Re: [gentoo-user] [OT] router woes
On Wed. 29 Mar 05:02:16 2017, Jorge Almeida wrote:
> BTW, I've been using dnscache (from djbdns) for years. I suppose that
> protects against spoofing?

It depends on what you want to protect against. DNS is an all-clear protocol, it’s easy to modify packets. Plus, DNSSEC deployment is too low, and even with DNSSEC, you have to validate locally. It’s just more difficult for the ISP to spoof DNS packets than to make their resolver lie.

-- 
alarig
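As an added illustration (not part of alarig's reply, and not code from djbdns), the "validate locally" point is visible in the DNS header itself: a validating resolver sets the AD (Authenticated Data) flag in its answer, but that flag travels in the same cleartext UDP packet as everything else, so it only tells you something when the resolver that set it runs on your own machine. The header bytes below are constructed, not captured traffic; `resolver_is_local` is an assumed input describing your own setup, and `validation_status` is a name chosen for this example.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1; AD and CD bits from RFC 4035):
#   ID(16) | QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(1) AD(1) CD(1) RCODE(4)
#   | QDCOUNT(16) | ANCOUNT(16) | NSCOUNT(16) | ARCOUNT(16)
HEADER_LEN = 12


def parse_dns_header(data: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired
        "ra": bool(flags & 0x0080),        # recursion available
        "ad": bool(flags & 0x0020),        # authenticated data (DNSSEC validated)
        "cd": bool(flags & 0x0010),        # checking disabled
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident, *, qr=True, rd=True, ra=True, ad=False, cd=False,
                 rcode=0, qd=1, an=1) -> bytes:
    """Constructed header bytes for the example; not captured traffic."""
    flags = (qr << 15) | (rd << 8) | (ra << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qd, an, 0, 0)


def validation_status(data: bytes, resolver_is_local: bool) -> str:
    """What the AD/CD bits mean, given where the resolver that set them runs.

    resolver_is_local is an assumption supplied by the caller: True when the
    answer came from a validating resolver on this host (or a trusted LAN box),
    False when it came over the wire from the ISP's resolver.
    """
    h = parse_dns_header(data)
    if not h["qr"]:
        return "not a response"
    if h["cd"]:
        return "checking disabled: validation was explicitly turned off"
    if not h["ad"]:
        return "unvalidated: resolver did not assert DNSSEC validation"
    if not resolver_is_local:
        # The bit is just one bit in a cleartext packet; anyone who can rewrite
        # the answer can set it too. It only carries weight from a local validator.
        return "AD set by a remote resolver over cleartext; the flag itself is not authenticated"
    return "validated locally"


if __name__ == "__main__":
    for local in (True, False):
        for ad in (True, False):
            hdr = build_header(0x1234, ad=ad)
            print(f"local={local} ad={ad}: {validation_status(hdr, local)}")
```

The takeaway matches the reply above: a forwarding-only cache such as dnscache passes answers through unchanged, so it neither adds nor verifies the AD bit; only a validator on your side of the wire turns DNSSEC into protection against a lying upstream.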
Re: [gentoo-user] [OT] router woes
On Wed, Mar 29, 2017 at 1:59 AM, Adam Carter wrote:
> On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida wrote:
>
> The next hop after the ISP supplied router is another piece of the ISPs
> network equipment, so the ISP access to your data is equivalent, since the
> geography is not important. I dont think Netgear is any less trustworthy
> than TP-link or whatever. Here the trust is probably more about reliability
> of the device than data privacy. Probably being too paranoid.

The difference between Netgear and TP-link is not about which company is less trustworthy. The point is that the Netgear belongs to the ISP, whereas the TP-link belongs to me and its crappy firmware (crappy interface, at least) can be replaced by dd-wrt.

>> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
>> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
>> The power consumption is about 4.5w, which seems a bit flimsy.
>> Or maybe the primary router is throttling speed when in bridge mode? Is
>> this possible at all? (And if so, what could be the purpose of such
>> measure? *spooky*)
>
> Does ifconfig show any interface errors?
>
> You can probably setup PPPoA, or whatever is required, on your Gentoo box to
> bring the service up instead of the TP-link, and test the bridge mode
> throughput. This also means you can have maximum flexibility since Gentoo
> will do all the interesting network stuff. However, unless you wanted to do
> that as a learning exercise its probably a waste of time and effort.
>
> Does TPlink provide any performance stats?

I already found that the TP-Link router is the culprit, due to low processing power; Netgear is innocent.

regards

Jorge Almeida
Re: [gentoo-user] [OT] router woes
On Wed, Mar 29, 2017 at 12:47 AM, Mick wrote:
> On Tuesday 28 Mar 2017 22:52:25 Jorge Almeida wrote:
>
> Many ISPs today implement TR-069 (a standard of the DSL forum) to access
> customer equipment remotely for service provisioning. They use configuration
> servers to implement management access to *their* routers and update
> firmware/software, reset the configuration to defaults, or more secure
> settings.
>
> http://www.broadband-forum.org/technical/download/TR-069.pdf
>
> This also allows them to undertake status and performance monitoring and run
> some diagnostics tests to manage their customers' complaints.
>
> The extent to which all this also allows spying on your connections is
> debatable, but if they have access to your DNS resolver, I guess they can
> route your queries on the fly, wherever they like.

Spying on packets is probably something they'll be able to do if they want to. Infiltrating the home network is what I find spooky. No one seems to talk about it, maybe I'm missing something that is obvious for more knowledgeable people.

BTW, I've been using dnscache (from djbdns) for years. I suppose that protects against spoofing?

Regards

Jorge
Re: [gentoo-user] [OT] router woes
On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick wrote:
> On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
>
> It's more a privacy issue than security for me. I have a similar setup
> with a virgin cable router, which I set to what they call modem mode,
> where only one of the ports works and connects to my router. The one time
> I ran tech support they were able to see that I was using it this way and
> even reset the modem for me. I suppose it makes life easier for them and
> their typical customers, but it was a little unnerving.

The ISP provided router is officially managed (whatever this means) by them. As to privacy, I know a packet is visible once it leaves the router via the WAN port. What I worry a bit about is the possibility of foul play towards the home network. The computers are firewalled via iptables, but accept connections from 192.168. What prevents a hacked router from impersonating a local origin?

J.A.
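The question above has a concrete answer for the firewall part: nothing stops a compromised gateway from using a 192.168.x.x address, because it genuinely has one, so a rule that accepts anything from 192.168/16 trusts the router as much as the other PC. What a host firewall can do is narrow that trust to named hosts, the interface they actually sit behind and the ports that are needed, and leave authentication to the service (SSH keys, TLS). The small first-match rule evaluator below is an added example, not Jorge's iptables rules and not iptables itself; the host addresses, interface name and the two policies are assumed for illustration, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IPv4 address as seen on the wire
    dport: int      # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None   # None matches any interface (like omitting -i)
    src: Optional[str] = None        # CIDR; None matches any source (like omitting -s)
    dport: Optional[int] = None      # None matches any port (like omitting --dport)

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(chain, policy: str, p: Packet) -> str:
    """First matching rule wins; fall back to the chain policy, as iptables does."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


# Loose policy, as described in the thread: anything claiming a 192.168 source is accepted.
LOOSE = [Rule("ACCEPT", src="192.168.0.0/16")]

# Tighter policy (assumed layout: PCs at 192.168.1.10 and .11 on eth0, gateway at 192.168.1.1):
# only the named hosts, only on the LAN interface, only the port that is actually needed.
# The gateway's own address gets no service access, and an explicit DROP makes the
# rejection of every other "local" claimant visible in logs if you add logging.
TIGHT = [
    Rule("ACCEPT", in_iface="eth0", src="192.168.1.10/32", dport=22),
    Rule("ACCEPT", in_iface="eth0", src="192.168.1.11/32", dport=22),
    Rule("DROP", src="192.168.0.0/16"),
]

# Constructed packets for the comparison.
SAMPLE = [
    Packet("eth0", "192.168.1.10", 22),   # the other PC, SSH
    Packet("eth0", "192.168.1.1", 22),    # the router's own LAN address, SSH
    Packet("eth0", "192.168.1.10", 445),  # trusted host, but a service nobody needs
    Packet("eth0", "203.0.113.5", 22),    # non-local source forwarded by the router
]


def compare(packets=SAMPLE):
    """Return (packet, verdict under LOOSE, verdict under TIGHT) for each packet."""
    return [(p, evaluate(LOOSE, "DROP", p), evaluate(TIGHT, "DROP", p)) for p in packets]


if __name__ == "__main__":
    for p, loose, tight in compare():
        print(f"{p.in_iface} {p.src:>14} -> :{p.dport:<4} loose={loose:6} tight={tight}")
```

The residual risk is the one the question points at: a gateway that forges the other PC's source address on the same segment still matches the tight rules, because a source address is a claim, not an identity. That is why the example also shrinks the set of listening ports; each service it leaves reachable must authenticate its peers itself.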
Re: [gentoo-user] [OT] router woes
On Wednesday 29 Mar 2017 19:59:18 Adam Carter wrote:
> On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida wrote:
> > Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> > WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> > The power consumption is about 4.5w, which seems a bit flimsy.
> > Or maybe the primary router is throttling speed when in bridge mode? Is
> > this possible at all? (And if so, what could be the purpose of such
> > measure? *spooky*)
>
> Does ifconfig show any interface errors?

Also check output from dmesg, ethtool, mii-tool to confirm if the link is negotiated as 1Gbps half or full duplex when you connect your PC to the router, as opposed to when you connect directly to the modem.

BTW, even as full duplex, a 100Mbps connection will give you a throughput < 100Mbps no matter how enthusiastic it is. For example, on my home network (100baseT switch) on a full duplex link:

$ dmesg | grep duplex
[   19.420820] tg3 :0b:00.0 enp11s0: Link is up at 100 Mbps, full duplex
...

I never see more than 96Mbps data throughput.

-- 
Regards,
Mick
Re: [gentoo-user] [OT] router woes
On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida wrote:
> I have net by cable with nominal speed 200Mbps. The ISP provides a
> modem/router Netgear (from Numericable). I disabled the WiFi and I
> have 2 computers connected via ethernet to the router. The speed is
> about 156Mbps (measured by http://www.speedtest.net), which seems to
> be what to expect.
>
> Now, having a device provided by the ISP to act as router seems to be
> good for people who trust both the ISP and the manufacturer. (Please
> comment if I'm being too paranoid.)

The next hop after the ISP supplied router is another piece of the ISP's network equipment, so the ISP's access to your data is equivalent, since the geography is not important. I don't think Netgear is any less trustworthy than TP-link or whatever. Here the trust is probably more about reliability of the device than data privacy. Probably being too paranoid.

> So, I setup the router to work in bridge mode and connected one of the
> 4 lan ports to the Wan port of a secondary router TP-link (Archer
> C1200, Wireless dual band gigabit). It is supposed to comply with
> 802.11b/g/n 2.4GHz and 802.11a/n/ac 5GHz. Not that this matters per
> se, as I disabled the WiFi.
>
> The point is: I connected the computers to the lan ports of my
> secondary router (with original firmware, but I intended to install
> ddwrt), and the setup works, except that the speed never reaches
> 100Mbps.

Ok so I think you've downgraded your performance without any real change in security.

> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)

Does ifconfig show any interface errors?

You can probably setup PPPoA, or whatever is required, on your Gentoo box to bring the service up instead of the TP-link, and test the bridge mode throughput. This also means you can have maximum flexibility since Gentoo will do all the interesting network stuff. However, unless you wanted to do that as a learning exercise it's probably a waste of time and effort.

Does TPlink provide any performance stats?
Re: [gentoo-user] [OT] router woes
On Wednesday 29 Mar 2017 08:45:33 Neil Bothwick wrote:
> On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
> > PS. I still would like to know what people in this list think about
> > having an ISP managed device as router, re security. Not that I have
> > any real option if I want the contracted speed...
>
> It's more a privacy issue than security for me. I have a similar setup
> with a virgin cable router, which I set to what they call modem mode,
> where only one of the ports works and connects to my router. The one time
> I ran tech support they were able to see that I was using it this way and
> even reset the modem for me. I suppose it makes life easier for them and
> their typical customers, but it was a little unnerving.

Perhaps your 'modem mode' is a half-bridge set up with a public IP address and they can still access it via WAN? Bear in mind the TR-069 daemons may still be running no matter how you set up the router, unless you stop them manually. I have a Huawei which I use in a fully bridged mode as a modem and have to stop such services manually on every reboot, after I log into it with SSH.

-- 
Regards,
Mick
Re: [gentoo-user] [OT] router woes
On Tue. 28 Mar 22:52:25 2017, Jorge Almeida wrote:
> I've been using an RT-N16 for years, and it still works fine. They
> don't advertise big speeds and I understood it doesn't have the CPU
> power to cope. I assumed a new generation router would do the job. Big
> mistake.

I have 1G fiber at home, I kept the provided ONT, plugged the RJ-45 cable into an APU, and I can use the whole downlink. For the Wi-Fi, I have an old WRT54G (bridged), I didn’t test the bandwidth but I don’t expect so much.

-- 
alarig
Re: [gentoo-user] [OT] router woes
On Tuesday 28 Mar 2017 22:52:25 Jorge Almeida wrote:
> PS. I still would like to know what people in this list think about
> having an ISP managed device as router, re security. Not that I have
> any real option if I want the contracted speed...

Many ISPs today implement TR-069 (a standard of the DSL forum) to access customer equipment remotely for service provisioning. They use configuration servers to implement management access to *their* routers and update firmware/software, reset the configuration to defaults, or more secure settings.

http://www.broadband-forum.org/technical/download/TR-069.pdf

This also allows them to undertake status and performance monitoring and run some diagnostic tests to manage their customers' complaints.

The extent to which all this also allows spying on your connections is debatable, but if they have access to your DNS resolver, I guess they can route your queries on the fly, wherever they like.

-- 
Regards,
Mick
Re: [gentoo-user] [OT] router woes
On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
> PS. I still would like to know what people in this list think about
> having an ISP managed device as router, re security. Not that I have
> any real option if I want the contracted speed...

It's more a privacy issue than security for me. I have a similar setup with a virgin cable router, which I set to what they call modem mode, where only one of the ports works and connects to my router. The one time I ran tech support they were able to see that I was using it this way and even reset the modem for me. I suppose it makes life easier for them and their typical customers, but it was a little unnerving.

-- 
Neil Bothwick

One of the nice things about standards is that there are so many of them.
Re: [gentoo-user] [OT] router woes
On Tue, Mar 28, 2017 at 9:10 PM, Daniel Frey wrote:
> On 03/28/2017 01:19 PM, Jorge Almeida wrote:
>> The point is: I connected the computers to the lan ports of my
>> secondary router (with original firmware, but I intended to install
>> ddwrt), and the setup works, except that the speed never reaches
>> 100Mbps.
>
> This is not unusual, the speeds they advertise are device to device
> (i.e. switched, not routed.)

That explains it, then. Misleading publicity... I should have asked here before buying...

> As Mick mentioned, a lot of the all-in-ones don't have enough CPU
> available to route at those speeds. Some of them do come with hardware
> offloading, thus taking it off the main CPU but that itself doesn't mean
> it is able to route at port speed.
>
> I have the same problem, I had an old RT-N16. It finally crapped out and

I've been using an RT-N16 for years, and it still works fine. They don't advertise big speeds and I understood it doesn't have the CPU power to cope. I assumed a new generation router would do the job. Big mistake.

I already checked that the ISP/Netgear router is not to blame: connecting to a single computer in bridge mode yields about 150Mbps.

Thanks

Jorge

PS. I still would like to know what people in this list think about having an ISP managed device as router, re security. Not that I have any real option if I want the contracted speed...
Re: [gentoo-user] [OT] router woes
On 03/28/2017 01:19 PM, Jorge Almeida wrote:
> The point is: I connected the computers to the lan ports of my
> secondary router (with original firmware, but I intended to install
> ddwrt), and the setup works, except that the speed never reaches
> 100Mbps.

This is not unusual, the speeds they advertise are device to device (i.e. switched, not routed.)

> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)

As Mick mentioned, a lot of the all-in-ones don't have enough CPU available to route at those speeds. Some of them do come with hardware offloading, thus taking it off the main CPU, but that itself doesn't mean it is able to route at port speed.

I have the same problem, I had an old RT-N16. It finally crapped out and I have read many stories about these $200 all-in-ones that can't actually fully route at 100 mbit+ speeds. Some of the newer hardware revisions can with hardware offloading.

For myself, as fibre is coming to my home sometime this year (I'm looking forward to symmetrical 150mbit at $85/month) I'm probably going to get an Ubiquiti Edgerouter and AP, and perhaps even a small managed switch. The middle grade Edgerouters have been tested to actually route at near gigabit speeds.

The problem with my solution is cost, it'll probably be 2-3x higher than the high-end all-in-ones. But at least if a component fails or gets outdated, I can replace one thing at a time. Thinking mainly of wifi technologies changing.

Dan
Re: [gentoo-user] [OT] router woes
On Tuesday 28 Mar 2017 23:00:12 Alarig Le Lay wrote:
> On Tue. 28 Mar 21:19:29 2017, Jorge Almeida wrote:
> > Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> > WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> > The power consumption is about 4.5w, which seems a bit flimsy.
> > Or maybe the primary router is throttling speed when in bridge mode? Is
> > this possible at all? (And if so, what could be the purpose of such
> > measure? *spooky*)
>
> You will never reach 1300Mbps on Wi-Fi, it’s some commercial bullshit.
> First of all, check if you have a gigabit switch on your TP-link, it’s
> not impossible to have a 100M one. And, if you have a gig switch, use an
> RJ45 cable, the only cheap and efficient medium if you need bandwidth and
> latency.

As Alarig says, 802.11ac rarely sees more than 200Mbps in real life, over short distances, with no interference and only a single client connected. Through walls you're better off with 2.4GHz.

Assuming the switch ports on the router are 1Gbps, check on the PCs and on the router that it is operating in Full Duplex mode, both on the bridged modem side and on the PC side. Replace the Cat5e cables if it is not and try again.

Finally, I have experienced some domestic routers being brought to their knees at high throughput. Their SoC does not have the capability to process packets through the firewall and perform routing without becoming the bottleneck in the network. Both throughput and latency increase in these cases. The only solution is to buy better quality hardware.

-- 
Regards,
Mick
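Mick's advice here and in his later reply (check dmesg, ethtool or mii-tool for the negotiated speed and duplex before blaming the router) is the kind of thing worth scripting once, because a 100 Mbps or half-duplex negotiation on one port quietly caps the whole path the way he describes. The parser below is an added example, not from anyone in the thread; the sample lines are constructed in the style of a few common Linux NIC drivers' link-up messages (the formats vary by driver and kernel version, so treat the regex as a starting point), and it flags any interface that negotiated below gigabit or at half duplex.

```python
import re

# Constructed sample lines, written in the style of dmesg output from the tg3,
# e1000e and r8169 drivers; the PCI addresses and interface names are made up.
SAMPLE_LINES = [
    "[   19.420820] tg3 0000:0b:00.0 enp11s0: Link is up at 100 Mbps, full duplex",
    "[   21.101337] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx",
    "[   23.555001] r8169 0000:02:00.0 eth1: Link is Up - 100Mbps/Half - flow control off",
    "[   25.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

# Matches "<iface>: [NIC ]Link is Up[ at| -] <speed> <G|M>bps[,|/] <Full|Half>" across the
# three styles above. Driver messages differ, so extend this if yours is not matched.
LINK_RE = re.compile(
    r"(?P<iface>[a-z][a-z0-9]*):\s+(?:NIC\s+)?Link is [Uu]p(?:\s+at|\s+-)?\s+"
    r"(?P<speed>\d+)\s*(?P<unit>[GM])bps"
    r"(?:,|/)?\s*(?P<duplex>[Ff]ull|[Hh]alf)"
)


def parse_link_lines(lines):
    """Return {iface: {"mbps": int, "duplex": str, "problems": [str]}} for every link-up line.

    The last link-up message for an interface wins, since links renegotiate on
    cable changes and the newest state is the one that matters.
    """
    results = {}
    for line in lines:
        m = LINK_RE.search(line)
        if not m:
            continue
        mbps = int(m["speed"]) * (1000 if m["unit"] == "G" else 1)
        duplex = m["duplex"].lower()
        problems = []
        if mbps < 1000:
            problems.append("negotiated below gigabit")
        if duplex != "full":
            problems.append("half duplex")
        results[m["iface"]] = {"mbps": mbps, "duplex": duplex, "problems": problems}
    return results


def report(lines=SAMPLE_LINES):
    """Human-readable summary; the numbers come from parse_link_lines."""
    out = []
    for iface, info in sorted(parse_link_lines(lines).items()):
        status = "ok" if not info["problems"] else "; ".join(info["problems"])
        out.append(f"{iface}: {info['mbps']} Mbps {info['duplex']} duplex -> {status}")
    return out


if __name__ == "__main__":
    # On a real box you would feed it `dmesg` output, e.g.:
    #   import subprocess; lines = subprocess.run(["dmesg"], capture_output=True, text=True).stdout.splitlines()
    print("\n".join(report()))
```

Running it against real `dmesg` output tells you in one glance whether the link between the PC and the TP-Link came up at 1000/full, which is what Mick asks Jorge to confirm before looking at the router's CPU; an interface negotiating 100 Mbps explains a ceiling just under 100 Mbps on its own, as his own 96 Mbps figure shows.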
Re: [gentoo-user] [OT] router woes
On Tue. 28 Mar 21:19:29 2017, Jorge Almeida wrote:
> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)

You will never reach 1300Mbps on Wi-Fi, it’s some commercial bullshit. First of all, check if you have a gigabit switch on your TP-link, it’s not impossible to have a 100M one. And, if you have a gig switch, use an RJ45 cable, the only cheap and efficient medium if you need bandwidth and latency.

-- 
alarig