Apr 19 / thebrotherswisp

Mikrotik MUM 2019 Austin After Movie



Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) thebrotherswisp.com or https://facebook.com/thebrotherswisp

Here’s the video: (if you don’t see it, hit refresh)

Apr 14 / thebrotherswisp

TheBrothersWISP 87 – Confluence RCE, BGP On Various Kit, Configuring Edge Switches



This week Greg, Tomas, Mike, Wilson, and TOM SMYTH get all Irish up on it. Tom and I go on some deep tangents, prepare thyself.

This cast we talk about:
Confluence RCE in all but the latest v6 versions
WPA3 vulnerability
GPENs will have waterproof enclosures
The v7 we saw was an internal alpha

*Slack Updates*
ESXi: set the port group VLAN to 4095 to pass all VLANs to a VM
Edwin is asking about spacing APs in public wifi – start with client density and go from there
BGP on Arista and OpenBGPD routers
Manipulating TCAM tables
Jeremy (Aussie hipster) – diverse routers with different ISPs: transport both to one router, or terminate each ISP on its own router and full mesh?
MC-LAG vs stacking – as many opinions as there are engineers. Answer…add both features LOL
Configuring switches for edge user connections – DHCP snooping, port isolation, port security, storm control, dynamic ARP inspection, VLAN ACLs


Apr 11 / Greg

Bridging all VLANs Into/Through A VMware ESXi VM

Recently I was assisting with a Preseem server configuration. These boxes want to be bridged in the traffic path. If you want to do this in an ESXi VM, this can be a little obtuse.

First create two new virtual switches.


Next add a single physical NIC to each virtual switch.


Edit each virtual switch and under security, enable all of the things.


Next, add a port group to each virtual switch.


Here’s the secret sauce. Edit the port groups and set the VLAN to 4095!

As per this VMware link, setting the VLAN to 4095 instructs the vSwitch to pass all VLANs through unmolested. Of course the switch or router ports on either end need to be trunking all the VLANs you want to move across this connection.

Inside the VM you will need to configure a bridge interface and add both NICs to it; the traffic will then flow through the VM.

Good luck, and happy bridging 😉

Apr 7 / thebrotherswisp

TheBrothersWISP MUM USA 2019



This is recorded from a random conference room at the US MUM, which we get kicked out of after 10 minutes…LOL. Enjoy what’s there 🙂

This cast we talk about:
Stuff at the MUM, duh.


Apr 4 / thebrotherswisp

Mikrotik ROS V7 BGP CCR Performance – Leaked Video!



Greg Sowell, Justin Miller, and Justin Wilson get a live demo of 6 BGP peers loading on a CCR1016 running a build version of RouterOS version 7.
We give all the details we have on the inner workings of the new engine.

3.5 million routes in around 3 minutes and the UI didn’t bat an eye. Per table memory utilization is about 145MB.


Here’s the video: (if you don’t see it, hit refresh)

Apr 4 / Greg

Accessing Geolocked Content The Easy Way With Mikrotik – MUM 2019 Presentation

This is a virtual light switch to turn routing rules on and off on a Mikrotik. My example here lets me route my Roku through a remote VPN and then easily turn that off again. This lets me reach remote geolocked streaming video as well as local geolocked content.

Here’s the presentation:

Here’s my lab configuration:

Here’s the HTML for the “on/off” buttons:

<html>
<head>
</head>
<body>

<div style="width:50%">
<form action="http://4.4.4.1:85">
    <input type="submit" value="VPN Off" />
</form>
<form action="http://4.4.4.2:85">
    <input type="submit" value="VPN On" />
</form>
</div>

</body>
</html>

Here’s the USA Mikrotik:

/interface pptp-server server
set enabled=yes
/ip address
add address=100.64.0.1/30 interface=ether1 network=100.64.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=100.64.0.2
/ppp secret
add local-address=4.4.4.3 name=roku password=rokupassword remote-address=4.4.4.4
/system identity
set name=USA

Here’s the AUS Mikrotik:

/interface bridge
add name=loop1
/interface pptp-client
add connect-to=100.64.0.1 disabled=no name=pptp-usa password=rokupassword user=roku
/ip address
add address=100.64.1.1/30 interface=ether2 network=100.64.1.0
add address=192.168.10.1/24 interface=ether1 network=192.168.10.0
add address=4.4.4.1 interface=loop1 network=4.4.4.1
add address=4.4.4.2 interface=loop1 network=4.4.4.2
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether5
/ip firewall filter
add action=drop chain=input comment="tunnel off" dst-address=4.4.4.1 src-address-list=tunnel-off
add action=drop chain=input comment="tunnel on" dst-address=4.4.4.2 src-address-list=tunnel-on
add action=add-dst-to-address-list address-list=tunnel-off address-list-timeout=6s chain=input \
    comment="tunnel off" dst-address=4.4.4.1 protocol=tcp
add action=add-dst-to-address-list address-list=tunnel-on address-list-timeout=6s chain=input \
    comment="tunnel on" dst-address=4.4.4.2 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=pptp-usa
/ip route
add distance=1 gateway=4.4.4.3 routing-mark=roku
add distance=1 gateway=100.64.1.2
/ip route rule
add action=lookup-only-in-table disabled=yes src-address=192.168.10.100/32 table=roku
/system identity
set name=AUS
/tool netwatch
add comment="turn off" down-script="/ip route rule set 0 dis=yes" host=4.4.4.1 interval=5s
add comment="turn on" down-script="/ip route rule set 0 dis=no" host=4.4.4.2 interval=5s

Apr 1 / Greg

ASR9000/IOS-XR OSPF Fun With MTU

I’m going to start by saying IOS-XR has some pretty cool features, I mean just look at the addition of “commit”. It does, however, have some quirks that can confound you, especially when you are migrating from one architecture over to the ASR9000 series. In particular, I’m going to look at the OSPF implementation.

Here’s a sample config:

router ospf 10
 log adjacency changes detail
 router-id 1.1.1.1
 nsf cisco
 auto-cost reference-bandwidth 10000
 default-information originate route-policy cond_ospf_default
 redistribute connected metric-type 2
 redistribute static route-policy static-ospf
 area 0
  interface Loopback0
  !
  interface TenGigE0/0/0/4
   network point-to-point
  !
  interface TenGigE0/0/0/5
   network point-to-point
  !
 !
 area 0.2.0.2
  interface TenGigE0/0/0/6
   authentication message-digest
   message-digest-key 10 md5 tacos
   network point-to-point
  !
 !
 area 0.2.0.3
  interface TenGigE0/0/0/7
   authentication message-digest
   message-digest-key 10 md5 tacos
   network point-to-point
  !
  interface TenGigE0/0/0/8
   authentication message-digest
   message-digest-key 10 md5 tacos
   network point-to-point
  !
 !
!

Looking at the config above you can see we’ve done away with network statements in favor of simply enabling the process on an interface, which is nice. This avoids a network command accidentally covering interfaces you didn’t intend.

You can also see that I’ve enabled authentication per interface rather than per area, which means you can be more granular with passwords.

I’ve also set the network type per interface right here in the process instead of under the interface configuration itself. This means all OSPF configuration is done from the process, so there is a single place to view all OSPF configuration, which I really like.

Normal OSPF behavior is that once communication begins and peers start exchanging DBDs, OSPF sends these packets at the maximum MTU configured on the interface. This means that if you have an MTU mismatch between OSPF neighbors, they won’t be able to properly exchange OSPF information, and the neighborship will fail. I mention all of this because ASR9000s have a quirk with the configured MTU. Note my interface configurations below:

Cisco 7606:

TenGigabitEthernet1/7 is up, line protocol is up (connected)
  Hardware is C6k 10000Mb 802.3, address is 0019.07a8.4500 (bia 0019.07a8.4500)
  Description: [ to ASR9000 ]
  Internet address is 2.2.2.2/30
  MTU 1524 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 2/255, rxload 1/255

Cisco ASR9006:

TenGigE0/0/0/4 is up, line protocol is up
  Interface state transitions: 1
  Dampening enabled: penalty 0, not suppressed
    half-life:        1        reuse:             750
    suppress:         2000     max-suppress-time: 4
    restart-penalty:  0
  Hardware is TenGigE, address is 78ba.f906.3cc4 (bia 78ba.f906.3cc4)
  Layer 1 Transport Mode is LAN
  Description: [ to 7606 ]
  Internet address is 2.2.2.1/30
  MTU 1524 bytes, BW 10000000 Kbit (Max: 10000000 Kbit)
     reliability 255/255, txload 0/255, rxload 2/255

Note that both interfaces show an MTU of 1524. The problem is that there is actually an MTU mismatch!
Here’s the Cisco doc on IOS-XR MTU. If I were to run an OSPF debug between these peers, I would see that my ASR9000’s MTU is 14 bytes less than my standard 7600’s. The Layer 2 header without any dot1q information is 14 bytes, and the standard ASR9000 configuration doesn’t account for it the way most other Cisco devices do. So how do you fix the issue? Increase the ASR9000 MTU by 14 bytes:

Cisco ASR9000:

interface ten0/0/0/4
mtu 1538
commit
!
RP/0/RSP0/CPU0:asr9000#show int te0/0/0/4
TenGigE0/0/0/4 is up, line protocol is up
  Interface state transitions: 1
  Dampening enabled: penalty 0, not suppressed
    half-life:        1        reuse:             750
    suppress:         2000     max-suppress-time: 4
    restart-penalty:  0
  Hardware is TenGigE, address is 78ba.f906.3cc4 (bia 78ba.f906.3cc4)
  Layer 1 Transport Mode is LAN
  Description: [ to 7606 ]
  Internet address is 2.2.2.1/30
  MTU 1538 bytes, BW 10000000 Kbit (Max: 10000000 Kbit)

So even though the MTU now shows 1538, the OSPF neighbors establish on this link with the following configuration:
7600 MTU 1524
ASR MTU 1538
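To make the mismatch concrete, here is a small Python model (added here, not from the original post or either router) of the RFC 2328 Database Description MTU check, using the numbers above: the 7606 advertises 1524 in its DBDs, while an IOS-XR interface with mtu 1524 has only 1510 bytes left for IP once the 14-byte Ethernet header is subtracted. The packet encoding follows the RFC header layout; the 14-byte rule is this post’s observation, coded as an assumption in xr_ip_mtu.

```python
import struct
import ipaddress

L2_HEADER_BYTES = 14  # untagged Ethernet header that IOS-XR folds into its interface "mtu" (assumption from the post)
OSPF_HEADER_FMT = "!BBH4s4sHHQ"  # version, type, length, router-id, area-id, checksum, autype, auth
DBD_FMT = "!HBBI"                 # interface MTU, options, flags, DD sequence number

def xr_ip_mtu(configured_mtu):
    """IP MTU that an IOS-XR interface really offers: the configured value minus the L2 header."""
    return configured_mtu - L2_HEADER_BYTES

def ospf_checksum(packet):
    """Standard ones'-complement checksum over the OSPF packet, excluding the 64-bit auth field."""
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dbd(router_id, area_id, interface_mtu, dd_seq=1, flags=0x07, options=0x02):
    """Build an OSPFv2 Database Description packet (type 2) with null authentication."""
    body = struct.pack(DBD_FMT, interface_mtu, options, flags, dd_seq)
    rid = ipaddress.IPv4Address(router_id).packed
    aid = ipaddress.IPv4Address(area_id).packed
    pkt = struct.pack(OSPF_HEADER_FMT, 2, 2, 24 + len(body), rid, aid, 0, 0, 0) + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]  # checksum sits at offset 12

def parse_dbd(packet):
    """Return the DBD fields; raise ValueError on wrong version/type, bad length or bad checksum."""
    version, ptype, length, rid, aid, csum, autype, _auth = struct.unpack(OSPF_HEADER_FMT, packet[:24])
    if version != 2 or ptype != 2 or length != len(packet):
        raise ValueError("not an OSPFv2 Database Description packet")
    if autype == 0 and ospf_checksum(packet[:12] + b"\x00\x00" + packet[14:]) != csum:
        raise ValueError("bad OSPF checksum")
    mtu, options, flags, dd_seq = struct.unpack(DBD_FMT, packet[24:32])
    return {"router_id": str(ipaddress.IPv4Address(rid)), "area_id": str(ipaddress.IPv4Address(aid)),
            "interface_mtu": mtu, "options": options, "flags": flags, "dd_seq": dd_seq}

def accept_dbd(packet, local_ip_mtu):
    """RFC 2328 10.6: a DBD whose Interface MTU exceeds our IP MTU is dropped, so the neighbor
    never leaves ExStart. Returns (accepted, neighbor_mtu)."""
    neighbor_mtu = parse_dbd(packet)["interface_mtu"]
    return neighbor_mtu <= local_ip_mtu, neighbor_mtu
```

The check is one-directional: the 7606 happily accepts the ASR9000’s smaller DBD, but the ASR9000 rejecting the 7606’s 1524-byte one is enough to keep the adjacency from forming until the XR side is raised to 1538.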

Just another interesting twist you need to account for when connecting kit to your IOS-XR gear.

Thanks and let me know what you think in the comments below!