About Steve Discher

Steve Discher was born in Apple Valley, California and today makes his home in College Station, Texas with his wife and three children. He is a 1987 graduate of Texas A&M University and owns ISP Supplies, a wireless distribution company, and conducts MikroTik training classes. His hobbies include flying his Piper Cub and RV camping with his family.

Connecting and Managing Remote Grandstream Phones with MikroTik, UCM and Zero Config

If you are familiar with the Grandstream UCM VoIP PBX, you know the value of the Zero Configuration service.  If not, the Zero Configuration service allows you to create profiles that are common to all phones, to certain models of phones, or only to certain phones on your network.  These profiles can do things like push configuration changes, push software upgrades, or set new names or extensions on the extension modules, or “sidecars” as we call them.  You can, of course, manage each phone individually through a web browser interface, but this method does not scale well.

Here is an example of how we use Zero Config in our phone network.

  1. Globally, we set the time zone and the Screen Saver/Background on all phones and rotate them as banners, as a message board system.  We also set the path for firmware upgrades for all new phones.
  2. We use a Model Template to configure the Speed Dial buttons on one model of phone and to set the names and extensions on other models that have the auxiliary boards.
  3. Adding a new phone is simple for us: plug it in, wait for it to appear in Zero Config, assign an extension, push the changes, and that phone is now configured and provisioned.

There are many more capabilities for Zero Config that you can take advantage of but these are a few that I like a lot.

Now, all of this works well in a LAN environment, but how can you easily do Zero Configuration with remote phones when you have users working from home across the internet?  Easy: MikroTik and RouterOS.  Here is our example:

To make Grandstream Zero Configuration work, we need to get the remote phone and the office LAN on the same Layer 2 segment.  Obviously, this is the job of a VPN protocol, but I wanted to make it as easy and simple as possible, hence fewer issues down the road.  I also did not want all the remote LAN traffic to traverse the tunnel, and MikroTik L2TP + BCP makes it really easy.

There was one trick that threw me off, and I want to make sure you take notice.  I am telling you this up front for those of you searching to see why a bridged L2TP tunnel (BCP) is not passing DHCP: do not address the tunnel.  That means no remote or local address on the server end of the L2TP server.  It is not needed (that itself surprised me) and in fact, it breaks DHCP for some reason.  Also, the MTU and MRU settings must be exactly as shown or bridging will not work.  Again, this caused me a lot of heartache until I figured it out.

Here is the configuration we want to create:

In summary, port Ether5 on the remote router is bridged to the L2TP tunnel on the remote end, and on the office end the L2TP tunnel is bridged to the port that connects to the office LAN switch.  The net result is that the remote phone pulls an IP address from the UCM, which is running the DHCP server, and the remote phone appears on the same Layer 2 segment as the UCM so it can be used with Zero Configuration.  Here is how you set that up in RouterOS.  I assume basic connectivity is in place at both ends and we are only building the tunnel and the bridges.  Here is how my network looks in my Dude Server:


Remote End Configuration:

Each remote device has two L2TP interfaces, one for managing the router and one for the VoIP.

First, create the profile because that is where the bridging takes place.  Here is that PPP profile:

Next, create the L2TP Client.  Notice the MTU, MRU and MRRU settings and set them as shown, because they are critical for bridging to work:

Finally, here are the bridge settings.  Notice the Max MTU, MRU, etc. in the red box.  These must be set to these values or bridging will not work:

Server End Configuration:

First, create the Bridged profile:

Next, enable the L2TP server; again, the MTU, MRU and MRRU settings are important, so set them as shown.  Use the profile just created:

Finally, create the bridge, and on the Ports tab add the Ethernet port connected to the office LAN or switch.  The L2TP interfaces will be added automatically when these users connect.
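The same two-ended setup expressed as RouterOS CLI commands, as an added example that is not the post's own configuration (the post's settings live in screenshots that are not reproduced here). Only the VoIP tunnel is shown, not the second management tunnel the post mentions. The interface, profile and user names, the client subnet and everything in angle brackets are assumptions; the MTU, MRU and MRRU values are left as placeholders because the post shows them only in its screenshots, and they must be identical on both ends.

```routeros
# Added example, not the post's own config. Names (bridge-voip, bridge-lan,
# bcp-bridge, l2tp-voip, remote1) and <placeholders> are assumptions.

# ---------- Remote end (the router the phone plugs into) ----------
# The PPP profile does the bridging: BCP adds the L2TP interface to this
# bridge when the tunnel comes up. Deliberately NO local-address or
# remote-address on the profile; addressing the tunnel breaks DHCP across
# the bridge, as the post warns.
/interface bridge add name=bridge-voip comment="phone side of the L2TP/BCP bridge"
/interface bridge port add bridge=bridge-voip interface=ether5
/ppp profile add name=bcp-bridge bridge=bridge-voip use-compression=no

# max-mtu / max-mru / mrru must match the post's screenshots and the server.
/interface l2tp-client add name=l2tp-voip connect-to=<office-public-ip> \
    user=remote1 password=<strong-secret> profile=bcp-bridge \
    max-mtu=<MTU> max-mru=<MRU> mrru=<MRRU> add-default-route=no disabled=no

# ---------- Office end (L2TP server next to the UCM) ----------
# Same profile idea: bridge the tunnel onto the office LAN, no addresses.
/interface bridge add name=bridge-lan comment="office LAN side"
/interface bridge port add bridge=bridge-lan interface=ether2
/ppp profile add name=bcp-bridge bridge=bridge-lan use-compression=no

# One secret per remote site so a lost router can be revoked individually.
/ppp secret add name=remote1 password=<strong-secret> service=l2tp profile=bcp-bridge

/interface l2tp-server server set enabled=yes default-profile=bcp-bridge \
    authentication=mschap2 max-mtu=<MTU> max-mru=<MRU> mrru=<MRRU>

# Hardening notes (additions, not from the post): L2TP on its own is not
# encrypted. For phones crossing the public Internet add
#   use-ipsec=yes ipsec-secret=<psk>
# to both the l2tp-client and the l2tp-server server, and in
# /ip firewall filter chain=input accept only udp/1701 (plus udp/500,
# udp/4500 and ipsec-esp when IPsec is on) from the remote sites.
```

Because the bridge carries the phone's DHCP and SIP traffic at Layer 2, anything plugged into ether5 at the remote site lands on the office LAN; keep that port dedicated to the phone rather than a home switch.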

Once this is done, your remote phone, plugged into ether4 pulls an IP from the UCM DHCP Server on the office LAN and is configurable using Grandstream Zero Configuration.

Source: Blog

Mikrotik RouterOS Dynamic IP Firewall Address List Entries for CDN’s, etc.

Has anyone noticed a new behavior for address lists in RouterOS?  The release notes for 6.37.3 show “firewall – fixed timeout option on address lists with domain name;” but I don’t see when that feature was actually added.

Specifically, if you add a DNS name as the address entry, it dynamically resolves all the IPs for that name.

The best example is a name record that points to a CDN, like Windows Updates. I discovered this trying to mark and prioritize Windows updates, Mac updates, iCloud photo uploads, etc.

Here is an example. Our website, www.ispsupplies.com, is distributed by a CDN. One entry in the address list produces 8 dynamic entries, one for each CDN IP. I also noticed they update themselves dynamically, on an unknown schedule. I don’t see this in the

Who wants to work together on a QoS system using this feature?
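A starting point for the QoS system the post asks about, as an added example that is not the post's own configuration: one FQDN address-list entry, mangle rules that mark traffic to whatever the name currently resolves to, and a simple queue that prioritizes those marks. The list name, mark names, the LAN subnet 192.168.88.0/24 and the queue limits are assumptions; www.ispsupplies.com is the name the post uses.

```routeros
# Added example, not from the post. List/mark names, the LAN subnet and
# the rate limits are assumptions.

# One FQDN entry. RouterOS resolves it with the router's own DNS settings
# and keeps the resulting A records as dynamic entries in the list.
/ip firewall address-list add list=cdn-web address=www.ispsupplies.com \
    comment="resolved dynamically by the router"

# Mark the connection on first sight, then every packet in that connection.
/ip firewall mangle add chain=prerouting dst-address-list=cdn-web \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=cdn-conn passthrough=yes \
    comment="traffic to CDN-hosted destinations"
/ip firewall mangle add chain=prerouting connection-mark=cdn-conn \
    action=mark-packet new-packet-mark=cdn-pkt passthrough=no

# Prioritize the marked traffic. The target must be a real address or
# interface (the LAN side), never 0.0.0.0/0, or direction detection breaks.
/queue simple add name=cdn-priority target=192.168.88.0/24 \
    packet-marks=cdn-pkt priority=3/3 max-limit=20M/20M

# See what the resolver actually put in the list right now.
/ip firewall address-list print where list=cdn-web dynamic

# Caveat (an addition, not from the post): the dynamic entries are only as
# trustworthy as the DNS answers the router receives. Use FQDN lists for
# marking and shaping like this; do not turn one into an accept rule in
# /ip firewall filter unless you trust the router's upstream resolver.
```

Re-running the `print` over time shows the rotation the post observed: entries appear and disappear as the CDN's answers change, without any manual edits to the list.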


How to use Ubiquiti’s AirLink tool to plan wireless links

To properly select Ubiquiti gear for a point-to-point or point-to-multipoint link, you need to do proper planning.  Fortunately, Ubiquiti has a great tool that allows you to try different products in a real-world link simulation to select the right product for your application.

You can begin mapping out your service area using Ubiquiti’s Airlink tool here: https://airlink.ubnt.com/#/ptmp

You can plan your backhaul links using this function: https://airlink.ubnt.com/#/ptp

This YouTube video shows the features of the AirLink software and how to use it for mapping.


Grandstream security vulnerability in the UCM series firmware

Grandstream posted this today…

A security vulnerability has recently been discovered in the UCM series IP PBX firmware version 1.0.14.23 or older. We highly recommend that any UCM customer upgrade their firmware version to 1.0.14.24 or 1.0.15.13 as soon as possible in order to install a permanent fix to this issue.

The security vulnerability affects the UCM6100 series, UCM6200 series, and UCM6510. For more information on the details behind the security issue please read the special security bulletin below.

Grandstream Security Bulletin GS17-003

To upgrade your firmware, please visit the firmware page below and install either 1.0.14.24 (official release) or 1.0.15.13 (currently a beta release).

Grandstream Firmware Page

If you are not familiar with how to upgrade the firmware, please see below for a link to each UCM series user manual:

UCM6100 User Manual, page 349

UCM6200 User Manual, page 336

UCM6510 User Manual, page 364

For additional support resources please see the options below. If you are opening a Help Desk ticket please be sure to log in with your ResellerConnect credentials to receive priority technical support.

Help Desk

Grandstream Forums

UCM Security Manual

The post Grandstream security vulnerability in the UCM series firmware appeared first on Steve Discher.


Using Baicells LTE L2 Mode

Baicells LTE provides an L2 mode to bridge the UEs.  To change the LGW mode, navigate to the Network -> LGW page. In LGW L2 mode, the eNB creates a virtual interface for every UE that attaches. Each virtual interface then does a DHCP request and creates a 1:1 mapping between the UE IP (from the Cloud EPC) and the LGW IP. In L2 mode, the MAC address that the CPE uses is generated from the IMSI number. To calculate the CPE MAC address, convert the last 12 digits of the IMSI number to hex, then prefix it with 8A. For example, if the IMSI is 311980000002918, you would take the last 12 digits “980000002918” and convert them to hex, which equals “E42C8D5366”, giving the MAC address 8A:E4:2C:8D:53:66. Once you know the MAC address, you can provision your networking accordingly.
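The IMSI-to-MAC derivation above as a RouterOS script, an added example that is not from the post or from Baicells. Running it on the MikroTik router that fronts the eNB lets you compute the MAC for a static DHCP lease without a calculator. The IMSI is the post's own example; the variable names and the commented provisioning line (with its placeholders) are assumptions.

```routeros
# Added example, not from the post. Computes the L2-mode CPE MAC from an IMSI
# exactly as the post describes: last 12 decimal digits -> hex -> prefix 8A.
:local imsi "311980000002918"

# Keep only the last 12 digits of the IMSI ("980000002918" for this example)
:local tail [:pick $imsi ([:len $imsi] - 12) [:len $imsi]]
:local n [:tonum $tail]

# Convert the decimal value to upper-case hex, one nibble per loop pass.
:local digits "0123456789ABCDEF"
:local hex ""
:while ($n > 0) do={
    :set hex ([:pick $digits ($n % 16) (($n % 16) + 1)] . $hex)
    :set n ($n / 16)
}
# 12 decimal digits always fit in 10 hex digits; left-pad small values.
:while ([:len $hex] < 10) do={ :set hex ("0" . $hex) }

# Prefix 8A and insert the colons: 8A:E4:2C:8D:53:66 for the post's IMSI
:local mac ("8A:" . [:pick $hex 0 2] . ":" . [:pick $hex 2 4] . ":" . \
    [:pick $hex 4 6] . ":" . [:pick $hex 6 8] . ":" . [:pick $hex 8 10])
:put ("IMSI " . $imsi . " -> CPE MAC " . $mac)

# Provisioning step (assumption, shown but not executed): pin the CPE to a
# fixed address on the DHCP server that serves the LGW bridge.
# /ip dhcp-server lease add mac-address=$mac address=<static-ip> \
#     server=<dhcp-server-name> comment=("CPE IMSI " . $imsi)
```

Because the MAC is derived deterministically from the IMSI, anyone who knows a subscriber's IMSI knows its bridged MAC; treat MAC-based filtering on the LGW segment as an inventory aid, not as authentication.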

Note:

About the LGW, the CPEs will get private IPs from the cloud EPC. Since the operator has no control over this, LGW is used to translate the IPs to match your own network. You can find some more details on this in the Nova LGW User Guide. We currently do not support VLANs using LGW. With LGW, your options are: NAT mode (L3 w/ NAT), where all CPEs will share the same IP address as the eNB, or Router mode (L3), where you can route to the LGW subnet.

To access the CPE remotely:
First, you have to change some settings on the eNB and the CPE before you can access the CPE remotely.

From base station web GUI:
Under LTE Settings->LGW Settings, you can select either NAT (default) or Router mode. Under either mode, you can remotely access the CPE. Details are included in the attached LGW User Guide. Also, as described in this guide, you can statically assign an IP address to each CPE based on the SIM card’s IMSI number.

From CPE web GUI:
To enable remote access to the CPE, please remember to enable the “Allow HTTPS Login from WAN” parameter on the System->Web Setting page.

Baicells LTE Attachment(s)
Nova LGW User Guide (8).pdf
LGW Bridge Flowchart (5).png
CPE Working Mode.docx


One Reason IPV6 on MikroTik Doesn’t Stink

One word, auto configuration.  That’s two words, ok, but if you scrunch it together it is one, autoconfiguration.  My spell check keeps complaining about making it one, but oh well.  In the MikroTik world, enabling the MikroTik IPv6 package is really all you need to do to start using it (provided your computer is dual stacked as well).  Today, I realized how nice it is to take a router, reset it to factory defaults, and, as long as IPv6 is enabled, log into the router at Layer 3 with no configuration, because IPv6 autoconfigures itself.

That is a big deal because often, on certain laptops, I can’t get MAC Winbox to work.  It can be really flaky, but with IPv6 I don’t need it.

Example: I reset this router to factory defaults and look at Winbox:

I can click the MAC address (green arrow) and put up with disconnects or failed connections or click the red arrow and have instant Layer 3 access with no configuration on the router. This one benefit is enough for me to start running IPv6. Obviously, there are many others but this should get your attention at least.

If you want to start learning IPv6, watch some YouTube videos, there are tons, and then create a free IPv6 tunnel with Hurricane Electric’s Tunnelbroker.com.  Try it, it works!


Updating PoE Standards on the UniFi Product line

Ubiquiti posted this recently and I thought it worth repeating.

UniFi Access Points have always been built to be powered by PoE – it’s convenient, easy to setup and scalable. When we first started producing UniFi nearly 7 years ago, 24v Passive PoE was the standard in the operator space so we opted to use 24v passive for our Enterprise lines (UniFi, EdgeMAX).

Since then, 802.3af and 802.3at PoE technologies have become the standard, especially in the Enterprise space. The 802.3af/at standards provide a number of benefits over 24v passive that improve stability, allow for greater voltage, etc. (For more details on PoE methods/standards see our article on PoE here).

For this reason, we have been intentionally moving our products (UniFi APs, UniFi Switch, UniFi Video, etc.) toward the current standard for some time, and will continue to do so.

  • 802.3af+24V Support for UAP-AC-LR/UAP-AC-LITE
  • Removal of 24V Support from New Production of UniFi Switch Series

While we have produced many devices that support 802.3af/at, a couple of our Access Points (UAP-AC-LITE, UAP-AC-LR) continued supporting only 24V passive. Over the past several months (starting in September 2016) a number of customers have noted the appearance of some UAP-AC-LRs/UAP-AC-LITEs that have a sticker showing “802.3af Compatible” (see top-left of boxes in image below):

This reflects a hardware revision that has been made to make newer UAP-AC-LITEs and UAP-AC-LRs 802.3af compatible in addition to supporting 24V passive. Any device produced with datecode 1638 (September 2016) and up contains this revision and can be powered by any 802.3af power source like the UniFi Switch.

As a part of updating and improving our products, we will continue to transition away from 24V passive PoE and prioritize 802.3af/at standards. To this end, already-produced switch units with 24V PoE support will retain it, while all future production starting on July 1st 2017 will be 802.3af/at only (across all UniFi Switch models). As existing stock at distributors/resellers/etc. will remain 24V+802.3af stock for some time (until it sells out), this transition will be gradual, with our goal of simplifying UniFi PoE to standards.

This update to the UAP-AC-LR/LITE has been made to ensure that these devices can continue to benefit from updated technology and be deployed with industry standard PoE.

AC-LITE and AC-LR Change Summary

  • The only change made to the AC-LITE and AC-LR devices was the introduction of 802.3af compatibility, as of September 2016.
  • This will not affect the performance of the devices in any way.
  • This modification was added to add stability/consistency to product line at no additional cost to customers.
  • These updated devices will continue to permit 24V passive.

UniFi Switch Change Summary

  • The only change made to the UniFi Switch series is the removal of 24V output support.  Models with 24V support removed will start production July 2017:
    – US-8-150W
    – US-16-150W
    – US-24-250W
    – US-24-500W
    – US-48-500W
    – US-48-750W
  • All new UniFi Switch models will also not have 24V support.

This transition is by popular request of UniFi users.  We intentionally rolled 802.3af support into the UAP-AC-LITE and UAP-AC-LR (starting Sept. 2016) nine months before initiating removal of 24V from new production of the UniFi Switches (starting July 2017) to lessen the impact of the transition.


ISP Supplies Names Violeta Thompson New Director of Marketing

College Station, Texas: ISP Supplies, a leading provider of high-quality networking equipment, recently announced that Violeta Thompson has joined the company’s marketing team as Marketing Director.

Violeta will be developing and implementing an overall corporate marketing strategy, directly engaging and managing the marketing team, and translating the company’s business objectives into marketing strategies that drive revenue. In addition, she will determine and administer the marketing budget and identify and track key metrics. ISP Supplies is looking to expand its marketing efforts and provide a stronger presence across North and South America.

“We conducted a nationwide job search looking for someone with Violeta’s qualifications and we are elated that we were able to bring her into our ISP family. Her integrated marketing experience and skill set around modern, scalable marketing methods will allow us to capitalize on the strength of the ISP Supplies brand as we continue to innovate and grow.”  said Steve Discher, Owner and Founder.

With over a decade of experience, Violeta comes to ISP Supplies most recently from Dolce Advertising, where she served as Creative Director and Strategist. In her role, she has managed and motivated interdisciplinary teams, developed and implemented business strategies, and designed and directed various new client branding campaigns. Her most notable work is in web development, ranging from informative websites to highly configurable e-commerce websites and software applications. Violeta holds a Bachelor of Arts in Marketing from the University of New Orleans and is a member of the American Market Association and the Hispanic Chamber of Commerce.

About ISP Supplies: ISP Supplies is a leading provider of high quality wired and wireless networking equipment and services. The company’s 10,000 square foot warehouse provides wireless internet service providers with products from top manufacturers. Its team of experienced trainers has consistently been the choice among notable enterprises and institutions, including the U.S. Department of Justice, Centurylink, and the Smithsonian Institute.


MikroTik Optimal Wireless Config for Transparent Point to Point or Backhaul

I am often asked what the optimal configuration is for a point to point with MikroTik, typically SXTs.  I would stress that the fewer settings you make, the better the link will work, so I don’t recommend tweaking, just set the basics.  Here are screen shots of everything that needs to be set to make a high capacity point to point.  The red boxes are settings that are peculiar to that end of the link and the blue boxes are the settings that must match on both ends of the link:

Wireless AP End of Link (also called bridge mode on a point to point)

Station End

ISP Supplies is a premiere MikroTik stocking distributor in the USA and we pride ourselves on offering more than boxes; we also offer knowledge.  Our team is knowledgeable, willing and able to provide technical assistance with any MikroTik device.


Common Error with Simple Queues in MikroTik RouterOS

Simple Queues don’t work properly…

I have heard this more than once: my MikroTik RouterOS Simple Queues don’t work properly.  In a simple queue, the “target” option is the only option that determines the flow direction of the queue.  Since the default value is 0.0.0.0/0, leaving it at that value creates an issue.

  • If a target is not specified (is 0.0.0.0/0), all traffic will be captured in the download part of the queue, as everything is download for 0.0.0.0/0.
  • This means the queue will not deliver the amount of bandwidth you are expecting.
  • Using the “dst” option is only an additional filter; it doesn’t determine the direction.

I did some tests using different values for target.  First, the incorrect target of 0.0.0.0/0. Notice this is a 3Mx3M queue and we aren’t getting even close to that on download:

Now, I changed the target to the IP of the test workstation. As you can see the queue operates as expected now, about 3Mx3M.

Finally, I changed the target to the interface.  Same result, 3Mx3M:

Set that target, don’t accept 0.0.0.0/0 and your MikroTik simple queues will work as expected.
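The three tests above as RouterOS commands, an added example that is not the post's own (the post shows screenshots). The workstation address 192.168.88.10 and the interface name bridge-lan are assumptions; the 3M/3M limit is the post's.

```routeros
# Added example, not from the post. Address and interface name are assumptions.

# Wrong: target left at its default. For 0.0.0.0/0 every packet counts as
# "download", so the 3M upload half is never used and the download half
# absorbs both directions. Kept disabled so it does not compete below.
/queue simple add name=ws1-wrong target=0.0.0.0/0 max-limit=3M/3M disabled=yes

# Right: target is the client address. Traffic from it is upload,
# traffic to it is download, and each side gets its own 3M.
/queue simple add name=ws1 target=192.168.88.10/32 max-limit=3M/3M

# Also right: target is the interface facing the clients; direction is
# decided by which side of that interface the packet enters.
/queue simple add name=lan-users target=bridge-lan max-limit=3M/3M

# dst= only narrows which flows are queued; it never sets the direction.
/queue simple add name=ws1-to-cdn target=192.168.88.10/32 dst=203.0.113.0/24 \
    max-limit=3M/3M comment="dst is a filter, target still decides direction"

# Watch the per-direction rates while a client runs a speed test.
/queue simple print stats
```

The `print stats` output is where the problem shows itself: with the wrong target, only the download counters move during an upload test.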
