Slow Connection With Router, Fast w/o

boilermaker2k asked:

I'm inside a fairly large network (in an apartment complex, 650 users) where there's 1-2 Cisco Routers upfront.  When I use my router (both a Netgear RT314 and a Gigafast router that is good) for some reason I receive a constant 125-150k/second.  This totally hoses my internet connection (10kb/sec w/ 50+% packet loss).  This is with either router.  When I directly connect to the line though my connection speed is upwards of 20mbits/sec (the network is dual DS3's) and I'm not receiving all of this traffic (the 125-150 k/sec as mentioned above)!!!  Does anyone have any idea why this is happening?  For those who wonder, the network does use switched ports for all connections.

I've tried the following:

1) Spoofed the MAC on the routers thinking someone was attacking them because they're routers
2) Used a hub and the uplink and gotten several DHCP leases.  This works fine and gives me my speed but it does not provide the security I'd like to have with the router.
3) Tried different routers.
4) Talking to the net admin.  He doesn't mind me using multiple connections at all but hasn't figured out why this is happening

Someone mentioned the phrase broadcast storm and while I understand the concept behind it I'm not sure what I can do to fix it if this is the problem.

Any and all help would be appreciated.  
Thanks!
ShineOn:

Are the Cisco Routers upfront granting leases on public IP addresses or are they private IP addresses?  It could be double NATting causing you grief.
You might be able to get around the double-nat problem by asking the net admin to give you a static address, but I don't know if that would help or not.
qwaletee:

ShineOn,

Why would double-NATing cause a problem?  No more so than single NATing.
boilermaker2k (asker):

I am granted unlimited DHCP leases but I also have been assigned a static IP.  Both setups have the same issue.
And the IP leases are private IPs.
Is the static IP also private?  Is it in the same subnet as the leased addresses, and you are using the static for the public port on your router?  What are you using for your default gateway on the clients, and what are you using for the default route on the router?
Is the static IP also private?  
//Yes
Is it in the same subnet as the leased addresses, and you are using the static for the public port on your router?  
//The public address has a subnet of 255.0.0.0.  My internal addresses are 192.168.8.x and therefore have a subnet of 255.255.255.0.
What are you using for your default gateway on the clients, and what are you using for the default route on the router?
//My default gateway on the router is 10.254.1.3 and my default gateway for the clients is the router (192.168.8.1)
So the building uses a class A private-range network and you're using a class C private-range network for your personal network, correct?  Do you have NAT configured, or are you doing a simple route to the class A router?  
qwaletee:

AFAIK, NAT replaces the ID field on the outbound header with its own "placeholder" ID field having its own public address, so it can "remember" which NATted address to send inbound packets to.

If the first NAT replaces the ID field with its own "placeholder" ID field and sends that to the second NAT, the second NAT replaces the first NAT's "placeholder" with its own.  The 2nd NAT "remembers" what ADDRESS/PORT to send the packet back to, but doesn't necessarily "remember" the first NAT's "placeholder" info in the ID field.

The only way you can NAT behind NAT is if the public-side NAT is a static NAT with its own public IP, so there is no port translation to "remember."
>>The only way you can NAT behind NAT is if the public-side NAT is a static NAT with its own public IP, so there is no port translation to "remember."<<

That statement isn't very clear.

What I meant to say is that a dynamic-NAT (port address translation) behind another dynamic NAT is not likely to work well, if at all, because the port-mapping to different addresses is dynamic in nature.  Static NAT might work, in that the port maps are 1-1 for the two addresses.  I suppose a static NAT behind a dynamic NAT MIGHT work, because the static NAT would send a separate IP address for each connection to the dynamic NAT, but a dynamic NAT behind either static or dynamic NAT is likely to be a problem, because of the 2nd NAT replacing the first NAT's ID field.

Does that make sense?  Am I incorrect in that analysis?
Ask the net admin what his subnet mask is...  If he, for some reason, defined his subnet mask to, say 255.255.0.0 that may cause an issue as well...  Just a thought.

-Scott
Anyway, boilermaker2k, back to my last question to you.

If you want to go out through the (I assume) dynamic NAT on the Cisco router, you'll want to simply route through your router, rather than NATting again.

I don't know if that will defeat the simple firewalling features of your router, but it should work for you, because the NAT translation on the Cisco router will be the only one, so there shouldn't be any problems with communication speed...  I think your connections slow down that dramatically because your router can't figure out which IP address to send the inbound packet to, so you're getting tons of dropped packets.

To verify this, you could get a dumb hub to put in-between your apartment's connection and your router, and hook up a PC to the dumb hub, then run a freeware packet analyzer for a while - www.ethereal.com has a good one - and see what's happening to your traffic, in and out.
qwaletee - sorry about the "U" instead of "W" - my gestalt<->fingers<->keyboard connection works faster than my conscious brain sometimes, and tends to assume the "Wh" sound after a "Q" is a "U" even when I know otherwise... ;P
Could be the MTU causing these sorts of problems, try this http://www.dslreports.com/tweaks with your router in place it should help identify any issues, they also have a tool http://www.dslreports.com/front/drtcp.html to easily make any recommended adjustments.

PS my own system is double NATed with no problems (only difference is both under my control)
Snerkel - yes MTU had occurred to me, but I didn't mention it, as both routers aren't under boilermaker2k's control.

Are you double-NATted with the internal and external NAT on both  NAT devices being dynamic and not static?  If you are running both as dynamic, are both NATs running on the same platform?  How do you have your default routes set in a double-dynamic-NAT scenario?
ShineOn, I believe the MTU of the PC being adjusted correctly will allow the packet to pass unfragmented, e.g. as long as the packet is less than the MTU any of the routers can handle.

You've blinded me with science with next question :-)

Arrangement:-      ADSL Modem/Router (4-port) >>>>>>>> DSL router (4-port)>>>>>>>>> Main network
                                                                            ¦
                                                                            ¦
                                                                            ¦>>>>>> Wireless AP
                                                                            ¦
                                                                     Other temporary devices (PCs and industrial kit at various times)

No special routes have been set up except to allow a few services on fixed ports (such as VPN). AP etc. is in IP range 192.x; Main Network is 10.x

Initially set up to learn more about networking and routing, but it has proved so successful that I intend to keep this arrangement (the arrangement will also allow me to share internet access without compromising my network as and when I need to).
Snerkel, your diagram doesn't really answer my questions.  Where is each NAT?  What is the NAT at each point - dynamic or static?
NAT 1 = ADSL Modem/Router
NAT 2 = DSL router

NAT is dynamic (e.g. one to many) using NAPT on both routers. I assume dynamic refers to the ports that NAT is using to track data.
Like I said, unless I am wrong (I was once before...;)) NAT creates specific information in the ID field of the IP packet going out, so it can translate the return packets appropriately.  If you have an already-translated IP packet with specific information in the ID field so that one NAT can translate return packets to the appropriate address/port behind *IT*, and that packet passes through another NAT translator that places its OWN ID field information in the packet when it sends it on, so it knows what IP/Port to send responses back to, then response packets will hit the "public" address/port of the 1st NAT without having the ID field info needed to translate it to the source port/IP address, and will result in dropped packets and retransmit requests.

Unless, somehow, magically, the Cisco router and the SOHO router decide on a common reference point, resulting in return packets magically translating into the correct IP address and port.

Not altogether likely, and IMHO the probable cause of the massive decrease in throughput.
Ok...  ShineOn and everyone, I thank you for your help.  But the point seems to be missed here (i'm not explaining it well).

To make it simple, we're going to lay it out like this

(Public IP Address) Cisco Router (Private IP's) - > (My Router's Public IP) My Router (My Router's Internal IPs)

Our Public IP is 4.x.x.x (Verizon T3).  
Our Private IP's are 10.x.x.x.  I personally have a static one assigned to myself of 10.7.15.3 and a gateway of 10.254.1.3.  I can however also use DHCP.

My router has a public IP therefore of 10.7.15.3 and I'm using 192.168.8.1 as my router's internal IP and the clients are 192.168.8.2-32.  My router I have complete access to.  One of the routers I have has a 10mbit auto sensing WAN port and the other has a 100mbit Auto Sensing WAN port (I am NOT using both simultaneously but have both available to test with in case one or the other is bad).  I don't think the duplex thing is an issue.

The thing is I can't imagine duplex or MTU settings causing my router to receive data!  It's really the darndest thing.  

If I do use a hub and just get multiple DHCP leases that is fine.  But I like the security of a router and would sacrifice some speed for that.  The network is switched but the switch ports (as most are) are autosensing 10/100's I'm sure.

Remember there are a total of two routers here, one under my control and one not.  But the network admin definitely has no problem with what I'm doing and doesn't see how his equipment could be doing this (but is also too busy to help me w/ it).  I wouldn't want to help me either (it's kind of how cable companies don't give you tech support if you have a router).  I'm far from network illiterate but this one has me baffled.
Also, I'm not using the NAT features of my router (i.e. no port forwarding). This is because my external IP on my router isn't even an Internet IP.  So there's nothing to forward (unless I were to host an internet server of some sort)

Thanks
Your router would receive additional packets if data going out was having to be fragmented, can't hurt trying the MTU setting.
Also NAT is what "translates" from one IP range to another, NAPT is a form of NAT that your router is likely to be using, this effectively tracks the data using port numbers, your arrangement is very similar to my own (only on a bigger scale) hence it is probably a good comparison
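The one-to-many NAPT that snerkel describes (translation tracked by port number) is easiest to reason about as a state table, and chaining two such devices shows how a reply finds its way back through both tables, and why an unsolicited packet arriving at the WAN port with no table entry is simply dropped. This is an added Python model, not code from this thread or from any router vendor; it assumes a simple sequential WAN-port allocation (real routers differ), keeps the 192.168.8.x and 10.7.15.3 addresses from the question, and uses constructed documentation-range addresses for the edge router and the remote server.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        # What the far end sends back: addresses and ports swapped.
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class Napt:
    """One NAPT (one-to-many NAT) device.

    Outbound packets are rewritten to the WAN address plus a fresh WAN port; the
    (inside ip, inside port) <-> WAN port mapping is kept so replies can be
    translated back. Inbound packets with no mapping are dropped (returned as None).
    """

    def __init__(self, name, wan_ip, first_port=40000):
        self.name = name
        self.wan_ip = wan_ip
        self._ports = itertools.count(first_port)   # assumption: sequential allocation
        self.out_table = {}   # (inside_ip, inside_port) -> wan_port
        self.in_table = {}    # wan_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            wan_port = next(self._ports)
            self.out_table[key] = wan_port
            self.in_table[wan_port] = key
        return Packet(self.wan_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        if pkt.dst_ip != self.wan_ip:
            return None                      # not addressed to this device
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None                      # no state for this port: drop
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def round_trip(pkt, chain):
    """Carry pkt out through every NAT in chain (innermost first), let the server
    reply, and bring the reply back through the chain in reverse order.
    Returns the packet the client finally receives, or None if a hop dropped it."""
    for nat in chain:
        pkt = nat.outbound(pkt)
    reply = pkt.reply()
    for nat in reversed(chain):
        reply = nat.inbound(reply)
        if reply is None:
            return None
    return reply


# Constructed topology: the SOHO router's WAN address is the 10.7.15.3 from the
# question; the complex's edge router and the web server use documentation ranges.
soho = Napt("SOHO", "10.7.15.3")
edge = Napt("edge", "203.0.113.5")
WEB = "198.51.100.7"


def demo():
    """Two inside clients that happen to pick the same source port, plus one
    unsolicited packet aimed at the edge router's WAN side."""
    a = Packet("192.168.8.2", 51000, WEB, 80)
    b = Packet("192.168.8.3", 51000, WEB, 80)
    got_a = round_trip(a, [soho, edge])
    got_b = round_trip(b, [soho, edge])
    stray = edge.inbound(Packet("192.0.2.9", 4444, "203.0.113.5", 40999))
    return got_a, got_b, stray


if __name__ == "__main__":
    for name, result in zip(("client a", "client b", "stray"), demo()):
        print(name, "->", result)
```

Both clients get their replies back, because each device only needs its own table: the SOHO router never sees the edge router's port choice and does not need to. The stray packet is returned as None, which is the whole extent of the "protection" a NAPT box gives against unsolicited inbound traffic; it does nothing for anything the inside initiates.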
If you extend your imagination to the concept that the "public side" interface is the "public side" interface regardless of whether or not it is assigned to a registered, public IP address, then yes, NAT plays a part.

If you have NAT enabled on your SOHO router, NATting your Class C network addresses to the Class A network address you were assigned, then you ARE using the NAT features of your router.  If you are specifying within your router that the Class A network address of the "public" side of your router is your "next hop" router, and that the default route OF THAT INTERFACE is the Class A address of the Cisco edge router, then you are ROUTING, not NATting.
I think ShineOn's on the right track.

boilermaker2k, 10.x.x.x is a very large address space. Much larger than a 650-unit apartment complex needs (unless every apartment is crammed to the rafters with computers). Have you considered asking the apartment complex's network admin to assign you your very own chunk of the 10.x.x.x space, statically, and ditching NAT?
PsiCop, I think the reason boilermaker2k wishes to use a router is to gain the additional protection that NAT will afford
Or ditching your private NAT with the realization that the internal Class C addresses do NOT cleanly translate through the Class A network to the Public IP and back...

For example:

PC client = address on 192.168.1 network (private)

That address and port is ROUTED to 10.0.0.0 network. (also private)

That address and port is then NATted from the 10.x.x.x network to 216.43.1.23, which is the next hop to the Internet. (NAT/PAT)

From there it goes to, and receives responses from, the Internet host.  (NAT/PAT)

In this example, going in reverse order, you NAT/PAT from the target IP to the local IP address, and from there you ROUTE back to the PC.


Does that make more sense, or make me look more stupid?
snerkel - what I'm saying is there is a limit to the benefits of NAT, which includes how many and what kind of NAT hops may be between you and the target host.  I recommend that if boilermaker2k's router can handle it, that port and/or protocol filtering be established rather than NAT at that level of connectivity, and that when concentrating on port/protocol filtering you gain additional security on top of NAT.
snerkel,

"additional protection that NAT will afford"?

What protection? NAT is NOT a security measure. Anyone who uses NAT for security is wetting themselves while wearing dark clothes - it'll feel good and no one else will notice.

Using NAT for security is like the paper CNEs who would use MAP ROOT to "hide" directories they didn't want people to see. Looks great but useless in the long run.

Any half-way decent firewall will do a better job of providing security functions.

>>Also, I'm not using the NAT features of my router (IE: No port forwarding). This is because my external IP on my router isn't even an Internet IP<<

The little "cable /dsl" cheapie SOHO routers that you can get at your neighborhood TV/Stereo store are pretty much the same all around.  Many of them have rudimentary, simple firewalling features including NAT.  They don't necessarily use the standard terminology for the technologies they support, which makes it difficult to tell EXACTLY how to configure one or another without looking at the manual and working with the management interface directly.

Since most of these routers have that simple firewalling feature, often that feature starts up enabled.  If you want to use it as a simple router without NAT, you have to make sure that it is only routing, not doing its simple firewalling, because the first thing it does as far as its simple firewall is NAT, whether you tell it to or don't.  You have to make sure that it isn't doing NAT.

If the "public" (aka WAN) port address is in a DIFFERENT NETWORK than the private IP ports handed out through DHCP on your router, unless you specifically configure your router *not* to do NAT, it will do NAT, based on the SOHO routers I've seen so far.  It doesn't matter if the WAN-port address is a "public" or "private" address, you can still NAT from one network to another.  You need to make sure you are only routing and not NATting.

If you aren't sure, post the exact make and model number and we can look up the online docs for you and verify what has to be done not to NAT with that router.
I don't think any of the SOHO routers allow you to turn off NAT.  You CAN avoid the WAN port, and set up static routes on the "inside" ports for some of them.
Can't you simply use a Switch/Hub and ask for more 10.x.x.x numbers from your Systems Admin?  I mean if the Apartment Complex's subnet is really 255.0.0.0 that's more than enough IPs to go around...  How many computers are you going to have in your little subnet?

I mean, this would avoid the problem entirely.  You could even take your router (which I'm assuming is a 1 WAN, 4 LAN) and disable DHCP on it, and use the 4 ports for LAN and plug nothing into the WAN...

One problem, however, is this would be exposing your computer(s) to the other PCs in the apartment complex.

-Scott
Scott_V:

The whole point of using a router for me is to use its limited security capabilities (NAT basically).  I write software and I like to have some systems fairly open for development purposes without worrying about the latest MS vulnerability or some idiot user screwing my system up...

-Adam
But you're "protected" from the internet already by your apartment complex's NAT Router, and if you're worried about people inside your network messing something up on your computer turn on your firewall (assuming you have windows XP, if not download a software firewall).  I mean, this is not 100% secure or anything, but you have to realize NO protection is ever 100% secure.  Hardware is generally better than software, but they both do a relatively good job.

-Scott
You could probably pick up an old Pentium PC for next to nothing, put 2 NICs in it, and Linux on it, and use that as a firewall, with REAL firewall features, still avoiding NAT.   Just get that bigger block of IP addresses from your building's net admin.
In fact there's a Linux distribution called "freesco" (free cisco) that doesn't have a bunch of the add-ons of a RedHat or SuSE, just routing and firewalling features.
Yeah, good call ShineOn.  That's a great way to do it if that level of security is absolutely necessary.  Or, maybe if you're real lucky, you can get an old hardware Firewall off EBay or something.  :)
The quickest way to debug this would probably be to put an old hub (not a switch) between the router and the building segment, and plug a sniffer (or PC with Ethereal) into the hub.  You can then see whether there is any real difference in external traffic.

I don't remember if this was mentioned before, but a bad DNS setup can really get you with these SOHO routers.  The router will act as a DNS forwarder, but frequently, it does this much too slowly.  Is your pure IP traffic slow, or could it be related only to slow address resolution?
First of all, like someone said earlier, NAT has nothing to do with security, it is a public address saving mechanism. If you have an address of 10.1.2.3 (private) which is translated to 8.9.10.11 (public), that simply means that someone needs to use the address 8.9.10.11 to hack your machine . . . forgetting about firewalls for the purpose of the example.

Second, have you "sniffed" the incoming line to see what the 125-150K/sec is? When you say constant, do you mean 24x7? Get Ethereal or some other free packet sniffer and see just what the heck that 125-150k/sec actually is.  By the way, how did you measure that?

Third, you mentioned broadcast storms . . . A buddy of mine lives in an apartment complex with a layout similar to what you've described and there was a steady 50k of ARP traffic because of a configuration PROBLEM similar to what you mentioned. The so called "network administrator" was using 10.0.0.0 / 255.0.0.0 meaning that all 1100 units in the complex were in the same broadcast domain. Of course you may be victim of some jerk using a packet generator to spit frames out of his PC destined for 255.255.255.255 just because he's cranky. Sorry. I only did this once at my buddy's apartment because the landlady was such a witch.

Fourth, MTU likely has nothing to do with this because -- assuming ethernet -- you'd actually have to misconfigure a router to have anything other than a 1500 bit MTU. MicroSplot OS's, however, assume that if you are transmitting data to a logical network different from your own (say . . . from 10.1.2.3 to 8.9.10.11) that it should set the packet size to 536 (or something close to that, I can't remember) because the assumption is you will be going into a WAN environment and a 1500bit packet would be fragmented thus slowing total transit time. You can cruise the internet to figure out how to configure your PC to always send a 1500bit packet. There's a registry setting or some such that can be changed.

Last, no matter what you do locally (to the architecture within your apartment) your internet connection will be hosed if there truly is a problem within the apartment complex layout.

Last again ( I mean it this time), make sure your ethernet interfaces and optimally the switches they are attached to have FIXED comm parameters not autosensed or autonegotiated.

Good luck,
Steve
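Several replies above suggest putting a hub in front of the SOHO router and sniffing to find out what the constant 125-150k/sec actually is, and SteveJ's point about a /8 mask is that every unit ends up in one broadcast domain. The triage below, an added Python example that is not from this thread or from Ethereal, does the first-pass analysis a practitioner would run over an exported capture: it buckets frames into broadcast, multicast and unicast per protocol, computes bytes per second per bucket over the capture window, names the busiest broadcast senders, and shows how many hosts share a broadcast domain under a given mask. The frame records are a constructed (timestamp, src MAC, dst MAC, EtherType, length) tuple format using IANA documentation MAC addresses; a real export would be parsed into the same shape.

```python
import ipaddress
from collections import Counter, defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4"}


def hosts_in_broadcast_domain(cidr):
    """Usable host addresses that share one broadcast domain under this mask."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


def classify(frame):
    """Bucket a frame as broadcast/, multicast/ or unicast/ plus its protocol name."""
    _t, _src, dst, ethertype, _length = frame
    proto = ETHERTYPES.get(ethertype, hex(ethertype))
    if dst == BROADCAST_MAC:
        return "broadcast/" + proto
    if int(dst.split(":")[0], 16) & 1:       # group bit of the first octet: multicast
        return "multicast/" + proto
    return "unicast/" + proto


def summarize(frames, top=3):
    """Bytes per second per traffic class over the capture window, the share of
    all bytes that were broadcast, and the busiest broadcast senders."""
    frames = sorted(frames, key=lambda f: f[0])
    window = frames[-1][0] - frames[0][0] if len(frames) > 1 else 1.0
    window = window or 1.0                    # single-instant capture: avoid /0
    by_class = defaultdict(int)
    senders = Counter()
    total = 0
    for frame in frames:
        cls = classify(frame)
        by_class[cls] += frame[4]
        total += frame[4]
        if cls.startswith("broadcast/"):
            senders[frame[1]] += 1
    bcast = sum(b for c, b in by_class.items() if c.startswith("broadcast/"))
    return {
        "bytes_per_sec": {c: b / window for c, b in by_class.items()},
        "broadcast_share": bcast / total,
        "top_broadcasters": senders.most_common(top),
    }


def sample_capture():
    """Constructed capture: one second of ARP broadcast from three hosts, one of
    them far chattier than the others, plus a little ordinary unicast."""
    frames = []
    for i in range(200):
        if i < 120:
            src = "00:00:5e:00:53:01"
        else:
            src = "00:00:5e:00:53:02" if i % 2 == 0 else "00:00:5e:00:53:03"
        frames.append((i * 0.005, src, BROADCAST_MAC, 0x0806, 60))
    for k in range(5):
        frames.append((k * 0.25, "00:00:5e:00:53:10", "00:00:5e:00:53:20", 0x0800, 1514))
    return frames


if __name__ == "__main__":
    report = summarize(sample_capture())
    for cls, rate in sorted(report["bytes_per_sec"].items()):
        print(f"{cls:16s} {rate:10.0f} bytes/s")
    print("broadcast share:", round(report["broadcast_share"], 3))
    print("top broadcasters:", report["top_broadcasters"])
    print("/8 hosts:", hosts_in_broadcast_domain("10.0.0.0/8"),
          " /24 hosts:", hosts_in_broadcast_domain("10.7.15.0/24"))
```

The useful output is not the absolute rate but the split: a high broadcast share with one or two dominant senders points at a misconfigured or malicious host, while broadcast spread evenly across hundreds of senders points at the mask, which is what moving from a /8 to per-segment /24s fixes.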
SteveJ and others... NAPT on most SOHO routers will afford a reasonable amount of protection from WAN attack or accidental access. Unless a port is left open or a user from the LAN side opens a port to another user on the WAN side.
Anyone entering a LAN side IP from the WAN side will not get anywhere apart from to the WAN port of the router if it is configured correctly. Back this up with a software firewall and you can feel fairly secure.
Advising using a hub will leave boilermaker2k network open to the other 649 residents, I personally would not feel comfortable with that situation. Even running a software firewall is not fool proof.

MTU has been a big cause of ADSL problems in the UK, this is due to Windows defaulting to using 1500 MTU on Ethernet connections, this in turn causes fragmentation in the main backbone routers (Cisco in the main I believe). The UK recommended MTU is between 1438 & 1458 MTU for this reason. The link I provided earlier will confirm or dispel this theory if boilermaker2k can confirm the results either way.
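To make the fragmentation argument concrete (snerkel's point that a datagram larger than a downstream link's MTU costs extra packets, and the 1438-1458 figures above), here is an added Python example, not from this thread or any tool it mentions, that splits an IPv4 datagram the way a router would: fragment payloads must be multiples of 8 bytes, each fragment carries its own 20-byte header, and a datagram with DF set that does not fit is not forwarded at all. The 20-byte header assumes no IP options.

```python
IP_HEADER = 20   # assumption: no IP options


def fragments(total_length, mtu, dont_fragment=False):
    """Split one IPv4 datagram of total_length bytes (header included) for a link
    with the given MTU.

    Returns a list of (offset_in_8_byte_units, fragment_total_length, more_fragments).
    Raises ValueError when DF is set and the datagram does not fit, which is the case
    where a router answers with ICMP "fragmentation needed" instead of forwarding.
    """
    if total_length <= mtu:
        return [(0, total_length, False)]
    if dont_fragment:
        raise ValueError("DF set and datagram exceeds MTU: ICMP fragmentation needed")
    payload = total_length - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8     # payload per fragment, 8-byte aligned
    out, offset = [], 0
    while offset < payload:
        chunk = min(per_fragment, payload - offset)
        more = offset + chunk < payload
        out.append((offset // 8, chunk + IP_HEADER, more))
        offset += chunk
    return out


def extra_packets(total_length, mtu):
    """How many additional packets one datagram turns into on this link."""
    return len(fragments(total_length, mtu)) - 1


if __name__ == "__main__":
    for mtu in (1500, 1492, 1458, 1438):
        print(f"MTU {mtu}: {fragments(1500, mtu)}")
```

A 1500-byte datagram over a 1458-byte link becomes a 1452-byte fragment and a 68-byte tail, so every full-size packet doubles the packet count on that hop; with DF set (the usual case for TCP doing path-MTU discovery) the packet is dropped and the sender has to notice the ICMP message, which is why a wrong MTU shows up as stalls rather than as a clean slowdown.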
Port address translation doesn't afford squat to the determined hacker.  It's just a different port to walk through.

I would feel better if he could get a specific subnet of addresses assigned to him and set up a firewall in-between with stateful packet filtering and perhaps application proxies.  That way he doesn't need to put a software firewall on every one of the PC's in his apartment's subnet, which could throw off his development efforts.

ShineOn, you do realize he's talking about just his PC in his apartment, right?  I don't think he cares about the other PCs in the building aside from security and internet access without having a bunch of junk-traffic whenever he attaches his NAT box...  Oh, and btw, NAT routers do provide some protection thusly...  If you do not have your ports forwarded on the router then any hack attempt to the WAN ip of the router (any port) will result in either nothing at all (because nothing is listening at that port) or if for some reason there is an open port on the router (say, if you have remote management enabled for some reason), a hack to the router itself.  You cannot, however, hack a port that is not open...  That's like trying to hotwire a car with no battery!

-Scott
Scott_V:

You see my point... No one has really provided enough of any thing to help the problem unfortunately.  Thanks for everyone's continued help. Hopefully someone will figure something out...  I don't want new equipment and shouldn't need it...

The 125-150k/sec of traffic must be junk from the other router or something because I'm 99% confident it's not from network users...

boilermaker have you checked that site link I suggested?
Yep... not useful for me unfortunately... Thanks though
So the test showed everything OK?

Next question would be configuration of the router WAN side, e.g. are you setting a static IP or allowing the DHCP server to assign everything? If you can I would set the WAN with fixed settings, so these would include

WAN IP 10.x.x.x
Default Gateway 10.x.x.x (IP of Cisco router)
Subnet Mask to match 10. network
DNS servers, enter the service providers DNS servers

Disable UPNP and RIP

If all else fails then try setting up DMZ to a PC running snort or similar and see if you can get any clues.
The WAN side is setup exactly as you have said.  

ASKER CERTIFIED SOLUTION
ShineOn
ShineOn: Your comments have been extremely helpful and led the net admin to fix an issue he had on his network.  Thanks and you have been given credit for the problem!
Too cool!  Has the admin let you in on the issue that fixed the problem?  If so, can you post it here to make this PAQ more valuable?
If you don't mind me asking, what WAS wrong with the apartment network?

-Scott
He hasn't told me in full but he will here by tomorrow evening.  Something about running multiple gateways off a single router and his routing tables...

I'll let you guys know in full...

Thanks again everyone.  Wish I could award you all w/ points!
You can split points.  If you want to change the points distribution to give others that helped some credit, then you can post a request in Community Support (CS) to have the Question reopened.  Once it's reopened, you can distribute points however you desire.

Click on the "help" link in the "your status" box, and select "closing a question" (or whatever it is that is close to that.)  It will describe the different ways you can close a question, what the grades mean, and how to split the points among multiple Experts.
Whenever you post anything in the CS topic area regarding a specific question, always include a link to the question, BTW.