Cable Modem DHCP Issues
Hi All,

I'm hoping someone can help me as I'm at my wit's end with this one.

We use Mikrotik gear (mainly RB2011's and, more recently, the CRS125-24G) in large residential AV situations where invariably the Mikrotik is in DHCP client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.

The Mikrotik, in turn, is connected to, on average, about 3 UniFi access points and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).

However, after a week or so the internet connection seems to get either very slow or stop working altogether. If I look in the logs (with DHCP logging switched on) I can see regular NAKs getting passed from the DHCP server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address on to the Mikrotik, which is effectively cut off from the internet. Since we are stuck with using Bigpond and Optus modems, these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly):

1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the DHCP pool so that the Mikrotik always gets the same private IP address. However, this creates a double NAT situation which means I can no longer perform reliable port forwarding for things such as DVRs and CBus controllers (which I find the Mikrotiks great for).

2) Allow the cable modem to perform all DHCP, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.

Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences, as I am just about ready to dump the Mikrotiks and start looking at other options in the hope that they play better with the Bigpond gear.

Thanks in advance,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP: they bind the IP to the MAC of the NTU, or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this. I don't really think it's a Mikrotik thing.

However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU, and the NTU is truly in bridge mode, and the Mikrotik is the only thing plugged into the NTU, I can't see why it would be having issues.

Is there any chance that another device might somehow be getting a DHCP request through to the NTU the way you have it all plugged in?

Regards
Paul

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 10:53 AM To: MikroTik Australia Public List Subject: [MT-AU Public] Cable Modem DHCP Issues

_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) - and I have a DHCP client running on ether24 of the CRS (or sometimes ether1) which immediately binds the public IP address to itself.

I understand about the MAC based DHCP which the ISPs use; I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.

But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.

I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that, so I'll check it out in more detail.

I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue; however, these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.

I have, unfortunately, also seen very strange behaviour over ADSL / PPPoE connections in bridge mode too. I sent an email about this some time ago and it still plagues me from time to time.

The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution, which is only adding to my stresses.

Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this? One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 Netgear / Telstra / Optus modems. No idea why. Any cable experts out there?

Thanks again,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present; this usually happens if a config has been uploaded to them without MAC addresses removed.

There is an option in the interface settings called "Reset MAC Address". Try clicking this on the interface you have plugged into the NTU; it will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.

We use bridge mode in modems and NTUs with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.

Regards
Paul

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 12:47 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben,

We have a few staff with Bigpond cable and Mikrotiks who don't exhibit this behaviour. Their setups are very straightforward:

- Bridge the cable modem (same cable modem model as you describe)
- DHCP client on the appropriate physical mkt interface
- Masq that interface
- Firewall filter as usual

Do you have anything different in your configurations?

Cheers,
RJ

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Tuesday, 28 July 2015 10:55 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
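RJ's four steps and Paul's "Reset MAC Address" suggestion written out as one RouterOS CLI configuration. This is an added example, not any poster's own config: ether1 is assumed to be the port cabled to the NTU, and the filter rules are only a minimal reading of "firewall filter as usual".

```routeros
# Added example, not from the thread. Assumption: ether1 is the port plugged
# into the bridged cable modem / NTU; everything else hangs off the LAN side.

# Paul's "Reset MAC Address" from the CLI: force ether1 back to its factory
# MAC so the ISP's MAC-bound lease keeps matching after a config import.
/interface ethernet reset-mac-address ether1

# RJ step 2: DHCP client on the physical WAN port. The carrier lease supplies
# the default route and DNS servers.
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes \
    use-peer-dns=yes comment="cable WAN"

# RJ step 3: masquerade everything leaving via the WAN port.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="cable WAN masq"

# RJ step 4: firewall filter "as usual" - minimal stateful rule set. Only
# return traffic and explicitly port-forwarded (dstnat) traffic comes in.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop comment="drop unsolicited from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=!dstnat action=drop \
    comment="only port-forwarded traffic from WAN"

# Ben's "dhcp logging switched on": keep the DHCP client conversation in the
# memory log so NAKs can be read back with /log print.
/system logging add topics=dhcp action=memory

# Checks: current lease state, and that the presented MAC on ether1 still
# equals its factory (orig-mac-address) value.
/ip dhcp-client print detail
/interface ethernet print detail where name=ether1
```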
I have yet to encounter an NBN connection but I recall seeing something about extra DHCP Client options on page 17 of: http://www.nbnco.com.au/content/dam/nbnco/documents/sfaa-wba-uni-v-functiona...

Do cable modems now need some extra tweaks in their DHCP client requests? At least we don't have to still deal with Ye Olde BPALogin clients!

On 28 July 2015 at 13:03, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straight forward: -Bridge the cable modem (same cable modem model as you describe) -DHCP client on the appropriate physical mkt interface -masq that interface -firewall filter as usual
Do you have anything different in your configurations?
Cheers, RJ -----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Tuesday, 28 July 2015 10:55 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actually physical MAC just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 12:47 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISPs use; I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that, so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU, the way you have it all plugged in?
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 10:53 AM To: MikroTik Australia Public List Subject: [MT-AU Public] Cable Modem DHCP Issues
Hi Jason - this isn't NBN, just plain old Telstra / Optus cable! I'm praying for the NBN to come along and hopefully ameliorate some of these issues with crappy Telstra supplied modems!
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:08 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
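Putting RJ's four steps, Paul's "Reset MAC Address" check and Ben's observation that a DHCP renew brings the link back together: the following is an added RouterOS 6 example, not configuration posted by anyone in the thread. It assumes the bridged NTU is cabled to ether1, uses 8.8.8.8 as the reachability probe, and names both the script and its scheduler entry wan-dhcp-watchdog.

```routeros
# ---- Part 1 (paste in a terminal): the four steps RJ lists. -----------------
# Assumption: the bridged NTU is cabled to ether1; change the name to suit.
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no \
    comment="carrier lease via bridged cable NTU"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="whole LAN behind the single carrier-assigned address"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop \
    comment="cable side may not talk to the router itself"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept \
    comment="dst-nat port forwards (DVR, CBus) still get through"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="all other unsolicited traffic from the cable side"

# Keep the DHCP client exchange in the log so NAKs stay visible, as Ben does.
/system logging
add topics=dhcp,!debug action=memory

# ---- Part 2 (paste as the source of a new script named wan-dhcp-watchdog;
# ---- it needs the read, write and test policies). --------------------------
:local wan "ether1"
# Probe target is an assumption; any address reachable only via the cable
# link will do.
:local probe "8.8.8.8"
# Consecutive-failure counter kept as a global so it survives between runs.
:global wanFailCount
:if ([:typeof $wanFailCount] = "nothing") do={ :set wanFailCount 0 }

# Paul's check: the MAC presented to the NTU must match the hardware MAC,
# because the carrier binds the lease to that MAC.
:local cur [/interface ethernet get [find name=$wan] mac-address]
:local orig [/interface ethernet get [find name=$wan] orig-mac-address]
:if ($cur != $orig) do={
    :log warning ("wan-watchdog: " . $wan . " presents " . $cur . " but its hardware MAC is " . $orig . " - consider Reset MAC Address")
}

# Lease state as the DHCP client sees it: "bound" is the only healthy value.
:local state [/ip dhcp-client get [find interface=$wan] status]
# /ping returns the number of probes that were answered (0..3 here).
:local replies [/ping $probe count=3]

:if ($replies = 0 || $state != "bound") do={
    :set wanFailCount ($wanFailCount + 1)
    :log warning ("wan-watchdog: state=" . $state . " replies=" . $replies . " consecutive failures=" . $wanFailCount)
} else={
    :set wanFailCount 0
}

# Act only after two failed runs in a row (about four minutes at the schedule
# below) so that one dropped ping does not churn the lease on the NTU.
:if ($wanFailCount >= 2) do={
    :log error ("wan-watchdog: link dead, renewing lease on " . $wan . " (client state was " . $state . ")")
    /ip dhcp-client release [find interface=$wan]
    :delay 3s
    /ip dhcp-client renew [find interface=$wan]
    :set wanFailCount 0
}

# ---- Part 3 (terminal): run the watchdog every two minutes. -----------------
/system scheduler
add name=wan-dhcp-watchdog interval=2m on-event=wan-dhcp-watchdog \
    policy=read,write,test
```

The warning and error lines the script writes sit next to the dhcp topic entries in /log, so a MAC drift or a run of NAKs before each forced renew can be read back from the same place.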
What version of RouterOS are you using and what level is the firmware at?
On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straight forward: -Bridge the cable modem (same cable modem model as you describe) -DHCP client on the appropriate physical mkt interface -masq that interface -firewall filter as usual
Do you have anything different in your configurations?
Cheers, RJ -----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Tuesday, 28 July 2015 10:55 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actually physical MAC just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 12:47 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be as issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind it's MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't though of that so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian < paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in ?
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 10:53 AM To: MikroTik Australia Public List Subject: [MT-AU Public] Cable Modem DHCP Issues
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Hi Jason,
I have customers on a few different ROS versions, normally nothing earlier than 6.18, and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
Thanks,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
What version of RouterOS are you using and what level is the firmware at?
On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straightforward:
- Bridge the cable modem (same cable modem model as you describe)
- DHCP client on the appropriate physical mkt interface
- masq that interface
- firewall filter as usual
Do you have anything different in your configurations?
Cheers, RJ
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Tuesday, 28 July 2015 10:55 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present; this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address"; try clicking this on the interface you have plugged into the NTU. It will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 12:47 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply, Paul. Yes, I agree with you 100%; there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) - and I have a DHCP client running on ether24 of the CRS (or sometimes ether1) which immediately binds the public IP address to itself.
I understand about the MAC-based DHCP which the ISPs use; I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed that if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But in this instance this is not the problem, unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to, although I must admit I hadn't thought of that, so I'll check it out in more detail.
--
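The setup RJ describes (bridged NTU, DHCP client on the physical port, masquerade, firewall filter), Paul's advice to keep the MAC presented to the NTU stable, and Ben's observation that renewing the DHCP client brings the link back, pulled together as one RouterOS 6.x configuration. This is an added example written for this thread, not configuration posted by anyone in it or shipped by MikroTik; it assumes ether1 is the port cabled to the NTU, that exactly one DHCP client is defined on that port, and the script and scheduler names are made up.

```routeros
# Added example (not from the thread): WAN side of a RouterOS 6.x router behind a
# cable NTU in bridge mode. Assumes ether1 is the port cabled to the NTU.

# 1. Make sure the port presents its factory MAC. The carrier binds the lease to
#    the first MAC it sees, so a MAC carried over from an imported config will not
#    get a lease on a different box (or will take the binding from the one it
#    came from).
/interface ethernet reset-mac-address [find name=ether1]
/interface ethernet set [find name=ether1] comment="WAN - cable NTU (bridge mode)"

# 2. One DHCP client on the physical port; it installs the default route and
#    the carrier's resolvers.
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes \
    use-peer-ntp=no disabled=no comment="WAN lease from carrier DHCP"

# 3. Keep DHCP traffic in the log so the NAKs are recorded with timestamps,
#    not only while someone is watching the terminal.
/system logging add topics=dhcp action=memory

# 4. Masquerade the LAN behind whatever address the lease hands out.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="NAT LAN to WAN lease"

# 5. Minimal WAN-facing filter. DHCP replies are accepted explicitly so the
#    client never depends on connection tracking to renew; everything else
#    addressed to the router from the NTU side is dropped, so the management
#    services never sit on the public lease.
/ip firewall filter
add chain=input in-interface=ether1 connection-state=established,related action=accept
add chain=input in-interface=ether1 connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp src-port=67 dst-port=68 action=accept \
    comment="DHCP offers/acks from the carrier"
add chain=input in-interface=ether1 action=drop comment="nothing else reaches the router from the NTU side"
add chain=forward in-interface=ether1 connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=invalid action=drop
# dst-nat rules for DVRs, CBus controllers etc. and their forward accepts go here (not shown)

# 6. Watchdog for the failure Ben describes: if the client is not "bound",
#    request a renew instead of waiting for someone to reboot the router.
#    Paste the body below as the Source of a script named wan-dhcp-watchdog
#    in /system script, then add the scheduler entry.
#
#    :local wan "ether1"
#    :local st [/ip dhcp-client get [find interface=$wan] status]
#    :if ($st != "bound") do={
#        :log warning ("wan-dhcp-watchdog: dhcp-client on $wan is '$st', renewing")
#        /ip dhcp-client renew [find interface=$wan]
#    }
#
/system scheduler add name=wan-dhcp-watchdog interval=5m on-event=wan-dhcp-watchdog \
    comment="renew the WAN lease when dhcp-client leaves the bound state"
```

Two caveats. The watchdog is a mitigation, not a diagnosis: the dhcp log it sits beside is what gives the proof Ben is after, because a timestamped NAK that lines up with the outage, read next to `/interface ethernet print detail` (which shows both `mac-address` and `orig-mac-address`), answers whether the port MAC moved or the carrier simply refused the existing binding. And `reset-mac-address` discards a deliberately cloned MAC; on a site where the NTU's MAC was spoofed to satisfy the carrier's binding, the lease will be refused until that binding lapses or the NTU is power-cycled, which is the same "deregister" step Ben describes for his MacBook.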
I do have a supout.rif from a CRS which was exhibiting the issue at the time I ran it. Can anyone analyse this for me?
Ben
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:25 PM, Ben Jackson <ben@elogik.net> wrote:
--
Hi, OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30, so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps. If in doubt beyond that, save/export your config, factory reset and reimport the config.
What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6, and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
Jason
On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> > > au > > > > > _______________________________________________ > > Public mailing list > > Public@talk.mikrotik.com.au > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au > > > > > > _______________________________________________ > > Public mailing list > > Public@talk.mikrotik.com.au > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au > > > > _______________________________________________ > > Public mailing list > > Public@talk.mikrotik.com.au > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au > > > _______________________________________________ > Public mailing list > Public@talk.mikrotik.com.au > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Hi Jason,

Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.

When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.

However, since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi
OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
If in doubt beyond that, save export your config, factory reset and reimport the config.
What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6, and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
Jason
On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
Thanks
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
What version of RouterOS are you using and what level is the firmware at?
On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straightforward:

- Bridge the cable modem (same cable modem model as you describe)
- DHCP client on the appropriate physical mkt interface
- masq that interface
- firewall filter as usual
Do you have anything different in your configurations?
Cheers,
RJ

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 28 July 2015 10:55 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben,

I have seen Mikrotiks change their MAC address, or at least the one they present. This usually happens if a config has been uploaded to them without the MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address". Try clicking this on the interface you have plugged into the NTU; it will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards
Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 12:47 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISPs use. I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed that if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that, so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues.

Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.

I have, unfortunately, also seen very strange behaviour over ADSL / PPPoE connections in bridge mode too. I sent an email about this some time ago and it still plagues me from time to time.

The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution, which is only adding to my stresses.

Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?

One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 Netgear / Telstra / Optus modems. No idea why. Any cable experts out there?

Thanks again,

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:

Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP. They bind the IP to the MAC of the NTU or, in the case of bridge mode, the first client that makes a request, and often you have trouble with these things because of this. I don't really think it's a Mikrotik thing.

However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.

Is there any chance that another device might somehow be getting a DHCP request through to the NTU the way you have it all plugged in?

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 10:53 AM
To: MikroTik Australia Public List
Subject: [MT-AU Public] Cable Modem DHCP Issues
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
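The DHCP exchange behind Paul's "MAC based DHCP" explanation and the NAKs Ben sees in his logs, as an added example that is not part of the thread: a Python model in which the carrier-side server pins the lease to the first MAC that sends a DISCOVER, ignores DISCOVERs from any other MAC, NAKs their REQUESTs, and forgets the binding on a reset. The message encoding follows RFC 2131 (chaddr, option 53, option 50) so the packets could be handed to a real dissector; the server policy, the two MAC addresses and the 203.0.113.10 lease are assumptions made for illustration and say nothing about how Telstra or Optus actually provision cable services.

```python
"""Added example (not from the mailing-list thread): a model of the 'MAC-bound'
DHCP behaviour described above, using the RFC 2131 message layout for the fields
that matter.  Server policy, MACs and the lease address are constructed."""
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP option 53 values
MAGIC = b"\x63\x82\x53\x63"                           # RFC 2131 magic cookie


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_dhcp(msg_type, chaddr, xid=0x1234, requested_ip=None, ciaddr="0.0.0.0"):
    """Encode a BOOTREQUEST carrying option 53 and, optionally, option 50."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype=eth, hlen, hops, xid, secs, broadcast flag
    hdr += _ip(ciaddr) + b"\x00" * 12                           # ciaddr, then yiaddr/siaddr/giaddr
    hdr += chaddr.ljust(16, b"\x00")                            # chaddr is a 16-byte field
    hdr += b"\x00" * 192                                        # sname + file
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + _ip(requested_ip)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Decode xid, ciaddr, chaddr, message type and requested address."""
    _, _, hlen, _, xid, _, _ = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr = ".".join(str(b) for b in pkt[12:16])
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:           # 255 = end option
        if pkt[i] == 0:                              # 0 = pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": xid, "ciaddr": ciaddr, "chaddr": chaddr, "type": opts[53][0],
            "requested": ".".join(str(b) for b in opts[50]) if 50 in opts else None}


class MacBoundServer:
    """One lease per modem, pinned to the first MAC that DISCOVERs (assumed policy).

    A foreign MAC's DISCOVER gets no reply and its REQUEST gets a NAK.  reset()
    stands for the modem power-cycle, or a carrier-side reset, that clears the
    binding; a renewal arriving after that is NAKed, which is what the logs in
    the thread show (RFC 2131 would also allow the server to stay silent)."""

    def __init__(self, lease_ip="203.0.113.10"):
        self.lease_ip = lease_ip
        self.bound_mac = None

    def reset(self):
        self.bound_mac = None

    def handle(self, pkt):
        m = parse_dhcp(pkt)
        if m["type"] == DISCOVER and self.bound_mac is None:
            self.bound_mac = m["chaddr"]                       # first MAC wins the binding
        if m["chaddr"] != self.bound_mac:
            return (None, None) if m["type"] == DISCOVER else (NAK, None)
        if m["type"] == DISCOVER:
            return OFFER, self.lease_ip
        if m["type"] == REQUEST:
            want = m["requested"] or m["ciaddr"]               # SELECTING uses option 50, RENEWING uses ciaddr
            return (ACK, self.lease_ip) if want == self.lease_ip else (NAK, None)
        return None, None


def client_obtain(server, mac, xid=1):
    """DISCOVER, then REQUEST the offered address; returns the server's reply types."""
    t, offered = server.handle(build_dhcp(DISCOVER, mac, xid))
    replies = [t]
    if t == OFFER:
        t, _ = server.handle(build_dhcp(REQUEST, mac, xid, requested_ip=offered))
        replies.append(t)
    return replies


def scenario():
    """Replay the situations described in the thread; returns a dict of reply types."""
    srv = MacBoundServer()
    mbp = bytes.fromhex("a1b2c3d4e5f6")                   # constructed laptop MAC
    tik = bytes.fromhex("4c5e0c000001")                   # constructed router MAC
    out = {}
    out["mbp_first"] = client_obtain(srv, mbp)            # laptop plugged in first: it gets bound
    out["tik_after_mbp"] = client_obtain(srv, tik)        # router's DISCOVER is ignored
    srv.reset()                                           # power-cycle the modem
    out["tik_after_reset"] = client_obtain(srv, tik)      # router is now the bound MAC
    renew = build_dhcp(REQUEST, tik, ciaddr=srv.lease_ip) # RENEWING: ciaddr set, no option 50
    out["tik_renew"] = srv.handle(renew)[0]               # ACK while the binding holds
    srv.reset()                                           # carrier side forgets the binding
    out["tik_renew_after_carrier_reset"] = srv.handle(renew)[0]   # the NAKs in the log
    out["tik_rediscover"] = client_obtain(srv, tik)       # what a manual renew achieves
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:32s} {v}")
```

In this model the last two results are the interesting ones: once the server has lost the binding, every REQUEST for the old address is NAKed, and only a fresh DISCOVER re-binds the router's MAC. A second MAC on the modem side of the bridge (the laptop in Ben's description, or a router whose interface MAC changed) never gets past the first step until the binding is cleared.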
Hi Ben,

When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think.

The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.

Jason

On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Guys,

Here is a typical config from one of my clients:

# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=\
    ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=\
    ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=\
    ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=\
    ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=\
    ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=\
    ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=\
    ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=\
    ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=\
    ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=\
    ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=\
    ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=\
    ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=\
    ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=\
    ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=\
    ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
    sfp1-slave-local
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
    lease-time=1d name=dhcp1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-master-local network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether24-gateway use-peer-ntp=yes
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
    comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
    server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
    mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
    mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
    mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
    mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
    "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
    server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
    00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \
    mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \
    mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
    mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \
    mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
    00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
    server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
    "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
    "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
    04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
    "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
    dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
    04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 comment=\
    "Support address list - full access to router allowed from this range" \
    list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
    bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
    list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
    yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
    list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
    yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
    yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
    dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add chain=input comment="Accept related connections" connection-state=related \
    disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
    src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
    icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
    icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
    protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
    3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> Hi Ben,
>
> When the problem occurs again check the Routerboard for CPU use and check
> profiling to see just what is keeping the CPU busy. Don't overestimate the
> CPU in the 2011, it's not as quick as you think.
> The new FastPath and FastTrack features will be something you'll be
> interested in when routing something as fast as a cable modem so read up on
> them and do try the latest firmware images.
>
> Jason
>
> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
>
>> Hi Jason,
>>
>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any
>> bridge or switch config and is routing only.
>>
>> When I first started installing Mikrotiks I used to bridge all the other
>> ports, which I know uses the main CPU and not the switch chip, but my
>> thinking was that the main CPU is more powerful and the router isn't
>> exactly doing anything complex such as queues or heaps of firewall rules.
>>
>> However since then I have started using the master - slave switch chip
>> function, especially on the 24 port CRS. On the RB2011's I slave all the
>> gigabit ports to ether2 and slave all the 10/100 ports to ether6, then
>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the
>> ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>
>> Ben Jackson
>> eLogik
>> m:0404 924745
>> e: ben@elogik.net
>> w: www.elogik.com.au
>>
>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>
>>> Hi
>>>
>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the
>>> current is at 6.30 so I can't even see if some related bug has been fixed
>>> since 6.20. I'd suggest updating the software, reboot, update the
>>> firmware, reboot and see if that helps.
>>>
>>> If in doubt beyond that, save export your config, factory reset and
>>> reimport the config.
>>>
>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to
>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged?
>>> Which port is connected to the modem? It should be on its own, not slaved
>>> or bridged.
>>>
>>> Since 6.20 there have been some packet engine speedups that operate at the
>>> bridge level and some interfaces (not PPPoE unfortunately). You will
>>> definitely benefit using the new speedup options with NAT on a DHCP based
>>> modem.
>>>
>>> Jason
>>>
>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>
>>>> Hi Jason,
>>>>
>>>> I have customers on a few different ROS versions, normally nothing earlier
>>>> than 6.18 - and I always make sure the firmware is at a matching level. I
>>>> think the majority right now are at 6.20.
>>>>
>>>> Thanks
>>>>
>>>> Ben Jackson
>>>> eLogik
>>>> m:0404 924745
>>>> e: ben@elogik.net
>>>> w: www.elogik.com.au
>>>>
>>>> On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>>
>>>>> What version of RouterOS are you using and what level is the firmware at?
>>>>>
>>>>> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>>>
>>>>>> Hi RJ,
>>>>>>
>>>>>> Yep - that's exactly what I do.
>>>>>>
>>>>>> I know it's not congestion because when I reboot the mikrotik or simply
>>>>>> renew the dhcp client address on the gateway port the whole system
>>>>>> springs back to life.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ben Jackson
>>>>>> eLogik
>>>>>> m:0404 924745
>>>>>> e: ben@elogik.net
>>>>>> w: www.elogik.com.au
>>>>>>
>>>>>> On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>>>>
>>>>>>> Hi Ben,
>>>>>>>
>>>>>>> We have a few staff with bigpond cable and mikrotiks who don't exhibit
>>>>>>> this behaviour.
>>>>>>>
>>>>>>> Their setups are very straight forward:
>>>>>>> -Bridge the cable modem (same cable modem model as you describe)
>>>>>>> -DHCP client on the appropriate physical mkt interface
>>>>>>> -masq that interface
>>>>>>> -firewall filter as usual
>>>>>>>
>>>>>>> Do you have anything different in your configurations?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> RJ
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>>>>> Sent: Tuesday, 28 July 2015 10:55 AM
>>>>>>> To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>
>>>>>>> Hi Ben, I have seen Mikrotiks change their MAC address, or at least the
>>>>>>> one they present, this usually happens if a config has been uploaded to
>>>>>>> them without MAC addresses removed.
>>>>>>>
>>>>>>> There is an option in the interface settings called "Reset MAC Address",
>>>>>>> try clicking this on the interface you have plugged into the NTU, it will
>>>>>>> reset the MAC address back to or force it to be the actual physical MAC
>>>>>>> just in case anything has changed.
>>>>>>>
>>>>>>> We use bridge mode in modems and NTU's with Mikrotiks in hundreds of
>>>>>>> locations for ADSL and Ethernet services and never have one issue.
>>>>>>>
>>>>>>> Regards
>>>>>>> Paul
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>>>> Sent: Tuesday, 28 July 2015 12:47 PM
>>>>>>> To: MikroTik Australia Public List
>>>>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>
>>>>>>> Thanks for the reply Paul. Yes I agree with you 100%, there should be
>>>>>>> almost nothing to go wrong in this type of set-up. The NTU is definitely
>>>>>>> in bridge mode - as evidenced by the radio button saying "Bridge Mode" on
>>>>>>> the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or
>>>>>>> sometimes ether 1) which immediately binds the public IP address to
>>>>>>> itself.
>>>>>>>
>>>>>>> I understand about the MAC based DHCP which the ISP's use, I have had
>>>>>>> issues in the past (no longer seems to be an issue) where I have had to
>>>>>>> spoof the MAC address of the NTU to get a DHCP address. I have also
>>>>>>> noticed if my MBP is the first device to connect to the NTU while in
>>>>>>> bridge mode, sometimes I need to power cycle the device to "deregister"
>>>>>>> the MAC address of the MBP. I am able to get a binding on the MikroTik
>>>>>>> after this process is complete.
>>>>>>>
>>>>>>> But, in this instance this is not the problem unless somehow the MAC
>>>>>>> address of the MikroTik ether port is changing - is this possible? I
>>>>>>> must admit, my progress on this is somewhat hampered by not having a
>>>>>>> cable setup to test on at home - I run ADSL.
>>>>>>>
>>>>>>> I'm pretty sure that nothing else on the network would be able to bind
>>>>>>> its MAC address to the public IP before the MikroTik has had a chance
>>>>>>> to - although I must admit I hadn't thought of that so I'll check it out
>>>>>>> in more detail.
>>>>>>>
>>>>>>> I am also inclined to agree with you that this is not solely a Mikrotik
>>>>>>> issue. It seems to me that it is the magic (or not so magic) combination
>>>>>>> of the ISP's hardware and the MikroTik that seems to cause the problem.
>>>>>>> I have tried other brands of router which do not seem to exhibit the
>>>>>>> issue, however these devices do not have the great feature set of the
>>>>>>> MikroTik and are often not rack-mountable. Trotting out the "It's not a
>>>>>>> Mikrotik issue" line is starting to wear very thin with both my
>>>>>>> customers and colleagues. Although my gut feeling is that it isn't - I
>>>>>>> need proof and I don't know where to start. This is happening far too
>>>>>>> often for it to be a coincidence or a faulty device.
>>>>>>>
>>>>>>> I have, unfortunately also seen very strange behaviour over ADSL / pppoe
>>>>>>> connections in bridge mode too, I sent an email about this some time ago
>>>>>>> and it still plagues me from time to time.
>>>>>>>
>>>>>>> The type of installations I am doing are not your typical home setups
>>>>>>> and customers are paying a lot of money for a supposedly
>>>>>>> "commercial-grade" solution which is only adding to my stresses.
>>>>>>>
>>>>>>> Do any of you guys out there use a MikroTik as your home router - how do
>>>>>>> you set it up? Have you seen issues like this?
>>>>>>>
>>>>>>> One thing I have noticed is that the issue seems to be much more
>>>>>>> prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No
>>>>>>> idea why. Any cable experts out there?
>>>>>>>
>>>>>>> Thanks again,
>>>>>>>
>>>>>>> Ben Jackson
>>>>>>> eLogik
>>>>>>> m:0404 924745
>>>>>>> e: ben@elogik.net
>>>>>>> w: www.elogik.com.au
>>>>>>>
>>>>>>> On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>>>>>
>>>>>>>> Hey Ben, the only thing I can think of is that Telstra and Optus Cable
>>>>>>>> networks use MAC based DHCP, they bind the IP to the MAC of the NTU or
>>>>>>>> in the case of bridge mode the first client that makes a request, and
>>>>>>>> often you have trouble with these things because of this, I don't
>>>>>>>> really think it's a Mikrotik thing.
>>>>>>>>
>>>>>>>> However, as long as the Mikrotik is maintaining the same MAC on the
>>>>>>>> interface plugged into the NTU and the NTU is truly in bridge mode and
>>>>>>>> the Mikrotik is the only thing plugged into the NTU I can't see why
>>>>>>>> it would be having issues.
>>>>>>>>
>>>>>>>> Is there any chance that another device might somehow be getting a
>>>>>>>> DHCP request through to the NTU somehow the way you have it all plugged
>>>>>>>> in?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Paul
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>>>>> Sent: Tuesday, 28 July 2015 10:53 AM
>>>>>>>> To: MikroTik Australia Public List
>>>>>>>> Subject: [MT-AU Public] Cable Modem DHCP Issues
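Two of the diagnostic steps in this thread are manual today: Paul's suggestion to confirm that the WAN port still presents its hardware MAC (cable ISPs bind the public lease to the first MAC seen behind the NTU), and Ben's observation that renewing the DHCP client on the gateway port brings the site back to life. The script below is an added example, not code from the thread or from MikroTik, that runs both checks from the RouterOS scheduler and writes what it finds to the log so the next NAK can be correlated with the lease state. It assumes the WAN interface is still named ether24-gateway as in the export above, that the ISP gateway learned from the lease answers ICMP, and the script and scheduler names wan-dhcp-watch; all three are assumptions to adjust per site.

```routeros
# Added example (not from the thread): DHCP client watchdog for the cable WAN port.
# Assumes the WAN interface is named ether24-gateway (from the export above) and
# that the DHCP-learned ISP gateway answers ping. Install and schedule it with:
#   /system script add name=wan-dhcp-watch source=[... this script ...]
#   /system scheduler add name=wan-dhcp-watch interval=2m on-event=wan-dhcp-watch
:local wan "ether24-gateway"

# 1. Paul's check: the MAC the port presents must still be its burned-in MAC.
#    A changed MAC looks like a new client to a MAC-bound cable DHCP server.
:local curMac [/interface ethernet get [find name=$wan] mac-address]
:local origMac [/interface ethernet get [find name=$wan] orig-mac-address]
:if ($curMac != $origMac) do={
    :log warning ("wan-dhcp-watch: " . $wan . " presents " . $curMac . " but hardware MAC is " . $origMac . " (use /interface ethernet reset-mac-address)")
}

# 2. Record the lease state so it can be lined up with the NAKs in the DHCP log.
:local client [/ip dhcp-client find interface=$wan]
:local status [/ip dhcp-client get $client status]
:local addr [/ip dhcp-client get $client address]
:local gw [/ip dhcp-client get $client gateway]
:local left [/ip dhcp-client get $client expires-after]
:log info ("wan-dhcp-watch: status=" . $status . " address=" . $addr . " gateway=" . $gw . " expires-after=" . $left)

# 3. Ben's manual fix, automated: if the lease is not bound, or the ISP gateway
#    no longer answers through the WAN port, renew the lease instead of waiting
#    for someone to reboot the router.
:local lost false
:if ($status != "bound") do={
    :set lost true
} else={
    :if ([/ping $gw interface=$wan count=3] = 0) do={ :set lost true }
}
:if ($lost) do={
    :log warning ("wan-dhcp-watch: WAN lease unusable (status=" . $status . "), renewing")
    /ip dhcp-client renew $client
}
```

The two-minute interval is deliberate: a renew storm against a cable DHCP server that is already NAKing would only add noise, so the script renews at most once per run and otherwise only logs. Read the warnings back with /log print where topics~"script" alongside the dhcp-topic lines to see whether the MAC mismatch or the lease expiry precedes each outage.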
Just FYI, I normally disable all the bogon IP address stuff just in case that is having an impact.

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 6:34 PM, Ben Jackson <ben@elogik.net> wrote:
> Guys,
>
> Here is a typical config from one of my clients:
BEFORE ADD YOUR SUBNET IN THE > SUP\ > PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \ > src-address-list=!support > add action=jump chain=forward comment="Jump for icmp forward flow" > disabled=\ > yes jump-target=ICMP protocol=icmp > add action=drop chain=forward comment="Drop IP's in bogon list" > disabled=yes \ > dst-address-list=bogons > add action=add-src-to-address-list address-list=spammers \ > address-list-timeout=3h chain=forward comment=\ > "Add Spammers to the list for 3 hours" connection-limit=30,32 > disabled=\ > yes dst-port=25,587 limit=30/1m,0 protocol=tcp > add action=drop chain=forward comment="Avoid spammers action" disabled=yes > \ > dst-port=25,587 protocol=tcp src-address-list=spammers > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 > protocol=udp > add chain=output disabled=yes dst-port=1723 protocol=tcp > add chain=input disabled=yes dst-port=1723 protocol=tcp > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 > protocol=tcp > add chain=input comment="Accept to established connections" > connection-state=\ > established disabled=yes > add chain=input comment="Accept related connections" > connection-state=related \ > disabled=yes > add chain=input comment="Allow SUPPORT address list full access" > disabled=yes \ > src-address-list=support > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \ > icmp-options=8:0 limit=1,5 protocol=icmp > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 > protocol=\ > icmp > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \ > protocol=icmp > add chain=ICMP comment="Destination unreachable" disabled=yes > icmp-options=\ > 3:0-1 protocol=icmp > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp > add action=drop chain=input comment="Drop invalid connections" \ > connection-state=invalid disabled=yes > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \ > 
protocol=icmp > add action=jump chain=output comment="Jump for icmp output" disabled=yes \ > jump-target=ICMP protocol=icmp > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \ > dst-port=21 protocol=tcp src-address-list=ftp_blacklist > add chain=output content="530 Login incorrect" disabled=yes dst-limit=\ > 1/1m,9,dst-address/1m protocol=tcp > add action=add-dst-to-address-list address-list=ftp_blacklist \ > address-list-timeout=3h chain=output content="530 Login incorrect" \ > disabled=yes protocol=tcp > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_blacklist > add action=add-src-to-address-list address-list=ssh_blacklist \ > address-list-timeout=1w3d chain=input connection-state=new > disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage3 > add action=add-src-to-address-list address-list=ssh_stage3 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage2 > add action=add-src-to-address-list address-list=ssh_stage2 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage1 > add action=add-src-to-address-list address-list=ssh_stage1 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp > add action=drop chain=input comment="Drop anything else! 
# DO NOT ENABLE > THIS \ > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes > /ip firewall nat > add action=masquerade chain=srcnat out-interface=ether24-gateway > /ip firewall service-port > set ftp disabled=yes > set tftp disabled=yes > set irc disabled=yes > set h323 disabled=yes > set sip disabled=yes > set pptp disabled=yes > /ip ipsec policy > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 > /ip service > set telnet disabled=yes > set ftp disabled=yes > set www disabled=yes > set ssh disabled=yes > set api disabled=yes > set api-ssl disabled=yes > /system clock > set time-zone-autodetect=no time-zone-name=Australia/Sydney > /tool romon port > add > > > Ben Jackson > eLogik > m:0404 924745 > e: ben@elogik.net > w: www.elogik.com.au > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > jason@upandrunningtech.com.au> wrote: > >> Hi Ben, >> >> When the problem occurs again check the Routerboard for CPU use and check >> profiling to see just what is keeping the CPU busy. Don't overestimate the >> CPU in the 2011, it's not as quick as you think. The new FastPath and >> FastTrack features will be something you'll be interested in when routing >> something as fast as a cable modem so read up on them and do try the latest >> firmware images. >> >> Jason >> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote: >> >>> Hi Jason, >>> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any >>> bridge or switch config and is routing only. >>> >>> When I first started installing Mikrotiks I used to bridge all the other >>> ports, which I know uses the main CPU and not the switch chip, but my >>> thinking was that the main CPU is more powerful and the router isn't >>> exactly doing anything complex such as queues or heaps of firewall rules. 
>>> >>> However since then I have started using the master - slave switch chip >>> function, especially on the 24 port CRS. On the RB2011's I slave all the >>> gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then >>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the >>> ports apart from ether24 to ether1. I then use ether24 as the WAN port. >>> >>> Ben Jackson >>> eLogik >>> m:0404 924745 >>> e: ben@elogik.net >>> w: www.elogik.com.au >>> [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) < >>> jason@upandrunningtech.com.au> wrote: >>> >>>> Hi >>>> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the >>>> current is at 6.30 so I can't even see if some related bug has been >>>> fixed >>>> since 6.20. I'd suggest updating the software, reboot, update the >>>> firmware, reboot and see if that helps. >>>> >>>> If in doubt beyond that, save export your config, factory reset and >>>> reimport the config. >>>> >>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to >>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 >>>> bridged? >>>> Which port is connected to the modem? It should be on it's own, not >>>> slaved >>>> or bridged. >>>> >>>> Since 6.20 there have been some packet engine speedups that operate at >>>> the >>>> bridge level and some interfaces (not PPPoE unfortunately). You will >>>> definitely benefit using the new speedup options with NAT on a DHCP >>>> based >>>> modem. >>>> >>>> Jason >>>> >>>> >>>> >>>> >>>> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote: >>>> >>>> > Hi Jason, >>>> > >>>> > I have customers at on few different ROS versions, normally nothing >>>> earier >>>> > than 6.18 - and I always make sure the firmware is at a matching >>>> level. I >>>> > think the majority right now are at 6.20. 
>>>> > >>>> > Thanks >>>> > >>>> > Ben Jackson >>>> > eLogik >>>> > m:0404 924745 >>>> > e: ben@elogik.net >>>> > w: www.elogik.com.au >>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> > >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) < >>>> > jason@upandrunningtech.com.au> wrote: >>>> > >>>> >> What version of RouterOS are you using and what level is the >>>> firmware at? >>>> >> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote: >>>> >> >>>> >> > Hi RJ, >>>> >> > >>>> >> > Yep - that's exactly what I do. >>>> >> > >>>> >> > I know it's not congestion because when I reboot the mikrotik or >>>> simply >>>> >> > renew the dhcp client address on the gateway port the whole system >>>> >> springs >>>> >> > back to life. >>>> >> > >>>> >> > Thanks, >>>> >> > >>>> >> > Ben Jackson >>>> >> > eLogik >>>> >> > m:0404 924745 >>>> >> > e: ben@elogik.net >>>> >> > w: www.elogik.com.au >>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> >> > >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer < >>>> RJ.Plummer@4logic.com.au> >>>> >> > wrote: >>>> >> > >>>> >> > > Hi Ben, >>>> >> > > >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't >>>> exhibit >>>> >> > > this behaviour. >>>> >> > > >>>> >> > > Their setups are very straight forward: >>>> >> > > -Bridge the cable modem (same cable modem model as you describe) >>>> >> > > -DHCP client on the appropriate physical mkt interface >>>> >> > > -masq that interface >>>> >> > > -firewall filter as usual >>>> >> > > >>>> >> > > Do you have anything different in your configurations? 
>>>> >> > > >>>> >> > > Cheers, >>>> >> > > RJ >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Paul Julian >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM >>>> >> > > To: 'MikroTik Australia Public List' < >>>> public@talk.mikrotik.com.au> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at >>>> least >>>> >> the >>>> >> > > one they present, this usually happens if a config has been >>>> uploaded >>>> >> to >>>> >> > > them without MAC addresses removed. >>>> >> > > >>>> >> > > There is an option in the interface settings called "Reset MAC >>>> >> Address", >>>> >> > > try clicking this on the interface you have plugged into the >>>> NTU, it >>>> >> will >>>> >> > > reset the MAC address back to or force it to be the actually >>>> physical >>>> >> MAC >>>> >> > > just in case anything has changed. >>>> >> > > >>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in >>>> hundreds of >>>> >> > > locations for ADSL and Ethernet services and never have one >>>> issue. >>>> >> > > >>>> >> > > Regards >>>> >> > > Paul >>>> >> > > >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Ben Jackson >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM >>>> >> > > To: MikroTik Australia Public List >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there >>>> should be >>>> >> > > almost nothing to go wrong in this type of set-up. 
The NTU is >>>> >> definitely >>>> >> > in >>>> >> > > bridge mode - as evidenced by the radio button saying "Bridge >>>> Mode" on >>>> >> > the >>>> >> > > web GUI ;) and I have a DHCP client running on ether24 of the >>>> CRS (or >>>> >> > > sometimes ether 1) which immediately binds the public IP address >>>> to >>>> >> > itself. >>>> >> > > >>>> >> > > I understand about the MAC based DHCP which the ISP's use, I >>>> have had >>>> >> > > issues in the past (no longer seems to be as issue) where I have >>>> had >>>> >> to >>>> >> > > spoof the MAC address of the NTU to get a DHCP address. I have >>>> also >>>> >> > noticed >>>> >> > > if my MBP is the first device to connect to the NTU while in >>>> bridge >>>> >> mode, >>>> >> > > sometimes I need to power cycle the device to "deregister" the >>>> MAC >>>> >> > address >>>> >> > > of the MBP. I am able to get a binding on the MikroTik after this >>>> >> process >>>> >> > > is complete. >>>> >> > > >>>> >> > > But, in this instance this is not the problem unless somehow the >>>> MAC >>>> >> > > address of the MikroTik ether port is changing - is this >>>> possible? I >>>> >> must >>>> >> > > admit, my progress on this is somewhat hampered by not having a >>>> cable >>>> >> > setup >>>> >> > > to test on at home - I run ADSL. >>>> >> > > >>>> >> > > I'm pretty sure that nothing else on the network would be able >>>> to bind >>>> >> > > it's MAC address to the public IP before the MikroTik has had a >>>> chance >>>> >> > to - >>>> >> > > although I must admit I hadn't though of that so I'll check it >>>> out in >>>> >> > more >>>> >> > > detail. >>>> >> > > >>>> >> > > I am also inclined to agree with you that this is not solely a >>>> >> Mikrotik >>>> >> > > issue. It seems to me that it is the magic (or not so magic) >>>> >> combination >>>> >> > of >>>> >> > > the ISP's hardware and the MikroTik that seems to cause the >>>> problem. 
I >>>> >> > have >>>> >> > > tried other brands of router which do not seem to exhibit the >>>> issue, >>>> >> > > however these devices do not have the great feature set of the >>>> >> MikroTik >>>> >> > and >>>> >> > > are often not rack-mountable. Trotting out the "It's not a >>>> Mikrotik >>>> >> > issue" >>>> >> > > line is starting to wear very thin with both my customers and >>>> >> colleagues. >>>> >> > > Although my gut feeling is that it isn't - I need proof and I >>>> don't >>>> >> know >>>> >> > > where to start. This is happening far too often for it to be a >>>> >> > coincidence >>>> >> > > or a faulty device. >>>> >> > > >>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL >>>> / >>>> >> pppoe >>>> >> > > connections in bridge mode too, I sent an email about this some >>>> time >>>> >> ago >>>> >> > > and it still plagues me from time to time. >>>> >> > > >>>> >> > > The type of installations I am doing are not your typical home >>>> setups >>>> >> and >>>> >> > > customers are paying a lot of money for a supposedly >>>> >> "commercial-grade" >>>> >> > > solution which is only adding to my stresses. >>>> >> > > >>>> >> > > Do any of you guys out there use a MikroTik as your home router >>>> - how >>>> >> do >>>> >> > > you set it up? Have you seen issues like this? >>>> >> > > >>>> >> > > One thing I have noticed is that the issue seems to be much more >>>> >> > prevalent >>>> >> > > with the newer DOCSIS 3.0 netgear / telstra / optus modems. No >>>> idea >>>> >> why. >>>> >> > > Any cable experts out there? 
>>>> >> > > >>>> >> > > Thanks again, >>>> >> > > >>>> >> > > >>>> >> > > Ben Jackson >>>> >> > > eLogik >>>> >> > > m:0404 924745 >>>> >> > > e: ben@elogik.net >>>> >> > > w: www.elogik.com.au >>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> >> > > >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian < >>>> >> > paul@oxygennetworks.com.au> >>>> >> > > wrote: >>>> >> > > >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and >>>> Optus >>>> >> Cable >>>> >> > > > networks use MAC based DHCP, they bind the IP to the MAC of >>>> the NTU >>>> >> or >>>> >> > > > in the case of bridge mode the first client that makes a >>>> request, >>>> >> and >>>> >> > > > often you have trouble with these things because of this, I >>>> don't >>>> >> > > > really think it's a Mikrotik thing. >>>> >> > > > >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC >>>> on the >>>> >> > > > interface plugged into the NTU and the NTU is truly in bridge >>>> mode >>>> >> and >>>> >> > > > the Mikrotik is the only thing plugged into the NTU I can't >>>> see why >>>> >> > > > it would be having issues. >>>> >> > > > >>>> >> > > > Is there any chance that another device might somehow be >>>> getting a >>>> >> > > > DHCP request through to the NTU somehow the way you have it all >>>> >> plugged >>>> >> > > in ? >>>> >> > > > >>>> >> > > > Regards >>>> >> > > > Paul >>>> >> > > > >>>> >> > > > -----Original Message----- >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On >>>> >> Behalf Of >>>> >> > > > Ben Jackson >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM >>>> >> > > > To: MikroTik Australia Public List >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > > >>>> >> > > > Hi All, >>>> >> > > > >>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with >>>> this one. 
>>>> >> > > > >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and and more recently, >>>> the >>>> >> > > > CRS125-24G) in large residential AV situations where >>>> invariably, the >>>> >> > > > Mikrotik is in dhcp client mode, in a cable internet scenario >>>> where >>>> >> > > > Telstra's / Optus's modem has been placed into "bridge" mode >>>> (NAT >>>> >> > > > switched >>>> >> > > > off) and the carrier-supplied WAN IP address gets bound to the >>>> >> gateway >>>> >> > > > interface of the Mikrotik. >>>> >> > > > >>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 >>>> UniFi >>>> >> > > > access points, and at least 3-4 zones of Sonos. On initial set >>>> up, >>>> >> > > > everything seems to work great, with the full bandwidth of the >>>> cable >>>> >> > > > modem getting passed on to the rest of the network, even when >>>> 802.11 >>>> >> > > > clients are connected (a testament to the UniFi's I my opinion >>>> - I >>>> >> > > > only use dual band Pro AP's). >>>> >> > > > >>>> >> > > > However, after a week or so the internet connection seems to >>>> get >>>> >> > > > either very slow, or stop working altogether. If I look in the >>>> logs >>>> >> > > > (with dhcp logging switched on) I can see regular NAK's getting >>>> >> passed >>>> >> > > > from the dhcp server on the cable modem. The problem is I don't >>>> >> really >>>> >> > > > understand how DHCP works on cable modems. I'm assuming every >>>> so >>>> >> often >>>> >> > > > the cable modem gets a new IP address from the carrier >>>> (normally >>>> >> after >>>> >> > > > a reset) and at this point the modem is not passing this new >>>> address >>>> >> > > > onto the Mikrotik which is effectively cut off from the >>>> internet. >>>> >> > > > Since we are stuck with using Bigpond and Optus modems these >>>> are the >>>> >> > > > only solutions I have discovered which seem to stop the issue >>>> from >>>> >> > > occurring (at least as regularly). 
>>>> >> > > > >>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all >>>> >> > > > extraneous services such as Wi-Fi, and also put one IP address >>>> in >>>> >> the >>>> >> > > > dhcp pool so that the Mikrotik always gets the same private IP >>>> >> > > > address. However, this creates a double nat situation which >>>> means I >>>> >> > > > can no longer perform reliable port forwarding for things such >>>> as >>>> >> > > > DVR's and CBus controllers (which I find the Mikrotik's great >>>> for). >>>> >> > > > >>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port >>>> >> forwarding >>>> >> > > > (which is a joke on these devices) and firewall tasks for the >>>> entire >>>> >> > > > LAN and turn the CRS into an unmanaged L2 switch. The main >>>> problem >>>> >> > > > here is that these Bigpond devices simply do not have the >>>> grunt to >>>> >> > > > deal with large networks with lots of AV streaming and control >>>> >> > happening. >>>> >> > > > >>>> >> > > > Since both of the above have severe drawbacks in terms of >>>> >> > > > functionality, I wonder if anyone has had similar experiences >>>> as I >>>> >> am >>>> >> > > > just about ready to dump the MikroTik's and start looking at >>>> other >>>> >> > > > options in the hope that they play better with the Bigpond >>>> gear. >>>> >> > > > >>>> >> > > > Thanks in advance, >>>> >> > > > >>>> >> > > > >>>> >> > > > Ben Jackson >>>> >> > > > eLogik >>>> >> > > > m:0404 924745 >>>> >> > > > e: ben@elogik.net >>>> >> > > > w: www.elogik.com.au >>>> >> > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. 
>>>> >> > > > au >>>> >> > > > >>>> >> > > > >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. >>>> >> > > > au >>>> >> > > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >> > > >>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >> > > >>>> >> > _______________________________________________ >>>> >> > Public mailing list >>>> >> > Public@talk.mikrotik.com.au >>>> >> > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >> > >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> _______________________________________________ >>>> >> Public mailing list >>>> >> Public@talk.mikrotik.com.au >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >> >>>> > >>>> > >>>> >>>> >>>> -- >>>> _______________________________________________ >>>> Public mailing list >>>> Public@talk.mikrotik.com.au >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au >>>> >>> >>> >> >> >> -- >> >> >
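The NAKs Ben sees in his dhcp-client log and the per-MAC lease binding Paul describes come down to a handful of DHCP fields. As an added illustration that is not part of this thread, here is a small RFC 2131 message decoder in Python run over two constructed packets: the 10.0.0.1 server address, the locally administered MAC and the transaction ids are placeholders, and static_lease_id_for_mac reproduces the client-id text RouterOS prints for static leases like those in Ben's config.

```python
"""Minimal RFC 2131 DHCP decoder for lease diagnosis (added example, not from the thread)."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def routeros_client_id(raw: bytes) -> str:
    """Render a client identifier (option 61) the way RouterOS prints it:
    colon-separated hex with leading zeros dropped, e.g. 1:0:e:58:32:e:c."""
    return ":".join(f"{b:x}" for b in raw)


def static_lease_id_for_mac(mac: str) -> str:
    """client-id RouterOS shows for an Ethernet client (type 1 + MAC); lets you
    check that client-id= and mac-address= in a static lease actually agree."""
    return routeros_client_id(b"\x01" + bytes.fromhex(mac.replace(":", "")))


def parse_options(data: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; PAD (0) skipped, END (255) stops."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header and the options that matter when a lease fails."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    chaddr = pkt[28:28 + hlen]            # hardware address the server keys the lease on
    opts = parse_options(pkt[240:])
    mtype = opts[53][0] if 53 in opts else 0
    return {
        "op": "reply" if op == 2 else "request",
        "xid": xid,
        "chaddr": chaddr.hex(":"),
        "yiaddr": ipv4(pkt[16:20]),
        "type": MSG_TYPES.get(mtype, f"unknown({mtype})"),
        "server_id": ipv4(opts[54]) if 54 in opts else None,
        "client_id": routeros_client_id(opts[61]) if 61 in opts else None,
        "message": opts[56].decode(errors="replace") if 56 in opts else None,
    }


def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: bytes, options) -> bytes:
    """Assemble a DHCP message (Ethernet hardware type, no relay) for the samples below."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(mac), 0, xid, 0, 0)
    hdr += b"\x00" * 4 + yiaddr + b"\x00" * 8       # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")                   # chaddr is a fixed 16 bytes
    hdr += b"\x00" * 192                            # sname (64) + file (128), unused
    body = DHCP_MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + body + b"\xff"


def diagnose(pkt: bytes) -> str:
    """One-line verdict: a NAK means the server refused the lease and the client
    must start over with DISCOVER, which is what a manual renew forces."""
    d = parse_dhcp(pkt)
    if d["type"] == "NAK":
        why = d["message"] or "no reason given"
        return f"NAK from {d['server_id']} for {d['chaddr']}: {why}; restart with DISCOVER"
    if d["type"] == "ACK":
        return f"ACK from {d['server_id']}: {d['yiaddr']} bound to {d['chaddr']}"
    return f"{d['type']} from {d['server_id']}"


# Constructed sample traffic: locally administered MAC, placeholder server address.
CPE_MAC = bytes.fromhex("020e58320e0c")
SERVER_ID = bytes([10, 0, 0, 1])
CLIENT_ID = b"\x01" + CPE_MAC
SAMPLE_ACK = build_dhcp(2, 0x1234, CPE_MAC, bytes([203, 0, 113, 50]),
                        [(53, b"\x05"), (54, SERVER_ID),
                         (51, struct.pack("!I", 3600)), (61, CLIENT_ID)])
SAMPLE_NAK = build_dhcp(2, 0x1235, CPE_MAC, b"\x00" * 4,
                        [(53, b"\x06"), (54, SERVER_ID),
                         (56, b"lease for another client"), (61, CLIENT_ID)])

if __name__ == "__main__":
    for pkt in (SAMPLE_ACK, SAMPLE_NAK):
        print(diagnose(pkt))
    # Sanity check against a static lease of the kind quoted in the thread's config.
    print(static_lease_id_for_mac("00:0E:58:32:0E:0C"))  # 1:0:e:58:32:e:c
```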
Are you 100% sure this is only the internet connection which is affected when you see the issues and not the whole LAN?

This may be left field here but I note the Sonos commented in your config. These things are terrible with any semi smart network due to their STP operation (or lack of) and generally cause issues if not designed around, most notably their path cost. Are all these customers of yours running Sonos in a similar setup (with a mtk being the 'core' of the switching as well)? The issue may very well be a loop/storm event rather than the ISP side of things, in which case you may need to work with a mtk bridge interface to get some STP control.

RJ

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 4:41 PM
To: Jason Hecker <jason@upandrunningtech.com.au>
Cc: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Just FYI, I normally disable all the bogon IP address stuff just in case that is having an impact.
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 6:34 PM, Ben Jackson <ben@elogik.net> wrote:

> Guys,
>
> Here is a typical config from one of my clients:
>
> # jul/28/2015 17:23:06 by RouterOS 6.30.2
> # software id = IU9F-WHTQ
> #
> /interface ethernet
> set [ find default-name=ether1 ] name=ether1-master-local
> set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> set [ find default-name=ether24 ] name=ether24-gateway
> set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> /ip pool
> add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> /ip dhcp-server
> add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> /ip address
> add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> /ip dhcp-client
> add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> /ip dhcp-server lease
> add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> /ip dhcp-server network
> add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> /ip dns
> set allow-remote-requests=yes
> /ip firewall address-list
> add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> /ip firewall filter
> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> add chain=output disabled=yes dst-port=1723 protocol=tcp
> add chain=input disabled=yes dst-port=1723 protocol=tcp
> add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> add chain=input comment="Accept related connections" connection-state=related disabled=yes
> add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
> add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
> add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
> add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
> add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
> add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
> add action=drop chain=input comment="Drop anything else!
# DO NOT > ENABLE THIS \ > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" > disabled=yes /ip firewall nat add action=masquerade chain=srcnat > out-interface=ether24-gateway /ip firewall service-port set ftp > disabled=yes set tftp disabled=yes set irc disabled=yes set h323 > disabled=yes set sip disabled=yes set pptp disabled=yes /ip ipsec > policy set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 /ip service > set telnet disabled=yes set ftp disabled=yes set www disabled=yes set > ssh disabled=yes set api disabled=yes set api-ssl disabled=yes /system > clock set time-zone-autodetect=no time-zone-name=Australia/Sydney > /tool romon port add > > > Ben Jackson > eLogik > m:0404 924745 > e: ben@elogik.net > w: www.elogik.com.au > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > jason@upandrunningtech.com.au> wrote: > >> Hi Ben, >> >> When the problem occurs again check the Routerboard for CPU use and >> check profiling to see just what is keeping the CPU busy. Don't >> overestimate the CPU in the 2011, it's not as quick as you think. >> The new FastPath and FastTrack features will be something you'll be >> interested in when routing something as fast as a cable modem so read >> up on them and do try the latest firmware images. >> >> Jason >> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote: >> >>> Hi Jason, >>> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in >>> any bridge or switch config and is routing only. >>> >>> When I first started installing Mikrotiks I used to bridge all the >>> other ports, which I know uses the main CPU and not the switch chip, >>> but my thinking was that the main CPU is more powerful and the >>> router isn't exactly doing anything complex such as queues or heaps of firewall rules. >>> >>> However since then I have started using the master - slave switch >>> chip function, especially on the 24 port CRS. 
On the RB2011's I >>> slave all the gigabit ports to ether2 and, slave all the 10/100 >>> ports to ether6, then bridge the two, with ether1 as the WAN port. >>> On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port. >>> >>> Ben Jackson >>> eLogik >>> m:0404 924745 >>> e: ben@elogik.net >>> w: www.elogik.com.au >>> [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) < >>> jason@upandrunningtech.com.au> wrote: >>> >>>> Hi >>>> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and >>>> the current is at 6.30 so I can't even see if some related bug has >>>> been fixed since 6.20. I'd suggest updating the software, reboot, >>>> update the firmware, reboot and see if that helps. >>>> >>>> If in doubt beyond that, save export your config, factory reset and >>>> reimport the config. >>>> >>>> What ports do you use on the 2011? Are the ports on 1Gb side >>>> slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 >>>> and Eth6 bridged? >>>> Which port is connected to the modem? It should be on it's own, >>>> not slaved or bridged. >>>> >>>> Since 6.20 there have been some packet engine speedups that operate >>>> at the bridge level and some interfaces (not PPPoE unfortunately). >>>> You will definitely benefit using the new speedup options with NAT >>>> on a DHCP based modem. >>>> >>>> Jason >>>> >>>> >>>> >>>> >>>> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote: >>>> >>>> > Hi Jason, >>>> > >>>> > I have customers at on few different ROS versions, normally >>>> > nothing >>>> earier >>>> > than 6.18 - and I always make sure the firmware is at a matching >>>> level. I >>>> > think the majority right now are at 6.20. 
>>>> > >>>> > Thanks >>>> > >>>> > Ben Jackson >>>> > eLogik >>>> > m:0404 924745 >>>> > e: ben@elogik.net >>>> > w: www.elogik.com.au >>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> > >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) >>>> > < jason@upandrunningtech.com.au> wrote: >>>> > >>>> >> What version of RouterOS are you using and what level is the >>>> firmware at? >>>> >> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote: >>>> >> >>>> >> > Hi RJ, >>>> >> > >>>> >> > Yep - that's exactly what I do. >>>> >> > >>>> >> > I know it's not congestion because when I reboot the mikrotik >>>> >> > or >>>> simply >>>> >> > renew the dhcp client address on the gateway port the whole >>>> >> > system >>>> >> springs >>>> >> > back to life. >>>> >> > >>>> >> > Thanks, >>>> >> > >>>> >> > Ben Jackson >>>> >> > eLogik >>>> >> > m:0404 924745 >>>> >> > e: ben@elogik.net >>>> >> > w: www.elogik.com.au >>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> >> > >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer < >>>> RJ.Plummer@4logic.com.au> >>>> >> > wrote: >>>> >> > >>>> >> > > Hi Ben, >>>> >> > > >>>> >> > > We have a few staff with bigpond cable and mikrotiks who >>>> >> > > don't >>>> exhibit >>>> >> > > this behaviour. >>>> >> > > >>>> >> > > Their setups are very straight forward: >>>> >> > > -Bridge the cable modem (same cable modem model as you >>>> >> > > describe) -DHCP client on the appropriate physical mkt >>>> >> > > interface -masq that interface -firewall filter as usual >>>> >> > > >>>> >> > > Do you have anything different in your configurations? 
>>>> >> > > >>>> >> > > Cheers, >>>> >> > > RJ >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Paul Julian >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM >>>> >> > > To: 'MikroTik Australia Public List' < >>>> public@talk.mikrotik.com.au> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or >>>> >> > > at >>>> least >>>> >> the >>>> >> > > one they present, this usually happens if a config has been >>>> uploaded >>>> >> to >>>> >> > > them without MAC addresses removed. >>>> >> > > >>>> >> > > There is an option in the interface settings called "Reset >>>> >> > > MAC >>>> >> Address", >>>> >> > > try clicking this on the interface you have plugged into the >>>> NTU, it >>>> >> will >>>> >> > > reset the MAC address back to or force it to be the actually >>>> physical >>>> >> MAC >>>> >> > > just in case anything has changed. >>>> >> > > >>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in >>>> hundreds of >>>> >> > > locations for ADSL and Ethernet services and never have one >>>> issue. >>>> >> > > >>>> >> > > Regards >>>> >> > > Paul >>>> >> > > >>>> >> > > -----Original Message----- >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On >>>> Behalf >>>> >> Of >>>> >> > > Ben Jackson >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM >>>> >> > > To: MikroTik Australia Public List >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there >>>> should be >>>> >> > > almost nothing to go wrong in this type of set-up. 
The NTU >>>> >> > > is >>>> >> definitely >>>> >> > in >>>> >> > > bridge mode - as evidenced by the radio button saying >>>> >> > > "Bridge >>>> Mode" on >>>> >> > the >>>> >> > > web GUI ;) and I have a DHCP client running on ether24 of >>>> >> > > the >>>> CRS (or >>>> >> > > sometimes ether 1) which immediately binds the public IP >>>> >> > > address >>>> to >>>> >> > itself. >>>> >> > > >>>> >> > > I understand about the MAC based DHCP which the ISP's use, I >>>> have had >>>> >> > > issues in the past (no longer seems to be as issue) where I >>>> >> > > have >>>> had >>>> >> to >>>> >> > > spoof the MAC address of the NTU to get a DHCP address. I >>>> >> > > have >>>> also >>>> >> > noticed >>>> >> > > if my MBP is the first device to connect to the NTU while in >>>> bridge >>>> >> mode, >>>> >> > > sometimes I need to power cycle the device to "deregister" >>>> >> > > the >>>> MAC >>>> >> > address >>>> >> > > of the MBP. I am able to get a binding on the MikroTik after >>>> >> > > this >>>> >> process >>>> >> > > is complete. >>>> >> > > >>>> >> > > But, in this instance this is not the problem unless somehow >>>> >> > > the >>>> MAC >>>> >> > > address of the MikroTik ether port is changing - is this >>>> possible? I >>>> >> must >>>> >> > > admit, my progress on this is somewhat hampered by not >>>> >> > > having a >>>> cable >>>> >> > setup >>>> >> > > to test on at home - I run ADSL. >>>> >> > > >>>> >> > > I'm pretty sure that nothing else on the network would be >>>> >> > > able >>>> to bind >>>> >> > > it's MAC address to the public IP before the MikroTik has >>>> >> > > had a >>>> chance >>>> >> > to - >>>> >> > > although I must admit I hadn't though of that so I'll check >>>> >> > > it >>>> out in >>>> >> > more >>>> >> > > detail. >>>> >> > > >>>> >> > > I am also inclined to agree with you that this is not solely >>>> >> > > a >>>> >> Mikrotik >>>> >> > > issue. 
It seems to me that it is the magic (or not so magic) >>>> >> combination >>>> >> > of >>>> >> > > the ISP's hardware and the MikroTik that seems to cause the >>>> problem. I >>>> >> > have >>>> >> > > tried other brands of router which do not seem to exhibit >>>> >> > > the >>>> issue, >>>> >> > > however these devices do not have the great feature set of >>>> >> > > the >>>> >> MikroTik >>>> >> > and >>>> >> > > are often not rack-mountable. Trotting out the "It's not a >>>> Mikrotik >>>> >> > issue" >>>> >> > > line is starting to wear very thin with both my customers >>>> >> > > and >>>> >> colleagues. >>>> >> > > Although my gut feeling is that it isn't - I need proof and >>>> >> > > I >>>> don't >>>> >> know >>>> >> > > where to start. This is happening far too often for it to be >>>> >> > > a >>>> >> > coincidence >>>> >> > > or a faulty device. >>>> >> > > >>>> >> > > I have, unfortunately also seen very strange behaviour over >>>> >> > > ADSL >>>> / >>>> >> pppoe >>>> >> > > connections in bridge mode too, I sent an email about this >>>> >> > > some >>>> time >>>> >> ago >>>> >> > > and it still plagues me from time to time. >>>> >> > > >>>> >> > > The type of installations I am doing are not your typical >>>> >> > > home >>>> setups >>>> >> and >>>> >> > > customers are paying a lot of money for a supposedly >>>> >> "commercial-grade" >>>> >> > > solution which is only adding to my stresses. >>>> >> > > >>>> >> > > Do any of you guys out there use a MikroTik as your home >>>> >> > > router >>>> - how >>>> >> do >>>> >> > > you set it up? Have you seen issues like this? >>>> >> > > >>>> >> > > One thing I have noticed is that the issue seems to be much >>>> >> > > more >>>> >> > prevalent >>>> >> > > with the newer DOCSIS 3.0 netgear / telstra / optus modems. >>>> >> > > No >>>> idea >>>> >> why. >>>> >> > > Any cable experts out there? 
>>>> >> > > >>>> >> > > Thanks again, >>>> >> > > >>>> >> > > >>>> >> > > Ben Jackson >>>> >> > > eLogik >>>> >> > > m:0404 924745 >>>> >> > > e: ben@elogik.net >>>> >> > > w: www.elogik.com.au >>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au> >>>> >> > > >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian < >>>> >> > paul@oxygennetworks.com.au> >>>> >> > > wrote: >>>> >> > > >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and >>>> Optus >>>> >> Cable >>>> >> > > > networks use MAC based DHCP, they bind the IP to the MAC >>>> >> > > > of >>>> the NTU >>>> >> or >>>> >> > > > in the case of bridge mode the first client that makes a >>>> request, >>>> >> and >>>> >> > > > often you have trouble with these things because of this, >>>> >> > > > I >>>> don't >>>> >> > > > really think it's a Mikrotik thing. >>>> >> > > > >>>> >> > > > However, as long as the Mikrotik is maintaining the same >>>> >> > > > MAC >>>> on the >>>> >> > > > interface plugged into the NTU and the NTU is truly in >>>> >> > > > bridge >>>> mode >>>> >> and >>>> >> > > > the Mikrotik is the only thing plugged into the NTU I >>>> >> > > > can't >>>> see why >>>> >> > > > it would be having issues. >>>> >> > > > >>>> >> > > > Is there any chance that another device might somehow be >>>> getting a >>>> >> > > > DHCP request through to the NTU somehow the way you have >>>> >> > > > it all >>>> >> plugged >>>> >> > > in ? 
>>>> >> > > > >>>> >> > > > Regards >>>> >> > > > Paul >>>> >> > > > >>>> >> > > > -----Original Message----- >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] >>>> >> > > > On >>>> >> Behalf Of >>>> >> > > > Ben Jackson >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM >>>> >> > > > To: MikroTik Australia Public List >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues >>>> >> > > > >>>> >> > > > Hi All, >>>> >> > > > >>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with >>>> this one. >>>> >> > > > >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and and more >>>> >> > > > recently, >>>> the >>>> >> > > > CRS125-24G) in large residential AV situations where >>>> invariably, the >>>> >> > > > Mikrotik is in dhcp client mode, in a cable internet >>>> >> > > > scenario >>>> where >>>> >> > > > Telstra's / Optus's modem has been placed into "bridge" >>>> >> > > > mode >>>> (NAT >>>> >> > > > switched >>>> >> > > > off) and the carrier-supplied WAN IP address gets bound to >>>> >> > > > the >>>> >> gateway >>>> >> > > > interface of the Mikrotik. >>>> >> > > > >>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 >>>> UniFi >>>> >> > > > access points, and at least 3-4 zones of Sonos. On initial >>>> >> > > > set >>>> up, >>>> >> > > > everything seems to work great, with the full bandwidth of >>>> >> > > > the >>>> cable >>>> >> > > > modem getting passed on to the rest of the network, even >>>> >> > > > when >>>> 802.11 >>>> >> > > > clients are connected (a testament to the UniFi's I my >>>> >> > > > opinion >>>> - I >>>> >> > > > only use dual band Pro AP's). >>>> >> > > > >>>> >> > > > However, after a week or so the internet connection seems >>>> >> > > > to >>>> get >>>> >> > > > either very slow, or stop working altogether. 
If I look in >>>> >> > > > the >>>> logs >>>> >> > > > (with dhcp logging switched on) I can see regular NAK's >>>> >> > > > getting >>>> >> passed >>>> >> > > > from the dhcp server on the cable modem. The problem is I >>>> >> > > > don't >>>> >> really >>>> >> > > > understand how DHCP works on cable modems. I'm assuming >>>> >> > > > every >>>> so >>>> >> often >>>> >> > > > the cable modem gets a new IP address from the carrier >>>> (normally >>>> >> after >>>> >> > > > a reset) and at this point the modem is not passing this >>>> >> > > > new >>>> address >>>> >> > > > onto the Mikrotik which is effectively cut off from the >>>> internet. >>>> >> > > > Since we are stuck with using Bigpond and Optus modems >>>> >> > > > these >>>> are the >>>> >> > > > only solutions I have discovered which seem to stop the >>>> >> > > > issue >>>> from >>>> >> > > occurring (at least as regularly). >>>> >> > > > >>>> >> > > > 1) Leave the cable modem in "router" mode and switch off >>>> >> > > > all extraneous services such as Wi-Fi, and also put one IP >>>> >> > > > address >>>> in >>>> >> the >>>> >> > > > dhcp pool so that the Mikrotik always gets the same >>>> >> > > > private IP address. However, this creates a double nat >>>> >> > > > situation which >>>> means I >>>> >> > > > can no longer perform reliable port forwarding for things >>>> >> > > > such >>>> as >>>> >> > > > DVR's and CBus controllers (which I find the Mikrotik's >>>> >> > > > great >>>> for). >>>> >> > > > >>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, >>>> >> > > > port >>>> >> forwarding >>>> >> > > > (which is a joke on these devices) and firewall tasks for >>>> >> > > > the >>>> entire >>>> >> > > > LAN and turn the CRS into an unmanaged L2 switch. The main >>>> problem >>>> >> > > > here is that these Bigpond devices simply do not have the >>>> grunt to >>>> >> > > > deal with large networks with lots of AV streaming and >>>> >> > > > control >>>> >> > happening. 
>>>> >> > > > >>>> >> > > > Since both of the above have severe drawbacks in terms of >>>> >> > > > functionality, I wonder if anyone has had similar >>>> >> > > > experiences >>>> as I >>>> >> am >>>> >> > > > just about ready to dump the MikroTik's and start looking >>>> >> > > > at >>>> other >>>> >> > > > options in the hope that they play better with the Bigpond >>>> gear. >>>> >> > > > >>>> >> > > > Thanks in advance, >>>> >> > > > >>>> >> > > > >>>> >> > > > Ben Jackson >>>> >> > > > eLogik >>>> >> > > > m:0404 924745 >>>> >> > > > e: ben@elogik.net >>>> >> > > > w: www.elogik.com.au >>>> >> > > > [image: http://www.elogik.com.au] >>>> >> > > > <http://www.elogik.com.au> >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. >>>> >> > > > au >>>> >> > > > >>>> >> > > > >>>> >> > > > _______________________________________________ >>>> >> > > > Public mailing list >>>> >> > > > Public@talk.mikrotik.com.au >>>> >> > > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. 
>>>> >> > > > au >>>> >> > > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >> > > >>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >> > > >>>> >> > > _______________________________________________ >>>> >> > > Public mailing list >>>> >> > > Public@talk.mikrotik.com.au >>>> >> > > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >> > > >>>> >> > _______________________________________________ >>>> >> > Public mailing list >>>> >> > Public@talk.mikrotik.com.au >>>> >> > >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >> > >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> _______________________________________________ >>>> >> Public mailing list >>>> >> Public@talk.mikrotik.com.au >>>> >> >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >> >>>> > >>>> > >>>> >>>> >>>> -- >>>> _______________________________________________ >>>> Public mailing list >>>> Public@talk.mikrotik.com.au >>>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.c >>>> om.au >>>> >>> >>> >> >> >> -- >> >> > _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
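An added example, not code posted by anyone in the thread: a RouterOS dhcp-client lease script (pasted into the WAN dhcp-client's Script field) that logs every bind, renew and unbind on the gateway port together with the lease, the modem's DHCP server address and the port's current MAC, so a NAK-driven address change and a MAC change (Paul's hypothesis above) can be read side by side in the log. It assumes the interface name ether24-gateway from Ben's config; the global variable name lastWanLease is my own choice.

```routeros
# Added example: dhcp-client event script for the WAN port.
# RouterOS runs it with $bound (1 = lease added/changed, 0 = lease removed),
# $"lease-address", $"server-address" and $"gateway-address" set.
# Interface name assumed from the config quoted above.
:local wan "ether24-gateway"
:local mac [/interface ethernet get [ find name=$wan ] mac-address]

# Global so the previous lease survives between invocations of the script.
:global lastWanLease
:if ([:typeof $lastWanLease] = "nothing") do={ :set lastWanLease "none" }

:if ($bound = 1) do={
    :local lease [:tostr $"lease-address"]
    :if ($lease != $lastWanLease) do={
        # A different address after a NAK/rebind is exactly the event to correlate.
        :log warning ("dhcp-client on " . $wan . " bound NEW lease " . $lease . \
            " (previous " . $lastWanLease . ") from server " . $"server-address" . \
            ", gateway " . $"gateway-address" . ", port MAC " . $mac)
    } else={
        :log info ("dhcp-client on " . $wan . " renewed " . $lease . \
            ", port MAC " . $mac)
    }
    :set lastWanLease $lease
} else={
    # Unbind: what a NAK from the modem's DHCP server or an expiry produces.
    :log warning ("dhcp-client on " . $wan . " lost lease " . $lastWanLease . \
        ", port MAC " . $mac)
}
```

With the bogon and ICMP rules in the quoted config this gives a timeline in /log that can be lined up against the "dhcp" topic entries Ben already has switched on.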
Hi RJ,

Not left-field at all, I am aware of Sonos's STP requirements and in this particular case the customer had 10 Sonos zones. My understanding is that as long as the switch forwards BPDU's in all cases, there shouldn't be a problem. As far as I know the MikroTik switch will do this unless someone knows better. I have also been in touch with Playback who are Sonos's main distributor in Australia and tried using the bridge with the values they recommended. Either way seems to work OK.

In any case, I am seeing this problem even when all Sonos products are physically unplugged from the CRS, and I am also seeing it with customers who don't have any Sonos at all. The only thing that seems to stop this issue is when the NTU is not bridged and set up to route between two discrete networks, for example 192.168.88.0/24 on the Mikrotik and 192.168.0.0/24 on the NTU. Also as I mentioned before the problem only seemed to start with the new DOCSIS 3.0 modems.

I am starting to think I need to get wireshark out and refresh my knowledge of how to use it.

Ben

On Tue, Jul 28, 2015 at 6:56 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:

Are you 100% sure this is only the internet connection which is affected when you see the issues and not the whole LAN.

This may be left field here but I note the sonos commented in your config. These things are terrible with any semi smart network due to their STP operation (or lack of) and generally cause issues if not designed around, most notably their path cost. Are all these customers of yours running sonos in a similar setup (with a mtk being the 'core' of the switching as well)? The issue may very well be a loop/storm event rather than the ISP side of things in which case you may need to work with a mtk bridge interface to get some STP control.

RJ

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 4:41 PM
To: Jason Hecker <jason@upandrunningtech.com.au>
Cc: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Just FYI, I normally disable all the bogon IP address stuff just in case that is having an impact.

On Tue, Jul 28, 2015 at 6:34 PM, Ben Jackson <ben@elogik.net> wrote:

Guys,

Here is a typical config from one of my clients:
address-list-timeout=1m chain=input connection-state=new > disabled=yes \ > > dst-port=22 protocol=tcp src-address-list=ssh_stage1 add > > action=add-src-to-address-list address-list=ssh_stage1 \ > > address-list-timeout=1m chain=input connection-state=new > disabled=yes \ > > dst-port=22 protocol=tcp > > add action=drop chain=input comment="Drop anything else! # DO NOT > > ENABLE THIS \ > > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" > > disabled=yes /ip firewall nat add action=masquerade chain=srcnat > > out-interface=ether24-gateway /ip firewall service-port set ftp > > disabled=yes set tftp disabled=yes set irc disabled=yes set h323 > > disabled=yes set sip disabled=yes set pptp disabled=yes /ip ipsec > > policy set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 /ip service > > set telnet disabled=yes set ftp disabled=yes set www disabled=yes set > > ssh disabled=yes set api disabled=yes set api-ssl disabled=yes /system > > clock set time-zone-autodetect=no time-zone-name=Australia/Sydney > > /tool romon port add > > > > > > Ben Jackson > > eLogik > > m:0404 924745 > > e: ben@elogik.net > > w: www.elogik.com.au > > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > > jason@upandrunningtech.com.au> wrote: > > > >> Hi Ben, > >> > >> When the problem occurs again check the Routerboard for CPU use and > >> check profiling to see just what is keeping the CPU busy. Don't > >> overestimate the CPU in the 2011, it's not as quick as you think. > >> The new FastPath and FastTrack features will be something you'll be > >> interested in when routing something as fast as a cable modem so read > >> up on them and do try the latest firmware images. 
> >>
> >> Jason
> >>
> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
> >>
> >>> Hi Jason,
> >>>
> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
> >>>
> >>> When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
> >>>
> >>> However, since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
> >>>
> >>> Ben Jackson
> >>> eLogik
> >>>
> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30, so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
> >>>>
> >>>> If in doubt beyond that, save/export your config, factory reset and reimport the config.
> >>>>
> >>>> What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6, and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
> >>>>
> >>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
> >>>>
> >>>> Jason
> >>>>
> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> >>>>
> >>>> > Hi Jason,
> >>>> >
> >>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
> >>>> >
> >>>> > Thanks
> >>>> >
> >>>> > Ben Jackson
> >>>> > eLogik
> >>>> >
> >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>> >
> >>>> >> What version of RouterOS are you using and what level is the firmware at?
> >>>> >>
> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
> >>>> >>
> >>>> >> > Hi RJ,
> >>>> >> >
> >>>> >> > Yep - that's exactly what I do.
> >>>> >> >
> >>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
> >>>> >> >
> >>>> >> > Thanks,
> >>>> >> >
> >>>> >> > Ben Jackson
> >>>> >> > eLogik
> >>>> >> >
> >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
> >>>> >> >
> >>>> >> > > Hi Ben,
> >>>> >> > >
> >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
> >>>> >> > >
> >>>> >> > > Their setups are very straightforward:
> >>>> >> > > - Bridge the cable modem (same cable modem model as you describe)
> >>>> >> > > - DHCP client on the appropriate physical mkt interface
> >>>> >> > > - masq that interface
> >>>> >> > > - firewall filter as usual
> >>>> >> > >
> >>>> >> > > Do you have anything different in your configurations?
> >>>> >> > >
> >>>> >> > > Cheers,
> >>>> >> > > RJ
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
> >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
> >>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present; this usually happens if a config has been uploaded to them without MAC addresses removed.
> >>>> >> > >
> >>>> >> > > There is an option in the interface settings called "Reset MAC Address". Try clicking this on the interface you have plugged into the NTU; it will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.
> >>>> >> > >
> >>>> >> > > We use bridge mode in modems and NTUs with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
> >>>> >> > >
> >>>> >> > > Regards
> >>>> >> > > Paul
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
> >>>> >> > > To: MikroTik Australia Public List
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Thanks for the reply Paul. Yes, I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether1) which immediately binds the public IP address to itself.
> >>>> >> > >
> >>>> >> > > I understand about the MAC based DHCP which the ISPs use. I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed that if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
> >>>> >> > >
> >>>> >> > > But in this instance this is not the problem, unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
> >>>> >> > >
> >>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that, so I'll check it out in more detail.
> >>>> >> > >
> >>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue; however, these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
> >>>> >> > >
> >>>> >> > > I have, unfortunately, also seen very strange behaviour over ADSL / PPPoE connections in bridge mode too. I sent an email about this some time ago and it still plagues me from time to time.
> >>>> >> > >
> >>>> >> > > The type of installations I am doing are not your typical home setups, and customers are paying a lot of money for a supposedly "commercial-grade" solution, which is only adding to my stresses.
> >>>> >> > >
> >>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
> >>>> >> > >
> >>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 Netgear / Telstra / Optus modems. No idea why. Any cable experts out there?
> >>>> >> > >
> >>>> >> > > Thanks again,
> >>>> >> > >
> >>>> >> > > Ben Jackson
> >>>> >> > > eLogik
> >>>> >> > >
> >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
> >>>> >> > >
> >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP: they bind the IP to the MAC of the NTU, or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this. I don't really think it's a Mikrotik thing.
> >>>> >> > > >
> >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU, and the NTU is truly in bridge mode, and the Mikrotik is the only thing plugged into the NTU, I can't see why it would be having issues.
> >>>> >> > > >
> >>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU, the way you have it all plugged in?
> >>>> >> > > >
> >>>> >> > > > Regards
> >>>> >> > > > Paul
> >>>> >> > > >
> >>>> >> > > > -----Original Message-----
> >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
> >>>> >> > > > To: MikroTik Australia Public List
> >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > > >
> >>>> >> > > > _______________________________________________
> >>>> >> > > > Public mailing list
> >>>> >> > > > Public@talk.mikrotik.com.au
> >>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
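Two things in the quoted thread point at a concrete configuration: Paul's advice to reset the WAN interface's MAC so the cable network's MAC-bound lease stays valid, and Ben's observation that simply renewing the DHCP client on the gateway port brings a stalled site back. The RouterOS fragment below is an added example written for this page; it is not from the thread and not part of Ben's export. The only thing it takes from his config is the WAN interface name ether24-gateway; the log topic, the two-minute interval and the script names are choices made here.

```routeros
# Added example, not from the thread. Assumes the WAN port is named
# ether24-gateway (as in Ben's export); everything else is a choice made here.

# 1. Pin the WAN MAC back to the hardware value (the CLI form of the
#    "Reset MAC Address" button Paul mentions) so an uploaded config cannot
#    present a different MAC to the NTU than the one the cable network has
#    bound the public IP to.
/interface ethernet reset-mac-address [ find name=ether24-gateway ]

# 2. Keep DHCP traffic in the in-memory log so NAKs can be read back after
#    the event instead of only while someone is watching the terminal.
/system logging add topics=dhcp action=memory

# 3. DHCP client on the WAN port. The script runs on every lease state
#    change: $bound is 1 when a lease is obtained and 0 when it is lost
#    (including after a NAK), so each transition is timestamped in the log.
/ip dhcp-client
add interface=ether24-gateway dhcp-options=hostname,clientid \
    add-default-route=yes use-peer-ntp=yes disabled=no \
    script=":if (\$bound = 1) do={ :log info (\"WAN bound \" . \$\"lease-address\" . \" via \" . \$\"gateway-address\") } else={ :log warning \"WAN DHCP lease lost\" }"

# 4. Watchdog: every 2 minutes, if the client is in any state other than
#    "bound", log it and force the renew that otherwise needs a site visit.
/system script
add name=wan-dhcp-watch policy=read,write,test source=":local wan \"ether24-gateway\"; :local st [/ip dhcp-client get [find interface=\$wan] status]; :if (\$st != \"bound\") do={ :log warning (\"WAN dhcp-client status is \" . \$st . \", renewing\"); /ip dhcp-client renew [find interface=\$wan] }"
/system scheduler
add name=wan-dhcp-watch interval=2m on-event=wan-dhcp-watch policy=read,write,test
```

The watchdog masks the symptom rather than explaining it. What it buys is evidence: after a week the dhcp log shows whether the NAK arrives immediately on renew (the CMTS still holds the binding for a different MAC or lease) or only after the modem has re-registered, and step 1 removes the "did the MAC change?" question from the list before that comparison is made.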
Maybe enable these Firewall->Service-port entries, as it doesn't hurt to have those helpers on.

Nothing sticks out as overtly wrong. If you are still up brown creek, try simplifying the config by:

* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions are in place).

Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?

Jason

On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:

> Guys,
>
> Here is a typical config from one of my clients:
>
> # jul/28/2015 17:23:06 by RouterOS 6.30.2
> # software id = IU9F-WHTQ
> #
> /interface ethernet
> set [ find default-name=ether1 ] name=ether1-master-local
> set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> set [ find default-name=ether24 ] name=ether24-gateway
> set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> /ip pool
> add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> /ip dhcp-server
> add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> /ip address
> add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> /ip dhcp-client
> add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> /ip dhcp-server lease
> add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> /ip dhcp-server network
> add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> /ip dns
> set allow-remote-requests=yes
> /ip firewall address-list
> add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> /ip firewall filter
> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> add chain=output disabled=yes dst-port=1723 protocol=tcp
> add chain=input disabled=yes dst-port=1723 protocol=tcp
> add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> add chain=input comment="Accept related connections" connection-state=related disabled=yes
> add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
> add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
> add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
> add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
> add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
> add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
> add action=drop chain=input comment="Drop anything else! 
# DO NOT ENABLE > THIS \ > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes > /ip firewall nat > add action=masquerade chain=srcnat out-interface=ether24-gateway > /ip firewall service-port > set ftp disabled=yes > set tftp disabled=yes > set irc disabled=yes > set h323 disabled=yes > set sip disabled=yes > set pptp disabled=yes > /ip ipsec policy > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 > /ip service > set telnet disabled=yes > set ftp disabled=yes > set www disabled=yes > set ssh disabled=yes > set api disabled=yes > set api-ssl disabled=yes > /system clock > set time-zone-autodetect=no time-zone-name=Australia/Sydney > /tool romon port > add > > > Ben Jackson > eLogik > m:0404 924745 > e: ben@elogik.net > w: www.elogik.com.au > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > jason@upandrunningtech.com.au> wrote: > >> Hi Ben, >> >> When the problem occurs again check the Routerboard for CPU use and check >> profiling to see just what is keeping the CPU busy. Don't overestimate the >> CPU in the 2011, it's not as quick as you think. The new FastPath and >> FastTrack features will be something you'll be interested in when routing >> something as fast as a cable modem so read up on them and do try the latest >> firmware images. >> >> Jason >> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote: >> >>> Hi Jason, >>> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any >>> bridge or switch config and is routing only. >>> >>> When I first started installing Mikrotiks I used to bridge all the other >>> ports, which I know uses the main CPU and not the switch chip, but my >>> thinking was that the main CPU is more powerful and the router isn't >>> exactly doing anything complex such as queues or heaps of firewall rules. 
>>>
>>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>>
>>> Ben Jackson
>>> eLogik
>>> m:0404 924745
>>> e: ben@elogik.net
>>> w: www.elogik.com.au
>>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>
>>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>
>>>> Hi
>>>>
>>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
>>>>
>>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
>>>>
>>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
>>>>
>>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
>>>>
>>>> Jason
>>>>
>>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>>
>>>> > Hi Jason,
>>>> >
>>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Ben Jackson
>>>> > eLogik
>>>> > m:0404 924745
>>>> > e: ben@elogik.net
>>>> > w: www.elogik.com.au
>>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >
>>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>> >
>>>> >> What version of RouterOS are you using and what level is the firmware at?
>>>> >>
>>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>> >>
>>>> >> > Hi RJ,
>>>> >> >
>>>> >> > Yep - that's exactly what I do.
>>>> >> >
>>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
>>>> >> >
>>>> >> > Thanks,
>>>> >> >
>>>> >> > Ben Jackson
>>>> >> > eLogik
>>>> >> > m:0404 924745
>>>> >> > e: ben@elogik.net
>>>> >> > w: www.elogik.com.au
>>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> >
>>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>> >> >
>>>> >> > > Hi Ben,
>>>> >> > >
>>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
>>>> >> > >
>>>> >> > > Their setups are very straightforward:
>>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
>>>> >> > > -DHCP client on the appropriate physical mkt interface
>>>> >> > > -masq that interface
>>>> >> > > -firewall filter as usual
>>>> >> > >
>>>> >> > > Do you have anything different in your configurations?
>>>> >> > >
>>>> >> > > Cheers,
>>>> >> > > RJ
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
>>>> >> > >
>>>> >> > > There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
>>>> >> > >
>>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
>>>> >> > >
>>>> >> > > Regards
>>>> >> > > Paul
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>> >> > > To: MikroTik Australia Public List
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
>>>> >> > >
>>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
>>>> >> > >
>>>> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
>>>> >> > >
>>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
>>>> >> > >
>>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
>>>> >> > >
>>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
>>>> >> > >
>>>> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
>>>> >> > >
>>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
>>>> >> > >
>>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
>>>> >> > >
>>>> >> > > Thanks again,
>>>> >> > >
>>>> >> > > Ben Jackson
>>>> >> > > eLogik
>>>> >> > > m:0404 924745
>>>> >> > > e: ben@elogik.net
>>>> >> > > w: www.elogik.com.au
>>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> > >
>>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>> >> > >
>>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
>>>> >> > > >
>>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
>>>> >> > > >
>>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU the way you have it all plugged in?
>>>> >> > > >
>>>> >> > > > Regards
>>>> >> > > > Paul
>>>> >> > > >
>>>> >> > > > -----Original Message-----
>>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>> >> > > > To: MikroTik Australia Public List
>>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > > >
>>>> >> > > > Hi All,
>>>> >> > > >
>>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this one.
>>>> >> > > >
>>>> >> > > > We use Mikrotik gear (Mainly RB2011's and more recently, the CRS125-24G) in large residential AV situations where invariably, the Mikrotik is in dhcp client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.
>>>> >> > > >
>>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 UniFi access points, and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).
>>>> >> > > >
>>>> >> > > > However, after a week or so the internet connection seems to get either very slow, or stop working altogether. If I look in the logs (with dhcp logging switched on) I can see regular NAK's getting passed from the dhcp server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address onto the Mikrotik which is effectively cut off from the internet. Since we are stuck with using Bigpond and Optus modems these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly).
>>>> >> > > >
>>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the dhcp pool so that the Mikrotik always gets the same private IP address. However, this creates a double nat situation which means I can no longer perform reliable port forwarding for things such as DVR's and CBus controllers (which I find the Mikrotik's great for).
>>>> >> > > >
>>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.
>>>> >> > > >
>>>> >> > > > Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences as I am just about ready to dump the MikroTik's and start looking at other options in the hope that they play better with the Bigpond gear.
>>>> >> > > >
>>>> >> > > > Thanks in advance,
>>>> >> > > >
>>>> >> > > > Ben Jackson
>>>> >> > > > eLogik
>>>> >> > > > m:0404 924745
>>>> >> > > > e: ben@elogik.net
>>>> >> > > > w: www.elogik.com.au
>>>> >> > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> > > > _______________________________________________
>>>> >> > > > Public mailing list
>>>> >> > > > Public@talk.mikrotik.com.au
>>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
>>>> >> > > >
>
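An added example (not code from the thread or from MikroTik): a small Python parser for the RouterOS `/export` format Ben posted above, which joins the backslash-continued lines, decodes the `\_` space escape seen in the bogon comments, and then reports what the firewall filter and DHCP server are actually enforcing. The embedded export is a constructed, shortened excerpt; run the same `audit()` over a full export and it shows at a glance that a filter list where every rule carries `disabled=yes`, as in the posted config, leaves both chains on default accept.

```python
from collections import defaultdict

# Constructed excerpt in the same syntax as the export posted in the thread
# (not the full config): a trailing '\' continues a command, continuation
# lines are indented, and '\_' is a space at the start of a quoted continuation.
SAMPLE_EXPORT = r"""
# jul/28/2015 17:23:06 by RouterOS 6.30.2
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
    comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
    server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
    server=dhcp1
/ip firewall address-list
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add action=drop chain=input comment="Drop anything else!" disabled=yes
/ip service
set telnet disabled=yes
"""

def logical_lines(text):
    """Join physical lines that end in a continuation backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()              # continuation indent is not data
        if line.endswith("\\"):
            buf = line[:-1]
        elif line:
            out.append(line)
            buf = ""
    return out

def tokenize(line):
    """Split on whitespace outside double quotes; decode RouterOS escapes."""
    tokens, cur, quoted, in_tok, i = [], "", False, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # \_ is a space, \" a quote
            cur += " " if line[i + 1] == "_" else line[i + 1]
            in_tok, i = True, i + 2
            continue
        if ch == '"':
            quoted, in_tok = not quoted, True
        elif ch.isspace() and not quoted:
            if in_tok:
                tokens.append(cur)
            cur, in_tok = "", False
        else:
            cur, in_tok = cur + ch, True
        i += 1
    return tokens + [cur] if in_tok else tokens

def parse_export(text):
    """Return {section: [{cmd, target, args}]} for an export dump."""
    cfg, section = defaultdict(list), None
    for line in logical_lines(text):
        if line.startswith("/"):                 # new section, e.g. /ip firewall filter
            section = line
        elif line.startswith("#") or section is None:
            continue                             # header comments
        else:
            toks = tokenize(line)
            cmd, rest, target = toks[0], toks[1:], None
            if rest and rest[0] == "[":          # set [ find default-name=... ] ...
                close = rest.index("]")
                target, rest = " ".join(rest[1:close]), rest[close + 1:]
            elif rest and "=" not in rest[0]:    # set telnet ... / set 0 ...
                target, rest = rest[0], rest[1:]
            args = dict(tok.split("=", 1) for tok in rest if "=" in tok)
            cfg[section].append({"cmd": cmd, "target": target, "args": args})
    return dict(cfg)

def active_rules(cfg, section, chain=None):
    """Rules in a firewall section that are in force (not disabled=yes)."""
    return [e for e in cfg.get(section, [])
            if e["args"].get("disabled") != "yes"
            and (chain is None or e["args"].get("chain") == chain)]

def reservation_count(cfg):
    """Static DHCP leases, the reservations a simplified config would drop."""
    return sum(e["cmd"] == "add" for e in cfg.get("/ip dhcp-server lease", []))

def audit(text):
    """Findings a reviewer would check before blaming the modem."""
    cfg, flt = parse_export(text), "/ip firewall filter"
    findings = [f"firewall filter: {len(active_rules(cfg, flt))} of "
                f"{len(cfg.get(flt, []))} rules enabled"]
    for chain in ("input", "forward"):
        drops = [e for e in active_rules(cfg, flt, chain)
                 if e["args"].get("action") == "drop"]
        if not drops:
            findings.append(f"chain {chain}: no enabled drop rule, default accept")
    findings.append(f"dhcp-server: {reservation_count(cfg)} static lease(s)")
    return findings
```

Export only lists settings that differ from defaults, so `audit()` reports on what is present in the dump, not on services or rules the export omits.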
Thanks for the input Jason, I'll see if that makes a difference.

Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh Nasty. It seems fine so far but TBH so did the Mikrotik for about a week.

I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)

I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.

Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
[image: http://www.elogik.com.au] <http://www.elogik.com.au>

On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:

> Nothing sticks out as overtly wrong.
>
> If you are still up brown creek try simplifying the config by:
>
> * Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
> * Use basic NAT (no change);
> * Use the DHCP client (no change);
> * Use DHCP server without any reservations;
> * Slave and bridge the switch ports appropriately (no change);
> * Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
>
> Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
>
> Jason
>
> On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
>
> > Guys,
> >
> > Here is a typical config from one of my clients:
> >
> > # jul/28/2015 17:23:06 by RouterOS 6.30.2
> > # software id = IU9F-WHTQ
> > #
> > /interface ethernet
> > set [ find default-name=ether1 ] name=ether1-master-local
> > set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> > set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> > set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> > set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> > set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> > set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> > set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> > set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> > set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> > set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> > set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> > set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> > set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> > set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> > set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> > set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> > set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> > set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> > set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> > set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> > set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> > set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> > set [ find default-name=ether24 ] name=ether24-gateway
> > set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> > /ip pool
> > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> > /ip dhcp-server
> > add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> > /ip address
> > add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> > /ip dhcp-client
> > add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> > /ip dhcp-server lease
> > add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> > add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> > add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> > add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> > add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> > add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> > add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> > add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> > add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> > add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> > add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> > add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> > add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> > /ip dhcp-server network
> > add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> > /ip dns
> > set allow-remote-requests=yes
> > /ip firewall address-list
> > add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> > add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> > add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> > add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> > add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> > add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> > add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> > add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> > /ip firewall filter
> > add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> > add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> > add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> > add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> > add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> > add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> > add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> > add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> > add chain=output disabled=yes dst-port=1723 protocol=tcp
> > add chain=input disabled=yes dst-port=1723 protocol=tcp
> > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> > add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> > add chain=input comment="Accept related connections" connection-state=related disabled=yes
> > add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> > add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> > add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> > add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> > add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
> > add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
> > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> > add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
> > add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
> > add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
> > add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
> > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
> > /ip firewall nat
> > add action=masquerade chain=srcnat out-interface=ether24-gateway
> > /ip firewall service-port
> > set ftp disabled=yes
> > set tftp disabled=yes
> > set irc disabled=yes
> > set h323 disabled=yes
> > set sip disabled=yes
> > set pptp disabled=yes
> > /ip ipsec policy
> > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
> > /ip service
> > set telnet disabled=yes
> > set ftp disabled=yes
> > set www disabled=yes
> > set ssh disabled=yes
> > set api disabled=yes
> > set api-ssl disabled=yes
> > /system clock
> > set time-zone-autodetect=no time-zone-name=Australia/Sydney
> > /tool romon port
> > add
> >
> > Ben Jackson
> > eLogik
> > m:0404 924745
> > e: ben@elogik.net
> > w: www.elogik.com.au
> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >
> > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >
> >> Hi Ben,
> >>
> >> When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
> >>
> >> Jason
> >>
> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
> >>
> >>> Hi Jason,
> >>>
> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
> >>>
> >>> When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
> >>>
> >>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
> >>>
> >>> Ben Jackson
> >>> eLogik
> >>> m:0404 924745
> >>> e: ben@elogik.net
> >>> w: www.elogik.com.au
> >>>
> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
> >>>>
> >>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
> >>>>
> >>>> What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
> >>>>
> >>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
> >>>>
> >>>> Jason
> >>>>
> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> >>>>
> >>>> > Hi Jason,
> >>>> >
> >>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
> >>>> >
> >>>> > Thanks
> >>>> >
> >>>> > Ben Jackson
> >>>> > eLogik
> >>>> > m:0404 924745
> >>>> > e: ben@elogik.net
> >>>> > w: www.elogik.com.au
> >>>> >
> >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>> >
> >>>> >> What version of RouterOS are you using and what level is the firmware at?
> >>>> >>
> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
> >>>> >>
> >>>> >> > Hi RJ,
> >>>> >> >
> >>>> >> > Yep - that's exactly what I do.
> >>>> >> >
> >>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
> >>>> >> >
> >>>> >> > Thanks,
> >>>> >> >
> >>>> >> > Ben Jackson
> >>>> >> > eLogik
> >>>> >> > m:0404 924745
> >>>> >> > e: ben@elogik.net
> >>>> >> > w: www.elogik.com.au
> >>>> >> >
> >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
> >>>> >> >
> >>>> >> > > Hi Ben,
> >>>> >> > >
> >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
> >>>> >> > >
> >>>> >> > > Their setups are very straightforward:
> >>>> >> > > - Bridge the cable modem (same cable modem model as you describe)
> >>>> >> > > - DHCP client on the appropriate physical mkt interface
> >>>> >> > > - masq that interface
> >>>> >> > > - firewall filter as usual
> >>>> >> > >
> >>>> >> > > Do you have anything different in your configurations?
> >>>> >> > >
> >>>> >> > > Cheers,
> >>>> >> > > RJ
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
> >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
> >>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present. This usually happens if a config has been uploaded to them without MAC addresses removed.
> >>>> >> > >
> >>>> >> > > There is an option in the interface settings called "Reset MAC Address". Try clicking this on the interface you have plugged into the NTU; it will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.
> >>>> >> > >
> >>>> >> > > We use bridge mode in modems and NTUs with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
> >>>> >> > >
> >>>> >> > > Regards
> >>>> >> > > Paul
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
> >>>> >> > > To: MikroTik Australia Public List
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether1) which immediately binds the public IP address to itself.
> >>>> >> > >
> >>>> >> > > I understand about the MAC based DHCP which the ISPs use. I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
> >>>> >> > >
> >>>> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
> >>>> >> > >
> >>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
> >>>> >> > >
> >>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
> >>>> >> > >
> >>>> >> > > I have, unfortunately, also seen very strange behaviour over ADSL / pppoe connections in bridge mode too. I sent an email about this some time ago and it still plagues me from time to time.
> >>>> >> > >
> >>>> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution, which is only adding to my stresses.
> >>>> >> > >
> >>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
> >>>> >> > >
> >>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
> >>>> >> > >
> >>>> >> > > Thanks again,
> >>>> >> > >
> >>>> >> > > Ben Jackson
> >>>> >> > > eLogik
> >>>> >> > > m:0404 924745
> >>>> >> > > e: ben@elogik.net
> >>>> >> > > w: www.elogik.com.au
> >>>> >> > >
> >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
> >>>> >> > >
> >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP. They bind the IP to the MAC of the NTU or, in the case of bridge mode, the first client that makes a request, and often you have trouble with these things because of this. I don't really think it's a Mikrotik thing.
> >>>> >> > > >
> >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
> >>>> >> > > >
> >>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
> >>>> >> > > >
> >>>> >> > > > Regards
> >>>> >> > > > Paul
> >>>> >> > > >
> >>>> >> > > > -----Original Message-----
> >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
> >>>> >> > > > To: MikroTik Australia Public List
> >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
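The export Ben quoted in this thread has every rule under /ip firewall filter set disabled=yes, including the final "Drop anything else!" rule, while /ip dns has allow-remote-requests=yes, /ip service disables six services but not winbox (so it stays at its default), and the public address arrives through the DHCP client on ether24-gateway. Nobody on the list says so, but with the rules disabled the input chain is empty, so whatever the router listens on is reachable from the WAN. The following is an added example, not code from the list, from MikroTik or from any of the posters: a small Python linter for RouterOS /export text that parses that format (section headers, add/set lines, backslash continuations, the `\_` marker for a leading space on a wrapped line) and flags those conditions. The two exports it checks are constructed for the example and condensed from the quoted config; the service port numbers and the rule that a service the export does not disable is enabled by default are assumptions about RouterOS defaults, not facts from the thread.

```python
# Added example for this thread, not code from the list, from MikroTik or from any
# poster: a linter for RouterOS '/export' text. SERVICE_PORTS and "a service the
# export does not disable is at its default, enabled" are assumed RouterOS defaults.
import shlex
from collections import defaultdict

SERVICE_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22, "api": 8728, "api-ssl": 8729, "winbox": 8291}
# An input drop carrying any of these matchers is not a catch-all for the WAN.
NARROWING = ("protocol", "dst-port", "src-address", "src-address-list", "dst-address", "connection-state")

# Constructed sample shaped like the export quoted above: every filter rule disabled.
WEAK_EXPORT = r"""
/interface ethernet
set [ find default-name=ether24 ] name=ether24-gateway
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether24-gateway
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
"""

# Constructed hardened form: the same export plus enabled rules ending in a
# catch-all drop from the WAN (rule order matters on the router, not to this check).
HARDENED_EXPORT = WEAK_EXPORT + r"""
/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input comment="Drop everything else from the WAN" \
    in-interface=ether24-gateway
"""

def logical_lines(text):
    """Join backslash-continued lines the way /export wraps them."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:  # continuation: '\_' marks a leading space,
            line = buf + (" " + line[2:] if line.startswith("\\_") else line)
        if line.endswith("\\"):  # otherwise the pieces join with no separator
            buf = line[:-1]
            continue
        buf = None
        if line and not line.startswith("#"):
            yield line

def parse_export(text):
    """{section: [entry]}; entry maps key->value plus _verb and _select/_target."""
    cfg, section = defaultdict(list), None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        verb, *rest = shlex.split(line)
        entry = {"_verb": verb}
        if rest and rest[0] == "[":  # set [ find default-name=ether24 ] ...
            close = rest.index("]")
            entry["_select"] = dict(t.split("=", 1) for t in rest[1:close] if "=" in t)
            rest = rest[close + 1:]
        elif rest and "=" not in rest[0]:  # set telnet disabled=yes
            entry["_target"], rest = rest[0], rest[1:]
        for tok in rest:
            key, _, value = tok.partition("=")
            entry[key] = value
        cfg[section].append(entry)
    return cfg

def lint(export_text):
    cfg = parse_export(export_text)
    wan = [e["interface"] for e in cfg["/ip dhcp-client"]
           if e.get("disabled") != "yes" and "interface" in e]
    enabled = [r for r in cfg["/ip firewall filter"] if r.get("disabled") != "yes"]
    # Catch-all: an enabled input drop with no narrowing matcher, on the WAN or unscoped.
    shielded = any(r.get("chain") == "input" and r.get("action") in ("drop", "reject")
                   and not any(k in r for k in NARROWING)
                   and r.get("in-interface") in (None, *wan) for r in enabled)
    if not wan or shielded:
        return []
    wan_s = ", ".join(wan)
    findings = [f"input chain has no enabled drop rule on {wan_s}: everything the router listens on is reachable"]
    if any(e.get("allow-remote-requests") == "yes" for e in cfg["/ip dns"]):
        findings.append(f"allow-remote-requests=yes with no filter on {wan_s}: open resolver")
    off = {e.get("_target") for e in cfg["/ip service"] if e.get("disabled") == "yes"}
    for name, port in SERVICE_PORTS.items():
        if name not in off:  # not disabled in the export: at its default, enabled
            findings.append(f"service {name} (tcp/{port}) is reachable from {wan_s}")
    return findings
```

Calling lint(WEAK_EXPORT) returns three findings (no input drop, open resolver, winbox reachable); lint(HARDENED_EXPORT) returns none. The "shielded" test is deliberately coarse: it asks only whether an enabled, unnarrowed input drop exists for the WAN interface and does not model rule order, so an accept for tcp/8291 placed above the drop would still pass. The point it makes about the quoted config needs no such subtlety, since with every rule disabled=yes there is no input chain at all.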
Hi Ben,

Config of CRS as a simple switch is easy - just set 'master port' on all interfaces to the same value (except for the master port itself ;)

For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none).

Then just add IP address, firewall filters etc. on the master port.

Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.

Hope it makes sense! :-)

Cheers,
Mike

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Thanks for the input Jason, I'll see if that makes a difference.

Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh. Nasty. It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)

I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.

Just as an aside, does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:

> Nothing sticks out as overtly wrong.
>
> If you are still up brown creek try simplifying the config by:
>
> * Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
> * Use basic NAT (no change);
> * Use the DHCP client (no change);
> * Use DHCP server without any reservations;
> * Slave and bridge the switch ports appropriately (no change);
> * Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
>
> Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
>
> Jason
>
> On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
>
> > Guys,
> >
> > Here is a typical config from one of my clients:
> >
> > # jul/28/2015 17:23:06 by RouterOS 6.30.2
> > # software id = IU9F-WHTQ
> > #
> > /interface ethernet
> > set [ find default-name=ether1 ] name=ether1-master-local
> > set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> > set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> > set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> > set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> > set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> > set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> > set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> > set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> > set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> > set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> > set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> > set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> > set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> > set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> > set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> > set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> > set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> > set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> > set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> > set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> > set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> > set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> > set [ find default-name=ether24 ] name=ether24-gateway
> > set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> > /ip pool
> > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> > /ip dhcp-server
> > add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> > /ip address
> > add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> > /ip dhcp-client
> > add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> > /ip dhcp-server lease
> > add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> > add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> > add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> > add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> > add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> > add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> > add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> > add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> > add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> > add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> > add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> > add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> > add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> > /ip dhcp-server network
> > add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> > /ip dns
> > set allow-remote-requests=yes
> > /ip firewall address-list
> > add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> > add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> > add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> > add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> > add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> > add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> > add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> > add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> > add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> > /ip firewall filter
> > add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> > add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> > add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> > add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> > add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> > add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> > add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> > add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> > add chain=output disabled=yes dst-port=1723 protocol=tcp
> > add chain=input disabled=yes dst-port=1723 protocol=tcp
> > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> > add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> > add chain=input comment="Accept related connections" connection-state=related disabled=yes
> > add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> > add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> > add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> > add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> > add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
> > add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
> > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> > add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
> > add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
> > add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
> > add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
> > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
> > /ip firewall nat
> > add action=masquerade chain=srcnat out-interface=ether24-gateway
> > /ip firewall service-port
> > set ftp disabled=yes
> > set tftp disabled=yes
> > set irc disabled=yes
> > set h323 disabled=yes
> > set sip disabled=yes
> > set pptp disabled=yes
> > /ip ipsec policy
> > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
> > /ip service
> > set telnet disabled=yes
> > set ftp disabled=yes
> > set www disabled=yes
> > set ssh disabled=yes
> > set api disabled=yes
> > set api-ssl disabled=yes
> > /system clock
> > set time-zone-autodetect=no time-zone-name=Australia/Sydney
> > /tool romon port
> > add
> >
> > Ben Jackson
> > eLogik
> > m:0404 924745
> > e: ben@elogik.net
> > w: www.elogik.com.au
> >
> > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >
> >> Hi Ben,
> >>
> >> When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think.
> >> The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
> >>
> >> Jason
> >>
> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
> >>
> >>> Hi Jason,
> >>>
> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
> >>>
> >>> When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
> >>>
> >>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
> >>>
> >>> Ben Jackson
> >>> eLogik
> >>> m:0404 924745
> >>> e: ben@elogik.net
> >>> w: www.elogik.com.au
> >>>
> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
> >>>>
> >>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
> >>>>
> >>>> What ports do you use on the 2011?
> >>>> Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged?
> >>>> Which port is connected to the modem? It should be on its own, not slaved or bridged.
> >>>>
> >>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
> >>>>
> >>>> Jason
> >>>>
> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> >>>>
> >>>> > Hi Jason,
> >>>> >
> >>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
> >>>> >
> >>>> > Thanks
> >>>> >
> >>>> > Ben Jackson
> >>>> > eLogik
> >>>> > m:0404 924745
> >>>> > e: ben@elogik.net
> >>>> > w: www.elogik.com.au
> >>>> >
> >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>> >
> >>>> >> What version of RouterOS are you using and what level is the firmware at?
> >>>> >>
> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
> >>>> >>
> >>>> >> > Hi RJ,
> >>>> >> >
> >>>> >> > Yep - that's exactly what I do.
> >>>> >> >
> >>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
> >>>> >> >
> >>>> >> > Thanks,
> >>>> >> >
> >>>> >> > Ben Jackson
> >>>> >> > eLogik
> >>>> >> > m:0404 924745
> >>>> >> > e: ben@elogik.net
> >>>> >> > w: www.elogik.com.au
> >>>> >> >
> >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
> >>>> >> >
> >>>> >> > > Hi Ben,
> >>>> >> > >
> >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
> >>>> >> > >
> >>>> >> > > Their setups are very straight forward:
> >>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
> >>>> >> > > -DHCP client on the appropriate physical mkt interface
> >>>> >> > > -masq that interface
> >>>> >> > > -firewall filter as usual
> >>>> >> > >
> >>>> >> > > Do you have anything different in your configurations?
> >>>> >> > >
> >>>> >> > > Cheers,
> >>>> >> > > RJ
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
> >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
> >>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
> >>>> >> > >
> >>>> >> > > There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
> >>>> >> > >
> >>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
> >>>> >> > >
> >>>> >> > > Regards
> >>>> >> > > Paul
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
> >>>> >> > > To: MikroTik Australia Public List
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
> >>>> >> > >
> >>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
> >>>> >> > >
> >>>> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible?
> >>>> >> > > I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
> >>>> >> > >
> >>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
> >>>> >> > >
> >>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
> >>>> >> > >
> >>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
> >>>> >> > >
> >>>> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
> >>>> >> > >
> >>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
> >>>> >> > >
> >>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
> >>>> >> > >
> >>>> >> > > Thanks again,
> >>>> >> > >
> >>>> >> > > Ben Jackson
> >>>> >> > > eLogik
> >>>> >> > > m:0404 924745
> >>>> >> > > e: ben@elogik.net
> >>>> >> > > w: www.elogik.com.au
> >>>> >> > >
> >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
> >>>> >> > >
> >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
> >>>> >> > > >
> >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
> >>>> >> > > >
> >>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
> >>>> >> > > >
> >>>> >> > > > Regards
> >>>> >> > > > Paul
> >>>> >> > > >
> >>>> >> > > > -----Original Message-----
> >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
> >>>> >> > > > To: MikroTik Australia Public List
> >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)

Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple L2 switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add IP address, firewall filters etc. on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh. Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=established disabled=yes
add chain=input comment="Accept related connections" connection-state=related disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi Ben,
When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
Jason
On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and, slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi
OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
If in doubt beyond that, save export your config, factory reset and reimport the config.
What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6, and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
Jason
On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> Hi Jason,
>
> I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
>
> Thanks
>
> Ben Jackson, eLogik
>
> On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>
>> What version of RouterOS are you using and what level is the firmware at?
>>
>> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>
>>> Hi RJ,
>>>
>>> Yep - that's exactly what I do.
>>>
>>> I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
>>>
>>> Thanks,
>>>
>>> Ben Jackson, eLogik
>>>
>>> On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>
>>>> Hi Ben,
>>>>
>>>> We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
>>>>
>>>> Their setups are very straight forward:
>>>> - Bridge the cable modem (same cable modem model as you describe)
>>>> - DHCP client on the appropriate physical mkt interface
>>>> - masq that interface
>>>> - firewall filter as usual
>>>>
>>>> Do you have anything different in your configurations?
>>>>
>>>> Cheers,
>>>> RJ
>>>>
>>>> -----Original Message-----
>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>> Sent: Tuesday, 28 July 2015 10:55 AM
>>>> To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>
>>>> Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
>>>>
>>>> There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
>>>>
>>>> We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
>>>>
>>>> Regards
>>>> Paul
>>>>
>>>> -----Original Message-----
>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> Sent: Tuesday, 28 July 2015 12:47 PM
>>>> To: MikroTik Australia Public List
>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>
>>>> Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
>>>>
>>>> I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
>>>>
>>>> But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
>>>>
>>>> I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
>>>>
>>>> I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
>>>>
>>>> I have, unfortunately, also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
>>>>
>>>> The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
>>>>
>>>> Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
>>>>
>>>> One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
>>>>
>>>> Thanks again,
>>>>
>>>> Ben Jackson, eLogik
>>>>
>>>> On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>>
>>>>> Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
>>>>>
>>>>> However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
>>>>>
>>>>> Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
>>>>>
>>>>> Regards
>>>>> Paul
>>>>>
>>>>> -----Original Message-----
>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>> Sent: Tuesday, 28 July 2015 10:53 AM
>>>>> To: MikroTik Australia Public List
>>>>> Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm hoping someone can help me as I'm at my wit's end with this one.
>>>>>
>>>>> We use Mikrotik gear (mainly RB2011's and, more recently, the CRS125-24G) in large residential AV situations where invariably, the Mikrotik is in dhcp client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.
>>>>>
>>>>> The Mikrotik, in turn, is connected to, on average, about 3 UniFi access points, and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).
>>>>>
>>>>> However, after a week or so the internet connection seems to get either very slow, or stop working altogether. If I look in the logs (with dhcp logging switched on) I can see regular NAK's getting passed from the dhcp server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address onto the Mikrotik which is effectively cut off from the internet.
>>>>>
>>>>> Since we are stuck with using Bigpond and Optus modems these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly).
>>>>>
>>>>> 1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the dhcp pool so that the Mikrotik always gets the same private IP address. However, this creates a double nat situation which means I can no longer perform reliable port forwarding for things such as DVR's and CBus controllers (which I find the Mikrotik's great for).
>>>>>
>>>>> 2) Allow the cable modem to perform all dhcp, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.
>>>>>
>>>>> Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences as I am just about ready to dump the MikroTik's and start looking at other options in the hope that they play better with the Bigpond gear.
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> Ben Jackson, eLogik
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Ben, What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?

On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple L2 switch is easy - just set 'master port' on all interfaces to the same value (except for the master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
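The steps Mike describes, written out as an added example for a CRS125-24G on RouterOS 6.x (these are not Mike's or Ben's own commands). It assumes the factory interface names (ether1 as master, not the renamed ones in Ben's export), a constructed management address of 192.168.88.2/24 behind a Telstra gateway on 192.168.88.1, and that wlan1 only exists on a CRS variant with a wireless card:

```routeros
# Added example, not from the thread. CRS125-24G as a plain L2 switch with
# ether1 as the master port, RouterOS 6.x master-port switching (pre-bridge-
# offload), factory interface names assumed.

# 1. Every other switch-chip port, sfp1 included, becomes a slave of ether1.
#    ether1 is excluded by the filter, so it keeps master-port=none.
/interface ethernet set [ find default-name!="ether1" ] master-port=ether1

# 2. Check: print any port that is neither the master nor slaved to it.
#    No output means the whole switch chip is one L2 domain.
:foreach p in=[/interface ethernet find default-name!="ether1" master-port!="ether1"] do={
    :put ("not switched: " . [/interface ethernet get $p name])
}

# 3. Management address and default route go on the master port only.
#    192.168.88.2 is a constructed placeholder; the Telstra gateway at
#    192.168.88.1 keeps doing DHCP, NAT and port forwarding in this setup.
/ip address add address=192.168.88.2/24 interface=ether1 comment="switch mgmt (constructed)"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1

# 4. Only a wireless interface cannot be switched: bridge it with the master
#    port instead, then move the management address onto the bridge.
#    Skip this on a CRS125-24G without wlan1.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=wlan1
/ip address set [ find interface=ether1 ] interface=bridge-lan
```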
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead, with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh. Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2 # software id = IU9F-WHTQ # /interface ethernet set [ find default-name=ether1 ] name=ether1-master-local set [ find default-name=ether2 ] master-port=ether1-master-local name=\ ether2-slave-local set [ find default-name=ether3 ] master-port=ether1-master-local name=\ ether3-slave-local set [ find default-name=ether4 ] master-port=ether1-master-local name=\ ether4-slave-local set [ find default-name=ether5 ] master-port=ether1-master-local name=\ ether5-slave-local set [ find default-name=ether6 ] master-port=ether1-master-local name=\ ether6-slave-local set [ find default-name=ether7 ] master-port=ether1-master-local name=\ ether7-slave-local set [ find default-name=ether8 ] master-port=ether1-master-local name=\ ether8-slave-local set [ find default-name=ether9 ] master-port=ether1-master-local name=\ ether9-slave-local set [ find default-name=ether10 ] master-port=ether1-master-local name=\ ether10-slave-local set [ find default-name=ether11 ] master-port=ether1-master-local name=\ ether11-slave-local set [ find default-name=ether12 ] master-port=ether1-master-local name=\ ether12-slave-local set [ find default-name=ether13 ] master-port=ether1-master-local name=\ ether13-slave-local set [ find default-name=ether14 ] master-port=ether1-master-local name=\ ether14-slave-local set [ find default-name=ether15 ] master-port=ether1-master-local name=\ ether15-slave-local set [ find default-name=ether16 ] master-port=ether1-master-local name=\ ether16-slave-local set [ find default-name=ether17 ] master-port=ether1-master-local name=\ ether17-slave-local set [ find default-name=ether18 ] master-port=ether1-master-local name=\ ether18-slave-local set [ find default-name=ether19 ] master-port=ether1-master-local name=\ ether19-slave-local set [ find default-name=ether20 ] master-port=ether1-master-local name=\ ether20-slave-local set [ find default-name=ether21 ] master-port=ether1-master-local name=\ ether21-slave-local set [ 
find default-name=ether22 ] master-port=ether1-master-local name=\ ether22-slave-local set [ find default-name=ether23 ] master-port=ether1-master-local name=\ ether23-slave-local set [ find default-name=ether24 ] name=ether24-gateway set [ find default-name=sfp1 ] master-port=ether1-master-local name=\ sfp1-slave-local /ip pool add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200 /ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \ lease-time=1d name=dhcp1 /ip address add address=192.168.88.1/24 comment="default configuration" interface=\ ether1-master-local network=192.168.88.0 /ip dhcp-client add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \ interface=ether24-gateway use-peer-ntp=yes /ip dhcp-server lease add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \ comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \ server=dhcp1 add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \ mac-address=00:0E:58:32:0E:1E server=dhcp1 add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \ mac-address=00:0E:58:32:0E:A0 server=dhcp1 add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \ mac-address=00:0E:58:32:0E:DA server=dhcp1 add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \ mac-address=00:0E:58:32:0E:AC server=dhcp1 add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\ "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \ server=dhcp1 add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\ 00:0E:58:24:65:B6 server=dhcp1 add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \ mac-address=00:0E:58:24:64:9E server=dhcp1 add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \ mac-address=00:0E:58:24:59:40 server=dhcp1 add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \ 
mac-address=00:0E:58:32:0F:9A server=dhcp1 add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \ mac-address=00:0E:58:32:15:AC server=dhcp1 add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\ 00:0E:58:24:6B:E8 server=dhcp1 add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \ server=dhcp1 add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\ "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1 add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\ "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1 add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\ 04:18:D6:80:B3:85 server=dhcp1 add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\ "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\ dhcp1 add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\ 04:18:D6:80:B2:F9 server=dhcp1 /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 /ip dns set allow-remote-requests=yes /ip firewall address-list add address=192.168.88.0/24 comment=\ "Support address list - full access to router allowed from this range" \ list=support add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\ d this subnet before enable it" disabled=yes list=bogons add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\ bogons add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \ need this subnet before enable it" disabled=yes list=bogons add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\ \_need this subnet before enable it" disabled=yes list=bogons add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \ list=bogons add 
address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
    yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
    list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
    yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
    yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
    dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established disabled=yes
add chain=input comment="Accept related connections" connection-state=related \
    disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
    src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
    icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
    icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
    protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
    3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi Ben,
When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011; it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem, so read up on them and do try the latest firmware images.
Jason
On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
However, since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> Hi
>
> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
>
> If in doubt beyond that, save export your config, factory reset and reimport the config.
>
> What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
>
> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
>
> Jason
>
> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> > Hi Jason,
> >
> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
> >
> > Thanks
> >
> > Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
> >
> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >> What version of RouterOS are you using and what level is the firmware at?
> >>
> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
> >> > Hi RJ,
> >> >
> >> > Yep - that's exactly what I do.
> >> >
> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
> >> >
> >> > Thanks,
> >> >
> >> > Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
> >> >
> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
> >> > > Hi Ben,
> >> > >
> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
> >> > >
> >> > > Their setups are very straight forward:
> >> > > -Bridge the cable modem (same cable modem model as you describe)
> >> > > -DHCP client on the appropriate physical mkt interface
> >> > > -masq that interface
> >> > > -firewall filter as usual
> >> > >
> >> > > Do you have anything different in your configurations?
> >> > >
> >> > > Cheers,
> >> > > RJ
> >> > >
> >> > > -----Original Message-----
> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >> > >
> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present; this usually happens if a config has been uploaded to them without MAC addresses removed.
> >> > >
> >> > > There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
> >> > >
> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
> >> > >
> >> > > Regards
> >> > > Paul
> >> > >
> >> > > -----Original Message-----
> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
> >> > > To: MikroTik Australia Public List
> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >> > >
> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
> >> > >
> >> > > I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
> >> > >
> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
> >> > >
> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
> >> > >
> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
> >> > >
> >> > > I have, unfortunately, also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
> >> > >
> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
> >> > >
> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
> >> > >
> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
> >> > >
> >> > > Thanks again,
> >> > >
> >> > > Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
> >> > >
> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
> >> > > >
> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
> >> > > >
> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
> >> > > >
> >> > > > Regards
> >> > > > Paul
> >> > > >
> >> > > > -----Original Message-----
> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
> >> > > > To: MikroTik Australia Public List
> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi Jason,

I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.

Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.

Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log. I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.

Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc in the logs.

These actions also improved my customers who run PPPoE over ADSL.

It's been a very busy week! Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.

Ben

On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
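The port-53 fix Ben describes, written out as RouterOS filter rules; this is an added example, not a configuration posted to the list. It assumes the interface names from the export above (ether1-master-local as the LAN master port, ether24-gateway as the DHCP-client WAN port), where every /ip firewall filter rule is disabled=yes, so nothing stopped WAN hosts from querying the resolver.

```routeros
# Added example, not from the list thread. Interface names follow the export
# posted above: ether1-master-local is the LAN master port, ether24-gateway is
# the DHCP-client WAN port. Rules are appended to the input chain in order.
/ip firewall filter
# Replies to the router's own upstream DNS queries arrive as established
# traffic and must be accepted before the port-53 drops below.
add chain=input action=accept connection-state=established,related \
    comment="Accept established/related"
# The resolver stays reachable for LAN clients behind the switch-chip master.
add chain=input action=accept in-interface=ether1-master-local protocol=udp \
    dst-port=53 comment="DNS from LAN - UDP"
add chain=input action=accept in-interface=ether1-master-local protocol=tcp \
    dst-port=53 comment="DNS from LAN - TCP"
# Port 53 arriving on the WAN is an outside party using the router as an open
# resolver. Drop it; log=yes is only there to confirm the hit rate, remove it
# once the counters below show the rule working so the log is not flooded.
add chain=input action=drop in-interface=ether24-gateway protocol=udp \
    dst-port=53 log=yes log-prefix="wan-dns" comment="Drop DNS from WAN - UDP"
add chain=input action=drop in-interface=ether24-gateway protocol=tcp \
    dst-port=53 log=yes log-prefix="wan-dns" comment="Drop DNS from WAN - TCP"
# allow-remote-requests=yes is still required for the LAN relay; the WAN drop
# rules above are what stop it from being reachable from the internet.
/ip dns set allow-remote-requests=yes
# Checks: the WAN drop counters should climb while the abuse is ongoing and
# the LAN accept counters should keep moving as clients resolve names.
/ip firewall filter print stats where chain=input
/log print where message~"wan-dns"
```

The same in-interface split applies to any other service left open for the LAN (Winbox on 8291, the API ports): accept it from the master port and drop it on the gateway port.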
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple L2 switch is easy - just set 'master port' on all interfaces to the same value (except for the master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh, nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi Ben,
When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
Jason
On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,

Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.

When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.

However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.

Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:

Hi

OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.

If in doubt beyond that, save export your config, factory reset and reimport the config.

What ports do you use on the 2011? Are the ports on the 1Gb side slaved to ETH1, the ports on the 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.

Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.

Jason

On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:

Hi Jason,

I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.

Thanks

Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:

What version of RouterOS are you using and what level is the firmware at?

On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:

Hi RJ,

Yep - that's exactly what I do.

I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.

Thanks,

Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:

Hi Ben,

We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.

Their setups are very straight forward:
-Bridge the cable modem (same cable modem model as you describe)
-DHCP client on the appropriate physical mkt interface
-masq that interface
-firewall filter as usual

Do you have anything different in your configurations?

Cheers,
RJ

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 28 July 2015 10:55 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.

There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.

We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 12:47 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether1) which immediately binds the public IP address to itself.

I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.

But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.

I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.

I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.

I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.

The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.

Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?

One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?

Thanks again,

Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:

Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.

However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.

Is there any chance that another device might somehow be getting a DHCP request through to the NTU the way you have it all plugged in?

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 10:53 AM
To: MikroTik Australia Public List
Subject: [MT-AU Public] Cable Modem DHCP Issues

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
OK all the problems are back. I'm still getting customers whose networks are grinding to a halt after making the changes I detailed above. As always after changing the config, everything seems to run great for a few weeks and then everything falls over in a heap again. If I run direct through the modem (any DOCSIS version) the speeds return to normal immediately.

I did find this post on the forum http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try in a controlled environment.

Someone somewhere HAS to be experiencing this same issue - it's happening with too many customers to be a coincidence. You guys have checked my config and no-one has flagged anything as being immediately wrong so I'm really at a loss.

The only other common factor here seems to be SONOS and I am talking to playback about any issues they may have seen with MikroTik (which they unofficially recommend).

Ben

Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au

On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.
Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.
Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log.
I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.
Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc in the logs.
These actions also improved my customers who run PPPoE over ADSL.
It's been a very busy week!
Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.
Ben
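Added example, not code from the thread or from MikroTik: a small Python auditor that parses a RouterOS export laid out the way the one posted above is, and checks for the exposure Ben describes here (allow-remote-requests=yes while nothing in the input chain stops port 53 arriving from the WAN, since every posted filter rule was disabled=yes). The two sample exports, the interface names and the hardened rule set are constructed for the example, and the rule walk is a deliberate simplification (no port ranges, no negated interfaces or address lists), not MikroTik's own matcher.

```python
"""Added example, not code from the thread: audit a RouterOS '/export' for
allow-remote-requests=yes while the input chain still accepts port 53 from the WAN."""
import shlex
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, Dict[str, str]]  # (section, verb, key=value params)
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}  # everything else passes through

# Constructed excerpt in the shape of the export posted in the thread (not a real site).
WEAK_EXPORT = """\
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \\
    interface=ether24-gateway use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add action=drop chain=input comment="Drop anything else!" disabled=yes
"""

# Same router with three enabled input rules: the LAN keeps its DNS relay,
# anything new arriving on the WAN port is dropped (constructed, not from the thread).
HARDENED_EXPORT = """\
/ip dhcp-client
add disabled=no interface=ether24-gateway
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input connection-state=established,related
add chain=input comment="LAN may query the DNS cache" in-interface=ether1-master-local
add action=drop chain=input comment="nothing new from the WAN" in-interface=ether24-gateway
"""

def parse_export(text: str) -> List[Entry]:
    """Join the trailing-backslash continuations RouterOS emits, then split each
    command into (section, verb, params); shlex keeps quoted values intact."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()  # continuations are indented
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append((pending + line).strip())
        pending = ""
    entries: List[Entry] = []
    section = ""
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], params))
    return entries

def wan_interfaces(entries: List[Entry]) -> Set[str]:
    """WAN side = every interface with an enabled DHCP client (the modem-facing port)."""
    return {p["interface"] for s, _v, p in entries
            if s == "/ip dhcp-client" and p.get("disabled", "no") != "yes"}

def simulate_input(entries: List[Entry], iface: str, proto: str, dport: int) -> str:
    """First-match walk of the enabled input-chain rules for one new packet;
    returns the terminal action, and 'accept' when no rule matches (RouterOS default)."""
    for section, verb, p in entries:
        if section != "/ip firewall filter" or verb != "add" or p.get("chain") != "input":
            continue
        if p.get("disabled") == "yes":
            continue
        if p.get("protocol", proto) != proto or p.get("in-interface", iface) != iface:
            continue
        ports = p.get("dst-port") or p.get("port")
        if ports is not None and str(dport) not in ports.split(","):
            continue
        states = p.get("connection-state")
        if states is not None and "new" not in states.split(","):
            continue
        action = p.get("action", "accept")
        if action in TERMINAL_ACTIONS:
            return action
    return "accept"

def findings(text: str) -> List[str]:
    """One line per WAN interface and protocol on which outsiders reach the resolver."""
    entries = parse_export(text)
    if not any(s == "/ip dns" and p.get("allow-remote-requests") == "yes" for s, _v, p in entries):
        return []
    return [f"open resolver: {proto}/53 on {wan} reaches the DNS cache from the internet"
            for wan in sorted(wan_interfaces(entries))
            for proto in ("udp", "tcp")
            if simulate_input(entries, wan, proto, 53) == "accept"]

if __name__ == "__main__":
    for label, text in (("as posted", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, findings(text) or ["no open-resolver exposure"])
```

Run it against a real export saved with /export and the same two findings tell you whether the relay is reachable from outside before the traffic graphs do.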
On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple L2 switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=established disabled=yes
add chain=input comment="Accept related connections" connection-state=related disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:

> Hi Ben,
>
> When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
>
> Jason
>
> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
>
>> Hi Jason,
>>
>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
>>
>> When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
>>
>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>
>> Ben Jackson
>> eLogik
>> m: 0404 924745
>> e: ben@elogik.net
>> w: www.elogik.com.au
>>
>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>
>>> Hi
>>>
>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
>>>
>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
>>>
>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
>>>
>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
>>>
>>> Jason
>>>
>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>
>>>> Hi Jason,
>>>>
>>>> I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
>>>>
>>>> Thanks
>>>>
>>>> Ben Jackson
>>>> eLogik
>>>> m: 0404 924745
>>>> e: ben@elogik.net
>>>> w: www.elogik.com.au
>>>>
>>>> On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>>
>>>>> What version of RouterOS are you using and what level is the firmware at?
>>>>>
>>>>> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>>>
>>>>>> Hi RJ,
>>>>>>
>>>>>> Yep - that's exactly what I do.
>>>>>>
>>>>>> I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ben Jackson
>>>>>> eLogik
>>>>>> m: 0404 924745
>>>>>> e: ben@elogik.net
>>>>>> w: www.elogik.com.au
>>>>>>
>>>>>> On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>>>>
>>>>>>> Hi Ben,
>>>>>>>
>>>>>>> We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
>>>>>>>
>>>>>>> Their setups are very straight forward:
>>>>>>> - Bridge the cable modem (same cable modem model as you describe)
>>>>>>> - DHCP client on the appropriate physical mkt interface
>>>>>>> - masq that interface
>>>>>>> - firewall filter as usual
>>>>>>>
>>>>>>> Do you have anything different in your configurations?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> RJ
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>>>>> Sent: Tuesday, 28 July 2015 10:55 AM
>>>>>>> To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>
>>>>>>> Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
>>>>>>>
>>>>>>> There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
>>>>>>>
>>>>>>> We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
>>>>>>>
>>>>>>> Regards
>>>>>>> Paul
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>>>> Sent: Tuesday, 28 July 2015 12:47 PM
>>>>>>> To: MikroTik Australia Public List
>>>>>>> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>>>>>
>>>>>>> Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
>>>>>>>
>>>>>>> I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
>>>>>>>
>>>>>>> But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
>>>>>>>
>>>>>>> I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
>>>>>>>
>>>>>>> I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
>>>>>>>
>>>>>>> I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
>>>>>>>
>>>>>>> The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
>>>>>>>
>>>>>>> Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
>>>>>>>
>>>>>>> One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
>>>>>>>
>>>>>>> Thanks again,
>>>>>>>
>>>>>>> Ben Jackson
>>>>>>> eLogik
>>>>>>> m: 0404 924745
>>>>>>> e: ben@elogik.net
>>>>>>> w: www.elogik.com.au
>>>>>>>
>>>>>>> On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>>>>>
>>>>>>>> Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
>>>>>>>>
>>>>>>>> However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
>>>>>>>>
>>>>>>>> Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Paul
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>>>>>> Sent: Tuesday, 28 July 2015 10:53 AM
>>>>>>>> To: MikroTik Australia Public List
>>>>>>>> Subject: [MT-AU Public] Cable Modem DHCP Issues
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
Can you run the modems in a PPPoE bridged mode?

On 13 August 2015 at 17:49, Ben Jackson <ben@elogik.net> wrote:
OK all the problems are back. I'm still getting customers whose networks are grinding to a halt after making the changes I detailed above. As always after changing the config, everything seems to run great for a few weeks and then everything falls over in a heap again. If I run direct through the modem (any DOCSIS version) the speeds return to normal immediately.
I did find this post on the forum http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try in a controlled environment.
Someone somewhere HAS to be experiencing this same issue - it's happening with too many customers to be a coincidence.
You guys have checked my config and no-one has flagged anything as being immediately wrong so I'm really at a loss. The only other common factor here seems to be SONOS and I am talking to playback about any issues they may have seen with MikroTik (which they unofficially recommend).
Ben
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.
Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.
Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log.
I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.
Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc in the logs.
These actions also improved my customers who run PPPoE over ADSL.
It's been a very busy week!
Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.
Ben
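The exposure Ben describes above (allow-remote-requests=yes while the WAN side can still reach port 53, in a config whose filter rules were all disabled) can be checked mechanically. This is an added example, not code from the thread or from MikroTik: a small Python audit that folds a RouterOS '/export' back into one command per line, parses the entries, and walks the enabled input rules for a new port-53 packet arriving on the DHCP-client interface. Both exports below are constructed excerpts; interface names follow the posted config.

```python
import re

# Constructed excerpt in the '/export' layout of the config posted above:
# continuation backslashes, quoted comments, and every filter rule disabled.
WEAK_EXPORT = r"""
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether24-gateway use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
"""

# Same resolver setting, but the input chain is enabled and closes port 53 on
# the DHCP-client (WAN) interface while the LAN master port keeps using it.
HARDENED_EXPORT = r"""
/ip dhcp-client
add disabled=no interface=ether24-gateway
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input connection-state=established,related
add chain=input in-interface=ether1-master-local port=53 protocol=udp
add action=drop chain=input comment="Nothing else from the carrier side" \
    in-interface=ether24-gateway
"""

# key=value tokens; values may be double-quoted (comments with spaces).
KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')

def join_continuations(text: str) -> list:
    """Fold a trailing backslash plus the indented next line into one command."""
    out, buf = [], ""
    for raw in text.splitlines():
        part = raw.lstrip() if buf else raw
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        buf += part
        if buf.strip():
            out.append(buf)
        buf = ""
    return out

def parse_export(text: str) -> dict:
    """Map each menu path ('/ip firewall filter') to its add/set entries."""
    sections, path = {}, ""
    for line in join_continuations(text):
        if line.startswith("/"):
            path = line.strip()
            sections.setdefault(path, [])
            continue
        body = re.sub(r"\[.*?\]", "", line)  # drop '[ find ... ]' selectors
        sections.setdefault(path, []).append(
            {k: v.strip('"') for k, v in KV_RE.findall(body)})
    return sections

# Matchers the walk understands; a rule using any other matcher (psd, limit,
# tcp-flags ...) is skipped, so protection is never assumed from it.
MODELLED = {"chain", "action", "protocol", "dst-port", "port", "in-interface",
            "connection-state", "src-address-list", "disabled", "comment"}

def ports_of(spec: str) -> set:
    out = set()
    for part in spec.split(","):  # '53', '25,587', '8000-8010'
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def input_verdict(rules: list, proto: str, dport: int, iface: str) -> str:
    """Action of the first enabled input rule matching a new proto/dport packet
    arriving on iface; RouterOS accepts when nothing matches."""
    for r in rules:
        if r.get("disabled") == "yes" or r.get("chain") != "input" or set(r) - MODELLED:
            continue
        spec = r.get("dst-port") or r.get("port")
        if (r.get("protocol", proto) != proto
                or (spec and dport not in ports_of(spec))
                or r.get("in-interface", iface) != iface
                or r.get("connection-state", "new") != "new"):
            continue
        lst = r.get("src-address-list", "")
        if lst and not lst.startswith("!"):
            continue  # a carrier-side source is not on an internal allow-list
        return r.get("action", "accept")
    return "accept"

def audit(text: str) -> dict:
    """Is the resolver answering the carrier side, and is the filter even on?"""
    cfg = parse_export(text)
    rules = cfg.get("/ip firewall filter", [])
    remote = any(e.get("allow-remote-requests") == "yes" for e in cfg.get("/ip dns", []))
    wans = [e["interface"] for e in cfg.get("/ip dhcp-client", [])
            if e.get("disabled", "no") == "no" and "interface" in e]
    reachable = [f"{p}/53 on {i}" for i in wans for p in ("udp", "tcp")
                 if input_verdict(rules, p, 53, i) == "accept"]
    return {"dns_allow_remote_requests": remote,
            "filter_rules_enabled": sum(r.get("disabled") != "yes" for r in rules),
            "filter_rules_total": len(rules),
            "open_resolver": remote and bool(reachable),
            "reachable": reachable}
```

Run `audit()` over a real export and a non-empty `reachable` list with `dns_allow_remote_requests` true is the condition to fix; `filter_rules_enabled` of zero means the firewall is not filtering at all.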
On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple L2 switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh. Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
> Guys,
>
> Here is a typical config from one of my clients:
>
> # jul/28/2015 17:23:06 by RouterOS 6.30.2
> # software id = IU9F-WHTQ
> #
> /interface ethernet
> set [ find default-name=ether1 ] name=ether1-master-local
> set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
> set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
> set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
> set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
> set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
> set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
> set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
> set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
> set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
> set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
> set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
> set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
> set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
> set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
> set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
> set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
> set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
> set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
> set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
> set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
> set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
> set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
> set [ find default-name=ether24 ] name=ether24-gateway
> set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
> /ip pool
> add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> /ip dhcp-server
> add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
> /ip address
> add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
> /ip dhcp-client
> add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
> /ip dhcp-server lease
> add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
> add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
> add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
> add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
> add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
> add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
> add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
> add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
> add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
> add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
> add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
> add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
> add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
> add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
> add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
> add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
> /ip dhcp-server network
> add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> /ip dns
> set allow-remote-requests=yes
> /ip firewall address-list
> add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
> add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
> add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
> add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
> add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
> add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
> add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
> add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
> /ip firewall filter
> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
> add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
> add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> add chain=output disabled=yes dst-port=1723 protocol=tcp
> add chain=input disabled=yes dst-port=1723 protocol=tcp
> add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> add chain=input comment="Accept to established connections" connection-state=established disabled=yes
> add chain=input comment="Accept related connections" connection-state=related disabled=yes
> add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
> add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
> add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
> add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
> add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
> add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
> add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
> add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> add chain=output
content="530 Login incorrect" disabled=yes dst-limit=\ > 1/1m,9,dst-address/1m protocol=tcp > add action=add-dst-to-address-list address-list=ftp_blacklist \ > address-list-timeout=3h chain=output content="530 Login incorrect" \ > disabled=yes protocol=tcp > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_blacklist > add action=add-src-to-address-list address-list=ssh_blacklist \ > address-list-timeout=1w3d chain=input connection-state=new > disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage3 > add action=add-src-to-address-list address-list=ssh_stage3 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage2 > add action=add-src-to-address-list address-list=ssh_stage2 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp src-address-list=ssh_stage1 > add action=add-src-to-address-list address-list=ssh_stage1 \ > address-list-timeout=1m chain=input connection-state=new disabled=yes \ > dst-port=22 protocol=tcp > add action=drop chain=input comment="Drop anything else! 
# DO NOT ENABLE > THIS \ > RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes > /ip firewall nat > add action=masquerade chain=srcnat out-interface=ether24-gateway > /ip firewall service-port > set ftp disabled=yes > set tftp disabled=yes > set irc disabled=yes > set h323 disabled=yes > set sip disabled=yes > set pptp disabled=yes > /ip ipsec policy > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 > /ip service > set telnet disabled=yes > set ftp disabled=yes > set www disabled=yes > set ssh disabled=yes > set api disabled=yes > set api-ssl disabled=yes > /system clock > set time-zone-autodetect=no time-zone-name=Australia/Sydney > /tool romon port > add > > > Ben Jackson > eLogik > m:0404 924745 > e: ben@elogik.net > w: www.elogik.com.au > [image: http://www.elogik.com.au] <http://www.elogik.com.au> > > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) < > jason@upandrunningtech.com.au> wrote: > >> Hi Ben, >> >> When the problem occurs again check the Routerboard for CPU use and check >> profiling to see just what is keeping the CPU busy. Don't overestimate the >> CPU in the 2011, it's not as quick as you think. The new FastPath and >> FastTrack features will be something you'll be interested in when routing >> something as fast as a cable modem so read up on them and do try the latest >> firmware images. >> >> Jason >> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote: >> >>> Hi Jason, >>> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any >>> bridge or switch config and is routing only. >>> >>> When I first started installing Mikrotiks I used to bridge all the other >>> ports, which I know uses the main CPU and not the switch chip, but my >>> thinking was that the main CPU is more powerful and the router isn't >>> exactly doing anything complex such as queues or heaps of firewall rules. 
>>>
>>> However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
>>>
>>> Ben Jackson
>>> eLogik
>>> m:0404 924745
>>> e: ben@elogik.net
>>> w: www.elogik.com.au
>>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>
>>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>
>>>> Hi
>>>>
>>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
>>>>
>>>> If in doubt beyond that, save export your config, factory reset and reimport the config.
>>>>
>>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
>>>>
>>>> Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
>>>>
>>>> Jason
>>>>
>>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
>>>>
>>>> > Hi Jason,
>>>> >
>>>> > I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Ben Jackson
>>>> > eLogik
>>>> > m:0404 924745
>>>> > e: ben@elogik.net
>>>> > w: www.elogik.com.au
>>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >
>>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
>>>> >
>>>> >> What version of RouterOS are you using and what level is the firmware at?
>>>> >>
>>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
>>>> >>
>>>> >> > Hi RJ,
>>>> >> >
>>>> >> > Yep - that's exactly what I do.
>>>> >> >
>>>> >> > I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
>>>> >> >
>>>> >> > Thanks,
>>>> >> >
>>>> >> > Ben Jackson
>>>> >> > eLogik
>>>> >> > m:0404 924745
>>>> >> > e: ben@elogik.net
>>>> >> > w: www.elogik.com.au
>>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> >
>>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
>>>> >> >
>>>> >> > > Hi Ben,
>>>> >> > >
>>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
>>>> >> > >
>>>> >> > > Their setups are very straight forward:
>>>> >> > > -Bridge the cable modem (same cable modem model as you describe)
>>>> >> > > -DHCP client on the appropriate physical mkt interface
>>>> >> > > -masq that interface
>>>> >> > > -firewall filter as usual
>>>> >> > >
>>>> >> > > Do you have anything different in your configurations?
>>>> >> > >
>>>> >> > > Cheers,
>>>> >> > > RJ
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
>>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
>>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
>>>> >> > >
>>>> >> > > There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
>>>> >> > >
>>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
>>>> >> > >
>>>> >> > > Regards
>>>> >> > > Paul
>>>> >> > >
>>>> >> > > -----Original Message-----
>>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
>>>> >> > > To: MikroTik Australia Public List
>>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > >
>>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
>>>> >> > >
>>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
>>>> >> > >
>>>> >> > > But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
>>>> >> > >
>>>> >> > > I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
>>>> >> > >
>>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
>>>> >> > >
>>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
>>>> >> > >
>>>> >> > > The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
>>>> >> > >
>>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
>>>> >> > >
>>>> >> > > One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
>>>> >> > >
>>>> >> > > Thanks again,
>>>> >> > >
>>>> >> > > Ben Jackson
>>>> >> > > eLogik
>>>> >> > > m:0404 924745
>>>> >> > > e: ben@elogik.net
>>>> >> > > w: www.elogik.com.au
>>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
>>>> >> > >
>>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
>>>> >> > >
>>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
>>>> >> > > >
>>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
>>>> >> > > >
>>>> >> > > > Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
>>>> >> > > >
>>>> >> > > > Regards
>>>> >> > > > Paul
>>>> >> > > >
>>>> >> > > > -----Original Message-----
>>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
>>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
>>>> >> > > > To: MikroTik Australia Public List
>>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
>>>> >> > > >
>>>> >> > > > Hi All,
>>>> >> > > >
>>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this one.
>>>> >> > > >
>>>> >> > > > _______________________________________________
>>>> >> > > > Public mailing list
>>>> >> > > > Public@talk.mikrotik.com.au
>>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
-- Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
--
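Paul Julian's "Reset MAC Address" suggestion and Ben's observation that renewing the DHCP client brings a site back to life (both quoted above) amount to two checks that can be scripted. The script below is an added example and not anything posted in the thread: it compares the WAN port's presented MAC with its hardware MAC, and it renews the DHCP client when the lease is no longer bound. The interface name ether24-gateway is taken from Ben's export; the script and scheduler names are my own assumptions.

```routeros
# Added example, not from the thread. Save as a script and run it from the
# scheduler, e.g.
#   /system script add name=wan-watchdog source=[...this text...]
#   /system scheduler add name=wan-watchdog interval=2m on-event=wan-watchdog
# Assumed WAN interface name (matches Ben's export):
:local wan "ether24-gateway"

# 1. MAC sanity check. Telstra/Optus cable DHCP ties the lease to the first
#    MAC the NTU sees, so a WAN port whose presented MAC no longer matches the
#    hardware MAC (typically after importing a config that still carried
#    mac-address= lines) will not get a lease until the old binding expires.
:local cur  [/interface ethernet get [find name=$wan] mac-address]
:local orig [/interface ethernet get [find name=$wan] orig-mac-address]
:if ($cur != $orig) do={
    :log warning ("wan-watchdog: " . $wan . " presents " . $cur . " but hardware MAC is " . $orig . ", resetting")
    /interface ethernet reset-mac-address [find name=$wan]
}

# 2. Lease check. Anything other than "bound" (searching..., stopped, and the
#    transient renewing.../rebinding... states) triggers a renew; an extra
#    renew during a normal renewal is harmless. Ben reports that a manual renew
#    restores service, so this automates the workaround; it does nothing about
#    the NAKs themselves and the log lines are there to time-correlate them.
:local st [/ip dhcp-client get [find interface=$wan] status]
:if ($st != "bound") do={
    :log warning ("wan-watchdog: dhcp-client on " . $wan . " is " . $st . ", renewing")
    /ip dhcp-client renew [find interface=$wan]
}
```

Watch `/log print where topics~"dhcp"` alongside the watchdog's own lines: if a NAK from the modem is followed by the watchdog renewing and the client binding again, you have the interval between drop-outs without waiting for a customer to ring.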
All the DSL modems are running in full bridged mode already with the Mikrotik doing the authentication. The cable modems are also set up in "bridged" mode which essentially means that NAT is switched off. Either way, the Mikrotik ends up with a public IP on its WAN-facing port. On 13 Aug 2015 9:51 pm, "Jason Hecker (Up & Running Tech)" < jason@upandrunningtech.com.au> wrote:
Can you run the modems in a PPPoE bridged mode?
On 13 August 2015 at 17:49, Ben Jackson <ben@elogik.net> wrote:
OK all the problems are back. I'm still getting customers whose networks are grinding to a halt after making the changes I detailed above. As always after changing the config, everything seems to run great for a few weeks and then everything falls over in a heap again. If I run direct through the modem (any DOCSIS version) the speeds return to normal immediately.
I did find this post on the forum http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try in a controlled environment.
Someone somewhere HAS to be experiencing this same issue - it's happening with too many customers to be a coincidence.
You guys have checked my config and no-one has flagged anything as being immediately wrong so I'm really at a loss. The only other common factor here seems to be SONOS and I am talking to playback about any issues they may have seen with MikroTik (which they unofficially recommend).
Ben
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.
Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.
Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log.
I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.
Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc in the logs.
These actions also improved my customers who run PPPoE over ADSL.
It's been a very busy week!
Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.
Ben
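Ben's fix above amounts to closing an open resolver: with allow-remote-requests=yes and every filter rule in the posted export disabled, the router answered recursive DNS queries from anyone who reached its public address, which is exactly what DNS amplification abuse looks for. The rules below are an added example, not Ben's final rule set: they keep the router as a DNS relay for the LAN while refusing port 53, and everything else unsolicited, from the cable side. Interface names are taken from his export (ether24-gateway as WAN, ether1-master-local as LAN master port) and are assumptions for any other box.

```routeros
# Added example (not the thread's own config). Assumes ether24-gateway is the
# WAN port and ether1-master-local the LAN master port, as in Ben's export.
# That export shows every existing filter rule disabled, so appending is safe;
# on a box with live rules these must sit above any rule that accepts port 53.

# The relay itself stays on for the LAN; the firewall decides who may use it.
/ip dns set allow-remote-requests=yes

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Replies to the router's own DHCP client on the WAN port. The stock RouterOS
# firewall drops all WAN input and the client still binds, so this explicit
# accept is belt and braces rather than a requirement.
add chain=input in-interface=ether24-gateway protocol=udp src-port=67 dst-port=68 action=accept comment="dhcp-client replies"
# LAN hosts may use the router for DNS and management.
add chain=input in-interface=ether1-master-local action=accept comment="LAN to router"
# Queries arriving on the public side are not ours to answer: drop them so the
# box cannot be used as a reflector. Drop rather than reject keeps it quiet.
add chain=input in-interface=ether24-gateway protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=ether24-gateway protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
# Everything else aimed at the router itself from the WAN is dropped too.
add chain=input in-interface=ether24-gateway action=drop comment="drop other WAN input"
```

To confirm it took, run `dig @<wan address> www.example.com` from a host outside the LAN: it should time out rather than answer. On the router, `/ip firewall filter print stats` shows the "no DNS from WAN" counters still climbing if abusers are probing the old open resolver, which is also a useful sign of how much unwanted traffic the WAN port was carrying before.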
On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether1 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
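Mike's three steps written out as an added example (these are not his commands): a loop makes every port except ether1 a slave of ether1 on a CRS125-24G, the address goes on the master port, and wlan, which the switch chip cannot carry, is bridged with the master. The bridge name, wlan1 and the 192.168.88.1/24 address are assumptions for illustration.

```routeros
# Added example, not from Mike's post. RouterOS 6.x master-port layout for a
# CRS125-24G used as a plain switch: every copper port and sfp1 is switched to
# ether1 in hardware, so the CPU only sees traffic addressed to the router.
:foreach p in=[/interface ethernet find where default-name!="ether1"] do={
    /interface ethernet set $p master-port=ether1
}
# ether1 itself must keep master-port=none; it is the one interface that
# carries the address and any firewall rules.
/interface ethernet set [find default-name=ether1] master-port=none

# Without a wlan the address goes straight on the master port (assumed value):
#   /ip address add address=192.168.88.1/24 interface=ether1
# With a wlan, bridge the master port and the wlan, and put the address on the
# bridge so wired and wireless clients share one subnet.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=wlan1
/ip address add address=192.168.88.1/24 interface=bridge-lan
```

`/interface ethernet print` afterwards should list master-port=ether1 on every port but ether1. If a port still shows none, it was not on the same switch chip and will be handled by the CPU instead.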
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Wednesday, 29 July 2015 7:27 PM To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
> Nothing sticks out as overtly wrong.
>
> If you are still up brown creek try simplifying the config by:
>
> * Using the simple firewall here:
>   http://wiki.mikrotik.com/wiki/Securing_your_router
> * Use basic NAT (no change);
> * Use the DHCP client (no change);
> * Use DHCP server without any reservations;
> * Slave and bridge the switch ports appropriately (no change);
> * Latest software and Routerboard firmware
>   (System->Routerboard->Upgrade if different versions in place).
>
> Are you any wiser today? Are there any red highlighted (invalid)
> settings in Winbox?
>
> Jason
>
> On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
>
> > Guys,
> >
> > Here is a typical config from one of my clients:
> >
> > # jul/28/2015 17:23:06 by RouterOS 6.30.2
> > # software id = IU9F-WHTQ
> > #
> > /interface ethernet
> > set [ find default-name=ether1 ] name=ether1-master-local
> > set [ find default-name=ether2 ] master-port=ether1-master-local name=\
> >     ether2-slave-local
> > set [ find default-name=ether3 ] master-port=ether1-master-local name=\
> >     ether3-slave-local
> > set [ find default-name=ether4 ] master-port=ether1-master-local name=\
> >     ether4-slave-local
> > set [ find default-name=ether5 ] master-port=ether1-master-local name=\
> >     ether5-slave-local
> > set [ find default-name=ether6 ] master-port=ether1-master-local name=\
> >     ether6-slave-local
> > set [ find default-name=ether7 ] master-port=ether1-master-local name=\
> >     ether7-slave-local
> > set [ find default-name=ether8 ] master-port=ether1-master-local name=\
> >     ether8-slave-local
> > set [ find default-name=ether9 ] master-port=ether1-master-local name=\
> >     ether9-slave-local
> > set [ find default-name=ether10 ] master-port=ether1-master-local name=\
> >     ether10-slave-local
> > set [ find default-name=ether11 ] master-port=ether1-master-local name=\
> >     ether11-slave-local
> > set [ find default-name=ether12 ] master-port=ether1-master-local name=\
> >     ether12-slave-local
> > set [ find default-name=ether13 ] master-port=ether1-master-local name=\
> >     ether13-slave-local
> > set [ find default-name=ether14 ] master-port=ether1-master-local name=\
> >     ether14-slave-local
> > set [ find default-name=ether15 ] master-port=ether1-master-local name=\
> >     ether15-slave-local
> > set [ find default-name=ether16 ] master-port=ether1-master-local name=\
> >     ether16-slave-local
> > set [ find default-name=ether17 ] master-port=ether1-master-local name=\
> >     ether17-slave-local
> > set [ find default-name=ether18 ] master-port=ether1-master-local name=\
> >     ether18-slave-local
> > set [ find default-name=ether19 ] master-port=ether1-master-local name=\
> >     ether19-slave-local
> > set [ find default-name=ether20 ] master-port=ether1-master-local name=\
> >     ether20-slave-local
> > set [ find default-name=ether21 ] master-port=ether1-master-local name=\
> >     ether21-slave-local
> > set [ find default-name=ether22 ] master-port=ether1-master-local name=\
> >     ether22-slave-local
> > set [ find default-name=ether23 ] master-port=ether1-master-local name=\
> >     ether23-slave-local
> > set [ find default-name=ether24 ] name=ether24-gateway
> > set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
> >     sfp1-slave-local
> > /ip pool
> > add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
> > /ip dhcp-server
> > add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local \
> >     lease-time=1d name=dhcp1
> > /ip address
> > add address=192.168.88.1/24 comment="default configuration" interface=\
> >     ether1-master-local network=192.168.88.0
> > /ip dhcp-client
> > add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
> >     interface=ether24-gateway use-peer-ntp=yes
> > /ip dhcp-server lease
> > add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c \
> >     comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C \
> >     server=dhcp1
> > add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e \
> >     mac-address=00:0E:58:32:0E:1E server=dhcp1
> > add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 \
> >     mac-address=00:0E:58:32:0E:A0 server=dhcp1
> > add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da \
> >     mac-address=00:0E:58:32:0E:DA server=dhcp1
> > add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac \
> >     mac-address=00:0E:58:32:0E:AC server=dhcp1
> > add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment=\
> >     "Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 \
> >     server=dhcp1
> > add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=\
> >     00:0E:58:24:65:B6 server=dhcp1
> > add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e \
> >     mac-address=00:0E:58:24:64:9E server=dhcp1
> > add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 \
> >     mac-address=00:0E:58:24:59:40 server=dhcp1
> > add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a \
> >     mac-address=00:0E:58:32:0F:9A server=dhcp1
> > add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac \
> >     mac-address=00:0E:58:32:15:AC server=dhcp1
> > add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=\
> >     00:0E:58:24:6B:E8 server=dhcp1
> > add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 \
> >     server=dhcp1
> > add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment=\
> >     "Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
> > add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment=\
> >     "UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
> > add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=\
> >     04:18:D6:80:B3:85 server=dhcp1
> > add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment=\
> >     "Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=\
> >     dhcp1
> > add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=\
> >     04:18:D6:80:B2:F9 server=dhcp1
> > /ip dhcp-server network
> > add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
> > /ip dns
> > set allow-remote-requests=yes
> > /ip firewall address-list
> > add address=192.168.88.0/24 comment=\
> >     "Support address list - full access to router allowed from this range" \
> >     list=support
> > add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
> > add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
> >     d this subnet before enable it" disabled=yes list=bogons
> > add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
> > add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
> >     bogons
> > add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
> >     need this subnet before enable it" disabled=yes list=bogons
> > add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
> >     \_need this subnet before enable it" disabled=yes list=bogons
> > add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
> >     list=bogons
> > add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
> >     yes list=bogons
> > add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
> > add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
> >     list=bogons
> > add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
> >     list=bogons
> > add address=224.0.0.0/4 comment=\
> >     "MC, Class D, IANA # Check if you need this subnet before enable it" \
> >     disabled=yes list=bogons
> > /ip firewall filter
> > add action=add-src-to-address-list address-list=Syn_Flooder \
> >     address-list-timeout=30m chain=input comment=\
> >     "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
> >     protocol=tcp tcp-flags=syn
> > add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
> >     src-address-list=Syn_Flooder
> > add action=add-src-to-address-list address-list=Port_Scanner \
> >     address-list-timeout=1w chain=input comment="Port Scanner Detect" \
> >     disabled=yes protocol=tcp psd=21,3s,3,1
> > add action=drop chain=input comment="Drop to port scan list" disabled=yes \
> >     src-address-list=Port_Scanner
> > add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
> >     jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="Block all access to the winbox - except t\
> >     o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
> >     PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
> >     src-address-list=!support
> > add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
> >     yes jump-target=ICMP protocol=icmp
> > add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes \
> >     dst-address-list=bogons
> > add action=add-src-to-address-list address-list=spammers \
> >     address-list-timeout=3h chain=forward comment=\
> >     "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
> >     yes dst-port=25,587 limit=30/1m,0 protocol=tcp
> > add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
> >     dst-port=25,587 protocol=tcp src-address-list=spammers
> > add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
> > add chain=output disabled=yes dst-port=1723 protocol=tcp
> > add chain=input disabled=yes dst-port=1723 protocol=tcp
> > add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
> > add chain=input comment="Accept to established connections" connection-state=\
> >     established disabled=yes
> > add chain=input comment="Accept related connections" connection-state=related \
> >     disabled=yes
> > add chain=input comment="Allow SUPPORT address list full access" disabled=yes \
> >     src-address-list=support
> > add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes \
> >     icmp-options=8:0 limit=1,5 protocol=icmp
> > add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=\
> >     icmp
> > add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 \
> >     protocol=icmp
> > add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=\
> >     3:0-1 protocol=icmp
> > add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
> > add action=drop chain=input comment="Drop invalid connections" \
> >     connection-state=invalid disabled=yes
> > add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
> >     protocol=icmp
> > add action=jump chain=output comment="Jump for icmp output" disabled=yes \
> >     jump-target=ICMP protocol=icmp
> > add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
> >     dst-port=21 protocol=tcp src-address-list=ftp_blacklist
> > add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
> >     1/1m,9,dst-address/1m protocol=tcp
> > add action=add-dst-to-address-list address-list=ftp_blacklist \
> >     address-list-timeout=3h chain=output content="530 Login incorrect" \
> >     disabled=yes protocol=tcp
> > add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
> >     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> > add action=add-src-to-address-list address-list=ssh_blacklist \
> >     address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
> >     dst-port=22 protocol=tcp src-address-list=ssh_stage3
> > add action=add-src-to-address-list address-list=ssh_stage3 \
> >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
> >     dst-port=22 protocol=tcp src-address-list=ssh_stage2
> > add action=add-src-to-address-list address-list=ssh_stage2 \
> >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
> >     dst-port=22 protocol=tcp src-address-list=ssh_stage1
> > add action=add-src-to-address-list address-list=ssh_stage1 \
> >     address-list-timeout=1m chain=input connection-state=new disabled=yes \
> >     dst-port=22 protocol=tcp
> > add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
> >     RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
> > /ip firewall nat
> > add action=masquerade chain=srcnat out-interface=ether24-gateway
> > /ip firewall service-port
> > set ftp disabled=yes
> > set tftp disabled=yes
> > set irc disabled=yes
> > set h323 disabled=yes
> > set sip disabled=yes
> > set pptp disabled=yes
> > /ip ipsec policy
> > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
> > /ip service
> > set telnet disabled=yes
> > set ftp disabled=yes
> > set www disabled=yes
> > set ssh disabled=yes
> > set api disabled=yes
> > set api-ssl disabled=yes
> > /system clock
> > set time-zone-autodetect=no time-zone-name=Australia/Sydney
> > /tool romon port
> > add
> >
> > Ben Jackson
> > eLogik
> > m:0404 924745
> > e: ben@elogik.net
> > w: www.elogik.com.au
> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >
> > On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >
> >> Hi Ben,
> >>
> >> When the problem occurs again check the Routerboard for CPU use and check
> >> profiling to see just what is keeping the CPU busy. Don't overestimate the
> >> CPU in the 2011, it's not as quick as you think. The new FastPath and
> >> FastTrack features will be something you'll be interested in when routing
> >> something as fast as a cable modem so read up on them and do try the latest
> >> firmware images.
> >>
> >> Jason
> >>
> >> On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
> >>
> >>> Hi Jason,
> >>>
> >>> Yes - when I am using the RB2011's the gateway (WAN) port is not in any
> >>> bridge or switch config and is routing only.
> >>>
> >>> When I first started installing Mikrotiks I used to bridge all the other
> >>> ports, which I know uses the main CPU and not the switch chip, but my
> >>> thinking was that the main CPU is more powerful and the router isn't
> >>> exactly doing anything complex such as queues or heaps of firewall rules.
> >>>
> >>> However since then I have started using the master - slave switch chip
> >>> function, especially on the 24 port CRS. On the RB2011's I slave all the
> >>> gigabit ports to ether2 and slave all the 10/100 ports to ether6, then
> >>> bridge the two, with ether1 as the WAN port. On the CRS I slave all the
> >>> ports apart from ether24 to ether1. I then use ether24 as the WAN port.
> >>>
> >>> Ben Jackson
> >>> eLogik
> >>> m:0404 924745
> >>> e: ben@elogik.net
> >>> w: www.elogik.com.au
> >>> [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >>>
> >>> On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> OK, the current changelog on Mikrotik only goes back to 6.27 and the
> >>>> current is at 6.30 so I can't even see if some related bug has been fixed
> >>>> since 6.20. I'd suggest updating the software, reboot, update the
> >>>> firmware, reboot and see if that helps.
> >>>>
> >>>> If in doubt beyond that, save export your config, factory reset and
> >>>> reimport the config.
> >>>>
> >>>> What ports do you use on the 2011? Are the ports on 1Gb side slaved to
> >>>> ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged?
> >>>> Which port is connected to the modem? It should be on its own, not slaved
> >>>> or bridged.
> >>>>
> >>>> Since 6.20 there have been some packet engine speedups that operate at the
> >>>> bridge level and some interfaces (not PPPoE unfortunately). You will
> >>>> definitely benefit using the new speedup options with NAT on a DHCP based
> >>>> modem.
> >>>>
> >>>> Jason
> >>>>
> >>>> On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
> >>>>
> >>>> > Hi Jason,
> >>>> >
> >>>> > I have customers on a few different ROS versions, normally nothing earlier
> >>>> > than 6.18 - and I always make sure the firmware is at a matching level. I
> >>>> > think the majority right now are at 6.20.
> >>>> >
> >>>> > Thanks
> >>>> >
> >>>> > Ben Jackson
> >>>> > eLogik
> >>>> > m:0404 924745
> >>>> > e: ben@elogik.net
> >>>> > w: www.elogik.com.au
> >>>> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >>>> >
> >>>> > On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
> >>>> >
> >>>> >> What version of RouterOS are you using and what level is the firmware at?
> >>>> >>
> >>>> >> On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
> >>>> >>
> >>>> >> > Hi RJ,
> >>>> >> >
> >>>> >> > Yep - that's exactly what I do.
> >>>> >> >
> >>>> >> > I know it's not congestion because when I reboot the mikrotik or simply
> >>>> >> > renew the dhcp client address on the gateway port the whole system
> >>>> >> > springs back to life.
> >>>> >> >
> >>>> >> > Thanks,
> >>>> >> >
> >>>> >> > Ben Jackson
> >>>> >> > eLogik
> >>>> >> > m:0404 924745
> >>>> >> > e: ben@elogik.net
> >>>> >> > w: www.elogik.com.au
> >>>> >> > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >>>> >> >
> >>>> >> > On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
> >>>> >> >
> >>>> >> > > Hi Ben,
> >>>> >> > >
> >>>> >> > > We have a few staff with bigpond cable and mikrotiks who don't exhibit
> >>>> >> > > this behaviour.
> >>>> >> > >
> >>>> >> > > Their setups are very straight forward:
> >>>> >> > > - Bridge the cable modem (same cable modem model as you describe)
> >>>> >> > > - DHCP client on the appropriate physical mkt interface
> >>>> >> > > - masq that interface
> >>>> >> > > - firewall filter as usual
> >>>> >> > >
> >>>> >> > > Do you have anything different in your configurations?
> >>>> >> > >
> >>>> >> > > Cheers,
> >>>> >> > > RJ
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of
> >>>> >> > > Paul Julian
> >>>> >> > > Sent: Tuesday, 28 July 2015 10:55 AM
> >>>> >> > > To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Hi Ben, I have seen Mikrotiks change their MAC address, or at least the
> >>>> >> > > one they present, this usually happens if a config has been uploaded to
> >>>> >> > > them without MAC addresses removed.
> >>>> >> > >
> >>>> >> > > There is an option in the interface settings called "Reset MAC Address",
> >>>> >> > > try clicking this on the interface you have plugged into the NTU, it will
> >>>> >> > > reset the MAC address back to or force it to be the actual physical MAC
> >>>> >> > > just in case anything has changed.
> >>>> >> > >
> >>>> >> > > We use bridge mode in modems and NTU's with Mikrotiks in hundreds of
> >>>> >> > > locations for ADSL and Ethernet services and never have one issue.
> >>>> >> > >
> >>>> >> > > Regards
> >>>> >> > > Paul
> >>>> >> > >
> >>>> >> > > -----Original Message-----
> >>>> >> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of
> >>>> >> > > Ben Jackson
> >>>> >> > > Sent: Tuesday, 28 July 2015 12:47 PM
> >>>> >> > > To: MikroTik Australia Public List
> >>>> >> > > Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > >
> >>>> >> > > Thanks for the reply Paul. Yes I agree with you 100%, there should be
> >>>> >> > > almost nothing to go wrong in this type of set-up. The NTU is definitely
> >>>> >> > > in bridge mode - as evidenced by the radio button saying "Bridge Mode" on
> >>>> >> > > the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or
> >>>> >> > > sometimes ether 1) which immediately binds the public IP address to
> >>>> >> > > itself.
> >>>> >> > >
> >>>> >> > > I understand about the MAC based DHCP which the ISP's use, I have had
> >>>> >> > > issues in the past (no longer seems to be an issue) where I have had to
> >>>> >> > > spoof the MAC address of the NTU to get a DHCP address. I have also
> >>>> >> > > noticed if my MBP is the first device to connect to the NTU while in
> >>>> >> > > bridge mode, sometimes I need to power cycle the device to "deregister"
> >>>> >> > > the MAC address of the MBP. I am able to get a binding on the MikroTik
> >>>> >> > > after this process is complete.
> >>>> >> > >
> >>>> >> > > But, in this instance this is not the problem unless somehow the MAC
> >>>> >> > > address of the MikroTik ether port is changing - is this possible? I
> >>>> >> > > must admit, my progress on this is somewhat hampered by not having a
> >>>> >> > > cable setup to test on at home - I run ADSL.
> >>>> >> > >
> >>>> >> > > I'm pretty sure that nothing else on the network would be able to bind
> >>>> >> > > its MAC address to the public IP before the MikroTik has had a chance
> >>>> >> > > to - although I must admit I hadn't thought of that so I'll check it out
> >>>> >> > > in more detail.
> >>>> >> > >
> >>>> >> > > I am also inclined to agree with you that this is not solely a Mikrotik
> >>>> >> > > issue. It seems to me that it is the magic (or not so magic) combination
> >>>> >> > > of the ISP's hardware and the MikroTik that seems to cause the problem. I
> >>>> >> > > have tried other brands of router which do not seem to exhibit the
> >>>> >> > > issue, however these devices do not have the great feature set of the
> >>>> >> > > MikroTik and are often not rack-mountable. Trotting out the "It's not a
> >>>> >> > > Mikrotik issue" line is starting to wear very thin with both my customers
> >>>> >> > > and colleagues. Although my gut feeling is that it isn't - I need proof
> >>>> >> > > and I don't know where to start. This is happening far too often for it
> >>>> >> > > to be a coincidence or a faulty device.
> >>>> >> > >
> >>>> >> > > I have, unfortunately also seen very strange behaviour over ADSL / pppoe
> >>>> >> > > connections in bridge mode too, I sent an email about this some time ago
> >>>> >> > > and it still plagues me from time to time.
> >>>> >> > >
> >>>> >> > > The type of installations I am doing are not your typical home setups
> >>>> >> > > and customers are paying a lot of money for a supposedly
> >>>> >> > > "commercial-grade" solution which is only adding to my stresses.
> >>>> >> > >
> >>>> >> > > Do any of you guys out there use a MikroTik as your home router - how do
> >>>> >> > > you set it up? Have you seen issues like this?
> >>>> >> > >
> >>>> >> > > One thing I have noticed is that the issue seems to be much more
> >>>> >> > > prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No
> >>>> >> > > idea why. Any cable experts out there?
> >>>> >> > >
> >>>> >> > > Thanks again,
> >>>> >> > >
> >>>> >> > > Ben Jackson
> >>>> >> > > eLogik
> >>>> >> > > m:0404 924745
> >>>> >> > > e: ben@elogik.net
> >>>> >> > > w: www.elogik.com.au
> >>>> >> > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >>>> >> > >
> >>>> >> > > On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
> >>>> >> > >
> >>>> >> > > > Hey Ben, the only thing I can think of is that Telstra and Optus Cable
> >>>> >> > > > networks use MAC based DHCP, they bind the IP to the MAC of the NTU or
> >>>> >> > > > in the case of bridge mode the first client that makes a request, and
> >>>> >> > > > often you have trouble with these things because of this, I don't
> >>>> >> > > > really think it's a Mikrotik thing.
> >>>> >> > > >
> >>>> >> > > > However, as long as the Mikrotik is maintaining the same MAC on the
> >>>> >> > > > interface plugged into the NTU and the NTU is truly in bridge mode and
> >>>> >> > > > the Mikrotik is the only thing plugged into the NTU I can't see why
> >>>> >> > > > it would be having issues.
> >>>> >> > > >
> >>>> >> > > > Is there any chance that another device might somehow be getting a
> >>>> >> > > > DHCP request through to the NTU somehow the way you have it all plugged
> >>>> >> > > > in?
> >>>> >> > > >
> >>>> >> > > > Regards
> >>>> >> > > > Paul
> >>>> >> > > >
> >>>> >> > > > -----Original Message-----
> >>>> >> > > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of
> >>>> >> > > > Ben Jackson
> >>>> >> > > > Sent: Tuesday, 28 July 2015 10:53 AM
> >>>> >> > > > To: MikroTik Australia Public List
> >>>> >> > > > Subject: [MT-AU Public] Cable Modem DHCP Issues
> >>>> >> > > >
> >>>> >> > > > Hi All,
> >>>> >> > > >
> >>>> >> > > > I'm hoping someone can help me as I'm at my wit's end with this one.
> >>>> >> > > >
> >>>> >> > > > We use Mikrotik gear (Mainly RB2011's and more recently, the
> >>>> >> > > > CRS125-24G) in large residential AV situations where invariably, the
> >>>> >> > > > Mikrotik is in dhcp client mode, in a cable internet scenario where
> >>>> >> > > > Telstra's / Optus's modem has been placed into "bridge" mode (NAT
> >>>> >> > > > switched off) and the carrier-supplied WAN IP address gets bound to the
> >>>> >> > > > gateway interface of the Mikrotik.
> >>>> >> > > >
> >>>> >> > > > The Mikrotik, in turn is connected to, on average, about 3 UniFi
> >>>> >> > > > access points, and at least 3-4 zones of Sonos. On initial set up,
> >>>> >> > > > everything seems to work great, with the full bandwidth of the cable
> >>>> >> > > > modem getting passed on to the rest of the network, even when 802.11
> >>>> >> > > > clients are connected (a testament to the UniFi's in my opinion - I
> >>>> >> > > > only use dual band Pro AP's).
> >>>> >> > > >
> >>>> >> > > > However, after a week or so the internet connection seems to get
> >>>> >> > > > either very slow, or stop working altogether. If I look in the logs
> >>>> >> > > > (with dhcp logging switched on) I can see regular NAK's getting passed
> >>>> >> > > > from the dhcp server on the cable modem. The problem is I don't really
> >>>> >> > > > understand how DHCP works on cable modems. I'm assuming every so often
> >>>> >> > > > the cable modem gets a new IP address from the carrier (normally after
> >>>> >> > > > a reset) and at this point the modem is not passing this new address
> >>>> >> > > > onto the Mikrotik which is effectively cut off from the internet.
> >>>> >> > > > Since we are stuck with using Bigpond and Optus modems these are the
> >>>> >> > > > only solutions I have discovered which seem to stop the issue from
> >>>> >> > > > occurring (at least as regularly).
> >>>> >> > > >
> >>>> >> > > > 1) Leave the cable modem in "router" mode and switch off all
> >>>> >> > > > extraneous services such as Wi-Fi, and also put one IP address in the
> >>>> >> > > > dhcp pool so that the Mikrotik always gets the same private IP
> >>>> >> > > > address. However, this creates a double nat situation which means I
> >>>> >> > > > can no longer perform reliable port forwarding for things such as
> >>>> >> > > > DVR's and CBus controllers (which I find the Mikrotik's great for).
> >>>> >> > > >
> >>>> >> > > > 2) Allow the cable modem to perform all dhcp, routing, port forwarding
> >>>> >> > > > (which is a joke on these devices) and firewall tasks for the entire
> >>>> >> > > > LAN and turn the CRS into an unmanaged L2 switch. The main problem
> >>>> >> > > > here is that these Bigpond devices simply do not have the grunt to
> >>>> >> > > > deal with large networks with lots of AV streaming and control
> >>>> >> > > > happening.
> >>>> >> > > >
> >>>> >> > > > Since both of the above have severe drawbacks in terms of
> >>>> >> > > > functionality, I wonder if anyone has had similar experiences as I am
> >>>> >> > > > just about ready to dump the MikroTik's and start looking at other
> >>>> >> > > > options in the hope that they play better with the Bigpond gear.
> >>>> >> > > >
> >>>> >> > > > Thanks in advance,
> >>>> >> > > >
> >>>> >> > > > Ben Jackson
> >>>> >> > > > eLogik
> >>>> >> > > > m:0404 924745
> >>>> >> > > > e: ben@elogik.net
> >>>> >> > > > w: www.elogik.com.au
> >>>> >> > > > [image: http://www.elogik.com.au] <http://www.elogik.com.au>
> >>>> >> > > > _______________________________________________
> >>>> >> > > > Public mailing list
> >>>> >> > > > Public@talk.mikrotik.com.au
> >>>> >> > > > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Ben Jackson
eLogik
m:0404 924745
e: ben@elogik.net
w: www.elogik.com.au
[image: http://www.elogik.com.au] <http://www.elogik.com.au>
--
I did have one case where I reinstated the cable modem as the main router and made the mikrotik CRS into an unmanaged switch. There have been no reported problems since then.

I really feel this is somehow to do with the DHCP client/server interaction between the two devices. I have even tried running the modem non-bridged so that there is a dual NAT situation which gives me a very similar result.

Maybe the Cable modems are expecting a certain field to be present in the DHCP challenge/response packet and the mikrotik is not providing this information? Something like that anyway?

On 14 Aug 2015 7:01 am, "Ben Jackson" <ben@elogik.net> wrote:
All the DSL modems are running in full bridged mode already with the Mikrotik doing the authentication. The cable modems are also set up in "bridged" mode which essentially means that NAT is switched off. Either way, the Mikrotik ends up with a public IP on its WAN-facing port.

On 13 Aug 2015 9:51 pm, "Jason Hecker (Up & Running Tech)" <jason@upandrunningtech.com.au> wrote:
Can you run the modems in a PPPoE bridged mode?
On 13 August 2015 at 17:49, Ben Jackson <ben@elogik.net> wrote:
OK all the problems are back. I'm still getting customers whose networks are grinding to a halt after making the changes I detailed above. As always after changing the config, everything seems to run great for a few weeks and then everything falls over in a heap again. If I run direct through the modem (any DOCSIS version) the speeds return to normal immediately.
I did find this post on the forum http://forum.mikrotik.com/viewtopic.php?t=95441 which I've yet to try in a controlled environment.
Someone somewhere HAS to be experiencing this same issue - it's happening with too many customers to be a coincidence.
You guys have checked my config and no-one has flagged anything as being immediately wrong so I'm really at a loss. The only other common factor here seems to be SONOS and I am talking to playback about any issues they may have seen with MikroTik (which they unofficially recommend).
Ben
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Sat, Aug 8, 2015 at 7:43 AM, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I think so. I was waiting for a week or so to make absolutely certain. It seems there were a few issues at play here.
Essentially I think many of my customers were subject to a DNS escalation attack (as pointed out by Mike Everest) so I specifically blocked udp and tcp port 53. This was because I had "Allow remote requests" enabled in the DNS config. This was intentional as I wanted to use my router as a DNS relay for my internal LAN but I was unaware of the fact that these ports were open to the WAN also.
Also I trimmed down my firewall rules to the ones you suggested and then started to build them up again based on what I wanted to allow through and by looking at drops in the log.
I also enabled the helpers you suggested in firewall/service ports, and I also updated all my customers to the latest version.
Although this helped, I still think there are a lot of bugs with the newest DOCSIS 3.0 modems, especially when running in bridge mode. I am seeing random disconnects etc. in the logs.
These actions also improved my customers who run PPPoE over ADSL.
It's been a very busy week!
Thank you to everyone for your input. I hope this helps someone else who may be experiencing these problems.
Ben
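The exposure Ben describes above (a router answering DNS for anyone on the WAN because allow-remote-requests is on and no input filter is enabled) and one way to close it while keeping the LAN relay, as an added example that is not part of the original thread. Interface names ether24-gateway (WAN) and ether1-master-local (LAN master port) are taken from the config Ben posted; nothing else is assumed.

```routeros
# Added example, not from the thread. Weak state first, hardened state after.
# WAN = ether24-gateway, LAN master port = ether1-master-local (names from Ben's config).

# --- Weak state: the resolver answers any source, and every input rule is disabled ---
/ip dns set allow-remote-requests=yes
# (every /ip firewall filter rule carries disabled=yes, so nothing stops WAN queries on 53/udp and 53/tcp)

# --- Hardened state: keep the relay for the LAN, refuse DNS that arrives on the WAN port ---
/ip dns set allow-remote-requests=yes
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface=ether1-master-local protocol=udp dst-port=53 comment="LAN DNS relay - UDP"
add chain=input action=accept in-interface=ether1-master-local protocol=tcp dst-port=53 comment="LAN DNS relay - TCP"
add chain=input action=drop in-interface=ether24-gateway protocol=udp dst-port=53 comment="no DNS from WAN - UDP"
add chain=input action=drop in-interface=ether24-gateway protocol=tcp dst-port=53 comment="no DNS from WAN - TCP"
# Rules are evaluated top to bottom, so these must sit above any catch-all accept.
# /ip firewall filter print stats shows the packet counters; the two WAN drop rules
# climbing while the LAN accept rules stay steady is the sign the resolver was being hit from outside.
```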
On Friday, August 7, 2015, Jason Hecker (Up & Running Tech) < jason@upandrunningtech.com.au> wrote:
Ben,
What happened in the end? Did you get to the bottom of the DOCSIS modem slowdowns?
On 29 July 2015 at 20:36, Ben Jackson <ben@elogik.net> wrote:
Thanks Mike - that's basically what I was attempting. I'll try it again. I've been a bit stressed recently and am finding even simple tasks a bit hard :)
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au [image: http://www.elogik.com.au] <http://www.elogik.com.au>
On Wed, Jul 29, 2015 at 7:38 PM, Mike Everest <mike@duxtel.com> wrote:
Hi Ben,
Config of CRS as a simple switch is easy - just set 'master port' on all interfaces to the same value (except for master port itself ;)
For example, set master-port=ether01 for all interfaces (including sfp) except for ether1 itself (leave it as master-port=none)
Then just add ip address firewall filters etc on the master port.
Only wlan can't be switched - in that case, you need to make a bridge then add wlan and the master-port as bridge ports.
Hope it makes sense! :-)
Cheers, Mike
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Wednesday, 29 July 2015 7:27 PM
To: Jason Hecker <jason@upandrunningtech.com.au>; MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the input Jason, I'll see if that makes a difference.
Today, after a lot of complaints from a customer, I had to pull out a Mikrotik CRS125-24G from a customer site and put in a 24 port TP-Link switch instead with the Telstra DOCSIS gateway set up to do all the heavy lifting including DHCP reservations and port forwarding. Ugh Nasty.
It seems fine so far but TBH so did the Mikrotik for about a week. I'm convinced this is to do with the new v3.0 modems Telstra are pushing not behaving themselves in bridge mode. There are a few models out there but the Netgear CG3100D seems to be the most prevalent. Telstra market this as the Gateway "Max". Perhaps because the maximum is easily reached with these devices? :)
I have raised support tickets with both MikroTik and Duxtel. Let's see how we go. Until then I'm going to try using the Ubiquiti Edge Routers with a UniFi 48v PoE+ switch.
Just as an aside does anyone have experience setting the CRS devices up as a dumb, unmanaged switch? I thought it would be fairly straightforward but I had a go today and found myself struggling a little.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Wed, Jul 29, 2015 at 2:29 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Nothing sticks out as overtly wrong.
If you are still up brown creek try simplifying the config by:
* Using the simple firewall here: http://wiki.mikrotik.com/wiki/Securing_your_router
* Use basic NAT (no change);
* Use the DHCP client (no change);
* Use DHCP server without any reservations;
* Slave and bridge the switch ports appropriately (no change);
* Latest software and Routerboard firmware (System->Routerboard->Upgrade if different versions in place).
Are you any wiser today? Are there any red highlighted (invalid) settings in Winbox?
Jason
On 28 July 2015 at 18:34, Ben Jackson <ben@elogik.net> wrote:
Guys,
Here is a typical config from one of my clients:
# jul/28/2015 17:23:06 by RouterOS 6.30.2
# software id = IU9F-WHTQ
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-gateway
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
/ip pool
add name=dhcp_pool1 ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master-local lease-time=1d name=dhcp1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24-gateway use-peer-ntp=yes
/ip dhcp-server lease
add address=192.168.88.100 always-broadcast=yes client-id=1:0:e:58:32:e:c comment="Sonos - 192.168.88.100-110" mac-address=00:0E:58:32:0E:0C server=dhcp1
add address=192.168.88.101 always-broadcast=yes client-id=1:0:e:58:32:e:1e mac-address=00:0E:58:32:0E:1E server=dhcp1
add address=192.168.88.102 always-broadcast=yes client-id=1:0:e:58:32:e:a0 mac-address=00:0E:58:32:0E:A0 server=dhcp1
add address=192.168.88.103 always-broadcast=yes client-id=1:0:e:58:32:e:da mac-address=00:0E:58:32:0E:DA server=dhcp1
add address=192.168.88.104 always-broadcast=yes client-id=1:0:e:58:32:e:ac mac-address=00:0E:58:32:0E:AC server=dhcp1
add address=192.168.88.130 client-id=1:0:1f:b8:5:7:48 comment="Control System - 192.168.88.130 - " mac-address=00:1F:B8:05:07:48 server=dhcp1
add address=192.168.88.105 client-id=1:0:e:58:24:65:b6 mac-address=00:0E:58:24:65:B6 server=dhcp1
add address=192.168.88.106 always-broadcast=yes client-id=1:0:e:58:24:64:9e mac-address=00:0E:58:24:64:9E server=dhcp1
add address=192.168.88.107 always-broadcast=yes client-id=1:0:e:58:24:59:40 mac-address=00:0E:58:24:59:40 server=dhcp1
add address=192.168.88.108 always-broadcast=yes client-id=1:0:e:58:32:f:9a mac-address=00:0E:58:32:0F:9A server=dhcp1
add address=192.168.88.109 always-broadcast=yes client-id=1:0:e:58:32:15:ac mac-address=00:0E:58:32:15:AC server=dhcp1
add address=192.168.88.110 client-id=1:0:e:58:24:6b:e8 mac-address=00:0E:58:24:6B:E8 server=dhcp1
add address=192.168.88.131 comment=MRX-1 mac-address=00:1F:B8:04:0C:F5 server=dhcp1
add address=192.168.88.140 client-id=1:0:23:df:a8:7c:6a comment="Foxtel - 191.268.88.140-" mac-address=00:23:DF:A8:7C:6A server=dhcp1
add address=192.168.88.120 client-id=1:4:18:d6:80:b3:5d comment="UniFi - 192.168.88.120 - 124" mac-address=04:18:D6:80:B3:5D server=dhcp1
add address=192.168.88.121 client-id=1:4:18:d6:80:b3:85 mac-address=04:18:D6:80:B3:85 server=dhcp1
add address=192.168.88.150 client-id=1:0:24:36:a2:c3:23 comment="Time Capsule - 192.168.88.150" mac-address=00:24:36:A2:C3:23 server=dhcp1
add address=192.168.88.122 client-id=1:4:18:d6:80:b2:f9 mac-address=04:18:D6:80:B2:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 comment="Support address list - full access to router allowed from this range" list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop IP's in bogon list" disabled=yes dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=output disabled=yes dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=established disabled=yes
add chain=input comment="Accept related connections" connection-state=related disabled=yes
add chain=input comment="Allow SUPPORT address list full access" disabled=yes src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/tool romon port
add
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 2:17 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi Ben,
When the problem occurs again check the Routerboard for CPU use and check profiling to see just what is keeping the CPU busy. Don't overestimate the CPU in the 2011, it's not as quick as you think. The new FastPath and FastTrack features will be something you'll be interested in when routing something as fast as a cable modem so read up on them and do try the latest firmware images.
Jason
On 28 July 2015 at 13:48, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
Yes - when I am using the RB2011's the gateway (WAN) port is not in any bridge or switch config and is routing only.
When I first started installing Mikrotiks I used to bridge all the other ports, which I know uses the main CPU and not the switch chip, but my thinking was that the main CPU is more powerful and the router isn't exactly doing anything complex such as queues or heaps of firewall rules.
However since then I have started using the master - slave switch chip function, especially on the 24 port CRS. On the RB2011's I slave all the gigabit ports to ether2 and slave all the 10/100 ports to ether6, then bridge the two, with ether1 as the WAN port. On the CRS I slave all the ports apart from ether24 to ether1. I then use ether24 as the WAN port.
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:35 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Hi
OK, the current changelog on Mikrotik only goes back to 6.27 and the current is at 6.30 so I can't even see if some related bug has been fixed since 6.20. I'd suggest updating the software, reboot, update the firmware, reboot and see if that helps.
If in doubt beyond that, save export your config, factory reset and reimport the config.
What ports do you use on the 2011? Are the ports on 1Gb side slaved to ETH1, the ports on 100Mbit side slaved to Eth6 and Eth1 and Eth6 bridged? Which port is connected to the modem? It should be on its own, not slaved or bridged.
Since 6.20 there have been some packet engine speedups that operate at the bridge level and some interfaces (not PPPoE unfortunately). You will definitely benefit using the new speedup options with NAT on a DHCP based modem.
Jason
On 28 July 2015 at 13:25, Ben Jackson <ben@elogik.net> wrote:
Hi Jason,
I have customers on a few different ROS versions, normally nothing earlier than 6.18 - and I always make sure the firmware is at a matching level. I think the majority right now are at 6.20.
Thanks
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:21 PM, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
What version of RouterOS are you using and what level is the firmware at?
On 28 July 2015 at 13:18, Ben Jackson <ben@elogik.net> wrote:
Hi RJ,
Yep - that's exactly what I do.
I know it's not congestion because when I reboot the mikrotik or simply renew the dhcp client address on the gateway port the whole system springs back to life.
Thanks,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 1:03 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:
Hi Ben,
We have a few staff with bigpond cable and mikrotiks who don't exhibit this behaviour.
Their setups are very straightforward:
-Bridge the cable modem (same cable modem model as you describe)
-DHCP client on the appropriate physical mkt interface
-masq that interface
-firewall filter as usual
Do you have anything different in your configurations?
Cheers,
RJ
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 28 July 2015 10:55 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actual physical MAC just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards
Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 12:47 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISP's use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> >> > > > > >>>> >> > > > > >>>> >> > > _______________________________________________ > > >>>> >> > > Public mailing list > > >>>> >> > > Public@talk.mikrotik.com.au > > >>>> >> > > > > >>>> >> > > >>>> > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> >> > > > > >>>> >> > > _______________________________________________ > > >>>> >> > > Public mailing list > > >>>> >> > > Public@talk.mikrotik.com.au > > >>>> >> > > > > >>>> >> > > >>>> > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> >> > > > > >>>> >> > _______________________________________________ > > >>>> >> > Public mailing list > > >>>> >> > Public@talk.mikrotik.com.au > > >>>> >> > > > >>>> >> > > >>>> > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> >> > > > >>>> >> > > >>>> >> > > >>>> >> > > >>>> >> -- > > >>>> >> _______________________________________________ > > >>>> >> Public mailing list > > >>>> >> Public@talk.mikrotik.com.au > > >>>> >> > > >>>> > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> >> > > >>>> > > > >>>> > > > >>>> > > >>>> > > >>>> -- > > >>>> _______________________________________________ > > >>>> Public mailing list > > >>>> Public@talk.mikrotik.com.au > > >>>> > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > >>>> > > >>> > > >>> > > >> > > >> > > >> -- > > >> > > >> > > > > > > > > > -- > > _______________________________________________ > > Public mailing list > > Public@talk.mikrotik.com.au > >
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
> > > _______________________________________________ > Public mailing list > Public@talk.mikrotik.com.au > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au > > > _______________________________________________ > Public mailing list > Public@talk.mikrotik.com.au > http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au > _______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
-- _______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Ben Jackson
eLogik
m: 0404 924745
e: ben@elogik.net
w: www.elogik.com.au
On Fri, 2015-08-14 at 07:11 +1000, Ben Jackson wrote:
I really feel this is somehow to do with the DHCP client/server interaction between the two devices. I have even tried running the modem non-bridged so that there is a dual NAT situation which gives me a very similar result.
Similar good or similar bad?

If DHCP is the problem, it can only be that the ISP is throttling the link in the absence of whatever it is the modem does that the MT doesn't. All DHCP does is provide an address to your end, which is still happening. Throttling is usually down to way lower rates than 20Mb/s though.

The obvious thing to try here is a different brand of router. If it's something to do with the router not responding the way the ISP wants, then any router will have the same problem. If some other router works fine, then it's MikroTik-specific.

The most interesting part of all this is the delay. It works well for quite a long time, then suddenly slows down. Then you reboot everything and it's all good for a while, before slowing down again. That smells to me of something filling up or running out. Is the time from reboot to failure constant?

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Old fingerprint: 231A B066 CF91 1216 4F0F F2AC CE25 B8AA 46DC CC4F
Similar bad I'm afraid. The rates I am getting are less than 20mbps, often as low as 4-5mbps. I have tried other brands of router in the past (although not with the latest Telstra modems) which seemed to be stable enough. The problem here is that these routers do not service the internal LAN very well, which is important when you have a lot of media streaming happening on the network.

I also feel I'm caught between a rock and a hard place with Telstra, whose official line is that as soon as the modem is in bridge mode, they don't support it.

I agree with you about the delay factor. I'm from a UNIX server background and remember well the filling up of ipcs queues etc. which eventually brings the server to its knees. It's as if there is a resource problem of some sort anyway.

On 14 Aug 2015 7:53 am, "Karl Auer" <kauer@nullarbor.com.au> wrote:
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On Fri, 2015-08-14 at 08:07 +1000, Ben Jackson wrote:
The rates I am getting are less than 20mbps, often as low as 4-5mbps.
Even so - throttling usually takes you down to 1Mb/s or lower.
I have tried other brands of router in the past (although not with the latest telstra modems) which seemed to be stable enough.
Try again with the modems that are in the problem domain.
The problem here is that these routers do not service the internal LAN very well which is important when you have a lot of media streaming happening on the network.
Two routers? Modem to RouterX to MikroTik.
I also feel I'm caught between a rock and a hard place with Telstra whose official line is that as soon as the modem is in bridge mode, they don't support it.
The AusNOG mailing list might be a reasonable place to ask about this; at least to clarify whether it *should* work. Lots of ISP techs hang out there, they know what's what. But: ... you said earlier:
I have even tried running the modem non-bridged so that there is a dual NAT situation which gives me a very similar result.
And "similar" = "similar bad". This seems to suggest that it's nothing to do with bridge mode or DHCP, because in the dual NAT scenario the provider's CPE is fully handling your end of the link.

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)
I think throttling is a red herring. If throttling were to happen it would happen as soon as the rogue device were connected, and the delay would not be present.

I am about to go to a customer site with problems and test a different brand of router, but this doesn't really solve my problem due to the lack of media streaming capability. Having essentially three routers in the mix is a no-go due to port forwarding complexity problems, apart from just seeming inherently "wrong".

I think the "similar bad" situation with dual NAT could well be to do with the performance hit of dual NAT rather than recreating the exact same issue.

On 14 Aug 2015 8:29 am, "Karl Auer" <kauer@nullarbor.com.au> wrote:
On Fri, 2015-08-14 at 08:43 +1000, Ben Jackson wrote:
I think throttling is a red herring.
Yes.
Having essentially three routers in the mix is no go due to port forwarding complexity problems apart from just seemingly inherently "wrong".
No big additional complexity - the inner two are routing properly, not NATting. Only the first has to port forward. Except for a simple link network between RouterX and the MikroTik (and a static route on RouterX to the downstream network) it's no more complex than with the MikroTik handling the link.

modem+bridge <-> NAT+RouterX <-> MikroTik <-> network
I think the "similar bad" situation with dual NAT could well be to do with the performance hit of dual NAT rather than recreating the exact same issue.
Not unless the slowdown was immediate. The difference is the delay. If it were a NAT performance issue, the slowdown would be immediate. If it started well and dropped after a week or so, then it's not NAT; it's the same problem.

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)
Thanks for your suggestions Karl. I see what you mean about the static routing etc. I was stuck in the mindset that another router meant another NAT. Assuming I can port forward correctly from the Telstra device that might work, although there's a perfectionist part of me that balks at having essentially an "extra" device. Could this increase latency to the WAN?

I have also been exploring other options and initial tests suggest that the Ubiquiti EdgeRouter may work. I have also tested the interface queue (default-ethernet) change on a mate's MikroTik (he has cable internet - I don't) and so far it's looking good, but as you all know this problem takes a while to eventuate.

Cheers,
Ben

On 14 Aug 2015 9:01 am, "Karl Auer" <kauer@nullarbor.com.au> wrote:
On Sun, 2015-08-16 at 12:43 +1000, Ben Jackson wrote:
NAT. Assuming I can port forward correctly from the Telstra device that might work although there's a perfectionist part of me that balks at having essentially an "extra" device. Could this increase latency to the WAN?
Firstly, you don't have to port forward from the Telstra device. You leave that in bridge mode. You port forward from RouterX.

Secondly, no, I doubt it will increase latency, or at least not enough to be worth worrying about. The upstream is measured in megabits; that's a trickle to a gigabit interface.

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)
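Karl's three-box layout (modem in bridge mode, a NATting RouterX, then the MikroTik routing without NAT) written out as RouterOS configuration for the two inner boxes. This is an added illustration, not a config anyone posted on the list; it assumes RouterX is itself a RouterOS device, a /30 link network of 192.168.255.0/30, a LAN of 192.168.10.0/24 behind the MikroTik, a DVR at 192.168.10.50 as the port-forward target and ether1 as the WAN-facing port on each box (all constructed values).

```routeros
# ---- RouterX: the only box that NATs (assumed RouterOS; constructed addresses) ----
# ether1 faces the bridged modem and takes the carrier address via DHCP.
/ip dhcp-client
add interface=ether1 disabled=no add-default-route=yes use-peer-dns=yes

# ether2 is the point-to-point link network to the MikroTik.
/ip address
add address=192.168.255.1/30 interface=ether2 comment="link to MikroTik"

# The static route Karl mentions: RouterX must know the LAN lives behind the MikroTik,
# otherwise replies (and forwarded ports) have nowhere to go.
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.255.2 comment="LAN behind MikroTik"

# Source NAT happens here and only here, so there is a single NAT on the path.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="single NAT"
# Port forward straight through to the LAN host; the static route above
# carries the translated packets the rest of the way.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.10.50 to-ports=80 comment="DVR web UI (constructed)"

# If RouterX carries the default "drop everything from WAN" forward rule, let the
# DST-NATed connection through ahead of it.
/ip firewall filter
add chain=forward connection-nat-state=dstnat in-interface=ether1 action=accept \
    comment="allow forwarded ports" place-before=0

# ---- MikroTik: routes only, no NAT ----
/ip address
add address=192.168.255.2/30 interface=ether1 comment="link to RouterX"
add address=192.168.10.1/24 interface=bridge-lan comment="LAN (constructed)"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.255.1 comment="default via RouterX"

# Deliberately no /ip firewall nat srcnat rule on this box: it is a plain router,
# so the DVR sees the real client address and there is no second NAT to fight.
```

Because the MikroTik is not translating, the DVR and CBus controllers still get their port forwards, but from RouterX rather than from the modem.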
Great. Thanks for the clarification.

Ben Jackson, eLogik (Sent from my mobile device)

On 16 Aug 2015 8:22 pm, "Karl Auer" <kauer@nullarbor.com.au> wrote:
Do you know what type of traffic it is? Have you checked that "allow remote DNS requests" is unticked? To stop DNS amplification attacks, which would match with high upload and a time period for it to slow down?

Andrew

On 14/08/2015 7:53 AM, "Karl Auer" <kauer@nullarbor.com.au> wrote:
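The setting Andrew is asking about, shown as the exposed configuration next to a hardened one, with the commands for checking whether the router is being used as an open resolver. This is an added illustration, not config from the list; it assumes ether1 is the port facing the cable modem and that LAN clients still use the router as their resolver.

```routeros
# --- Exposed: the router answers DNS for anyone who can reach its public address ---
# With allow-remote-requests=yes and no input-chain filter, UDP/53 on the carrier
# address is an open resolver. Spoofed queries from the internet make the router
# send large answers upstream: high upload, and a link that bogs down over time.
/ip dns
set allow-remote-requests=yes

# --- Hardened: keep the resolver for LAN clients, close it on the WAN side ---
# The drops go ahead of any accept rules in the input chain (place-before=0).
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN" place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN (tcp)" place-before=0
# If nothing on the LAN uses the router as its resolver, turn it off instead:
# /ip dns set allow-remote-requests=no

# --- Checks ---
# 1. Is the resolver on at all, and how big is the cache? A cache full of names
#    nobody on the LAN would ask for is the tell-tale sign of outside queries.
/ip dns print
/ip dns cache print count-only
# 2. Are the drop rules catching anything? The packet/byte counters climb if the
#    public address is being queried from outside.
/ip firewall filter print stats where comment~"no DNS from WAN"
# 3. Watch it live: inbound port-53 traffic arriving on the WAN interface.
/tool torch interface=ether1 protocol=udp port=53
```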
Thanks again Paul. Is there any chance you could post your config of how you have your DHCP stuff set up? I can then compare it with mine and see if there are any glaring omissions.

Cheers,
Ben

Ben Jackson, eLogik

On Tue, Jul 28, 2015 at 12:54 PM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address"; try clicking this on the interface you have plugged into the NTU. It will reset the MAC address back to, or force it to be, the actual physical MAC, just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 12:47 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISP's use; I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that, so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson, eLogik
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU, the way you have it all plugged in?
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 10:53 AM
To: MikroTik Australia Public List
Subject: [MT-AU Public] Cable Modem DHCP Issues
Hi All,
I'm hoping someone can help me as I'm at my wit's end with this one.
We use Mikrotik gear (mainly RB2011's and, more recently, the CRS125-24G) in large residential AV situations where, invariably, the Mikrotik is in DHCP client mode, in a cable internet scenario where Telstra's / Optus's modem has been placed into "bridge" mode (NAT switched off) and the carrier-supplied WAN IP address gets bound to the gateway interface of the Mikrotik.
The Mikrotik, in turn, is connected to, on average, about 3 UniFi access points and at least 3-4 zones of Sonos. On initial set up, everything seems to work great, with the full bandwidth of the cable modem getting passed on to the rest of the network, even when 802.11 clients are connected (a testament to the UniFi's in my opinion - I only use dual band Pro AP's).
However, after a week or so the internet connection seems to get either very slow, or stop working altogether. If I look in the logs (with dhcp logging switched on) I can see regular NAK's getting passed from the dhcp server on the cable modem. The problem is I don't really understand how DHCP works on cable modems. I'm assuming every so often the cable modem gets a new IP address from the carrier (normally after a reset) and at this point the modem is not passing this new address onto the Mikrotik which is effectively cut off from the internet. Since we are stuck with using Bigpond and Optus modems these are the only solutions I have discovered which seem to stop the issue from occurring (at least as regularly).
1) Leave the cable modem in "router" mode and switch off all extraneous services such as Wi-Fi, and also put one IP address in the dhcp pool so that the Mikrotik always gets the same private IP address. However, this creates a double nat situation which means I can no longer perform reliable port forwarding for things such as DVR's and CBus controllers (which I find the Mikrotik's great for).
2) Allow the cable modem to perform all dhcp, routing, port forwarding (which is a joke on these devices) and firewall tasks for the entire LAN and turn the CRS into an unmanaged L2 switch. The main problem here is that these Bigpond devices simply do not have the grunt to deal with large networks with lots of AV streaming and control happening.
Since both of the above have severe drawbacks in terms of functionality, I wonder if anyone has had similar experiences as I am just about ready to dump the MikroTik's and start looking at other options in the hope that they play better with the Bigpond gear.
Thanks in advance,
Ben Jackson, eLogik
We just add dhcp-client or run PPPoE to the interface and that's it, nothing special, really simple stuff to be honest.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 1:10 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

Thanks again Paul. Is there any chance you could post your config of how you have your DHCP stuff set up? I can then compare it with mine and see if there are any glaring omissions.

Cheers,
Ben

Ben Jackson, eLogik

On Tue, Jul 28, 2015 at 12:54 PM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hi Ben, I have seen Mikrotiks change their MAC address, or at least the one they present, this usually happens if a config has been uploaded to them without MAC addresses removed.
There is an option in the interface settings called "Reset MAC Address", try clicking this on the interface you have plugged into the NTU, it will reset the MAC address back to or force it to be the actually physical MAC just in case anything has changed.
We use bridge mode in modems and NTU's with Mikrotiks in hundreds of locations for ADSL and Ethernet services and never have one issue.
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson Sent: Tuesday, 28 July 2015 12:47 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] Cable Modem DHCP Issues
Thanks for the reply Paul. Yes I agree with you 100%, there should be almost nothing to go wrong in this type of set-up. The NTU is definitely in bridge mode - as evidenced by the radio button saying "Bridge Mode" on the web GUI ;) and I have a DHCP client running on ether24 of the CRS (or sometimes ether 1) which immediately binds the public IP address to itself.
I understand about the MAC based DHCP which the ISPs use, I have had issues in the past (no longer seems to be an issue) where I have had to spoof the MAC address of the NTU to get a DHCP address. I have also noticed if my MBP is the first device to connect to the NTU while in bridge mode, sometimes I need to power cycle the device to "deregister" the MAC address of the MBP. I am able to get a binding on the MikroTik after this process is complete.
But, in this instance this is not the problem unless somehow the MAC address of the MikroTik ether port is changing - is this possible? I must admit, my progress on this is somewhat hampered by not having a cable setup to test on at home - I run ADSL.
I'm pretty sure that nothing else on the network would be able to bind its MAC address to the public IP before the MikroTik has had a chance to - although I must admit I hadn't thought of that so I'll check it out in more detail.
I am also inclined to agree with you that this is not solely a Mikrotik issue. It seems to me that it is the magic (or not so magic) combination of the ISP's hardware and the MikroTik that seems to cause the problem. I have tried other brands of router which do not seem to exhibit the issue, however these devices do not have the great feature set of the MikroTik and are often not rack-mountable. Trotting out the "It's not a Mikrotik issue" line is starting to wear very thin with both my customers and colleagues. Although my gut feeling is that it isn't - I need proof and I don't know where to start. This is happening far too often for it to be a coincidence or a faulty device.
I have, unfortunately also seen very strange behaviour over ADSL / pppoe connections in bridge mode too, I sent an email about this some time ago and it still plagues me from time to time.
The type of installations I am doing are not your typical home setups and customers are paying a lot of money for a supposedly "commercial-grade" solution which is only adding to my stresses.
Do any of you guys out there use a MikroTik as your home router - how do you set it up? Have you seen issues like this?
One thing I have noticed is that the issue seems to be much more prevalent with the newer DOCSIS 3.0 netgear / telstra / optus modems. No idea why. Any cable experts out there?
Thanks again,
Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
On Tue, Jul 28, 2015 at 11:11 AM, Paul Julian <paul@oxygennetworks.com.au> wrote:
Hey Ben, the only thing I can think of is that Telstra and Optus Cable networks use MAC based DHCP, they bind the IP to the MAC of the NTU or in the case of bridge mode the first client that makes a request, and often you have trouble with these things because of this, I don't really think it's a Mikrotik thing.
However, as long as the Mikrotik is maintaining the same MAC on the interface plugged into the NTU and the NTU is truly in bridge mode and the Mikrotik is the only thing plugged into the NTU I can't see why it would be having issues.
Is there any chance that another device might somehow be getting a DHCP request through to the NTU somehow the way you have it all plugged in?
Regards Paul
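Paul's theory above is that the cable network binds the public lease to the first MAC that asks, so a NAK means either a different host reached the NTU first or the server dropped the lease for the same MAC. The following is an added example, not code from the thread or from MikroTik: it decodes DHCP messages (RFC 2131 fixed header plus options) from a packet capture of the NTU-facing port and, for each NAK, reports whether the refused client hardware address (chaddr) is the one the server last ACKed. The packets, MAC addresses and the 203.0.113.45 address are constructed for the example.

```python
"""Added example (not from the thread): decode DHCP messages (RFC 2131 layout)
and check whether each NAK comes with a change of client hardware address
(chaddr). All packets and MACs below are constructed; 203.0.113.0/24 is a
documentation range."""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
REQUEST, ACK, NAK = 3, 5, 6


@dataclass
class DhcpMessage:
    op: int          # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int         # transaction id, copied by the server into its reply
    yiaddr: str      # address the server is handing out (replies only)
    chaddr: str      # client hardware address; the server echoes the request's
    options: dict = field(default_factory=dict)

    @property
    def msg_type(self) -> str:
        t = self.options.get(53)          # option 53 = DHCP message type
        return MSG_TYPES.get(t[0], "UNKNOWN") if t else "UNKNOWN"


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", requested_ip=None) -> bytes:
    """Build a minimal DHCP message: 236-byte fixed header, magic cookie, options."""
    hw = bytes.fromhex(mac.replace(":", ""))
    # op, htype=1 (ethernet), hlen=6, hops, xid, secs, flags
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += _ip_bytes("0.0.0.0") + _ip_bytes(yiaddr)        # ciaddr, yiaddr
    hdr += b"\0" * 8                                        # siaddr, giaddr
    hdr += hw.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if requested_ip:                                        # option 50 = requested address
        opts += bytes([50, 4]) + _ip_bytes(requested_ip)
    return hdr + MAGIC_COOKIE + opts + b"\xff"              # 255 = end of options


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, xid, _ip(pkt[16:20]), chaddr, options)


def audit_naks(messages):
    """Walk decoded messages in time order. Remember which chaddr the server last
    ACKed a lease to; for each NAK report whether the refused client is a different
    MAC (another host reached the NTU first) or the same MAC (server-side change)."""
    bound_mac, bound_ip, requests, findings = None, None, {}, []
    for m in messages:
        kind = m.msg_type
        if kind == "REQUEST":
            requests[m.xid] = m
        elif kind == "ACK":
            bound_mac, bound_ip = m.chaddr, m.yiaddr
        elif kind == "NAK":
            req = requests.get(m.xid)
            wanted = _ip(req.options[50]) if req and 50 in req.options else "?"
            if bound_mac and m.chaddr != bound_mac:
                findings.append(f"mac-changed: {m.chaddr} asked for {wanted}, "
                                f"lease {bound_ip} is bound to {bound_mac}")
            else:
                findings.append(f"same-mac: {m.chaddr} refused {wanted}; "
                                f"check the server side, not the client MAC")
    return findings


# Constructed capture: the router gets the lease, a laptop plugged into the NTU
# is refused, and later the router's own renewal is refused as well.
ROUTER, LAPTOP, PUBLIC = "02:00:00:aa:bb:01", "02:00:00:cc:dd:02", "203.0.113.45"
SAMPLE = [parse_dhcp(p) for p in (
    build_dhcp(1, 0x1111, ROUTER, REQUEST, requested_ip=PUBLIC),
    build_dhcp(2, 0x1111, ROUTER, ACK, yiaddr=PUBLIC),
    build_dhcp(1, 0x2222, LAPTOP, REQUEST, requested_ip=PUBLIC),
    build_dhcp(2, 0x2222, LAPTOP, NAK),
    build_dhcp(1, 0x3333, ROUTER, REQUEST, requested_ip=PUBLIC),
    build_dhcp(2, 0x3333, ROUTER, NAK),
)]

if __name__ == "__main__":
    for line in audit_naks(SAMPLE):
        print(line)
```

Feeding real captured DHCP payloads (UDP 67/68) into `parse_dhcp` instead of the constructed `SAMPLE` separates the two cases in the thread: a "mac-changed" finding supports the first-MAC-wins explanation and points at whatever else reached the NTU, while a run of "same-mac" findings means the router's MAC is stable and the lease is being withdrawn on the carrier side.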
Sorry mate, wish I could give you more information.

Regards Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Jackson
Sent: Tuesday, 28 July 2015 1:21 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Cable Modem DHCP Issues

*Sigh* That's what I do too Paul. I was hoping there was some secret sauce :)
I have noticed that the Netgear modems are very heat sensitive - if they are in a densely-packed rack, they can exhibit all sorts of weird behaviour. A colleague modified one by adding self-adhesive heatsinks on all of the ICs which helped in that situation, but that can't really be recommended. An easier solution would be to move it to somewhere with better airflow.

For what it's worth, I'm running an RB2011 at home connected to Optus cable with a Netgear modem in bridge mode that just works. It does slow down at peak times due to congestion (although not as bad as what happens at my parent's house - it is virtually unusable there at peak times), but that's just how DOCSIS behaves.
Thanks Thomas. Yes I have noticed that these things get super hot. Yet another reason for Telstra to come up with a better design or find a new manufacturer.

Ben Jackson eLogik m:0404 924745 e: ben@elogik.net w: www.elogik.com.au
participants (8)
- Andrew Gilbett
- Ben Jackson
- Jason Hecker (Up & Running Tech)
- Karl Auer
- Mike Everest
- Paul Julian
- RJ Plummer
- Thomas Jackson