Posts for year 2016

Weeeee – nbnco HFC and a new ISP!

A few weeks ago we received a nice little letter from nbnco, advising that we would soon be able to get an HFC connection installed.

I was disappointed to discover that Internode was not going to offer either static IPv4 or an IPv6 service, let alone their Professional pack, with NBN connections, and cast around for another ISP. Word of mouth got me to Skymesh and guinea pig status (since they haven't formally started accepting HFC connections).

Since we're quite happy with the functionality of the Mikrotik CRS109-8G-1S-2HnD-IN, I declined purchasing a new modem; the nbnco installer provided the Blessed Arris cable modem and all I needed then was for the connection to be activated.

Once it was, I very quickly reconfigured the mtik to do what I needed. Since Skymesh is using IPoE, I disabled the pppoe client activity. I also needed to change my firewall rules a little, to reflect that actions should be occurring on a different physical port (which I had to remember to take out of the bridge). Finally, a bunch of mucking around with IPv6 address assignment got me to the point where traceroute6.net was able to ping my server's designated public address. Yay!

While Skymesh doesn't offer PTR records, I'm still able to get A, AAAA, CNAME and MX records set up, courtesy of the free service at https://www.dynu.com.

Now that we're back up and running with a shiny new connection, I'm really pleased to see that http://beta.speedtest.net/result/5894030060 is pretty much what we get for both uploads and downloads on wired connections. Last week I celebrated that by having an hour-long video chat with a colleague down in Melbourne. With the 720p camera in my mbp, over the wireless connection. No dropouts, no blockiness :-)

I need to set up Smokeping, and see about a few other analytics things I can get going, but in general it's been a seamless transition.







Success! Mikrotik and IPv6 config

I recently took delivery of a Mikrotik Cloud Router Switch (CRS109-8G-1S-2HnD-IN), purchased via their Australian distributor Duxtel, which happens to be a sponsor of SAGE-Au.

I'd been thinking for a while about putting my modem into pure bridge mode and using something smarter to do routing and firewall duties, and with the addition of some new networking kit to our home environment, now was the time to make it happen.

Our existing AP is another Mikrotik unit, the 5-port RB951G-2HnD (also purchased via Duxtel), and we've been really happy with its performance sitting in the loungeroom under the tv. Ok, when I say "we" I mean "me" because it's been absolutely rock solid and very high performance. That makes for a happy userbase.

Back to the new kit. The first thing I did was to set up the pppoe client (easy) running on port ether1. Then I proceeded to port mapping, so that my public services (like the one you're reading this on) were appropriately mapped to my dmz host. Certain useful firewall rules were added, and then I tried to get IPv6 set up, and managed to muck things up. Boo.

I'm not exactly sure what I got wrong, but it took me until just a few days ago to get it right. In that time I've read quite a few blog and forum posts, all of which helped me get to the right place. I don't recall specifically whether any one was more useful than another, so I'll just offer a general thank you to everybody who posted in any form about their problems and solutions.

Here's my solution.

Firstly, I've got a bridge comprising all the ports except ether1, named allports-1. Secondly, I run the IPv6 DHCP client on the virtual interface for the pppoe connection (node-pppoe). It is not asking for an address, only a prefix delegation (request=prefix in the export); until I turned off asking for an address as well, I couldn't get the client to bind. The delegation feeds my local pool: the client sends a prefix hint of ::/64 and the pool hands out /64s. (I get a /56 from Internode, which I think is more than I'm ever going to need, even if I IoT all the things under this roof.)

Thirdly, while I could run an IPv6 DHCP server on one of my Solaris systems, I choose not to, using the Mikrotik's server instead. In the export below it is bound to the allports-1 bridge (the ND prefix is advertised on ether2-master), serving out of the local pool.

Fourth, addresses. It was this bit which caused me all the grief. In the config which now works, I have assigned an address to my bridge allports-1 and an address to my gateway port ether1. The address I assigned to ether1 is in fact that of my /56 from Internode.

Finally, firewalling. I'm using the standard set of rules here; accept icmpv6 and https, drop telnet. A few things in the exported rules deserve a second look before anyone copies them. In the IPv4 input chain, the rule "chain=input connection-state=established,related,new" has no in-interface match and there is no final drop, so every service the router itself listens on (SSH, Winbox, the API, and DNS, since allow-remote-requests=yes) is reachable from the PPPoE side; only TCP/23 is dropped. In the IPv6 filter there is no established/related rule, and "port=443" matches either the source or the destination port, so a LAN-initiated IPv6 connection only gets its replies back when one end is port 443 (ICMPv6 echo replies and Packet Too Big messages from outside are dropped in the forward chain too), while a remote host sending from source port 443 passes the accept rules and can reach the router or any LAN host on any port. The last forward rule (log tcp/9876) sits after the unconditional drop of everything arriving on node-pppoe and never matches. "/ip settings accept-redirects=yes accept-source-route=yes" and "/ipv6 settings accept-router-advertisements=yes" appear in the export precisely because they differ from the defaults; on an internet-facing router that gets its IPv6 default route from the DHCPv6 client, both IPv4 settings should be left at no and RAs need not be trusted at all.

Other notes

I've found the serial console to be indispensable, especially since I managed to muck up the IPv4 routing a few times. The ability to send sniffed packets to a different system for capture using Wireshark is incredibly useful (/tool sniffer with streaming-enabled=yes wraps each captured frame in TZSP and sends it to the host named in streaming-server). Just remember that your Wireshark session needs to listen on UDP port 37008, which it decodes as TZSP without any further setup.

Here's the config export; I hope it's useful to you:

/interface bridge
add name=allports-1 protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=sfp1 ] disabled=yes master-port=ether2-master

/interface wireless
set [ find default-name=wlan1 ] disabled=yes

/interface pppoe-client
add add-default-route=yes default-route-distance=1 disabled=no interface=ether1 keepalive-timeout=disabled name=node-pppoe password=YOURPASSWORD service-name=node \
    use-peer-dns=yes user=YOURUSERNAME

/ip neighbor discovery
set ether1 discover=no

/interface ethernet switch
set use-cvid-in-one2one-vlan-lookup=no

/ipv6 dhcp-server
add address-pool=localpool interface=allports-1 name=localserver

/interface bridge port
add bridge=allports-1 interface=ether2-master
add comment=defconf interface=wlan1
add bridge=allports-1 interface=ether3
add bridge=allports-1 interface=ether5
add bridge=allports-1 interface=ether6
add bridge=allports-1 interface=ether7
add bridge=allports-1 interface=ether8
add bridge=allports-1 interface=ether4

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

/ip settings
set accept-redirects=yes accept-source-route=yes

/ipv6 settings
set accept-router-advertisements=yes


/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=drop chain=input dst-port=23 in-interface=all-ppp log=yes log-prefix=drop23- protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related,new in-interface=!all-ppp
add chain=input connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=fasttrack-connection chain=input in-interface=!all-ppp
add chain=forward connection-state=established,related,new
add chain=forward in-interface=!all-ppp

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 protocol=tcp to-addresses=DMZHOST to-ports=25
add action=dst-nat chain=dstnat dst-port=53 in-interface=all-ppp protocol=udp to-addresses=DMZHOST to-ports=53
add action=dst-nat chain=dstnat dst-port=443 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=80
add action=masquerade chain=srcnat out-interface=node-pppoe

/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=ether2-master pref-src=192.168.1.2
add distance=1 dst-address=192.168.10.0/24 gateway=allports-1
add distance=1 dst-address=192.168.10.0/24 gateway=ether2-master

/ipv6 address
add address=2001:44b8:2188:f001:: from-pool=localpool interface=allports-1
add address=2001:44b8:2188:f000:: from-pool=localpool interface=ether1

/ipv6 dhcp-client
add add-default-route=yes interface=node-pppoe pool-name=localpool prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=drop chain=forward dst-port=23 in-interface=node-pppoe protocol=tcp
add chain=input port=443 protocol=udp
add chain=forward port=443 protocol=udp
add chain=input port=443 protocol=tcp
add chain=forward port=443 protocol=tcp
add action=drop chain=forward in-interface=node-pppoe
add chain=input in-interface=node-pppoe protocol=icmpv6
add chain=input dst-port=546 in-interface=node-pppoe protocol=udp
add action=drop chain=input in-interface=node-pppoe
add action=drop chain=input in-interface=ether1
add chain=forward in-interface=node-pppoe log=yes port=9876 protocol=tcp

/ipv6 nd
set [ find default=yes ] advertise-dns=yes hop-limit=64 managed-address-configuration=yes mtu=9000 other-configuration=yes ra-lifetime=10m reachable-time=10s \
    retransmit-interval=10s

/ipv6 nd prefix
add interface=ether2-master

/system clock
set time-zone-name=Australia/Brisbane

/system ntp client
set enabled=yes primary-ntp=202.81.208.160 secondary-ntp=119.148.81.6
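A tighter rule set for the same interfaces, offered here as an added example rather than as the author's exported config: it keeps the behaviour the post wants (ICMPv6, HTTPS to the DMZ host, DHCPv6-PD, no telnet) but makes both filters connection-tracked and default-deny on the WAN side. It assumes the router is only ever managed from the LAN, and DMZHOST6 is a placeholder for the DMZ host's global IPv6 address in the same way that DMZHOST is the export's placeholder for its IPv4 address. These rules replace the /ip firewall filter and /ipv6 firewall filter sections above rather than being appended to them; RouterOS evaluates rules in order, so the export's early unconditional accepts would otherwise still win.

```routeros
# Added example, not the exported config: default-deny on the WAN side, connection
# tracked, for the page's interfaces (node-pppoe = WAN, allports-1 = LAN bridge).
# DMZHOST / DMZHOST6 are placeholders for the DMZ host's IPv4 / global IPv6 address.

/ip settings
set accept-redirects=no accept-source-route=no

/ipv6 settings
# the DHCPv6 client installs the default route, so the router need not trust RAs
set accept-router-advertisements=yes-if-forwarding-disabled

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=all-ppp protocol=icmp action=accept
add chain=input in-interface=allports-1 action=accept comment="management and DNS from the LAN only"
add chain=input action=drop log=yes log-prefix=v4in-drop-
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=all-ppp connection-nat-state=dstnat action=accept comment="only the dst-natted ports reach DMZHOST"
add chain=forward in-interface=allports-1 action=accept
add chain=forward action=drop log=yes log-prefix=v4fwd-drop-

/ip firewall nat
# the exported tcp/25 redirect has no in-interface, so LAN hosts' outbound SMTP is
# sent to DMZHOST too; limit it to the WAN side like the other redirects
set [ find chain=dstnat dst-port=25 ] in-interface=all-ppp

/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept comment="NDP and RA need this"
add chain=input in-interface=node-pppoe protocol=udp dst-port=546 action=accept comment="DHCPv6-PD replies"
add chain=input in-interface=allports-1 action=accept
add chain=input action=drop log=yes log-prefix=v6in-drop-
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept comment="echo replies and Packet Too Big must reach LAN hosts"
add chain=forward in-interface=node-pppoe protocol=tcp dst-address=DMZHOST6/128 dst-port=443 action=accept
add chain=forward in-interface=allports-1 action=accept
add chain=forward action=drop log=yes log-prefix=v6fwd-drop-
```

Apply it from the serial console or inside /system safe-mode so a slip does not lock you out of the router. Afterwards, /ip firewall filter print stats and /ipv6 firewall filter print stats should show the established,related rules accumulating almost all of the packets, and a probe from outside that sets its source port to 443 (for example nc -p 443 against the router's or a LAN host's IPv6 address) should now be logged with the v6in-drop- or v6fwd-drop- prefix instead of connecting.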

In a while, once work has quietened down a bit, I'm going to play around with mac-address based VLANs. Because they seem cool, and a really neat thing. Who knows, they might even be useful someday!