Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Alarig Le Lay
On Wed. 29 Mar 05:02:16 2017, Jorge Almeida wrote:
> BTW, I've been using dnscache (from djbdns) for years. I suppose that
> protects against spoofing?

It depends on what you want to protect against. DNS is a cleartext
protocol; it's easy to modify packets. Plus, DNSSEC deployment is
too limited, and even with DNSSEC, you have to validate locally.

It's just more difficult for the ISP to spoof DNS packets than to make their
resolver lie.

-- 
alarig



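The on-path forgery Alarig describes, as an added example that is not part of any message in the thread: a stub resolver's acceptance test for a DNS reply is only the transaction ID, the question and the UDP port, all of which are visible to anyone between you and the resolver. The code builds a real wire-format query, forges a reply the way an on-path party would, and shows the client taking it; the AD-flag helper shows the one thing that would tell the difference, and only when the validating resolver is your own. The name, the answer address (TEST-NET-3) and the ports are constructed for the example.

```python
"""On-path DNS response forgery, modelled end to end (added example, not from the thread)."""
import random
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: example.com -> 07 'example' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """A-record query with the RD (recursion desired) bit set; QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(msg: bytes):
    """Return (txid, flags, name, qtype, qclass, offset just past the question)."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, ".".join(labels), qtype, qclass, off + 4


def forge_response(observed_query: bytes, fake_ip: str) -> bytes:
    """What an on-path party does: copy ID and question, append a bogus A record.

    Flags 0x8180 = QR (response) + RD + RA. AD is not set, and nothing in the
    packet proves who produced it.
    """
    txid, _flags, _name, _qt, _qc, qend = parse_question(observed_query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = observed_query[12:qend]
    # Answer RR: compression pointer to the name at offset 12 (0xC00C),
    # type A, class IN, TTL 60, RDLENGTH 4, then the IPv4 address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(fake_ip)
    return header + question + answer


def stub_accepts(query: bytes, response: bytes, query_sport: int, response_dport: int) -> bool:
    """The checks a plain stub resolver (or a non-validating cache) actually makes."""
    q = parse_question(query)
    r = parse_question(response)
    qr_set = bool(r[1] & 0x8000)
    return qr_set and q[0] == r[0] and q[2:5] == r[2:5] and query_sport == response_dport


def answer_ip(response: bytes) -> str:
    """Extract the IPv4 address from the single A record in the answer section."""
    _txid, _flags, _name, _qt, _qc, off = parse_question(response)
    # name pointer (2) + type (2) + class (2) + TTL (4) + RDLENGTH (2) = 12 bytes
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]
    return socket.inet_ntoa(response[off + 12:off + 12 + rdlength])


def ad_flag_set(response: bytes) -> bool:
    """AD (authenticated data) bit, 0x0020 in the flags word. Only meaningful when
    you run the validating resolver yourself; a forwarder can set it on anything."""
    return bool(parse_question(response)[1] & 0x0020)


def demo():
    """Random ID and port, as a real stub would pick; the on-path party sees both."""
    txid = random.randrange(0, 0x10000)
    sport = random.randrange(1024, 65536)
    query = build_query("example.com", txid)        # what the ISP sees on the wire
    forged = forge_response(query, "203.0.113.5")   # constructed TEST-NET-3 address
    accepted = stub_accepts(query, forged, sport, sport)
    return accepted, answer_ip(forged), ad_flag_set(forged)
```

The forged reply carries no DNSSEC data at all, and a cache that does not validate (dnscache does not) has nothing to reject it on. Forwarding to an upstream that sets AD does not help either: that bit arrives in the same cleartext packet and can be set or cleared on the way.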

Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Jorge Almeida
On Wed, Mar 29, 2017 at 1:59 AM, Adam Carter  wrote:
> On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida  wrote:
>
> The next hop after the ISP supplied router is another piece of the ISPs
> network equipment, so the ISP access to your data is equivalent, since the
> geography is not important. I don't think Netgear is any less trustworthy
> than TP-link or whatever. Here the trust is probably more about reliability
> of the device than data privacy. Probably being too paranoid.

The difference between Netgear and TP-link is not about which company
is less trustworthy. The point is that the Netgear belongs to the ISP,
whereas the TP-link belongs to me and its crappy firmware (crappy
interface, at least) can be replaced by dd-wrt.

>
>> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
>> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
>> The power consumption is about 4.5w, which seems a bit flimsy.
>> Or maybe the primary router is throttling speed when in bridge mode? Is
>> this possible at all? (And if so, what could be the purpose of such
>> measure? *spooky*)
>
>
> Does ifconfig show any interface errors?
>
> You can probably setup PPPoA, or whatever is required, on your Gentoo box to
> bring the service up instead of the TP-link, and test the bridge mode
> throughput. This also means you can have maximum flexibility since Gentoo
> will do all the interesting network stuff. However, unless you wanted to do
> that as a learning exercise its probably a waste of time and effort.
>
> Does TPlink provide any performance stats?
>

I already found that the TP-Link router is the culprit, due to low
processing power; Netgear is innocent.

regards

Jorge Almeida



Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Jorge Almeida
On Wed, Mar 29, 2017 at 12:47 AM, Mick  wrote:
> On Tuesday 28 Mar 2017 22:52:25 Jorge Almeida wrote:
>
> Many ISPs today implement TR-069 (a standard of the DSL forum) to access
> customer equipment remotely for service provisioning.  They use configuration
> servers to implement management access to *their* routers and update
> firmware/software, reset the configuration to defaults, or more secure
> settings.
>
> http://www.broadband-forum.org/technical/download/TR-069.pdf
>
> This also allows them to undertake status and performance monitoring and run
> some diagnostics tests to manage their customers' complaints.
>
> The extent to which all this also allows spying on your connections is
> debatable, but if they have access to your DNS resolver, I guess they can
> route your queries on the fly, wherever they like.
> --

Spying on packets is probably something they'll be able to do if they
want to. Infiltrating the home network is what I find spooky. No one
seems to talk about it, maybe I'm missing something that is obvious
for more knowledgeable people.

BTW, I've been using dnscache (from djbdns) for years. I suppose that
protects against spoofing?

Regards

Jorge



Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Jorge Almeida
On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick  wrote:
> On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
>
> It's more a privacy issue than security for me. I have a similar setup
> with a virgin cable router, which I set to what they call modem mode,
> where only one of the ports works and connects to my router. The one time
> I ran tech support they were able to see that I was using it this way and
> even reset the modem for me. I suppose it makes life easier for them and
> their typical customers, but it was a little unnerving.
>

The ISP provided router is officially managed (whatever this means) by
them. As to privacy, I know a packet is visible once it leaves the
router via the WAN port. What I worry a bit about is the possibility of
foul play towards the home network. The computers are firewalled via
iptables, but accept connections from 192.168. What prevents a
hacked router from impersonating a local origin?

J.A.

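An added example (not from the thread) of the question Jorge asks: what a rule that accepts anything with a 192.168 source actually checks, and what changes when the rule is bound to the LAN interface and private sources are dropped on the WAN interface (the effect of an interface match plus strict rp_filter). The interface names eth0 (WAN) and eth1 (LAN), the address 192.168.1.50 and port 22 are assumptions for the model; the rules are evaluated in Python rather than by iptables so it runs anywhere.

```python
"""Source-address trust vs interface-bound trust, modelled as iptables-style chains.
Added example, not from the thread; interface names and addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), LAN]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IPv4 address as text
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: object = None           # ip_network, or None for any source
    in_iface: str = None         # interface name, or None for any
    dport: int = None            # port, or None for any

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ip_address(pkt.src) in self.src)
                and (self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(chain, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy


# Policy 1: the setup described in the thread, trust by source address alone.
#   iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
ADDRESS_ONLY = [Rule("ACCEPT", src=LAN)]

# Policy 2: refuse private sources arriving on the WAN side, then accept only
# the service you mean to expose, only from the LAN interface.
#   iptables -A INPUT -i eth0 -s 10.0.0.0/8     -j DROP   (and 172.16/12, 192.168/16)
#   iptables -A INPUT -i eth1 -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT
INTERFACE_BOUND = [Rule("DROP", src=net, in_iface="eth0") for net in RFC1918] + [
    Rule("ACCEPT", src=LAN, in_iface="eth1", dport=22),
]


def spoof_test() -> dict:
    """The same LAN-looking source, once arriving from the WAN (spoofed) and once
    from the LAN (legitimate), under both policies."""
    spoofed = Packet(in_iface="eth0", src="192.168.1.50", dport=22)
    legit = Packet(in_iface="eth1", src="192.168.1.50", dport=22)
    return {
        "spoofed/address-only": evaluate(ADDRESS_ONLY, spoofed),
        "spoofed/interface-bound": evaluate(INTERFACE_BOUND, spoofed),
        "legit/address-only": evaluate(ADDRESS_ONLY, legit),
        "legit/interface-bound": evaluate(INTERFACE_BOUND, legit),
    }
```

The spoofed packet is accepted by the first policy and dropped by the second. Neither policy helps against a compromised gateway that sits on the LAN segment itself: its packets arrive on eth1 with a genuine 192.168 address, so the remaining defences are services that authenticate regardless of source (SSH keys, no password-less LAN-only admin interfaces) and keeping the ISP device off the LAN segment, which is what the bridged-modem-plus-own-router layout does.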


Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Mick
On Wednesday 29 Mar 2017 19:59:18 Adam Carter wrote:
> On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida  wrote:

> > Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> > WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> > The power consumption is about 4.5w, which seems a bit flimsy.
> > Or maybe the primary router is throttling speed when in bridge mode? Is
> > this possible at all? (And if so, what could be the purpose of such
> > measure? *spooky*)
> 
> Does ifconfig show any interface errors?

Also check output from dmesg, ethtool, mii-tool to confirm if the link is 
negotiated as 1Gbps half or full duplex when you connect your PC to the 
router, as opposed to when you connect directly to the modem.  BTW, even as 
full duplex, a 100Mbps connection will give you a throughput < 100Mbps no 
matter how enthusiastic it is.  For example, on my home network (100baseT 
switch) on a full duplex link:

$ dmesg | grep duplex
[   19.420820] tg3 :0b:00.0 enp11s0: Link is up at 100 Mbps, full duplex

... I never see more than 96Mbps data throughput.

-- 
Regards,
Mick


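The negotiation check Mick describes, as an added example that is not from the thread: parse_ethtool() reads the output of `ethtool <iface>` and link_problems() says why the link cannot carry what was expected. The ethtool output in the block is constructed (a link that came up at 100 Mb/s half duplex, the classic cable or duplex-mismatch symptom); check_interface() runs the real tool, which needs ethtool installed and usually root.

```python
"""Flag links that negotiated below 1000 Mb/s full duplex (added example, not from the thread)."""
import re
import subprocess

# Constructed sample of `ethtool enp11s0` output for a link stuck at 100 half.
SAMPLE_ETHTOOL = """\
Settings for enp11s0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Half
        Auto-negotiation: on
        Link detected: yes
"""


def parse_ethtool(text: str) -> dict:
    """Pull speed (Mb/s), duplex and link state out of ethtool output.
    'Speed: Unknown!' (no link) leaves speed_mbps as None."""
    speed = re.search(r"^\s*Speed:\s*(\d+)Mb/s", text, re.M)
    duplex = re.search(r"^\s*Duplex:\s*(\w+)", text, re.M)
    link = re.search(r"^\s*Link detected:\s*(\w+)", text, re.M)
    return {
        "speed_mbps": int(speed.group(1)) if speed else None,
        "duplex": duplex.group(1).lower() if duplex else None,
        "link": (link.group(1).lower() == "yes") if link else False,
    }


def link_problems(info: dict, want_mbps: int = 1000) -> list:
    """Reasons this link cannot carry the expected throughput, in plain words."""
    problems = []
    if not info["link"]:
        problems.append("no link")
        return problems
    if info["speed_mbps"] is not None and info["speed_mbps"] < want_mbps:
        problems.append(f"negotiated {info['speed_mbps']} Mb/s, expected {want_mbps}")
    if info["duplex"] == "half":
        problems.append("half duplex (duplex mismatch or bad cable)")
    return problems


def check_interface(iface: str) -> list:
    """Run ethtool for real. Compare the result with the PC plugged into the
    router's LAN port against the PC plugged straight into the bridged modem."""
    out = subprocess.run(["ethtool", iface], capture_output=True, text=True,
                         check=True).stdout
    return link_problems(parse_ethtool(out))
```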

Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Adam Carter
On Wed, Mar 29, 2017 at 7:19 AM, Jorge Almeida  wrote:

> I have net by cable with nominal speed 200Mbps. The ISP provides a
> modem/router Netgear (from Numericable). I disabled the WiFi and I
> have 2 computers connected via ethernet to the router. The speed is
> about 156Mbps (measured by http://www.speedtest.net), which seems to
> be what to expect.
>
> Now, having a device provided by the ISP to act as router seems to be
> good for people who trust both the ISP and the manufacturer. (Please
> comment if I'm being too paranoid.)
>

The next hop after the ISP supplied router is another piece of the ISPs
network equipment, so the ISP access to your data is equivalent, since the
geography is not important. I don't think Netgear is any less trustworthy
than TP-link or whatever. Here the trust is probably more about reliability
of the device than data privacy. Probably being too paranoid.


> So, I setup the router to work in bridge mode and connected one of the
> 4 lan ports to the Wan port of a secondary router TP-link (Archer
> C1200, Wireless dual band gigabit). It is supposed to comply with
> 802.11b/g/n 2.4GHz and 802.11a/n/ac 5GHz. Not that this matters per
> se, as I disabled the WiFi.
>
> The point is: I connected the computers to the lan ports of my
> secondary router (with original firmware, but I intended to install
> ddwrt), and the setup works, except that the speed never reaches
> 100Mbps.
>

OK, so I think you've downgraded your performance without any real change in
security.

>
> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)
>

Does ifconfig show any interface errors?

You can probably setup PPPoA, or whatever is required, on your Gentoo box
to bring the service up instead of the TP-link, and test the bridge mode
throughput. This also means you can have maximum flexibility since Gentoo
will do all the interesting network stuff. However, unless you wanted to do
that as a learning exercise its probably a waste of time and effort.

Does TPlink provide any performance stats?


Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Mick
On Wednesday 29 Mar 2017 08:45:33 Neil Bothwick wrote:
> On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
> > PS. I still would like to know what people in this list think about
> > having an ISP managed device as router, re security. Not that I have
> > any real option if I want the contracted speed...
> 
> It's more a privacy issue than security for me. I have a similar setup
> with a virgin cable router, which I set to what they call modem mode,
> where only one of the ports works and connects to my router. The one time
> I ran tech support they were able to see that I was using it this way and
> even reset the modem for me. I suppose it makes life easier for them and
> their typical customers, but it was a little unnerving.

Perhaps your 'modem mode' is a half-bridge setup with a public IP address and 
they can still access it via WAN?  Bear in mind the TR-069 daemons may still 
be running no matter how you set up the router, unless you stop them manually.  
I have a Huawei which I use in a fully bridged mode as a modem and have to 
stop such services manually on every reboot, after I log into it with SSH.
-- 
Regards,
Mick



Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Alarig Le Lay
On Tue. 28 Mar 22:52:25 2017, Jorge Almeida wrote:
> I've been using an RT-N16 for years, and it still works fine. They
> don't advertise big speeds and I understood it doesn't have the CPU
> power to cope. I assumed a new generation router would do the job. Big
> mistake.

I have 1G fiber at home; I kept the provided ONT, plugged the RJ-45
cable into an APU, and I can use the whole downlink. For the Wi-Fi, I have an
old WRT54G (bridged); I didn't test the bandwidth but I don't expect
much.

-- 
alarig




Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Mick
On Tuesday 28 Mar 2017 22:52:25 Jorge Almeida wrote:

> PS. I still would like to know what people in this list think about
> having an ISP managed device as router, re security. Not that I have
> any real option if I want the contracted speed...

Many ISPs today implement TR-069 (a standard of the DSL forum) to access 
customer equipment remotely for service provisioning.  They use configuration 
servers to implement management access to *their* routers and update 
firmware/software, reset the configuration to defaults, or more secure 
settings.  

http://www.broadband-forum.org/technical/download/TR-069.pdf

This also allows them to undertake status and performance monitoring and run 
some diagnostics tests to manage their customers' complaints.

The extent to which all this also allows spying on your connections is 
debatable, but if they have access to your DNS resolver, I guess they can 
route your queries on the fly, wherever they like.
-- 
Regards,
Mick


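An added example (not from the thread or the TR-069 document) of what the CPE sends to the ACS at the start of every TR-069 session: the Inform message. The XML below is constructed to follow the TR-069 structure (SOAP envelope, cwmp:Inform carrying DeviceId, Event and ParameterList); manufacturer, serial number, addresses and the callback URL are made up. parse_inform() takes the message apart, and callback_exposure() isolates the ConnectionRequestURL, which is the address the ACS calls to make the device open a session, from the WAN, bridge mode or not.

```python
"""Parse a TR-069 (CWMP) Inform and extract the management callback (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}

# Constructed Inform; values are invented, structure follows TR-069.
SAMPLE_INFORM = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Header><cwmp:ID soap:mustUnderstand="1">42</cwmp:ID></soap:Header>
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCorp</Manufacturer>
        <OUI>001122</OUI>
        <ProductClass>HomeGateway</ProductClass>
        <SerialNumber>SN0000001</SerialNumber>
      </DeviceId>
      <Event>
        <EventStruct><EventCode>1 BOOT</EventCode><CommandKey></CommandKey></EventStruct>
        <EventStruct><EventCode>4 VALUE CHANGE</EventCode><CommandKey></CommandKey></EventStruct>
      </Event>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
          <Value>http://198.51.100.23:7547/callback</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress</Name>
          <Value>198.51.100.23</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
          <Value>1.0.3</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>
"""


def parse_inform(xml_text: str) -> dict:
    """Return the device identity, the event codes and the reported parameters.
    The children of cwmp:Inform are unqualified in TR-069, so no namespace there."""
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a CWMP Inform")
    device = {child.tag: (child.text or "") for child in inform.find("DeviceId")}
    events = [e.findtext("EventCode") for e in inform.find("Event")]
    params = {p.findtext("Name"): (p.findtext("Value") or "")
              for p in inform.find("ParameterList")}
    return {"device": device, "events": events, "params": params}


def _param_ending(params: dict, suffix: str):
    return next((v for k, v in params.items() if k.endswith(suffix)), None)


def callback_exposure(parsed: dict) -> dict:
    """The parameters that say how the ACS reaches back into the CPE."""
    params = parsed["params"]
    url = _param_ending(params, "ManagementServer.ConnectionRequestURL")
    return {
        "connection_request_url": url,
        "callback_port": urlparse(url).port if url else None,
        "external_ip": _param_ending(params, ".ExternalIPAddress"),
        "software_version": _param_ending(params, "DeviceInfo.SoftwareVersion"),
    }
```

Run against a capture of the CWMP session and you see exactly which parameters the router reports. The port in the ConnectionRequestURL (7547 in the sample, the conventional one) is the port to probe from outside when you want to know whether the management path is still open after you have put the device in bridge mode.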

Re: [gentoo-user] [OT] router woes

2017-03-29 Thread Neil Bothwick
On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:

> PS. I still would like to know what people in this list think about
> having an ISP managed device as router, re security. Not that I have
> any real option if I want the contracted speed...

It's more a privacy issue than security for me. I have a similar setup
with a virgin cable router, which I set to what they call modem mode,
where only one of the ports works and connects to my router. The one time
I ran tech support they were able to see that I was using it this way and
even reset the modem for me. I suppose it makes life easier for them and
their typical customers, but it was a little unnerving.


-- 
Neil Bothwick

One of the nice things about standards is that there are so many of them.




Re: [gentoo-user] [OT] router woes

2017-03-28 Thread Jorge Almeida
On Tue, Mar 28, 2017 at 9:10 PM, Daniel Frey  wrote:
> On 03/28/2017 01:19 PM, Jorge Almeida wrote:
>> The point is: I connected the computers to the lan ports of my
>> secondary router (with original firmware, but I intended to install
>> ddwrt), and the setup works, except that the speed never reaches
>> 100Mbps.
>
> This is not unusual, the speeds they advertise are device to device
> (i.e. switched, not routed.)

That explains it, then.
Misleading publicity... I should have asked here before buying...

>
> As Mick mentioned, a lot of the all-in-ones don't have enough CPU
> available to route at those speeds. Some of them do come with hardware
> offloading, thus taking it off the main CPU but that itself doesn't mean
> it is able to route at port speed.
>
> I have the same problem, I had an old RT-N16. It finally crapped out and

I've been using an RT-N16 for years, and it still works fine. They
don't advertise big speeds and I understood it doesn't have the CPU
power to cope. I assumed a new generation router would do the job. Big
mistake.

I already checked that the ISP/Netgear router is not to blame:
connecting to a single computer in bridge mode yields about 150Mbps.

Thanks

Jorge

PS. I still would like to know what people in this list think about
having an ISP managed device as router, re security. Not that I have
any real option if I want the contracted speed...



Re: [gentoo-user] [OT] router woes

2017-03-28 Thread Daniel Frey
On 03/28/2017 01:19 PM, Jorge Almeida wrote:
> The point is: I connected the computers to the lan ports of my
> secondary router (with original firmware, but I intended to install
> ddwrt), and the setup works, except that the speed never reaches
> 100Mbps.

This is not unusual; the speeds they advertise are device to device
(i.e. switched, not routed).

> 
> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)
> 

As Mick mentioned, a lot of the all-in-ones don't have enough CPU
available to route at those speeds. Some of them do come with hardware
offloading, thus taking it off the main CPU but that itself doesn't mean
it is able to route at port speed.

I have the same problem; I had an old RT-N16. It finally crapped out, and
I have read many stories about these $200 all-in-ones that can't actually
fully route at 100 mbit+ speeds. Some of the newer hardware revisions
can with hardware offloading.

For myself, as fibre is coming to my home sometime this year (I'm
looking forward to symmetrical 150mbit at $85/month) I'm probably going
to get an Ubiquiti Edgerouter and AP, and perhaps even a small managed
switch. The middle grade Edgerouters have been tested to actually route
at near gigabit speeds.

The problem with my solution is cost; it'll probably be 2-3x higher than
the high-end all-in-ones. But at least if a component fails or gets
outdated, I can replace one thing at a time. I'm thinking mainly of Wi-Fi
technologies changing.

Dan




Re: [gentoo-user] [OT] router woes

2017-03-28 Thread Mick
On Tuesday 28 Mar 2017 23:00:12 Alarig Le Lay wrote:
> On Tue. 28 Mar 21:19:29 2017, Jorge Almeida wrote:
> > Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> > WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> > The power consumption is about 4.5w, which seems a bit flimsy.
> > Or maybe the primary router is throttling speed when in bridge mode? Is
> > this possible at all? (And if so, what could be the purpose of such
> > measure? *spooky*)
> 
> You will never reach 1300Mbps on Wi-Fi, it’s some commercial bullshit.
> First of all, check if you have a gigabit switch on your TP-link, it’s
> not impossible to have a 100M one. And, if you have a gig switch, use an
> RJ45 cable, the only cheap and efficient medium if you need bandwidth and
> latency.
As Alarig says, 802.11ac rarely sees more than 200Mbps in real life, over 
short distances, with no interference and only a single client connected.  
Through walls you're better off with 2.4GHz.

Assuming the switch ports on the router are 1Gbps, check on the PCs and on the 
router that it is operating in Full Duplex mode, both on the bridged modem 
side and on the PC side.  Replace the Cat5e cables if it is not and try again.

Finally, I have experienced some domestic routers being brought to their knees at 
high throughput.  Their SoC does not have the capability to process packets 
through the firewall and perform routing without becoming the bottleneck in 
the network.  Both throughput and latency suffer in these cases.  The only 
solution is to buy better quality hardware.
-- 
Regards,
Mick



Re: [gentoo-user] [OT] router woes

2017-03-28 Thread Alarig Le Lay
On Tue. 28 Mar 21:19:29 2017, Jorge Almeida wrote:
> Which part is to blame? The secondary router boasts 1300Mbps on 5GHz
> WiFi, so I assumed it could deal with 150Mbps on cat5e ethernet cable.
> The power consumption is about 4.5w, which seems a bit flimsy.
> Or maybe the primary router is throttling speed when in bridge mode? Is
> this possible at all? (And if so, what could be the purpose of such
> measure? *spooky*)

You will never reach 1300Mbps on Wi-Fi, it’s some commercial bullshit.
First of all, check if you have a gigabit switch on your TP-link, it’s
not impossible to have a 100M one. And, if you have a gig switch, use an
RJ45 cable, the only cheap and efficient medium if you need bandwidth and
latency.

-- 
alarig

