Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    FNEWS_PUBLISH    |    I think it's just the Fidonews ezine only    |    1,536 messages    |
|    Message 1,240 of 1,536    |
|    FidoNews Robot to All    |
|    FidoNews 42:19 [01/07]: General Articles    |
|    12 May 25 02:58:49    |
MSGID: 2:2/2.0 10488836
REPLY: 2:2/2.0 10488835
CHRS: CP850 2

=================================================================
                        GENERAL ARTICLES
=================================================================

Configuring my own fiberglass modem/router part 2
By Michiel van der Vlist, 2:280/5555

Part 1 was about installing and registering my own Optical Network
Terminator (ONT). This part will be about installing and configuring
my own router.

My choice fell on the Mikrotik hEX. It is a no-nonsense router. No
fancy enclosure, no flashing GUI. But it is very powerful. It is
aimed at the professional user. Almost anything is configurable and
it is relatively cheap. While the ONT has the potential for 10 Gbps
and the fiber company has an option for 8 Gbps, the Mikrotik hEX is
limited to 1 Gbps. So I won't use the full potential of the fiber
connection. No problem, my LAN is designed for 1 Gbps and my contract
with the provider is 500/500 Mbps. So for now the router will not be
the bottleneck. Who needs more than 1 Gbps? Not me anyway, not for
now.

The price for all these goodies is a steep learning curve. Its OS,
RouterOS, is based on Linux. For Windows users most of the
configuration is counterintuitive. And much of it for Linux users as
well I guess. Getting started is quite a challenge. Mikrotik is
European which in these times of world-wide turmoil has its merits
for a European like me...

So I connected the ethernet port of the ONT to the WAN port of the
Mikrotik and my laptop to the router's first LAN port and I tried to
access its GUI to start the configuration. I was unable to. The GUI
should be accessible at 192.168.88.1 but no response. The laptop did
not even get an address in the range 192.168.88.xx. Hmm...
So maybe it does nothing without an "upstream" connection. For an
upstream connection via the ONT it needs VLAN 100 and to configure
that I need access to the router's GUI. So let me connect it to the
LAN of my cable connection. I connected the WAN interface of the
Mikrotik - or what I thought was the WAN port - to a LAN port of the
modem/router of my cable connection. Still nothing on 192.168.88.xx.
But... my laptop got an IP in the range from the cable connection's
LAN. Hmmm...
So let's look into the config of the cable modem/router to see if the
Mikrotik got an address in that range. And it had! So I tried to
access the Mikrotik's GUI at that address and Bingo! I was in.

I got a log in screen and to my surprise I did not need a password.
The second surprise came with the first screen after log in. The
device has two modes. Router and switch. It was in switch mode! That
explains a lot. What remains unexplained is how it got there in the
first place.
Never mind, let's move on. I put it in router mode and configured
192.168.88.xx as the addresses to use for the LAN. After a restart I
could address it at 192.168.88.1. While exploring the device I found
how to update the firmware. It was delivered with RouterOS 6.xx
which by default did not support IPv6. For IPv6 one had to add a
"package". Hmmm... Looking a bit further revealed that there was
RouterOS 7.xx and that included IPv6 by default. So I upgraded to
RouterOS 7.18.2, the latest version.

I configured VLAN 100 and reconnected to the ONT. Still no IP from
Delta, the fiberglass provider. I checked and checked again but could
find nothing that could explain why I did not get an IP from the
provider. Further trial and error revealed that the GUI was accessible
via the LAN port. THAT I didn't like.
I could find nothing in the config to block that and I found it
strange that the default configuration allowed it. All that made me
decide to follow the procedure for resetting the device to the
default configuration. Remove the power, press the reset button and
hold it while restoring the power until one of the green lights
starts flashing. Sounds easy but you need three hands for that. It
took more than one attempt to get it right. After the first attempts
the VLAN did not disappear but at the fourth attempt the VLAN was
gone and I could no longer access the GUI from the WAN port. So I
figured this time I really had the default configuration. I
reconfigured the VLAN but still no IP from the provider. It was at
this point that I actually configured VLAN 100 on my laptop, directly
connected it to the ONT and got an IP from the provider.

Now we get to the steep learning curve of RouterOS. In Windows it is
enough to configure a VLAN. Windows presumes that if you configure a
VLAN for an interface that you actually want to use it to make a
connection with it. Not so with Mikrotik. After getting some help on
a Mikrotik forum I found out that in addition to just configuring a
VLAN for the port used as WAN, you also have to configure a DHCP
client and add the interface created for the VLAN to the WAN list.
And THEN finally I got an IPv4 address from the provider. Wow!

So now I had outgoing IPv4 on the devices connected to the LAN. I
could make outgoing binkp connections. Configuring a port forward
seemed easy. But that didn't work. I wasn't really surprised, almost
nothing with Mikrotik seems to work at the first go.

OK, let's try something else. Let's activate IPv6. Contrary to what I
encountered so far that was relatively easy.
Or maybe I already got used to the peculiarities of RouterOS. First
we have to configure a DHCPv6 client for the VLAN interface. Specify
what you want to request, address, prefix or info. I specified both
address and prefix. The address turned out to be not needed, but it
didn't hurt for now. For the prefix size specify the prefix size that
the provider issues, 56 in my case. Specify a pool name, any name
will do but something logical like the name of the provider can be
handy. Specify nothing for the address hint and voila, you get a
prefix from the provider.
So we now have a prefix. What is next? Ask for an address range for
the subnet where our LAN will be. So we go ask for an address for the
interface "bridge" that is our local LAN. Ask for a ::/64 from the
pool that we defined in the previous step and leave the rest as
default. And the first /64 from the /56 that we got before is assigned
to the LAN. IPv6 capable devices on the LAN now automatically get a
global IPv6 address. So far so good. But... no access to the IPv6 part
of the Internet. And there it is: another Mikrotik thing. It turned
out that one needs to click on "add default route" when configuring
the DHCPv6 client for the VLAN interface. No idea why this isn't set
by default like "Use peer DNS" and "Rapid Commit", but that's
Mikrotik. Anyway, we now have outgoing IPv6.

OK, back to IPv4. Why does the port forwarding not work? Not only does
the port forwarding not work, I could not even reach the binkp server
from the local LAN using the local IPv4 addresses. It seems to be
totally isolated for incoming, even locally. I asked for suggestions
in a Mikrotik forum and posted my config there. None of the Mikrotik
gurus could find anything wrong with it. But I got a few suggestions.
One of them was the Windows firewall of the PC running the servers.
My first reaction was: "of course not. This system has been running
for a very long time and so has the port forwarding." But I checked
anyway. Yes, binkp was in the rules of the Windows firewall. So I
decided on some more tests. I could not access my binkp server from
my laptop that was on the same LAN. What about it being connected on
the same port of the router via an extra switch? It was also
inaccessible. That seemed impossible because in that case it didn't
even go through the router. So what about the client running on the
same PC as my binkp system? I still had 280/5556 installed on the
same system. So I fired that up. And lo and behold, 280/5556 could
connect to 280/5555. Now I wasn't so sure anymore that the problem
was not in the Windows firewall. So I turned it around. Let me see if
I can make a connection when I configure my point 1 on the laptop as
the server. And, yes I could.

At this point I should mention that I kept my connection with the
cable company and that I installed a second network card for the
connection with the fiber boys. I already mentioned this in part 1 but
the reader may have forgotten. As I did. Sort of...

So I looked at the configuration of the Windows firewall once more and
then it suddenly hit me. While there is only one setting for the list
of programs that are allowed access, there are actually two networks.
One associated with each interface. For each network there is a
setting that defines it as a home network or a public network. And the
second network, the one for the fiber connection was configured as a
public network. I have no idea how this happened and how long it had
been that way.
Well, I was moaning about RouterOS having its peculiarities, we all
know that Windows has some strange ideas of its own too. Anyway, when
I changed the setting from public network to home network the problem
was solved and port forwarding worked as expected.

The IPv6 pinhole for port 24554 was not a problem. Except for the fact
that a rule added with the Mikrotik's GUI puts it on the bottom of the
list of rules and the order is relevant. The original last line was a
rule that rejects "all else that does not come from the LAN" and so
the new rule had no effect. But there is no way to influence where in
the list the new rule comes when entering it with the GUI. That
problem was solved when I discovered that when displaying the list one
can grab a line with the mouse and drag it to another place in the
list. So I moved that last line one place up and that activated the
pinhole for port 24554.

Now there was one thing left. The internet communication between the
router and the ONT goes via interface VLAN 100. The physical interface
ether1 is configured by default to have a DHCP client and it is added
to the WAN list. That is not needed in this setup. But there still is
one little thing that I wanted to add. I mentioned in part 1 that the
ONT has a GUI that can be accessed by connecting a PC or laptop
configured with a fixed IP of 192.168.100.xx to the ethernet port. But
that ethernet port is now connected to the WAN port of the router.
What I wanted was to make the ONT accessible via the router. That
turned out to be easy. I added a fixed address of 192.168.100.10 to
the interface "ether1". It was already on the WAN list. The DHCP
client associated with it was no longer needed, so I disabled that.
After that I could indeed access the ONT's GUI by browsing to
192.168.100.1 from any PC on the LAN.
That was easy. It seems I am getting a little bit familiar with
RouterOS.

My Fidonet system is now reachable via both providers. IPv4 and IPv6.
The IPv4 address starting with 83 and the IPv6 address starting with
2001.1c02 are from the cable provider. (Ziggo) The IPv4 address
starting with 81 and the IPv6 address starting with 2001.4c3c are from
the fiberglass provider. (Delta) Feel free to try it.

That completes the installation and configuration of my own ONT and
router for my fiberglass connection. For now of course. On a Fidonet
system there is always room for further tuning and experiments. But
for now I will leave it as is.

-----------------------------------------------------------------

--- Azure/NewsPrep 3.0
 * Origin: Home of the Fidonews (2:2/2.0)
SEEN-BY: 2/2 10/0 1 103/705 105/81 124/5016 128/187 154/30 110 203/0
SEEN-BY: 203/2 124 412 218/0 1 700 221/0 226/30 227/114 229/110 114
SEEN-BY: 229/426 428 470 700 705 230/0 240/1120 5832 280/464 5003
SEEN-BY: 280/5555 291/111 292/8125 301/1 320/219 341/66 234 423/81
SEEN-BY: 423/120 467/888 712/848 902/26 5020/400
PATH: 2/2 203/0 280/464 103/705 218/700 229/426
|
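Added example, not part of the FidoNews article and not the author's configuration: a small first-match model of the rule-order problem described for the IPv6 pinhole, showing why a pinhole appended below the "drop all else not from LAN" rule never fires and what moving it above that rule changes. The names Rule, verdict, never_reached and insert_before_blocker are made up for this sketch, and the model only looks at protocol, destination port and incoming interface list.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # None = any protocol
    dst_port: Optional[int] = None   # None = any port
    in_list: Optional[str] = None    # "LAN", "!LAN" (anything but LAN), None = any
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        if self.protocol not in (None, pkt["protocol"]):
            return False
        if self.dst_port not in (None, pkt["dst_port"]):
            return False
        if self.in_list is None:
            return True
        if self.in_list.startswith("!"):
            return pkt["in_list"] != self.in_list[1:]
        return pkt["in_list"] == self.in_list

def verdict(chain, pkt, default="accept"):
    """First matching rule decides; rules below it are never consulted."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.action, index
    return default, None   # assumption of this model: unmatched traffic passes

def never_reached(chain, pkt):
    """Indices of rules that match pkt but sit below the rule that decides it."""
    _, decided_at = verdict(chain, pkt)
    if decided_at is None:
        return []
    return [i for i, r in enumerate(chain) if i > decided_at and r.matches(pkt)]

def insert_before_blocker(chain, rule, pkt):
    """Place rule directly above whichever rule currently decides pkt."""
    _, decided_at = verdict(chain, pkt)
    position = len(chain) if decided_at is None else decided_at
    return chain[:position] + [rule] + chain[position:]

# Constructed sample data (not the author's exported configuration).
DROP_NOT_LAN = Rule("drop", in_list="!LAN", comment="drop all else not from LAN")
PINHOLE = Rule("accept", protocol="tcp", dst_port=24554, comment="binkp pinhole")
BINKP_FROM_WAN = {"protocol": "tcp", "dst_port": 24554, "in_list": "WAN"}
TELNET_FROM_WAN = {"protocol": "tcp", "dst_port": 23, "in_list": "WAN"}

appended = [DROP_NOT_LAN, PINHOLE]    # what adding the rule in the GUI produced
reordered = insert_before_blocker([DROP_NOT_LAN], PINHOLE, BINKP_FROM_WAN)

if __name__ == "__main__":
    print("appended :", verdict(appended, BINKP_FROM_WAN), never_reached(appended, BINKP_FROM_WAN))
    print("reordered:", verdict(reordered, BINKP_FROM_WAN), verdict(reordered, TELNET_FROM_WAN))
```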
(c) 1994, bbs@darkrealms.ca