anoxia join:2009-05-19 Dallas, TX
1 recommendation |
anoxia
Member
2018-Apr-1 7:18 pm
AT&T gateway (5268ac, maybe others) misrouting 1.1.1.0/24?
Traceroutes from the 5268ac web interface diagnostics page:
traceroute 1.1.1.1 with: 64 bytes of data
1: 1.1.1.1(1dot1dot1dot1.cloudflare-dns.com), time=0 ms
traceroute 1.1.1.2 with: 64 bytes of data
1: 1.1.1.2(1.1.1.2), time=3 ms
That suggests that the 5268ac has been assigned 1.1.1.1 on an internal interface, and 1.1.1.2 is one hop beyond the 5268ac, inside AT&T's network.
Traceroutes from the LAN side of the 5268ac:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 1.137 ms 1.003 ms 0.975 ms
traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 38 byte packets
1 192.168.1.254 (192.168.1.254) 0.999 ms 0.753 ms 0.827 ms
2 1.1.1.2 (1.1.1.2) 1.705 ms 1.833 ms 1.662 ms
traceroute to 1.1.1.5 (1.1.1.5), 30 hops max, 38 byte packets
1 192.168.1.254 (192.168.1.254) 1.080 ms 0.813 ms 0.931 ms
2 192.168.1.254 (192.168.1.254) 3001.723 ms !H 3001.582 ms !H 3001.550 ms !H
This suggests to me that the 5268ac has a local interface assigned 1.1.1.1, 1.1.1.2 is assigned to the next hop inside AT&T's network, and the 5268ac believes 1.1.1.5 is also directly connected on the WAN, but doesn't have a MAC address for it, so it thinks it's supposed to reply that the host isn't reachable. 192.168.1.254 is the LAN address of the 5268ac. The alternative Cloudflare DNS IP, 1.0.0.1, outside of 1.1.1.0/24, works:
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
1 192.168.1.254 (192.168.1.254) 0.729 ms 0.662 ms 0.782 ms
2 *redacted*
3 *redacted*
4 * * *
5 *redacted*
6 *redacted*
7 *redacted*
8 *redacted*
9 1dot1dot1dot1.cloudflare-dns.com (1.0.0.1) 3.251 ms 3.325 ms 3.241 ms
AT&T doesn't own 1.1.1.0/8, and it's not private address space. Are they using it anyway, or is there something unusual going on with only my gateway? |
|
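The reasoning in the opening post (a reply to 1.1.1.x from hop 1 or 2, or an ICMP host-unreachable from the gateway's own LAN address, means the gateway is handling the public prefix itself) can be turned into a small check. The following Python is an added example, not code from any poster in the thread: it parses standard Unix-style traceroute output (not the 5268ac web-diagnostics format), and classifies each trace into 1.1.1.0/24. The sample traces are copied (one abridged) from posts in this thread; the `local_hops` threshold of 2 is an assumption of this example, following the "1 hop / 2 hops" reading used later in the thread.

```python
import ipaddress
import re

# The prefix the thread is about: APNIC / Cloudflare resolver space.
WATCHED_PREFIX = ipaddress.ip_network("1.1.1.0/24")

# Unix-style traceroute output as pasted in the thread:
#   "1  host.example (1.1.1.1)  1.137 ms ..."   "1  1.1.1.1  0.838 ms ..."   "2  * * *"
HEADER_RE = re.compile(r"traceroute to (\d+\.\d+\.\d+\.\d+)")
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:\S+\s+\((\d+\.\d+\.\d+\.\d+)\)|(\d+\.\d+\.\d+\.\d+)|\*)"
)


def parse_traceroute(text):
    """Return (destination, hops); each hop is {"hop", "ip", "unreachable"}."""
    dest, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            dest = ipaddress.ip_address(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = m.group(2) or m.group(3)
        hops.append({
            "hop": int(m.group(1)),
            "ip": ipaddress.ip_address(ip) if ip else None,
            "unreachable": "!H" in line,  # ICMP host unreachable, as in the 5268ac traces
        })
    return dest, hops


def assess(dest, hops, lan_gateway, local_hops=2):
    """Classify how a trace into the watched prefix ended.

    lan_gateway: the gateway's LAN address (192.168.1.254 in the thread).
    local_hops:  assumed threshold (hypothetical): Cloudflare's anycast node is
                 many hops out, so an answer from hop 1 or 2 comes from local gear.
    """
    if dest is None or dest not in WATCHED_PREFIX:
        return "not-watched"
    for h in hops:
        if h["unreachable"] and h["ip"] == lan_gateway:
            # The gateway itself sends host-unreachable: it treats the prefix as on-link.
            return "gateway-claims-directly-connected"
        if h["ip"] == dest:
            return "answered-locally" if h["hop"] <= local_hops else "reached-upstream"
    return "no-answer"


# Sample traces copied from posts in this thread (the OP's 5268ac and the NVG599 post);
# the 1.0.0.1 trace is abridged to its first and last hops.
SAMPLES = {
    "5268ac to 1.1.1.1": """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  1.137 ms  1.003 ms  0.975 ms""",
    "5268ac to 1.1.1.5": """traceroute to 1.1.1.5 (1.1.1.5), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  1.080 ms  0.813 ms  0.931 ms
 2  192.168.1.254 (192.168.1.254)  3001.723 ms !H  3001.582 ms !H  3001.550 ms !H""",
    "5268ac to 1.0.0.1": """traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.729 ms  0.662 ms  0.782 ms
 2  * * *
 9  1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)  3.251 ms  3.325 ms  3.241 ms""",
    "NVG599 to 1.1.1.1": """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  192.168.1.254 (192.168.1.254)  0.382 ms
 2  76-221-92-1.lightspeed.cicril.sbcglobal.net (76.221.92.1)  18.091 ms
 3  75.14.64.61 (75.14.64.61)  18.405 ms
 4  cr1.cgcil.ip.att.net (12.123.7.106)  21.116 ms
 5  cgcil403igs.ip.att.net (12.122.133.33)  19.827 ms
 6  ae16.cr7-chi1.ip4.gtt.net (173.241.128.29)  18.822 ms
 7  xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74)  25.583 ms
 8  cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26)  25.838 ms
 9  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  25.895 ms""",
}


def run_samples(lan_gateway="192.168.1.254"):
    """Run every sample trace through the classifier; returns {name: verdict}."""
    gw = ipaddress.ip_address(lan_gateway)
    return {name: assess(*parse_traceroute(text), gw) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Anything other than `reached-upstream` or `not-watched` is worth a closer look: `answered-locally` means something between you and the ISP core answers as a Cloudflare address, and `gateway-claims-directly-connected` means the gateway has a connected route for the prefix, which is what the `!H` replies from 192.168.1.254 indicate.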
1 recommendation |
I see similar oddities. These are traceroutes from the LAN:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 1.1.1.1 0.838 ms 1.244 ms 1.743 ms
and
traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 60 byte packets
1 192.168.1.254 0.662 ms 0.911 ms 1.253 ms
2 1.1.1.2 1005.039 ms 1004.827 ms 1004.611 ms
So I did a "whois" lookup:
inetnum: 1.1.1.0 - 1.1.1.255
netname: APNIC-LABS
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
country: AU
org: ORG-ARAD1-AP
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: resolver-abuse@cloudflare.com
remarks: ---------------
last-modified: 2018-03-30T01:51:28Z
source: APNIC
I don't know what that all implies. But perhaps it has to do with global distributed DNS services. Perhaps it is legitimate. |
|
|
1 recommendation |
NVG599 not affected.
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 192.168.1.254 (192.168.1.254) 0.382 ms
2 76-221-92-1.lightspeed.cicril.sbcglobal.net (76.221.92.1) 18.091 ms
3 75.14.64.61 (75.14.64.61) 18.405 ms
4 cr1.cgcil.ip.att.net (12.123.7.106) 21.116 ms
5 cgcil403igs.ip.att.net (12.122.133.33) 19.827 ms
6 ae16.cr7-chi1.ip4.gtt.net (173.241.128.29) 18.822 ms
7 xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74) 25.583 ms
8 cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26) 25.838 ms
9 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 25.895 ms
|
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
3 recommendations |
to anoxia
I can confirm this. I can't confirm it anymore, because I successfully implemented the gateway bypass using a Ubiquiti USG (see the big bypass thread) yesterday.... but on Friday I tried using 1.1.1.1 DNS and noticed its traceroutes stopped dead hard at the Pace gateway.
You have three options:
1) Don't use anything in 1.1.1.0/24 and fuggedaboutit until AT&T issues a firmware that fixes it.
2) Implement a bypass using one of the methods described in the huge thread about it - may require purchasing some hardware.
3) Get AT&T to give you a different gateway. |
|
1 edit
1 recommendation |
to anoxia
Isn't this Cloudflare's new DNS service? 1.1.1.1? On the site for this service, they mention that 1.1.1.1 might not be working for some people; to try to use 1.0.0.1 instead. |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
2 recommendations |
maartena
Premium Member
2018-Apr-1 9:51 pm
said by cooperaaaron: Isn't this Cloudflare's new DNS service? 1.1.1.1? On the site for this service, they mention that 1.1.1.1 might not be working for some people; to try to use 1.0.0.1 instead.
Apparently Cisco equipment also doesn't like 1.1.1.1 - I guess it was an easy /24 to discount and use as some sort of default setting. I can tell you that Ubiquiti gear seems unaffected. |
|
(Software) OPNsense Ubiquiti UniFi UAP-AC-PRO
2 recommendations |
to anoxia
Here are 2 Atlas probe measurements from 54 (all?) probes that have a public IP in AS7018 (AKA AT&T).
Traceroute: 1 hop = "busted" gateway, 2 hops = "busted" gateway but with a 2nd router in use behind it, 3 = "busted" gateway but with a 2nd and 3rd router in use. » atlas.ripe.net/measureme ··· #!probes
Seems almost half (21 of 52) can't get to the right place.
Ping: » atlas.ripe.net/measureme ··· #!probes |
|
bplein join:2013-03-14 Leander, TX
5 recommendations |
to maartena
While the options you list are true, that's being too nice to AT&T.
They don't own/control 1.1.1.1. It's not theirs to borrow for their own use unless it was 100% transparent to the rest of the Internet. They have hijacked a legitimate business IP address.
The hijack occurred when they thought nobody would ever use it, but that's inexcusable. It wasn't reserved for this use (as 10.0.0.0/8, etc. were) |
|
bplein
2 recommendations |
to anoxia
It gets worse. It appears they are using 1.1.1.1 to bridge to ipv6? Maybe some sort of transparent tunnel? |
|
bplein
4 recommendations |
bplein
Member
2018-Apr-2 9:57 am
It's actually (on the link tree) root0->home0->br6->ipnet6, which although it has "6" in the name, doesn't appear to be related to ipv6 for use by the customer. That is in root0->bband0->br1 (below that in ip6net1) |
|
2 recommendations |
to anoxia
I shared my result in another topic in Networking: » Re: 1.1.1.1. This test I took was on a 5268ac modem with a USG behind it. 1.1.1.1 is not working on the home network (traceroute dead after the 8th hop; the USG is fine). But the non-profit organization I work for uses AT&T business fiber with an NVG595 with a static IP address. I tested it and it is working. |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
4 recommendations |
to bplein
said by bplein:While the options you list are true, that's being too nice to AT&T.
They don't own/control 1.1.1.1. It's not theirs to borrow for their own use unless it was 100% transparent to the rest of the Internet. They have hijacked a legitimate business IP address.
The hijack occurred when they thought nobody would ever use it, but that's inexcusable. It wasn't reserved for this use (as 10.0.0.0/8, etc. were)
I agree. But that doesn't mean it's fixed quickly. AT&T is not the only one.... it appears that most Cisco gear also can't use 1.1.1.0/24 because it is used for a variety of purposes within their gear:
» supportforums.cisco.com/ ··· /3161248
» www.networking-forum.com ··· &t=11216
Those are topic forums from years ago; apparently Cisco uses 1.1.1.1 as a virtual IP to redirect to when the device needs to be set up for the first time, OR uses it as a captive portal to authenticate guest wifi, such as in hotels and restaurants and such. Why? Beats me.... but there are now millions of pieces of Cisco hardware out there that can't use or route 1.1.1.0/24. The 1.1.1.1 is used as a captive portal for public wifi such as Starbucks, which would indicate they may use a Cisco setup. But it sucks if you have your laptop hardcoded to 1.1.1.1, forget about it, take it to a Starbucks, get on their wifi.... and then find out DNS isn't working.
A small silver lining: Using the secondary 1.0.0.1 seems to be unaffected (different /24), so you can safely use THAT and use Google's 8.8.8.8 as a secondary for backup. |
|
1 recommendation |
Can use 1.1? |
|
SLC 96 join:2005-04-03 Chicago, IL
1 recommendation |
to anoxia
I can't get to 1.1.1.1 or 1.0.0.1 using BGW210 firmware 1.5.11.
Luckily I can access Cloudflare DNS using IPv6. |
|
(Software) OPNsense Ubiquiti UniFi UAP-AC-PRO
1 recommendation |
said by SLC 96: I can't get to 1.1.1.1 or 1.0.0.1 using BGW210 firmware 1.5.11.
Got a trace to them you can post? |
|
SLC 96 join:2005-04-03 Chicago, IL
2 recommendations |
SLC 96
Member
2018-Apr-2 7:59 pm
From Computer:
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
1 10.2.52.1 (10.2.52.1) 0.413 ms 0.224 ms 0.400 ms
2 192.168.1.254 (192.168.1.254) 0.536 ms 0.396 ms 0.334 ms
3 192.168.1.254 (192.168.1.254) 3005.187 ms !H 3005.193 ms !H 3005.103 ms !H
From Computer:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 10.2.52.1 (10.2.52.1) 0.389 ms 0.272 ms 0.274 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
From BGW210:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 0.231 ms 0.181 ms 0.108 ms
From BGW210:
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
1 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 3006.024 ms !H 3006.224 ms !H 3005.981 ms !H
|
|
1 edit
1 recommendation |
to anoxia
Not seeing any issues using 1.1.1.1 or 1.0.0.1 on our NVG510 ADSL2+ |
|
neufuse join:2006-12-06 James Creek, PA
3 recommendations |
to anoxia
When we implemented one of our web filters it required the IP to be 1.1.1.1 on the network, which was stupid... now we have an enterprise Cisco setup and it put the IPS on 1.1.1.1 by default, another dumb move. |
|
1 recommendation |
to anoxia
Working fine on a BGW210 on Fiber. |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
6 recommendations |
to neufuse
said by neufuse: When we implemented one of our web filters it required the IP to be 1.1.1.1 on the network, which was stupid... now we have an enterprise Cisco setup and it put the IPS on 1.1.1.1 by default, another dumb move.
That is Cisco's doing. All of Cisco's wireless controllers also have their captive portal on 1.1.1.1, so even if you got your DNS to work at home and you are perfectly happy with 1.1.1.1 as your DNS server, the first time you go to a Starbucks you might wonder why you can't connect to their wifi.
Bottom line:
- Yes, Cisco and many other manufacturers should not have done that.
- Yes, APNIC should have managed the release of 1.1.1.1 to public routing a lot better.
- No, it's not going to be fixed quickly. Not by a long shot. |
|
pawpaw join:2004-05-05 Asheville, NC
3 recommendations |
to maartena
4) Don't use an ISP that disregards good practise. |
|
(Software) OPNsense Ubiquiti UniFi UAP-AC-PRO
2 recommendations |
This is just one of many reasons why AT&T would be one of my last resorts: because of the forced gateway, gateways of which almost every single one has a bug one way or another. There's no logical reason to force a gateway for an Internet-only customer. There is also no reason for them to be using 802.1x except to force the use of a gateway. |
|
pawpaw join:2004-05-05 Asheville, NC
1 recommendation |
pawpaw
Member
2018-Apr-3 4:25 pm
Agreed. To me, this is all part and parcel of net neutrality - don't screw with internet standards in any way. |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
2 recommendations |
to pawpaw
said by pawpaw: 4) Don't use an ISP that disregards good practise.
Although there are ISPs that do indeed disregard good practice, the majority of problems are because of hardware manufacturers not following good practice. I'm actually quite surprised how much of the Cisco product line is affected; they should know better.
You don't always have that choice either.... LEGACY Charter areas (so those who were Charter before the merger) have issues with 1.1.1.1 because it is used somewhere internally. Now, if your ISP choices are AT&T on the telco side, and legacy Charter on the cable side.... you may not have a choice.
Finally: We have lived with 1.1.1.1 not working for decades. Now that Cloudflare puts a DNS server on it people start complaining. There are plenty of other DNS services available, and 1.1.1.1 is not critical enough to go change ISPs over it. Use 4.2.2.x or 9.9.9.9 if you don't want to use Google or your ISP's DNS.... and there is a good chance Cloudflare's 1.0.0.1 actually will work. And then there is OpenDNS, and you may find that a local university may have a public DNS server. |
|
maartena
1 recommendation |
to Napsterbater
said by Napsterbater: This is just one of many reasons why AT&T would be one of my last resorts: because of the forced gateway, gateways of which almost every single one has a bug one way or another. There's no logical reason to force a gateway for an Internet-only customer. There is also no reason for them to be using 802.1x except to force the use of a gateway.
Luckily there are some great ways to bypass the RG completely if you have fiber. Not so much with VDSL though.... but it works perfectly with fiber, with the ONT connected straight to my Ubiquiti USG. |
|
pawpaw join:2004-05-05 Asheville, NC
1 recommendation |
to maartena
A company with the size and expertise of AT&T should not be using crappy equipment then. Don't pass the buck.
Agreed that we do not have enough choice.
So 1.1.1.1 not working for decades, with plenty of alternatives? Well then, colored folk will be happy at the back of the bus, it's been that way forever and there are ample seats. |
|
1 recommendation |
to anoxia
fwiw still working fine 2nd day Spectrum NYC on low speed cable, mega-tasking stable 1 1 1 1 / 9 9 9 9 |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA
2 recommendations |
to pawpaw
said by pawpaw: A company with the size and expertise of AT&T should not be using crappy equipment then. Don't pass the buck.
You may find that a lot of not-so-crappy equipment is affected. Although these days Cisco isn't what they used to be, they are still considered a major manufacturer of enterprise-grade hardware.... and pretty much anyone that uses Cisco as their wifi system will be affected. (See below).
said by pawpaw: So 1.1.1.1 not working for decades, with plenty of alternatives? Well then, colored folk will be happy at the back of the bus, it's been that way forever and there are ample seats.
My point is that 1.1.1.1 has been available for decades, but because there isn't anything on there that interested people besides some APNIC research, absolutely NO ONE cared that all of the nation's Starbucks have a 1.1.1.1 captive portal as they use Cisco wireless controllers. Now, we could all stop drinking Starbucks out of protest or realize that it really isn't Starbucks' fault....
My second point is that the world will continue to spin if you can't get to 1.1.1.1.... No one heard of it 2 weeks ago, and your internet isn't going to be worse off if you have an ISP that uses it, or go to a Starbucks or hotel that uses it on a captive portal. Your internet will work exactly like it did 2 weeks ago, with whatever favorite DNS provider you were using then. As a matter of fact, travelers that often use things like airport wifi, Starbucks wifi, hotel wifi, McDonalds wifi, etc, etc... may just want to stay away from using 1.1.1.1 as a static DNS on their laptops, as they may find they can either no longer resolve anything, or not even connect to a hotel network if it uses Cisco gear.
Cloudflare might force hardware manufacturers to change their ways.... (one can hope), but the world doesn't end just because you can't reach 1.1.1.1 and it's the current cool DNS to have. It simply isn't a problem that can be solved in a day, or a month, or even a year in many cases. |
|
dave006 join:1999-12-26 Boca Raton, FL
1 recommendation |
to pawpaw
said by pawpaw: So 1.1.1.1 not working for decades, with plenty of alternatives?
No big deal, just use 1.0.0.1 if you have a 5268ac; the other RGs should be fine with 1.1.1.1. Much simpler issue than the AT&T firmware that blocks "bridge" mode and removes multiple other customer-beneficial features. Dave |
|
SLC 96 join:2005-04-03 Chicago, IL
1 recommendation |
SLC 96
Member
2018-Apr-3 6:38 pm
said by dave006: said by pawpaw: So 1.1.1.1 not working for decades, with plenty of alternatives? No big deal, just use 1.0.0.1 if you have a 5268ac; the other RGs should be fine with 1.1.1.1. Much simpler issue than the AT&T firmware that blocks "bridge" mode and removes multiple other customer-beneficial features. Dave
With the latest BGW210 firmware, both 1.0.0.1 and 1.1.1.1 don't work. |
|