AbacusOnsite

1 PC + 3 MACs + Router + Cable Modem + SPI = ?

Here’s an interesting one for you guys.  I *think* the problem is resolved, but I’m not 100% sure.  I’d like to explain the situation, and then ask for an explanation or two from some of my fellow techies here.  Here goes:

Yesterday, I got a call from a guy who has 1 PC, 2 Macintosh boxes, and 1 Apple Laptop.  All are hooked up to a Netgear router, which is then plugged into a cable modem.  I didn’t write down the model of the Netgear router, but it’s a non-wireless model and it has 4 ports in the back + the WAN port.  No wireless in the equation at all.  The problem is that the router kicks them all off the “net” at random times, all machines, at the same exact time.  Sometimes after a minute, sometimes 15 minutes, sometimes after an hour or two.  I told him I would come out in the morning and check it out.

Today, I went out on site to troubleshoot his network.  Turns out, everything is set up pretty clean.  Everything looks good.  He could not tell me if getting kicked off “net” means kicked off the home network, or just kicked off the internet/web.  While I was working on his Apple Laptop we got kicked off, and I noticed that the WAN settings for the router went completely blank.  We only had the one computer powered up at the time, but I could still connect to the router, so I am going to assume that he was meaning they were all kicked off the internet.

Not wanting to waste the guy’s time and charge him a huge fee for drinking coffee at his computer desk while waiting for his router to hiccup again, I went through a few of the suggestions that I had read here… changing the MTU to 1492, looked at the possibility of spoofing the MAC address, etc.

Then I saw a little setting down by the MTU box, called SPI with a radio button for on and off.  It was set to on.  I decided that since the SPI setting was about the only thing that looked out of place to me, I decided to disable it and see if it made any difference.  Well, afterwards, we browsed the internet for 45 minutes while discussing his plans for future network expansion (including wireless, security, differences between a switch and a router, differences between a wireless router and a wireless access point, etc, etc) and we were able to stay on the network the entire time!

Through looking around on the internet, I have found that SPI stands for “Stateful Packet Inspection”, and I have garnered the idea that it has to do with security… but, I don’t understand how enabling this feature would cause network problems.  Could someone PLEASE explain this?  Get as technical as you’d like, as I dig details… but, please don’t BS me too much.  I’m wearing my good shoes.
Fatal_Exception

SPI is a type of firewall.  It is the mostly widely used and in my mind the best type out there.  In the past, only advanced firewall products had this feature, but it is now being packaged in today's routers.

That being said, I would hesitate to advise you that this is the problem here.  Since you modified the MTU to 1492 I will assume you are using a DSL connection with PPPoE..?  If so, as you know, this protocol is an on and off again flavor of broadband, which does automatically disconnect you after a period of time (although in the perfect world, it is supposed to be a seamless reconnect)

Regarding MTU settings, I have written a short page on how to determine the proper MTU size on my website.  If you would like, feel free to visit:

www.doverproductions.com

or

http://65.24.134.81/KipSolutions/MTU/MTU.htm

FE
mostly widely used = widely used   :)  Jeez, I need some more coffee before I post, eh?
BTW:  you should modify the MTU on the router and the client systems...
AbacusOnsite

ASKER

The router is connected to a *cable modem*...an RCA/Thomson DCM315.  Comcast is the ISP.  I only know about the MTU size tweak from reading the posts here at EE.  What does the MTU have to do with DSL?  Does it matter if the client is using Cable Modem instead of DSL?  And the real question is:  Why would changing the MTU to 1492 (and, turning off SPI) alter the router's ability to stay connected to Comcast?  Those two things are the ONLY things I changed and the user hasn't had any problems since.

Also, if I WERE to change the MTU on the client machines, how do I change it on a MAC?  I know how to change the MTU within Windows XP, but I barely know my way around a MAC.  The user practically had to do the MAC stuff for me when I was on his laptop (a little embarrassing, but I'm okay with that for now).

Oh... and I don't know if it matters or not, but the Firmware on the Netgear router was 5.20_RC3NA.  I read a little bit on the EE forums that people were having some problems after flashing from 4.00, but those posts are over a year old.  I would think that Netgear had solved that problem a long time ago.  
#1   MTU size has a lot to do with DSL..  PPPoE adds an extra header to the packet, which is 8 bytes in size, therefore the 1492 recommendation.  (Cable is 1500 as it does not have to push that extra packet baggage.)  But, I have found that even a 1492 setting will start fragmenting.  As far as disconnecting, the packet size (MTU) does not have anything to do with this.  (I only sent you that link so you could get a better understanding of this)

I would look harder at how that Firewall is configured.  Usually SPI firewalls are highly configurable.

#2   I don't know anything about MACs except for a few times I have had to network them.  Never had to change the MTU on one..

#3   And yes, Netgear is a good product and I would agree that they should have debugged it by now.  
ASKER CERTIFIED SOLUTION
infotrader

This solution is only available to members.
yes..  It could even be the type of cable that you are wired with here.  Cabling is definitely an issue with a Cable connection.  If you are in an apartment (or a home for that matter) that was cabled prior to the year 2000, there is a good possibility  that the cable is RJ59, which causes problems with attenuation.  Cabling should be at least a minimum of RJ6.  (I even replaced my cable with RJ11, which is a very heavy gauge coax.)
I suppose I should have mentioned this in the beginning:

Before I went on-site to "fix" the issue, the user says that he could connect a single computer into the cable modem (without the router) and surf the web for hours and hours with absolutely no problems at all.  This was Comcast's suggestion to him, to test the cable modem.  When he eliminated the router from the equation, everything worked fine on the one machine, and so Comcast said "not our problem" and that was when he called me.

I am fairly confident that the problem was with the router, and I'm also pretty sure that whatever I changed on the router has improved the situation... either turning off the SPI, or changing the MTU from 1500 to 1492.  Apparently, from what everyone here is saying, the MTU setting only has to do with DSL, so I'm suspecting that the SPI setting was doing something funky with the connection.  This is so odd!  Has no one EVER seen a network issue like this?

A faulty cable is a possibility, but I am doubtful about that being the only thing wrong (although I will change it if the problem comes back, so thank you for mentioning it).

By the way, the router is a Netgear.  Not a Linksys.  Don't know if that really matters, but I thought I'd clarify this.
SPI firewalls work in both directions.  Stopping errant packets from leaving, as well as coming into the LAN.  This is why I believe that it is your problem.  Look at it carefully, and see if you can tweak the settings to allow the traffic your client needs to get out...

FE
Why wouldn't I want to just disable this setting and install something simpler, like Zone Alarm or Norton Firewall?  I know that each of them adds a little "overhead" to the computer, which in turn, lowers the performance a little.  But, at the same time, they are easier to configure and give you warnings and feedback when it detects suspicious activity.

If what you are telling me is true, SPI simply severs connectivity when it suspects foul-play, without any warning or explanation of what has occurred.  This is unacceptable behavior on a network, and I would rather do without it.  If a cracker wants to get into a network, there are literally thousands of wide-open wireless networks out there to choose from.  I would rather disable SPI and take my chances, than leave it enabled and pull my hair out because every 5 to 15 minutes my router kicks me off of the internet!
Actually, SPI is a good thing.  ALL top-quality firewalls (such as Cisco) use SPI.  It should not drop all of your packets when it detects some foul play, or at least that's not what it is meant to be....  Otherwise, it's worse than a DoD attack, wouldn't you think (All I have to do is TRY to hack into the system, and the router would kill the network?  LOL)

With SPI not working, I am suspecting that something IS wrong with your router/firewall.  Have you tried upgrading/downgrading the firmware as suspected?  I would try that first BEFORE giving up on the SPI, because you never know if something else is not working (such as it's not blocking anything at all, etc.).

Of course, I must say, if all else fails, then I'd either have to go out and get another router when I have the time/money, or just do what you suggest and turn off the SPI :-)

- Info
Agree with info...  SPI is usually rock solid, and a very good thing to leave in place..  Turn it off as a last resort.

Most every network I have worked on requires file/print sharing to some extent, whether it be Domain or P2P..  These software firewalls always present problems in these circumstances...  (Problems meaning that your customer will be calling you every day for free troubleshooting...  :)
You might have a conflict with the IP addressing between the router and the cable modem.

Try changing the IP addressing scheme on the router to a different Private Network address scheme.  Not sure what the default scheme is on Netgear.

If the DHCP address on the router is 172.16.0.1 with a subnet of 255.255.0.0 change it to 192.168.0.1/255.255.255.0 or 10.0.0.1/255.0.0.0.

I don't think that SPI is the problem but if that's the only thing that works go with it.

Hope this helps

Ed

After checking back in with the client, I learned that he is still having the same problem with his network... only less frequently with the SPI turned off.  I have a firm and ethical policy about my work, so I refunded his money and wished him luck.  He is in the process of returning the cable-modem back to Comcast.  Still scratching my head over this one.
me too (scratching head)...  I have had to do the refund bit before myself.  Sorry about that..

FE
Well, sometimes things just break or are defective out of the box.  I had to return a few pieces of defective equipment for my clients as well.  Just out of curiosity, now that we are pretty sure the problem really isn't the SPI, have you considered replacing the equipment with another one (or maybe another brand, although I am pretty sure Netgear has pretty decent products)?  That way, you restore faith in your client, and he's much happier with a good solution...  Just a thought.....  Good Luck.

- Info
After talking with the client a couple of weeks ago, I offered to come over and fix him free of charge... but, he said that Comcast was already scheduled to come out and replace the cable-modem.  By the way, it wasn't the Netgear switch that was bad.  It was the flaky cable-modem (RCA/Thomson DCM315).  Supposedly, the voltage was going out of range (both over and below), causing some major instability... even when connected to a good UPS.

I still wonder why disabling SPI would cause the router to misbehave less often.  I hate technology sometimes... only sometimes.

Well to make a long story short, points go to Infotrader for mentioning a faulty Cable Modem!

Cheers to all who pitched in and schooled me on SPI.  I learned a lot, as I always do on EE.  Thanks again.
thanks!!