[ale] So, who do we like for a new 4 port gigabit LAN/WAN Firewall Routers these days?

Steve Litt slitt at troubleshooters.com
Wed Feb 24 06:06:16 EST 2021


I used (and liked) pfSense for several years. The only problem was it
consumed a computer, with the 24/7 power requirements that implies.

Now I'm using my Spectrum cable modem as a firewall/router/dhcpserver.
If that ever doesn't work (I blow out cable modems every few years)
I'll go back either to pfSense or OpenBSD and pf.

SteveT


On Tue, 23 Feb 2021 21:38:24 -0500
Chuck Payne via Ale <ale at ale.org> wrote:

> I have good luck with pfSense.  I only have Wan/Lan, but if I could
> find a cheap 4 port nic card. ( Gave/Left mine at Volacity, regret ).
>  It's nice, does a lot. Only issue I have is that it won't do VIP for
> IPs. I have to use EOL Sonic Wall NAS3500 for.
> 
> 
> 
> On Tue, Feb 23, 2021 at 9:25 PM Neal Rhodes via Ale <ale at ale.org>
> wrote:
> 
> > So, tonight's experiment at removing port triggering and doing port
> > forwarding resulted in the exact same failure from the now
> > unsupported Cisco router.   Running a traceroute to "progress.com"
> > from the admin page results in:
> >
> > progress.com: Temporary failure in name resolution
> > Cannot handle "host" cmdline arg `progress.com' on position 1 (argc
> > 3)
> >
> > which is interesting, as that error pops up in a lot of unix/linux
> > versions.  Is the RV180vpn linux inside?
> >
> > I've pretty well had it with Cisco, and this router.
> >
> > WHO do we like for a well supported reliable gigabit firewall router
> > with 1 WAN, 4-6 LAN ports, no WIFI needed?
> >
> > Netgear seems to offer support for 90 days?  Does anyone actually
> > stand behind their products?
> >
> > Of course, I cannot rule out some garbling between the Cisco and the
> > Comcast, although my memory is that our linux server directly on the
> > Comcast LAN port has no DNS problems.
> >
> > regards,
> >
> > Neal
> >
> >
> >
> > On 2021-02-22 21:12, neal at mnopltd.com wrote:  
> > > Ok, replacement Cisco RV180VPN arrives from Ebay today.
> > >
> > > Flash with latest firmware, load the config, and put it in.
> > >
> > > aaaaaaaaaaaand, 20 minutes after starting the Jamulus client, it
> > > fails the same way.
> > >
> > > So, the only thing interesting/unique about a Jamulus client on
> > > the LAN side is that it is sending data on UDP port 22124.  So,
> > > there is a Port Triggering rule on the Cisco.  Which means it is
> > > supposed to keep track of who opens this port outbound so it can
> > > match responses up when they come back?
> > >
> > > IS IT POSSIBLE that Cisco failed to test this thoroughly?  And
> > > with a client beavering away sending constant compressed audio it
> > > overruns its internal data? Since this product is recently at
> > > End-of-Life we cannot ask Cisco.
> > >
> > > Now, practically, there is only ONE client on the LAN side which
> > > is sending data on UDP port 22124: the one Jamulus PI box.
> > > (remember? I said linux/Raspbian WAS involved)  Can't I logically
> > > remove the Port Triggering rule, and just Port Forward all UDP
> > > 22124 to the Jamulus PI box?  (which has a static DHCP address)
> > >
> > > regards,
> > >
> > > Neal
> > >
> > > On 2021-02-16 10:21, neal at mnopltd.com wrote:  
> > >> Subsequent failure last night looks like the Cisco Router
> > >> crapped in its own nest.
> > >>
> > >> From the router itself:
> > >>
> > >> traceroute to 75.75.76.76 (75.75.76.76), 10 hops max, 40 byte packets
> > >>  1  * * *
> > >>  2  * * *
> > >>  3  * * *
> > >>  4  * * *
> > >>  5  * * *
> > >>  6  * * *
> > >>  7  * * *
> > >>  8  * * *
> > >>  9  * * *
> > >> 10  * * *
> > >>
> > >> From a PC trying to access other DNS servers:
> > >>
> > >> PS C:\Users\sanctuary> nslookup - 1.1.1.1
> > >> DNS request timed out.
> > >>     timeout was 2 seconds.
> > >> Default Server:  UnKnown
> > >> Address:  1.1.1.1
> > >>
> > >> PS C:\Users\sanctuary> nslookup - 208.67.222.222
> > >> DNS request timed out.
> > >>     timeout was 2 seconds.
> > >> Default Server:  UnKnown
> > >> Address:  208.67.222.222
> > >>
> > >> Trying traceroute on cisco after reboot (jamulus was still
> > >> running): progress.com: Temporary failure in name resolution
> > >> Cannot handle "host" cmdline arg `progress.com' on position 1
> > >> (argc 3)
> > >>
> > >> 2nd reboot after shutting off Jamulus and it is ok.
> > >>
> > >> So it sure looks to me like the NAT code in the router is garbled
> > >> under this load.
> > >>
> > >> Hopefully replacement router showing up today and we'll flash
> > >> latest firmware.
> > >>
> > >>
> > >> On 2021-02-14 06:16, Neal Rhodes via Ale wrote:  
> > >>> That's a great idea, at least for diagnosis, since I can cause
> > >>> this failure any evening I want.
> > >>>
> > >>> I can at least force an nslookup on a PC to use those and see
> > >>> if it works or not.
> > >>>
> > >>> One really really weird thing: I noticed three warnings in the
> > >>> Cisco logs maybe-about the time of failure complaining that
> > >>> IPV6 was not configured.  Which it is not.  Ever.   Did the
> > >>> Cisco get a wild hare and decide to NAT all the DNS traffic
> > >>> through IPV6?
> > >>>
> > >>> Thanks and regards,
> > >>>
> > >>> Neal
> > >>>  
> > >>>> Have you tried using another public DNS service instead of
> > >>>> Comcast. I’ve found Comcast DNS to be extremely unreliable and
> > >>>> I use a combination of OpenDNS (208.67.222.222 and
> > >>>> 208.67.220.220) and Cloudflare (1.1.1.1 and 1.0.0.1).  I’ve
> > >>>> heard others use Google or Comodo.   All of these are publicly
> > >>>> available.
> > >>>>
> > >>>> Ray  
> > >>>
> > >>> On 2021-02-13 21:59, Raylynn Knight wrote:  
> > >>>>> On Feb 13, 2021, at 2:37 PM, Neal Rhodes via Ale <ale at ale.org>
> > >>>>> wrote:
> > >>>>>
> > >>>>> I will apologize in advance for not taking some of the advice
> > >>>>> given on our church WAN/LAN regarding making 10.1.10.X see
> > >>>>> 192.168.x.x.
> > >>>>>
> > >>>>> The stock small business Comcast router setup is what they
> > >>>>> call "virtual bridge mode", meaning no firewall, and being a
> > >>>>> hybrid voice/data configuration any significant changes risks
> > >>>>> bringing the whole house down.  With no support from them to
> > >>>>> get it back up.
> > >>>>>
> > >>>>> I have the access we need working, retaining our Ubuntu audio
> > >>>>> server on the comcast side, and letting our cisco router act
> > >>>>> as firewall, and I haven't brought down questions about murky
> > >>>>> security issues. yet.
> > >>>>>
> > >>>>> BUT this has to be one for the record books... Configuration:
> > >>>>>
> > >>>>> Comcast Router <==> Cisco RV180vpn Router <==> 192.168.x.x:
> > >>>>> Virtual Studio/Jambox
> > >>>>> +Ubuntu Jack/Jamulus
> > >>>>>
> > >>>>> Comcast router, with Ubuntu server running Jacktrip and
> > >>>>> Jamulus. Normal Comcast 10.X.X.X network.
> > >>>>>
> > >>>>> Cisco Router providing 192.168.x.x LAN behind it.
> > >>>>>
> > >>>>> Now comes the weird part... outside VS boxes can hit the
> > >>>>> Jacktrip or Jamulus all day, for hours, no problem. JackTrip
> > >>>>> uses TCP port 4464, and UDP 51002-62000.   Jamulus just uses
> > >>>>> UDP 22124.   Once fired up, these are wailing away sending
> > >>>>> either uncompressed (jacktrip) or compressed (Jamulus) audio.
> > >>>>>
> > >>>>> BUT, fire up the VS box on the LAN, connecting to the
> > >>>>> Jacktrip or Jamulus server sitting on the Comcast box, and
> > >>>>> within 2 hours NOTHING on the LAN will be able to get DNS
> > >>>>> service.   Not immediately, but within 2 hours.   The Cisco
> > >>>>> box doesn't fake DNS; it tells clients to hit 75.75.75.75, or
> > >>>>> 75.75.76.76, the standard Comcast ports.   The DNS failure is
> > >>>>> visible both in the Cisco router's Diagnostic tools, AND from
> > >>>>> a browser, AND from nslookup on a PC.  The Ubuntu box outside
> > >>>>> the LAN continues to have normal DNS responses.
> > >>>>>
> > >>>>> We can still PING external hosts we have an IP address for.
> > >>>>>  I was able to ping my house router.
> > >>>>>
> > >>>>> This has happened three different days, and in each instance,
> > >>>>> a simple reboot of the Cisco router has resolved it for days.
> > >>>>>   Until Virtual Studio or Jambox is started again.   Today,
> > >>>>> being Saturday, there was NO activity besides me.
> > >>>>>
> > >>>>> And on Sundays, we have been streaming video without incident.
> > >>>>>
> > >>>>> The Cisco RV180VPN is in fact not running latest firmware.  I
> > >>>>> have another coming (I hope) on Ebay and will flash that with
> > >>>>> latest and try it.  Beyond that,  what?   I guess we could
> > >>>>> buy a brand new router with current support...
> > >>>>>
> > >>>>> From a local PC: nslookup
> > >>>>> DNS request timed out.
> > >>>>>    timeout was 2 seconds.
> > >>>>> Default Server:  UnKnown
> > >>>>> Address:  75.75.75.75
> > >>>>>  
> > >>>>>> google.com  
> > >>>>> Server:  UnKnown
> > >>>>> Address:  75.75.75.75
> > >>>>>
> > >>>>> DNS request timed out.
> > >>>>>    timeout was 2 seconds.
> > >>>>> DNS request timed out.
> > >>>>>    timeout was 2 seconds.
> > >>>>> DNS request timed out.
> > >>>>>    timeout was 2 seconds.
> > >>>>> DNS request timed out.
> > >>>>>    timeout was 2 seconds.
> > >>>>> *** Request to UnKnown timed-out
> > >>>>>
> > >>>>> I also tried nslookup - 75.75.76.76 with identical results.
> > >>>>>
> > >>>>> My wife suggested I should run a traceroute to the DNS server
> > >>>>> when it's working, and then again when it fails.  I should
> > >>>>> listen to her more often.
> > >>>>>  
> > >>>
> > >>> _______________________________________________
> > >>> Ale mailing list
> > >>> Ale at ale.org
> > >>> https://mail.ale.org/mailman/listinfo/ale
> > >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>> http://mail.ale.org/mailman/listinfo  
> >  
> 
> 


SteveT

Steve Litt 
Autumn 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
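The thread's diagnosis boils down to one repeatable check: from a PC on the LAN, does a UDP DNS query to each resolver get an answer before the 2-second timeout, and at what time did it stop working relative to starting the audio client? The script below is an added example written for this page, not code from anyone in the thread. It sends a minimal raw DNS query (no external libraries) to the resolvers named above and logs the outcome with a timestamp, so the failure window can be correlated with Jamulus startup; pair it with a plain ping to confirm the "ping works, DNS doesn't" symptom Neal described. The resolver list, the query name (google.com, as in Neal's nslookup), and the 60-second default interval are assumptions.

```python
"""Periodic raw-UDP DNS reachability probe (added example, not from the thread).

Logs, per resolver, whether an A query is answered within the timeout, so an
outage like the one described (ping fine, every resolver timing out from the
LAN) gets a timestamp that can be lined up with when the UDP audio client was
started. Run from a LAN host behind the router under suspicion.
"""
import random
import socket
import struct
import sys
import time

# Resolvers mentioned in the thread (Comcast, Cloudflare, OpenDNS); assumption.
RESOLVERS = ["75.75.75.75", "75.75.76.76", "1.1.1.1", "208.67.222.222"]


def build_query(name, txid):
    """Build a standard recursive-desired DNS A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid):
    """Classify a datagram: ('ok', [ips]) or (reason, []) when unusable."""
    if len(data) < 12:
        return ("short", [])
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return ("txid-mismatch", [])  # stray or spoofed datagram, ignore
    if not flags & 0x8000:
        return ("not-a-response", [])
    rcode = flags & 0x000F
    if rcode != 0:
        return ("rcode-%d" % rcode, [])  # e.g. rcode-3 is NXDOMAIN, rcode-2 SERVFAIL
    try:
        off = 12
        for _ in range(qd):
            off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
        ips = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                ips.append(".".join(str(b) for b in data[off:off + 4]))
            off += rdlen
    except (IndexError, struct.error):
        return ("malformed", [])
    return ("ok", ips)


def probe(resolver, name="google.com", timeout=2.0):
    """Send one query; return (status, ips, seconds_elapsed)."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)  # same 2 s budget nslookup reports in the thread
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return ("timeout", [], time.monotonic() - start)
    finally:
        sock.close()
    status, ips = parse_response(data, txid)
    return (status, ips, time.monotonic() - start)


if __name__ == "__main__":
    interval = float(sys.argv[1]) if len(sys.argv) > 1 else 60.0
    while True:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for r in RESOLVERS:
            status, ips, elapsed = probe(r)
            print(f"{stamp} {r:15} {status:14} {elapsed * 1000:6.0f}ms {' '.join(ips)}")
        time.sleep(interval)
```

Leave it running in a terminal (`python3 dnsprobe.py 30` for a 30-second interval) before starting the audio client; the first line where every resolver flips to `timeout` while the outside box still resolves normally is the moment to look at the router's state table, and a resolver that answers `rcode-2` or `rcode-3` rather than timing out points at the resolver, not the NAT path.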

