[NCLUG] Fun and Action(tec)?

Bob Proulx bob at proulx.com
Sun Jul 26 17:34:31 MDT 2009


Benson Chow wrote:
> I was wondering where I could find an audience for people who have Qwest 
> DSL and mucked with their Actiontec routers, and well, this may be the 
> right mailing list.

I have Qwest DSL.  I have had the Cisco 675 modem and am now using the
Cisco 678.  The Cisco 678 is still operating acceptably for me.  It
has only been acceptable and not great because it has not been without
problems in terms of capability.  It has been reliable enough.  But
for me the 678 wasn't as capable as the 675 in terms of routing and
this appeared to be a firmware issue.  One day I would like to upgrade
to a more capable device and a Linux based router would be a nice
upgrade.

> After many years with Qwest DSL, I'm no longer Cisco bound.  After a
> Cisco 675 got obsoleted by DMT, and a Cisco 678 was deemed obsolete
> by Qwest when I complained of instability in my DSL, I got an
> Actiontec GT701 from them.  All the better... yet another Linux box
> to play with!

Yeah! :-)

> The behavior of the GT701 is what I'm kind of concerned with.  First off I 
> have a /29 static IP block I'm using with the 'modem'.  The two issues I'm 
> having:
> 
> 1 - I've been trying to get this router to route both my /29 and my 
> 10.0.0.x subnets so I can firewall off my wifi, but the best I've gotten 
> was that my 10.0.0.x subnet would get packets mangled when trying to 
> communicate to my /29 subnet.  It is partially due to having most 
> of my /29 machines also having a 10.0.0.x address, but it looks like the 
> GT701 is routing my 10.0.0.x addresses as real addresses instead of 
> NATting them when dealing with my /29.  I'm still using my WRT54G for NAT 
> for now, but once again, for better security I'd like to separate my 
> wifi (and perhaps keep it in hotspot mode and do away with WEP...)

Your description isn't sufficient for me to understand your network
topology.  With so little information I hesitate to jump in.  But
throwing caution to the wind and knowing that others will correct me I
am going to give it a shot.

One thing you said ("routing my 10.0.0.x addresses as real addresses")
makes me wonder if your router is configured for _one_ of DNAT or SNAT
but in your configuration you need both DNAT *and* SNAT configured for
it.  Or if you need a gateway configured and do not have one.  Network
address translation is implemented with a variety of algorithms and
has different effects on internet devices.

Let me expand on that a little.  Let's say you have 208.77.188.166 as
your external wan address with a /29.

  Internet <---> 208.77.188.166/29|Router|10.0.0.1 <---> 10.0.0.42|Toaster

A packet arrives.  (Assume A.B.C.D is some random address out on the
Internet.)

  SRC: A.B.C.D           # Some Internet Address
  DST: 208.77.188.166    # Your external WAN address

Normally NAT would just be destination NAT and would translate
208.77.188.166 to 10.0.0.42.

  SRC: A.B.C.D
  DST: 10.0.0.42

And then it is routed on to the Toaster.  The Toaster will see the
real address A.B.C.D.  It will respond with a packet of its own.

  SRC: 10.0.0.42
  DST: A.B.C.D

This goes through the Toaster's routing table.  Since A.B.C.D isn't on
the local subnet of any network interface it falls to the default
gateway to route.  If the Toaster has a default gateway.  In which
case it then is routed to the Router.  The Router then masquerades the
internal network address into its external network address.

  SRC: 208.77.188.166
  DST: A.B.C.D

The Internet is only exposed to the 208.77.188.166 address and never
the 10.0.0.42 address.  The Toaster device is however exposed to the
A.B.C.D Internet address.  Which means that the Toaster must have a
routing table entry that can route to it.

I ran into this very same problem while working with a Toaster device
that wasn't programmed with a default route.  It was constrained that
it could only talk to devices on the internal network and (apparently)
no one actually thought about needing a route for addresses off of the
local network.  I needed both destination NAT and source NAT.  In
which case that same packet:

  SRC: A.B.C.D
  DST: 208.77.188.166

That packet arrives and now has both addresses translated.

  SRC: 10.0.0.1
  DST: 10.0.0.42

Then the Toaster device responds.

  SRC: 10.0.0.42
  DST: 10.0.0.1

Then the Router performs the reverse NAT on both addresses.

  SRC: 208.77.188.166
  DST: A.B.C.D

Your problem sounded similar to this case.  But I couldn't tell.  In
which case you might need to set up SNAT too.  Or you might need to
verify that your internal clients have a default gateway set.  Maybe.

> 2 - My GT701 does not seem to respond properly with traceroutes.  I'm not 
> sure what layer of the IP stack should be handling these.

Traceroute creates ICMP ping packets using the time-exceeded message
type.  If you are blocking ICMP then this will block traceroute.  It
is sufficient to allow icmp time-exceeded messages to enable
traceroute.  (Note that ping uses icmp echo-request.)

> I tried telnetting into the router and it looks like a fairly usual Linux 
> machine with a (ugh) stripped down busybox.  So usual, I've been thinking 

With so little memory and storage available on the machine it is
typical to use the most stripped down images.  Unfortunately the
standard GNU tools have become so bloated that they are usually
replaced with the leaner busybox.  However I think a compiling of the
old V7 tools would be more appropriate.

> about building custom firmware for it as I'd like it to syslog to my 
> server and shut off all the unnecessary DNS lookups it seems to do...
> 
> Anyone have fun with their GT701?

If any of the normal distributions such as OpenWRT, DD-WRT, Tomato, or
other distributions work that would be interesting to me.  I might
want to upgrade in that case!

I figure the GT701 hasn't really matured yet as I could not find a
Wikipedia page on it. :-/

Bob
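
The two packet walks in the message above (destination NAT only, then destination plus source NAT), as an added example that is not part of the original post. It is a small simulation, not router firmware: the Router class, the /24 internal subnet and the client address 198.51.100.7 standing in for A.B.C.D are assumptions made for illustration.

```python
import ipaddress

WAN_IP, LAN_IP, TOASTER = "208.77.188.166", "10.0.0.1", "10.0.0.42"
LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal subnet


class Router:
    """NAT router that remembers each translation so replies can be reversed."""

    def __init__(self, snat_inbound):
        self.snat_inbound = snat_inbound  # also rewrite SRC on forwarded traffic
        self.conntrack = {}               # reply (src, dst) -> (src, dst) to emit

    def inbound(self, src, dst):
        """Translate a packet arriving on the WAN side; return (src, dst) for the LAN."""
        if dst != WAN_IP:
            return None
        new_src = LAN_IP if self.snat_inbound else src   # SNAT hides the Internet address
        new_dst = TOASTER                                # DNAT to the internal host
        self.conntrack[(new_dst, new_src)] = (dst, src)  # how to rewrite the reply
        return new_src, new_dst

    def outbound(self, src, dst):
        """Reverse the translation for a reply coming back from the LAN."""
        return self.conntrack.get((src, dst))


def host_can_route(dst, default_gateway):
    """A host can send to dst if it is on-link or it has a default gateway."""
    return ipaddress.ip_address(dst) in LAN_NET or default_gateway is not None


def round_trip(client, snat_inbound, default_gateway):
    """Return the (src, dst) of the reply on the WAN side, or None if it is lost."""
    router = Router(snat_inbound)
    seen = router.inbound(client, WAN_IP)
    if seen is None:
        return None
    src, dst = seen  # what the Toaster sees; its reply swaps the two
    if not host_can_route(src, default_gateway):
        return None  # no route back to the source: the reply never leaves the Toaster
    return router.outbound(dst, src)


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed stand-in for A.B.C.D
    for snat, gw in [(False, LAN_IP), (False, None), (True, None)]:
        print(f"SNAT={snat!s:5} gateway={gw!s:8} reply={round_trip(client, snat, gw)}")
```

With source NAT on forwarded traffic the Toaster only ever sees 10.0.0.1, so its own logs and address-based access rules no longer carry the real client address.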


