Monday, July 28, 2014

Tech Challenge of the Day

I'm trying to learn some Linux, so I've got Ubuntu installed on an old Dell Mini 10v. That seems to be working well.

The problem is trying to get SSH access over the internet to it. I've got a Comcast/Xfinity SMCD3GNV (Cable modem, wireless access point, router, phone) along with the Asus RT-N66U wireless router. The SMCD3GNV has the public IP on the WAN interface and a LAN interface IP of 10.0.0.1. I can log in to it and make changes.

My RT-N66U gets a 10.0.0.2 address from the SMCD3GNV on its WAN port. I've got it configured to have the 192.168.1.1 address on the LAN interface. My clients connect to the RT-N66U - including the Ubuntu box.

I've done some research and apparently I want my SMCD3GNV to be in bridge mode. I called Comcast and they said they put it in bridge mode. I'm not convinced it is actually in bridge mode. When they put it in bridge mode, the WiFi light should stay off according to one article I read. Unfortunately, it occasionally blinks and the admin web page has an icon that is green, but the mouse-over says "Status: Not Connected ; 0 computers connected."



I've tried all sorts of tom-foolery with the port forwarding, DMZ, static addresses, etc. I've tried to take the Asus out of the mix by plugging the Ubuntu box into the SMCD3GNV and enabling port forwarding to it. Still no joy.

Per this post, if you go into debug mode and enter this: $("#pageForm1").show(); at the console, you can see the Bridge Mode button.


I was going to work on it some more last night, but the storms knocked our cable out. It just was not meant to be. Maybe today or tomorrow or the next day...
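The double-NAT layout described in the post, modelled as an added example (not part of the original post or its comments). It checks whether a router's WAN address shows the upstream gateway is still routing, and traces an inbound SSH connection through both devices' forwarding rules; the public IP and the Ubuntu box's LAN address are constructed placeholders.

```python
import ipaddress

# Address blocks that are never a routable public address on a home WAN port.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
)]

def wan_is_behind_nat(wan_ip):
    """True if a router's WAN address sits behind another NAT (upstream not bridged)."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_PUBLIC)

def trace_inbound(hops, port):
    """Follow an inbound TCP connection through NAT devices, Internet edge first.

    Each hop is {"name", "wan", "forwards": {ext_port: (lan_ip, lan_port)}}.
    Returns (final_ip, final_port, log); final_ip is None if the packet is dropped.
    """
    log = []
    dst_ip, dst_port = hops[0]["wan"], port
    for hop in hops:
        if dst_ip != hop["wan"]:
            log.append(f"{hop['name']}: nothing addressed to it ({dst_ip} is not its WAN)")
            return None, None, log
        rule = hop["forwards"].get(dst_port)
        if rule is None:
            log.append(f"{hop['name']}: no forward for port {dst_port}, dropped")
            return None, None, log
        dst_ip, dst_port = rule
        log.append(f"{hop['name']}: forwarded to {dst_ip}:{dst_port}")
    return dst_ip, dst_port, log

PUBLIC_IP = "203.0.113.10"   # constructed (documentation range)
UBUNTU = "192.168.1.50"      # constructed LAN address for the Ubuntu box

def chain(gateway_rules, asus_rules):
    """The post's topology: SMCD3GNV at the edge, RT-N66U WAN at 10.0.0.2."""
    return [{"name": "SMCD3GNV", "wan": PUBLIC_IP, "forwards": gateway_rules},
            {"name": "RT-N66U", "wan": "10.0.0.2", "forwards": asus_rules}]

if __name__ == "__main__":
    print(wan_is_behind_nat("10.0.0.2"))  # the RT-N66U's WAN address from the post
    # Forward only on the inner router: the edge device drops the connection.
    print(trace_inbound(chain({}, {2222: (UBUNTU, 22)}), 2222)[2])
    # Forward on both devices: the connection reaches sshd.
    both = chain({2222: ("10.0.0.2", 2222)}, {2222: (UBUNTU, 22)})
    print(trace_inbound(both, 2222)[2])
```

With the gateway genuinely bridged, the chain collapses to a single hop whose WAN address is the public one, and only the RT-N66U's forward matters.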

17 comments:

  1. Have you tried any other services through the SMCD3GNV? Some providers block common services inbound to your connection. See if you can get SSH up and running on a different port on Ubuntu. And, I hate to ask, but can you SSH into it from another computer on the same side of the router?

    1. I've not tried moving it to a different port. I'll have to give that a whirl.

      I can SSH to it all day long from inside the network. (And no worries about asking anything that might help me get this working.)

    2. I'll keep thinking on it today, although I have a final team paper due tonight for ALGORITHMS AND LOGIC FOR COMPUTER PROGRAMMING. Fun Fun Fun. Optimum out here doesn't force the router-from-hell on us thank god, but Verizon does. I was able to work with the Verizon provided box when I had that though. We switched back to cable after Sandy. Verizon actually weathered the storm, only to be ripped literally right out of the side of the house by a bucket truck three days after power came back. They told me that there were no service trucks in the area and it would take 3 weeks even though the trucks were all up the road at a bagel place. Bye bye.

    3. three *weeks* I meant. I'm sounding like a whining, privileged, hurricane insensitive douche.

    4. Good luck on your paper! And thanks for the help.

  2. Yep, try moving the port that SSH will listen on. It is highly likely that your ISP blocks traffic to its subscribers on port 22. Also check your /etc/hosts.deny.

    1. I also just re-read your post and realized that you are doing NAT twice (double NAT). That is likely going to be a problem. You should only NAT between public and private at your Internet edge device. You're doing it at the SMCD3GNV and then again at the RT-N66U. I highly recommend picking a single place to do network services like stateful firewall and NAT. http://www.practicallynetworked.com/networking/fixing_double_nat.htm

    2. I know that's, let's say, sub-optimal. ;)

      I have tested without the Asus, so that the Ubuntu device is connected only to the SMCD3GNV. I tried putting it in the DMZ and with just the port forwarding configured. No luck either way.

      I will try the different port to see what happens, but the article you link suggests bridge mode or the double-port forwarding/DMZ. Maybe I need to try calling Comcast again about the bridge mode. I can't find any documentation, but I assume in bridge mode, I would see the public IP on my WAN port on the Asus if it was actually working.

  3. Agree w/double NAT being a problem. On Charter we have the option of having our own modems, so I do. The modem hands the public IP off to the router, so I can do my own thing. I've fought DSL routers and often lose due to the way the telco has them locked down. Good luck.

    1. Thanks. It's always these things that should be easy that turn into a multi-hour troubleshooting exercise that drive me batty.

  4. No luck with using a different port. Tried 2222 forwarded to 22 over the double-NAT. Tried 2222 forwarded to 2222 over the double-NAT. I've not physically connected the Ubuntu box back to the SMCD3GNV to eliminate the double-NAT, so maybe tomorrow I'll try that. I did send a message to a Comcast employee who has been helping people out on the forums to see if he could change mine to bridge mode - which I think is the best solution.

  5. Your modem in bridge mode is way your best option, that way you have no double NAT (which s*cks) and you can control everything on your own router (which gets the public IP from your provider, since the modem is just a modem and no router anymore). This is how I do it here in the Netherlands and all works great. SSH is not blocked, HTTP(S) is not blocked (and I do SSH over 443 as a backup if my client blocks it, LOL!), only SMTP incoming is blocked (for anti-SPAM reasons, which I can live with).

  6. I chatted with a Comcast tech again today to see if he could put it into bridge mode. I'm at the office, so I can't verify, but he promises it really, really, really is in bridge mode this time. I didn't want to insult him, but I saw this and asked him to verify everything was done.

    You need to have them go into the Arris management page and then go to Advanced (requires password of the day) --> MSO features --> then

    Bridge Mode -- Enabled
    Wifi - Disable
    LAN DHCP - Disable

    Apparently, there is a GUI that doesn't do all the steps, but this Arris page does.

    I'll have to find out this evening when I get home.

  7. They need to put a physical toggle switch on these things:

    Mode A: Normal Mode - NAT, DHCP server, WiFi on with WPA2 and the password is the serial number on the bottom, etc.
    Mode B: Expert Mode - Bridged, no WiFi, no DHCP, no nada.

    If you're in B mode, you get no tech support. (Experts who suspect hardware failure or circuit outages can switch to A for testing)

    1. I like that idea. Of course, if the software switch in the web admin page worked, that would be okay, too.

  8. Well, as of yesterday I'm in bridge mode. Still can't get the port forwarding to work. For the moment, I've punted on port forwarding and am working on doing a VPN connection. I can connect using the VPN, but can only get to the Asus router itself. This is a lot easier with business/enterprise class circuits and hardware.

    1. I lied... I can get to my printer. Still can't get to SSH on the Ubuntu box over the VPN. Can't even ping the box on its wifi or wired interfaces. So now I need to look at the Ubuntu box to see what security voodoo, I mean, setting is causing the problem.
