Hello, I'm hoping that someone here might have run into a similar issue and might be able to offer me some pointers.
I have a customer that I am providing redundant paths to, one link over a microwave connection, and a backup link over a Comcast Business Class connection. Everything on the microwave link is working fine. On the Comcast connection, I have a static IP from Comcast, and I want to set up a vendor-specific GRE tunnel (Mikrotik EoIP) from my NOC to the Comcast static IP address. It looks like the SPI firewall inside the SMC gateway required by Comcast is blocking the GRE packets; I'm basing this on the fact that when I power cycle the modem, I get one ICMP packet through the GRE tunnel while the modem is booting up, then it stops again. I have gotten to Tier 2 support, who swear that all firewalls on the SMC gateway are disabled.
As a workaround, I was able to establish a PPTP tunnel to my NOC; however, it seems like the tunnel will only run for a few hours, then becomes slow to the point of being unusable. In my mind this would be no different than setting up a permanent VPN back to a corporate office, which I would think happens all the time, so I'm not sure why I'm running into issues with it.
Anyone with insights or comments would be appreciated.
Thanks, Nate Burke
I have GRE tunnels and L2TP tunnels over those Comcast boxes. L2TP is less hassle because it handles NAT, but you can do GRE instead -- just make sure you assign yourself a public static IP.
First, go into the gateway and make sure all firewalls are disabled (it has a web GUI).
Second, if it's the Comcast SMC 4-port "gateway" thing I think it is, the device is somewhat retarded. You plug into the switch and pull DHCP, and you get a NATed address and it routes.
You can plug into the same switch and set a static IP on your device (internet public IP), and it will work without NAT, assuming your account has a static IP.
Set said static IP on your Mikrotik box and it should pass end-to-end without drops.
Was working on the same reply as Paul. You assign your static to your Mikrotik box and check the box in the web GUI (default is http://10.1.10.1) to "Disable Firewall for True Static IP Subnet Only" on the firewall tab. -Jon
Thanks for all the replies. I have all the firewalls disabled on the SMC modem, with my static IP set on the Mikrotik. The PPTP tunnel came up and ran just fine when I configured it; it was working great when I left the office last night, but this morning it was running very slow. I just set up an IPIP tunnel and did my EoIP tunnel over that, and it came right up; we'll see if it's still working in a few hours. Nate
Good luck. My experience with GRE over Comcast Business was a *nightmare*. The web interface seems like it has a random roll to corrupt the firewall config when doing any GRE config, and you must get Level 2 support to fix it each time using an L2-only CLI. -Blake
The best thing to do is supply your own GRE router and have the Comcast gateway operate as a dumb, simple Ethernet bridge. Owen
On 07/26/2011 11:45 AM, Jon Bane wrote:
On Tue, Jul 26, 2011 at 11:38 AM, PC <paul4004@gmail.com> wrote:
... Was working on the same reply as Paul. You assign your static to your Mikrotik box and check the box in the web GUI (default is http://10.1.10.1) to "Disable Firewall for True Static IP Subnet Only" on the firewall tab.
-Jon
Also make sure that Smart Packet Detection is turned off... (that affects most services and slows things down at best). It is a checkbox right under the above one. -- Pete
I needed fast, reliable internet access at home, so I have Comcast Business Class for fast and Raw Bandwidth DSL for reliable. I have my own ARIN direct assignments for my internal networks and I have routers in a couple of colos where I get my true upstream connectivity.
I run a Juniper router here at home and in one of the colos. In the other colo, I use the datacenter's router to terminate the tunnels. I use GRE tunnels to both colos across both Comcast and Raw Bandwidth and run BGP to my house (small router), feeding default to the house and getting the local prefixes (192.159.10.0/24, 192.124.40.0/23, 2620:0:930::/48) advertised upstream to the colo routers.
The colo routers are full-feed BGP speakers.
My Comcast gateway is running in straight L2 bridge mode, so there is no issue there. When Comcast changes my IP address, things get very slow until I can reconfigure the tunnel end-points. Raw Bandwidth provides me with a static address.
I'm not doing any NAT and the GRE tunnels carry all of my actual traffic. The Comcast and Raw Bandwidth internet feeds are used only to provide L2 transport for the GRE tunnels.
This allows me to do convenient, cost-effective multihoming without NAT at home using commodity internet access.
Owen
I also have pretty much the exact same setup and it works very well for me.
On Jul 26, 2011, at 11:07:37 AM, Nate Burke wrote:
I had to make the LAN end of the tunnel the "DMZ host" (under Firewall settings on my SMC). --Steve Bellovin, https://www.cs.columbia.edu/~smb
On Tue, 26 Jul 2011 10:07:37 -0500, Nate Burke wrote:
Hello, I'm hoping that someone here might have run into a similar issue and might be able to offer me some pointers. ...
Anyone with insights or comments would be appreciated.
Mikrotik EoIP is not following standards; it is just their own hack, so it is very possible that some SPI in Comcast is breaking it. Additionally, some Mikrotik versions don't even work properly with their own EoIP, plus it has fragmentation issues. Fragmentation issues usually appear on large transfers, such as "stalling" sessions. I wrote my own implementation of Mikrotik EoIP for Linux, so I know what I am talking about; also in the same code I wrote an alternative tunnel that has much less overhead than EoIP (compression + packet aggregation), but sure, you need Linux on both sides. I can recommend you try OpenVPN if you are "Mikrotik only". At least it doesn't have the fragmentation issues that IPIP/GRE/PPTP have, and also it will run smoothly over NAT/SPI. Cons: it is a bit more laggy, because it runs over TCP.
--- System administrator Denys Fedoryshchenko Virtual ISP S.A.L.
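The fragmentation point above, worked through as an added example (this is not code from the thread or from Mikrotik): it computes how much outer-header overhead GRE, IPIP and EoIP add, the largest inner packet that still fits a 1500-byte uplink, the TCP MSS to clamp to, and how many IPv4 fragments a full-size packet turns into, including the EoIP-inside-IPIP stacking Nate tried. Header sizes for IPv4, IPIP and GRE are the standard ones; the 42-byte EoIP figure (outer IPv4 + 8-byte tunnel header + bridged Ethernet header) is an assumption based on the commonly cited EoIP overhead.

```python
import math

IPV4_HDR = 20
TCP_HDR = 20

# Bytes each encapsulation adds around the packet it carries.
# ipip: one extra IPv4 header. gre: IPv4 + 4-byte GRE header (RFC 2784),
# gre-key: IPv4 + GRE with the key field. eoip (assumption, see lead-in):
# IPv4 + 8-byte Mikrotik tunnel header + 14-byte Ethernet header of the
# bridged frame, i.e. the commonly cited 42 bytes.
OVERHEAD = {
    "ipip": IPV4_HDR,
    "gre": IPV4_HDR + 4,
    "gre-key": IPV4_HDR + 8,
    "eoip": IPV4_HDR + 8 + 14,
}


def stack_overhead(stack):
    """Total bytes added by a list of encapsulations, innermost first."""
    return sum(OVERHEAD[layer] for layer in stack)


def inner_mtu(uplink_mtu, stack):
    """Largest inner IP packet that leaves the uplink without fragmenting."""
    return uplink_mtu - stack_overhead(stack)


def tcp_mss_clamp(uplink_mtu, stack):
    """MSS to clamp on the tunnel so TCP never emits an oversized segment."""
    return inner_mtu(uplink_mtu, stack) - IPV4_HDR - TCP_HDR


def outer_fragments(inner_len, uplink_mtu, stack):
    """IPv4 fragments the outermost packet is split into on the uplink.

    Every fragment but the last must carry a multiple of 8 data bytes,
    so each one holds floor((mtu - 20) / 8) * 8 bytes of payload.
    """
    outer_len = inner_len + stack_overhead(stack)
    if outer_len <= uplink_mtu:
        return 1
    data_len = outer_len - IPV4_HDR
    per_fragment = ((uplink_mtu - IPV4_HDR) // 8) * 8
    return math.ceil(data_len / per_fragment)


def report(uplink_mtu, stack, inner_len=1500):
    """Summary for one tunnel stack carrying an inner packet of inner_len."""
    return {
        "stack": "+".join(stack),
        "overhead": stack_overhead(stack),
        "inner_mtu": inner_mtu(uplink_mtu, stack),
        "mss_clamp": tcp_mss_clamp(uplink_mtu, stack),
        "fragments_for_full_packet": outer_fragments(inner_len, uplink_mtu, stack),
    }


if __name__ == "__main__":
    # Constructed cases: plain GRE, EoIP alone, and EoIP carried inside IPIP,
    # all over a 1500-byte uplink MTU with a full 1500-byte inner packet.
    for stack in (["gre"], ["eoip"], ["eoip", "ipip"]):
        print(report(1500, stack))
```

Only the first fragment carries the GRE header, so a stateful firewall or NAT that does not reassemble before inspecting drops the rest; small pings pass while large transfers stall, which matches the symptom described in the thread.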
On Wed, Jul 27, 2011 at 12:17:16PM +0300, Denys Fedoryshchenko wrote:
I can recommend you to try to use openvpn, if you are "Mikrotik only". At least it doesn't have fragmentation issues, as IPIP/GRE/PPTP has, and also it will run smoothly over NAT/SPI. Cons, that it is a bit more laggy, because it runs over TCP.
Au contraire, OpenVPN only runs over TCP if you explicitly tell it to; default configuration, and widespread practice, is to run it over UDP. - Matt
On Wed, 27 Jul 2011 19:23:33 +1000, Matthew Palmer wrote:
On Wed, Jul 27, 2011 at 12:17:16PM +0300, Denys Fedoryshchenko wrote:
I can recommend you try OpenVPN if you are "Mikrotik only". At least it doesn't have the fragmentation issues that IPIP/GRE/PPTP have, and also it will run smoothly over NAT/SPI. Cons: it is a bit more laggy, because it runs over TCP.
Au contraire, OpenVPN only runs over TCP if you explicitly tell it to; default configuration, and widespread practice, is to run it over UDP.
- Matt
On Linux, yes, the default configuration is UDP, but in the current case, on Mikrotik, it works _only_ in TCP mode, and has a few more limitations. http://forum.mikrotik.com/viewtopic.php?f=1&t=20537
--- System administrator Denys Fedoryshchenko Virtual ISP S.A.L.
WT*F*? I've never understood the appeal of Microtik, and now I understand it even less. - Matt
On Wed, 27 Jul 2011 20:15:16 +1000, Matthew Palmer wrote:
WT*F*? I've never understood the appeal of Microtik, and now I understand it even less.
- Matt
Well, it is luring people because it has an easy GUI and it is cheap. Even a noob can set up a VPN in a few clicks. At the same time they have hidden bugs that can cause packet loss, session stalling, improper UDP NAT handling, and lack of proper interoperability. Maybe the discussed issue lies not in Comcast, but in some Mikrotik bug. --- System administrator Denys Fedoryshchenko Virtual ISP S.A.L.
WT*F*? I've never understood the appeal of Microtik, and now I understand it even less.
The software is... quirky, at times, but some of their hardware, especially on the very low-end, is hard to beat. For instance, they make a SOHO router with five Gigabit Ethernet ports for $70, which has point-and-click access to MPLS, DHCP (server and client), a few different flavors of VPN including IPSec, and a bunch of other stuff. It even supports BGP, though you're not going to do very much with that system's 32MB RAM. If you really wanted, you could buy the hardware then re-flash it with something else; the CPU on this particular system is a MIPS 24K, and there's probably other embedded Linux/*BSD distributions that would work well enough. David Smith MVN.net
We're evaluating a good spread of Mikrotik products as well, both for wireless APs and general routers. Almost worked out all the features (some features have names that conflict with other vendors, or operate unlike you expect them to), but for the price, even of their higher-end ones (RB1100, online for $399), it has 13 GE ports, and appears to be able to route traffic at faster speeds than I can get a competitor (Cisco/Juniper) box for. We used the built-in speed test (iperf) and got 970 Mbit (and about 70% CPU usage) between two RB1100s (connected by a single routed gigabit connection) and about 1.4 Gbit to a local address on the box, which isn't probably a fair throughput test, but is a good test of where the CPU maxes out, since there doesn't appear to be any ASIC-level forwarding unless you are switching layer 2 traffic. For the price, I'm impressed; also the operating temperature range being so wide lets us put them in places we couldn't (supportably) put a Cisco or Juniper low-end (or high-end) box, since we have some remotes where we need to go down to -10C or so. Walter Keen Network Engineer Rainier Connect (P) 360-832-4024 (C) 253-302-0194
On Wed, 27 Jul 2011 10:15:04 -0500, David E. Smith wrote:
WT*F*? I've never understood the appeal of Microtik, and now I understand it even less.
The software is... quirky, at times, but some of their hardware, especially on the very low-end, is hard to beat.
For instance, they make a SOHO router with five Gigabit Ethernet ports for $70, which has point-and-click access to MPLS, DHCP (server and client), a few different flavors of VPN including IPSec, and a bunch of other stuff. It even supports BGP, though you're not going to do very much with that system's 32MB RAM.
If you really wanted, you could buy the hardware then re-flash it with something else; the CPU on this particular system is a MIPS 24K, and there's probably other embedded Linux/*BSD distributions that would work well enough.
David Smith MVN.net
I guess vendors are just not interested.
D-Link DIR-600, here in Lebanon $30. Zyxel Keenetic also similar price. Only one problem: Mikrotik has 32 MB flash, and those have 8 MB. My friend is developing firmware for this platform (RT3050/3052, Wive-RTNL project) and can put almost any software there; it is an open-source project. As a benefit, this Ralink platform has hardware wirespeed (100 Mbit) NAT offload on the RT3052, and the guy was able to make it work even on the 3050 (even though officially it is not supported there). Technically it is possible to run gigabit there even, but current vendors do not produce such products. I think on cheap platforms they have wirespeed gigabit only on switching functions, but the rest will suck. Their top products can do more, but they still cannot beat a PC with Linux. RB1100, $400 for 150 Kpps with NAT and 300 Kpps without, is not that good. The only major and important difference in "schematics" from routers that can be reflashed is flash size and sometimes RAM. 64 Mbit SPI flash is $2.12, and Mikrotik these days uses 512 Mbit NAND, $7.01. Also they have nice circuits for variable power, with a DC-DC converter, but nothing unusual or innovative like Cisco or others have. Before, they had some funny circuit with a Xilinx FPGA to run NOR flash over SPI. Note: DD-WRT on RT305x sucks. Their wireless support is incomplete, and no NAT offload. --- System administrator Denys Fedoryshchenko Virtual ISP S.A.L.
On Jul 27, 2011, at 5:05 PM, Denys Fedoryshchenko wrote:
On Wed, 27 Jul 2011 10:15:04 -0500, David E. Smith wrote:
<snip>
I think on cheap platforms, they have wirespeed gigabit only on switching functions, but rest will suck. Their top products can do more, but they are still cannot beat PC with Linux. RB1100, $400 for 150 Kpps with NAT and 300 Kpps without, it is not that good.
The Atheros AR7161 system on a chip can run as fast as 800 MHz, has dual gig-E MACs and supports 32-bit 66 MHz PCI operation, and when coupled with a companion Ethernet switch it can result in a fairly hefty little router platform. An example of one would be the RouterBOARD 433AH or Ubiquiti RouterStation Pro. BOM and flexibility are going to ultimately determine cost, but these are substantially more powerful than a lot of smaller embedded platforms we've been using, including Geode/Elan based PC devices.
participants (13): Blake Dunlap, chris, David E. Smith, Denys Fedoryshchenko, Joel Jaeggli, Jon Bane, Matthew Palmer, Nate Burke, Owen DeLong, PC, Pete Carah, Steven Bellovin, Walter Keen