Networking Forums

aDSL router which is /just/ a router?!?

 
 
Simon Brooke

 
      08-15-2005, 12:52 PM
OK, OK, I give up. Much tearing of hair has been done...

Brief reprise: we're moving from an old leased line to a new DSL line,
and don't want to interrupt service from our servers more than
necessary. The network configuration looks like this:

62.6.156.72/29;192.168.2.0/24       192.168.1.0/24
[server][server][server][server]   [pc]    [pc]    [pc]
[cullen][beesi ][parker][buckie]    |       |       |
    |       |       |       |       |       |       |
    +-------+-------+-------+       +-------+-------+
                    |               |
                    +--[firewall]---+
                            |
                    +-------+-------+
                    |               |
                [router]      [adsl router]
               62.6.156.65   217.34.156.190
                    |               |
             62.6.156.64/28 217.34.156.176/28
                    |               |
                    +-{the Internet}+

[I was going to put phoney IPs in, but frankly, if someone is trying to
hack into our network on the basis of this post, phoney IPs wouldn't be
very much protection. You should get the same page on
http://62.6.156.74/ and on http://217.34.156.189/]

The aDSL router is a 2Wire IG rebadged as a BT1800HG, and it has one of
these 'idiot proof' user interfaces. One 'feature' of this is that it
adds devices to the set it routes for by their hardware addresses as it
sees them, and neither the manual nor BT's help desk know of any way of
over-riding this feature. Consequently, because it can't see the servers
behind my firewall, it won't route for them, and there is no way of
telling it to assign multiple IP addresses to the same device.

[sigh].

I can't use the aDSL router as my main firewall until all addresses are
migrated and the leased line is disconnected, and in any case I don't
want to trust it as my firewall, because I didn't write it and I can't
audit it and I don't trust what goes on behind pretty pointy clicky
interfaces; and if I want to add another external connection later I'll
have the same triangulation problems.

So, I want an aDSL router which is /just/ a router, and doesn't have any
NAT or firewall functions (or if it has, they can be switched off
entirely).

Any recommendations?

--
(E-Mail Removed) (Simon Brooke) http://www.jasmine.org.uk/~simon/

;; this is not a .sig
 
 
 
 
 
Vic

 
      08-15-2005, 01:21 PM
> The network configuration looks like this:

[SNIP ASCII-art diagram that really didn't render well here :-( ]

> The aDSL router is a 2Wire IG rebadged as a BT1800HG


First things first: I've played with these in the past. They're
*appalling*. Throw it away and put in something functional.

> and it has one of
> these 'idiot proof' user interfaces. One 'feature' of this is that it
> adds devices to the set it routes for by their hardware addresses as it
> sees them


Well - it does need to know MAC addresses before it can route traffic
there...

Usual behaviour for unknown IP addresses on the local subnet is to start
sending ARP packets. The holder of the IP address should respond, and
you get comms going that way. Are you sure your firewall isn't blocking
ARP traffic?

> So, I want an aDSL router which is /just/ a router, and doesn't have any
> NAT or firewall functions (or if it has, they can be switched off
> entirely).
>
> Any recommendations?


Look for something that supports "half bridging"; I think that's what
you're trying to do.

Personally, I use a Dabs box based on the Conexant chipset. I bought it
because it was the cheapest I could find, and it's proved to be
fabulous. Others with the same box have had different experiences,
though - so consider how critical this link is before skimping on the
h/w :-)

If you do get a Conexant-based box, make *sure* you set it up fully - as
shipped, there's a fully-functioning backdoor...

HTH

Vic.





--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
 
 
Nix

 
      08-15-2005, 03:03 PM
On Mon, 15 Aug 2005, (E-Mail Removed) stated:
> Personally, I use a Dabs box based on the Conexant chipset. I bought it
> because it was the cheapest I could find, and it's proved to be
> fabulous. Others with the same box have had different experiences,
> though - so consider how critical this link is before skimping on the
> h/w :-)


It WORKSFORME, with the caveats that it (rarely) goes completely
moribund, and needs rebooting with a Perl script whenever the line
drops.

--
`I work in computers so, of course, I'm an expert on everything.'
--- Simon Rumble
 
 
Peter Crosland

 
      08-15-2005, 03:13 PM
With respect Simon I think you are being a little bit paranoid. Buy a good
quality router like one of the Draytek range and you can configure it to
suit your requirements. The firewall part is first class and unless you are
prepared to pay megabucks for negligible extra benefit it really is quite
sufficient.

Peter Crosland


 
 
Dave {Reply Address in.sig}

 
      08-15-2005, 04:46 PM
In message <bpf6t2-(E-Mail Removed)>, Simon Brooke
wrote:
>
> So, I want an aDSL router which is /just/ a router, and doesn't have any
> NAT or firewall functions (or if it has, they can be switched off
> entirely).
>
> Any recommendations?
>

I've got a DLink DSL300T which might do what you want in the short term. It
would need some tweaking but it's possible to telnet to it from inside,
turn off the firewall and use the route command to adjust the routeing to
force traffic for multiple IPs to get passed to your router. However, it
will lose all of that on reboot so be prepared to write a script if you
actually want it to work that way. It's running ucLinux on a MIPS processor
as far as I can tell. I flash-upgraded it to be a dumb modem, because I've
got a Linux box acting as internal firewall/router. I'm not sure you'd want
to use it longer-term in this mode without an internal firewall box.

It's also given me trouble with losing the PPP link at random, to the point
where I wrote a script to force a reconnect. It's in use at the moment but
that's only because my Draytek 2500 woke up this morning with a shiny new
connect at 2MB and an SNR of -4dB. So a quick swap until I get it fixed.

I wouldn't recommend one long-term but it might get you out of a hole in the
short term.

Of course, there's always a USB Speedtouch, newer kernels have native
support for those so you could plug that into your firewall box :-)
--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...
 
 
Vic

 
      08-15-2005, 05:24 PM
> needs rebooting with a Perl script whenever the line
> drops.


I've heard that story before. It's one of those issues I just haven't
seen...

Vic.





--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
 
 
Paul Martin

 
      08-15-2005, 08:45 PM
In article <(E-Mail Removed)>,
Dave {Reply Address in.sig} wrote:

> It's also given me trouble with losing the PPP link at random, to the point
> where I wrote a script to force a reconnect. It's in use at the moment but
> that's only because my Draytek 2500 woke up this morning with a shiny new
> connect at 2MB and an SNR of -4dB. So a quick swap until I get it fixed.


Nasty... a Signal-to-Noise Ratio shouldn't be negative (in decibels).

That would mean that there's more noise than signal.

In my experience you need a minimum SNR of about 6dB for an ADSL link
to work, and 12dB for reliability. Typical SNRs are 20-30dB.

You need a better SNR for higher bandwidth links than you need for
lower bandwidth links.

--
Paul Martin <(E-Mail Removed)>
 
 
Simon Brooke

 
      08-15-2005, 09:24 PM
in message <(E-Mail Removed) lgate.org>,
Vic ('(E-Mail Removed)') wrote:

>> The network configuration looks like this:

>
> [SNIP ASCII-art diagram that really didn't render well here :-( ]
>
>> The aDSL router is a 2Wire IG rebadged as a BT1800HG

>
> First things first: I've played with these in the past. They're
> *appalling*. Throw it away and put in something functional.
>
>> and it has one of
>> these 'idiot proof' user interfaces. One 'feature' of this is that it
>> adds devices to the set it routes for by their hardware addresses as
>> it sees them

>
> Well - it does need to know MAC addresses before it can route traffic
> there...


Well, it doesn't have to, it could just take packets it sees on one of
its interfaces and dump them out on the other - and frankly if it did
that everything in the garden would be rosy. But I want to map all the
IP addresses onto one MAC address, and it only allows me to assign one
IP to one MAC. Still, if it's 'appalling' perhaps it's just as well it
won't do what I need.

> Usual behaviour for unknown IP addresses on the local subnet is to
> start sending ARP packets. The holder of the IP address should respond,
> and you get comms going that way. Are you sure your firewall isn't
> blocking ARP traffic?
>
>> So, I want an aDSL router which is /just/ a router, and doesn't have
>> any NAT or firewall functions (or if it has, they can be switched off
>> entirely).
>>
>> Any recommendations?

>
> Look for something that supports "half bridging"; I think that's what
> you're trying to do.
>
> Personally, I use a Dabs box based on the Conexant chipset. I bought it
> because it was the cheapest I could find, and it's proved to be
> fabulous. Others with the same box have had different experiences,
> though - so consider how critical this link is before skimping on the
> h/w :-)


It's critical. If it goes down at two in the morning /I/ have to get out
of bed and deal with it - I call that critical.

Thanks for the thoughts.

--
(E-Mail Removed) (Simon Brooke) http://www.jasmine.org.uk/~simon/

;; An enamorata is for life, not just for weekends.
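
An added example, not part of the thread: ordinary ARP resolution is an IP-to-MAC mapping, so several IP addresses may share one MAC (the firewall answering for the servers behind it), and an address whose ARP request goes unanswered shows up as unresolved. The sketch assumes a Linux router on the same segment whose `ip neigh show` output is available; the sample table, addresses and MACs are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` on Linux.
# 192.0.2.0/24 and 00:00:5e:00:53:xx are documentation ranges, not
# addresses taken from the thread.
SAMPLE_NEIGH = """\
192.0.2.10 dev eth1 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.12 dev eth1 lladdr 00:00:5E:00:53:01 REACHABLE
192.0.2.11 dev eth1 lladdr 00:00:5e:00:53:01 STALE
192.0.2.13 dev eth1  FAILED
192.0.2.14 dev eth1  INCOMPLETE
192.0.2.20 dev eth1 lladdr 00:00:5e:00:53:07 router REACHABLE
"""

# Neighbour states that mean "ARP request sent, no usable reply".
UNRESOLVED = {"FAILED", "INCOMPLETE"}


def parse_neigh(text):
    """Return (mac -> sorted IPs, IPs whose ARP request went unanswered)."""
    by_mac = defaultdict(list)
    unanswered = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue  # blank or malformed line
        ip, state = tokens[0], tokens[-1]
        if "lladdr" in tokens[:-1]:
            # The link-layer address is the token after the "lladdr" keyword.
            mac = tokens[tokens.index("lladdr") + 1].lower()
            by_mac[mac].append(ip)
        elif state in UNRESOLVED:
            unanswered.append(ip)
    ordered = {m: sorted(ips, key=ipaddress.ip_address) for m, ips in by_mac.items()}
    return ordered, unanswered


def shared_macs(by_mac):
    """MACs that answer for more than one IP address."""
    return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table, unanswered = parse_neigh(SAMPLE_NEIGH)
    for mac, ips in shared_macs(table).items():
        print(f"{mac} answers for {', '.join(ips)}")
    print("no ARP reply from:", ", ".join(unanswered))
```
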
 
 
Phil Thompson

 
      08-16-2005, 07:50 AM
On 15 Aug 2005 20:45:46 GMT, Paul Martin <(E-Mail Removed)> wrote:

>Nasty... a Signal-to-Noise Ratio shouldn't be negative (in decibels).
>That would mean that there's more noise than signal.


except the reported figures are almost invariably SNR *margin* defined
in the G.dmt standards as the SNR in excess of that required to give a
bit error rate of 1e-7.

So a -ve SNR margin can still run, with a higher error rate. Generally
speaking modems retrain when the SNR margin gets to zero.

Phil
--
Tiscali - dialup speeds at Broadband prices, see
http://bbs.adslguide.org.uk/postlist...&Board=tiscali

AOL - the unlimited ISP of choice for heavy downloaders.
 
 
Nix

 
      08-17-2005, 02:40 PM
On Mon, 15 Aug 2005, (E-Mail Removed) gibbered uncontrollably:
>> needs rebooting with a Perl script whenever the line
>> drops.

>
> I've heard that story before. It's one of those issues I just haven't
> seen...


It may be firmware-related or something: I last upgraded mine in late
2003, and since it now works (with Perl to help), I'm not going to
touch it.

--
`I work in computers so, of course, I'm an expert on everything.'
--- Simon Rumble
 