Mikrotik hAP ax³ adventures with Cable Modem Technicolor CGA4233vdf ( DOCSIS 3.1 coaxial cable) - Working

jordibond · April 4, 2024, 3:20pm

Hi all,
First of all, thanks to all forum contributors for their answers, great contributions!

When i was thinking about installing a router with advanced capabilities like wifi6, VPN, etc. , i looked for interoperability references with the Technicolor CGA4233vdf without luck. I can’t remove Technicolor box because its WAN port is a coaxial cable.

So this is a post to illustrate the configurations i’ve tried connecting the Mikrotik hAP ax³ to the cable modem via ethernet port 1:

-Routing scenario: configure the Mikrotik with routing, firewall and NAT.Two LAN: LAN-A:192.168.0.0/24 and LAN-B: 192.168.88.0/24. Seems to Work fine in despite of double NAT. I tried removing Mikrotik NAT but workstations on LAN-B can’t connect to workstations on LAN-A; i guessed that the cause is that router CGA4233vdf and workstation in LAN-A doesn’t known the gateway to LAN-B (and you can’t setup an static route to LAN-B in the Technicolor, even advanced user interface doesn’t have this option). Works out-of-the-box with dhcp-client setup on ethernet 1 port (WAN).

WAN <—> Technicolor CGA4233vdf <— LAN-A 192.168.0.0/24 —> Mikrotik router <— LAN-B 192.168.88.0/24 >

-DMZ scenario: Same as Routing scenario but configuring the CGA4233vdf with DMZ, which sends all connections to Mikrotik router.Seems to Work fine in despite of double NAT.I think difference is you have only 1 firewall.
Note: to configure DMZ in CGA4233vdf you must configure the Mikrotik with static IP on LAN-A

WAN <—> Technicolor CGA4233vdf DMZ <— LAN-A 192.168.0.0/24 —> Mikrotik router <— LAN-B 192.168.88.0/24 >

-Bridge mode scenario: Physical connexion is also the same as previous scenarios, but configuring CGA4233vdf as bridge mode instead of routing mode, and Mikrotik WAN port with dhcp-client. This is the current and final selected scenario: only 1 firewall and 1 NAT.

WAN <—> Technicolor CGA4233vdf bridge mode <— Public IP —> Mikrotik router <— LAN-A 192.168.0.0/24 >
Note: Phone connected to the RJ11 port on CGA4233vdf works also as expected.

In addition, in all scenarios i obtained 300Mbps wifi6 speed in test downloads with a portable MSI GE62 2QD Apache Pro sited on the same room than the Mikrotik router.

Best Regards, hope this helps to future users. Attached is the exported configuration file, i’ve followed some recommended security rules.
Power consumption Mikrotik HAP AX^3 : From 6w to 7w
Jordi
produccio_14mar24_bridgemode.rsc (7.34 KB)

holvoetn · April 4, 2024, 4:10pm

I have similar setup with Telenet ISP, CV8560E Docsis 3.1 E-router/modem over coax.
My router is RB5009.

Double NAT is not really a problem (I haven’t seen any yet). Worst case I can put my router in DMZ or even put Telenet modem in bridge mode which results in my router becoming the only external gateway. I opted not to, let them be the first line of defense for the Bad Wide Web

For the cases where I need it, I use port forwards to my router (mainly incoming wireguard connections).

Amm0 · April 6, 2024, 12:56am

Bridge mode to hAPax seem like the right call – essentially your turning it into just a cable modem. So while you’d lose Wi-Fi from the Technicolor, I’d imagine the AX from hAPax3 is going to be better than the Technicolor. And routing/NAT on hAPax3 certainly more flexible in this mode.

In terms of DoS protections I doubt the Mikrotik is any worse than whatever technicolor one is doing. e.g. it’s already using your bandwidth once it get to the cable modem & ISP DoS protections be on the DOCSIS headend side, not the router.

If “cable TV” package from your cable company, might want to search the forum since there is some tricks to allow “normal TV” (e.g. multicast / RTSP ) when in bridge mode. That be the other complexity with bridge mode. If you don’t have a TV package, it wouldn’t come up.

Now if you really want to use Technicolor Wi-Fi and LAN in a routed mode. I believe SOME technicolor routers support RIP dynamic routing protocol. And RouterOS supports RIP protocol, so you could enable that on both RouterOS & Technicolor to allow 192.168.0.0/24 and 192.168.88.0/24 routers to be exchange. IF it supported, that is… that allow “workstations on LAN-B can’t connect to workstations on LAN-A” while in routed mode. You’d have to check the UI to see if that was possible.

But routed mode only help if you really wanted to use the Technicolor’s built-in Wi-Fi along with hAPax3’s (perhaps for coverage if the hAPax3 were connected via long ethernet).

jordibond · April 10, 2024, 10:36am

Bridge mode to hAPax seem like the right call – essentially your turning it into just a cable modem. So while you’d lose Wi-Fi from the Technicolor, I’d imagine the AX from hAPax3 is going to be better than the Technicolor. And routing/NAT on hAPax3 certainly more flexible in this mode.
—> Certainly i also think wifi capability is better from the Mikrotik!

In terms of DoS protections I doubt the Mikrotik is any worse than whatever technicolor one is doing. e.g. it’s already using your bandwidth once it get to the cable modem & ISP DoS protections be on the DOCSIS headend side, not the router.

If “cable TV” package from your cable company, might want to search the forum since there is some tricks to allow “normal TV” (e.g. multicast / RTSP ) when in bridge mode. That be the other complexity with bridge mode. If you don’t have a TV package, it wouldn’t come up.
—> To complete the initial post about cable TV service: fortunately now the TV service is an IP box, wich in the Bridge mode scenario needs to be connected to the Mikrotik router without problem (plug and forget)

-Routing scenario: configure the Mikrotik with routing, firewall and NAT.Two LAN: LAN-A:192.168.0.0/24 and LAN-B: 192.168.88.0/24. Seems to Work fine in despite of double NAT. I tried removing Mikrotik NAT but workstations on LAN-B can’t connect to workstations on LAN-A; i guessed that the cause is that router CGA4233vdf and workstation in LAN-A doesn’t known the gateway to LAN-B (and you can’t setup an static route to LAN-B in the Technicolor, even advanced user interface doesn’t have this option). Works out-of-the-box with dhcp-client setup on ethernet 1 port (WAN).

WAN <—> Technicolor CGA4233vdf <— LAN-A 192.168.0.0/24 —> Mikrotik router <— LAN-B 192.168.88.0/24 >

Now if you really want to use Technicolor Wi-Fi and LAN in a routed mode. I believe SOME technicolor routers support RIP dynamic routing protocol. And RouterOS supports RIP protocol, so you could enable that on both RouterOS & Technicolor to allow 192.168.0.0/24 and 192.168.88.0/24 routers to be exchange. IF it supported, that is… that allow “workstations on LAN-B can’t connect to workstations on LAN-A” while in routed mode. You’d have to check the UI to see if that was possible.
—> Agree, i also though that RIP can solve the scenario, but this model doesn’t seems to support it ( see https://www.normann-engineering.com/products/product_pdf/ccap_cmts_-_cable_modems/technicolor/DS_Technicolor_CGA4233_EXT_v01.pdf to see the only specs i’ve been able to find - keep in mind tha my ISP doesn’t provide this info and my docsis box can be different cause is CGA4233VDF). UI doesn’t allow for RIP enabling nor static routes)

But routed mode only help if you really wanted to use the Technicolor’s built-in Wi-Fi along with hAPax3’s (perhaps for coverage if the hAPax3 were connected via long ethernet).
—> Agree, also found that wifi coverage is better using wifi Mikrotik. Both Technicolor and Mikrotik are placed in the same place in this case.

Amm0 · April 10, 2024, 12:09pm

Clearly bridge mode is the right call in your case. And in most cases with DOCSIS.

Re the TV set-top box, that was my only concern with bridging. I recall some provider in Spain (Movistar?) required some specific setup with multicast based on other posts. But TV box is working, that’s good news.