old door phased itself out today

Jun. 25th, 2017 07:58 pm
solarbird: (molly-thats-not-good-green)
[personal profile] solarbird
The 1995 P166 that has been until now door.murkworks.net has formally and abruptly retired itself. So I'm having to move the new box into place now. This is the DMZ box I was talking about earlier.

Henceforth, "Door" refers to "New Door," not the old machine that is broken. It is latest Debian.

Door has three network cards: eth0 going to cable modem, eth1 going to fixed IP LAN segment, eth2 going to DHCP LAN segment. Door is running both DNS and DHCP servers.

Door can see everything in the world, on all cards. Complete functionality.

DHCP side can see everything in the world, on all cards. Complete functionality.

Fixed IP machines can all see Door (including its DNS services), and each other, and talk to the DHCP side, but can talk to nothing living out on eth0.

tcpdump on Door shows Door handing off ICMP packets on eth0, so that direction seems okay.

I am not seeing ACKs coming back to Door on eth0 from google.com but I can't be sure they aren't doing something tricky and my filters are confused.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         173.160.243.46  0.0.0.0         UG    0      0        0 eth0
173.160.243.40  0.0.0.0         255.255.255.248 U     0      0        0 eth1
173.160.243.42  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.43  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.44  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.46  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2


Door is 173.160.243.41 (on eth0), 173.160.243.45 (on eth1), 192.168.1.1 (on eth2). 173.160.243.46 is the modem. 173.160.243.40 is a network to eth1.

Anybody know wtf?

eta: The router - in addition to not showing door any ACKs for anything from .42 and .43 - is sending out a lot of ARP packets looking for 173.160.243.42 and 173.160.243.43, and I'm starting to think it won't talk to a gateway box in the fixed-IP range. I try to add .41 as a gateway address for .42 and .43 and it refuses, saying illegal LAN address. SUPER RAGIFICATION ENGAGED.

eta2: And the new problem is that the PS4 won't pick up the gateway information from the Linux-based DHCP server. It will pick up an address! It's also not getting the DNS server number either. Why? Fuck if I know, everything else does it right.
  • Current Mood: confused
Tags:
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2017-06-26 05:34 am (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
Presumably the fixed IP machines are all set up to use Door (173.160.243.45) as their default gateway.

One way to make sure the fixed-IP machines are all set up correctly and stay that way is to set up DHCP to serve them static addresses based on their MAC addresses. The DHCP daemon is setting up a lot of stuff behind the scenes, including the IP filtering and routing rules.

Date: 2017-06-26 06:07 am (UTC)
solarbird: (Default)
From: [personal profile] solarbird
Presumably the fixed IP machines are all set up to use Door (173.160.243.45) as their default gateway.
Of course.

One way to make sure the fixed-IP machines are all set up correctly and stay that way is to set up DHCP to serve them static addresses based on their MAC addresses.
I do not think that would solve the problem in this case because I am fairly sure at this point that the modem/router refuses to use a gateway to reach a fixed (real) IP. I think that is the fundamental problem. I will call Comcast tomorrow to find out.

Date: 2017-06-26 06:42 pm (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
OK, now I get it. I can ping 73.160.243.42 (for example) from here.

>host 73.160.243.42
42.243.160.73.in-addr.arpa domain name pointer c-73-160-243-42.hsd1.nj.comcast.net.

So your problem is that the addresses you're trying to use for your fixed IP range are already taken, and live somewhere else on the network. That's why you can send packets but they don't come back.

Date: 2017-06-26 06:52 pm (UTC)
solarbird: (pingsearch)
From: [personal profile] solarbird
That's because I jury-rigged something to get us online again without using the fixed-IP gateway I'd set up. I wasn't going to be offline for days while I figured this out, after all.

I finally got over the AGH PHONES enough to call comcast and they told me that I was right, the router won't do what I want it to do for the fixed-IP range. It's just not functionality they offer at this level.

This is less bad than I'd've said before, because what I'm figuring out is that the Comcast Business modem is terrible at DHCP/NAT, but perfectly fine at the fixed-IP handling, and I'm seeing meaningfully behaviour having done what I've done. So really what I need to do is drop the third card out of the mix and just not do that part.

Date: 2017-06-26 10:34 am (UTC)
wrog: (Default)
From: [personal profile] wrog
Have you looked at or done anything with the iptables rules (i.e., what does iptables -L -n on door give you?

My current crazy theory is that there's a default DROP rule in there that's screwing you, say, if the default iptables config only expects there to be 2 interfaces... or is doing the usual firewall thing of aggressively DROPping everything coming from "outside" that's not explicitly approved, and it's treating everything other than eth2 as "outside"
Edited Date: 2017-06-26 10:41 am (UTC)

Date: 2017-06-26 03:14 pm (UTC)
solarbird: (Default)
From: [personal profile] solarbird
No such rules in iptables, everything's set to ACCEPT. Also, as I've made clearer, I'm seeing packets from the fixed IP subnet go out, but none coming in to eth0 even when I know I'm sending traffic to it from off-net.

But I am seeing lots of ARP requests from the cable modem, which is a router.

I'm pretty much in the "stupid cable modem won't let you gateway the fixed-IP range" camp at this point. Hopefully Comcast will know.
Edited Date: 2017-06-26 03:21 pm (UTC)

Date: 2017-06-29 01:38 am (UTC)
solarbird: (Lecturing)
From: [personal profile] solarbird
Oh, I never made a follow-up post, but: I was right, Comcast says their modem won't let you do that.

I could, of course, set up all the fixed IP addresses on the one card on door, and then map them to fixed localnet addresses, and do NAT, but that seems to be unnecessary. The business modem seems to be pretty good at handling fixed-IP destination packets. It's DHCP and NAT that drag it to the mud. Offloading that has really improved a lot of things.

Date: 2017-06-30 01:34 am (UTC)
wrog: (howitzer)
From: [personal profile] wrog
I am a bit boggled that they don't let you put the Comcast box into bridge mode

(also iptables can, in fact, be blocking stuff in one direction, but if door isn't actually serving as a firewall, then I guess you don't need to mess with that unless you want to be paranoid...)
Edited Date: 2017-06-30 01:34 am (UTC)

Date: 2017-07-03 06:20 am (UTC)
solarbird: (Lecturing)
From: [personal profile] solarbird
I do mess with that shit on occasion - semi-regularly in fact - but none of that was set up yet even a little. So.
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

solarbird: (Default)
solarbird
I'm on Mastodon!

Links

February 2026

S M T W T F S
12 34567
89101112 1314
15161718192021
22232425262728

Most Popular Tags

Page Summary

Active Entries