Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




9 posts

Wannabe Geek


# 19313 12-Feb-2008 20:08
Send private message

Hi,

I have a similar issue to those posted by several others of late - intermittent loss of connection from some of my devices conneced to my netgear WGR614 wireless router. However I do have a solution which I thought I would post here as it may help others avoid some of the pain I have suffered this week!

I've been using the netgear WGR614 with the telstra cable service in Kapiti since last year. I had major problems getting it going to start with and have 2 little gems that might save you some pain that I learned via talking to telstra, the netgear helpdesk and much digging with packet sniffers and the like...

so here's my first tip for netgear users. Log on to the router and change its address range from the default (192.168.something) to another 192.168 or 10.x.x.x range. You will have endless connection / routing problems otherwise.

2nd tip - Netgear / Telstra ARP issue
As noted in other posts (http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=16787, http://www.geekzone.co.nz/forums.asp?forumid=49&topicid=17666 ) & others there is MEGA arp traffic bouncing round the telstra network.

Here's my setup:
telstra cable modem
netgear WGR614
Various ethernet / wireless devices in internal subnet 192.168.x.x something.

Problem symptoms:
apparently random loss of connectivity even to the internal router interface from some internal devices but not others. rebooting router / hosts, "repair" connection, or event just "arp -d routeraddress" in a cmd window restores connectivity for short periods. Smart packet sniffers such as etherpeek will report duplicate address errors for mac addresses that seem to come out of nowhere. 

The why:
Fact 1: The WGR614 only has one arp cache for both internal and external interfaces (probably a common factor with many cheap combo devices)
fact 2: the router updates its arp cache from both internal and external interfaces based on arp traffic it sees
fact 3: much of the arp traffic in telstra is for invalid addresses (probably due to stupid configuration by users)

The WGR614 only has one arp cache for both internal and external interfaces, and combined with the fact it sees all the arp traffic on the telstra network, this can cause you big apparently random pain. The router will create an arp cache using the arp traffic from both you valid internal hosts and all the external hosts floating about telstra land.

If you are using an ip address that some idiot has misconfigured their machine to broadcast arp for into telstra's subnet the netgear router will wipe your valid internal arp entry with the bogus internet one on a regular basis as long as the other machine is turned on. This will happen each time the other box sends an arp broadcast advertising its ip to mac details.

Solution:
Change your internal addressing scheme to something really really obscure and private that is unlikely to be hit by other stupid (or malicious) telstra users arp broadcast traffic....


I'd be keen to hear any other suggestions (don't tell me to buy a more expensive router with better security as this is what the netgear helpdesk told me already as a solution). I've complained to Telstra but am not confident of a positive resonse from them...

Create new topic
6694 posts

Uber Geek
+1 received by user: 563

Trusted
Subscriber

  # 110318 13-Feb-2008 08:47
Send private message

Interesting stuff Rick, of note, of the several folk on this forum that I have assisted with routers on the TCL network lately nearly all of them tripped themselves up after having placed an internal private IP in the WAN setup.


Cyril

836 posts

Ultimate Geek

Trusted

  # 110440 13-Feb-2008 17:13
Send private message

Frankly thats pretty poor from Telstra Clear - its not like arp poisoning is anything new.

 
 
 
 


13 posts

Geek


# 110622 14-Feb-2008 14:57
Send private message

That sounds so obvious in retrospective. I'll check it out as soon as I get home Friday.

My problems are always worse in the evening which is I guess when JoeUser comes home and gets into gear and this explanation fits pretty well.

I also wonder what happens when the arp cache fills. There is a lot of random arp traffic on my cable segment that I have no interest in. Presumably it expires older entries as new ones come in.

Think I'll also check out whether I can make static arp entries for my default router and local PCs. They seldom change although it woudl be a pain if they did.

jim

6694 posts

Uber Geek
+1 received by user: 563

Trusted
Subscriber

  # 110626 14-Feb-2008 15:10
Send private message

Yep a nice firmware feature for routers would be that the cache only records local traffic and the WAN ones that matches the gateway or subnet, everything else is biffed.

I note that Cisco have quite a lot of documentation on ARP filtering on CMTS's, they have CMTS firmware that can be configured to counter this type of issue. What headend gear (CMTS) does TCL use?

Cyril

13 posts

Geek


  # 111376 18-Feb-2008 13:05
Send private message

I tried changing my LAN IP addresses to a totally different range that is much less likely to be used by some else.

This change made no difference on my Zonealarm Z100G firewall.

I am trialling a Linksys WRT54GL and it seems much less prone to whatever the problem I am having is and may have solved it.

On the other hand the Linksys is much les flexible in its configuration. doesn't do content scanning, decent logging or a host of other things that the Zonealarm does.

I'd try some of the alternative open source firmware images for it if I was confident that it would have all the features I want without risking going backwards in solving the problem.


33 posts

Geek


  # 111402 18-Feb-2008 15:26
Send private message



I'd be keen to hear any other suggestions (don't tell me to buy a more expensive router with better security as this is what the netgear helpdesk told me already as a solution). I've complained to Telstra but am not confident of a positive resonse from them...


Probably won't hear anything back, but I have it on good authority that the arp issue pissses off the Telstra cable guys at least as much as it does the customers. Now that that the vlan segmentation of the management side of the cable network has been completed (yay for the no more dhcp flying around the network) the cable guys are actively working on segmenting the CPE side of things into more manageable chunks.

Personally I just wish everyone had a router behind their cable modem and that people didn't plug the modems into their home switches. That'd make a whole bunch of the rfc1918 address space vanish from the arp torrent out there.

33 posts

Geek


  # 111404 18-Feb-2008 15:35
Send private message


I note that Cisco have quite a lot of documentation on ARP filtering on CMTS's, they have CMTS firmware that can be configured to counter this type of issue. What headend gear (CMTS) does TCL use?


Arp filtering only deals with people sending out _alot_ of arp packets at a time, it's not so much filtering as rate shaping. The problem on the cable network is that there are some 10's of 1000's of customers all on one gigantic ethernet segment, but I understand that Telstra are actively looking into fixing that.

 
 
 
 


836 posts

Ultimate Geek

Trusted

  # 111409 18-Feb-2008 16:30
Send private message

Yeah you need to do some sort of ACL on allowable ARP responses per MAC really.

33 posts

Geek


  # 111415 18-Feb-2008 16:59
Send private message

Fraktul: Yeah you need to do some sort of ACL on allowable ARP responses per MAC really.


And of course the problem there is that you'd be blocking incoming arp packets based on the source mac address, which won't get you very far at all.

What you'd really need is a deep packet inspecting job that could inspect the contets of arp packets at wire speed and block/allow based on the who-has or is-at values. And no, TCL don't have CMTS that can do that. In fact I don't there _are_ CMTS that can do that, happy to be proven wrong tho. :)

836 posts

Ultimate Geek

Trusted

  # 111422 18-Feb-2008 17:54
Send private message

Dump responses for specific IP ranges from any MACs apart from your whitelist. Eg dump responses for anything on 192.168.0.0/16 apart from my whitelist of MACs.... Seems like it would work to me.

33 posts

Geek


  # 111614 19-Feb-2008 15:43
Send private message

Fraktul: Dump responses for specific IP ranges from any MACs apart from your whitelist. Eg dump responses for anything on 192.168.0.0/16 apart from my whitelist of MACs.... Seems like it would work to me.


Erg, yeah, but you're talking about deep packet inspection at wire rate. As in take packet strip ethernet and IP headers, look into the data portion of the frame, identify the values of the who-has or is-at message and then block on those values. Typical routers/CMTS can take a look at the headers at wire rate so they can block on src/dst mac address or ip address, but that's it. At wire rate that'd take a fairly high end bit of kit too.

And like I said before as far as I'm aware there aren't any CMTS out there that do filtering based on deep packet inspection.

.... hmmm... Re reading your reply you might also be getting confused as to how arp works, so here's a brief look:

Arp is a _layer 2_ protocol. Do a tcpdump or etheral capture of some of the traffic and you'll see the packets don't have a layer 3 (IP) or 4 (tcp/udp/icmp etc etc) header.

The addressing on ARP packets is all mac address based, messages don't come from or go to an ip address, they come from and go to mac addresses:

15:33:03.124969 0:90:1a:a0:3:d7 ff:ff:ff:ff:ff:ff 0806 56: arp who-has 121.73.49.187 tell 121.73.49.1
15:33:03.125904 0:40:2b:4f:10:da ff:ff:ff:ff:ff:ff 0806 60: arp who-has 121.73.3.32 tell 121.73.45.18
15:33:03.128193 0:90:1a:a0:3:d7 ff:ff:ff:ff:ff:ff 0806 56: arp who-has 121.73.52.13 tell 121.73.52.1

And to break that done some:

date stamp: 15:33:03.124969
Source Mac: 0:90:1a:a0:3:d7
Dest Mac: ff:ff:ff:ff:ff:ff
frame type, in this case ETHER_ARP: 0806
frame length in bytes: 56
data: arp who-has 121.73.49.187 tell 121.73.49.1

So no, dumping responses for anything on 192.168.0.0/16 wouldn't work unless, like I said before, you were deep inspecting the packets (ie looking beyond the ethernet header at the data chunk of the frame) to see what was in the who-has / is-at at dropping based on that.

836 posts

Ultimate Geek

Trusted

  # 111617 19-Feb-2008 15:57
Send private message

Yes inspection of the data portion of the frame is what I was saying - I just didnt go into depth explicitly stating that because it would have duplicated what you said in your previous post.

Probably would have helped if I wrote a more detailed first post. Laughing

Yes I know how ARP works thanks Smile

Edit: Also you mention taking high end kit - yes but this is actually no more computationally intensive than ACLs. We are not trying to do layer 7 inspection or anything. On legacy equipment this would a problem, with current ICs you have the MIPs to burn or transistors to dedicate to this kind of thing however.

Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Xero announces new smarter tools, push into the North American market
Posted 19-Jun-2019 17:20


New report by Unisys shows New Zealanders want action by social platform companies and police to monitor social media sites
Posted 19-Jun-2019 17:09


ASB adds Google Pay option to contactless payments
Posted 19-Jun-2019 17:05


New Zealand PC Market declines on the back of high channel inventory, IDC reports
Posted 18-Jun-2019 17:35


Air New Zealand uses drones to inspect aircraft
Posted 17-Jun-2019 15:39


TCL Electronics launches its first-ever 8K TV
Posted 17-Jun-2019 15:18


E-scooter share scheme launches in Wellington
Posted 17-Jun-2019 12:34


Anyone can broadcast with Kordia Pop Up TV
Posted 13-Jun-2019 10:51


Volvo and Uber present production vehicle ready for self-driving
Posted 13-Jun-2019 10:47


100,000 customers connected to fibre broadband network through Enable
Posted 13-Jun-2019 10:35


5G uptake even faster than expected
Posted 12-Jun-2019 10:01


Xbox showcases 60 anticipated games
Posted 10-Jun-2019 20:24


Trend Micro Turns Public Hotspots into Secure Networks with WiFi Protection for Mobile Devices
Posted 5-Jun-2019 13:24


Bold UK spinoff for beauty software company Flossie
Posted 2-Jun-2019 14:10


Amazon Introduces Echo Show 5
Posted 1-Jun-2019 15:32



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.