OOLost
@optonline.net

OOLost

Anon

Need help configuring my Cisco871W with Optimum Static IP

I've recently had issues with my Optimum Business Static IP service.

First, I work from my home and I have both a residential and a business service. On the residential side, I was given an Arris modem. From there, I have it plugged into a Cisco router and that configuration is working like a charm.

I also have the business modem which is a Cisco model DPQ3925. This was a replacement for a Cisco 800 series router and a Motorola modem previously installed. Since then, it's been hell.

I have now a Cisco 871W (none of the radio interfaces configured) connected from FastEthernet4 (the WAN interface) to the Cisco DPQ3925 interface 1. I was told this would be a transparent replacement but I cannot get service. Presently, I have NOTHING connected to my Cisco871W wired interfaces. When I power up the router, after reload, the transmit and receive LEDs flash incessantly. I've tried to ping sites on the internet from the Cisco871W with no results. (i.e. ping 8.8.8.8 repeat 1000 source 192.168.1.1 -- which is the NAT address on the WAN interface)

This is the same router configuration I've had on this device (in fact, it's backed up via a 'copy startup-config »ftp://:...' to an internal ftp server and I've copied it back too just to be certain). I'm thoroughly convinced that something is NOT configured as it was before in terms of this Cisco DPQ3925.

Optimum has sent out "technicians" who have replaced splitters and even swapped the DPQ3925 with another.

I'm also at a loss since there's very little expertise when calling support WRT their service and Cisco routers. They seem to rely on the fact that people just plug commodity routers on these services.

I have my NAT in 192.168.1.0 with 4 of the 5 static IPs defined. The other I used as the address for anything DHCP on the inside network.

Can somebody please help me figure out what is going on? I plugged my Mac into the Cisco DPQ3925 and statically defined one of the IPs to its interface (after I removed the definition on the Cisco871W, of course) and it pings just fine. As soon as the router is connected, the pings from the Mac slow down dramatically.

HELP!!!

jaa
Premium Member
join:2000-06-13

jaa

Premium Member

You might try the networking forum for help with your Cisco router. »Networking

Perhaps back up your current configuration, and start with a more basic configuration and see how that works.
efrem
join:2002-04-03
Westport, CT

efrem to OOLost

Member

to OOLost
Which of your fixed IP addresses did you assign to the WAN interface of your 871?

OOLost
@optonline.net

OOLost

Anon

I have 5 addresses... .25 is the gateway. I have .26 through .30. I assigned the .26 address to the WAN interface.

What's strange is that this config has been working. Now, all of a sudden and with nothing plugged in on the LAN side, there is traffic to the Cisco 871W... A LOT of traffic! The TXD and RXD are only almost solid.
frdrizzt
join:2008-05-03
Ronkonkoma, NY

frdrizzt to OOLost

Member

to OOLost
The best way to confirm the DPQ3925 is operating correctly is to check that you do not receive a connection to a PC connected directly in DHCP mode, and that you do when you configure it with a static IP. If it works with your PC & not your router, then it will definitely be something with your router. Since you couldn't ping from the router itself, I wouldn't focus on anything with the LAN config until that part is working.

OOLost
@optonline.net

OOLost

Anon

I'm thinking I've been targeted for a DoS.

With nothing on the router at 192.168.1.2 NATted to ext.er.nal.26, there is little traffic showing on the TXD LED but the RXD is still nearly constant on. The other addresses, now back on the router, seem to be OK. However, if I add the server at 192.168.1.2, the proverbial brown-nasty hits the air impeller. Can OOL see what's happening or what's coming into that address???

EliteData
EliteData
Premium Member
join:2003-07-06
Philippines

EliteData

Premium Member

said by OOLost :

I'm thinking I've been targeted for a DoS.

you're probably getting multicast/broadcast traffic.
nothing to worry about.

OOLost
@optonline.net

OOLost

Anon

so much so that the RXD/TXD LEDs are lit continuously with nothing connected to the LAN side of the router???

EliteData
EliteData
Premium Member
join:2003-07-06
Philippines

EliteData

Premium Member

i know broadcast traffic is filtered (by the CM, set by CV's CFG file via SNMP) for subscriber based CM's but i'm not sure if it's filtered on business accounts.
if broadcast traffic is not filtered on business accounts and you are on the same "node" with a lot of other modems, you will get a lot of broadcast traffic.
you should see the broadcast traffic for the cable boxes !

jaa
Premium Member
join:2000-06-13

jaa to OOLost

Premium Member

to OOLost
said by OOLost :

I'm thinking I've been targeted for a DoS.

I think that is unlikely, and this statement seems to rule that out:
said by OOLost :

I plugged my Mac into the Cisco DPQ3925 and statically defined one of the IPs to its interface (after I removed the definition on the Cisco871W, of course) and it pings just fine.

If it works with your Mac it will likely work with your router. And the fact that both are Cisco devices would make some strange incompatibility less likely.

OOLost
@optonline.net

OOLost to EliteData

Anon

to EliteData
I was running for a bit and now the connection is toast. I'm ready to cancel my business account. This router was configured eons ago and it worked just fine. Now, all of a sudden, I'm getting these issues and they've been getting progressively worse in the past two weeks. I've also changed out the routers. I have 2 Cisco 851s and one Cisco 871W. The problem occurs with all, so I'm convinced it is not my kit.

interface FastEthernet4
 description WAN
 ip address 24.xx.yy.26 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect MYFW out
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.yy.25

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.2 24.xx.yy.26
ip nat inside source static 192.168.1.4 24.xx.yy.28
ip nat inside source static 192.168.1.64 24.xx.yy.29
ip nat inside source static 192.168.1.7 24.xx.yy.30

That should be right, is it not???
OOLost

OOLost to jaa

Anon

to jaa

Re: Need help configuring my Cisco871W with Optimum Static IP

I posted router config but it hasn't shown here yet. I can't fathom what has changed that might make it incorrect. If it shows, let me know. All I can state is that I've never seen the Cisco's LED on as steady as they are now.

Fortunately, I have residential service as well and can post here using it. The Cisco on it is quite content. I'd register for an account here, instead of using the OOLost anonymous name, but I need my Business network functional for the email. The ol' catch 22.

jaa
Premium Member
join:2000-06-13

jaa to OOLost

Premium Member

to OOLost
Do you still think it is a DoS attack on your IP?

I have no idea what a cisco configuration looks like, but to me it seems you are assigning the .26 address twice.

I think it is your router config - try a simpler config, perhaps for one attached device, and see if it works.

Or throw out the cisco equipment and spend $15 on a netgear.

Alpacas
@optonline.net

Alpacas to OOLost

Anon

to OOLost
You could have some provisioning issue with your acct. I know you called and had people there. When they were at your house did they plug their laptop in or verify it worked before they left? You may just need the static deprovisioned then reprovisioned. If you call again and talk to business tsg they can do this.

OOLost
@optonline.net

OOLost to jaa

Anon

to jaa
I had a "Cisco" guru give me the green-light on the configuration. The configuration of Fa4 is correct. Netgear? Toys.
efrem
join:2002-04-03
Westport, CT

efrem

Member

Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV.

You say you have 5 addresses .... you really should have 7.

One is the subnet
One is the default gateway
Four are the addressable individual IP's
One is the broadcast address for the subnet.

It does not appear to me that you are using that scheme with the addresses you listed above.

You might want to double-check that.
cablewizzard
join:2009-06-14
Woodbury, NY

cablewizzard to OOLost

Member

to OOLost
said by OOLost :

I'm also at a loss since there's very little expertise when calling support WRT their service and Cisco routers. They seem to rely on the fact that people just plug commodity routers on these services.

As they should be - for a $10/month service, you can't expect expert networking support.

Quick question: what area are you in (town,state)? Some areas seem to have gotten a new firmware for the 3925 recently: it was 120309a, now 120614a (e.g.: March to June release dates). If that turns out to be your problem, you'll not win this.

I've reviewed your config, and yes, ip proxy-arp was one of my suspects in this (the DPQ3925 does NOT support this), but you have it turned off on FE4, yet it remains a suspect.

What does your (871W) arp-table show after you generate some traffic?
Can you ping the default-gw (.25) when using .26 as the source-IP?

If you hook up a lowly sniffable hub between the FE4 and 3925-port1 interfaces, can you tell us for SURE that there is no proxy-arp going on, and absolutely all L2 traffic leaving your FE4 interface is using the one and only MAC-address of that interface, and ALL IP packet source addresses are .26-30?

Not sure if the 871 will do with its NAT what you expect with a ping source of 192.168.1.1 - does it correctly apply the NAT translation before sending that packet out FE4? Try the 24.x.x.26 address as the source.

OOLost
@optonline.net

OOLost

Anon

said by cablewizzard:

I've reviewed your config, and yes, ip proxy-arp was one of my suspects in this (the DPQ3925 does NOT support this), but you have it turned off on FE4, yet it remains a suspect.

What does your (871W) arp-table show after you generate some traffic?
Can you ping the default-gw (.25) when using .26 as the source-IP?

If you hook up a lowly sniffable hub between the FE4 and 3925-port1 interfaces, can you tell us for SURE that there is no proxy-arp going on, and absolutely all L2 traffic leaving your FE4 interface is using the one and only MAC-address of that interface, and ALL IP packet source addresses are .26-30?

Not sure if the 871 will do with its NAT what you expect with a ping source of 192.168.1.1 - does it correctly apply the NAT translation before sending that packet out FE4? Try the 24.x.x.26 address as the source.

FWIW, after calling Optimum and reading them the riot act, the "chatter" on the router just ceased about 20 minutes ago.

I did find, too, that Optimum wiped out all of my reverse DNS definitions. I told them that they will find them and recover them. I'm not touching anything in the interim. It's clear that they've mucked up a number of things.

Anyway, it's a joy to see RxD/TxD black, only to flash when there's traffic. Currently, since I've shutdown servers and services, the only flashing I see is an occasional email (or rejected SPAM) and when I type in one of my ssh sessions from my residential account to the server on the business account!

I am awaiting a callback from OOL WRT to this issue and the restoration of my reverse-DNS. I'd love to hear what they found as the issue.

FWIW, I put a 100bT switch between the DPQ3925/Cisco router *just* in case I need to start sniffing what's been going on but... that looks unnecessary at the moment.
OOLost

OOLost to efrem

Anon

to efrem
said by efrem:

Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV.

You say you have 5 addresses .... you really should have 7.

One is the subnet
One is the default gateway
Four are the addressable individual IP's
One is the broadcast address for the subnet.

It does not appear to me that you are using that scheme with the addresses you listed above.

You might want to double-check that.

Really? Talk that over with the OOL folks then. I was told:

24.xx.yy.24/29
24.xx.yy.25 -- gateway
24.xx.yy.26 -- 1st assignable IP
24.xx.yy.27 -- 2nd assignable IP
24.xx.yy.28 -- 3rd assignable IP
24.xx.yy.29 -- 4th assignable IP
24.xx.yy.30 -- 5th assignable IP
24.xx.yy.31 -- broadcast
cablewizzard
join:2009-06-14
Woodbury, NY

cablewizzard to OOLost

Member

to OOLost
said by OOLost :

FWIW, after calling Optimum and reading them the riot act, the "chatter" on the router just ceased about 20 minutes ago.

I did find, too, that Optimum wiped out all of my reverse DNS definitions. I told them that they will find them and recover them. I'm not touching anything in the interim. It's clear that they've mucked up a number of things.
[....]

You seem to indicate that you now have access, but I don't think I understand what they changed for you - and all this after several truck rolls? They can't do much more than de/re-provision the device, really.

Go ahead and edit the rDNS values - there is no reason to wait.

Also, a correction in my choice of words: with no proxy-arp, your 871 MUST use a different MAC for every single one of the 5 IPs. Network behavior will be erratic/unstable otherwise (and that's been like this since the early days of the DPQ3925, Cisco simply doesn't support that feature in the 3925, but did in the 851).
efrem
join:2002-04-03
Westport, CT

efrem to OOLost

Member

to OOLost
My bad. For some reason I thought it was 4 usable addresses, but you are correct, they actually assign 5.

OOLost
@optonline.net

OOLost

Anon

Things have come back to normal.

After calling OOL yesterday, OOL did some testing and saw the packet loss to the DPQ3925. They rolled a technician who replaced the drop because he found that there was water and some corrosion in the connection at the pole. Also, there was a reset of the DPQ3925 earlier in the day which seemed to have cleared the issue of the incessant traffic to the router. A configuration change perhaps? I/you will never know as there's no way to view the configuration of the DPQ3925. I recovered my router's configuration from its ftp backup (easier than undoing all of the crazy things I tried to figure out what was banging on the router's interface) and all's well.

Also, it appears that OOL deleted my reverse-DNS. That'd explain a number of bizarre things like mail bouncing back and remote SQL query complaints. I'm waiting still for OOL to contact me about this particular issue.

I can now get back to working on a deadline project waylaid several days with this OOL debacle.
OOLost

OOLost

Anon

The holiday didn't last long.

I finally had enough and I put an old hub (10bT) between the DPQ3925 and my Cisco router interface. I then fired up Wireshark on a linux laptop on its wired ethernet interface and plugged it into the hub so that it could see the traffic between the two.

Yup. It's a DDoS on DNS. I've presently gotten port 53 via an ACL on the Cisco disabled but I now have no DNS.

HOW DO I GET OOL TO UNDERSTAND THAT THIS IS HAPPENING?

I called them again yesterday and all they did was roll another cable tech out. That's NOT going to fix this problem. They need to intercede to stop this attack.

jaa
Premium Member
join:2000-06-13


jaa

Premium Member

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

Do you think it is a DDoS attack on all your IP addresses?

Have you asked OOL to assign you a different block of IP addresses?

I am skeptical of DDoS attack. Too coincidental that the attack started the same time OOL changed equipment, and that your Mac would work ok connected to the OOL equipment. I also do not recall anyone else posting about a DDoS attack on this forum in the past 10 years, but you could be the first.
cablewizzard
join:2009-06-14
Woodbury, NY

cablewizzard to OOLost

Member

to OOLost
One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscriber's service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

OOLost
@optonline.net

OOLost to jaa

Anon

to jaa
said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.
said by jaa:

Do you think it is a DDoS attack on all your IP addresses?

Would you like that I post all 800000 Wireshark captures?
said by jaa:

Have you asked OOL to assign you a different block of IP addresses?

I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.

EliteData
EliteData
Premium Member
join:2003-07-06
Philippines

EliteData

Premium Member

said by OOLost :

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.
said by jaa:

Do you think it is a DDoS attack on all your IP addresses?

Would you like that I post all 800000 Wireshark captures?
said by jaa:

Have you asked OOL to assign you a different block of IP addresses?

I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.

can you post a small capture packet from wire shark ?

OOLost
@optonline.net

OOLost

Anon

said by EliteData:

can you post a small capture packet from wire shark ?

Here you go, on incoming from 72.8.190.97 doing a standard query of RIPE.NET ANY.

0000 00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00 ....6.._ ......E.
0010 00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 xx .B..@.u. ..H..a..
0020 yy 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01 ...5.5.. ........
0030 00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00 .......r ipe.net.
0040 00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00 ......). ........
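
Decoding the DNS payload of the packet posted above shows what kind of traffic it is: a recursion-desired ANY query for ripe.net carrying an EDNS0 record that advertises a 4096-byte buffer, sent from source port 53. This is an added example, not part of the original post or thread; the function names are hypothetical, the payload bytes are those of the hex dump from frame offset 0x2a onward, and the source port is read from the dump's UDP header.

```python
import struct

# UDP payload (frame offset 0x2a onward) copied from the hex dump in the post.
PAYLOAD = bytes.fromhex(
    "03b801000001"
    "0000000000010472697065036e657400"
    "00ff0001000029100000008000000000"
)
QTYPE_ANY, RRTYPE_OPT = 255, 41


def read_name(buf, off):
    """Read an uncompressed DNS name; return (name, offset after it)."""
    labels = []
    while off < len(buf) and buf[off]:
        n = buf[off]
        if n & 0xC0 or off + 1 + n > len(buf):
            raise ValueError("compressed or truncated label")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    if off >= len(buf):
        raise ValueError("truncated name")
    return ".".join(labels) or ".", off + 1


def parse_query(buf):
    """Decode the header, the single question and any EDNS0 OPT record."""
    if len(buf) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    if qd != 1 or an or ns:
        raise ValueError("not a plain one-question query")
    qname, off = read_name(buf, 12)
    qtype, _qclass = struct.unpack_from("!HH", buf, off)
    off += 4
    info = {"id": ident, "is_response": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype,
            "edns_udp_size": None, "do_bit": False}
    for _ in range(ar):
        _, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:  # OPT reuses the CLASS and TTL fields
            info["edns_udp_size"] = rclass
            info["do_bit"] = bool(ttl & 0x8000)
    info["trailing_bytes"] = len(buf) - off
    return info


def reflection_indicators(info, src_port):
    """Traits of a query built to draw a large reply from a resolver."""
    checks = [
        ("ANY query", not info["is_response"] and info["qtype"] == QTYPE_ANY),
        ("EDNS0 buffer >= 4096", (info["edns_udp_size"] or 0) >= 4096),
        ("source port 53", src_port == 53),
    ]
    return [label for label, hit in checks if hit]
```

Calling `reflection_indicators(parse_query(PAYLOAD), src_port=53)` returns all three indicators for this packet, and the decoder also reports one byte left over after the OPT record. Because the packet is a query rather than a response, whether anything on the destination address answers it determines how much upstream traffic it causes.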

EliteData
EliteData
Premium Member
join:2003-07-06
Philippines

EliteData

Premium Member

i meant to capture for about 5 seconds then "save as" in wireshark and attach it here (or you can send it by private message if you want)