[ale] 10.1.10.1 Comcast access from local LAN? (Slightly OT BUT there is Ubuntu AND PI involved!)

Boris Borisov bugyatl at gmail.com
Fri Feb 5 15:54:50 EST 2021


Can you draw gif file of the network diagram with IPs showing. You
mentioned several real world IP addresses. This could help better
understanding.

Thanks.

You can substitute real IP with something else if you want.

On Fri, Feb 5, 2021, 14:03 Neal Rhodes via Ale <ale at ale.org> wrote:

> Thanks.  I forgot about NAT.  So the RV180 is doing NAT on.. everything
> that goes out the WAN port?   Which essentially means it changes the
> packet to say it's coming from its 50.248 address, but somehow remembers
> the local address to send the response.
>
> Would the RV180 be deciding NOT to do the NAT on something bound for
> 10.1 address?  Obviously the NAT is working for everything else.
>
> Maybe there is some packet capture on the Comcast router that will shed
> some light on that.   (ultimately, it always comes back to printf's in
> the kernel...)
>
>
> On 2021-02-05 11:20, Derek Atkins wrote:
> > Hi,
> >
> > Your ASCII art is hard to read, so I can't tell what's where.
> > But basically, no, what SHOULD be happening is that your RV180 would
> > NAT
> > your 192.168 network to its 50.248 address.  then it will send a
> > request
> > to 10.1 -- the DPC3939 might not allow that.
> >
> > I think it very unlikely that the Comcast device is seeing the packet
> > coming from 192.168.
> >
> > More likely it's blocking access from the 50.248 to the 10.1 address.
> >
> > Here's something to try:  Can you ADD a 10.1. address to the Comcast
> > side
> > of the RV180?  In other words, let it have the 50.248 address as the
> > default address, but also add a static address of 10.1.10.X?  And
> > ensure
> > it properly NAT's from 192.168 to 10.1.
>
> I only partially understand that.  You are saying can I compel the
> Comcast router to add an additional 10.1 address it listens on?
> Unsure.   And in fact would that address allow http login?
>
>
> >
> > -derek
> >
> >
> > On Fri, February 5, 2021 11:45 am, Neal Rhodes via Ale wrote:
> >> Our church has a Business Comcast DPC3939 connected to Our little
> >> Cisco
> >> RV 180 VPN.
> >>
> >> The Comcast has a local IP of 10.1.10.1, and the WAN Static Address of
> >> 50.248.230.105.
> >>
> >> Our Cisco router has a WAN address of 50.248.230.106, and it supports
> >> a
> >> 192.168.1.X network behind that, which is where everything on the LAN
> >> lives.
> >>
> >> INTERNET==>Comcast DPC3939 <===>Our Cisco RV180VPN<====Our 192.168.1.X LAN <==JackTrip Raspberry Pi Virtual Studio
> >>            50.248.230.105        50.248.230.106                              <== Everything else on the LAN
> >>            10.1.10.1
> >>               |== Ubuntu JackTrip Audio Server
> >>                   10.1.10.91
> >>                   Port Forwarding 4464, UDP 61002-62000
> >>
> >> We really need to do a couple of things:
> >> - our office administrators need to occasionally be able to http
> >> access
> >> the Comcast router from our 192.168.1.X LAN.  They cannot.  Any
> >> attempt
> >> times out.  (Fun fact: you CAN http to 50.248.230.105, and get a login
> >> response, BUT the correct userid/password will result in a Password
> >> failure.  It only allows login from the 10.1.10.1 address.)
> >> - we need for ME to be able to occasionally get an ssh session from
> >> an
> >> office PC TO the Ubuntu server.   Similar challenge I think.
> >> - The Raspberry Pi Virtual Studio box in the sanctuary needs to
> >> connect
> >> to the Ubuntu server on port 4464.   I think it can hit the external
> >> address of the Comcast router for that.   I've got that port
> >> forwarding
> >> all working now at home with a UVerse router.
> >>
> >> We can access the Comcast Router as http://10.1.10.1 IF we go
> >> downstairs
> >> to the furnace room and plug into the LAN ports on the DPC3939.  The
> >> PC
> >> will then get a 10.1.10.X address.
> >>
> >> Now, when I look at the DPC3939, I see no evidence that it has a
> >> static
> >> route for our LAN.  So, when someone on, say 192.168.1.145 puts
> >> 10.1.10.1 in their browser, the PC hands it to our Cisco router, it
> >> knows it's not on our LAN, so it hands it to its gateway: the DPC3939.
> >>
> >> And then I THINK the DPC3939 then says, "I don't know where to send
> >> 192.168.1.145" and so it times out.
> >>
> >> I THINK the Comcast router needs a static route that says 192.168.1.X
> >> is
> >> behind our Cisco router: 50.248.230.106.
> >>
> >> Am I thinking right?  I don't mind stuffing in the route myself, but I
> >> asked Comcast first, since it's their equipment.   Tier 1 said, "no
> >> that's not possible".  Tier 3 response was:
> >>
> >> 1- you need to know, in order for two local networks to communicate
> >> they have to be in the same lan scheme, either both 192.168.x.x or
> >> 10.1.x.x
> >>
> >> 2-  My suggestion is to change the local IP scheme for Comcast
> >> modem/router to match the other router
> >> 192.168.1.X
> >>
> >> 3- Make sure the IP scope of the modem is not conflicting with the
> >> other router.
> >>
> >> For example if the other router IP scope is from 192.168.1.1 to
> >> 192.168.1.100 then make the modem DHCP  192.168.1.101 to
> >> 192.168.1.200.
> >> Same lan scheme different IP scope to avoid future issues.
> >>
> >> The Tier 3 response sounds insane to me; if I'm on 192.168.1.145, and
> >> I
> >> want to send data to 192.168.1.4, my IP stack will just put it out on
> >> the LAN wire.   The Comcast router is never going to see that,  'cause
> >> it's connected to the WAN port on our router.    The only way my
> >> gateway
> >> would get involved is when a workstation knows that the destination is
> >> NOT on the local network, and hence the packet needs to get passed to
> >> the gateway.  The Tier 3 response also seems to open up all kinds of
> >> security issues if it in fact worked; then a compromise to anything on
> >> the Comcast side could easily bleed into our LAN.
> >>
> >> What is kinda weird to me is that at home this "just works".  I have
> >> an
> >> AT&T Uverse router which provides 192.168.1.X.  I have a Sonicwall VPN
> >> router plugged into that, which provides a LAN of 192.168.100.X.   The
> >> linux and PC devices are on the 100.X network.   There are a few
> >> expendable devices and IOT on the 1.1 network.    I can ssh and http
> >> from the 100.1 network to hosts on the 1.1 network; but of course they
> >> cannot go the other way.    I didn't do anything for this to happen.
> >> Did the routers exchange BGP and just figure that out?
> >>
> >> Regards,
> >>
> >> Neal Rhodes
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> https://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >>
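To make the routing and NAT argument in this thread concrete, here is an added example (not code from any poster) that models the four situations under discussion: the RV180 NATing to 50.248.230.106 as Derek describes, the no-NAT case Neal pictured (with and without a static route on the DPC3939), and Derek's suggestion of a second 10.1.10.x address on the RV180's Comcast side. It assumes the Comcast static block is 50.248.230.104/30, that 10.1.10.50 is the extra address, and that the DPC3939 only accepts admin logins from sources inside 10.1.10.0/24, as the "fun fact" in the thread suggests.

```python
import ipaddress

# Addresses quoted in the thread; the /30 block and 10.1.10.50 are assumed for the model
LAN_HOST   = "192.168.1.145"
RV180_WAN  = "50.248.230.106"
RV180_ALT  = "10.1.10.50"            # assumed: Derek's proposed extra 10.1.x address
DPC_LAN_IP = "10.1.10.1"
MGMT_NET   = ipaddress.ip_network("10.1.10.0/24")   # assumed admin-login source restriction

def longest_match(routes, dst):
    """Return the next hop of the most specific route containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), nh) for n, nh in routes if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def rv180_egress(src, dst, nat=True, alt_addr=None):
    """Source NAT at the RV180 WAN port. With alt_addr set, traffic bound for
    10.1.10.0/24 is translated to that address instead (Derek's suggestion).
    Returns the source address the DPC3939 will see."""
    if not nat:
        return src
    if alt_addr and ipaddress.ip_address(dst) in MGMT_NET:
        return alt_addr
    return RV180_WAN

def dpc3939_routes(static_route_to_lan=False):
    """Routing table of the Comcast box: connected networks plus a default to the Internet."""
    routes = [("10.1.10.0/24", "connected"),
              ("50.248.230.104/30", "connected"),   # assumed static block
              ("0.0.0.0/0", "internet")]
    if static_route_to_lan:
        routes.append(("192.168.1.0/24", RV180_WAN))  # the route Neal proposed adding
    return routes

def trace(nat=True, static_route=False, alt_addr=None):
    """Send LAN_HOST -> DPC_LAN_IP and report (reply_routable, mgmt_login_allowed)."""
    seen_src = rv180_egress(LAN_HOST, DPC_LAN_IP, nat, alt_addr)
    reply_next_hop = longest_match(dpc3939_routes(static_route), seen_src)
    # A reply that only matches the default route leaves for the Internet and is lost
    reply_routable = reply_next_hop in ("connected", RV180_WAN)
    mgmt_ok = ipaddress.ip_address(seen_src) in MGMT_NET
    return reply_routable, mgmt_ok

if __name__ == "__main__":
    print("NAT, no static route      :", trace())
    print("no NAT, no static route   :", trace(nat=False))
    print("no NAT, static route      :", trace(nat=False, static_route=True))
    print("NAT to extra 10.1.10 addr :", trace(alt_addr=RV180_ALT))
```

The first case returns a routable reply but a refused login, which is why a static route alone would not help if the RV180 is already NATing; only the last case presents a source the management interface accepts.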