[TelstraClear] Telstra Cable Broadband Arp problems

Forums › One New Zealand (including Vodafone, WxC, Farmside) › [TelstraClear] Telstra Cable Broadband Arp problems

KiwiShaver

9 posts

Wannabe Geek

#19313 12-Feb-2008 20:08

Hi,

I have a similar issue to those posted by several others of late - intermittent loss of connection from some of my devices conneced to my netgear WGR614 wireless router. However I do have a solution which I thought I would post here as it may help others avoid some of the pain I have suffered this week!

I've been using the netgear WGR614 with the telstra cable service in Kapiti since last year. I had major problems getting it going to start with and have 2 little gems that might save you some pain that I learned via talking to telstra, the netgear helpdesk and much digging with packet sniffers and the like...

so here's my first tip for netgear users. Log on to the router and change its address range from the default (192.168.something) to another 192.168 or 10.x.x.x range. You will have endless connection / routing problems otherwise.

2nd tip - Netgear / Telstra ARP issue
As noted in other posts (http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=16787, http://www.geekzone.co.nz/forums.asp?forumid=49&topicid=17666 ) & others there is MEGA arp traffic bouncing round the telstra network.

Here's my setup:
telstra cable modem
netgear WGR614
Various ethernet / wireless devices in internal subnet 192.168.x.x something.

Problem symptoms:
apparently random loss of connectivity even to the internal router interface from some internal devices but not others. rebooting router / hosts, "repair" connection, or event just "arp -d routeraddress" in a cmd window restores connectivity for short periods. Smart packet sniffers such as etherpeek will report duplicate address errors for mac addresses that seem to come out of nowhere.

The why:
Fact 1: The WGR614 only has one arp cache for both internal and external interfaces (probably a common factor with many cheap combo devices)
fact 2: the router updates its arp cache from both internal and external interfaces based on arp traffic it sees
fact 3: much of the arp traffic in telstra is for invalid addresses (probably due to stupid configuration by users)

The WGR614 only has one arp cache for both internal and external interfaces, and combined with the fact it sees all the arp traffic on the telstra network, this can cause you big apparently random pain. The router will create an arp cache using the arp traffic from both you valid internal hosts and all the external hosts floating about telstra land.

If you are using an ip address that some idiot has misconfigured their machine to broadcast arp for into telstra's subnet the netgear router will wipe your valid internal arp entry with the bogus internet one on a regular basis as long as the other machine is turned on. This will happen each time the other box sends an arp broadcast advertising its ip to mac details.

Solution:
Change your internal addressing scheme to something really really obscure and private that is unlikely to be hit by other stupid (or malicious) telstra users arp broadcast traffic....

I'd be keen to hear any other suggestions (don't tell me to buy a more expensive router with better security as this is what the netgear helpdesk told me already as a solution). I've complained to Telstra but am not confident of a positive resonse from them...

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#110318 13-Feb-2008 08:47

Interesting stuff Rick, of note, of the several folk on this forum that I have assisted with routers on the TCL network lately nearly all of them tripped themselves up after having placed an internal private IP in the WAN setup.

Cyril

Fraktul

836 posts

Ultimate Geek

Trusted

#110440 13-Feb-2008 17:13

Frankly thats pretty poor from Telstra Clear - its not like arp poisoning is anything new.

truantsailor

13 posts

Geek

#110622 14-Feb-2008 14:57

That sounds so obvious in retrospective. I'll check it out as soon as I get home Friday.

My problems are always worse in the evening which is I guess when JoeUser comes home and gets into gear and this explanation fits pretty well.

I also wonder what happens when the arp cache fills. There is a lot of random arp traffic on my cable segment that I have no interest in. Presumably it expires older entries as new ones come in.

Think I'll also check out whether I can make static arp entries for my default router and local PCs. They seldom change although it woudl be a pain if they did.

jim

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#110626 14-Feb-2008 15:10

Yep a nice firmware feature for routers would be that the cache only records local traffic and the WAN ones that matches the gateway or subnet, everything else is biffed.

I note that Cisco have quite a lot of documentation on ARP filtering on CMTS's, they have CMTS firmware that can be configured to counter this type of issue. What headend gear (CMTS) does TCL use?

Cyril

truantsailor

13 posts

Geek

#111376 18-Feb-2008 13:05

I tried changing my LAN IP addresses to a totally different range that is much less likely to be used by some else.

This change made no difference on my Zonealarm Z100G firewall.

I am trialling a Linksys WRT54GL and it seems much less prone to whatever the problem I am having is and may have solved it.

On the other hand the Linksys is much les flexible in its configuration. doesn't do content scanning, decent logging or a host of other things that the Zonealarm does.

I'd try some of the alternative open source firmware images for it if I was confident that it would have all the features I want without risking going backwards in solving the problem.

doppleganger

33 posts

Geek

#111402 18-Feb-2008 15:26

I'd be keen to hear any other suggestions (don't tell me to buy a more expensive router with better security as this is what the netgear helpdesk told me already as a solution). I've complained to Telstra but am not confident of a positive resonse from them...

Probably won't hear anything back, but I have it on good authority that the arp issue pissses off the Telstra cable guys at least as much as it does the customers. Now that that the vlan segmentation of the management side of the cable network has been completed (yay for the no more dhcp flying around the network) the cable guys are actively working on segmenting the CPE side of things into more manageable chunks.

Personally I just wish everyone had a router behind their cable modem and that people didn't plug the modems into their home switches. That'd make a whole bunch of the rfc1918 address space vanish from the arp torrent out there.

doppleganger

33 posts

Geek

#111404 18-Feb-2008 15:35

I note that Cisco have quite a lot of documentation on ARP filtering on CMTS's, they have CMTS firmware that can be configured to counter this type of issue. What headend gear (CMTS) does TCL use?

Arp filtering only deals with people sending out _alot_ of arp packets at a time, it's not so much filtering as rate shaping. The problem on the cable network is that there are some 10's of 1000's of customers all on one gigantic ethernet segment, but I understand that Telstra are actively looking into fixing that.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Fraktul

836 posts

Ultimate Geek

Trusted

#111409 18-Feb-2008 16:30

Yeah you need to do some sort of ACL on allowable ARP responses per MAC really.

doppleganger

33 posts

Geek

#111415 18-Feb-2008 16:59

Fraktul: Yeah you need to do some sort of ACL on allowable ARP responses per MAC really.

And of course the problem there is that you'd be blocking incoming arp packets based on the source mac address, which won't get you very far at all.

What you'd really need is a deep packet inspecting job that could inspect the contets of arp packets at wire speed and block/allow based on the who-has or is-at values. And no, TCL don't have CMTS that can do that. In fact I don't there _are_ CMTS that can do that, happy to be proven wrong tho. :)

Fraktul

836 posts

Ultimate Geek

Trusted

#111422 18-Feb-2008 17:54

Dump responses for specific IP ranges from any MACs apart from your whitelist. Eg dump responses for anything on 192.168.0.0/16 apart from my whitelist of MACs.... Seems like it would work to me.

doppleganger

33 posts

Geek

#111614 19-Feb-2008 15:43

Fraktul: Dump responses for specific IP ranges from any MACs apart from your whitelist. Eg dump responses for anything on 192.168.0.0/16 apart from my whitelist of MACs.... Seems like it would work to me.

Erg, yeah, but you're talking about deep packet inspection at wire rate. As in take packet strip ethernet and IP headers, look into the data portion of the frame, identify the values of the who-has or is-at message and then block on those values. Typical routers/CMTS can take a look at the headers at wire rate so they can block on src/dst mac address or ip address, but that's it. At wire rate that'd take a fairly high end bit of kit too.

And like I said before as far as I'm aware there aren't any CMTS out there that do filtering based on deep packet inspection.

.... hmmm... Re reading your reply you might also be getting confused as to how arp works, so here's a brief look:

Arp is a _layer 2_ protocol. Do a tcpdump or etheral capture of some of the traffic and you'll see the packets don't have a layer 3 (IP) or 4 (tcp/udp/icmp etc etc) header.

The addressing on ARP packets is all mac address based, messages don't come from or go to an ip address, they come from and go to mac addresses:

15:33:03.124969 0:90:1a:a0:3:d7 ff:ff:ff:ff:ff:ff 0806 56: arp who-has 121.73.49.187 tell 121.73.49.1
15:33:03.125904 0:40:2b:4f:10:da ff:ff:ff:ff:ff:ff 0806 60: arp who-has 121.73.3.32 tell 121.73.45.18
15:33:03.128193 0:90:1a:a0:3:d7 ff:ff:ff:ff:ff:ff 0806 56: arp who-has 121.73.52.13 tell 121.73.52.1

And to break that done some:

date stamp: 15:33:03.124969
Source Mac: 0:90:1a:a0:3:d7
Dest Mac: ff:ff:ff:ff:ff:ff
frame type, in this case ETHER_ARP: 0806
frame length in bytes: 56
data: arp who-has 121.73.49.187 tell 121.73.49.1

So no, dumping responses for anything on 192.168.0.0/16 wouldn't work unless, like I said before, you were deep inspecting the packets (ie looking beyond the ethernet header at the data chunk of the frame) to see what was in the who-has / is-at at dropping based on that.

Fraktul

836 posts

Ultimate Geek

Trusted

#111617 19-Feb-2008 15:57

Yes inspection of the data portion of the frame is what I was saying - I just didnt go into depth explicitly stating that because it would have duplicated what you said in your previous post.

Probably would have helped if I wrote a more detailed first post.

Yes I know how ARP works thanks

Edit: Also you mention taking high end kit - yes but this is actually no more computationally intensive than ACLs. We are not trying to do layer 7 inspection or anything. On legacy equipment this would a problem, with current ICs you have the MIPs to burn or transistors to dedicate to this kind of thing however.