A secure BGP routing infrastructure using RPKI

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at "Patrons Only" or higher tier

10 Gig SpeedTest server on an Intel NUC

Recently a client testing their 5G solution asked me for a way to test speed from their CBRS/5G/802.11ax clients. One of the requirements was that it had to support greater than 1 gig speedtests, as close to the devices as possible. This particular client has a small cell enclosure with room for a small form factor PC. The challenge was finding a small PC that could handle a 10 gig port.

In steps my buddy John from Columbus. John is more up on hardware than I am. After some discussion, we settled on the following two pieces of hardware.

https://www.amazon.com/NUC8i7BEH-Quad-Core-i7-8559U-Bluetooth-Thunderbolt/dp/B07JJPF8MV/

https://www.amazon.com/Sonnet-Technologies-Thunderbolt-10GBASE-T-SOLO10G-TB3/dp/B07BZRK8R8/

Intel NUC, Sonnet 10 Gig adapter, MikroTik hexS

Once this was assembled we needed a router for Internet access and DHCP. We chose a RouterBOARD hexS:
https://www.ispsupplies.com/MikroTik-RouterBOARD-RB760iGS

As a note, both of these will run off DC power. The NUC comes with a 19 volt power supply, so if you are running pure DC you may want to step down from, say, a 24 volt battery bank to 19 volts with a Mean Well converter.

The Software
Proxmox was installed on the NUC. Nothing crazy about this; just make sure the Thunderbolt adapter is plugged in during the install. For our purposes we are only using the 10 gig adapter. Proxmox recognizes it without a hiccup.

In some earlier blog posts I wrote about self-hosted speedtests:
https://blog.j2sw.com/networking/self-hosted-speed-test/
https://blog.j2sw.com/xisp/self-hosted-speedtest/ (Patreon Subscription Required)

I installed the self-hosted speedtest under a CentOS minimal install. Everything was put on a 172.16.x.x network. This was done to prevent conflicts with whatever type of Internet the MikroTik may be plugged into. By default, port 1 is set up as a DHCP client. In our setup the Internet is the bottleneck, but we are not testing the Internet; we are testing clients on the 5G/CBRS/802.11ax network. The 10 gig port on the NUC is plugged into a 10 gig switch at the small cell, not into the RouterBOARD. The RouterBOARD is just there to hand out DHCP and allow Internet access, if available.
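As an added example (this is not the post's own configuration), here is a RouterOS config for the hexS in the role just described: ether1 faces whatever Internet handoff is available and takes an address by DHCP, the other copper ports are bridged as the 172.16 LAN for the NUC's 1 gig port and any other gear at the small cell, and the router hands out DHCP and NATs to the upstream. The 172.16.10.0/24 subnet, the pool range and the interface names are my choices (the post only says 172.16.x.x); the syntax is standard RouterOS 6.4x.

```routeros
# Added example, not the post's configuration. Assumes a hexS on RouterOS 6.4x
# with ether1 = upstream Internet (DHCP client) and ether2-ether5 = LAN bridge.
# 172.16.10.0/24 is a constructed LAN subnet (the post only says 172.16.x.x).
# Start from a blank box ("/system reset-configuration no-defaults=yes") so the
# factory 192.168.88.0/24 setup cannot collide with anything below.

# LAN bridge with the four remaining copper ports
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

# Upstream: accept whatever address the Internet handoff gives us
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# LAN addressing, DHCP pool and DNS for the NUC and test gear
/ip address
add address=172.16.10.1/24 interface=bridge-lan
/ip pool
add name=pool-lan ranges=172.16.10.100-172.16.10.200
/ip dhcp-server
add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1
/ip dns
set allow-remote-requests=yes

# Hide the 172.16 LAN behind whatever address the upstream gave us
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# The upstream is untrusted (it is whatever this box gets plugged into):
# answer only the LAN, and drop unsolicited traffic arriving on ether1. That
# default deny is also what keeps the DNS cache from being an open resolver.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-lan action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="default deny, mainly for ether1"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-lan action=accept
add chain=forward action=drop comment="no inbound connections from upstream"

# Never ship it with the factory blank admin password
/user
set admin password="replace-me-before-deploying"
```

Paste this into the terminal of a freshly reset unit, then plug the NUC's 1 gig port into ether2 so its management interface lands on the 172.16.10 network; the NUC's 10 gig port goes to the small cell switch exactly as the post describes and never touches the hexS. If you use the hexS SFP port for the upstream instead of ether1, change the DHCP client, masquerade and comments accordingly.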


Why every ISP should be deploying hAP Lite to customers

This was originally posted at:
https://www.mtin.net/blog/why-every-isp-should-be-deploying-hap-lite-to-customers/

So MikroTik has a very cheap hAP lite coming out. This is a 4 port, 2.4 GHz 802.11b/g/n router/access point which retails for $21.95. Baltic Networks has pre-orders for $18.95.

Why should you deploy this little gem, and how? We have found over the years that routers account for more than half of the support issues. In some networks this number is closer to 80-90%, whether it be a substandard router, one with out-of-date firmware, or poor placement by the customer.

Deployment of the hAP lite can be approached in one of two ways. Both accomplish the same goal for the ISP: a device to test from that closely duplicates what the customer sees. Sure, you can run tests from most modern wireless CPE, but it's not the same as running tests from the customer side of the PoE.

Many ISPs offer a managed router service to their customers. Some charge a nominal monthly fee, while others include it in the service. This is pretty straightforward: the customer demarc becomes the wireless router. The ISP sets it up, does firmware updates, and generally takes care of it should there be issues. The managed router can be an additional revenue stream as well as providing a better customer experience. Having a solid router that has been professionally set up by the ISP is a huge benefit to both the provider and the customer. We will get into this a little later.

The second option lends itself better to a product such as the hAP lite. With the relatively cheap cost you can install one as a "modem" if the customer chooses the bring-your-own-router option. The actual method of setup can vary depending on your network philosophy. You can simply bridge all the ports together and pass the data through like a switch; the only difference is that you add a "management IP" on the bridge interface, on your network, so you can reach it. Another popular method, especially if you are running PPPoE or other RADIUS-based authentication, is to make the "modem" the PPPoE client. This moves some of the burden from the wireless CPE onto something a little more powerful. There are definite design considerations and cons for this setup; we will go into those in a future article. For now, let's just assume the hAP is a managed switch you can access.

So what are the benefits of adding one of these cheap devices?
-You can run pings and traceroutes from the device. This is helpful if a customer says they can't reach a certain website.
-Capacity is becoming a larger and larger issue in the connected home. iPads, gaming consoles, TVs, and even appliances are all sharing bandwidth. If you are managing the customer router you can see the number of connected devices and use tools like Torch to see what they are doing. If a customer calls and says it's slow, being able to tell them that little Billy is downloading 4 megs a second on a device called "Billy's Xbox" can help. It could also lead to an upsell.
-Wireless issues are another big one. If the customer bought their own router, stuck it in the basement and now their Internet is slow, you have a couple of tricks to troubleshoot without a truck roll. If the hAP is in bridge mode, simply enable the wireless, set up an SSID for the customer to test with and away you go. This could uncover issues in the house, issues with their router, or it might even point to a problem on your side.
-Physical issues and ID10T errors can be quickly diagnosed. If you can't reach your device it's either off or a cabling issue. If you can reach the hAP and the port shows errors, it could be cabling or PoE.
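Here is an added example (not from the original post) of the "managed switch" flavour of deployment described above, on an hAP lite: all four Ethernet ports and the radio in one bridge, a management address on that bridge, a WPA2 test SSID pre-configured but left off until a support call needs it, and management access limited to the ISP's side. The 10.200.0.0/16 management network, this unit's address 10.200.5.23, the gateway 10.200.0.1, the SSID and the passphrase are placeholders I made up; ether1 is assumed to be the port facing the CPE and ether2 the customer's own router.

```routeros
# Added example, not from the original post. hAP lite (RouterOS 6.4x) as a
# transparent "modem": ether1 <- CPE, ether2 <- customer's own router.
# 10.200.0.0/16 (management network), 10.200.5.23 (this unit), 10.200.0.1
# (gateway), the SSID and the passphrase are all constructed placeholders.
# Wipe the factory NAT-router setup first: /system reset-configuration no-defaults=yes

# Everything in one bridge so the customer's router talks to the CPE directly
/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1

# Management address lives on the bridge, routed back to the ISP
/ip address
add address=10.200.5.23/16 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=10.200.0.1

# Test SSID ready to go, but disabled until support turns it on
/interface wireless security-profiles
add name=sp-test mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="placeholder-change-me"
/interface wireless
set wlan1 mode=ap-bridge band=2ghz-b/g/n ssid="isp-test" \
    security-profile=sp-test disabled=yes

# The management IP sits on the same wire as the customer's WAN side, so the
# box must only answer the ISP's management network. Customer traffic is
# bridged through untouched; the input chain only sees packets addressed to
# the hAP itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=10.200.0.0/16 action=accept
add chain=input action=drop comment="nobody else talks to the modem"
/ip service
disable telnet
disable ftp
disable www
disable api
disable api-ssl
/user
set admin password="replace-me-before-deploying"
```

From the ISP side the troubleshooting tools in the list above are then one command each: /ping and /tool traceroute for reachability, /tool torch bridge1 to see which customer device is eating the bandwidth, /interface print stats and /interface ethernet monitor ether1 for link errors that point at cabling or PoE, and /interface wireless enable wlan1 to bring up the test SSID. If your network carries a management VLAN, create it with /interface vlan add name=mgmt interface=bridge1 vlan-id=<your VLAN> and put the address and the firewall accept on that interface instead of the bridge, which also stops the customer from even seeing the management address. Note that a device joined to the test SSID lands on the same Layer 2 segment as the customer's router, so if you hand out one address per customer it will compete for that address; that is one of the design cons the post defers to a later article.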

These are just a few of the benefits you can glean from sticking a $20 MikroTik device on the customer side of your network. It becomes a troubleshooting tool, which pays for itself if it saves you a single truck roll. The implementation is not as important as having a tool closer to the customer. There are several vendors you can order the hAP lite from. Baltic Networks is close to me, so they are my go-to: http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html

This isn't practical for business and enterprise customers, but you should already be deploying a router with these features there anyway, right?

How to disable one of the dumbest things ever: AKA DNS over HTTPS (DoH)

So the folks over at Mozilla thought it would be cool to have Firefox do DNS over HTTPS (DoH): the browser sends its DNS queries over HTTPS to a remote resolver of Mozilla's choosing instead of to the resolver your network hands out. For anyone running a network this is a dumb idea. It bypasses your local DNS (split-horizon names, filtering, logging), moves every user's lookups to a third party, and makes DNS problems impossible to see from the customer side. If you happen to be running Mozilla Firefox you should disable this for your own sake. Mozilla's own page on turning it off, both in the browser and network-wide, is here:

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

If you want the privacy DoH is meant to provide, use a VPN and make your life easier; it covers all of your traffic, not just DNS, and it does not fight with the network you are on.
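If you run the customer's resolver there is a network-wide switch, described on the Mozilla page linked above, that saves touching every PC: before enabling DoH on its own, Firefox looks up the canary domain use-application-dns.net, and an NXDOMAIN answer from the network's resolver tells it to stay on ordinary DNS. As an added example (not from the original post), here is how to return that answer from a MikroTik router acting as the LAN's DNS server. It assumes RouterOS 6.47 or newer, where static DNS entries take a record type (that version requirement is my understanding, not something the post states), and a LAN of 172.16.10.0/24 with the router at 172.16.10.1, which are made-up values.

```routeros
# Added example, not from the original post. Assumes RouterOS 6.47+ (static
# DNS entries accept type=NXDOMAIN) and that clients get this router as their
# DNS server from DHCP. 172.16.10.0/24 and 172.16.10.1 are constructed values.

# The router must actually be the resolver the clients use, or the canary
# query never reaches it
/ip dns
set allow-remote-requests=yes
/ip dhcp-server network
set [find address="172.16.10.0/24"] dns-server=172.16.10.1

# Firefox's DoH canary: NXDOMAIN here means "do not turn on DoH by default"
/ip dns static
add name=use-application-dns.net type=NXDOMAIN \
    comment="Firefox DoH canary, keep default DoH off on this network"
```

Check it from a LAN client with dig use-application-dns.net @172.16.10.1; the status line must say NXDOMAIN, not NOERROR. Two caveats from the Mozilla page are worth knowing before you rely on it: the canary only stops Firefox from switching DoH on by itself, so a user who turned it on by hand (network.trr.mode 2 or 3 in about:config) is not overridden, and on the browser side setting network.trr.mode to 5 turns DoH off outright. Since allow-remote-requests=yes answers every interface, make sure the router's input chain does not expose port 53 toward the upstream, or you have just built an open resolver.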

RouterOS v7 limited beta

I did an overview video of the new MikroTik RouterOS v7.

From the MikroTik forum: https://forum.mikrotik.com/viewtopic.php?f=1&t=152003

We have released a very limited test variant of RouterOS v7. Currently only available for ARM systems with a slightly limited feature set.

What is currently unlocked / available:

– Only available for ARM architecture
– Based on Kernel 4.14.131, which is currently the latest and most supported LTS version
– New CLI style, but compatible with the old one for compatibility
– New routing features, but see below
– OpenVPN UDP protocol support
– NTP client and server now in one, rewritten application
– removed individual packages, only bundle and extra packages will remain

Other features not yet public.

What is not available:

– BGP / MPLS disabled
– Extra packages
– Winbox does not show all features, use CLI for most functionality

DO NOT USE IT FOR ANYTHING IMPORTANT, THIS RELEASE IS STRICTLY FOR TESTING AND DOES CONTAIN BUGS

Download link: https://mt.lv/v7

Ubiquiti launches Speedtest Server/network

https://blog.ui.com/2019/08/13/ubiquiti-launches-a-speed-test-network/

Ubiquiti launches the Ubiquiti Speedtest, the first public test network integrated with enterprise network equipment. Ubiquiti Speedtest comprises a network of test servers and built-in speed test capabilities. Reports include uplink/downlink throughput and latency. Sharing the results is easy via email or social media.

It appears you can run this on an Ubuntu server or VM. They have an installer and a Docker image. You can do browser-based speed tests or use their WiFiman app.

Tests may run over LAN, Wi-Fi, or mobile networks. Ubiquiti Speedtest uses Ubiquiti test endpoints and provides automated and manual test target selection. The automated selection uses a combination of geolocation and latency measurements for determining the best servers. The algorithm may use several parallel endpoints for the best measurement accuracy.

Corporate vs ISP networks for the ISP

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.