whfsdude (Premium; join:2003-04-05; Washington, DC)
Re: [Business] ARP Packets from Comcast are Flooding My LOCAL Ne
It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.
If you had the modem in bridge mode, your router would always see it.

NetFixer (From my cold dead hands; Premium; join:2004-06-24; The Boro)
said by whfsdude:
It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.
If you had the modem in bridge mode, your router would always see it.

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

whfsdude (Premium; join:2003-04-05; Washington, DC)
said by NetFixer:
If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

No I don't, sadly. I do, however, know some users in meatspace with SB6120's on business class service.
My point was, though, that the ARP traffic is totally normal for cable modems, so it wouldn't change your WAN speeds.
However, generally people don't use proxy ARP for their LANs. I'd argue it's a minor security issue, in fact. But it will not affect speeds.

(reply to NetFixer)
said by NetFixer:
said by whfsdude:
It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.
If you had the modem in bridge mode, your router would always see it.
If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

If you can talk someone in support into running a telnet session into your D3G, the command is > ven RG 0 (1 enables gateway). In the D3G you need to be in cable mode (default); 8014 would be main mode.
My D3G is running happy in bridge mode.

JohnInSJ (Premium; join:2003-09-22; San Jose, CA)
Business Class 12/2, 5 statics, SMC in "true static" mode.
Before reboot: Firmware Version 1.4.0.49.7-CCR. No ARP packets coming in from modem to FW/Router (linux box).
shaperprobe:
Checking for traffic shapers:
Upstream: Burst size: 1708-2163 KB; Shaping rate: 2128 Kbps.
Downstream: Burst size: 6735-7900 KB; Shaping rate: 11816 Kbps.
After reboot: Firmware Version 3.1.4.51.1
shaperprobe:
Checking for traffic shapers:
Upstream: Burst size: 1829-2312 KB; Shaping rate: 2128 Kbps.
Downstream: Burst size: 7961-8523 KB; Shaping rate: 12768 Kbps.
No changes there.
tcpdump from firewall, on the interface facing the cable modem...
ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
tcpdump, side facing my lan:
no ARP packets from comcast...
So, yep, ARP packets from Comcast are being forwarded to the other side, even with statics.
-- My place : »www.schettino.us

(reply) JohnInSJ: Thanks for the detailed notes on your experiment!

Nalez (1 edit)
Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding, and getting detailed information about the networks of other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.
What is interesting is that this update is being pushed out to resolve security issues; mainly the password that leaked out, as well as the requirement for use with DNSSEC.
Details can be found here: »forums.smartertools.com/showthre···DRESSES!

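One way to check a capture like JohnInSJ's for the symptoms Nalez lists (ISP-side ARP leaking through the modem into the LAN, ARP poisoning, ARP flooding), as an added example that is not code from anyone in this thread: it parses the text lines that `tcpdump -n arp` prints, flags ARP senders that lie outside the LAN prefixes you pass in, IPs claimed by more than one MAC in replies, and senders whose packet count crosses a threshold. The sample capture is constructed for the example (its first line is the one quoted above; the 192.168.10.0/24 LAN, the MAC addresses and the threshold of 3 are assumptions, not values from the thread).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of tcpdump text output from a modem-facing interface.
# The first line reproduces the ARP request quoted in the thread; the other
# lines (the 192.168.10.0/24 LAN, MACs, and the non-ARP line) are made up.
SAMPLE_TCPDUMP = """\
10:58:21.000001 ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
10:58:21.000532 ARP, Request who-has 73.70.119.170 tell 73.70.118.1, length 46
10:58:21.001020 ARP, Request who-has 192.168.10.20 tell 192.168.10.254, length 28
10:58:21.001501 ARP, Reply 192.168.10.20 is-at 00:11:22:33:44:55, length 28
10:58:21.002000 ARP, Reply 192.168.10.20 is-at 66:77:88:99:AA:BB, length 28
10:58:21.002400 ARP, Request who-has 73.70.119.171 tell 73.70.118.1, length 46
10:58:21.003000 IP 192.168.10.20.49152 > 203.0.113.5.443: Flags [S], length 0
"""

# tcpdump's two ARP line shapes (with -n, so addresses are not resolved to names)
ARP_REQUEST = re.compile(r"ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REPLY = re.compile(r"ARP, Reply (?P<sender>[\d.]+) is-at (?P<mac>[0-9A-Fa-f:]+)")


def parse_arp(line):
    """Parse one tcpdump text line; return a dict for ARP packets, None otherwise."""
    m = ARP_REQUEST.search(line)
    if m:
        return {"op": "request", "sender": m["sender"], "target": m["target"]}
    m = ARP_REPLY.search(line)
    if m:
        return {"op": "reply", "sender": m["sender"], "mac": m["mac"].lower()}
    return None


def audit_arp(capture, local_nets, flood_threshold=50):
    """Audit a tcpdump text capture for the three ARP symptoms raised in the thread.

    local_nets:      prefixes that legitimately live on this segment.
    flood_threshold: ARP packets from one sender within the capture at or above
                     which it is reported as a flood (tune to capture length).
    Returns a dict with:
      foreign_senders: ARP senders outside local_nets (ISP-side ARP leaking in)
      mac_conflicts:   IPs claimed by more than one MAC (a poisoning indicator)
      flooders:        senders at or above flood_threshold
    """
    nets = [ip_network(n) for n in local_nets]
    foreign = set()
    macs_by_ip = defaultdict(set)
    count_by_sender = defaultdict(int)
    for line in capture.splitlines():
        pkt = parse_arp(line)
        if pkt is None:
            continue
        try:
            sender = ip_address(pkt["sender"])
        except ValueError:
            continue  # mangled line; skip rather than abort the audit
        count_by_sender[pkt["sender"]] += 1
        if not any(sender in net for net in nets):
            foreign.add(pkt["sender"])
        if pkt["op"] == "reply":
            macs_by_ip[pkt["sender"]].add(pkt["mac"])
    return {
        "foreign_senders": sorted(foreign),
        "mac_conflicts": {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1},
        "flooders": {ip: n for ip, n in count_by_sender.items() if n >= flood_threshold},
    }


if __name__ == "__main__":
    # A threshold of 3 is only sensible for this seven-line sample.
    report = audit_arp(SAMPLE_TCPDUMP, ["192.168.10.0/24"], flood_threshold=3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the audit reports 73.70.118.1 as a foreign sender (the Comcast gateway seen through the modem), 192.168.10.20 as an IP answered by two different MACs, and 73.70.118.1 as the only sender over the threshold; on a real capture, feed it the output of `tcpdump -n -l arp` and raise the threshold to suit the capture duration.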
ropeguru (Premium; join:2001-01-25; Mechanicsville, VA)
Interesting post you linked to. So essentially, if it is a small business that is sitting behind their own router with no DNS server on their network, they need to expose all their equipment to the internet directly because Comcast is FORCING the DNSSEC servers on all business customers, which do not work behind NAT.
Additionally, since the DNSSEC would require a real internet address, this sounds like Comcast is pushing this in order to force business customers to have to have more than one IP. This would require the purchase of a block of 5 IPs and generate a large amount of revenue.
Glad I don't use their DNS for anything and run my own. Yes, I know the ramifications of possibly not getting the closest Google, Netflix, Hulu, etc. server.

NetFixer (From my cold dead hands; Premium; join:2004-06-24; The Boro)
reply to Nalez
said by Nalez:
Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues; such as ARP poisoning; ARP flooding and getting detailed information about the networks for other Comcast customers. This also means that my arp packets may be going out to the greater comcast network.
What is interesting, is this update is being pushed out to resolve security issues; mainly the password that leaked out as well as requirement for use with DNSSEC.
Details can be found here: »forums.smartertools.com/showthre···DRESSES!
said by chicagonettech:
As of this month, Comcast is officially rolling out DNSSEC to all of their DOCSIS ROUTERS on their digital circuits for Business Class Customers. This means that a FIRMWARE UPDATE is being pushed to all COMCAST DOCSIS modems and, as part of that process, the DNS SERVERS in those modems are being LOCKED onto 75.75.75.75 and 75.75.76.76, the two COMCAST DNSSEC DNS servers. This means that Business Class end users who have had their DOCSIS modem firmware updated will NOT be able to change the internal DNS of the COMCAST ROUTER to any other DNS SERVER IP address. [The firmware update also installs the ability for IPV6, but it is not yet enabled unless an account is specifically engineered for IPV6.]

Interesting that my SMCD3G with the 3.1.4.51.1 firmware does not seem to be using the 75.75.75.75 and 75.75.76.76 DNS servers:

Gateway Status
Initilization Procedure
Vendor Name: SMC Networks
Hardware Version: 1A
Serial Number: H21039056789
Firmware Version: 3.1.4.51.1
Operating Mode: RG
System Uptime: 001 days 01h:41m:11s
Date: May-11-2012
Time: 10:58:21

Network Internet Settings
Gateway MAC Address: 00:26:F3:XX:YY:Z1
WAN MAC Address: 00:26:F3:XX:YY:Z2
WAN DHCP IP Address: 107.3.237.186
WAN DHCP Subnet Mask: 255.255.254.0
WAN DHCP Default Gateway: 107.3.236.1
WAN Internet IP Address: 75.146.8.46
DNS (primary): 68.87.68.162
DNS (secondary): 68.87.74.162
DHCP Time Remaining: 70h:54m:08s
Date: May-11-2012
Static IP Block: 75.146.8.46/29

Local Settings
Gateway IP Address: 192.168.10.254
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
IP Range (start): 192.168.10.20
IP Range (end): 192.168.10.20

FWIW, my local DNS server worked just fine (for both internal and external queries) with Comcast's DNSSEC even before this latest firmware update that now floods my servers with Comcast's ARP traffic.
It is nice to see at least a backdoor acknowledgement that this latest firmware update is related to IPv6 functionality. I wonder if anyone in one of Comcast's IPv6 test areas with this firmware is now seeing IPv6 functionality using this router?
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

noisefloor
The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right. Unless you have statics configured I don't see a reason the gateway would have those servers present.

ropeguru (Premium; join:2001-01-25; Mechanicsville, VA)
said by noisefloor:
The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right. Unless you have statics configured I don't see a reason the gateway would have those servers present.

Static as in static IPs, or static routes for his IPs?
If static IPs, then he has those:
Static IP Block 75.146.8.46/29

noisefloor
Oh, that's crazy he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market, because when I was with the company last year every D3G (only D3G's) that was deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address, though, with any previous 68.x.x.x DNS.

NetFixer (From my cold dead hands; Premium; join:2004-06-24; The Boro) (1 edit)
reply to noisefloor
said by noisefloor:
The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right. Unless you have statics configured I don't see a reason the gateway would have those servers present.

I have no control over that setting. That setting, like many other configurable settings in the SMCD3G-CCR, can only be set by Comcast. The only DNS server setting in the SMCD3G-CCR that the customer can change is the two DNS servers that the SMC's DHCP server assigns to its DHCP clients (that setting does not change the DNS servers that the SMCD3G-CCR uses internally).
FWIW, I do have a /29 static IP block (as is shown in my previous post), but I can't see why that would make any difference. I do know for a fact that I am able to use the 75.75.75.75 and 75.75.76.76 IP addresses because my local DNS server uses those IP addresses for forwarding. And the ICSI Netalyzr test shows that my local DNS is/was DNSSEC compliant whether I forward to the 75.75.75.75 and 75.75.76.76 IP addresses or to the 68.87.68.162 and 68.87.74.162 IP addresses, or to the SMCD3G's IP address (this is both before and after the new 3.1.4.51.1 firmware was loaded).
My previous post was just to point out that the new 3.1.4.51.1 firmware does not automatically assign the 75.75.75.75 and 75.75.76.76 IP addresses, nor are those specific IP addresses required to use Comcast's DNSSEC servers (the 68.87.68.162 and 68.87.74.162 IP addresses that my SMCD3G gets from Comcast are also Comcast DNSSEC servers, and they work properly as DNSSEC servers).
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

NetFixer (From my cold dead hands; Premium; join:2004-06-24; The Boro)
reply to noisefloor
said by noisefloor:
Oh that's crazy he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market because when I was with the company last year every D3G (only D3G's) that were deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address though with any previous 68.x.x.x DNS.

I don't know anything about Comcast macros, but I do know that my /29 static IP block (including my public facing web and email servers) is working just fine with the SMCD3G configured with the 68.87.68.162 and 68.87.74.162 DNS server addresses.
FWIW, I do recall that my SMCD3G was originally configured with the 75.75.75.75 and 75.75.76.76 DNS servers, but that changed at some point after another firmware upgrade was pushed to my box.
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

DarkLogix (Texan and Proud; Premium; join:2008-10-23; Baytown, TX; kudos:3)
reply to JohnInSJ
said by JohnInSJ:
said by DarkLogix:
Guess I'll power cycle my SMC and see if I see any changes (tonight)
Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...

Arrg, I power cycled it today and here's what happened:
the CM oddly didn't make the switch port active, which caused more power cycling, and also my ASP page that fetches the RF stats is now broken.

JohnInSJ (Premium; join:2003-09-22; San Jose, CA)
said by DarkLogix:
said by JohnInSJ:
said by DarkLogix:
Guess I'll power cycle my SMC and see if I see any changes (tonight)
Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...
Arrg I power cycled it today and here's what happened: the CM oddly didn't make the switch port active which caused more power cycling and also my ASP page that fetches the rf stats is now broken

I saw that too - oddity on the switch side - I was on LAN 4, which came up dead... LAN 1 was working, which I found by jacking in a laptop on each port until I got das blinkenlites.
Weird.
-- My place : »www.schettino.us

DarkLogix (Texan and Proud; Premium; join:2008-10-23; Baytown, TX; kudos:3)
Well, now I'm trying to troubleshoot my ASP page (btw I'm not a programmer),
and it involves some array manipulation. If you're a programmer, feel free to help; I made a thread in the webmasters forum.
I wish I knew what has changed with the formatting of the HTML page I'm pulling the data from.

NetFixer (From my cold dead hands; Premium; join:2004-06-24; The Boro)
reply to JohnInSJ
said by JohnInSJ:
I saw that too - oddity on the switch side - I was on LAN 4, which came up dead... LAN 1 was working, which I found by jacking in a laptop on each port until I got das blinkenlites.
Weird.

I did not see that symptom because I normally only have one device connected to my SMCD3G's LAN (my SamKnows box on SMC port 1). After seeing DarkLogix's post and your followup, I moved my Vonage RTP300's WAN connection to the SMC LAN ports 2-4 in sequence, and all of the SMC switch ports were active as soon as I connected the cable.
Perhaps the new SMCD3G firmware expects that the SMC LAN port 1 will always have an active connection, and if it doesn't find one, it doesn't bother to enable any other switch ports? Later this evening I plan to check to see if the USB port has perhaps been activated with the new firmware. I will move my SamKnows box to port 4 on the SMC at that time to see if it works immediately after an SMC reboot.
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

DarkLogix (Texan and Proud; Premium; join:2008-10-23; Baytown, TX; kudos:3)
Well, I initially had it plugged into port 2, then moved to port 1 (also dead), then port 3, then they all came up.

JohnInSJ (Premium; join:2003-09-22; San Jose, CA)
reply to DarkLogix
said by DarkLogix:
well now I'm trying to troubleshoot my ASP page (btw I'm not a programmer)
and it involves some array manipulation if you're a programmer feel free to help I made a thread in the webmasters forum
I wish I knew what has changed with the formatting of the html page I'm pulling the data from

My munin script survived the new formatting, I'll take a look.
-- My place : »www.schettino.us
