# Trying to make things work in spite of a bad router?

## 1clue

Hi,

I have a customer with a crappy AT&T-supplied router.  My customer leases the router, they don't have configuration access.  If you google the router model, the first link is a review saying "not very good."

They have 4 public IPs and then the traditional local network on 192.168.x.y.  The router manufacturer's solution to port passthrough is to give these public addresses, which are completely unprotected, and then everything else is on the 192.168.  There's no configuration of ports, and anyone who wants can just statically configure their system to one of the public addresses and it "works".

The problem is, both 192.168.x.y packets and the public net packets are all traveling on the same wires and across wireless.  The first packet from one "net" to the other goes through the router, and then the TCP stack realizes it's the same and tries for direct.  This obviously breaks functionality.  I can reboot a system, then hit it exactly once from the other net, and then after that it's broken.  I can go from the private net to the private net as often as I like.

I've made my case to the customer to buy another router, but it might be tomorrow or it might be a couple months from now, I have no idea.

I want to make something that will work temporarily until the new hardware comes:

I want to configure the Linux-based systems to ignore all traffic from another network which does not come from the router.

I want to configure the Linux-based systems to go through the router for all traffic on another subnet, even if the route could be direct.

Is there something I can do which will survive the system being plugged into a different network?  Assume DHCP leases.

Can anyone give pointers?  I suspect that no matter what I do to the Linux parts of this puzzle there will still be issues from other boxes.

Thanks.

----------
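The first of the two requirements above (ignore traffic from the other subnet unless it arrived through the router) can be expressed as a small iptables chain keyed on the router's Ethernet source address; as a later post notes, all of this router's LAN-side interfaces share one MAC, so a single address covers both wired and wireless. What follows is an added example written for this thread, not code from any poster: the interface name `eth0`, the router MAC `00:11:22:33:44:55`, the public block `203.0.113.0/29` (an RFC 5737 documentation range) and the chain name `XNET` are all placeholders for the real values.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholders (assumptions): LAN interface
# eth0, router LAN-side MAC 00:11:22:33:44:55, the "other" subnet 203.0.113.0/29.

# Print the iptables commands that let packets from the other subnet in only
# when the Ethernet source is the router's MAC, and log-then-drop anything
# that arrived directly from a host on that subnet.  This function only
# prints; nothing is executed here.
#   $1 interface, $2 router MAC, $3 the other subnet (CIDR)
filter_rules() {
    ifc=$1; rmac=$2; other=$3
    cat <<EOF
iptables -N XNET 2>/dev/null || iptables -F XNET
iptables -A XNET -m mac --mac-source $rmac -j RETURN
iptables -A XNET -m limit --limit 6/min -j LOG --log-prefix "xnet-direct: "
iptables -A XNET -j DROP
iptables -D INPUT -i $ifc -s $other -j XNET 2>/dev/null || true
iptables -I INPUT 1 -i $ifc -s $other -j XNET
EOF
}

# Check before trusting a MAC: the neighbour table entry for the router's
# LAN address must carry that link-layer address.  Returns 0 on a match.
#   $1 router IP, $2 expected MAC
router_mac_matches() {
    ip neigh show "$1" | grep -qi "lladdr $2"
}

# Run the generated rules (needs root).  Enabled only with XNET_APPLY=1 so the
# script can be sourced or tested without touching the firewall.
apply_filter_rules() {
    filter_rules "$@" | sh -e
}

if [ "${XNET_APPLY:-0}" = 1 ]; then
    router_mac_matches 192.168.1.1 00:11:22:33:44:55 || {
        echo "router MAC does not match neighbour table, refusing to apply" >&2
        exit 1
    }
    apply_filter_rules eth0 00:11:22:33:44:55 203.0.113.0/29
fi
```

Two caveats. `-m mac` matches only on incoming Ethernet frames, so this protects the Linux box's inbound side and nothing else; a host on the public block that has already been told to go direct will keep doing so until its own route entry expires, and its packets are what the `xnet-direct:` log line will show. And `RETURN` rather than `ACCEPT` is deliberate: router-forwarded packets fall back into whatever the rest of `INPUT` already decides, so this chain never widens what the host accepts.

----------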

## eyoung100

1. Use iptables and filter by MAC address.

Allow the MAC address of router 1 in net 1, disallow in net 2.

Allow the MAC address of router 2 in net 2, disallow in net 1.

See: iptables MAC address filtering

2. Consider putting both Nets on the same subnet, and then use a bridge, connect the bridge to a port on the ISP facing device.  The bridge joins the subnets and routes all combined traffic through the router.  If you use this approach, you won't need #1.

3. Set the lease time to 0. This "turns off" DHCP Renewal.

----------

## 1clue

This won't work.

This is a cheap (as in under $100, probably a LOT under) SOHO internet appliance, a combination router and modem, and they didn't bother to put in niceties like VLAN configuration or even a way to make some ports of a host public while keeping the others private.  To complicate things, it's about 1,400 miles away from me.

I just checked, and all non-upstream interfaces on this router have the same MAC address.  The upstream port's MAC address is downstream+1.

I suppose I could filter out anything not-my-subnet and not-from-router.

The bridge idea, if I understand you correctly, is not in the cards.  I'll be lucky to get another SOHO router with a good TCP stack, real VLANs and port mapping.

Don't really want to turn off renewal.  I played with that a few years ago and did not get a happy result.  Some systems get grouchy when they can't renew.

----------

## eyoung100

Does the Internet appliance have the ability to be put into bridging mode?  If so, look at Best Buy, VoIP and cable/DSL modems.  Use theirs as the bridging device and buy one.  When I worked at Verizon as tech support, we had customers who we'd send a new modem that would connect a router to a router and could not get out.  Bridging one always solves the issue.  In the bridged device, enable remote admin.  Put the port number as something way off, then use the routable IP + wacky port number to access the bridge remotely, then do the same thing in the ISP device; just don't share the same port.

----------

## 1clue

Oh, man.  You just put me into a depression.

The device is a Motorola NVG510.  I googled "NVG510 bridge mode" and I see an endless stream of misery.

The problem with this router is that while it has configurations for all the neat features like a firewall and bridge mode and whatever else, none of it works correctly enough to interact well with other equipment.

Now I'm worried about whatever device they wind up getting working on it.  Now I'm not even so much interested in getting it to work until the other device gets there, I'm hoping it can be made to work AFTER we get the other device.

Seriously, we could get by with a single public IP and a good firewall and port mapping in the final configuration.  A good cross-platform VPN endpoint would be great too.

My personal SOHO Cisco gear works really well for what I want to do, I mess with that all the time.  They know what VLAN means, they keep subnets separate, they have good port forwarding and firewalls and even DHCP-controlled static IPs so you can change everything from the control panel.

I find it hard to believe that Motorola would put out such pure junk, and that a national carrier would force it on their customers.  I've bought Motorola stuff in the past, but no more.

Sorry for the rant, I'm just so incredibly angry with this situation.  They've already checked, the building has only one carrier who will deliver service to it.  The service is not nearly as fast or reliable as my home service, but they charge a business price for it.  Service calls take weeks to finish, and the techs are novices with almost no training and zero understanding of networking.

I'm at a bit of a loss right now.

----------

## 1clue

Good grief.

It appears that Motorola makes exactly two DSL modems which are not bridgeable, and both are because AT&T specified them that way.

Motorola isn't the bad guy here, it's AT&T.  They've deliberately crippled their service to cause grief to their customers.

I have a bad feeling about this.

----------

## Simba7

It wouldn't surprise me much if they did cripple service. Only one worse is CenturyLink.

Can you get the login information for the xDSL modem?

Here's a little more information for that modem. http://wikidevi.com/wiki/Motorola_NVG510

----------

## 666threesixes666

I'd get a standard DSL modem -> standard router setup going and mail their junk back to them.

----------

## Simba7

*666threesixes666 wrote:*

> I'd get a standard DSL modem -> standard router setup going and mail their junk back to them.

Me, I'd probably hack it and throw on OpenWrt, but AT&T probably wouldn't like that.

----------

## 1clue

It's not the customer's equipment.  It belongs to AT&T.

FWIW I'd like to put in a plug for my ISP.  I'm on Midcontinent Cable.  It's awesome.  I live in a small town in a sparsely populated state, and the service is excellent.

I can get up to 100 Mbps.

The installation techs are extremely knowledgeable.  The guy looked at my equipment and asked a few pertinent questions, found out I'm not a novice on this and shared his opinion on the relative merits of other equivalent equipment.

The equipment they give you is NOT junk.  Quite the opposite.  They figure if it's good equipment they'll have fewer support calls.

There's no contract requiring you to stick with the number of channels or megabits once you get it.  I can bump bandwidth up or down, change channel packages, whatever without a penalty.

With a few exceptions, every time I run a speed test, I generally get more bandwidth than I paid for in both directions, even using a non-affiliated speed test service.

Every reliability issue I've had turned out to be my equipment.  A bad cable, for example.

It's crazy.  I lived in the Chicago area for over 10 years.  Cable and Internet are generally crappy, the speed is never up to the advertised rate, there are always extra service charges and hidden fees.  It goes down fairly often and at bad times of the day.  You get companies like AT&T who seem to go out of their way to provide the crappiest experience they possibly can, and for all I know they charge extra for service calls.  Which would explain everything.  You have Comcast, which is much better than AT&T but they lock you into contracts and charge extra at every possible opportunity.

Then you go out to where there are more cows than people, and you get some first rate Internet at speeds that I couldn't have gotten in Chicago even if I had the money for it.  And it's better in every way.

----------

## thegeezer

Sounds like you want macvlan.

It came about because of the issue of a machine with VMs,

where you have a management port and a bridge going to the virtual machines.

Similar to your situation, you want the correct port to respond to the correct traffic.

macvlan is really just a separator for the local machine.

Failing that, you can also use ip rule and routing tables so that you can force the routing tables.

----------
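The `ip rule` / routing-table suggestion above is the other half of what the original post asks for: send everything for the other subnet through the router even when the kernel could reach it directly, and have that survive a DHCP lease change. The symptom described at the top of the thread (first packet via the router, later ones direct) is what ICMP redirects from a router produce when two subnets share one segment; the example below assumes that is the mechanism here and turns redirect acceptance off before pinning the route. It is an added example written for this thread, not code from any poster: `eth0`, the router address `192.168.1.1`, the public block `203.0.113.0/29` (RFC 5737 range) and table number `100` are placeholders, and the DHCP hook part assumes ISC dhclient, which sources files under `/etc/dhcp/dhclient-exit-hooks.d/` with `$reason`, `$interface` and `$new_routers` set.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholders (assumptions): LAN interface
# eth0, router 192.168.1.1, the "other" subnet 203.0.113.0/29, routing table 100.

# Print the commands that (1) stop this host honouring ICMP redirects, so the
# kernel keeps sending to the other subnet through the router instead of
# "going direct", and (2) pin the other subnet to the router in its own policy
# routing table, consulted before main.  Only prints; nothing runs here.
# For a non-forwarding host Linux accepts redirects if EITHER
# conf/all or conf/<ifc> allows them, so both are set.
#   $1 interface, $2 router IP, $3 the other subnet (CIDR), $4 table number
route_rules() {
    ifc=$1; gw=$2; other=$3; tbl=$4
    cat <<EOF
sysctl -q -w net.ipv4.conf.all.accept_redirects=0
sysctl -q -w net.ipv4.conf.$ifc.accept_redirects=0
sysctl -q -w net.ipv4.conf.all.send_redirects=0
ip route replace $other via $gw dev $ifc table $tbl
ip rule del to $other lookup $tbl 2>/dev/null || true
ip rule add pref 100 to $other lookup $tbl
ip route flush cache
EOF
}

# Verification: the kernel's chosen path for a host on the other subnet must
# still name the router as gateway.  A cached redirect would show the peer
# itself as the "via".  Returns 0 when the route goes through the router.
#   $1 a host on the other subnet, $2 router IP
route_via_router() {
    ip route get "$1" | grep -q "via $2 "
}

# Run the generated commands (needs root).
apply_route_rules() {
    route_rules "$@" | sh -e
}

# When installed as /etc/dhcp/dhclient-exit-hooks.d/xnet (ISC dhclient,
# assumption), dhclient sources this file after each lease event; re-pin the
# route against whatever gateway the new lease names, so a move to a
# different network just follows the new router.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        set -- $new_routers                   # first listed router is the gateway
        apply_route_rules "$interface" "$1" "${XNET_OTHER:-203.0.113.0/29}" 100
        route_via_router "${XNET_PROBE:-203.0.113.2}" "$1" \
            || echo "xnet: route to other subnet is not via $1" >&2
        ;;
esac
```

`ip route flush cache` at the end matters on kernels that have already accepted a redirect: the per-destination exception it installed is what makes later packets go direct, and flushing drops it so the new rule takes effect at once rather than when the exception expires. None of this helps the boxes on the public block that the poster does not control; they are still redirected by the router, which is the part only new hardware fixes.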

