Mikrotik with Bridged Spark VDSL - traceroute missing first two hops

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Mikrotik with Bridged Spark VDSL - traceroute missing first two hops

1 | 2 | 3

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2059838 21-Jul-2018 10:54

cyril7:

Just as an example, my MT here at home on Spark UFB has a MTU of 1480 on the pppoe interface, this was set by the MT which is infact a routeros default for pppoe.

Cyril

Despite recent changes MTU negotiation is still broken in RouterOS IMHO.

You should force this to 1500 as Spark support full 1500 byte MTU via PPPoE.

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

cyril7

9050 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2059856 21-Jul-2018 11:17

Hi, no you mention it I do recall reading that this is now supported, just upped the phy and vlan10 somewhat and then pppoe to 1500, all going

Cyril

MadEngineer

4224 posts

Uber Geek

Trusted

#2059911 21-Jul-2018 12:59

sfrasernz:

IPv6 - I'm not sure I follow sorry. I'm only using IPv4 on the network.

I know this all sounds crazy. If I wasn't sitting here losing my hair I wouldn't believe me either.

I've have another Windows machine with Wifi and its exhibiting same symptoms as the other devices. So I've got one Windows machine working perfectly on wifi and another 4 devices (Windows, iPhone and Mibox) that don't.

On the non-working Windows box I can access Google and even YouTube. Like the other devices I'm unable to browse other websites but can successfully ping them. Telnet will open a connection on port 80 to any website.

I'm going to revert to how everything was before I started and will report back.

I was wondering if your mikrotik is serving IPv6 yet you don't have a properly working IPv6 connection.

You're not on Atlantis anymore, Duncan Idaho.

MadEngineer

4224 posts

Uber Geek

Trusted

#2059915 21-Jul-2018 13:03

if you haven't already reverted everything, is dns working on the mikrotik from terminal? Care to post your configuration (> /export)?

sfrasernz:

Windows is picking up the following DNS servers:

10.0.0.2
122.56.237.1
210.55.111.1

On the MT under DNS there are two dynamic servers (being the last two in the list above).

Do I need to setup forwarding somewhere? I've had a look around and haven't found anything specific.

seeing that you're using the router as the dns server, you need to allow remote requests, AFTER ensuring your firewall rules are correct.

You're not on Atlantis anymore, Duncan Idaho.

sfrasernz

226 posts

Master Geek

#2059962 21-Jul-2018 13:56

Thanks for the input. I really appreciate it.

Here is the current config:

interface bridge
add admin-mac=B8:69:F4:01:CE:51 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=pppoe-out1 password=password use-peer-dns=yes user=user@spark.co.nz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name=dmz ranges=10.0.0.10-10.0.0.50
add name=data ranges=10.0.10.100-10.0.10.200
add name=voice ranges=10.0.20.100-10.0.20.200
add name=cctv ranges=10.0.30.100-10.0.30.200

/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.2 netmask=24
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1

/ip dhcp-server
add address-pool=dmz disabled=no interface=bridge name=defconf
add address-pool=data authoritative=yes disabled=no interface=bridge lease-time=1w name=data relay=10.0.10.1
add address-pool=voice authoritative=yes disabled=no interface=bridge lease-time=1w name=voice relay=10.0.20.1
add address-pool=cctv authoritative=yes disabled=no interface=bridge lease-time=1w name=cctv relay=10.0.30.1

/ppp profile
set *0 change-tcp-mss=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.0.0.2/24 comment=defconf interface=ether2 network=10.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.2 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=10.0.0.0/16 gateway=10.0.0.1
/system clock
set time-zone-name=Pacific/Auckland
/system logging
add disabled=yes topics=pppoe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

cyril7

9050 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2059969 21-Jul-2018 14:27

Hi the firewall rules are generic and should work but try changing the Nat outbound interface to the pppoe interface

Cyril

RunningMan

8882 posts

Uber Geek

#2059980 21-Jul-2018 15:13

Do you need that DHCP client on ether1 as well?

hashbrown

463 posts

Ultimate Geek

#2059981 21-Jul-2018 15:19

sfrasernz:

/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=pppoe-out1 password=password use-peer-dns=yes user=user@spark.co.nz

Agree this is looking like a MTU issue.

I'd suggest adding the following to your pppoe-client interface config.

max-mru=1492 max-mtu=1492

MadEngineer

4224 posts

Uber Geek

Trusted

#2060018 21-Jul-2018 15:30

/ip route
add distance=1 dst-address=10.0.0.0/16 gateway=10.0.0.1

???

You're not on Atlantis anymore, Duncan Idaho.

MadEngineer

4224 posts

Uber Geek

Trusted

#2060024 21-Jul-2018 15:42

Also, don't set an IP address to an interface that's part of a bridge. Rather add the IP address to the bridge directly.

(
add bridge=bridge comment=defconf interface=ether2

/ip address
add address=10.0.0.2/24 comment=defconf interface=ether2 network=10.0.0.0
)

Should be:
/ip address
add address=10.0.0.2/24 comment=defconf interface=bridge network=10.0.0.0

You're not on Atlantis anymore, Duncan Idaho.

sfrasernz

226 posts

Master Geek

#2060241 22-Jul-2018 08:59

Thanks for the feedback guys. I've modified the MTU but made no difference. Also tried to double-nat the two routers but didn't get too far because I can't get a static route from the hg659 back to the MT. I'm going to put this to rest for now.

I expect when I connect the MT to the Spark UFB and follow murfys instructions it'll be good to go.

cyril7

9050 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2060294 22-Jul-2018 09:10

Hi, it will most definitely work as I have setup several on Spark VDSL with both bridge behind a Huawei and with a Metnoia vdsl sfp module, and never had an issue.

Why not for now, just do a config reset (if its a hex device, hold in reset button while applying power, as soon as usr led starts to flash release, other devices see the website) and leave it as that, then setup a pppoe on interface1 as usual, see how that goes, then start moving the lan networks.

Cyril

sfrasernz

226 posts

Master Geek

#2060326 22-Jul-2018 10:04

Good idea. I'll let you know how I get on this afternoon. Thnanks

BarTender

3588 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2060330 22-Jul-2018 10:08

Just a heads up your first hop to the BNG won't respond to pings / traceroute. That's by design of the BNG config. So at least one hop won't respond or give you a very high TTL which is meaningless as the BNG.

If the end point you are trying to ping / traceroute to responds in the time you expect then you're fine.

sfrasernz

226 posts

Master Geek

#2060399 22-Jul-2018 13:31

cyril7:

Why not for now, just do a config reset (if its a hex device, hold in reset button while applying power, as soon as usr led starts to flash release, other devices see the website) and leave it as that, then setup a pppoe on interface1 as usual, see how that goes, then start moving the lan networks.

Cyril

Legend! A full reset and starting from scratch has done the trick. PPPoE MTU still reports an actual of 1480 but it's working. Vlans and DHCP scopes are working as well. Phew. Config looks pretty much the same as before *except* these two lines are not in the working config:

/ppp profile
set *0 change-tcp-mss=no

I guess I could add them back to see what happens but I'd rather not :-)

1 | 2 | 3