> mode,
>>> >> > > sometimes I need to power cycle the device to "deregister" the MAC
>>> >> > address
>>> >> > > of the MBP. I am able to get a binding on the MikroTik after this
>>> >> process
>>> >> > > is complete.
>>> >> > >
>>> >> > > But, in this instance this is not the problem unless somehow the
>>> MAC
>>> >> > > address of the MikroTik ether port is changing - is this
>>> possible? I
>>> >> must
>>> >> > > admit, my progress on this is somewhat hampered by not having a
>>> cable
>>> >> > setup
>>> >> > > to test on at home - I run ADSL.
>>> >> > >
>>> >> > > I'm pretty sure that nothing else on the network would be able to
>>> bind
>>> >> > > its MAC address to the public IP before the MikroTik has had a
>>> chance
>>> >> > to -
>>> >> > > although I must admit I hadn't thought of that so I'll check it
>>> out in
>>> >> > more
>>> >> > > detail.
>>> >> > >
>>> >> > > I am also inclined to agree with you that this is not solely a
>>> >> Mikrotik
>>> >> > > issue. It seems to me that it is the magic (or not so magic)
>>> >> combination
>>> >> > of
>>> >> > > the ISP's hardware and the MikroTik that seems to cause the
>>> problem. I
>>> >> > have
>>> >> > > tried other brands of router which do not seem to exhibit the
>>> issue,
>>> >> > > however these devices do not have the great feature set of the
>>> >> MikroTik
>>> >> > and
>>> >> > > are often not rack-mountable. Trotting out the "It's not a
>>> Mikrotik
>>> >> > issue"
>>> >> > > line is starting to wear very thin with both my customers and
>>> >> colleagues.
>>> >> > > Although my gut feeling is that it isn't - I need proof and I
>>> don't
>>> >> know
>>> >> > > where to start. This is happening far too often for it to be a
>>> >> > coincidence
>>> >> > > or a faulty device.
>>> >> > >
>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL /
>>> >> pppoe
>>> >> > > connections in bridge mode too, I sent an email about this some
>>> time
>>> >> ago
>>> >> > > and it still plagues me from time to time.
>>> >> > >
>>> >> > > The type of installations I am doing are not your typical home
>>> setups
>>> >> and
>>> >> > > customers are paying a lot of money for a supposedly
>>> >> "commercial-grade"
>>> >> > > solution which is only adding to my stresses.
>>> >> > >
>>> >> > > Do any of you guys out there use a MikroTik as your home router -
>>> how
>>> >> do
>>> >> > > you set it up? Have you seen issues like this?
>>> >> > >
>>> >> > > One thing I have noticed is that the issue seems to be much more
>>> >> > prevalent
>>> >> > > with the newer DOCSIS 3.0 netgear / telstra / optus modems. No
>>> idea
>>> >> why.
>>> >> > > Any cable experts out there?
>>> >> > >
>>> >> > > Thanks again,
>>> >> > >
>>> >> > >
>>> >> > > Ben Jackson
>>> >> > > eLogik
>>> >> > > m:0404 924745
>>> >> > > e: ben@elogik.net
>>> >> > > w: www.elogik.com.au
>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>> >> > >
>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <
>>> >> > paul@oxygennetworks.com.au>
>>> >> > > wrote:
>>> >> > >
>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus
>>> >> Cable
>>> >> > > > networks use MAC based DHCP, they bind the IP to the MAC of the
>>> NTU
>>> >> or
>>> >> > > > in the case of bridge mode the first client that makes a
>>> request,
>>> >> and
>>> >> > > > often you have trouble with these things because of this, I
>>> don't
>>> >> > > > really think it's a Mikrotik thing.
>>> >> > > >
>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on
>>> the
>>> >> > > > interface plugged into the NTU and the NTU is truly in bridge
>>> mode
>>> >> and
>>> >> > > > the Mikrotik is the only thing plugged into the NTU I can't
>>> see why
>>> >> > > > it would be having issues.
>>> >> > > >
>>> >> > > > Is there any chance that another device might somehow be
>>> getting a
>>> >> > > > DHCP request through to the NTU somehow the way you have it all
>>> >> plugged
>>> >> > > in ?
>>> >> > > >
>>> >> > > > Regards
>>> >> > > > Paul
>>> >> > > >
>>> >> > > > -----Original Message-----
>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On
>>> >> Behalf Of
>>> >> > > > Ben Jackson
>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>> >> > > > To: MikroTik Australia Public List
>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>> >> > > >
>>> >> > > > Hi All,
>>> >> > > >
>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this
>>> one.
>>> >> > > >
>>> >> > > > We use Mikrotik gear (mainly RB2011's and, more recently, the
>>> >> > > > CRS125-24G) in large residential AV situations where
>>> invariably, the
>>> >> > > > Mikrotik is in dhcp client mode, in a cable internet scenario
>>> where
>>> >> > > > Telstra's / Optus's modem has been placed into "bridge" mode
>>> (NAT
>>> >> > > > switched
>>> >> > > > off) and the carrier-supplied WAN IP address gets bound to the
>>> >> gateway
>>> >> > > > interface of the Mikrotik.
>>> >> > > >
>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 UniFi
>>> >> > > > access points, and at least 3-4 zones of Sonos. On initial set
>>> up,
>>> >> > > > everything seems to work great, with the full bandwidth of the
>>> cable
>>> >> > > > modem getting passed on to the rest of the network, even when
>>> 802.11
>>> >> > > > clients are connected (a testament to the UniFi's in my opinion
>>> - I
>>> >> > > > only use dual band Pro AP's).
>>> >> > > >
>>> >> > > > However, after a week or so the internet connection seems to get
>>> >> > > > either very slow, or stop working altogether. If I look in the
>>> logs
>>> >> > > > (with dhcp logging switched on) I can see regular NAK's getting
>>> >> passed
>>> >> > > > from the dhcp server on the cable modem. The problem is I don't
>>> >> really
>>> >> > > > understand how DHCP works on cable modems. I'm assuming every so
>>> >> often
>>> >> > > > the cable modem gets a new IP address from the carrier (normally
>>> >> after
>>> >> > > > a reset) and at this point the modem is not passing this new
>>> address
>>> >> > > > onto the Mikrotik which is effectively cut off from the
>>> internet.
>>> >> > > > Since we are stuck with using Bigpond and Optus modems these
>>> are the
>>> >> > > > only solutions I have discovered which seem to stop the issue
>>> from
>>> >> > > occurring (at least as regularly).
>>> >> > > >
>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all
>>> >> > > > extraneous services such as Wi-Fi, and also put one IP address
>>> in
>>> >> the
>>> >> > > > dhcp pool so that the Mikrotik always gets the same private IP
>>> >> > > > address. However, this creates a double nat situation which
>>> means I
>>> >> > > > can no longer perform reliable port forwarding for things such
>>> as
>>> >> > > > DVR's and CBus controllers (which I find the Mikrotik's great
>>> for).
>>> >> > > >
>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port
>>> >> forwarding
>>> >> > > > (which is a joke on these devices) and firewall tasks for the
>>> entire
>>> >> > > > LAN and turn the CRS into an unmanaged L2 switch. The main
>>> problem
>>> >> > > > here is that these Bigpond devices simply do not have the grunt
>>> to
>>> >> > > > deal with large networks with lots of AV streaming and control
>>> >> > happening.
>>> >> > > >
>>> >> > > > Since both of the above have severe drawbacks in terms of
>>> >> > > > functionality, I wonder if anyone has had similar experiences
>>> as I
>>> >> am
>>> >> > > > just about ready to dump the MikroTik's and start looking at
>>> other
>>> >> > > > options in the hope that they play better with the Bigpond gear.
>>> >> > > >
>>> >> > > > Thanks in advance,
>>> >> > > >
>>> >> > > >
>>> >> > > > Ben Jackson
>>> >> > > > eLogik
>>> >> > > > m:0404 924745
>>> >> > > > e: ben@elogik.net
>>> >> > > > w: www.elogik.com.au
>>> >> > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>> >> > > > _______________________________________________
>>> >> > > > Public mailing list
>>> >> > > > Public@talk.mikrotik.com.au
>>> >> > > >
>>> >> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
>>> .
>>> >> > > > au
>>> >> > > >
>>> >> > > >
>>> >> > > > _______________________________________________
>>> >> > > > Public mailing list
>>> >> > > > Public@talk.mikrotik.com.au
>>> >> > > >
>>> >> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com
>>> .
>>> >> > > > au
>>> >> > > >
>>> >> > > _______________________________________________
>>> >> > > Public mailing list
>>> >> > > Public@talk.mikrotik.com.au
>>> >> > >
>>> >>
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>> >> > >
>>> >> > >
>>> >> > > _______________________________________________
>>> >> > > Public mailing list
>>> >> > > Public@talk.mikrotik.com.au
>>> >> > >
>>> >>
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>> >> > >
>>> >> > > _______________________________________________
>>> >> > > Public mailing list
>>> >> > > Public@talk.mikrotik.com.au
>>> >> > >
>>> >>
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>> >> > >
>>> >> > _______________________________________________
>>> >> > Public mailing list
>>> >> > Public@talk.mikrotik.com.au
>>> >> >
>>> >>
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> _______________________________________________
>>> >> Public mailing list
>>> >> Public@talk.mikrotik.com.au
>>> >>
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>> >>
>>> >
>>> >
>>>
>>>
>>> --
>>> _______________________________________________
>>> Public mailing list
>>> Public@talk.mikrotik.com.au
>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>
>>
>>
>
>
> --
>
>