About Steve Discher

Steve Discher was born in Apple Valley, California and today makes his home in College Station, Texas with my wife and three children. He is a 1987 graduate of Texas A&M University and own ISP Supplies, a wireless distribution company, and conducts MikroTik training classes. His hobbies include flying my Piper Cub and RV camping with my family.

New ISP Supplies App

Now available on the Playstore and the iPhone Appstore, the ISP Supplies App! With great features like a powerful search engine and a reorder list, it makes it fast and easy to place orders on the go.

  • Favorite products for quick access
  • Reorder products on the go
  • Product search
  • View order status
  • Download invoices
  • Synced cart across devices

We put a lot of time and effort into this app to make it easy to sue and hope you will enjoy it!

Update: Block Countries Based on IP Addresses and Networks

If you never used my web site https://mikrotikconfig.com to build firewalls and QOS, you have been working too hard!  I recently (today) updated the database of IP addresses by Country to generate MikroTik IP Address Lists by country.  Check it out!

UPDATE: 12/31/18  With the help of Google, I wrote a bash script to automatically update the lists daily!

 

Unhacking Your MikroTik Router

Several vulnerabilities and exploits have recently plagued MikroTIk users.  Specifically, these vulnerabilities affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it.  Granted, you can be critical of MikroTik but after all, running without a firewall is a user problem not a MikroTik problem.

MikroTik fixed the vulnerability in the following RouterOS releases:

  • 6.37.5 in the Bugfix channel
  • 6.38.5 in the Current channel

The vulnerability in question was exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.

Many users may have unknowingly had their credentials compromised BEFORE their router was upgraded, but not yet actually hacked.  This means many upgraded and thought they were completely safe until a few weeks ago when strange behaviors may have been observed.  Specifically what we have seen is IP blacklisting by game sites like Playstation and XBox, slow speeds, inability to manage the router and so on.  The telltale sign of this hack is viewing the system log and it is only one line long.  If this has happened to you, the best solution is to clean up the config to remove the hack, export the config, check the config closely and then Netinstall the router and import the config.  Again, this is the most drastic but the safest approach.  Here are the things we have seen done by the hacker you will need to clean up:

/system logging

Reset it to 1000 lines

/ip firewall filter

Remove this rule and enable your drop rule if disabled

/ip socks

Disable it

/system scheduler

Delete any scheduled entries you didn’t add.  Look for one that starts a script named “port 54321”

/system script

Delete this script

/system users

The hack adds a user “system”, delete that

I saw one router thad had a ppp user added. I can’t remember the user name but check that as well.

Those are the things we have found in many routers so get your routers cleaned up, change the passwords, add a real set of firewall rules (http://mikrotikconfig.com is a good place to star) and be safe.

How to configure Baicells LTE for a WISP Network

With so many options of NAT, Router, Bridged, etc., it can be overwhelming to create the correct architecture for your first Baicells LTE deployment the first time.  To facilitate this for you, I created a Baicells LTE HowTo Knowledge Base article that outlines the best fit scenario for LTE deployments for WISPs. You can read the article HERE.

Why is Technical Training So Important

As someone that has organized and lead technical training for more than ten years, I can say I have been asked this question many times.  The commonality is that most people are self-taught, and use certain products in the daily conduction of their jobs, and feel like formal training doesn’t have sufficient value to warrant the time off from work, or the expense associated with it.  I would like to take a few moments today to outline what I believe the benefits of formal training are.  This post is timely because we have just such an opportunity coming up in July at ISP Supplies, but more on that later.

Addressing Weakness

No one likes to admit they are weak in any area, yet just like muscles, not using a skill every day leads to weakness.  A training program allows you to strengthen those skills, that each employee needs, to improve and brings all employees to a higher level so they all have similar skills and knowledge.  You get sharper, the network runs better and everyone benefits.

Consistency and Performance

Training programs are structured to present the greatest amount of information in the least amount of time.  This means you get the opportunity to see all the features of a product, or system rather than just the ones you regularly use.  In the process, students almost always learn a new or more efficient way to perform a function.  This leads to consistency and repeatability which increases efficiency.  Once again, things just work better.

Motivation

Employees that are subjected to training opportunities perform at a higher level than those that have to seek out training on their own.  This fact speaks for itself.

Opportunity

The value of attending a training even is not just the material, it is the chance to network with other professionals in your area of expertise and thereby create relationships that benefit you today and in the future.

I began the post with the words “just such an opportunity” and now I want to invite you to gain the benefit that only formal training can provide by attending our fun and educational Summertime Cookout With Cambium Networks  There is more information and the opportunity register HERE.  I hope you can make it!

 

 

 

New Baicells LTE Nova 436

We are excited about the latest product from Baicells, the Nova 436. We received our first shipment late last week and this new LTE Base Station has some really cool features, never before seen from Baicells and not at this price point. The Nova 436 is the first Baicells LTE product to deliver carrier aggregation, even across discontiguous channels. Carrier aggregation is used in LTE-Advanced in order to increase the bandwidth, and thereby increase the bitrate or throughput. This is critical for the upcoming CBRS bands, where “PAL” and “GAA” channels allocated by the SAS may not be contiguous.

Quick Facts: Max peak rate of the aggregated carriers is 224 Mbps DL.  Fully featured, these ship with everything you need (except antenna and power cabling) which lets you rack up more savings and simplify ordering and delivery
The Baicells dual carrier base station has some significant advantages over the competition:

One Gig-E copper AND one Gig-E SFP Cage: In split sector mode, the Nova dual carrier base station has independent 20 MHz channels. This is 2x the capacity our main competition only splits with two 10 MHz carriers. Lower weight and less power draw than others, so it’s less expensive to build battery back up support. Better pricing and still no games. No feature restrictions, so you get what you pay for. And, of course, unlike our competition, our Novas come with GPS, modules, and everything needed all for one low price.

The New Nova 436 may also be used in “split sector” mode for maximum footprint and capacity in one package. And, unlike competitive products, each carrier can have as high as 20 MHz of independent channel width. In split sector, you utilize two of the bas station antenna connectors to serve one sector and the other two to serve a second sector. This is a great way to cover 360 degrees with one base station and without an omni. As your cell density increases, you can add a second base station and do carrier aggregation, and increase your total capacity tremendously. This allows operators to “grow into” LTE.

The Nova 436 is available now at ISP Supplies. We are a full service Baicells distributor, ready to serve your LTE needs.

Baicells LTE Adds Halo B Support

HaloB is a feature that Baicells LTE introduced in February of 2018. Any Baicells eNodeB (eNB) can be purchased with or upgraded to HaloB through software feature activation. A HaloB eNB eliminates the transport layer between the Evolved Packet Core (EPC) and the eNB by embedding a “Lite EPC” directly on the eNB. Therefore, critical control plane signaling is kept local.

With HaloB installed, S1 (transport) failures are eliminated. This removes wireless PTP backhaul failures, fiber outages, or routing mistakes from causing customer service disruption. CloudCore is still available for OMC monitoring and upgrade functions, as well as the BOSS HSS functions. SIM card activation and bandwidth package assignment are still performed by the BOSS. Operators using the Baicells API for billing software integration will see no change. When a UE attempts to attach to a HaloB eNB, the HaloB contacts the BOSS to verify the IMSI is valid and active and collects the bandwidth packages. All information is downloaded to the HaloB memory bank. Once stored, the UE will remain attached indefinitely. In the event of an eNB or UE reboot, attachment only needs to check the local HaloB memory data for the UE to reattach.

SIM card IMSIs can attach to multiple HaloB eNBs, and each will store the SIM data for future attachments. In the event of a rare CloudCore outage, new installs may not be able to attach during the outage if the SIM data has never been downloaded from the BOSS before. This is not a mission-critical event in most cases and once the CloudCore connection is resumed, the HaloB eNB will collect the SIM data for the new install and commence attachment.

With HaloB:

  • Operators entering the world of fixed LTE wireless have a lower initial investment.
  • The simplified structure means there is no need for professional design and maintenance.
  • The self-configuration, plug-and-play deployment model means a shorter time-to-market (TTM) and faster return-on-investment (ROI).
  • Operators can provide a Layer 2 environment for SMEs and LAN gaming.
  • The eNBs and the core network functions are decoupled.
  • The control plane is processed within HaloB; user equipment will always be online.

What does Halo B Cost?

Per eNodeB: BAICELLS-HALOB-1 $249.99
Per 10 eNodeB’s: BAICELLS-HALOB-10 $1999.99.

Ready to add Halo B?  Now in stock at ISP Supplies HERE.

MikroTik Automatic Failover Two Gateways

There’s a million ways to do this on the wiki and the web but none of them fit my particular application.  Let me explain:

1.  The weak point in my network was an AirFiber 24 upstream from the tower I am connected to wirelessly.  This is the link that goes down in heavy rain causing an outage at our office to PROVIDER1.  We have a backup connection through a second provider that is slower but being 5GHz doesn’t drop in the rain, PROVIDER2.

The network is like this:

[MikroTik CCR1036-12G-4S]
—[RBSXT]—[RBOmniTikU-5HnD[—[AF24]—[PROVIDER1]
—[RBSXT]—[PROVIDER2]

2. Simple floating static routes with check gateway doesn’t help because on PROVIDER1 we never drop our 5GHz connection to the tower, it’s the upstream link that fails.

3. I tried recursive routes and it works but the failover was still lacking and seemed sporadic at best.

4. When failover did occur, the VOIP PBX would hold the connection open through the dead provider and some phones in the office wouldn’t work at all, rebooting the phone was the only solution. We tried a ton of solutions and never got it to work consistently.

The solution that works the best is as follows.  I am using a combination of static routes, firewall rules and Netwatch scripts. Here it is:

The Netwatch script watches 4.2.2.4 (a public DNS server). If it goes down:

  • It changes the distance on the default router to PROVIDER1 to 20 making it inactive.  Now all traffic defaults through PROVIDER2.
  • It emails me that the gateway has changed. Please not you must set up your email server IP, and any authentication in /tools e-mail first.
  • It clears any connections to my VOIP gateway, thereby causing them to re-establish, interestingly calls do not drop!
  • When pings return, it sets the distance on the default route through PROVIDER2 back to 1 making it the active route and then clears all connections to the VOIP gateway again.
/tool netwatch
add comment=CheckCon down-script="/ip route set [find comment=\"\
    PROVIDER1\"] distance=20\r\
    \n/ip route set [find comment=\"PROVIDER2\"] disabled=no\r\
    \n/tool e-mail send to=\"YourEmailAddress\" body=\
    \"Connection with PROVIDER1 Lost, Switched to PROVIDER2\" \
    subject=\
    \"Lost connection with PROVIDER1\"\r\
    \n/ ip firewall connection remove [find dst-address=\"\
    YourVoipGatewayIP\"]" host=4.2.2.4 interval=5s timeout=2s \
    up-script="/ip route set [find comment=\"PROVIDER1\"] distan\
    ce=1\r\
    \n/ip route set [find comment=\"PROVIDER2\"] disabled=no\r\
    \n/tool e-mail send to=\"YourEmailAddress\" body=\
    \"Connection with PROVIDER1 Regained, Switched back to PROV\
    IDER1\" subject=\"Regained connection with PROVIDER1\"\r\
    \n/ip firewall connection remove [find dst-address=\"\
    YourVOIPGatewayIP\"]"

Next we need to ensure we can only ping our test host through the PROVIDER1 connection.  This is done with a static route through PROVIDER1:

/ip route add 
comment="Force test pings through PROVIDER1" dst-address=4.2.2.4 /
gateway=199.21.228.153

Next we need to comment our default routes.

/ip route
add comment=PROVIDER1 distance=1 gateway=199.21.228.137 scope=\
    11
add comment=PROVIDER2 distance=10 gateway=209.112.225.65

Next we need to ensure that no pings to our test ip go through PROVIDER1 only:

/ip firewall filter add chain=output comment=/
"Drop pings to 4.2.2.4 if they go through PROVIDER2" \
dst-address=4.2.2.4out-interface=ether2 action=drop

As I write this it is pouring rain outside and I have observed it go down 3-4 times and even with people on the phone, calls continue and we haven’t lost the network. I am loving this!

Transitioning the WISP to Telrad LTE

The number one concern I have heard thus far before we transition a select group of WISPs (Wireless Internet Service Providers) from WiFI or TDMA to LTE is “How can I afford LTE?” and the question is valid.  The costs are high, very high, astronomically high in fact when compared to the “disruptively priced” gear from others we have enjoyed and loved in the past.  My response to the question “How can I afford Telrad Networks LTE?” is really another question and that is “How can I NOT afford Telrad LTE?”

Think about it this way.  When I was a full time WISP operator, we kept careful stats on the number of calls for service versus the number of installs.  I am not talking about tire kicker calls, I mean people that called, credit card in hand wanting to buy what we were selling. We found that we were only serving 20% of those qualified customers and losing 80%. Seriously, qualified customers, ready to read you their credit card number and close the deal today and agree to pay you every month, same day, same amount, and we had to tell them no 80% of the time?  Why?

Well, I can tell you it was not because we had a line of sight problem, it was because our WiFI and TDMA unlicensed equipment had a line of sight problem.  You see, what had happened is we accepted the shortcomings of the technology and began to believe LOS (line of sight) was the ONLY way.

Fortunately all that has changed and Telrad is leading the charge.  All that remains is a path to take the same gear our competitors, the big cell carriers have relied upon to take our customers, equipment that doesn’t have a LOS problem, and “WISPatize” it.  That is exactly what Telrad is doing.

We are WISPs and we know how to do what others won’t, or can’t or don’t understand and that is serve the unserved and underserved with the most cost effective, creative method we can.

So, as we evolve into the WISPatized LTE model, here’s another way to start small and transition into something huge.   Think about it like this, when you make the switch to LTE, even starting small and begin to crush your competitor’s LOS solution, you will take his customers and the revenue increase will fund the transition of the remainder of your LOS network to NLOS.

In that vein, here’s a solution to get you started small at first and the best part is it doesn’t involve an omini!  It allows nearly 360 degree coverage day one with only one base station radio and two sectors.  Understand it has some shortcomings:

  1. It is not 100% true 360 degree coverage, after all we are using two 65 degree sectors that provide up to 120 degrees of coverage, not 180 degrees.  There will be two pie shaped gaps, but those will get filled soon enough.  Be smart, position those gaps facing an uninhabited prairie or forest.
  2. This solution is not without signal loss.  Splitting the 4×4 MIMO into two 2×2 MIMO sectors will cost you 3 dB of signal.  That’s a lot, I get that.  Remember the rule of 3’s in RF theory?  Every 3 dB doubles your power, remove 3dB and halve your power.

The advantage here is that day one, one base station, two antennas and you have great close-in coverage with antennas you will reuse for Phase II.

One base station, two sectors, 2×2 MIMO

Sectors2

Phase II is to add a second BST and increase your range incrementally and fill the entire 360 degree area with no more gaps.

Two base stations, four sectors, 2×2 MIMO

Sectors2-4

Phase III is to add one or two more BST’s.  With 3 BST’s you are now full 4x MIMO, get back your lost 3 dB, increase your range and increase your density.

Four base stations, four sectors, 4×4 MIMO

Sectors44a

With 4 BST’s you will be able to increase your number of subs on this single tower to something approaching 400 depending on your bandwidth packages.

It’s not a perfect plan but it will work and that’s what WISPs do, make it work.  I hope this helps increase your knowledge and gets the creative juices flowing to transform your WISP into the next generation.