Quick home VPN using Mikrotik and an existing router

I had a situation today where we had an office worker needing to work from home. This user had a house full of devices and a router managed by the fiber-to-the-home provider. This user had devices attached to the wifi on the provider router and such. Normally I would want to replace this router, but it would be an undertaking.

For this setup, we used a Mikrotik mAP lite.
https://www.ispsupplies.com/MikroTik-RBmAPL-2nD

My quick solution was to have the user install the Mikrotik mAP as an ethernet device off of the provider’s router. We then established a VPN tunnel from this device to the ISP’s network they work for.

We then added routes in the Mikrotik to the 3 networks they needed to access across the L2TP tunnel. This user runs the Dude and Winbox. Once the tunnel was established, we had two issues to overcome.

1. You have to add a NAT rule in order for traffic behind the Mikrotik to reach the devices on the other side of the tunnel. I simply added a NAT rule that looks like this (entered in the RouterOS terminal; it masquerades only the home LAN, and only on the PPP/L2TP interfaces):

/ip firewall nat add action=masquerade chain=srcnat out-interface=all-ppp src-address=192.168.88.0/24

We could have done this in a few different ways, but remember this was a quick setup.

2. I needed the laptop they were working on to be able to route the three prefixes to the Mikrotik, thus going out the VPN. In our setup, the laptop only has 2 default gateways. It does not know any other routing info.

I created a batch script with the following in it. In short, you add the text below into a Notepad file and save it with the extension .bat. Each line tells Windows to send one office prefix to the Mikrotik (192.168.88.1) instead of the default gateway:

route ADD 10.2.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.3.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.4.0.0 MASK 255.255.0.0 192.168.88.1

If you need help on creating a batch script:
https://www.howtogeek.com/263177/how-to-write-a-batch-script-on-windows/

Once I had the file, which I simply saved into the Dude folder on the desktop, I created a shortcut on the desktop.  You will want to right-click on the shortcut and do the following.

It is important to note you are only able to do this on a shortcut in Windows, not the actual file itself. No idea why. The script is important because this user brings the laptop back and forth. I did not want to create persistent routes on the computer because the office network is different. If you do not make the routes persistent, they will be gone after a reboot. This way the user double-clicks on the script shortcut when they log in to the computer and before firing up the Dude.
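The mAP side of the setup described above, written out as one RouterOS terminal session. This is an added example, not config from the original post; the tunnel name, server address, credentials and IPsec secret are placeholders, and running IPsec on top of the L2TP tunnel is an addition the post does not mention.

```routeros
# Added example (not from the original post): mAP lite configuration for
# the home VPN described above. Replace every UPPERCASE value and the
# vpn.example.net placeholder with the office side's real values.

# 1. L2TP client back to the office. Plain L2TP carries traffic in the
#    clear, so IPsec is enabled here wherever the office side supports it.
#    add-default-route=no keeps the home's normal internet traffic on the
#    provider router; only the office prefixes below enter the tunnel.
/interface l2tp-client add name=l2tp-office connect-to=vpn.example.net \
    user=USERNAME password=PASSWORD add-default-route=no \
    use-ipsec=yes ipsec-secret=IPSEC_SECRET disabled=no

# 2. The three office networks from the post, routed into the tunnel.
#    Using the interface name as gateway works for point-to-point links.
/ip route add dst-address=10.2.0.0/16 gateway=l2tp-office
/ip route add dst-address=10.3.0.0/16 gateway=l2tp-office
/ip route add dst-address=10.4.0.0/16 gateway=l2tp-office

# 3. The masquerade rule from the post: home LAN sources only, PPP
#    interfaces only, so nothing is rewritten on the provider side.
/ip firewall nat add chain=srcnat action=masquerade \
    out-interface=all-ppp src-address=192.168.88.0/24

# 4. The office side must not be able to start connections into the
#    home LAN; only replies to traffic the laptop initiated get through.
#    These append after any rules already in the forward chain.
/ip firewall filter add chain=forward in-interface=all-ppp \
    connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=all-ppp action=drop

# 5. Checks: tunnel status, then the routes that should point at it.
/interface l2tp-client monitor [find name=l2tp-office] once
/ip route print where gateway=l2tp-office
```

If the monitor output shows the tunnel up but the route print is empty, the tunnel interface name in the routes does not match the client name.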

There are many other ways to accomplish this. This was one of the quickest, least impacting to the user, and with fewer things to support. One of the downsides to this setup is the user maintains two physical connections to two physical routers. In this instance, the user could hardwire into the Mikrotik and maintain a wireless connection to the FIOS router.

If given more time, you could have the laptop wired into the Mikrotik at your desk and have the wireless on the Mikrotik become a wireless client back to the FIOS router. This would make the setup a little more mobile.

#teleworker @packetsdownrange #j2 #vpn

Philosophies as a consultant: Vendors, distributors

Over the years my views and philosophies on being a consultant have changed and are constantly evolving.  There are certain things that consultants can incorporate into their businesses in order to maintain a high level of service to clients.

Being Neutral
One of the things I have tried to do is be neutral when it comes to vendors and technology. While this is an admirable goal to have, you will find yourself gravitating toward technology you and your clients find useful and proven. It’s okay to be a certified consultant for a specific vendor. This brings up a whole new set of issues I will talk about later. There are two keys to take away from this. The first is to understand the underlying technology as a whole. If you think a particular product is superior enough for you to become certified in it, know why. Know how it is better than the competitors and where it lacks compared to the competitors.

The second key is to not be influenced by becoming a reseller/distributor for particular products. If you want to become a distributor, then focus on that. If you offer consulting services, become an integrator for that product. This way, you are not influenced by the latest promotion for a particular product and try to make it fit for a customer when something else might be better.

Vendor Expertise
As a consultant, you will probably find yourself working with specific products more than others. This is natural. I have found myself working with Cambium ePMP products more often than some others. I believe in the product, so I recommend it to my customers when it fits their situation. However, becoming an expert on a product line has pitfalls.

The first pitfall is you are an expert not paid by the vendor. If you are doing an excellent job on social media and SEO, your name should be popping up in Google searches for that product. For example, if you do a search for “Cambium Consultant,” the first page that pops up is a page with my info on it. In a way, you are representing the brand without knowing it. This can lead to you answering questions about a product without any direct compensation for your time. I have always strived to answer questions on topics I am an expert on. There is a fine line between answering questions for a client who has not paid you money and one who has. Every potential contact is a potential client. You have to decide how to handle that grey area. This is an area I struggle with regularly. I am a Cambium ePMP expert and get many questions on this and that from folks who are not clients. I try and answer as many as I can, but at the end of the day, the paying clients do take priority.

Distributors and ordering
I mentioned earlier that I personally do not want to be a distributor or reseller. I don’t want to have to meet quotas and absolute minimums to keep stock of products. Some companies are better at this than I ever could be. Having a good relationship with a few good distributors is a good idea. Over the years, I have developed good relationships with several of these WISP distributors. There are some I shy away from because they have competing services. There are a few vendors and distributors I have referred folks to, and the next thing I know they are offering them consulting services or saying, “I can fix that real quick for you”. They may not even realize they are hurting my business. These are distributors and vendors I personally stop referring business to. If it’s the right product, I will still include them in options for clients, but I make sure I keep on top of the relationship between myself, the vendor, and the client.

There are distributors out there who do very well offering consulting services. The question to ask is: are they selling you products because the product makes them money, or is it the right product for you? There is room for it to go either way.

Just some random 3am thoughts

Guest Article: Routers can catch viruses

Our friends over at TechWarn have their take on routers vulnerable to virus attacks:

https://www.expressvpn.com/blog/can-my-router-catch-a-virus/

Big price differences between routers are often confusing to consumers as, unlike with personal computers, the quality difference is not always obvious. As routers are normally tied to a physical location, it is also rather difficult to test their reliability in different environments, unlike with highly mobile laptops or smartphones.

Routers often do not receive updates, or updates have to be manually downloaded and applied — a cumbersome process that is not an attractive option to many non-tech-savvy users.

Routers are desirable targets for attackers as they sit at a very sensitive spot on a network — right at the edge. They are a centralized point and connected to every single device in the network. Routers read all of the data that each device sends to the Internet, and if these connections are unencrypted, the router could easily inject malicious scripts and links.

The changing RF landscape for WISPs

Recently, there have been some discussions on Facebook about waning support for 2.4 GHz. KP Performance recently published a “Future of 5GHZ and beyond” blog post. So why all this focus on 5 GHz, and why are people forgetting about 2.4?

To answer this question, we need to update our thinking on the trends in networks, not just wireless networks. Customers are demanding more and more speed. Network backbones and delivery nodes have to be updated to keep up with this demand. For anything but 802.11 wifi, 2.4 GHz can’t keep up with the bandwidth needs.

One of the significant limitations of many 2.4 GHz radios is they use frequency-hopping spread spectrum (FHSS) and/or direct-sequence spread spectrum (DSSS) modulation. Because 2.4 GHz is the older band, its chipsets have evolved around these modulation methods. When you compare 2.4 GHz to 5 GHz radios running OFDM, you start to see a significant difference. In a nutshell, OFDM allows for higher throughput. If you want to read all about the differences in the protocols, here ya go: http://www.answers.com/Q/Difference_between_ofdm_dsss_fhss

Secondly is the amount of spectrum available. More spectrum means more channels to use, which translates into a higher chance of mitigating interference. This interference can be self-induced or from external sources. To use an analogy, the more rooms a building has, the more simultaneous conversations can happen without noise. In 2.4 GHz we only have 3 non-overlapping channels at 20 MHz. Remember the part about more and more customers wanting more bandwidth? In the wireless world, one of the ways to increase capacity on your APs is to increase the channel width. Once you increase 2.4 GHz to 30 or 40 MHz, you do not have much room to deal with noise because your available channels have shrunk.

One of the biggest arguments in support of using 2.4 GHz for a WISP environment is the physics. Lower frequencies penetrate trees and foliage better. As with anything, there is a tradeoff. As the signal is absorbed, so is the available “air time” for transmission of data. As the signal travels through stuff, the radios on both sides have to reduce their modulation rates to deal with the loss of signal. Lower modulation rates mean lower throughput for customers. This might be fine for customers who have no other choice. This thinking is not a long-term play.

With LTE especially, the traditional thinking is being uprooted. Multiple streams to the customer, as well as various paths for the signal due to antenna stacking, are allowing radios to penetrate this same foliage just as well as a 2.4 GHz signal, but delivering more bandwidth. These systems are becoming more and more carrier class. As the internet evolves and becomes more and more critical, ISPs are having to step up their services. The FCC says the definition of broadband is at least 25 meg download. A 2.4 GHz radio just can’t keep up in a WISP environment. I am seeing 10 meg becoming the minimum customers want. Can you get by with smaller packages? Yes, but how long can you maintain that as the customer demand grows?

So what is the answer? Cell sizes are shrinking. This is helping 2.4 GHz hold on. The less expensive radios can be deployed to less dense areas and still provide decent speeds to customers. This same trend allows 5 GHz cells to be deployed as well. With fewer things to go through, 5 GHz can perform in modern networks at higher modulation rates. Antenna manufacturers are also spending R&D to get the most out of their 5 GHz antennas. More money in the pipeline means stronger products. My clients are typically deploying 3.65 and 5 GHz on their towers. LTE is changing RF WISP design and taking the place of 2.4 and 900.

Using 8.8.8.8 or local resolvers for ISPs

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.

EVPNs: The answer to your MPLS issues

I had a good discussion with my buddy JJ tonight on kind of the next step of network evolution for provider networks. Many providers have evolved to MPLS networks with VPLS. There are some inherent issues with this when it comes to things like bonding and MLAG, among other issues. Nothing is perfect, right?

So as we dive into what EVPN is, I want you to know I am approaching this from a service provider standpoint. I am also no EVPN expert, but I am seeing it more and more as a solution to specific issues. As a result, EVPN is sliding into a natural progression of the service provider network.

So what is EVPN?
There are folks much more versed on EVPN than I am. As a result, I will lean on some already written articles.
https://blog.ipspace.net/2018/05/what-is-evpn.html

https://www.cisco.com/c/en/us/products/ios-nx-os-software/ethernet-vpn.html#~stickynav=1

Components of EVPN
Now that you have a high-level overview of EVPN, what are some of the major components and features you should know? Let’s dive into that.

Unified control plane. EVPN can be used throughout your network. You don’t have to use one stack for the data center, one for the metro to the data center, and yet another for connectivity between data centers. You can bring it all under one control roof, so to speak.

EVPN, through BGP, marries Layer 2 and Layer 3 together. With MPLS, everything is controlled at the Layer 3 level. Now, with EVPN, MAC addresses become much more important. For example, each EVPN MAC route announces the customer MAC address, the Ethernet segment associated with the port where the MAC was learned, and its associated MPLS label. This EVPN MPLS label is used later by remote PEs when sending traffic destined to the advertised MAC address. Pretty cool, huh?

As networks grow, network engineers learn about things such as north-south traffic and east-west traffic. Microsoft has a great article which explains this concept: https://blogs.technet.microsoft.com/tip_of_the_day/2016/06/29/tip-of-the-day-demystifying-software-defined-networking-terms-the-cloud-compass-sdn-data-flows/

East-West – East-West refers to traffic flows that occur between devices within a datacenter. During convergence, for example, routers exchange table information to ensure they have the same information about the internetwork in which they operate. Another example is switches, which can exchange spanning-tree information to prevent network loops.

North-South – North-South refers to traffic flows into and out of the datacenter. Traffic entering the datacenter through perimeter network devices is said to be southbound. Traffic exiting via the perimeter network devices is said to be northbound.

So, if you are a growing service provider, look at EVPN. In some upcoming articles, I will talk more about various components of EVPN and such.

Why every ISP should be deploying hAP Lite to customers

This was originally posted at:
https://www.mtin.net/blog/why-every-isp-should-be-deploying-hap-lite-to-customers/

So Mikrotik has a very cheap hAP Lite coming out. This is a 4-port, 2.4 GHz b/g/n router/access point which retails for $21.95. Baltic Networks has pre-orders for $18.95.

Why should you deploy this little gem, and how? We have found over the years that routers account for more than half of the support issues. In some networks, this number is closer to 80-90%, whether it be a substandard router, one with out-of-date firmware, or poor placement by the customer.

Deployment of the hAP lite can be approached in one of two ways. Both ways accomplish the same goal for the ISP. That goal is to have a device to test from that closely duplicates what the customer would see. Sure, you can run tests from most modern wireless CPE, but it’s not the same as running tests from the customer side of the POE.

Many ISPs are offering a managed router service to their customers. Some charge a nominal monthly fee, while others include it in the service. This is a pretty straightforward thing. The customer demarc becomes the wireless router. The ISP sets it up, does firmware updates, and generally takes care of it should there be issues. The managed router can be an additional revenue stream in addition to providing a better customer experience. Having a solid router that has been professionally set up by the ISP is a huge benefit to both the provider and the customer. We will get into this a little later.

The second option lends itself better to a product such as a hAP lite. With the relatively cheap cost, you can install one as a “modem” if the customer chooses their own router option. The actual method of setup can vary depending on your network philosophy. You can simply bridge all the ports together and pass the data through like a switch. The only difference is you add a “management IP” from your network to the bridge interface. This way you can reach it. Another popular method, especially if you are running PPPoE or other RADIUS methods, is to make the “modem” the PPPoE client. This moves some of the burden from the wireless CPE onto something a little more powerful. There are definite design considerations and cons for this setup. We will go into those in a future article. But for now, let’s just assume the hAP is just a managed switch you can access.

So what are the benefits of adding one of these cheap devices?
-You can run pings and traceroutes from the device. This is helpful if a customer says they can’t reach a certain website.
-Capacity is becoming a larger and larger issue in the connected home. iPads, gaming consoles, TVs, and even appliances are all sharing bandwidth. If you are managing the customer router, you can see the number of connected devices and do things like Torch to see what they are doing. If a customer calls and says it’s slow, being able to tell them that little Billy is downloading 4 megs a second on a device called “Billy’s Xbox” can help a customer. It could also lead to an upsell.
-Wireless issues are another huge benefit. If the customer bought their own router and stuck it in the basement and now their internet is slow, you have a couple of tricks to troubleshoot without a truck roll. If the hAP is in bridge mode, simply enable the wireless, set up an SSID for the customer to test with, and away you go. This could uncover issues in the house, issues with their router, or it might even point to a problem on your side.
-Physical issues and ID10T errors can be quickly diagnosed. If you can’t reach your device, it’s either off or a cabling issue. If you can reach the hAP and the port has errors, it could be cabling or POE.
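The bridged “modem” setup described earlier, with the troubleshooting SSID from the wireless point in the list above, written out as an added RouterOS example (not the post’s own config). The management address, the NOC address range, the SSID name and the wlan1/ether1-4 port names are assumptions; the firewall rules are the lock-down a practitioner would add so only the ISP can reach the management plane.

```routeros
# Added example (not from the original post): hAP lite as a bridged
# "modem" the ISP can reach, test from, and use for wireless checks.
# 10.250.x.x, "noc" and ISP-Test are placeholders for the ISP's values.

# 1. Bridge every port plus wireless; the customer's router sees a
#    plain pass-through and keeps its own WAN address.
/interface bridge add name=bridge-cust
/interface bridge port add bridge=bridge-cust interface=ether1
/interface bridge port add bridge=bridge-cust interface=ether2
/interface bridge port add bridge=bridge-cust interface=ether3
/interface bridge port add bridge=bridge-cust interface=ether4
/interface bridge port add bridge=bridge-cust interface=wlan1

# 2. Management address from the ISP's own range, never the customer's.
/ip address add address=10.250.3.17/22 interface=bridge-cust
/ip route add dst-address=0.0.0.0/0 gateway=10.250.0.1

# 3. Test SSID, created disabled. Enable it from the NOC while
#    troubleshooting a customer's wireless, then disable it again.
/interface wireless security-profiles add name=test-profile \
    mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=PER_CUSTOMER_PASSPHRASE
/interface wireless set wlan1 mode=ap-bridge ssid=ISP-Test \
    security-profile=test-profile disabled=yes

# 4. Management plane reachable from the NOC only. Customer devices
#    share the bridge, so without this they could reach Winbox/SSH.
#    Rules append after whatever the default config already has.
/ip firewall address-list add list=noc address=10.250.0.0/24
/ip firewall filter add chain=input \
    connection-state=established,related action=accept
/ip firewall filter add chain=input src-address-list=noc \
    protocol=tcp dst-port=22,8291 action=accept
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input action=drop
/ip service disable telnet,ftp,www,api

# 5. The checks from the post, run from the NOC over Winbox or SSH:
#    reachability, path, port errors, and who is using the bandwidth.
/ping 8.8.8.8 count=4
/tool traceroute example.com count=1
/interface ethernet print stats where name=ether1
/tool torch interface=ether1 src-address=0.0.0.0/0 duration=10
```

The `print stats` line is the cabling/POE check: a port that shows rx or tx errors climbing while the customer reports slowness points at the physical layer before anything else.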

These are just a few benefits you can glean from sticking a $20 Mikrotik device on your customer-side network. It becomes a troubleshooting tool, which makes its money back if it saves you a single truck roll. The implementation is not as important as having a tool closer to the customer. There are several vendors you can order the hAP lite from. Baltic Networks is close to me, so they are my go-to: http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html

This isn’t practical for business and enterprise customers, but you should already be deploying a router that has these features anyway, right?