anoxia
join:2009-05-19
Dallas, TX

1 recommendation

anoxia

Member

AT&T gateway (5268ac, maybe others) misrouting 1.1.1.0/24?

Traceroutes from the 5268ac web interface diagnostics page:

traceroute 1.1.1.1 with: 64 bytes of data
1: 1.1.1.1(1dot1dot1dot1.cloudflare-dns.com), time=0 ms
 
traceroute 1.1.1.2 with: 64 bytes of data
1: 1.1.1.2(1.1.1.2), time=3 ms
 

That suggests that the 5268ac has been assigned 1.1.1.1 on an internal interface, and 1.1.1.2 is one hop beyond the 5268ac, inside AT&T's network.

Traceroutes from the LAN side of the 5268ac:

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  1.137 ms  1.003 ms  0.975 ms
 
traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.999 ms  0.753 ms  0.827 ms
 2  1.1.1.2 (1.1.1.2)  1.705 ms  1.833 ms  1.662 ms
 
traceroute to 1.1.1.5 (1.1.1.5), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  1.080 ms  0.813 ms  0.931 ms
 2  192.168.1.254 (192.168.1.254)  3001.723 ms !H  3001.582 ms !H  3001.550 ms !H
 
 

This suggests to me that the 5268ac has a local interface assigned 1.1.1.1, 1.1.1.2 is assigned to the next hop inside AT&T's network, and the 5268ac believes 1.1.1.5 is also directly connected on the WAN, but doesn't have a mac address for it, so it thinks it's supposed to reply that the host isn't reachable.

192.168.1.254 is the lan address of the 5268ac.

The alternative cloudflare dns ip, 1.0.0.1, outside of 1.1.1.0/24, works
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.729 ms  0.662 ms  0.782 ms
 2  *redacted*
 3  *redacted*
 4  *  *  *
 5  *redacted*
 6  *redacted*
 7  *redacted*
 8  *redacted*
 9  1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)  3.251 ms  3.325 ms  3.241 ms
 
 

AT&T doesn't own 1.1.1.0/8, and it's not private address space. Are they using it anyway, or is there something unusual going on with only my gateway?

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 recommendation

nwrickert

Mod

I see similar oddities. These are traceroutes from the LAN:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  1.1.1.1  0.838 ms  1.244 ms  1.743 ms
 
and
traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 60 byte packets
 1  192.168.1.254  0.662 ms  0.911 ms  1.253 ms
 2  1.1.1.2  1005.039 ms  1004.827 ms  1004.611 ms
 
So I did a "whois" lookup:
inetnum:        1.1.1.0 - 1.1.1.255
netname:        APNIC-LABS
descr:          APNIC and Cloudflare DNS Resolver project
descr:          Routed globally by AS13335/Cloudflare
descr:          Research prefix for APNIC Labs
country:        AU
org:            ORG-ARAD1-AP
admin-c:        AR302-AP
tech-c:         AR302-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-AU-APNIC-GM85-AP
mnt-irt:        IRT-APNICRANDNET-AU
status:         ASSIGNED PORTABLE
remarks:        ---------------
remarks:        All Cloudflare abuse reporting can be done via
remarks:        resolver-abuse@cloudflare.com
remarks:        ---------------
last-modified:  2018-03-30T01:51:28Z
source:         APNIC
 
I don't know what that all implies. But perhaps it has to do with global distributed DNS services. Perhaps it is legitimate.

Zer0Evil
join:2008-02-10
Burbank, IL

1 recommendation

Zer0Evil

Member

NVG599 not affected.
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.382 ms
 2  76-221-92-1.lightspeed.cicril.sbcglobal.net (76.221.92.1)  18.091 ms
 3  75.14.64.61 (75.14.64.61)  18.405 ms
 4  cr1.cgcil.ip.att.net (12.123.7.106)  21.116 ms
 5  cgcil403igs.ip.att.net (12.122.133.33)  19.827 ms
 6  ae16.cr7-chi1.ip4.gtt.net (173.241.128.29)  18.822 ms
 7  xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74)  25.583 ms
 8  cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26) 25.838 ms
 9  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  25.895 ms
 

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

3 recommendations

maartena to anoxia

Premium Member

to anoxia
I can confirm this. I can't confirm it anymore, because I successfully implemented the gateway bypass using a Ubiquiti USG (see the big bypass thread) yesterday.... but on Friday I tried using 1.1.1.1 DNS and noticed its traceroutes stopped dead hard at the Pace gateway.

You have three options:

1) Don't use anything in 1.1.1.0/24 and fuggedaboutit until AT&T issues a firmware that fixes it.
2) Implement a bypass using one of the methods described in the huge thread about it - may require purchasing some hardware.
3) Get AT&T to give you a different gateway.
cooperaaaron
join:2004-04-10
Joliet, IL

1 edit

1 recommendation

cooperaaaron to anoxia

Member

to anoxia
Isn't this Cloudflare's new DNS service? 1.1.1.1? On the site for this service, they mention that 1.1.1.1 might not be working for some people; to try to use 1.0.0.1 instead..

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

2 recommendations

maartena

Premium Member

said by cooperaaaron:

Isn't this Cloudflare's new DNS service? 1.1.1.1? On the site for this service, they mention that 1.1.1.1 might not be working for some people; to try to use 1.0.0.1 instead..

Apparently Cisco equipment also doesn't like 1.1.1.1 - I guess it was an easy /24 to discount and use as some sort of default setting.

I can tell you that Ubiquiti gear seems unaffected.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

2 recommendations

Napsterbater to anoxia

MVM

to anoxia
Here are 2 Atlas probe measurements from 54 (All?) Probes that have a Public IP in AS7018 (AKA AT&T)

Traceroute: 1 Hop = "Busted" Gateway, 2 Hops = "Busted" Gateway but with a 2nd router in use behind it, 3 = "Busted" Gateway but with a 2nd and 3rd router in use.
»atlas.ripe.net/measureme ··· #!probes
Seems Almost half (21 of 52) can't get to the right place,

Ping
»atlas.ripe.net/measureme ··· #!probes
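Added example, not part of any post in this thread: a small Python classifier for LAN-side traceroute output that applies the hop-count heuristic described above (target answering before any hop beyond private address space means the gateway or a local device is answering for it). The category names and function names are this example's own, and the three sample traces are copied from posts in this thread.

```python
import ipaddress
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_trace(text):
    """Return (target, [(responder_ip or None, saw_host_unreachable), ...])."""
    target, hops = None, []
    for line in text.strip().splitlines():
        if line.startswith("traceroute to"):
            target = IP_RE.search(line).group(0)
        elif (m := HOP_RE.match(line)):
            ip = IP_RE.search(m.group(2))
            hops.append((ip.group(0) if ip else None, "!H" in m.group(2)))
    return target, hops

def classify(text):
    """Label one trace taken from a host on the LAN behind the gateway."""
    target, hops = parse_trace(text)
    left_lan = False  # True once a non-private hop other than the target replies
    for ip, unreachable in hops:
        if ip is None:  # "* * *": nothing replied at this hop
            continue
        private = ipaddress.ip_address(ip).is_private
        if unreachable:  # !H = ICMP host unreachable
            return "unreachable-at-gateway" if private and not left_lan else "unreachable"
        if ip == target:
            return "routed" if left_lan else "answered-locally"
        if not private:
            left_lan = True
    return "inconclusive"

# Sample traces copied from posts in this thread.
LOCAL = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  1.137 ms  1.003 ms  0.975 ms"""
DEAD = """traceroute to 1.1.1.5 (1.1.1.5), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  1.080 ms  0.813 ms  0.931 ms
 2  192.168.1.254 (192.168.1.254)  3001.723 ms !H  3001.582 ms !H  3001.550 ms !H"""
ROUTED = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.382 ms
 2  76-221-92-1.lightspeed.cicril.sbcglobal.net (76.221.92.1)  18.091 ms
 3  75.14.64.61 (75.14.64.61)  18.405 ms
 4  cr1.cgcil.ip.att.net (12.123.7.106)  21.116 ms
 5  cgcil403igs.ip.att.net (12.122.133.33)  19.827 ms
 6  ae16.cr7-chi1.ip4.gtt.net (173.241.128.29)  18.822 ms
 7  xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74)  25.583 ms
 8  cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26) 25.838 ms
 9  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  25.895 ms"""

if __name__ == "__main__":
    for name, trace in (("LOCAL", LOCAL), ("DEAD", DEAD), ("ROUTED", ROUTED)):
        print(name, classify(trace))
```

An "answered-locally" result for a resolver address also means DNS queries sent to that address never leave the local network, which is worth checking before trusting answers from it.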
bplein
join:2013-03-14
Leander, TX

5 recommendations

bplein to maartena

Member

to maartena
While the options you list are true, that's being too nice to AT&T.

They don't own/control 1.1.1.1. It's not theirs to borrow for their own use unless it was 100% transparent to the rest of the Internet. They have hijacked a legitimate business IP address.

The hijack occurred when they thought nobody would ever use it, but that's inexcusable. It wasn't reserved for this use (as 10.0.0.0/8, etc. were)
bplein

2 recommendations

bplein to anoxia

Member

to anoxia
It gets worse.

It appears they are using 1.1.1.1 to bridge to ipv6? Maybe some sort of transparent tunnel?
bplein

4 recommendations

bplein

Member

It's actually (on the link tree) root0->home0->br6->ipnet6, which although it has "6" in the name, doesn't appear to be related to ipv6 for use by the customer. That is in root0->bband0->br1 (below that in ip6net1)

Deafboy91
join:2017-03-30

2 recommendations

Deafboy91 to anoxia

Member

to anoxia
I shared my result in another topic in Networking: »Re: 1.1.1.1. The test I took was on a 5268ac modem with a USG behind it. 1.1.1.1 is not working on my home network. (traceroute dead after 8th hop; USG is fine)

But the non-profit organization I work for uses AT&T business fiber with an NVG595 with a static IP address. I tested it and it is working.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

4 recommendations

maartena to bplein

Premium Member

to bplein
said by bplein:

While the options you list are true, that's being too nice to AT&T.

They don't own/control 1.1.1.1. It's not theirs to borrow for their own use unless it was 100% transparent to the rest of the Internet. They have hijacked a legitimate business IP address.

The hijack occurred when they thought nobody would ever use it, but that's inexcusable. It wasn't reserved for this use (as 10.0.0.0/8, etc. were)

I agree. But that doesn't mean it's fixed quickly.

AT&T is not the only one.... it appears that most Cisco gear also can't use 1.1.1.0/24 because it is used for a variety of purposes within their gear:

»supportforums.cisco.com/ ··· /3161248

»www.networking-forum.com ··· &t=11216

Those are topic forums from years ago, apparently Cisco uses 1.1.1.1 as a virtual IP to redirect to when the device needs to be set up for the first time, OR uses it as a captive portal to authenticate guest wifi, such as in hotels and restaurants and such.

Why? Beats me.... but there are now millions of pieces of Cisco hardware out there that can't use or route 1.1.1.0/24.

The 1.1.1.1 is used as a captive portal for public wifi such as Starbucks, which would indicate they may use a Cisco setup. But it sucks if you have your laptop hardcoded to 1.1.1.1, forget about it, take it to a Starbucks, get on their wifi.... and then find out DNS isn't working.

A small silver lining: Using the secondary 1.0.0.1 seems to be unaffected, (different /24) so you can safely use THAT and use Google's 8.8.8.8 as a secondary for backup.

Deafboy91
join:2017-03-30

1 recommendation

Deafboy91

Member

Can use 1.1?

SLC 96
join:2005-04-03
Chicago, IL

1 recommendation

SLC 96 to anoxia

Member

to anoxia
I can't get to 1.1.1.1 or 1.0.0.1 using BGW210 firmware 1.5.11.

Luckily I can access Cloudflare DNS using IPv6.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

1 recommendation

Napsterbater

MVM

said by SLC 96:

I can't get to 1.1.1.1 or 1.0.0.1 using BGW210 firmware 1.5.11.

Got a trace to them you can post?

SLC 96
join:2005-04-03
Chicago, IL

2 recommendations

SLC 96

Member

From Computer
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  10.2.52.1 (10.2.52.1)  0.413 ms  0.224 ms  0.400 ms
 2  192.168.1.254 (192.168.1.254)  0.536 ms  0.396 ms  0.334 ms
 3  192.168.1.254 (192.168.1.254)  3005.187 ms !H  3005.193 ms !H  3005.103 ms !H
 
From Computer
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.2.52.1 (10.2.52.1)  0.389 ms  0.272 ms  0.274 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 
From BGW210
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  0.231 ms  0.181 ms  0.108 ms
 
From BGW210
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  3006.024 ms !H  3006.224 ms !H  3005.981 ms !H
                    
                    
 
sims
join:2013-04-06

1 edit

1 recommendation

sims to anoxia

Member

to anoxia
Not seeing any issues using 1.1.1.1 or 1.0.0.1 on our NVG510 ADSL2+
neufuse
join:2006-12-06
James Creek, PA

3 recommendations

neufuse to anoxia

Member

to anoxia
when we implemented one of our web filters it required the IP to be 1.1.1.1 on the network, which was stupid... now we have an enterprise cisco setup and it put the IPS on 1.1.1.1 by default another dumb move
FlatWorld
join:2016-07-11
US

1 recommendation

FlatWorld to anoxia

Member

to anoxia
Working fine on a BGW210 on Fiber.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

6 recommendations

maartena to neufuse

Premium Member

to neufuse
said by neufuse:

when we implemented one of our web filters it required the IP to be 1.1.1.1 on the network, which was stupid... now we have a enterprise cisco setup and it put the IPS on 1.1.1.1 by default another dumb move

That is Cisco's doing. All of Cisco's wireless controllers also have their captive portal on 1.1.1.1, so even if you got your DNS to work at home and you are perfectly happy with 1.1.1.1 as your DNS server, the first time you go to a Starbucks you might wonder why you can't connect to their wifi

Bottom line:
- Yes Cisco and my other manufacturers should not have done that.
- Yes APNIC should have managed the release of 1.1.1.1 to public routing a lot better.
- No, it's not going to be fixed quickly. Not by a long shot.
pawpaw
join:2004-05-05
Asheville, NC

3 recommendations

pawpaw to maartena

Member

to maartena
4) Don't use an ISP that disregards good practise.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

2 recommendations

Napsterbater

MVM

This is just one of many reasons why AT&T would be one of my last resorts because of the forced Gateway, gateways that almost every single one has a bug one way or another. There's no logical reason to force a Gateway for an Internet only customer. There is also no reason for them to be using 802.1x except to force the use of a gateway.
pawpaw
join:2004-05-05
Asheville, NC

1 recommendation

pawpaw

Member

Agreed. To me, this is all part and parcel of net neutrality - don't screw with internet standards in any way.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

2 recommendations

maartena to pawpaw

Premium Member

to pawpaw
said by pawpaw:

4) Don't use an ISP that disregards good practise.

Although there are ISP's that do indeed disregard good practice, the majority of problems are because of hardware manufacturers not following good practice. I'm actually quite surprised how much of the Cisco product line is affected, they should know better.

You don't always have that choice either.... LEGACY charter areas (so those who were charter before the merger) have issues with 1.1.1.1 because it is used somewhere internally.

Now, if your ISP choices are AT&T on the telco side, and legacy Charter on the cable side.... you may not have a choice.

Finally: We have lived with 1.1.1.1 not working for decades. Now that Cloudflare puts a DNS server on it people start complaining. There are plenty of other DNS services available, and 1.1.1.1 is not critical enough to go change ISP's over it. Use 4.2.2.x or 9.9.9.9 if you don't want to use Google or your ISP's DNS.... and there is a good chance Cloudflare's 1.0.0.1 actually will work. And then there is OpenDNS, and you may find that a local university may have a public DNS server.
maartena

1 recommendation

maartena to Napsterbater

Premium Member

to Napsterbater
said by Napsterbater:

This is just one of many reasons why AT&T would be one of my last resorts because of the forced Gateway, gateways that almost every single one has a bug one way or another. There's no logical reason to force a Gateway for an Internet only customer. There is also no reason for them to be using 802.1x except to force the use of a gateway.

Luckily there are some great ways to bypass the RG completely if you have fiber. Not so much with vDSL though.... but it works perfectly with fiber, with the ONT connected straight to my Ubiquiti USG.
pawpaw
join:2004-05-05
Asheville, NC

1 recommendation

pawpaw to maartena

Member

to maartena
A company with the size and expertise of AT&T should not be using crappy equipment then. Don't pass the buck.

Agreed that we do not have enough choice.

So 1.1.1.1 not working for decades, with plenty of alternatives? Well then, colored folk will be happy at the back of the bus, it's been that way forever and there are ample seats.
sludgehound
join:2007-03-12
New York, NY

1 recommendation

sludgehound to anoxia

Member

to anoxia
fwiw still working fine 2nd day Spectrum NYC on low speed cable, mega-tasking stable 1 1 1 1 / 9 9 9 9

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

2 recommendations

maartena to pawpaw

Premium Member

to pawpaw
said by pawpaw:

A company with the size and expertise of AT&T should not be using crappy equipment then. Don't pass the buck.

You may find that a lot of not-so-crappy equipment is affected. Although these days Cisco isn't what they used to be, they are still considered a major manufacturer of enterprise-grade hardware.... and pretty much anyone that uses Cisco as their wifi system will be affected. (See below).

So 1.1.1.1 not working for decades, with plenty of alternatives? Well then, colored folk will be happy at the back of the bus, it's been that way forever and there are ample seats.

My point is that 1.1.1.1 has been available for decades, but because there isn't anything on there that interested people besides some APNIC research, absolutely NO ONE cared that all of the nation's Starbucks have a 1.1.1.1 captive portal as they use Cisco wireless controllers. Now, we could all stop drinking Starbucks out of protest or realize that it really isn't Starbucks' fault....

My second point is that the world will continue to spin if you can't get to 1.1.1.1.... No one heard of it 2 weeks ago, and your internet isn't going to be worse off if you have an ISP that uses it, or go to a Starbucks or Hotel that uses it on a captive portal. Your internet will work exactly like it did 2 weeks ago, with whatever favorite DNS provider you were using then.

As a matter of fact, travelers that often use things like Airport wifi, Starbucks wifi, Hotel wifi, McDonalds wifi, etc, etc... may just want to stay away from using 1.1.1.1 as a static DNS on their laptops, as they may find they can either no longer resolve anything, or not even connect to a hotel network if it uses Cisco gear.

Cloudflare might force hardware manufacturers to change their ways.... (one can hope), but the world doesn't end just because you can't reach 1.1.1.1 and it's the current cool DNS to have.

It simply isn't a problem that can be solved in a day, or a month, or even a year in many cases.
dave006
join:1999-12-26
Boca Raton, FL

1 recommendation

dave006 to pawpaw

Member

to pawpaw
said by pawpaw:

So 1.1.1.1 not working for decades, with plenty of alternatives?

No big deal just use 1.0.0.1 if you have a 5268ac the other RGs should be fine with 1.1.1.1.

Much simpler issue than the AT&T firmware that blocks "bridge" mode and removes multiple other customer beneficial features.

Dave

SLC 96
join:2005-04-03
Chicago, IL

1 recommendation

SLC 96

Member

said by dave006:

said by pawpaw:

So 1.1.1.1 not working for decades, with plenty of alternatives?

No big deal just use 1.0.0.1 if you have a 5268ac the other RGs should be fine with 1.1.1.1.

Much simpler issue than the AT&T firmware that blocks "bridge" mode and removes multiple other customer beneficial features.

Dave

With the latest BGW210 firmware, both 1.0.0.1 and 1.1.1.1 don't work.