Split a FTTP Connection between businesses

You may not have to use your switch after all. The RB3011 has 10 ethernet ports. Don't however buy from end point shops, buy from suppliers or Europe because the prices of hardware in the UK have doubled.

I've heard rumours of vdsl/adsl SFP modules and mikrotik sells GPON SFP modules.

Using a layer 3 switch would work to easily provide the link but you forgot about the QoS I talked about. However using a layer 3 switch will allow inter routing such as for sharing servers much faster than a router. You could also filter the connection with a router as well.

If you use something like Mikrotik you don't actually need to use your own router as a router, you could use the RouterOS interface capability to make it work as both your router and the edgerouter. However you still need to apply a passive vlan to your interface and your interface would also be assigned one of the IPs separate from the router's IP. You can do this for other clients so no routers are needed but it is better for them to use their routers to control their own network.
 
I've had a look and the RB1100AHx2 is £327 inc VAT, this off of Amazon and a few others.

I'll keep it as they use their own routers as they need to be able to set up their own port forwarding/DMZ/VPNs etc for their allocated IP, plus they will need wireless too so may as well buy a consumer grade router with wireless, i.e. the Asus I have - damn good router in its class.

Most of the businesses won't even have a server tbh. We have 2, 1 for redundancy, the other for AD, SQL and file. We use a Synology for data storage and a few other bits. Most of them will just have a few Windows client PCs, not even domain joined.

They just want on board due to the slow 200k download speed and less upload, jeez they're gonna be shocked when they have 10mb each way - not gonna know what's hit 'em [emoji23]

So edgerouter = public facing router.

The rb1100 can do qos?
 
All mikrotik routerboards use the same routerOS with minor differences usually in packages and switch.

The RB1100AHx2 can do QoS however the RB3011 has SFP if you plan to use it. The RB3011 has 2Gb/s per switch to CPU unlike other routers that only have 1 Gb/s per switch to CPU but the RB1100AHx2 has 3 ports that directly connect to CPU.

You configure the router with the IP block and route. You can use the DHCP server to assign those IP addresses to them via VLANs (make sure to use a binding so you give them a static IP assigned dynamically and it authenticates them via MAC address). You can also use the DNS and NTP server as a cache and as they are. If you look in the routers thread I have an example config that works well for securing the router but you might want to also block the blacklist in the forward chain as well. If you use the DHCP server with binding they will only have to use dynamic IP for their WAN config.

You only need to NAT your own vlan interface and run another DHCP instance on your vlan to assign LAN IP addresses to your own devices. You can still use your own router behind it if you want. Don't forget to leave a port free for management. Under the firewall rules you only need to deny input except for the management interface (and for DNS and NTP coming from LAN and external server).

fasttrack is not an option as you will be doing QoS.
 
The RB1100AHx2 can do QoS however the RB3011 has SFP if you plan to use it. The RB3011 has 2Gb/s per switch to CPU unlike other routers that only have 1 Gb/s per switch to CPU but the RB1100AHx2 has 3 ports that directly connect to CPU.
All Mikrotik routers can do QoS. The main difference is how fast they can process. The RB1100AHx2 actually only has a single port directly connected to the CPU, port 11. Avoid using ports 12 and 13 due to the fact that they are connected through a PCI-e bus.


You only need to NAT your own vlan interface and run another DHCP instance on your vlan to assign LAN IP addresses to your own devices. You can still use your own router behind it if you want. Don't forget to leave a port free for management. Under the firewall rules you only need to deny input except for the management interface (and for DNS and NTP coming from LAN and external server).
Once more, I strongly suggest treating this router as a distinct entity and treating your own network topology wise as one of the tenants. NAT need not be enabled at all.

So edgerouter = public facing router.
Both the tenant and edge routers are public facing.
The difference is the edge is where the control goes off to a different entity.
The tenant routers need to pass through the edge first before they can hit the WAN.
 
Question:
Could you check with your tech team the type of IP addresses that are allocated. Are they /29 or /30?
Answer back:
The ones we supply you with will be /30, however we can request /30 and would do that using the RIPE form

With the initial setup we are allocated 2 x IP addresses, to which we will apply for more.
Obviously my question was very vague to them, what do I really need to ask? I'm going to be teaching myself subnetting over the next couple of weeks to understand the /28 /29 /30 in depth, as at present I'm only used to a standard ADSL connection DHCP assigned by the ISP and a single internal subnet.

Ok, let's back up a step... the ISP is being a bit of a smart-a** by saying here's a few /30 addresses - most folks when they see CIDR, unless they live/breathe networking, it's a bit obtuse compared to here's your IP (range)/Gateway/Netmask, but CIDR basically says the same thing, just in a different way...

1) ISP is providing a Cisco 891 Router - this has at least four ports on the customer facing side (some have more than that depending on options)

2) ISP is providing multiple /30 addresses - allocate one per tenant - this will go into a tenant side router/Router-AP (whatever they decide) - the /30's give them one usable public facing address, and some interesting things for broadcast, but basically, to protect the tenants, give them the one public /30, and they can NAT behind that

3) Don't need to do fancy VLANs, whatever, the 891 is doing that for you already - you'll have 4 hot connections, independent of each other on the 891 - just run ethernet to a drop in the tenant location.

----- ISP ----> 891 <----> PublicIP/Tenant <-(n+1 connections)--> their end-point, I recommend a router there - the only time you might need a switch behind the 891 is if the IP's are more than the number of available ports on the 891...

Keep it simple... lowest cost and less headaches.
 
Ok, let's back up a step... the ISP is being a bit of a smart-a** by saying here's a few /30 addresses - most folks when they see CIDR, unless they live/breathe networking, it's a bit obtuse compared to here's your IP (range)/Gateway/Netmask, but CIDR basically says the same thing, just in a different way...

BTW - not saying anything bad against ISP - seems likely they're pretty clued in - the short fall for them perhaps, is that they're assuming the really smart person on the other end (who doesn't speak CIDR or their level) understands them. Not everyone does this on a day-to-day basis...
 
Thanks.

The ISPs forget that they are dealing here with SMBs, we can't afford an IT department, even external contractors, where to be quite frank we were in this route before I joined the company and had issue after issue, them not fully understanding requirements etc etc.

As this may and probably will exceed 4 businesses I would rather go for the mikrotik than the Cisco so we don't get into a now we've got to buy more hardware situation.

We will have our current ADSL connection running concurrently in the first instance so will take the plunge and learn as I go, I've learnt Active Directory, software deployment, group policy, DFS, etc etc in a year or so, how hard can it be [emoji51]

I'm sure you'll see me pop up again in 45ish days [emoji23]

Thanks very much for your help and guidance, the thread is more than likely going to be my most visited site over the coming months.
 
You can always ask me for help with firewall on mikrotik.
In terms of performance for the suggested routerboards, in
Routing:
CCR1009
RB3011
RB1100AHx2
RB2011
Firewall/VPN:
CCR1009 (hardware IPSEC, AES)
RB1100AHx2 (hardware IPSEC)
RB3011
RB2011

In terms of architecture the CCR1009 has 5 ethernet ports connected to a switch, the rest CPU connected; the RB1100AHx2 has 2 switch chips each connected to 5 ports, 1 CPU connected port, 2 CPU connected ports via PCI-X (this doesn't matter unless you are doing IPSEC, in which case those ports should be avoided if you refer to the wiki for acceleration)

Since you are going to use the RB1100AHx2 I suggest using ports 1-10 for tenants and yourself, port 11 for WAN, ports 12 or 13 for management. Use passive vlans and don't assign any master/slave ports to do segmentation. This will take care of your layer 1 and 2 segmentation and just allow inter routing without going through WAN. I also suggest you look at the block diagram to understand more. Essentially you want the switch chips in there not to do any work. You could assign vlans from the switch chip but then you won't be able to use them in QoS.

Under your simple queues you can create a global or simple one and apply the rate you want. For example if you have 10 tenants including yourself set the minimum to 9.5Mb/s and the maximum to 98Mb/s per direction. Use a queue algorithm like bfifo without any packet buffers so there will be no delays. If the link between you and your ISP is 100Mb/s on physical (not the allocated) then you will have to lower the max to 90Mb/s and lower the minimum to 9Mb/s.

If you use the DNS server you still will need to define an external one such as Google's or even your ISP's if they have one, but it will let you cache entries (8-16MB suggested) and make it faster, allowing your tenants' devices to all directly use it instead of having their routers cache, so it can reduce some load on your tenants' routers. DHCP server with MAC bindings will give a static IP and add more security but without bindings it will be a dynamic IP like any other ISP (both setups will use the dynamic IP config on the routers).

If you are confirmed with your internet and what device you want to get then getting your device early will let you tinker around with it to learn more first. In some areas you may not find competent or fair ISPs, so you would have to resort to the more difficult method. Some things can be done on the routerboard to reduce the load on the routers that will be behind it, so the less work you give them the better, but they still need to have their own routers so they control their own network. Mikrotik Winbox works on layer 2 as well and if you aren't using IPv6 on your router disable the package. The management interface won't require an IP address for Winbox.

fasttrack/fastpath should be avoided as they will not follow your QoS

Edit: I also just noticed that your subnet is /30 which is 4 IP addresses. This means aside from the router itself you can only have 3 others with a public IP address. How you wish to manage this is up to you or you can request more from your ISP which may increase the cost. Double NAT is fine but it means using things like UPnP and port forwarding for your tenants if they request, so it will increase admin work.

You could still use routes and not give the router an IP address to get 4 tenants with a public IP but there will be some layer 2 trickery and complications. For example in my case my ISP does NAT but I need inter routing so I use layer 2 to hijack specific packets and make them use my router as the gateway for routing despite my network clients being configured to use my ISP's gateway. The complication is done in my router so my network clients won't need any configuration.
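The per-tenant provisioning this post and the earlier DHCP-binding post describe (an IP block and route per tenant, a DHCP lease bound to the tenant router's MAC, a simple queue per tenant, and the switch chips kept out of the segmentation), as an added example; this is not the poster's configuration and not MikroTik's own code. It is a Python script that generates the RouterOS commands from a tenant list and refuses to emit anything if a block is not a real /30 network number, if two blocks overlap, or if a MAC is malformed. Assumptions: each tenant is patched into a dedicated routerboard port (ether2, ether3 and so on, as the post suggests), optionally tagged with a VLAN on that port; your router takes the first usable address of each /30 as the gateway and the tenant's router is handed the second through a static-only DHCP lease, so only the bound MAC can obtain it; an interface list named TENANTS is created for use in firewall rules. The 203.0.113.0/24 blocks and the MACs are constructed sample values, the rates are the post's 9.5/98 Mb/s example, and the queue type is left at the RouterOS default rather than the bfifo setting the post mentions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Colon-separated MAC, the form RouterOS prints (constructed validation pattern)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Tenant:
    name: str                 # short label used in RouterOS object names (assumed unique)
    block: str                # the /30 the ISP routes to you for this tenant
    port: str                 # routerboard port the tenant's drop is patched into
    mac: str                  # WAN MAC of the tenant's router, for the static lease
    vlan_id: Optional[int] = None  # set to tag the port instead of using it untagged


def render_tenant(t: Tenant, limit_at: str, max_limit: str) -> list[str]:
    """RouterOS commands for one tenant. Our router takes the first usable address of
    the /30 as gateway; the tenant's router gets the second via a static-only DHCP
    lease, so a device with any other MAC is refused an address."""
    net = ipaddress.ip_network(t.block)  # strict: '203.0.113.9/30' is rejected, not a network number
    if net.prefixlen != 30:
        raise ValueError(f"{t.name}: expected a /30, got /{net.prefixlen}")
    if not MAC_RE.match(t.mac):
        raise ValueError(f"{t.name}: malformed MAC {t.mac!r}")
    gw, host = list(net.hosts())  # exactly two usable addresses in a /30
    iface = t.port
    lines = []
    if t.vlan_id is not None:
        iface = f"vlan-{t.name}"
        lines.append(f"/interface vlan add name={iface} vlan-id={t.vlan_id} interface={t.port}")
    lines += [
        f"/interface list member add list=TENANTS interface={iface}",
        f"/ip address add address={gw}/{net.prefixlen} interface={iface}",
        f"/ip dhcp-server add name=dhcp-{t.name} interface={iface} address-pool=static-only disabled=no",
        f"/ip dhcp-server network add address={net} gateway={gw} dns-server={gw} ntp-server={gw}",
        f"/ip dhcp-server lease add server=dhcp-{t.name} address={host} mac-address={t.mac.upper()}",
        f"/queue simple add name=q-{t.name} target={iface} limit-at={limit_at} max-limit={max_limit}",
    ]
    return lines


def render_all(tenants: list[Tenant], limit_at: str = "9500k/9500k",
               max_limit: str = "98M/98M") -> list[str]:
    """Whole-site script: check for overlapping blocks and duplicate names or MACs
    before emitting anything, then the interface list plus every tenant."""
    nets = [ipaddress.ip_network(t.block) for t in tenants]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"blocks overlap: {a} and {b}")
    for field in ("name", "mac"):
        seen = [getattr(t, field).lower() for t in tenants]
        if len(set(seen)) != len(seen):
            raise ValueError(f"duplicate tenant {field}")
    lines = ["/interface list add name=TENANTS"]
    for t in tenants:
        lines += render_tenant(t, limit_at, max_limit)
    return lines


if __name__ == "__main__":
    # Constructed sample tenants; addresses come from the 203.0.113.0/24 documentation range
    site = [
        Tenant("acme", "203.0.113.8/30", "ether2", "aa:bb:cc:dd:ee:01", vlan_id=101),
        Tenant("beta", "203.0.113.12/30", "ether3", "aa:bb:cc:dd:ee:02"),
    ]
    print("\n".join(render_all(site)))
```

The generated lines are meant to be pasted into the RouterOS terminal or a .rsc import; the TENANTS list is what the input-chain rules (accept DNS and NTP from tenants, drop everything else except management) can match on, and `address-pool=static-only` is the "binding" the posts refer to: there is no dynamic pool at all, so an unknown MAC on a tenant port gets nothing.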
 
Edit: I also just noticed that your subnet is /30 which is 4 IP addresses. This means aside from the router itself you can only have 3 others with a public IP address. How you wish to manage this is up to you or you can request more from your ISP which may increase the cost. Double NAT is fine but it means using things like UPnP and port forwarding for your tenants if they request, so it will increase admin work.
Why make things so insanely complicated? Pay a bit more money per month for more address blocks.
A /30 is 1 network address, 1 broadcast address, 1 gateway address and 1 single usable address.
 
A /30 is 1 network address, 1 broadcast address, 1 gateway address and 1 single usable address.

Reading back thru the thread - OP has multiple /30's... so he's got what he needs from the ISP, and his Cisco 891 already breaks them out - so cable up to the tenants office, give them a drop, and it's up to the tenant perhaps if they want to do more inside their office...
 
I also just noticed that your subnet is /30 which is 4 ip addresses. This means aside from the router itself you can only have 3 others with public ip address.

a /30 by itself results in a single usable address - this has been mentioned multiple times...
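The arithmetic behind the /30 exchange above, and behind the ISP's "routed IPs network number / mask / first host / last host" wording earlier in the thread, as an added example that is not part of any post. It is a small Python script using the standard-library ipaddress module: for a block given either as a prefix length or as a dotted mask it reports the network number, mask, broadcast, first and last host, and how many addresses remain for tenant routers once your own router holds the gateway address in that block; a second function totals that across several routed blocks and refuses overlapping allocations. The 203.0.113.x blocks are constructed sample values from the documentation range.

```python
import ipaddress


def prefix_summary(cidr: str) -> dict:
    """Describe one IPv4 block the way an ISP allocation sheet does: network number,
    mask, first and last host, plus what is left once your router takes the gateway.
    Accepts a prefix length ('203.0.113.8/30') or a dotted mask
    ('203.0.113.8/255.255.255.252'); a host address inside the block is normalised
    to the block's network number."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError(f"/{net.prefixlen} has no gateway-plus-host pair")
    hosts = list(net.hosts())  # every address except network and broadcast
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "after_gateway": len(hosts) - 1,  # one usable address is your router's
    }


def tenant_plan(blocks: list[str]) -> dict:
    """For every block the ISP routes to you, how many tenant routers can hold a
    public address in it, refusing allocations that overlap each other."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping blocks: {a} and {b}")
    per_block = {str(n): prefix_summary(str(n))["after_gateway"] for n in nets}
    return {"per_block": per_block, "total": sum(per_block.values())}


if __name__ == "__main__":
    # Constructed sample allocations from the 203.0.113.0/24 documentation range
    for cidr in ("203.0.113.8/30", "203.0.113.8/29", "203.0.113.0/28"):
        s = prefix_summary(cidr)
        print(f"{cidr}: {s['total']} addresses, {s['usable']} usable "
              f"({s['first_host']}..{s['last_host']}), {s['after_gateway']} left for tenants")
    print(tenant_plan(["203.0.113.8/30", "203.0.113.12/30", "203.0.113.16/29"]))
```

Feeding the ISP's network number and mask into prefix_summary gives back their "first host" and "last host" directly, which is a quick way to confirm the sheet is internally consistent before typing any of it into a router.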
 
Reading back thru the thread - OP has multiple /30's... so he's got what he needs from the ISP, and his Cisco 891 already breaks them out - so cable up to the tenants office, give them a drop, and it's up to the tenant perhaps if they want to do more inside their office...
Well OP mentioned that they don't have the 891. The ISP only offered it for a fee . . . possibly a very large initial and monthly fee. You also lose the ability to set your own QoS and limits.
Usually those are the biggest reasons a business gets its own router instead the ISP supplied/offered unit.

It could also be the OP just wanted a challenge . . .
 
UPDATE / Help Required:

So
After numerous issues along the way we finally have our FTTP connection on.

Now I am having issues with DNS resolution and just want to make sure its not my end before i get on the phone.

Current setup:
8 clients (windows 7) --> Windows server 2008 (domain controller,dns,dhcp) --> Asus N66u router ---> WAN

Local LAN is 192.168.23.255 subnet (think that's right)
DNS/DHCP server: 192.168.23.252
Gateway(router): 192.168.23.254

Now, although slow, we had no issues with PPPoe connection setup in the router.
I've now changed to static IP and plugged the new connection in.
Our ISP gave us the following:
WAN IP
WAN Subnet Mask
Default Gateway
Routed IPs network number
Routed IP mask
First Host (IP address)
Last host (IP Address)
2 x DNS server addresses

So, input IP, Gateway, DNS into router. Connection is up, speed about right, but, DNS is taking forever, if at all, to resolve.
I've tried Google DNS server also but doesn't improve. A ping from a client machine comes back in 1ms for the DNS servers.

I'm not really sure where to start to be honest. I'm convinced it has something to do with the DNS between the server and router but I'm just guessing.
I also have no clue what Routed IP network number,Routed IP mask, First Host, Last Host are for? Do i need to use these somewhere or are they for information purposes only?

Any help would be greatly appreciated. Many thanks
 
So your Windows Server 2008 does the DNS and DHCP? Make sure the router isn't doing DHCP in your case. Set the router to use your Windows server as the DNS server and if you were to do any DNS hijacking make sure that it is sent to the Windows server with the exclusion of hijacking from the Windows server itself. The problem is that some programs (like Google Chrome, mobile phones, TV boxes and such) are hard coded to use specific DNS servers; this can make it difficult when you're running a domain controller if there are specific things you specify locally.

Step by step check you can do is this:
In the Windows server make sure your DNS server is set to use Google or OpenDNS or some reliable DNS service.
Enable DNS forwarding (make sure Windows Firewall allows the DNS server to receive traffic from your DNS service, believe me I've had headaches trying to get services working from the internet).
In the router you will need RMerlin's firmware as you will need to use iptables for DNS hijacking.
First set the router to use your Windows server as DNS server.
Under iptables redirect traffic under NAT that uses TCP and UDP (from LAN) of destination port 53 except for the Windows server. (This rule can be tricky to do in 1 rule.)
Some consumer routers have the ability for DNS hijacking naturally but don't have the ability to exclude a host from this.

You may not need to do DNS hijacking but I would first check if your Windows server DNS server is capable of working first. There is a test you can run though: use one of your Windows clients and open a command prompt. Type in nslookup. Try a few domains like google.com and other websites to see if your DNS is working.
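The iptables step in the post above (redirect LAN port-53 traffic to the Windows DNS server, excluding the server itself), as an added example that is not the poster's rules and not part of the Merlin firmware. It is a Python script that emits the nat-table rules and then evaluates them against a few constructed packets, so you can see which traffic is rewritten and which is left alone before putting anything on the router. Assumptions: the LAN bridge is br0 (Merlin's usual name), the DNS server is the thread's 192.168.23.252, the other client addresses are constructed, and the tiny rule parser only understands the options the generator itself emits. The exclusion matters because the server's own forwarder queries leave on the same bridge: without `! -s`, they would be sent back to the server and never reach the upstream resolver.

```python
import ipaddress
import shlex
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    in_if: str   # interface the packet arrived on
    src: str     # source address
    proto: str   # "udp" or "tcp"
    dport: int   # destination port


def dns_redirect_rules(lan_if: str, dns_server: str, port: int = 53) -> list[str]:
    """nat/PREROUTING rules that DNAT every LAN DNS query to the internal DNS server,
    except queries sent by that server itself (its forwarder traffic must reach the
    upstream resolver rather than being looped back to it)."""
    ipaddress.ip_address(dns_server)  # raises ValueError on a malformed address
    return [
        f"iptables -t nat -A PREROUTING -i {lan_if} ! -s {dns_server} -p {proto} "
        f"--dport {port} -j DNAT --to-destination {dns_server}:{port}"
        for proto in ("udp", "tcp")
    ]


def dns_hairpin_rules(lan_if: str, dns_server: str, port: int = 53) -> list[str]:
    """Clients and the DNS server share one LAN, so the server's reply would go straight
    to the client with the server's own source address and the client would discard it
    as unrelated to the query it sent elsewhere. Masquerading the redirected flow on the
    way out makes the reply return via the router, which undoes both translations."""
    return [
        f"iptables -t nat -A POSTROUTING -o {lan_if} -d {dns_server} -p {proto} "
        f"--dport {port} -j MASQUERADE"
        for proto in ("udp", "tcp")
    ]


def _parse(rule: str) -> dict:
    """Read back the matches these rules use, so the exact text that would be
    deployed is what gets evaluated (only options emitted above are understood)."""
    toks = shlex.split(rule)
    m = {"negate_src": False}
    i = 0
    while i < len(toks):
        if toks[i] == "!":
            m["negate_src"] = True  # the generator only ever negates -s
        elif toks[i] in ("-t", "-A", "-i", "-s", "-p", "--dport", "-j", "--to-destination"):
            m[toks[i]] = toks[i + 1]
            i += 1
        i += 1
    return m


def evaluate(rules: list[str], pkt: Packet) -> Optional[str]:
    """Walk the PREROUTING rules in order; first match wins. Returns the DNAT target,
    or None when the packet is left untouched."""
    for rule in rules:
        m = _parse(rule)
        if m.get("-A") != "PREROUTING":
            continue
        src_hit = pkt.src == m["-s"]
        if m["negate_src"]:
            src_hit = not src_hit
        if (pkt.in_if == m["-i"] and src_hit and pkt.proto == m["-p"]
                and pkt.dport == int(m["--dport"])):
            return m["--to-destination"]
    return None


if __name__ == "__main__":
    # Constructed values: Merlin's LAN bridge br0 and the thread's DNS server address
    rules = dns_redirect_rules("br0", "192.168.23.252") + dns_hairpin_rules("br0", "192.168.23.252")
    print("\n".join(rules))
    for pkt in (Packet("br0", "192.168.23.10", "udp", 53),   # client query to an outside resolver
                Packet("br0", "192.168.23.252", "udp", 53),  # the server's own forwarding
                Packet("eth0", "203.0.113.10", "udp", 53)):  # arrives on the WAN side
        print(pkt, "->", evaluate(rules, pkt))
```

On Merlin these lines belong in a nat-start script so they survive a reboot; the two PREROUTING rules do the job the post calls "tricky in one rule", one per protocol, and the POSTROUTING pair is the part that is easy to forget when server and clients are on the same subnet.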
 
Thanks for the reply.

Had a delve earlier and have managed to find the issue but would still like your advice if the setup is the way it should be:

So the domain controller (Server 2008 R2) is just for local Active Directory, not public facing and only a basic tower server (Dell T110). DHCP and DNS had to be installed as a requirement (pre myself looking after it).

8 client PCs plus mobile devices --> server 2008 (dhcp and dns server) ---> router (gateway only, Dhcp disabled)

At present DNS requests go to the server, it is then setup as a forwarder to the router if no resolution can be made locally (this is where I found the issue that a couple of IPs were defined here, assuming by the guy that looked after the system many moons ago, that clearly did not work correctly. I have replaced with the router IP and it now works).

All our website/ email etc is hosted externally at present, although I will be bringing the website in house eventually (separate server).

Only external access is a VPN(server) and SSH for offsite backup using rsync. All other ports are closed.

So you were saying about hijacking, had a quick read and understand the bad side of this obviously, but why would this be done legitimately?

Nat is also turned on for the router wan connection.
 