
TG582n firewall problem

EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

TG582n firewall problem

I have just suffered a weird problem where a Windows 8.1 laptop suddenly and persistently lost connectivity to the Internet without losing connectivity to the LAN and Intranet.  Our other computers and mobile phones (Linux based) had connectivity with both the WAN and LAN.  Naturally, I spent ages trying to work out what had changed in the laptop.  The answer after two full wasted days was nothing wrong with the laptop.  It was also nothing to do with my creating an internal IPv6 network on the LAN (Windows 8.1 is IPv6 transition ready).
The TG582n firewall was using a bespoke rule based on Standard but with a single block for a particularly nasty attacker sending break-in attempts to my email server at a high rate some 18 months ago.  The router has been up for ages and I have not had to change anything for many months.  The laptop has worked well as had everything else on the network.
It appears my bespoke firewall setting has changed internally without any record in the log.  Switching back to Standard opened access to the WAN for the laptop.  Switching back to my bespoke setting stops solely the laptop from sending traffic to the WAN.  With the bespoke firewall settings it is also impossible to log into the router from the LAN (wireless or cabled) using the laptop.  The laptop can access Intranet web-pages such as the printer maintenance screen.  Rebooting the router did not change anything.
I am baffled to say the least. 
Does anyone on the forum know the answer to these questions:

  • Is this a known problem with bespoke firewall settings?

  • Is there a fix or patch to software release 8.C.M.0 that addresses problems of this nature?

  • Is there a guide to the backup .ini file that I could use to start analysing what in the settings might be blocking the LAN side of the router for this particular computer?


8 REPLIES 8
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: TG582n firewall problem

You may find it helpful to view the list of rules in the firewall chains via telnet; that shows everything you need to know about the firewall, although it's not easy to follow.
e.g. telnet command:
firewall rule list
You can see the typical result from that command here:
http://npr.me.uk/forwardports.html
EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

Re: TG582n firewall problem

Thank you for the advice and the link to your guide. 
It appears that the rule cloned from Standard that allows outgoing packets from LAN to WAN disappeared of its own accord. 
I didn't notice it missing before digging through the telnet firewall listings for the working and non-working settings. 
I recreated a fresh configuration which includes the outgoing packet rule.
It brings into question my seeing the Linux machines continuing to work.  I suspect the Linux machines were renewing their pages from caches held locally or they were existing circuits that were continuing to respond. The other Linux machines should have suffered the same problem as the  Windows 8.1 laptop.  I have added the outgoing LAN -> WAN rule to the bespoke settings.
This is clearly a rare intermittent event.  I vaguely recall some rules changing shortly after I signed up with PlusNet a few years ago.  I hope I don't have a sneaky intruder covering his/her tracks.  I cannot do any more on this until I see it happen again. 
Settled but not Solved.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: TG582n firewall problem

I've never known a custom firewall rule disappear of its own accord.
If you seriously think there's an intruder, it's easy enough to change the router's password; it may also be worth disabling the reset button.
Alternatively you could create the firewall rule via telnet and place it in a higher firewall chain not shown in the GUI.
EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

Re: TG582n firewall problem

The solutions I found were one of the following:

  • delete IPv6 entries from the local DNS, DHCP and perhaps stopping the RAdvD server advertising the site-local IPv6 network address

  • jump ahead to interim IPv6 Internet connectivity, which involves upgrading the router firmware to version 10.x.y.z, and setting up a viable IPv6 tunnel with HE or SixXS

  • change the Windows 8.1 computer's packet routing preference levels to favour IPv4 over IPv6, which would allow for eventual retirement of the IPv4 service with no impact

  • disable the IPv6 service on the Windows 8.1 computer's Wi-Fi interface


I chose the last of these to allow my experimenting with an IPv6 site network to continue, albeit more cautiously.  It was the simplest solution with minimal ongoing maintenance.  It also minimises the chance the Windows 8.1 computer will misbehave due to side-effects of further IPv6 Intranet experimenting clashing with my lack of Windows 8.1 knowledge.   
Thank you npr for your last comment.  I am probably misinterpreting symptoms I was seeing.  I need to test whether the absence of the accept outbound rule is a real problem.  I could have mistaken the IPv6 packets hitting the IPv4-only router and getting no response as being caused by the absence of the accept outbound rule.
EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

Re: TG582n firewall problem

BTW npr.  I disconnected the router from the modem, rebooted without Internet connectivity to check to see if an intruder had done something nasty in the router. 
I was worried because I had been blocking a set of Chinese hacking sources that are part of the Hee Thai Campaign who are trying to break into server root accounts via SSH.  They were switching the addresses frequently so I blocked entire address ranges for some Chinese ISPs - I would actually like to block the rest of the world. 
Being suspicious I noticed that the Windows 8.1 event log recorded some registry events that contained the words access records deleted, which I found suspicious but were probably benign and part of a self healing mechanism when the operating system encounters a registry problem. 
It was very worrying for a while.
EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

Re: TG582n firewall problem

REALLY SOLVED:
I tracked this problem down to the ARP responses being given by the router.
The router was giving two MAC addresses in quick succession (<1ms) for its LAN side.
1:  a4:b1:xx:xx:xx:xx
      and then
2:  a6:b1:xx:xx:xx:xx
The Windows IPv4 stack picked up the second MAC address and consequently failed to get anything more than an ICMP response and not through to the Internet or even the TG582n administration login screen.  Connectivity with other nodes on the cabled Intranet was unaffected as their ARP records were good.
The Linux stacks were not seduced by the second ARP response, so were fully capable of using the Internet.
I spotted a duplicate ARP error using Wireshark when I connected the laptop to the cabled segment.
I confirmed the problem was in the router using a cabled Linux computer using the program
/sbin/arping -b -I eth0 192.168.1.254
I disconnected most of the other devices connected to the network (pulling out their LAN cables).  I left arping running while I rebooted the TG582n to confirm that both of the responses stopped at the same time (as opposed to it being a separate device I did not know about).  This reboot cured the problem - just the first response.
I do not know if there is a hardware problem inside somewhere around MAC address dip switches (if they are still used in modern equipment).  I notice from npr's website that it is possible to set the MAC address via telnet or spoof it.  I don't think I did that.  I haven't asked the PN tech support user if they did anything when they adjusted the configuration over TR69.
That was way too hard. 
Thank you for the help.
I'm now trying to understand why a wireless laptop cannot access my separate DHCP/DNS server and my cabled desktop cannot ping the laptop via the TG582n.  I suspect I need a bridge set-up to link the Wireless LAN and the cabled LAN?
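
The duplicate-reply check described in the post above, as an added example that is not part of the original thread: it parses iputils arping output, reports any IP answered by more than one MAC, and notes whether the MACs differ only in the locally-administered bit (0x02 of the first octet), as a4 and a6 do. The sample output and the MAC suffixes are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of iputils arping output (not captured from the thread);
# only the a4:b1 / a6:b1 prefixes come from the post, the rest is placeholder.
SAMPLE = """\
ARPING 192.168.1.254 from 192.168.1.10 eth0
Unicast reply from 192.168.1.254 [A4:B1:00:00:00:01]  0.712ms
Unicast reply from 192.168.1.254 [A6:B1:00:00:00:01]  0.731ms
Unicast reply from 192.168.1.254 [A4:B1:00:00:00:01]  0.698ms
"""

REPLY = re.compile(
    r"reply from (\d{1,3}(?:\.\d{1,3}){3}) \[([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\]"
)

def macs_per_ip(text):
    """Map each answering IP to the distinct MACs seen, in first-seen order."""
    seen = defaultdict(list)
    for ip, mac in REPLY.findall(text):
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def same_base(a, b):
    """True if two MACs differ only in the U/L bit (heuristic: one device, derived MAC)."""
    as_int = lambda m: int(m.replace(":", ""), 16)
    return (as_int(a) ^ as_int(b)) == (0x02 << 40)

def conflicts(text):
    """Return one finding per IP that was answered by more than one MAC."""
    findings = []
    for ip, macs in macs_per_ip(text).items():
        if len(macs) > 1:
            findings.append({
                "ip": ip,
                "macs": macs,
                "locally_administered": [m for m in macs if is_locally_administered(m)],
                "same_base": all(same_base(macs[0], m) for m in macs[1:]),
            })
    return findings

if __name__ == "__main__":
    print(conflicts(SAMPLE))
```

A finding with same_base set points at one device answering from a derived interface address rather than a second NIC on the segment; a finding without it is the case to chase as an unknown host.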
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: TG582n firewall problem

Quote from: silentraspberry
REALLY SOLVED:
I tracked this problem down to the ARP responses being given by the router.
The router was giving two MAC addresses in quick succession (<1ms) for its LAN side.
1:  a4:b1:xx:xx:xx:xx
      and then
2:  a6:b1:xx:xx:xx:xx

I don't have a technicolor here to check, but IIRC the mac address a4:b1.... is the router gateway on IP address 192.168.1.254.
The mac address a6:b1....  is the file server for usb devices on IP address 192.168.1.253
Don't see why this is causing a problem with your firewall.
EmmaAtkinson
Dabbler
Posts: 14
Registered: ‎10-02-2014

Re: TG582n firewall problem

I don't think this is a firewall problem per se. 
My thinking it was a firewall issue was due to my lack of knowledge when I encountered this rather bizarre symptom.
I do not use the router's USB port for anything as I have separate servers for Files, Mail, DNS and DHCP.  I was certainly unaware of the USB port having its own IP address when acting as a File Server.  It never occurred to me.  One day I hope to replace the TG582n with something that is easier for me to manage, perhaps IPv6 ready too (even if PlusNet isn't ready to progress beyond the limited trial).
arping is returning solely the a4:b1:... MAC for the router gateway address today as it should - nothing has changed overnight, thankfully.
Quote
I don't have a technicolor here to check, but IIRC the mac address a4:b1.... is the router gateway on IP address 192.168.1.254.
The mac address a6:b1....  is the file server for usb devices on IP address 192.168.1.253

I have a TP-Link device configured as a cabled Wireless Access Point that was on IP.addr 192.168.1.253.    It also doubles as a bridge allowing Wireless LAN clients access to the DHCP server without configuring a bridge in the TG582n.  Configuring a bridge on the TG582n involves using the CLI, looked rather involved and probably prone to human error. 
Following your post above, I altered the WAP's network address as a precaution that I hope reduces the complexity of diagnosing network problems next time it turns against me.