Gentoo Forums
Trying to make things work in spite of a bad router?
Forum: Networking & Security
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Thu Sep 12, 2013 6:21 pm    Post subject: Trying to make things work in spite of a bad router?

Hi,

I have a customer with a crappy AT&T-supplied router. My customer leases the router, they don't have configuration access. If you google the router model, the first link is a review saying "not very good."

They have 4 public IPs and then the traditional local network on 192.168.x.y. The router manufacturer's solution to port passthrough is to give these public addresses, which are completely unprotected, and then everything else is on the 192.168. There's no configuration of ports, and anyone who wants can just statically configure their system to one of the public addresses and it "works".

The problem is, both 192.168.x.y packets and the public net packets are all traveling on the same wires and across wireless. The first packet from one "net" to the other goes through the router, and then the TCP stack realizes it's the same and tries for direct. This obviously breaks functionality. I can reboot a system, then hit it exactly once from the other net, and then after that it's broken. I can go from the private net to the private net as often as I like.

I've made my case to the customer to buy another router, but it might be tomorrow or it might be a couple months from now, I have no idea.

I want to make something that will work temporarily until the new hardware comes:

  1. I want to configure the Linux-based systems to ignore all traffic from another network which does not come from the router.
  2. I want to configure the Linux-based systems to go through the router for all traffic on another subnet, even if the route could be direct.
  3. Is there something I can do which will survive the system being plugged into a different network? Assume DHCP leases.


Can anyone give pointers? I suspect that no matter what I do to the Linux parts of this puzzle there will still be issues from other boxes.

Thanks.
eyoung100
Veteran
Joined: 23 Jan 2004
Posts: 1428

Posted: Thu Sep 12, 2013 7:00 pm

1. Use iptables and filter by MAC address.

Allow the MAC address of Router 1 in Net 1, disallow it in Net 2.
Allow the MAC address of Router 2 in Net 2, disallow it in Net 1.
See: iptables MAC address filtering

2. Consider putting both Nets on the same subnet, and then use a bridge, connect the bridge to a port on the ISP facing device. The bridge joins the subnets and routes all combined traffic through the router. If you use this approach, you won't need #1.

3. Set the lease time to 0. This "turns off" DHCP Renewal.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments | Emerge Wrapper
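Sketching items 1 and 2 of the question (with a guard for item 3) on a Linux host, as an added example that is not code from this thread or from any poster: the iptables mac match accepts a packet claiming a source in the public block only when the Ethernet sender is the router's MAC, the route to that block is pinned on the router's LAN address, and acceptance of ICMP redirects is switched off, on the assumption that redirects from the router are what make hosts switch to a direct path after the first packet. The interface name, addresses and MAC are constructed placeholders; with DRY_RUN=1 (the default) the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): pin traffic for the "other" subnet through
# the router and accept packets from that subnet only when the L2 sender is the router.
# Every address, MAC and interface name below is a constructed placeholder.

IFACE="${IFACE:-eth0}"                          # assumed LAN interface
ROUTER_IP="${ROUTER_IP:-192.168.1.254}"         # assumed LAN address of the appliance
ROUTER_MAC="${ROUTER_MAC:-00:11:22:33:44:55}"   # constructed; real value: ip neigh show "$ROUTER_IP"
OTHER_NET="${OTHER_NET:-203.0.113.0/29}"        # constructed public block (TEST-NET-3) sharing the wire
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Item 2: keep the route to the other subnet on the router even if the router
# later offers a direct path. Assumes the "goes direct after the first packet"
# behaviour is ICMP redirect handling, which accept_redirects=0 disables.
pin_route_via_router() {
    run sysctl -w net.ipv4.conf.all.accept_redirects=0
    run sysctl -w "net.ipv4.conf.$IFACE.accept_redirects=0"
    run ip route replace "$OTHER_NET" via "$ROUTER_IP" dev "$IFACE"
}

# Item 1: a packet with a source in the other subnet is legitimate only if it
# arrived from the router's MAC; anything else on the shared wire is dropped.
filter_other_net_by_mac() {
    run iptables -I INPUT 1 -i "$IFACE" -s "$OTHER_NET" \
        -m mac --mac-source "$ROUTER_MAC" -j ACCEPT
    run iptables -I INPUT 2 -i "$IFACE" -s "$OTHER_NET" -j DROP
}

# Item 3: only apply when the DHCP-assigned default gateway is the customer's
# router, so a machine plugged into some other network is left untouched.
current_gateway() {
    ip -4 route show default 2>/dev/null | awk '/^default/ { print $3; exit }'
}

apply_if_on_customer_lan() {
    if [ "$(current_gateway)" = "$ROUTER_IP" ]; then
        pin_route_via_router
        filter_other_net_by_mac
    else
        echo "default gateway is not $ROUTER_IP; leaving this host alone" >&2
        return 1
    fi
}

# Usage: ./pin-router.sh apply   (DRY_RUN=0 ./pin-router.sh apply to really run it)
if [ "${1:-}" = "apply" ]; then
    apply_if_on_customer_lan
fi
```

The gateway check is what makes the rules survive DHCP on another network: the script keys on the assigned default gateway rather than on the lease, so nothing is applied where the router is not the expected one. Note that the MAC match only helps against hosts that keep their own MAC; it does not tell two stations apart when, as in the appliance described below, several interfaces share one address.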
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Thu Sep 12, 2013 8:33 pm

This won't work.

This is a cheap (as in under $100, probably a LOT under) SOHO internet appliance, a combination router and modem, and they didn't bother to put in niceties like VLAN configuration or even a way to make some ports of a host public while keeping the others private. To complicate things, it's about 1,400 miles away from me.

I just checked, and all non-upstream interfaces on this router have the same MAC address. The upstream port's MAC address is downstream+1.

I suppose I could filter out anything not-my-subnet and not-from-router.

The bridge idea, if I understand you correctly, is not in the cards. I'll be lucky to get another SOHO router with a good TCP stack, real VLANs and port mapping.

Don't really want to turn off renewal. I played with that a few years ago and did not get a happy result. Some systems get grouchy when they can't renew.
eyoung100
Veteran
Joined: 23 Jan 2004
Posts: 1428

Posted: Thu Sep 12, 2013 8:49 pm

Does the Internet appliance have the ability to be put into bridging mode? If so, look at Best Buy: VoIP and cable/DSL modems. Use theirs as the bridging device and buy one. When I worked at Verizon, as tech support, we had customers we'd send a new modem that would connect a router to a router and could not get out. Bridging one always solves the issue. In the bridged device enable remote admin. Put the port number as something way off, then use the routable IP + whacky port # to access the bridge remotely, then do the same thing in the ISP device, just don't share the same port.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments | Emerge Wrapper
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Thu Sep 12, 2013 9:16 pm

Oh, man. You just put me into a depression.

The device is a Motorola NVG510. I googled "NVG510 bridge mode" and I see an endless stream of misery.

The problem with this router is that while it has configurations for all the neat features like a firewall and bridge mode and whatever else, none of it works correctly enough to interact well with other equipment.

Now I'm worried about whatever device they wind up getting working on it. Now I'm not even so much interested in getting it to work until the other device gets there, I'm hoping it can be made to work AFTER we get the other device.

Seriously, we could get by with a single public IP and a good firewall and port mapping in the final configuration. A good cross-platform VPN endpoint would be great too.

My personal SOHO Cisco gear works really well for what I want to do, I mess with that all the time. They know what VLAN means, they keep subnets separate, they have good port forwarding and firewalls and even DHCP-controlled static IPs so you can change everything from the control panel.

I find it hard to believe that Motorola would put out such pure junk, and that a national carrier would force it on their customers. I've bought Motorola stuff in the past, but no more.

Sorry for the rant, I'm just so incredibly angry with this situation. They've already checked, the building has only one carrier who will deliver service to it. The service is not nearly as fast or reliable as my home service, but they charge a business price for it. Service calls take weeks to finish, and the techs are novices with almost no training and zero understanding of networking.

I'm at a bit of a loss right now.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Thu Sep 12, 2013 9:41 pm

Good grief.

It appears that Motorola makes exactly two DSL modems which are not bridgeable, and both are because AT&T specified them that way.

Motorola isn't the bad guy here, it's AT&T. They've deliberately crippled their service to cause grief to their customers.

I have a bad feeling about this.
Simba7
l33t
Joined: 22 Jan 2007
Posts: 706
Location: Billings, MT, USA

Posted: Fri Sep 13, 2013 12:12 am

It wouldn't surprise me much if they did cripple service. Only one worse is CenturyLink.

Can you get the login information for the xDSL modem?

Here's a little more information for that modem. http://wikidevi.com/wiki/Motorola_NVG510
666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Sep 13, 2013 1:15 am

I'd get a standard DSL modem -> standard router setup going and mail their junk back to them.
Simba7
l33t
Joined: 22 Jan 2007
Posts: 706
Location: Billings, MT, USA

Posted: Fri Sep 13, 2013 2:46 am

666threesixes666 wrote:
    I'd get a standard DSL modem -> standard router setup going and mail their junk back to them.

Me... I'd probably hack it and throw on OpenWrt, but AT&T probably wouldn't like that.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Fri Sep 13, 2013 6:16 pm

It's not the customer's equipment. It belongs to AT&T.

FWIW I'd like to put in a plug for my ISP. I'm on Midcontinent Cable. It's awesome. I live in a small town in a sparsely populated state, and the service is excellent.

  1. I can get up to 100 Mbps.
  2. The installation techs are extremely knowledgeable. The guy looked at my equipment and asked a few pertinent questions, found out I'm not a novice on this and shared his opinion on the relative merits of other equivalent equipment.
  3. The equipment they give you is NOT junk. Quite the opposite. They figure if it's good equipment they'll have fewer support calls.
  4. There's no contract requiring you to stick with the number of channels or megabits once you get it. I can bump bandwidth up or down, change channel packages, whatever without a penalty.
  5. With a few exceptions, every time I run a speed test, I generally get more bandwidth than I paid for in both directions, even using a non-affiliated speed test service.
  6. Every reliability issue I've had turned out to be my equipment. A bad cable, for example.


It's crazy. I lived in the Chicago area for over 10 years. Cable and Internet are generally crappy, the speed is never up to the advertised rate, there are always extra service charges and hidden fees. It goes down fairly often and at bad times of the day. You get companies like AT&T who seem to go out of their way to provide the crappiest experience they possibly can, and for all I know they charge extra for service calls. Which would explain everything. You have Comcast, which is much better than AT&T but they lock you into contracts and charge extra at every possible opportunity.

Then you go out to where there are more cows than people, and you get some first rate Internet at speeds that I couldn't have gotten in Chicago even if I had the money for it. And it's better in every way.
thegeezer
n00b
Joined: 11 Jul 2010
Posts: 38

Posted: Tue Sep 24, 2013 9:49 pm    Post subject: Macvlan

Sounds like you want macvlan.
It came about because of the issue of a machine with VMs,
where you have a management port and a bridge going to the virtual machines.
Similar to your situation, you want the correct port to respond to the correct traffic.
macvlan is really just a separator for the local machine.

Failing that, you can also use ip rule and routing tables so that you can force the routing tables.
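As an added example of the two suggestions above (macvlan, then ip rule with a separate routing table), written for this edit and not code from thegeezer or the thread: a macvlan sub-interface carries the host's public address with its own MAC, and an ip rule sends everything sourced from that address to a dedicated table whose only way out is the router's address on the public block, so replies to the private LAN never take the direct path. Interface names, addresses and the table number are constructed assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): give the host a second L2 identity with
# macvlan for its public address, then use ip rule + a private routing table so
# everything sent from that address leaves via the router on the public block.
# All addresses, interface names and the table number are constructed assumptions.

IFACE="${IFACE:-eth0}"                       # assumed physical interface
PUB_IF="${PUB_IF:-pub0}"                     # name chosen for the macvlan sub-interface
PUB_NET="${PUB_NET:-203.0.113.0/29}"         # constructed public block (TEST-NET-3)
PUB_ADDR="${PUB_ADDR:-203.0.113.2/29}"       # constructed public address of this host
PUB_GW="${PUB_GW:-203.0.113.1}"              # constructed router address on the public block
TABLE="${TABLE:-100}"                        # routing table number for public-side traffic
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# macvlan: a sub-interface with its own MAC on the same wire, so the public
# address answers as a distinct L2 station instead of sharing eth0's identity.
# "mode bridge" lets sub-interfaces of the same parent reach each other locally.
create_public_macvlan() {
    run ip link add "$PUB_IF" link "$IFACE" type macvlan mode bridge
    run ip addr add "$PUB_ADDR" dev "$PUB_IF"
    run ip link set "$PUB_IF" up
}

# Policy routing: table $TABLE knows only the connected public block and a
# default via the public-side gateway; the rule selects it by source address,
# so traffic from the public address to 192.168.x.y goes through the router.
route_public_traffic_via_router() {
    pub_ip="${PUB_ADDR%/*}"            # strip the prefix length: 203.0.113.2
    run ip route add "$PUB_NET" dev "$PUB_IF" table "$TABLE"
    run ip route add default via "$PUB_GW" dev "$PUB_IF" table "$TABLE"
    run ip rule add from "$pub_ip" lookup "$TABLE"
}

# Usage: ./public-macvlan.sh apply   (DRY_RUN=0 to really run it)
if [ "${1:-}" = "apply" ]; then
    create_public_macvlan
    route_public_traffic_via_router
fi
```

The private address stays on eth0 and keeps using the main table, so private-to-private traffic is unaffected; only packets sourced from the public address are steered into table 100. Check the result with ip rule show and ip route show table 100 before trusting it, and remember that a numeric table needs no entry in /etc/iproute2/rt_tables.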