# NAT issues, comcast confuses router?

## jdrotos

My problem:

When connecting my gentoo router to the internet through a linksys router, all computers behind the gentoo router are able to connect and browse the internet.

When I connect my comcast cable modem directly into the gentoo router, the gentoo router is able to browse the internet but no computers behind the gentoo router are able to browse. However, they are able to ping outside websites such as google.com.

Theory:

I'm thinking that somehow the linksys router is better at hiding the fact that I've got multiple computers set up? This is just a thought. My configurations are (nearly) correct seeing as how I can hand out addresses and client machines can browse the internet so long as the uplink to my gentoo router is through another router.

My setup:

The gentoo router is a little Via C7 machine with 3 nics. The uplink is eth0.

iptables script i've been using:

```
iptables -F                                   # flush the chains of the filter table
iptables -P INPUT ACCEPT                      # default policies: accept everything
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # NAT everything leaving the uplink
echo 1 > /proc/sys/net/ipv4/ip_forward        # turn on routing between the interfaces
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done   # reverse-path filtering on every interface
/etc/init.d/iptables save                     # persist the running ruleset via the Gentoo init script
```

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:1b:21:1a:03:87
          inet addr:10.10.11.102  Bcast:10.10.11.255  Mask:255.255.255.0  <=== when comcast is providing dhcp this is of course different.
          inet6 addr: fe80::21b:21ff:fe1a:387/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:753798 errors:0 dropped:0 overruns:0 frame:0
          TX packets:413613 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1074251326 (1.0 GiB)  TX bytes:40708672 (38.8 MiB)

eth1      Link encap:Ethernet  HWaddr 00:30:18:a1:74:37
          inet addr:10.10.20.1  Bcast:10.10.20.255  Mask:255.255.255.0
          inet6 addr: fe80::230:18ff:fea1:7437/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:714133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1030546 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61833104 (58.9 MiB)  TX bytes:1108220988 (1.0 GiB)
          Interrupt:18 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:30:18:a1:74:38
          inet addr:10.10.21.1  Bcast:10.10.21.255  Mask:255.255.255.0
          inet6 addr: fe80::230:18ff:fea1:7438/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:467 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34200 (33.3 KiB)  TX bytes:5120 (5.0 KiB)
          Interrupt:19 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1052 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:159249 (155.5 KiB)  TX bytes:159249 (155.5 KiB)
```

Any help would be much appreciated. I am at a loss. Thanks in advance.

----------

## erik258

Hey!  I'm in Minneapolis too!  I used to be on Comcast and it worked just fine for me through my gentoo router, so there should be a solution for you, although with Comcast you never know.  But networking is one of my favorite topics, so I'm going to tackle this even though I don't see what the problem is caused by ... at least not yet.  

 *jdrotos wrote:*   

> My problem:
> 
> When connecting my gentoo router to the internet through a linksys router, all computers behind the gentoo router are able to connect and browse the internet.
> 
> When I connect my comcast cable modem directly into the gentoo router, the gentoo router is able to browse the internet but no computers behind the gentoo router are able to browse. However, they are able to ping outside websites such as google.com.
> ...

 

They can ping but they can't browse?  How very strange.  If pinging is working, then they must be able to get out to the world, do a DNS lookup, and proceed to send ICMP packets through your router, through your cable modem, and out to the world.  And if those ping requests get back, the world must be getting them.  So why would port 80 connections be different?  You _are_ pinging by domain name, right?  (If you are pinging by an IP looked up previously, that might be the problem: DNS lookups are failing.  But I am guessing you know to set up DNS.)  And I assume you have tried to connect to the IP that ping mentions with your browser?  

The only situation in which I can foresee the linksys router working unlike linux in this respect is if the router has some configuration that gentoo does not (or vice versa).  

I can't think of many answers to your question, and those I did think of are almost all precluded by information following.  Unless you set up a web proxy or something (Tor?) and forgot about it, I can't guess what the problem might be.  If I were you, I would be doing some more investigative typing.  

 *Quote:*   

> Theory:
> 
> I'm thinking that somehow the linksys router is better at hiding the fact that I've got multiple computers set up? This is just a thought. My configurations are (nearly) correct seeing as how I can hand out addresses and client machines can browse the internet so long as the uplink to my gentoo router is through another router.

 

Do you have access to any web servers that aren't behind your router?  If you do, you could see whether they were hearing anything from you when you attempt to connect to them.  What's that?  You don't have any webservers that aren't behind your router?  Well, if that's the case, you're in luck.  I happen to have a webserver that isn't behind your router.  So if you need assistance with this, I need only to know your IP address at the time of connection and I can ship you over the relevant log lines from my server, located at http://spore.ath.cx.  PM me if you want to proceed along this route and, like many of the (rather paranoid, in my opinion) netizens out there, don't care to share your IP with the world.  

 *Quote:*   

> My setup:
> 
> The gentoo router is a little Via C7 machine with 3 nics. The uplink is eth0.

 *Quote:*   

> iptables script i've been using:
> 
> ```
> iptables -F
> 
> ...

 

What is the point of `/etc/init.d/iptables save` if you have a script to set up your iptables for you?  Do you run the script every time you start the computer, or do you just run it when you need to reset your firewall configuration?  

I noticed that there don't appear to be any iptables flush lines for the nat table in that script.  This leads me to wonder whether there are any iptables rules that are interfering with things.  Would you be so kind as to post the output of 

```
iptables -L -v;  iptables -L -v -t nat 
```

?  That would show current iptables rules and I am very curious as to what you'll find there.  

 *Quote:*   

> ifconfig:
> 
> ```
> ...

 

The iptables config looks fine; I am at a bit of a loss myself.  But please do post your iptables config, the current config as I mentioned before.  If you feel like it you could also post `route -n`; it's basically the only other related piece of information, but I can't see why it would make a difference in this case, unless you're using ip to set up more complicated routing.  

And take me up on my offer to log your ip's connections to my site!  Make sure to hit it from a server and from a client.  I am curious as to what we'll find.  

Good luck, enjoy this fine fall day we're having in the Cities, and I hope you get this working.  Sounds like you have a fun little network, lots of subnets and such; it would be a shame if you couldn't get that icky linksys router out from the front of your network.

PS By the way, welcome to the forums.

----------

## jdrotos

Thanks for replying so quickly.

You were right about not flushing my nat table, my first run of 

```
iptables -L -v;  iptables -L -v -t nat
```

 produced:

```
Chain INPUT (policy ACCEPT 49437 packets, 2704K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 9647 packets, 5834K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 48869 packets, 5909K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 179K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1268 packets, 185K bytes)
 pkts bytes target     prot opt in     out     source               destination
 123K 8509K MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 73995 packets, 5672K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

I added a line to clear that table to my script, ran it, and was then given the much cleaner output:

```
Chain INPUT (policy ACCEPT 49 packets, 3193 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 75 packets, 38800 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45 packets, 4939 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 179K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1270 packets, 185K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   369 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 74116 packets, 5680K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

It doesn't look like any of the additions to the nat table were being used apart from the first one, and thus probably weren't causing any problems for me.

I actually had this working on a different gentoo machine a while back, so I too know it's possible.

I do have access to a web server and I will likely be trying what you suggested sometime soon. If it goes awry I might take you up on the offer to use your server.

This internet connection is being shared between me and others in my apartment building so I can only change the configuration and test it every once in a while when I suspect no one is online.

This is a pretty new and clean install so I shouldn't have anything running that would be stopping me (no X, no nothin'). I did enable about 95% of the networking features in the kernel (I plan to do some traffic shaping if I can ever actually get this working as the top level router), so if you can think of a feature that might conflict with anything? That has crossed my mind, but nothing looks too menacing.

Thanks again.

----------

## erik258

I can't think of anything that would break this sort of thing simply by being compiled into the kernel.  I can think of a lot of things, but given that pings work, I'm really at a loss as to why HTTP traffic isn't getting through.  Your iptables even show traffic coming through to the MASQUERADE target.  

Have you tried any other protocols over the net, other than HTTP?

----------

## Hu

I suggest we proceed by determining exactly what happens when a browsing attempt fails.  In particular, we should understand whether the TCP handshake completes successfully, and if any application traffic is exchanged.

Please emerge net-analyzer/tcpdump and use it to monitor the external interface when an internal system initiates an HTTP transaction.  If possible, use a simple client like wget or curl, which should cut down on the noise that could be generated from using a full web browser.  It would be ideal if we could also get a packet capture from the HTTP server at the same time.  Please try to obtain full application data, rather than the truncated packets that are captured by default.  I suggest running the client capture as `tcpdump -i eth0 -s 0 -p -w /tmp/http.pcap host ip-of-http-server`.  This will save the traffic to `/tmp/http.pcap` for further analysis in net-analyzer/wireshark or for sharing with us.  Caution: this capture could contain private information, so check it before posting the packet capture for general consumption.

For future reference, the output of `iptables-save -c` is slightly more useful than the output from `iptables -L`.  However, in this case, I do not believe it is an iptables problem.

----------

## jdrotos

I had about 5 minutes to run some tests this morning before work; the results were:

A:

I am able to use other protocols from client computers. SSH and FTP to the outside worked just fine.

B:

When I try to load a web page, from one of the client pcs, the webserver I connect to sees my connection attempt and logs:

```
MY.IP.IP.IP - - [02/Oct/2008:07:50:55 -0500] "GET /calendar/index.php HTTP/1.1" 302 - "http://joe.safl.umn.edu/login.php" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16"
MY.IP.IP.IP - - [02/Oct/2008:07:50:55 -0500] "GET /login.php?cd=10&phpgw_forward= HTTP/1.1" 200 4272 "http://joe.safl.umn.edu/login.php" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16"
MY.IP.IP.IP - - [02/Oct/2008:07:53:05 -0500] "GET /calendar/index.php HTTP/1.1" 302 - "http://joe.safl.umn.edu/login.php" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16"
MY.IP.IP.IP - - [02/Oct/2008:07:53:06 -0500] "GET /login.php?cd=10&phpgw_forward= HTTP/1.1" 200 4272 "http://joe.safl.umn.edu/login.php" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16"
```

I didn't have time/(I forgot) to test connecting via the server to see if the output was different. I will try this soon. I also didn't run tcpdump which I will try to do the next time I get a chance.

Any thoughts? the fact that other protocols get through makes it all the more confusing for me...

----------

## erik258

I think the next step is as Hu suggests above.  We can be sure the packets are getting out to the world from the inside (due to your last test).  Now, you should run tcpdump on both the internal and the external interfaces of the router and see whether you can see data getting through the router.  

MASQUERADE targets need open ports in the higher ranges to map outgoing connections onto, if I'm not mistaken.  All I can think is different in your case is that you're running Hardened, and I wonder if that is restricting the NAT functionality in some way.  The packets are clearly getting out, probably getting back to the router (if it can get out, as long as MY.IP.. before was your external IP (and it has to be to get through comcast, they filter) it can get back in), and that means the router is most likely responsible for not passing it along.  

Your router knows how to talk to the subnet behind it.  It must have a route to that subnet if other protocols work.  So it couldn't be a problem of not knowing how to route to the private networks, even though the symptoms fit.  

Therefore, tcpdump will probably tell us where the data's stopping, be it at the front door or the back door, so to speak.

----------

## Hu

Although it is a bit unusual on cable modem deployments, my guess would be an MTU problem.  jdrotos is probably testing only with content-heavy sites, which are more likely to send large datagrams that exceed the PMTU and get dropped.  Small traffic like ssh would work fine in such a scenario.  FTP might work properly if it was only used for small files.  To test if this is the case, read `man iptables` for the target `TCPMSS`.  If the description there applies to your situation, try out the `TCPMSS` rule.

----------

## jdrotos

I ran a tcp dump trying to connect to google from one of my client machines.

The uplink on the server (eth0) said:

```
19:04:37.012143 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.40315: 48997 1/0/0 (93)
19:04:37.012333 IP c-71-63-155-52.hsd1.mn.comcast.net.45797 > cns.westlandrdc.mi.michigan.comcast.net.domain: 50826+ PTR? 184.155.63.71.in-addr.arpa. (44)
19:04:37.083368 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.45797: 50826 1/0/0 (93)
19:04:37.083544 IP c-71-63-155-52.hsd1.mn.comcast.net.43349 > cns.westlandrdc.mi.michigan.comcast.net.domain: 63709+ PTR? 230.156.63.71.in-addr.arpa. (44)
19:04:37.109858 arp who-has c-24-118-49-77.hsd1.mn.comcast.net tell c-3-0-ubr05.eagan.mn.minn.comcast.net
19:04:37.134850 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.43349: 63709 1/0/0 (93)
19:04:37.135064 IP c-71-63-155-52.hsd1.mn.comcast.net.55705 > cns.westlandrdc.mi.michigan.comcast.net.domain: 25080+ PTR? 34.155.63.71.in-addr.arpa. (43)
19:04:37.162840 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.55705: 25080 1/0/0 (91)
19:04:37.163033 IP c-71-63-155-52.hsd1.mn.comcast.net.54326 > cns.westlandrdc.mi.michigan.comcast.net.domain: 4450+ PTR? 102.156.63.71.in-addr.arpa. (44)
19:04:37.189830 arp who-has c-75-72-149-209.hsd1.mn.comcast.net tell bu-10-ubr04.nempls.mn.minn.comcast.net
19:04:37.209073 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.54326: 4450 1/0/0 (93)
19:04:37.209271 IP c-71-63-155-52.hsd1.mn.comcast.net.34289 > cns.westlandrdc.mi.michigan.comcast.net.domain: 23942+ PTR? 74.157.63.71.in-addr.arpa. (43)
19:04:37.255071 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.34289: 23942 1/0/0 (91)
19:04:37.259809 IP c-71-63-155-52.hsd1.mn.comcast.net.38050 > cns.westlandrdc.mi.michigan.comcast.net.domain: 58729+ PTR? 89.156.63.71.in-addr.arpa. (43)
19:04:37.261059 arp who-has c-24-118-49-14.hsd1.mn.comcast.net tell c-3-0-ubr05.eagan.mn.minn.comcast.net
19:04:37.308043 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.38050: 58729 1/0/0 (91)
19:04:37.308391 IP c-71-63-155-52.hsd1.mn.comcast.net.47501 > cns.westlandrdc.mi.michigan.comcast.net.domain: 15883+ PTR? 4.157.63.71.in-addr.arpa. (42)
19:04:37.355276 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.47501: 15883 1/0/0 PTR[|domain]
19:04:37.355488 IP c-71-63-155-52.hsd1.mn.comcast.net.43626 > cns.westlandrdc.mi.michigan.comcast.net.domain: 46212+ PTR? 98.155.63.71.in-addr.arpa. (43)
19:04:37.402758 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.43626: 46212 1/0/0 (91)
19:04:37.402936 IP c-71-63-155-52.hsd1.mn.comcast.net.44436 > cns.westlandrdc.mi.michigan.comcast.net.domain: 34997+ PTR? 242.155.63.71.in-addr.arpa. (44)
19:04:37.468254 IP Augustus.rome.local.53864 > arachnid.safl.umn.edu.http: F 2034082171:2034082171(0) ack 2758808562 win 5840 <nop,nop,timestamp 12901574$
19:04:37.468974 IP c-71-63-155-52.hsd1.mn.comcast.net.55118 > cns.westlandrdc.mi.michigan.comcast.net.domain: 55145+ PTR? 115.44.101.128.in-addr.arpa. (4$
19:04:37.470992 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.44436: 34997 1/0/0 (93)
19:04:37.471352 IP c-71-63-155-52.hsd1.mn.comcast.net.47821 > cns.westlandrdc.mi.michigan.comcast.net.domain: 31963+ PTR? 226.238.97.202.in-addr.arpa. (4$
19:04:37.471792 IP c-71-63-155-52.hsd1.mn.comcast.net.18907 > chic-cns.area4.il.chicago.comcast.net.domain: 47058+ AAAA? www.google.com. (32)
19:04:37.501474 IP chic-cns.area4.il.chicago.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.18907: 47058 1/1/0 CNAME www.l.google.com. (100)
19:04:37.501885 IP c-71-63-155-52.hsd1.mn.comcast.net.52018 > chic-cns.area4.il.chicago.comcast.net.domain: 41292+ A? www.google.com. (32)
19:04:37.504970 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.47821: 31963 NXDomain 0/1/0 (134)
19:04:37.505345 IP c-71-63-155-52.hsd1.mn.comcast.net.35415 > cns.westlandrdc.mi.michigan.comcast.net.domain: 14972+ PTR? 246.155.63.71.in-addr.arpa. (44)
19:04:37.522968 IP chic-cns.area4.il.chicago.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.52018: 41292 5/0/0 CNAME www.l.google.com.,[|domain]
19:04:37.523507 IP c-71-63-155-52.hsd1.mn.comcast.net.58101 > qb-in-f103.google.com.http: S 164986542:164986542(0) win 5840 <mss 1460,sackOK,timestamp 12$
19:04:37.525463 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.55118: 55145 1/0/0 (80)
19:04:37.526089 IP c-71-63-155-52.hsd1.mn.comcast.net.43572 > cns.westlandrdc.mi.michigan.comcast.net.domain: 35709+ PTR? 103.205.14.72.in-addr.arpa. (44)
19:04:37.552954 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.35415: 14972 1/0/0 (93)
19:04:37.553257 IP c-71-63-155-52.hsd1.mn.comcast.net.40384 > cns.westlandrdc.mi.michigan.comcast.net.domain: 10466+ PTR? 206.155.63.71.in-addr.arpa. (44)
19:04:37.554954 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.43572: 35709 1/0/0 (79)
19:04:37.565948 IP qb-in-f103.google.com.http > c-71-63-155-52.hsd1.mn.comcast.net.58101: S 573488467:573488467(0) ack 164986543 win 5672 <mss 1430,sackO$
19:04:37.566090 IP c-71-63-155-52.hsd1.mn.comcast.net.58101 > qb-in-f103.google.com.http: . ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566265 IP c-71-63-155-52.hsd1.mn.comcast.net.58101 > qb-in-f103.google.com.http: . 1:525(524) ack 1 win 5840 <nop,nop,timestamp 129015774 300537$
19:04:37.566279 IP c-71-63-155-52.hsd1.mn.comcast.net.58101 > qb-in-f103.google.com.http: P 525:693(168) ack 1 win 5840 <nop,nop,timestamp 129015774 3005$
19:04:37.581193 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.40384: 10466 1/0/0 (93)
19:04:37.581502 IP c-71-63-155-52.hsd1.mn.comcast.net.41965 > cns.westlandrdc.mi.michigan.comcast.net.domain: 23724+ PTR? 207.155.63.71.in-addr.arpa. (44)
19:04:37.610188 IP qb-in-f103.google.com.http > c-71-63-155-52.hsd1.mn.comcast.net.58101: . ack 525 win 6432 <nop,nop,timestamp 3005375257 129015774>
19:04:37.610191 IP qb-in-f103.google.com.http > c-71-63-155-52.hsd1.mn.comcast.net.58101: . ack 693 win 7504 <nop,nop,timestamp 3005375257 129015774>
19:04:37.615680 00:a3:b9:99:fa:cf (oui Unknown) > 6d:7b:cf:fa:d5:ee (oui Unknown), ethertype Unknown (0x811d), length 460:
        0x0000:  768c fdc1 9951 4352 e63e e0d1 8370 9553  v....QCR.>...p.S
        0x0010:  51e6 2912 7949 c179 7534 20a7 dce5 ca69  Q.).yI.yu4.....i
        0x0020:  afbd a3cd f7dc 0601 782a 723c eba6 d8f8  ........x*r<....
        0x0030:  106b 3252 93dd 7756 abb5 716c c0f3 a4f8  .k2R..wV..ql....
        0x0040:  d4fb 6cdd dcdd 81a6 d60c c725 75c0 f5c4  ..l........%u...
        0x0050:  c456                                     .V
19:04:37.616179 59:2e:76:b1:5c:3c (oui Unknown) > 26:6a:ca:6d:fe:ef (oui Unknown), ethertype Unknown (0x4dd0), length 249:
        0x0000:  39a5 d041 87e8 b224 d70b 60ab 4dd6 5636  9..A...$..`.M.V6
        0x0010:  5c32 919b 412b dd1d 540e aadc 5425 9a8d  \2..A+..T...T%..
        0x0020:  fd99 3cb3 fc2f 3a1a bab8 4c4f abd9 4a35  ..<../:...LO..J5
        0x0030:  9539 60d3 4e04 b95b 2894 7642 abbe 757a  .9`.N..[(.vB..uz
        0x0040:  b599 f921 678c d3b0 84ac f922 388f 6be6  ...!g......"8.k.
        0x0050:  cb6a
19:04:37.620178 IP hawthorn.osuosl.org.http > c-71-63-155-52.hsd1.mn.comcast.net.39953: F 2622904468:2622904468(0) ack 1463064102 win 14 <nop,nop,timesta$
19:04:37.627177 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.41965: 23724 1/0/0 (93)
19:04:37.627517 IP c-71-63-155-52.hsd1.mn.comcast.net.51500 > cns.westlandrdc.mi.michigan.comcast.net.domain: 19252+ PTR? 67.157.63.71.in-addr.arpa. (43)
19:04:37.657686 IP c-71-63-155-52.hsd1.mn.comcast.net.39953 > hawthorn.osuosl.org.http: . ack 1 win 263 <nop,nop,timestamp 62327970 251213408>
19:04:37.675661 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.51500: 19252 1/0/0 (91)
19:04:37.675922 IP c-71-63-155-52.hsd1.mn.comcast.net.42301 > cns.westlandrdc.mi.michigan.comcast.net.domain: 25721+ PTR? 158.156.63.71.in-addr.arpa. (44)
19:04:37.702039 IP Augustus.rome.local.53864 > arachnid.safl.umn.edu.http: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 129015808 666817682,nop,nop,sack 1 $
19:04:37.707398 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.42301: 25721 1/0/0 (93)
19:04:37.707646 IP c-71-63-155-52.hsd1.mn.comcast.net.60241 > cns.westlandrdc.mi.michigan.comcast.net.domain: 26962+ PTR? 157.155.63.71.in-addr.arpa. (44)
19:04:37.735388 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.60241: 26962 1/0/0 (93)
19:04:37.735644 IP c-71-63-155-52.hsd1.mn.comcast.net.49019 > cns.westlandrdc.mi.michigan.comcast.net.domain: 54910+ PTR? 243.155.63.71.in-addr.arpa. (44)
19:04:37.764878 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.49019: 54910 1/0/0 (93)
19:04:37.765073 IP c-71-63-155-52.hsd1.mn.comcast.net.49522 > cns.westlandrdc.mi.michigan.comcast.net.domain: 15416+ PTR? 238.155.63.71.in-addr.arpa. (44)
19:04:37.810862 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.49522: 15416 1/0/0 (93)
19:04:37.811050 IP c-71-63-155-52.hsd1.mn.comcast.net.46182 > cns.westlandrdc.mi.michigan.comcast.net.domain: 16301+ PTR? 155.156.63.71.in-addr.arpa. (44)
19:04:37.839351 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.46182: 16301 1/0/0 (93)
19:04:37.839521 IP c-71-63-155-52.hsd1.mn.comcast.net.51254 > cns.westlandrdc.mi.michigan.comcast.net.domain: 32135+ PTR? 93.155.63.71.in-addr.arpa. (43)
19:04:37.859593 00:a3:b9:99:fa:cf (oui Unknown) > 6d:7b:cf:fa:d5:ee (oui Unknown), ethertype Unknown (0x811d), length 460:
        0x0000:  768c fdc1 9951 4352 e63e e0d1 8370 9553  v....QCR.>...p.S
        0x0010:  51e6 2912 7949 c179 7534 20a7 dce5 ca69  Q.).yI.yu4.....i
        0x0020:  afbd a3cd f7dc 0601 782a 723c eba6 d8f8  ........x*r<....
        0x0030:  106b 3252 93dd 7756 abb5 716c c0f3 a4f8  .k2R..wV..ql....
        0x0040:  d4fb 6cdd dcdd 81a6 d60c c725 75c0 f5c4  ..l........%u...
        0x0050:  c456                                     .V
19:04:37.885089 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.51254: 32135 1/0/0 (91)
19:04:37.885263 IP c-71-63-155-52.hsd1.mn.comcast.net.52506 > cns.westlandrdc.mi.michigan.comcast.net.domain: 26396+ PTR? 226.156.63.71.in-addr.arpa. (44)
19:04:37.931069 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.52506: 26396 1/0/0 (93)
19:04:37.931236 IP c-71-63-155-52.hsd1.mn.comcast.net.33743 > cns.westlandrdc.mi.michigan.comcast.net.domain: 59708+ PTR? 57.157.63.71.in-addr.arpa. (43)
19:04:37.967308 arp who-has c-24-118-49-207.hsd1.mn.comcast.net tell c-3-0-ubr05.eagan.mn.minn.comcast.net
19:04:37.998794 IP cns.westlandrdc.mi.michigan.comcast.net.domain > c-71-63-155-52.hsd1.mn.comcast.net.33743: 59708 1/0/0 (91)
19:04:37.999149 IP c-71-63-155-52.hsd1.mn.comcast.net.34398 > cns.westlandrdc.mi.michigan.comcast.net.domain: 35432+ PTR? 15.157.63.71.in-addr.arpa. (43)
```

The internal nic (eth1) said:

```
19:04:37.273159 IP Mercury.rome.local.19150 > Augustus.rome.local.37683: P 4424:4667(243) ack 1 win 5792 <nop,nop,timestamp 62327873 129015610>
19:04:37.273238 IP Augustus.rome.local.37683 > Mercury.rome.local.19150: . ack 4667 win 63344 <nop,nop,timestamp 129015700 62327873>
19:04:37.273341 IP Mercury.rome.local.19150 > Augustus.rome.local.37683: P 4667:4673(6) ack 1 win 5792 <nop,nop,timestamp 62327873 129015700>
19:04:37.273370 IP Augustus.rome.local.37683 > Mercury.rome.local.19150: . ack 4673 win 63344 <nop,nop,timestamp 129015700 62327873>
19:04:37.468209 IP Augustus.rome.local.53864 > arachnid.safl.umn.edu.http: F 2034082171:2034082171(0) ack 2758808562 win 5840 <nop,nop,timestamp 129015749 666$
19:04:37.471607 IP Augustus.rome.local.57597 > Mercury.rome.local.domain: 7524+ AAAA? www.google.com. (32)
19:04:37.501580 IP Mercury.rome.local.domain > Augustus.rome.local.57597: 7524 1/1/0 CNAME www.l.google.com. (100)
19:04:37.501762 IP Augustus.rome.local.60082 > Mercury.rome.local.domain: 34225+ A? www.google.com. (32)
19:04:37.523076 IP Mercury.rome.local.domain > Augustus.rome.local.60082: 34225 5/0/0 CNAME www.l.google.com.,[|domain]
19:04:37.523209 IP Augustus.rome.local.38158 > Mercury.rome.local.domain: 41219+ A? www.google.com. (32)
19:04:37.523293 IP Mercury.rome.local.domain > Augustus.rome.local.38158: 41219 5/0/0 CNAME[|domain]
19:04:37.523453 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: S 164986542:164986542(0) win 5840 <mss 1460,sackOK,timestamp 129015763 0>
19:04:37.566008 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: S 573488467:573488467(0) ack 164986543 win 5672 <mss 1430,sackOK,timestamp 30053752$
19:04:37.566067 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: . ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566118 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: P 1:693(692) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566172 IP Mercury.rome.local > Augustus.rome.local: ICMP qb-in-f103.google.com unreachable - need to frag (mtu 576), length 556
19:04:37.566242 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: . 1:525(524) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566243 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: P 525:693(168) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.606467 IP Mercury.rome.local.19150 > Augustus.rome.local.37683: P 4673:4764(91) ack 1 win 5792 <nop,nop,timestamp 62327957 129015700>
19:04:37.606540 IP Augustus.rome.local.37683 > Mercury.rome.local.19150: . ack 4764 win 63344 <nop,nop,timestamp 129015784 62327957>
19:04:37.610230 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: . ack 525 win 6432 <nop,nop,timestamp 3005375257 129015774>
19:04:37.610248 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: . ack 693 win 7504 <nop,nop,timestamp 3005375257 129015774>
19:04:37.702011 IP Augustus.rome.local.53864 > arachnid.safl.umn.edu.http: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 129015808 666817682,nop,nop,sack 1 {4345$
19:04:37.942453 IP Mercury.rome.local.19150 > Augustus.rome.local.37683: P 4764:4855(91) ack 1 win 5792 <nop,nop,timestamp 62328041 129015784>
19:04:37.942525 IP Augustus.rome.local.37683 > Mercury.rome.local.19150: . ack 4855 win 63344 <nop,nop,timestamp 129015868 62328041>
```

Please ignore my lame Roman naming scheme.

Can anyone make any sense of it? I tried googling oui unknown, but didn't come up with much.

Thanks

----------

## Mistwolf

See http://www.linux.org.za/Lists-Archives/glug-tech-0702/msg00297.html for the "oui unknown" message. Basically it means that the NIC's manufacturer is not known.

With regards to the original issue, according to the logs the internal PC did communicate with Google's webserver, so I would suspect it is not the firewall that is the issue.

If I understand correctly, the original setup was:

```
computers <--> Gentoo router <--> Linksys router <--> Internet
```

and now is:

```
computers <--> Gentoo router <-->  Internet
```

?

Do you have a (web) proxy server installed on the Gentoo router?  Or had one installed on the Linksys router?

Just noticed that the internal PC (Augustus), the last time it sent anything to Google, shows two entries (timestamps 19:04:37.610230 and 19:04:37.610248), yet your router shows three (timestamps 19:04:37.566090, 19:04:37.566265 and 19:04:37.566279). Mercury then receives two replies from Google that are NOT forwarded to Augustus (even though it is using the same ports; timestamps 19:04:37.610188 and 19:04:37.610191).

Sorry about my ramblings, but I hope this helps you look in the right direction.

----------
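
The comparison Mistwolf describes (segments seen on eth1 against segments seen on eth0) and the `need to frag (mtu 576)` line in the eth1 capture are both things that can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from either poster: it parses tcpdump text output of the form posted above, reports for each ICMP need-to-frag message which oversized segment provoked it and whether the sender's re-sent segments fit the advertised MTU and cover the same byte range, and lists segments present in one capture but absent from another. The capture lines are copied from the eth1 dump in the thread; the second, shorter capture is constructed here (the same lines with one segment dropped) to stand in for an interface that never saw that segment. The 52-byte header allowance (IPv4 + TCP + the 12-byte timestamp option every segment carries) and the assumption that MASQUERADE preserved the source port are the script's own.

```python
"""Added example, not code from the thread: parse tcpdump text output like the
eth1 capture in jdrotos's post and automate two checks on it: (1) after the
ICMP "need to frag" from Mercury, did Augustus re-send its data in segments
that fit the advertised MTU, and (2) which segments appear in one capture
but not in another, the comparison Mistwolf did by hand between eth0 and eth1.
"""
import re

# Lines copied from the eth1 capture in the post; a trailing "$" is where the
# poster's terminal cut the line off, so the parser only needs the prefix.
CAPTURE_ETH1 = """
19:04:37.471607 IP Augustus.rome.local.57597 > Mercury.rome.local.domain: 7524+ AAAA? www.google.com. (32)
19:04:37.523453 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: S 164986542:164986542(0) win 5840 <mss 1460,sackOK,timestamp 129015763 0>
19:04:37.566008 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: S 573488467:573488467(0) ack 164986543 win 5672 <mss 1430,sackOK,timestamp 30053752$
19:04:37.566067 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: . ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566118 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: P 1:693(692) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566172 IP Mercury.rome.local > Augustus.rome.local: ICMP qb-in-f103.google.com unreachable - need to frag (mtu 576), length 556
19:04:37.566242 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: . 1:525(524) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.566243 IP Augustus.rome.local.58101 > qb-in-f103.google.com.http: P 525:693(168) ack 1 win 5840 <nop,nop,timestamp 129015774 3005375213>
19:04:37.610230 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: . ack 525 win 6432 <nop,nop,timestamp 3005375257 129015774>
19:04:37.610248 IP qb-in-f103.google.com.http > Augustus.rome.local.58101: . ack 693 win 7504 <nop,nop,timestamp 3005375257 129015774>
"""

# Constructed second capture: the same lines with the 168-byte segment removed,
# standing in for an interface that never saw that segment.
CAPTURE_MISSING_ONE = "\n".join(
    l for l in CAPTURE_ETH1.splitlines() if "525:693(168)" not in l)

TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) (?:(?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\))?"
    r" ?(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP "
    r"(?P<target>\S+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)")

# IPv4 header + TCP header + the 12-byte timestamp option every segment
# above carries (<nop,nop,timestamp ...>). Assumption of this example.
HEADER_BYTES = 20 + 20 + 12


def parse(text):
    """Turn tcpdump lines into records; DNS and other unmatched lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            src, sport = m["src"].rsplit(".", 1)
            dst, dport = m["dst"].rsplit(".", 1)
            recs.append({"kind": "tcp", "ts": m["ts"], "src": src, "dst": dst,
                         "flow": (src, sport, dst, dport), "flags": m["flags"],
                         "seq0": int(m["seq0"]) if m["seq0"] else None,
                         "seq1": int(m["seq1"]) if m["seq1"] else None,
                         "len": int(m["len"]) if m["len"] else 0,
                         "ack": int(m["ack"]) if m["ack"] else None})
            continue
        m = ICMP_RE.match(line.strip())
        if m:
            recs.append({"kind": "icmp", "ts": m["ts"], "src": m["src"],
                         "dst": m["dst"], "target": m["target"], "mtu": int(m["mtu"])})
    return recs


def pmtu_findings(recs):
    """For each ICMP need-to-frag: the oversized segment that provoked it, and
    whether the re-sent segments both fit the MTU and cover the same bytes."""
    out = []
    for i, r in enumerate(recs):
        if r["kind"] != "icmp":
            continue
        max_payload = r["mtu"] - HEADER_BYTES
        culprits = [t for t in recs[:i] if t["kind"] == "tcp" and t["src"] == r["dst"]
                    and t["dst"] == r["target"] and t["len"] > max_payload]
        if not culprits:
            out.append({"mtu": r["mtu"], "max_payload": max_payload, "oversized": None})
            continue
        c = culprits[-1]
        resent = [t for t in recs[i + 1:] if t["kind"] == "tcp" and t["flow"] == c["flow"]
                  and t["len"] > 0 and c["seq0"] <= t["seq0"] and t["seq1"] <= c["seq1"]]
        out.append({"mtu": r["mtu"], "max_payload": max_payload, "flow": c["flow"],
                    "oversized": c["len"], "resent": [t["len"] for t in resent],
                    "fits": all(t["len"] <= max_payload for t in resent),
                    "covers": bool(resent) and resent[0]["seq0"] == c["seq0"]
                              and resent[-1]["seq1"] == c["seq1"]})
    return out


def _key(t):
    # Hosts are dropped because MASQUERADE rewrites the inside address on eth0;
    # ports are kept on the assumption that it preserved the source port, which
    # Linux does unless that port is already in use on the outside.
    return (t["flow"][1], t["flow"][3], t["flags"], t["seq0"], t["seq1"], t["len"], t["ack"])


def seen_only_in(a, b):
    """TCP segments present in capture a that never show up in capture b."""
    in_b = {_key(t) for t in b if t["kind"] == "tcp"}
    return [t for t in a if t["kind"] == "tcp" and _key(t) not in in_b]


if __name__ == "__main__":
    recs = parse(CAPTURE_ETH1)
    for f in pmtu_findings(recs):
        print("need-to-frag:", f)
    for t in seen_only_in(recs, parse(CAPTURE_MISSING_ONE)):
        print("only in first capture:", t["ts"], t["flow"], t["seq0"], t["seq1"], t["len"])
```

On the posted capture this reports an MTU of 576, a 524-byte maximum payload, the 692-byte segment as the trigger, and a 524 + 168 re-send that fits and covers the original bytes, so Augustus did honour the hint. To compare real eth0 and eth1 dumps, capture both with `tcpdump -nS` so sequence numbers are absolute and match across interfaces even if one capture missed the handshake. If the router keeps emitting need-to-frag messages, `ip route get <destination>` on it will show any cached path MTU for that destination.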

## jdrotos

You've got my setup right:

*Quote:*

> If I understand correctly, the original setup was:
>
> Code:
> ...

I am running thttp on the gentoo router. I'll start looking at the logs and post back if anything looks peculiar.

Thanks for the reply

----------

## jdrotos

I was looking through the system logs and it looks like my NICs change to promiscuous mode when I connect directly to Comcast. This shouldn't be a huge problem if I understand promiscuous mode correctly; however, it doesn't do this when I am connected through the Linksys...

```
Oct  3 18:59:18 Mercury e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX
Oct  3 18:59:18 Mercury ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Oct  3 18:59:39 Mercury dnsmasq[24478]: reading /etc/resolv.conf
Oct  3 18:59:39 Mercury dnsmasq[24478]: using nameserver 68.87.75.194#53
Oct  3 18:59:39 Mercury dnsmasq[24478]: using nameserver 68.87.72.130#53
Oct  3 18:59:39 Mercury dnsmasq[24478]: using nameserver 68.87.77.130#53
Oct  3 19:00:01 Mercury cron[14096]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct  3 19:00:01 Mercury cron[14102]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
Oct  3 19:00:25 Mercury device eth0 entered promiscuous mode
Oct  3 19:01:02 Mercury device eth0 left promiscuous mode
Oct  3 19:01:54 Mercury device eth0 entered promiscuous mode
Oct  3 19:02:11 Mercury device eth0 left promiscuous mode
Oct  3 19:02:40 Mercury device eth0 entered promiscuous mode
Oct  3 19:03:06 Mercury device eth1 entered promiscuous mode
Oct  3 19:03:13 Mercury device eth0 left promiscuous mode
Oct  3 19:03:14 Mercury ddclient[5324]: SUCCESS:  updating jdrotos.dyndns.org: good: IP address set to 71.63.155.52
Oct  3 19:03:16 Mercury device eth0 entered promiscuous mode
Oct  3 19:03:48 Mercury device eth0 left promiscuous mode
Oct  3 19:03:52 Mercury device eth1 left promiscuous mode
Oct  3 19:04:24 Mercury device eth1 entered promiscuous mode
Oct  3 19:04:32 Mercury device eth0 entered promiscuous mode
Oct  3 19:04:45 Mercury device eth1 left promiscuous mode
Oct  3 19:04:50 Mercury device eth0 left promiscuous mode
Oct  3 19:06:03 Mercury e1000: eth0: e1000_watchdog: NIC Link is Down
Oct  3 19:07:31 Mercury e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
Oct  3 19:07:31 Mercury ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Oct  3 19:07:47 Mercury dhcpcd[14056]: eth0: received SIGTERM, stopping
Oct  3 19:07:47 Mercury dhcpcd[14056]: eth0: removing default route via 71.63.154.1 metric 0
Oct  3 19:07:47 Mercury dhcpcd[14056]: eth0: removing IP address 71.63.155.52/23
Oct  3 19:07:47 Mercury dhcpcd[14056]: eth0: exiting
Oct  3 19:07:48 Mercury ADDRCONF(NETDEV_UP): eth0: link is not ready
Oct  3 19:07:48 Mercury dhcpcd[14981]: eth0: dhcpcd 3.2.3 starting
Oct  3 19:07:48 Mercury dhcpcd[14981]: eth0: hardware address = 00:1b:21:1a:03:87
Oct  3 19:07:48 Mercury dhcpcd[14981]: eth0: DUID = 00:01:00:01:0f:0c:80:1d:00:1b:21:1a:03:87
Oct  3 19:07:48 Mercury dhcpcd[14981]: eth0: broadcasting for a lease
Oct  3 19:07:49 Mercury e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
Oct  3 19:07:49 Mercury ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
```

Thoughts?

----------
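
"device ethX entered promiscuous mode" is the kernel message a defender watches for when hunting sniffers, and it is also exactly what tcpdump triggers, since it puts the interface into promiscuous mode unless started with `-p`. The first thing a practitioner does with such a log is rebuild the intervals during which each NIC was promiscuous and check whether they line up with captures they ran themselves; the eth1 tcpdump posted earlier in this thread is timestamped 19:04:37, and the last two windows in this log (eth1 19:04:24 to 19:04:45, eth0 19:04:32 to 19:04:50) bracket it. The script below is an added example, not code from the thread: it parses the syslog lines from the post, pairs each "entered" with its "left", reports which NICs were promiscuous across a given time window, and flags any NIC that entered promiscuous mode and never left. The syslog lines are copied from the post; the comparison is done in seconds since midnight on the assumption (stated in the code) that all lines fall on the same day, since syslog records no year.

```python
"""Added example, not code from the thread: scan syslog for the
"entered/left promiscuous mode" events in jdrotos's log, rebuild the
intervals during which each NIC was promiscuous, and check whether a
capture you ran yourself falls inside them. An interval nothing accounts
for, or one that never closes, is what a defender treats as a possible sniffer."""
import re
from collections import defaultdict

# Lines copied from the syslog excerpt in the post (some non-promiscuous lines
# are kept to show they are ignored). No year is logged, so times are compared
# as seconds since midnight on the assumption that they all fall on one day.
SYSLOG = """
Oct  3 18:59:18 Mercury e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX
Oct  3 18:59:39 Mercury dnsmasq[24478]: using nameserver 68.87.75.194#53
Oct  3 19:00:25 Mercury device eth0 entered promiscuous mode
Oct  3 19:01:02 Mercury device eth0 left promiscuous mode
Oct  3 19:01:54 Mercury device eth0 entered promiscuous mode
Oct  3 19:02:11 Mercury device eth0 left promiscuous mode
Oct  3 19:02:40 Mercury device eth0 entered promiscuous mode
Oct  3 19:03:06 Mercury device eth1 entered promiscuous mode
Oct  3 19:03:13 Mercury device eth0 left promiscuous mode
Oct  3 19:03:14 Mercury ddclient[5324]: SUCCESS:  updating jdrotos.dyndns.org: good: IP address set to 71.63.155.52
Oct  3 19:03:16 Mercury device eth0 entered promiscuous mode
Oct  3 19:03:48 Mercury device eth0 left promiscuous mode
Oct  3 19:03:52 Mercury device eth1 left promiscuous mode
Oct  3 19:04:24 Mercury device eth1 entered promiscuous mode
Oct  3 19:04:32 Mercury device eth0 entered promiscuous mode
Oct  3 19:04:45 Mercury device eth1 left promiscuous mode
Oct  3 19:04:50 Mercury device eth0 left promiscuous mode
"""

PROMISC_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) \S+ device (?P<dev>\S+) "
    r"(?P<ev>entered|left) promiscuous mode$")


def tod(s):
    """'HH:MM:SS' or 'HH:MM:SS.ffffff' (tcpdump style) -> seconds since midnight."""
    h, m, sec = s.split(":")
    return int(h) * 3600 + int(m) * 60 + float(sec)


def promisc_intervals(text):
    """{dev: [(entered, left), ...]}; left is None if the NIC never left."""
    open_at, out = {}, defaultdict(list)
    for line in text.splitlines():
        m = PROMISC_RE.match(line.strip())
        if not m:
            continue
        dev, t = m["dev"], tod(m["time"])
        if m["ev"] == "entered":
            open_at.setdefault(dev, t)          # keep the earliest if logged twice
        else:
            out[dev].append((open_at.pop(dev, None), t))  # None: no entry logged
    for dev, t in open_at.items():
        out[dev].append((t, None))
    return dict(out)


def promiscuous_during(intervals, t0, t1):
    """NICs that were promiscuous for the whole window [t0, t1]."""
    return sorted(dev for dev, ivs in intervals.items()
                  if any(s is not None and s <= t0 and (e is None or t1 <= e)
                         for s, e in ivs))


def never_left(intervals):
    """NICs still promiscuous at the end of the log."""
    return sorted(dev for dev, ivs in intervals.items() if any(e is None for s, e in ivs))


if __name__ == "__main__":
    iv = promisc_intervals(SYSLOG)
    for dev, ivs in iv.items():
        print(dev, ivs)
    # First and last timestamps of the eth1 tcpdump posted earlier in the thread.
    print("promiscuous during the posted capture:",
          promiscuous_during(iv, tod("19:04:37.273159"), tod("19:04:37.942525")))
    print("never left:", never_left(iv))
```

For the posted log this yields five eth0 windows and two eth1 windows, both interfaces promiscuous across the 19:04:37 capture, and nothing left open. On a live box, `ip link show eth0` lists PROMISC among the flags while a capture is running. Routed traffic is addressed to the router's own MAC, so `tcpdump -p` sees it without promiscuous mode and avoids generating these log lines in the first place.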

