Skip to content
Jul 7 / thebrotherswisp

TheBrothersWISP 92 – IPAMs, Verizon Cust BGP Leak, Linux TCP DoS

This week Greg, Tomas, and almost Tom Smyth(but not quite) catch up on a month’s worth of stuff. The show is complete with a Tomas rant(your life is now complete).

This week we talk about:
Greg is looking for a reasonably priced OTDR
Lightning hitting a tree can take out your fiber
PHPIPAM for address management
Mikrotik CVE (linux in general) TCP DOS – fix in 6.45.1
Mikrotik 6.45.1 – API has changed so sonar and other systems aren’t working with it
Bridge filter in MIkrotik can block rogue DHCP servers without sacrificing hardware filtering.
Quick article on installing Mikrotik CHR on proxmox
Nick A. wanted a looking glass, and Greg’s favorite is routeviews
HFS webserver is a good way to test ports through a firewall – thanks Tomas
Physically security APs
Verizon customer leaked full routes due to a route optimizer
The “Tomas corner”:
Tomas loves his Linux Desktop – fully migrated from Windows to Linux on primary PC
RadMan – FOSS FreeRadius Management GUI
Unimus 1.10.2 release
Dealing with CAs as a non-US company is stupid

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) or

Click the link below to view the article!

Jun 19 / Greg

Mikrotik Bridge Filter to Block Rogue DHCP Servers

Mikrotik has introduces a LOT of great features in their switching line CRS100, CRS200, and CRS300. One thing of note is DHCP snooping which blocks rogue DHCP servers on your network. This feature works a treat in the CRS300 series switches as it also allows hardware offloading. Unfortunately if it is enabled on the CRS 100 or CRS 200 series switches, hardware offloading is disable, and spoiler alert, this is very bad.

If, however, you use bridge filtering to block rogue DHCP servers, hardware offloading remains enabled. Having said that, here’s some simple steps you can take to put a bridge filter in place to block rogues.

In this example, ether1 is the uplink port where the DHCP server lives, so no filtering is done here.

First create an interface list for all user/customer interfaces:

#this creates a customer list
/interface list
add name=customers

Next add all of the customer interfaces to the interface list:

#**add all customer interfaces to this list**
/interface list member
add interface=ether2 list=customers
add interface=ether3 list=customers

Last, apply the bridge filter to the forward train to catch traffic moving through the bridge.

#this filter rule will block DHCP servers
/interface bridge filter
add action=drop chain=forward in-interface-list=customers ip-protocol=udp mac-protocol=ip src-port=67

Go forth and happy non-rogue-dhcping 😉

Jun 19 / Greg

Install CHR On Proxmox

The first time I went about installing a Mikrotik CHR on a Proxmox server I ran into a lot of problems. I’ve distilled the steps down to something as simple as possible, all based on this wiki post.

1. Go to the mikrotik download page and grab the raw image of whichever version of CHR you prefer.
2. Extract the img file and transfer it into your proxmox /root folder.
3. On proxmox issue the following “qm list”. Pick the next sequential number that isn’t already taken.
4. Create the directory for this VM: “mkdir /var/lib/vz/images/150”
5. Create the qcow2 image. Adjust the image name “/root/chr-6.44.3.img” to whatever you downloaded and adjust the VM number from 150 to whatever you choose “/var/lib/vz/images/150/vm-150-disk-1.qcow2”

qemu-img convert \
-f raw \
-O qcow2 \
/root/chr-6.44.3.img \

6. Create the VM inside of proxmox. Be sure to change the VM number “150” in all lines to yours and also adjust the name to whatever you prefer:
qm create 150 \
–name chr-cust1 \
–net0 virtio,bridge=vmbr0 \
–bootdisk virtio0 \
–ostype l26 \
–memory 256 \
–onboot no \
–sockets 1 \
–cores 1 \
–virtio0 local:150/vm-150-disk-1.qcow2

After this you can refresh your console and make and adjustments you like.

That should get you up and working quickly. Good luck and happy routing.

Jun 10 / thebrotherswisp

TheBrothersWISP 91 – Flapgate, MAAS, Hypervisors

This week Greg, Dave, Nick, and Tomas try yet another podcast recording suite; spoiler, we didn’t use the audio from it this time, but will next. Don’t stop believing.

This week we talk about:
Mikrotik flapping issue CRS317 on SFP+ with newer firmwares – “flapgate”
Veeam has a community edition – 10 free VMs
Tomas didn’t like GUI options for Freeradius, so of course, he wrote his own. Opensouce link to come
VDSL2 media converters – 190Mb/110Mb
MikroTik L2 QoS – normally works on L3 only – but can be done for L2 as well
Hyper-v, Proxmox, ESXi, Zen – everyone has an opinion on which they prefer.
Alisdair using BFD
Dan fell victim to the Mikrotik LTE simcard; sometimes you just want to put it in upside down.
How many people go new on servers vs Gray market?
Cameo for all your B list celebrity shout outs.
D&D is hard to get started with and fantsy grounds is confusing.

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) or

Click the link below to view the article!

May 26 / thebrotherswisp

TheBrothersWISP 90 – Ubnt Vs Cambium, Ubiquiti LTU, Nobody Sees The Same Internet

This week Greg, Mike, Dave, and Alex fail at using Zencastr for the first time. We have failed back to the old audio…it is a sadness. 🙁

This week we talk about:
Feature Request Doc
Ubiquiti v Cambium
Ubiquiti LTU
UniFi Certification
Dan was having unifi APs with wireless backhauls not find the controller and fall back to default addressing. Miller says turn off “Uplink Connectivity Monitor” under unifi settings > site
Greg was today years old when he learned IPv6 doesn’t do fragmentation. Path MTU Discovery.
Limit MACs per interface on a Mikrotik.
Danny is trecking through the US soon; he needs mega uploads for his videos…anyone wanna help?
Nobody is looking at the same internet.

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) or

Click the link below to view the article!

May 12 / thebrotherswisp

TheBrothersWISP 89 – CNheat, Unifi Access, Taking Custom Projects

This week Greg, Tomas, Dave, and Nick never stop never stopping. This is a long one, so put it on 2x speed and kick back 😉

This week we talk about:
Jim Jones recorded his tips video, thanks!
Cambium CNheat
Ubiquiti unifi access – access control system(strike and mag control)
Ken asks about VRRP on the inside and outside interfaces at the same time…how to have one transition when the other does.
Jim Jones was asking about a light web proxy, would Mikrotik work.
Michael Rhone asks for opinions on “Why run ipv6 in a small network?” – of course Nick says “Why would you not” LOL
Taking on custom projects – what are the signs you are in danger, and when to day no.

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) or

Click the link below to view the article!

May 8 / thebrotherswisp

TheBrothersWISP Jim Jones’ Top 5 Tips

This week Greg talks to Jim Jones about his top 5 tips.

The Tips:

1. Show up.
– If you’re early you’re on time. If you’re on time you’re late. If you’re late, you’re fired.
– Never be late… especially to a client.
– It’s never DNS… till it is.
– Use DNS!
3. Be humble. Ask for help.
– Have a network of peers.
– Don’t wait too long to call support! That’s what they’re there for!
4. Backup all the things.
– File data
– Systems
– Configs
5. Don’t be married to vendors. Use the right tool for the job.
– Windows vs Linux
– Mikrotik vs Cisco
– Cisco SMB vs Bruhcade
– Unifi vs Meraki
6. Bonus: Learn. Go outside your comfort zone, silo.
– Podcasts.
– Books, audio.
– Youtube, pluralsight, etc.
7. Bonus: Teach. Mentor. Give more than you take.
– Don’t limit this to tech.
– True happiness is in serving others.

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) or

Click the link below to view the article!