Mikrotik router behind Comcast business modem with dynamic IPv6

I was so happy with the Mikrotik Routerboard I’m using at home that I talked my church into buying one for their building. Now I cannot for the life of me get it to work. The only difference that I can see between home setup and work setup is that I have a static IP from Comcast (business class Internet) at home, and the church has dynamic IP, which very often ends up being IPv6.

The Comcast modem is made by Cisco and is an incredible pain in the foot to manage. Each setting I change and save requires a reboot, which takes on average more than 10 minutes. And this is the “new” modem they used to replace our old one about 9 months ago.

The Mikrotik is a heX RB750Gr3 5-port RouterBoard.

Mikrotik WILL NOT connect to the Comcast modem, although no other device has issues doing so. I did enable the IPv6 package on the RB. I’ve tried putting the Comcast in bridge mode, rebooting both devices multiple times with nothing else connected. I’ve tried two chained routers, with Comcast providing a DHCP address on 192.168.10.x. I’ve tried setting static IP on the RB. The RB GUI reports that the cable connection is good, and shows activity on the line (confirmed by the lights flashing), but I cannot ping an outside address or get an Internet connection. I’ve spent three half days at the church trying to make this work with no success. Any suggestions?

I’m reasonably experienced with IPv4 networking, going all the way back to the coax days. :) Not so experienced with IPv6. My understanding is that if I do all IPv6 networking, that will expose my internal devices to the Internet. I’m very reluctant to do that. And some of our equipment is old and may not work with IPv6. So I’d like the RB to run NAT, keeping the internal network on 192.168.x.x, with only the WAN/modem connection using IPv6. Is this a sound approach?

Even though I’ve set up a lot on the RB, at this point I’m willing to factory reset and start over if I can just get it to work. Or maybe it’s just not possible to set up?

Post your config. I have been using both IPv4 and IPv6 since Comcast began supporting IPv6 (quite a number of years ago).

The dynamic IP should be an IPv4 though, and you should also get an IPv6 address and a prefix (/64 or /60).

If you are switching between routers, be sure to reboot the modem as they get locked to the WAN MAC address.

Yes, I rebooted the Comcast router and made sure the RB was the only device connected.

Here is the config:

# sep/09/2019 00:59:42 by RouterOS 6.42.11
# software id = H2AJ-QXHP
#
# model = RB750Gr3

/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 name=ether1-gateway
set [ find default-name=ether3 ] arp=proxy-arp l2mtu=1598 mac-address=\
    4C:5E:0C:AB:85:8D name=ether2-vlan
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
    name="ether3-subnet1 CID office"
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
    name=ether4-admin

/interface vlan
add interface=ether2-vlan name="vlan10 translation" vlan-id=10
add interface=ether2-vlan name="vlan11 CID office" vlan-id=11
add interface=ether2-vlan name="vlan12 CID wireless" vlan-id=12
add interface=ether2-vlan name="vlan13 Admin only" vlan-id=13
add interface=ether2-vlan name="vlan15 Guest Internet only" vlan-id=15
add interface=ether2-vlan name="vlan18 OpenVPN" vlan-id=18

/ip pool
add name=dhcp ranges=192.168.1.90-192.168.1.150
add name=dhcp_pool3 ranges=192.168.3.151-192.168.3.180
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.253
add name=dhcp_pool2 ranges=192.168.2.200-192.168.2.253
add name=dhcp_pool1 ranges=192.168.1.151-192.168.1.220
add name=dhcp_pool8 ranges=192.168.8.200-192.168.8.254

/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-10sec-delay disabled=no \
    interface="vlan12 CID wireless" name="Wireless office"
add address-pool=dhcp_pool8 disabled=no interface="vlan18 OpenVPN" \
    lease-time=6h name=VPN
add address-pool=dhcp_pool1 disabled=no interface="ether3-subnet1 CID office" \
    name=Basement
add address-pool=dhcp_pool1 disabled=no interface="vlan11 CID office" name=\
    "Upstairs wired"
add address-pool=dhcp_pool1 disabled=no interface=ether4-admin name=\
    "Admin port"
add address-pool=dhcp_pool0 disabled=no interface="vlan10 translation" name=\
    Translation

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-vlan network=192.168.88.0
add address=192.168.3.1/24 interface="vlan13 Admin only" network=192.168.3.0
add address=192.168.0.1/24 interface="vlan10 translation" network=192.168.0.0
add address=192.168.2.1/24 disabled=yes network=192.168.2.0
add address=192.168.8.1/24 interface="vlan18 OpenVPN" network=192.168.8.0
add address=192.168.2.1/24 interface="vlan12 CID wireless" network=\
    192.168.2.0
add address=192.168.1.1/24 comment="Management port" interface=ether2-vlan \
    network=192.168.1.0
add address=192.168.5.1/24 interface="vlan15 Guest Internet only" network=\
    192.168.5.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway

Is the Comcast device a modem only or is it a business class modem/router combo device? If it is a combo device then you need to call Comcast support and put it in bridged mode.

I looked at the config quickly and didn’t see any reason to not get a valid address, so it looks like you might be dealing with one of these combo devices.

Yes, it’s a combo device. It should work either in router mode or bridge mode. I did call Comcast and put it in bridge mode, but the Mikrotik did not work either way.

It’s probably not really in bridge mode then. On the dslreports forums in the past people have reported many issues with those devices (normally SMC devices). You are better off buying/trying a standard modem on the business class supported modem list and getting the modem activated on the account. This will make your life much easier.

Thanks. Shouldn’t the RB at least be able to get an IP address from the Comcast router via DHCP when Comcast is in router mode? Or be able to get online if I put a static IP on the RB? I’m concerned that I can go out and buy a new modem and my RB setup still isn’t working.

If there is a DHCP server on the modem / combo box it should provide an address. You might want to also update to a current version as 6.42.11 is very old - it looks to be a dev build anyway. There have been DHCP client related fixes since then, so you could be hitting an old bug.

Also be aware that your “ether1-gateway” is actually ether2 on your device. Perhaps this is your issue depending on how things are connected.

/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 name=ether1-gateway
set [ find default-name=ether3 ] arp=proxy-arp l2mtu=1598 mac-address=\
    4C:5E:0C:AB:85:8D name=ether2-vlan
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
    name="ether3-subnet1 CID office"
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
    name=ether4-admin
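
The port renaming pointed out above can be checked mechanically before a config goes on site. The Python script below is an added example, not part of the original post and not a MikroTik tool: the sample export is constructed from the first config in this thread (MAC addresses left out), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the first export in this thread
# (MAC addresses left out).
SAMPLE_EXPORT = r'''
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 name=ether1-gateway
set [ find default-name=ether3 ] arp=proxy-arp l2mtu=1598 \
    name=ether2-vlan
set [ find default-name=ether4 ] l2mtu=1598 \
    name="ether3-subnet1 CID office"
set [ find default-name=ether5 ] l2mtu=1598 name=ether4-admin
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
'''

RENAME = re.compile(r'default-name=(ether\d+)\s*\].*?\bname=("[^"]*"|\S+)')

def unwrap(export):
    """Join lines that the export wrapped with a trailing backslash."""
    return re.sub(r'\\\n\s*', '', export)

def renamed_ports(export):
    """Map each custom interface name to its physical (default) port."""
    return {m.group(2).strip('"'): m.group(1)
            for m in RENAME.finditer(unwrap(export))}

def misleading_names(export):
    """Custom names whose embedded port number differs from the real port."""
    bad = []
    for name, physical in renamed_ports(export).items():
        hint = re.match(r'eth(?:er)?(\d+)', name)
        if hint and 'ether' + hint.group(1) != physical:
            bad.append((physical, name))
    return bad

def dhcp_client_ports(export):
    """Physical port behind every interface a DHCP client is bound to."""
    text = unwrap(export)
    if '/ip dhcp-client' not in text:
        return []
    ports = renamed_ports(export)
    section = text.split('/ip dhcp-client', 1)[1].split('\n/', 1)[0]
    found = [i.strip('"') for i in
             re.findall(r'\binterface=("[^"]*"|\S+)', section)]
    return [(name, ports.get(name, name)) for name in found]

if __name__ == '__main__':
    for physical, name in misleading_names(SAMPLE_EXPORT):
        print(f'{physical} is named "{name}"')
    for name, physical in dhcp_client_ports(SAMPLE_EXPORT):
        print(f'DHCP client "{name}" listens on physical {physical}')
```

On the sample, every renamed port is off by one and the DHCP client bound to "ether1-gateway" is really listening on physical ether2, so a modem cabled to the first socket never sees a request.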

That looks like a likely source for the problem. I’ll change the interfaces, pools, servers and addresses and see what happens.

Update: I replaced the Comcast router with a brand new router, but the RB still was not working. Then I noticed that since the eth ports were mixed up, it affected IP addresses, DHCP servers, etc. I think I’ve cleaned up the remaining eth port errors. However, I cannot access the RB admin from eth3 or eth4. Any ideas?
Here is my config:

# sep/09/2019 03:18:55 by RouterOS 6.42.11
# software id = H2AJ-QXHP

# model = RB750Gr3

/interface ethernet
set [ find default-name=ether1 ] name=eth1-gateway
set [ find default-name=ether2 ] arp=proxy-arp l2mtu=1598 name=eth2-vlan
set [ find default-name=ether3 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8D \
    name=eth3-basement
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
    name=eth4-admin
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
    name=eth5-default

/ip pool
add name=dhcp_pool3 ranges=192.168.3.151-192.168.3.180
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.253
add name=dhcp_pool2 ranges=192.168.2.200-192.168.2.253
add name=dhcp_pool1 next-pool=dhcp_pool1a ranges=192.168.1.151-192.168.1.220
add name=dhcp_pool1a ranges=192.168.1.90-192.168.1.150
add name=dhcp_pool8VPN ranges=192.168.8.200-192.168.8.254
add name=adminpool ranges=192.168.88.90-192.168.88.253
add name=dhcp_pool4 ranges=192.168.4.151-192.168.4.220

/ip dhcp-server
add address-pool=dhcp_pool8VPN lease-time=6h name=VPN
add address-pool=adminpool disabled=no interface=eth5-default name=default
add address-pool=dhcp_pool0 disabled=no interface="vlan10 translation" name=Translation
add address-pool=dhcp_pool2 disabled=no interface="vlan12 CID wireless" name=Wireless
add address-pool=dhcp_pool3 disabled=no interface=eth3-basement name=Basement
add address-pool=dhcp_pool1 disabled=no interface="vlan11 CID office" name="CID wired upstairs"

/ip address
add address=192.168.10.2/24 interface=eth1-gateway network=192.168.10.0
add address=192.168.3.1/24 interface=eth3-basement network=192.168.3.0
add address=192.168.4.1/24 interface=eth4-admin network=192.168.4.0
add address=192.168.88.1/24 comment="default configuration" interface=eth5-default network=192.168.88.0
add address=192.168.0.1/24 interface="vlan10 translation" network=192.168.0.0
add address=192.168.1.1/24 interface="vlan11 CID office" network=192.168.1.0
add address=192.168.2.1/24 interface="vlan12 CID wireless" network=192.168.2.0
add address=192.168.5.1/24 interface="vlan15 Guest Internet only" network=192.168.5.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=eth1-gateway

Are you connecting to the router ip for that subnet, or a different vlan? You have firewall rules blocking inter vlan traffic.

Connecting on that port and on that subnet. But I think it’s simply marking them as invalid because I have everything disconnected. When I reconnect the cables and reboot, they come back. So tomorrow I plan to go back over and install this again in the church office.

If you do run into any issues, I would focus on your firewall rules. Disable the vlan restricting ones then enable one by one until you find the culprit.

Thanks so much!

So the saga continues…

I set the Comcast modem to have LAN IP 192.168.10.1 with DHCP starting at 192.168.10.90. (Note: this is not bridge mode.) The RB is set to WAN IP 192.168.10.2. I plugged it in and everything worked great on the RB! Firewall, routing, Internet access, all good so far. Then two issues happened:

  1. This is my third Comcast modem in a few months, and it too is defective, and crashes when you try to set up port forwarding. Easy solution: I’m ordering my own modem today and am done renting bad modems from Comcast.

  2. BUT, long story short, I called Comcast about the port forwarding and talked to an idiot rep who insisted that the only way this would work is with bridge mode off but with DHCP also off on the Comcast modem and my router getting a dynamic WAN IP. Finally I humored him and let him change the Comcast router. (After, he couldn’t figure out how to get it back and wanted me to pay a tech $100 to fix it. I declined and switched it back myself, but that’s another story.) BUT, here’s the weird thing. When the RB could no longer get a WAN IP or connect to Comcast on Eth1-gateway, it stopped allowing me to access the admin web GUI on ANY of the interfaces. I tried it plugged into Comcast, unplugged from Comcast, power cycled it, etc., but am back to the RB apparently not working. How would the lack of an Internet connection on eth1 stop the other interfaces from working? It did respond to ping, and DHCP was working, but no web admin on any of its IPs, and I could not verify that it was routing anything. This is the same thing that happened a few days ago when the Comcast tech was there with me; my RB stopped responding at all so it was easy for him to say the Comcast router issue was actually my Mikrotik’s fault.

Finally I gave up and brought the RB home again. After being off for 45 minutes, I fired the RB back up. Same thing. No more admin. The only change here is that I set it to “obtain address automatically” in the Quick set. DHCP works on eth5, eth4, eth3, and it responds to ping on those ports and IPs, but the web admin page is gone on all interfaces and IP addresses.

I suppose I could factory reset it and restore/rebuild the config, but I’m starting to wonder if there’s something wrong with the unit.

Really strange things. Put Comcast into pure bridge mode and try with a computer attached directly, to see if you can set it up in a way that everything starts to work. Then replicate the settings to the WAN port of the router. Check it gets the expected IP address and is able to get the Internet connection, then step forward… You need to split the areas of possible problems and investigate them independently.

http://forum.mikrotik.com/t/help-with-comcast-modem-bridge-mode-no-internet/142695/1

OP, I posted my thread in “General” section. Near identical issue.

Every other Comcast tech gave me a different answer. One I spoke to this morning says bridge mode requires static IP. I have dynamic IP. So he recommends “pass through” mode: disable Comcast wifi and remove IPv4 and IPv6 firewalls. Keep DHCP on. I did so and still no internet.

Latest tech thinks Mikrotik router is not configured properly to receive DHCP from Comcast. I’m not sure how to check if the Mikrotik is set up properly.

Newb question: how does one look at and post the router's config? Sorry for hijack.

Bridge mode means that the router should get a dynamic address. If you have a static allocation your gateway would have to be in router/gateway mode.

DHCP should work if the gateway device is actually handing out a DHCP address. Run the packet sniffer to see if DHCP requests are being sent and how they are being replied to by the gateway.

The only real reason to ever use these devices is if you need static addresses. If you don’t just get a regular modem and things will “just work”.
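
One way to read such a capture, as an added example that is not part of the original reply: the Python below decodes the DHCP message type from sniffed UDP payloads and reports at which step the exchange stops. The payloads are constructed by `build()` rather than captured, the address 192.168.10.90 is only sample data, and all function names are hypothetical.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie at offset 236
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build(msg_type, xid, yiaddr="0.0.0.0"):
    """Constructed sample payload (UDP data only), not a real capture."""
    op = 2 if msg_type in (2, 5, 6) else 1          # 1 = client, 2 = server
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    # ciaddr, yiaddr, then siaddr + giaddr
    addrs = bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)
    body = bytes(16 + 64 + 128)                     # chaddr, sname, file
    return head + addrs + body + MAGIC + bytes([53, 1, msg_type, 255])

def parse(payload):
    """Return (xid, message type, offered address) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return xid, TYPES.get(payload[i + 2], "OTHER"), yiaddr
        i += 2 + length
    return None

def diagnose(payloads):
    """Say at which step of the DHCP exchange the capture stops."""
    seen = [m[1] for m in map(parse, payloads) if m]
    if "DISCOVER" not in seen and "REQUEST" not in seen:
        return "router is not sending DHCP requests on this interface"
    if "OFFER" not in seen and "ACK" not in seen:
        return "requests sent, gateway never answers"
    if "NAK" in seen and "ACK" not in seen:
        return "gateway refused the request (NAK)"
    if "ACK" not in seen:
        return "offer received, lease never acknowledged"
    return "lease acknowledged"

if __name__ == "__main__":
    print(diagnose([build(1, 0x1234)] * 3))
```

Repeated DISCOVERs with no OFFER, the case printed here, point at the gateway or the cabling rather than at the router's DHCP client.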

How does one check to see if the Mikrotik is receiving a DHCP address?