[ale] So, who do we like for a new 4 port gigabit LAN/WAN Firewall Routers these days?

neal at mnopltd.com neal at mnopltd.com
Tue Feb 23 21:24:55 EST 2021


So, tonight's experiment at removing port triggering and doing port 
forwarding resulted in the exact same failure from the now unsupported 
Cisco router.   Running a traceroute to "progress.com" from the admin 
page results in:

progress.com: Temporary failure in name resolution
Cannot handle "host" cmdline arg `progress.com' on position 1 (argc 3)

which is interesting, as that error pops up in a lot of unix/linux 
versions.  Is the RV180vpn linux inside?

I've pretty well had it with Cisco, and this router.

WHO do we like for a well supported reliable gigabit firewall router 
with 1 WAN, 4-6 LAN ports, no WIFI needed?

Netgear seems to offer support for 90 days?  Does anyone actually stand 
behind their products?

Of course, I cannot rule out some garbling between the Cisco and the 
Comcast, although my memory is that our linux server directly on the 
Comcast LAN port has no DNS problems.

regards,

Neal



On 2021-02-22 21:12, neal at mnopltd.com wrote:
> Ok, replacement Cisco RV180VPN arrives from Ebay today.
> 
> Flash with latest firmware, load the config, and put it in.
> 
> aaaaaaaaaaaand, 20 minutes after starting the Jamulus client, it fails
> the same way.
> 
> So, the only thing interesting/unique about a Jamulus client on the
> LAN side is that it is sending data on UDP port 22124.  So, there is a
> Port Triggering rule on the Cisco.  Which means it is supposed to keep
> track of who opens this port outbound so it can match responses up
> when they come back?
> 
> IS IT POSSIBLE that Cisco failed to test this thoroughly?  And with a
> client beavering away sending constant compressed audio it overruns
> its internal data? Since this product is recently at End-of-Life we
> cannot ask Cisco.
> 
> Now, practically, there is only ONE client on the LAN side which is
> sending data on UDP port 22124: the one Jamulus PI box.  (remember? I
> said linux/Raspbian WAS involved)  Can't I logically remove the Port
> Triggering rule, and just Port Forward all UDP 22124 to the Jamulus PI
> box?  (which has a static DHCP address)
> 
> regards,
> 
> Neal
> 
> On 2021-02-16 10:21, neal at mnopltd.com wrote:
>> Subsequent failure last night looks like the Cisco Router crapped in
>> its own nest.
>> 
>> From the router itself:
>> 
>> traceroute to 75.75.76.76 (75.75.76.76), 10 hops max, 40 byte packets
>>  1  * * *
>>  2  * * *
>>  3  * * *
>>  4  * * *
>>  5  * * *
>>  6  * * *
>>  7  * * *
>>  8  * * *
>>  9  * * *
>> 10  * * *
>> 
>> From a PC trying to access other DNS servers:
>> 
>> PS C:\Users\sanctuary> nslookup - 1.1.1.1
>> DNS request timed out.
>>     timeout was 2 seconds.
>> Default Server:  UnKnown
>> Address:  1.1.1.1
>> 
>> PS C:\Users\sanctuary> nslookup - 208.67.222.222
>> DNS request timed out.
>>     timeout was 2 seconds.
>> Default Server:  UnKnown
>> Address:  208.67.222.222
>> 
>> Trying traceroute on cisco after reboot (jamulus was still running):
>> progress.com: Temporary failure in name resolution
>> Cannot handle "host" cmdline arg `progress.com' on position 1 (argc 3)
>> 
>> 2nd reboot after shutting off Jamulus and it is ok.
>> 
>> So it sure looks to me like the NAT code in the router is garbled
>> under this load.
>> 
>> Hopefully replacement router showing up today and we'll flash latest 
>> firmware.
>> 
>> 
>> On 2021-02-14 06:16, Neal Rhodes via Ale wrote:
>>> That's a great idea, at least for diagnosis, since I can cause this
>>> failure any evening I want.
>>> 
>>> I can at least force an nslookup on a PC to use those and see if it
>>> works or not.
>>> 
>>> One really really weird thing: I noticed three warnings in the Cisco
>>> logs maybe-about the time of failure complaining that IPV6 was not
>>> configured.  Which it is not.  Ever.   Did the Cisco get a wild hare
>>> and decide to NAT all the DNS traffic through IPV6?
>>> 
>>> Thanks and regards,
>>> 
>>> Neal
>>> 
>>>> Have you tried using another public DNS service instead of Comcast?
>>>> I’ve found Comcast DNS to be extremely unreliable and I use a
>>>> combination of OpenDNS (208.67.222.222 and 208.67.220.220) and
>>>> Cloudflare (1.1.1.1 and 1.0.0.1).  I’ve heard others use Google or
>>>> Comodo.   All of these are publicly available.
>>>> 
>>>> Ray
>>> 
>>> On 2021-02-13 21:59, Raylynn Knight wrote:
>>>>> On Feb 13, 2021, at 2:37 PM, Neal Rhodes via Ale <ale at ale.org> 
>>>>> wrote:
>>>>> 
>>>>> I will apologize in advance for not taking some of the advice given 
>>>>> on our church WAN/LAN regarding making 10.1.10.X see 192.168.x.x.
>>>>> 
>>>>> The stock small business Comcast router setup is what they call 
>>>>> "virtual bridge mode", meaning no firewall, and being a hybrid 
>>>>> voice/data configuration any significant changes risks bringing the 
>>>>> whole house down.  With no support from them to get it back up.
>>>>> 
>>>>> I have the access we need working, retaining our Ubuntu audio 
>>>>> server on the comcast side, and letting our cisco router act as 
>>>>> firewall, and I haven't brought down questions about murky security 
>>>>> issues. yet.
>>>>> 
>>>>> BUT this has to be one for the record books... Configuration:
>>>>> 
>>>>> Comcast Router <==> Cisco RV180vpn Router <==> 192.168.x.x: Virtual 
>>>>> Studio/Jambox
>>>>> +Ubuntu Jack/Jamulus
>>>>> 
>>>>> Comcast router, with Ubuntu server running Jacktrip and Jamulus.  
>>>>> Normal Comcast 10.X.X.X network.
>>>>> 
>>>>> Cisco Router providing 192.168.x.x LAN behind it.
>>>>> 
>>>>> Now comes the weird part... outside VS boxes can hit the Jacktrip 
>>>>> or Jamulus all day, for hours, no problem. JackTrip uses TCP port 
>>>>> 4464, and UDP 51002-62000.   Jamulus just uses UDP 22124.   Once 
>>>>> fired up, these are wailing away sending either uncompressed 
>>>>> (jacktrip) or compressed (Jamulus) audio.
>>>>> 
>>>>> BUT, fire up the VS box on the LAN, connecting to the Jacktrip or 
>>>>> Jamulus server sitting on the Comcast box, and within 2 hours 
>>>>> NOTHING on the LAN will be able to get DNS service.   Not 
>>>>> immediately, but within 2 hours.   The Cisco box doesn't fake DNS; 
>>>>> it tells clients to hit 75.75.75.75, or 75.75.76.76, the standard 
>>>>> Comcast ports.   The DNS failure is visible both in the Cisco 
>>>>> router's Diagnostic tools, AND from a browser, AND from nslookup on 
>>>>> a PC.  The Ubuntu box outside the LAN continues to have normal DNS 
>>>>> responses.
>>>>> 
>>>>> We can still PING external hosts we have an IP address for.    I 
>>>>> was able to ping my house router.
>>>>> 
>>>>> This has happened three different days, and in each instance, a 
>>>>> simple reboot of the Cisco router has resolved it for days.   Until 
>>>>> Virtual Studio or Jambox is started again.   Today, being Saturday, 
>>>>> there was NO activity besides me.
>>>>> 
>>>>> And on Sundays, we have been streaming video without incident.
>>>>> 
>>>>> The Cisco RV180VPN is in fact not running latest firmware.  I have 
>>>>> another coming (I hope) on Ebay and will flash that with latest and 
>>>>> try it.  Beyond that,  what?   I guess we could buy a brand new 
>>>>> router with current support...
>>>>> 
>>>>> From a local PC: nslookup
>>>>> DNS request timed out.
>>>>>    timeout was 2 seconds.
>>>>> Default Server:  UnKnown
>>>>> Address:  75.75.75.75
>>>>> 
>>>>>> google.com
>>>>> Server:  UnKnown
>>>>> Address:  75.75.75.75
>>>>> 
>>>>> DNS request timed out.
>>>>>    timeout was 2 seconds.
>>>>> DNS request timed out.
>>>>>    timeout was 2 seconds.
>>>>> DNS request timed out.
>>>>>    timeout was 2 seconds.
>>>>> DNS request timed out.
>>>>>    timeout was 2 seconds.
>>>>> *** Request to UnKnown timed-out
>>>>> 
>>>>> I also tried nslookup - 75.75.76.76 with identical results.
>>>>> 
>>>>> My wife suggested I should run a traceroute to the DNS server when 
>>>>> it's working, and then again when it fails.  I should listen to her 
>>>>> more often.
>>>>> 
>>> 
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
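
Added example, not part of the thread or any poster's own tooling: a probe run from a LAN host that sends one UDP DNS query to each resolver named in the thread and logs whether it met silence, a bad reply, or an answer, so the onset of the failure can be timestamped against when the Jamulus client was started. The function names and the 60-second interval are assumptions of this example.

```python
import secrets
import socket
import struct
import time

# Resolvers quoted in the thread: Comcast, Cloudflare, OpenDNS.
RESOLVERS = ["75.75.75.75", "75.75.76.76", "1.1.1.1", "208.67.222.222"]

def build_query(name, txid):
    """Return a minimal DNS query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, txid):
    """Interpret a reply's 12-byte header without trusting its contents."""
    if len(reply) < 12:
        return "short"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        return "mismatch"  # wrong transaction ID, or not a response at all
    rcode = flags & 0x000F
    return "rcode=%d" % rcode if rcode else "ok answers=%d" % ancount

def probe(server, name="progress.com", timeout=2.0, port=53):
    """Send one UDP query; tell silence apart from a bad or good reply."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, port))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"  # what nslookup reported in the thread
        except OSError as exc:
            return "error: %s" % exc
    return classify(reply, txid)

def watch(interval=60):  # interval is an assumed value
    """Log one line per resolver per interval until interrupted."""
    while True:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for server in RESOLVERS:
            print(stamp, server, probe(server), flush=True)
        time.sleep(interval)

if __name__ == "__main__":
    watch()
```

If every resolver flips to timeout at the same moment while pings to known IP addresses still succeed, the fault is in how UDP port 53 is handled on the path through the router rather than in any one DNS provider.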

