Solved

1 PC + 3 MACs + Router + Cable Modem + SPI = ?

Posted on 2004-09-15
19
787 Views
Last Modified: 2013-12-14
Here’s an interesting one for you guys.  I *think* the problem is resolved, but I’m not 100% sure.  I’d like to explain the situation, and then ask for an explanation or two from some of my techies fellows here.  Here goes:

Yesterday, I got a call from a guy who has 1 PC, 2 Macintosh boxes, and 1 Apple Laptop.  All are hooked up to a Netgear router, which is then plugged into a cable modem.  I didn’t write down the model of the Netgear router, but it’s a non-wireless model and it has 4 ports in the back + the WAN port.  No wireless in the equation at all.  The problem is that the router kicks them all off the “net” at random times, all machines, at the same exact time.  Sometimes after a minute, sometimes 15 minutes, sometimes after an hour or two.  I told him I would come out in the morning and check it out.

Today, I went out on site to troubleshoot his network.  Turns out, everything is set up pretty clean.  Everything looks good.  He could not tell me if getting kicked off “net” means kicked off the home network, or just kicked off the internet/web.  While I was working on his Apple Laptop we got kicked off, and I noticed that the WAN settings for the router went completely blank.  We only had the one computer powered up at the time, but I could still connect to the router, so I am going to assume that he was meaning they were all kicked off the internet.

Not wanting to waste the guy’s time and charge him a huge fee for drinking coffee at his computer desk while waiting for his router to hiccup again, I went through a few of the suggestions that I had read here… changing the MTU to 1492, looked at the possibility of spoofing the MAC address, etc.

Then I saw a little setting down by the MTU box, called SPI with a radio button for on and off.  It was set to on.  I decided that since the SPI setting was about the only thing that looked out of place to me, I decided to disable it and see if it made any difference.  Well, afterwards, we browsed the internet for 45 minutes while discussing his plans for future network expansion (including wireless, security, differences between a switch and a router, differences between a wireless router and a wireless access point, etc, etc) and we were able to stay on the network the entire time!

Through looking around on the internet, I have found the SPI stands for “Stateful Packet Inspection”, and I have the garnered the idea that it has to do with security… but, I don’t understand how enabling this feature would cause network problems.  Could someone PLEASE explain this?  Get as technical as you’d like, as I dig details… but, please don’t BS me too much.  I’m wearing my good shoes.
0
Comment
Question by:AbacusOnsite
  • 8
  • 5
  • 4
  • +1
19 Comments
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
SPI is a type of firewall.  It is the mostly widely used and in my mind the best type out there.  In the past, only advanced firewall products had this feature, but it is now being packaged in today's routers.

That being said, I would hesitate to advise you that this is the problem here.  Since you modified the MTU to 1492 I will assume you are using a DSL connection with PPPoE..?  If so, as you know, this protocol is an on and off again flavor of broadband, which does automatically disconnect you after a period of time (although in the perfect world, it is supposed to be a seamless reconnect)

Regarding MTU settings, I have written a short page on how to determine the proper MTU size on my website.  If you would like, feel free to visit:

www.doverproductions.com

or

http://65.24.134.81/KipSolutions/MTU/MTU.htm

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
mostly widely used = widely used   :)  Jeez, I need some more coffee before I post, eh?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
BTW:  you should modify the MTU on the router and the client systems...
0
 
LVL 2

Author Comment

by:AbacusOnsite
Comment Utility
The router is connected to a *cable modem*...an RCA/Thompson DCM315.  Comcast is the ISP.  I only know about the MTU size tweak from reading the posts here at EE.  What does the MTU have to do with DSL?  Does it matter if the client is using Cable Modem instead of DSL?  And the real question is:  Why would changing the MTU to 1492 (and, turning off SPI) alter the router's ability to stay connected to Comcast?  Those two things are the ONLY things I changed and the user hasn't had any problems since.

Also, if I WERE to change the MTU on the client machines, how do I change it on a MAC?  I know how to change the MTU within Windows XP, but I barely know my way around a MAC.  The user practically had to do the MAC stuff for me when I was on his laptop (a little embarrassing, but I'm okay with that for now).

Oh... and I don't know if it matters or not, but the Firmware on the Netgear router was 5.20_RC3NA.  I read a little bit on the EE forums that people were having some problems after flashing from 4.00, but those posts are over a year old.  I would think that Netgear had solved that problem a long time ago.  
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
#1   MTU size has a lot to do with DSL..  PPPoE adds an extra header to the packet, which is 8 bytes in size, therefore the 1492 recommendation.  (Cable is 1500 as it does not have to push that extra packet baggage.)  But, I have found that even a 1492 setting will start fragmenting.  As far as disconnecting, the packet size (MTU) does not have anything to do with this.  (I only sent you that link so you could get a better understanding of this)

I would look harder at how that Firewall is configured.  Usually SPI firewalls are highly configurable.

#2   I don't know anything about MACs except for a few times I have had to network them.  Never had to change the MTU on one..

#3   And yes, Netgear is a good product and I would agree that they should have debugged it by now.  
0
 
LVL 11

Accepted Solution

by:
infotrader earned 250 total points
Comment Utility
Comcast doesn't use PPPoE and thus you do not need to set your MTU.  I've got a Linksys and Comcast and everything is working fine (just to save you trouble from playing with the setting too much).

There are a few possibilities here:

1.  The cable modem is going out - This happens every once in a long while, and happened to me just 2 months ago.  Nothing you can do except replacing it.

2.  The Linksys might be going bad....  Once again, doesn't happen alot but could.  Another possibility is to look for a different version of firmware (upgrade if you need to, or sometimes downgrade would do the trick).  I have a Linksys 4Port router, and after upgrading it continues to give me problems until I've rolled back to the earlier firmware.

3.  The cable modem connection is not good.  Sometimes, if your cable is exposed to a lot of water, heat, etc., it is known to degrade to a point you'll get sporadic outages.  This happens to a client of mine until Comcast took care of it.

Most likely it's the firmware, I think.

- Info
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
yes..  It could even be the type of cable that you are wired with here.  Cabling is definitely an issue with a Cable connection.  If you are in an apartment (or a home for that matter) that was cabled prior to the year 2000, there is a good possibility  that the cable is RJ59, which causes problems with attentuation.  Cabling should be at least a minimum of RJ6.  (I even replaced my cable with RJ11, which is a very heavy gauge coax.)
0
 
LVL 2

Author Comment

by:AbacusOnsite
Comment Utility
I suppose I should have mentioned this in the beginning:

Before I went on-site to "fix" the issue, the user says that he could connect a single computer into the cable modem (without the router) and surf the web for hours and hours with absolutely no problems at all.  This was Comcast's suggestion to him, to test the cable modem.  When he eliminated the router from the equation, everything worked fine on the one machine, and so Comcast said "not our problem" and that was when he called me.

I am fairly confident that the problem was with the router, and I'm also pretty sure that whatever I changed on the router has improved the situation... either turning off the SPI, or changing the MTU from 1500 to 1492.  Apparently, from what everyone here is saying, the MTU setting only has to do with DSL, so I'm suspecting that the SPI setting was doing something funky with the connection.  This is so odd!  Has no one EVER seen a network issue like this?

A faulty cable is a possibility, but I am doubtful about that being the only thing wrong (although I will change it if the problem comes back, so thank you for mentioning it).

By the way, the router is a Netgear.  Not a Linksys.  Don't know if that really matters, but I thought I'd clarify this.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
SPI firewalls work in both directions.  Stopping errant packets from leaving, as well as coming into the LAN.  This is why I believe that it is your problem.  Look at it carefully, and see if you can tweak the settings to allow the traffic your client needs to get out...

FE
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 2

Author Comment

by:AbacusOnsite
Comment Utility
Why wouldn't I want to just disable this setting and install something simpler, like Zone Alarm or Norton Firewall?  I know that each of them adds a little "overhead" to the computer, which in turn, lowers the performance a little.  But, at the same time, they are easier to configure and give you warnings and feedback when it detects suspicious activity.

If what you are telling me true, SPI simply severs connectivity when it suspects foul-play, without any warning or explanation of what has occured.  This is unacceptable behavior on a network, and I would rather do without it.  If a cracker wants to get into a network, there are literally thousands of wide-open wireless networks out there to choose from.  I would rather disable SPI and take my chances, than leave it enabled and pull my hair out because every 5 to 15 minutes my router kicks me off of the internet!
0
 
LVL 11

Expert Comment

by:infotrader
Comment Utility
Actually, SPI is a good thing.  ALL top-quality firewalls (such as Cisco) use SPI.  It should not drop all of your packets when it detects some foul play, or at least that's not what it is meant to be....  Otherwise, it's worse than a DoD attack, wouldn't you think (All I have to do is TRY to hack into the system, and the router would kill the network?  LOL)

With SPI not working, I am suspecting that something IS wrong with your router/firewall.  Have you tried upgrading/downgrading the firmware as suspected?  I would try that first BEFORE giving up on the SPI, because you never know if something else is not working (such as it's not blocking anything at all, etc.).

Of course, I must say, if all else fails, then I'd either have to go out and get another router when I have the time/money, or just do what you suggest and turn off the SPI :-)

- Info
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Agree with info...  SPI is usually rock solid, and a very good thing to leave in place..  Turn it off as a last resort.

Most every network I have worked on requires file/print sharing to some extent, whether it be Domain ro P2P..  These software firewalls always present problems in these circumstances...  (Problems meaning that your customer will be calling you every day for free troubleshooting...  :)
0
 
LVL 5

Expert Comment

by:eddkhamou
Comment Utility
You might have a conflict with the IP addressing between the router and the cable modem.

Try changing the IP addressing scheme on the router to a different Private Network address scheme.  Not sure what the default scheme is on Netgear.

If the DHCP address on the router is 172.16.0.1 with a subnet of 255.255.0.0 change it to 192.168.0.1/255.255.255.0 or 10.0.0.1/255.0.0.0.

I don't think that SPI is the problem but if that's the only thing that works go with it.

Hope this helps

Ed

0
 
LVL 2

Author Comment

by:AbacusOnsite
Comment Utility
After checking back in the client, I learned that he is still having the same problem with his network... only less frequently with the SPI turned off.  I have a firm and ethical policy about my work, so I refunded his money and wished him luck.  He is in the process of returning the cable-modem back to Comcast.  Still scratching my head over this one.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
me too (scratching head)...  I have had to do the refund bit before myself.  Sorry about that..

FE
0
 
LVL 11

Expert Comment

by:infotrader
Comment Utility
Well, sometimes things just break or are defective out of the box.  I had to return a few defective equipments for my clients as well.  Just out of curiousity, now that we are pretty sure the problem really isn't the SPI, have you considered replacing the equipment with another one (or maybe another brand, although I am pretty sure Netgear has pretty decent products)?  That way, you restore fate into your client, and he's much happier with a good solution...  Just a thought.....  Good Luck.

- Info
0
 
LVL 2

Author Comment

by:AbacusOnsite
Comment Utility
After talking with the client a couple of weeks ago, I offered to come over and fix him free of charge... but, he said that Comcast was already scheduled to come out and replace the cable-modem.  By the way, it wasn't the Netgear switch that was bad.  It was the flakey cable-modem (RCA/Thompson DCM315).  Supposedly, the voltage was going out of range (both over and below), causing some major instability... even when connected to a good UPS.

I still wonder why disabling SPI would cause the router to misbehave less often.  I hate technology sometimes... only sometimes.

Well to make a long story short, points go to Infotrader for mentioning a faulty Cable Modem!

Cheers to all who pitched in and schooled me on SPI.  I learned a lot, as I always do on EE.  Thanks again.
0
 
LVL 11

Expert Comment

by:infotrader
Comment Utility
thanks!!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now