Subj : FidoNews 42:19 [01/07]: General Articles
To : All
From : FidoNews Robot
Date : Mon May 12 2025 02:58 am

=================================================================
GENERAL ARTICLES
=================================================================

Configuring my own fiberglass modem/router part 2
By Michiel van der Vlist, 2:280/5555

Part 1 was about installing and registering my own Optical Network Terminator (ONT). This part will be about installing and configuring my own router.

My choice fell on the Mikrotik hEX. It is a no nonsense router. No fancy enclosure, no flashy GUI. But it is very powerful. It is aimed at the professional user. Almost anything is configurable and it is relatively cheap.

While the ONT has the potential for 10 Gbps and the fiber company has an option for 8 Gbps, the Mikrotik hEX is limited to 1 Gbps. So I won't use the full potential of the fiber connection. No problem, my LAN is designed for 1 Gbps and my contract with the provider is 500/500 Mbps. So for now the router will not be the bottleneck. Who needs more than 1 Gbps? Not me anyway, not for now.

The price for all these goodies is a steep learning curve. Its OS, RouterOS, is based on Linux. For Windows users most of the configuration is counterintuitive. And much of it for Linux users as well, I guess. Getting started is quite a challenge.

Mikrotik is European which in these times of world-wide turmoil has its merits for a European like me...

So I connected the ethernet port of the ONT to the WAN port of the Mikrotik and my laptop to the router's first LAN port and I tried to access its GUI to start the configuration. I was unable to. The GUI should be accessible at 192.168.88.1 but there was no response. The laptop did not even get an address in the range 192.168.88.xx. Hmm... So maybe it does nothing without an "upstream" connection. For an upstream connection via the ONT it needs VLAN 100 and to configure that I need access to the router's GUI.
So let me connect it to the LAN of my cable connection. I connected the WAN interface of the Mikrotik - or what I thought was the WAN port - to a LAN port of the modem/router of my cable connection. Still nothing on 192.168.88.xx. But... my laptop got an IP in the range from the cable connection's LAN. Hmmm... So let's look into the config of the cable modem/router to see if the Mikrotik got an address in that range. And it had! So I tried to access the Mikrotik's GUI at that address and Bingo! I was in.

I got a login screen and to my surprise I did not need a password. The second surprise came with the first screen after login. The device has two modes: router and switch. It was in switch mode! That explains a lot. What remains unexplained is how it got there in the first place. Never mind, let's move on. I put it in router mode and configured 192.168.88.xx as the addresses to use for the LAN. After a restart I could address it at 192.168.88.1.

While exploring the device I found how to update the firmware. It was delivered with RouterOS 6.xx, which by default did not support IPv6. For IPv6 one had to add a "package". Hmmm... Looking a bit further revealed that there was RouterOS 7.xx and that included IPv6 by default. So I upgraded to RouterOS 7.18.2, the latest version.

I configured VLAN 100 and reconnected to the ONT. Still no IP from Delta, the fiberglass provider. I checked and checked again but could find nothing that could explain why I did not get an IP from the provider.

Further trial and error revealed that the GUI was accessible via the LAN port. THAT I didn't like. I could find nothing in the config to block that and I found it strange that the default configuration allowed it.

All that made me decide to follow the procedure for resetting the device to the default configuration. Remove the power, press the reset button and hold it while restoring the power until one of the green lights starts flashing. Sounds easy but you need three hands for that.
It took more than one attempt to get it right. After the first attempts the VLAN did not disappear but at the fourth attempt the VLAN was gone and I could no longer access the GUI from the WAN port. So I figured this time I really had the default configuration.

I reconfigured the VLAN but still no IP from the provider. It was at this point that I actually configured VLAN 100 on my laptop, directly connected it to the ONT and got an IP from the provider.

Now we get to the steep learning curve of RouterOS. In Windows it is enough to configure a VLAN. Windows presumes that if you configure a VLAN for an interface, you actually want to use it to make a connection. Not so with Mikrotik. After getting some help on a Mikrotik forum I found out that in addition to just configuring a VLAN for the port used as WAN, you also have to configure a DHCP client and add the interface created for the VLAN to the WAN list. And THEN finally I got an IPv4 address from the provider. Wow!

So now I had outgoing IPv4 on the devices connected to the LAN. I could make outgoing binkp connections. Configuring a port forward seemed easy. But that didn't work. I wasn't really surprised, almost nothing with Mikrotik seems to work at the first go.

OK, let's try something else. Let's activate IPv6. Contrary to what I encountered so far, that was relatively easy. Or maybe I already got used to the peculiarities of RouterOS.

First we have to configure a DHCPv6 client for the VLAN interface. Specify what you want to request: address, prefix or info. I specified both address and prefix. The address turned out to be not needed, but it didn't hurt for now. For the prefix size specify the prefix size that the provider issues, 56 in my case. Specify a pool name; any name will do but something logical like the name of the provider can be handy. Specify nothing for the address hint and voila, you get a prefix from the provider.
So we now have a prefix. What is next? Ask for an address range for the subnet where our LAN will be. So we go ask for an address for the interface "bridge" that is our local LAN. Ask for a ::/64 from the pool that we defined in the previous step and leave the rest as default. And the first /64 from the /56 that we got before is assigned to the LAN. IPv6 capable devices on the LAN now automatically get a global IPv6 address.

So far so good. But... no access to the IPv6 part of the InterNet. And there it is: another Mikrotik thing. It turned out that one needs to click on "add default route" when configuring the DHCPv6 client for the VLAN interface. No idea why this isn't set by default like "Use peer DNS" and "Rapid Commit", but that's Mikrotik. Anyway, we now have outgoing IPv6.

OK, back to IPv4. Why does the port forwarding not work? Not only does the port forwarding not work, I could not even reach the binkp server from the local LAN using the local IPv4 addresses. It seems to be totally isolated for incoming, even locally.

I asked for suggestions in a Mikrotik forum and posted my config there. None of the Mikrotik gurus could find anything wrong with it. But I got a few suggestions. One of them was the Windows firewall of the PC running the servers. My first reaction was: "of course not. This system has been running for a very long time and so has the port forwarding." But I checked anyway. Yes, binkp was in the rules of the Windows firewall.

So I decided on some more tests. I could not access my binkp server from my laptop that was on the same LAN. What about it being connected on the same port of the router via an extra switch? It was also inaccessible. That seemed impossible because in that case it didn't even go through the router. So what about the client running on the same PC as my binkp system? I still had 280/5556 installed on the same system. So I fired that up. And lo and behold, 280/5556 could connect to 280/5555.
Now I wasn't so sure anymore that the problem was not in the Windows firewall. So I turned it around. Let me see if I can make a connection when I configure my point 1 on the laptop as the server. And yes, I could.

At this point I should mention that I kept my connection with the cable company and that I installed a second network card for the connection with the fiber boys. I already mentioned this in part 1 but the reader may have forgotten. As I did. Sort of...

So I looked at the configuration of the Windows firewall once more and then it suddenly hit me. While there is only one setting for the list of programs that are allowed access, there are actually two networks, one associated with each interface. For each network there is a setting that defines it as a home network or a public network. And the second network, the one for the fiber connection, was configured as a public network. I have no idea how this happened and how long it had been that way. Well, I was moaning about RouterOS having its peculiarities; we all know that Windows has some strange ideas of its own too. Anyway, when I changed the setting from public network to home network the problem was solved and port forwarding worked as expected.

The IPv6 pinhole for port 24554 was not a problem. Except for the fact that a rule added with the Mikrotik's GUI is put at the bottom of the list of rules, and the order is relevant. The original last line was a rule that rejects "all else that does not come from the LAN" and so the new rule had no effect. But there is no way to influence where in the list the new rule goes when entering it with the GUI. That problem was solved when I discovered that when displaying the list one can grab a line with the mouse and drag it to another place in the list. So I moved that last line one place up and that activated the pinhole for port 24554.

Now there was one thing left. The internet communication between the router and the ONT goes via interface VLAN 100.
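
The rule-order problem with the port 24554 pinhole described above, as an added example (not the author's code and not an export of his configuration): a small Python model of first-match filtering with a check for rules that an earlier rule makes unreachable. The Rule fields, the sample chain and the WAN restriction on the pinhole are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

def _list_match(spec, value):
    # RouterOS-style spec: None = any, "WAN" = only WAN, "!LAN" = anything but LAN
    if spec and spec.startswith("!"):
        return value != spec[1:]
    return spec in (None, value)

def _list_covers(a, b):
    # True if spec a matches every interface list that spec b matches
    negated_superset = bool(a and b) and a[0] == "!" and b[0] != "!" and a[1:] != b
    return a is None or a == b or negated_superset

@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    in_list: Optional[str] = None   # interface-list spec, see _list_match

    def matches(self, pkt):
        return (self.proto in (None, pkt["proto"]) and self.dport in (None, pkt["dport"])
                and _list_match(self.in_list, pkt["in_list"]))

    def covers(self, other):        # every packet `other` matches, self matches too
        return (self.proto in (None, other.proto) and self.dport in (None, other.dport)
                and _list_covers(self.in_list, other.in_list))

def decide(chain, pkt):  # first matching rule wins; (None, None) = no rule matched
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return i, rule.action
    return None, None

def shadowed(chain):
    # (rule_index, earlier_index) pairs: the earlier rule always matches first
    return [(i, j) for i, r in enumerate(chain) for j in range(i) if chain[j].covers(r)]

def move(chain, src, dst):
    out = list(chain)               # model dragging a rule to another position
    out.insert(dst, out.pop(src))
    return out

# Constructed chain for illustration; not an export from the author's router.
CHAIN = [
    Rule("accept", proto="icmpv6"),
    Rule("drop", in_list="!LAN"),                             # all else not from LAN
    Rule("accept", proto="tcp", dport=24554, in_list="WAN"),  # pinhole, added last
]
```

Running shadowed() on a rule list after every addition catches an accept rule that landed below a broader drop rule before anyone has to debug it from the outside.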
The physical interface ether1 is configured by default to have a DHCP client and it is added to the WAN list. That is not needed in this setup. But there still is one little thing that I wanted to add. I mentioned in part 1 that the ONT has a GUI that can be accessed by connecting a PC or laptop configured with a fixed IP of 192.168.100.xx to the ethernet port. But that ethernet port is now connected to the WAN port of the router. What I wanted was to make the ONT accessible via the router.

That turned out to be easy. I added a fixed address of 192.168.100.10 to the interface "ether1". It was already on the WAN list. The DHCP client associated with it was no longer needed, so I disabled that. After that I could indeed access the ONT's GUI by browsing to 192.168.100.1 from any PC on the LAN. That was easy. It seems I am getting a little bit familiar with RouterOS.

My Fidonet system is now reachable via both providers. IPv4 and IPv6.

The IPv4 address starting with 83 and the IPv6 address starting with 2001.1c02 are from the cable provider. (Ziggo)

The IPv4 address starting with 81 and the IPv6 address starting with 2001.4c3c are from the fiberglass provider. (Delta)

Feel free to try it.

That completes the installation and configuration of my own ONT and router for my fiberglass connection. For now of course. On a Fidonet system there is always room for further tuning and experiments. But for now I will leave it as is.

-----------------------------------------------------------------
--- Azure/NewsPrep 3.0
 * Origin: Home of the Fidonews (2:2/2.0)