Skip to content
Feb 1 / thebrotherswisp

TheBrothersWISP 25 – Wireless Gear, Monitoring, SDN

Mike(Mom), Tom, Tomas, Justin Miller, and Alex talk about how much they wish Greg was no this cast…but alas, he is not.

Some of the things discussed:
WISPAPalooza video interviews
WISPAPalooza in general
Cambium ePMP
Mimosa B11
AirFiber NxN
The Dude
SDN\OpenFlow\Performant Networks\Bonding\ etc.
New TBW formats
Other stuff I probably forgot

To see the video please visit the link below!!!

Jan 30 / thebrotherswisp

TheBrothersWISP 26 – Mikrotik Newsletter 70, Switches, upcoming conferences

Andrew Cox, Mike(Mom), Tom, Tomas, Justin Miller, and Greg talk about the meaning of life and how routing makes it just a little bit better.

I point out in the video that MTK donated money to, yet another, children’s hospital. I know they did this quietly, but people doing good things for a good reason need to be heard! Big ups to the Tik crew. I also stated that Robert Pera has been doing a lot for the Memphis community, and I admire the hell out of him for that.
Good people doing good things!

Some of the things discussed:
Mikrotik Newsletter 70
Ubiquiti switches
MUM Slovenia
MUM Dallas

To see the video please visit the link below!!!

Dec 28 / Greg

Cisco DMVPN With DHCP Failure

With Cisco’s DMVPN it should be a snap to pickup your router and move it to a new site…at least it was previously for my client. The difference was, they were statically configured before, and now they are DHCP.

Cisco Dynamic Multipoint VPN is a system where by you plug in, and remote sites will dial back to a hub site, create a tunnel, then encrypt the tunnel. Everything is done automatically…so why did it fail when switching to DHCP.

When the tunnel interface was enabled, everything flapped up and down. Connectivity was shot through the tunnel as well as regular internet access.

I first looked at the log on their router:

000573: Dec 28 2015 13:33:21.669 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor (Tunnel0) is down: holding time expired
000574: Dec 28 2015 13:33:49.926 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor (Tunnel0) is up: new adjacency
000575: Dec 28 2015 13:34:09.846 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor (Tunnel0) is down: Peer goodbye received
000576: Dec 28 2015 13:34:13.026 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor (Tunnel0) is up: new adjacency

As soon as the tunnel interface came up “Tunnel0”, EIGRP started going bananas. I was thinking…what would make EIGRP flap as well as connectivity to go crazy?

When the tunnel establishes it starts to learn routes from the the tunnel interface…perhaps it is getting a default route. That can’t be the issue, right, because our DHCP learned default route should have preference, right…WRONG.

By default the DHCP learned default route has an administrative distance of 254 as evidenced when issuing a show ip route command:
S* [254/0] via

Since EIGRP has an AD of 90, when that default route comes it is is installed into the route table in place of our DHCP learned default. This then breaks our internet connectivity and the tunnel fails, which then repeats the cycle. It worked before because they were statically configuring default which has an AD of 1.

Cisco has a special command for just such an issue:

ip dhcp-client default-router distance X

X can be a value of 1 – 255. I chose 1 since that is consistent with a static route.

After you enter the command you have to shut/no shut the interface to have the default route be relearned. As soon as it is it acquires the new AD we set.
S* [1/0] via

After that I enabled the tunnel interface, everything came up and all was right with the world.

Good luck and God’s speed little networkers!

Dec 3 / Greg

Update Root Hints Bind 9

The root hint file is used by your bind server to lookup domains it doesn’t have cached. Every so often the root server IPs change, so keeping this file updated is a good idea.

Here’s a quick and dirty way you can update your bind 9 root hints via a cron job. You can schedule it to run every 6 months or so.

Your root hings file may be either or named.root. Do a quick search and locate where the file lives on your server and update everything accordingly.

This will download a new version, then restart DNS services.

wget -O /var/named/ && rndc reload
Nov 13 / Greg

Mikrotik Newsletter 68 – Andrew/Greg Chat

Andrew Cox and Greg Sowell dish about some of the new stuffs in the 68th newsletter:
mANT 15, 19 sector antennas
hEX PoE Lite
mANT 30 45° horn tilt
LNS supprot
DNS on tunnels and such
PoE manager

This was impromptu conversation…taking it back old school.

Grab the MP3 here if you prefer:Mikrotik Newsletter 68 Audio (378)

Nov 9 / Greg

Mikrotik Changelog 6.33 … A Novel

What’s new in 6.33 (2015-Nov-06 12:49):

*) dns – initial fix for situation when dynamic dns servers could disappear;
*) winbox – dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0);
*) dhcpv6 – various improvement and fixes for dhcp-pd client and ippool6;
*) defconf – fixed rare situation where configuration was only partially loaded;
*) net – fix possible never ending loop when bad CDP discovery packet is received; Snap…interesting DOS vector
*) log – make default disk file name to reside in flash dir if it exists;
*) romon – change port list to be not ordered in export;
*) capsman – limit number of simultaneous DTLS handshakes;
*) capsman – fixed memory leak on CAP joining CAPsMAN when ssld is used;
*) winbox – added allow-fast-path to eoip, gre & ipip;
*) winbox – do not show power-cycle properties on non poe ports;
*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;Just for Thrift hehe
*) webfig – some of the setting were shifted to the right;
*) packages – allow to reinstall from bundle to separate packages & vice versa;
*) packages – prefer out of bundle packages when both of them are installed;
*) packages – fix a problem of upgrading bundle package to non bundled ones;
*) ipsec – force flow cache validation once in 1h;
*) winbox – make sure that all setting names get shown in full;
*) winbox – added poe power-cycle-ping settings to ethernet interfaces;
*) ppp – handle properly case were ppp client is given same address for local & remote end;
*) winbox – added vlan-mode & vlan-id to virtual-ap interface;
*) winbox – added timeout column to ipv6 address lists;
*) winbox – show SFP Tx/Rx Power properly;niceeee
*) winbox – added min-links to bonding interface;
*) winbox – do not show health menu on RB951Ui-2HnD;
*) winbox – added support for Login-Timeout & MAC-Auth-Mode in hotspot;
*) cerm – added option to disable crl download in ‘/certificate settings’;
*) winbox – make user ssh key import work again;
*) webfig – make “Copy to Access List” work in CAPsMAN Registration Table;
*) userman – fix report generation problem which could result in some users being skipped from it;
*) winbox – fix to allow cpu-port as mirror-target
*) proxy – error.html parsing enhancement to improve performance
*) CCR1072 – improve ether1 performance under heavy loadHow odd…I wonder why ether1 alone was having issues. I thought the 1072 had individual pipes to the CPU for each port.
*) routerboard – indicate RouterBOOT type in /system routerboard print;
*) mpls – properly use mpls mtu for routes;
*) cerm – fix key description for signed certificates;
*) trafflow – report flow addresses in v1 and v5 without NAT awareness;
*) hotspot – add mac-auth-mode setting for mac-as-passwd option;
*) hotspot – add login-timeout setting to force login for unauth hosts;
*) auto-upgrade – fixed auto upgrade for smipsbe;
*) dns – do not create duplicate entries for same dynamic dns server addresses;
*) ipsec – fix set on multiple policies which could result in adding non existent dynamic policies to the list;
*) email – allow server to be specified as fqdn which is resolved on each send;Killer
*) fastpath – eoip,gre,ipip tunnels support fastpath (new per tunnel setting “allow-fast-path”);Sick…anyone test yet?
*) ppp, pptp, l2tp, pppoe – fix ppp compression related crashes;Nice…I use this in a few places
*) cerm – also accept downloaded CRLs in PEM format;
*) userman – added ‘history clear’ to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users;
*) health – fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter;
*) userman – added phone number support to signup form;
*) ip pool6 – try to acquire the same prefix if info matches recently freed;
*) ipsec – fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) ipsec – use local-address for phase 1 matching and initiation;
*) route – fixed crash on removing route that was aggregated;
*) ipsec – fix replay window, was accidentally disabled since version 6.30;
*) ssh – allow host key import/export;
*) ssh – use 2048bit RSA host key when strong-crypto enabled;
*) ssh – support RSA keys for user authentication;
*) wlan – improved WMM-PowerSave support in wireless-cm2 package;
*) pptp & l2tp – fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30);
*) auto-upgrade – added ability to select which versions to select when upgrading;
*) quickset – fixed HomeAP mode;
*) lte – improved modem identification to better support multiple identical modems;
*) snmp – fix system scripts table;
*) tunnels – eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;I believe this is only on initial connection. I wonder if there is a way that if the connection drops it would attempt to DNS query again – if the remote address changed it would reconnect
*) fastpath – active mac-winbox or mac-telnet session no longer suspends fastpath;
*) fastpath – added per interface fastpath counters;
*) fastpath – added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;
*) ppp – added on-up & on-down scripts to ppp profile;
*) winbox – allow to specify dns name in all the tunnels;
*) pppoe – added support for MTU > 1492 on PPPoE;
*) cerm – fix scep server certificate-reply degenerate PKCS#7 signed-data content;
*) ppp-client – added default channels for Alcatel OneTouch L100V;
*) defconf – fix for boards that had bridge with only wlan ports;
*) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);
*) cerm – use certificate file name for imported cert name;
*) fetch – fixed error message when error code 200 was received;
*) cerm – rebuild crl for local ca if crl file does not exist;
*) winbox – make directed broadcasts work for neighbor discovery;
*) upnp: automatically adjust mappings to new external ip change;
*) ppp – added ppp interface to upnp internals/externals if requested;
*) ppp – when adding ipv6 default route use user provided distance;
*) userman – allow to correctly enable CoA on router;
*) cerm – show crl nextupdate time;
*) ppp – added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout);
*) ppp – added new option under “ppp aaa” – “use-circuit-id-in-nas-port-id”;
*) userman – refresh active sessions/users view dynamically;
*) package – added version tag and show everywhere alongside of version number;
*) wlan – improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package.

So some of A Thrift’s changes were in there…anyone else see some action they like here?

Oct 20 / Greg

Mikrotik ROS Change Log 6.32.3

First, it’s been ages since I’ve posted, and even longer since it was a change log hehe. So here we gooooooo

I’m sure you’ve also noticed how MTK is now doing bug fix releases. They only introduce new features when you change middle revision numbers. This allows you to find a stable version, and just pull bug fixes…unless you are brave, then you can just straight to the newest version 😉

What’s new in 6.32.3 (2015-Oct-19 11:13):

*) switch – fixed CRS settings set back to defaults after a reboot;Seems like a major fix. I wonder what odds you had of it resetting?
*) netinstall – include missing RB1200 drivers;
*) firewall – fixed connection-rate matcher;Big one I use frequently
*) ppp, pptp, l2tp, pppoe: fixed router dead locked if compression was enabled on link;I use this regularly also…haven’t seen the lockup, though.
*) quickset – create proper firewall rules when PPPoE is used for address acquisition;
*) sstp – fixed kernel crash when other party started to fragment ppp packets in the middle;
*) ippool6 – optimize same prefix acquisition;
*) winbox – Shift+Ins & Shift+Del did not work in multi entry fields;I didn’t even know this was a thing…
*) winbox – allow to specify ipv6 address in traffic flow target;
*) winbox – allow to specify eap-radius-accounting in CAPsMAN;
*) winbox – allow to enter dns name in email server;Awesome
*) ups – fix console oid print;
*) tunnel – fix loopback keepalives on gre and ipip;
*) pptp,l 2tp, sstp, pppoe: do not send data packets before we have negotiated connection with other
side (happens on dial-on-demand interfaces), this brakes when connecting to other party servers;
*) pptp, l2tp, sstp – make it work when add-default-route & dial-on-demand both are enabled;
*) pptp, l2tp, sstp, pppoe clients – fixed problem where they failed to connect
at startup and only reboot helped; Ugh…tshooting nightmare on that one
*) nv2 – fixed kernel failure with frame size accounting;
*) ovpn client – fixed crash when ovpn didn’t receive it’s ip address;
*) lcd – fix slideshow for CCR1072, and possible sign issues for temperatures;
*) winbox – make console notice correct screen size;
*) ssh – allow to specify pass as argument for private key import;
*) winbox – refetch hotspot walled garden hit counter;
*) winbox – added client-connections & server-connections to web proxy status;
*) cerm – fix scep server certificate-reply degenerate PKCS#7 signed-data content;
*) bgp – specific BGP networks were changed to different ones;Ugh
*) cerm – allow export for all types except templates;
*) wlan – update brazil-anatel country;
*) winbox – fixed context menu actions to apply to all selected items;

A lot of good bug fixes!