Got me Stumped


MrShadow
05-04-2004, 10:11 AM
Ok, this problem is REALLY starting to tick me off. After a random interval of time (usually overnight, but can be 15 minutes), the Linux box (acting as firewall/NAT/webserver) stops talking to my modem (Webexcel). The only way to get everything working is to reboot first the modem, then the linux box. If I just reset the linux box, I get a virtual interface called eth0:9 (eth0 connects to the modem). If I just reboot the modem, SFA happens.

I've got the modem setup in half-bridge mode as this is the only way to run a server using this modem. My firewall is one of the most secure I've ever come across (perfect scores on numerous firewall checking sites), so I don't think it could be hackers or anything.

The only thing I can think of is a heartbeat pulse. Does Swiftel use a heartbeat? Acting in half-bridge mode, my modem forwards everything to the linux box. If the Linux box is blocking these pulses, could it affect the connection?

Any help would be GREATLY appreciated as this problem is, as I've said earlier, really starting to annoy me. So much so that I'm thinking of setting up a Windoze box and using that as the firewall/NAT/webserver.

Cheers
Gareth

smkranz0506
05-04-2004, 10:50 AM
could it be something to do with dhcp server in the modem?

had some issues setting up half bridge with a billion modem and it relied on a correct modem dhcp setup.

is it possible to run full bridge and use linux pppoe? that is what i use with my billion and debian.

MrShadow
05-04-2004, 11:01 AM
Hmm, I'll look into the DHCP.

I did actually find a setup guide for my modem that details how to set it up as a half-bridge so you can serve pages. The problem I was having was it wasn't forwarding ports (ie port 80) to the Linux box in full-bridge mode, which is why I went to half-bridge.

With my modem, I don't think it's possible to run pppoe from linux as this is an ADSL modem with 4 port hub. So it handles the pppoe and just dumps the data onto the hub. I'll look into it when I get home though. I'm willing to try anything to get this thing working.

Just in case it doesn't, I've got the sledge hammer ready...:mad: ;)

Edit:

**slaps self in forehead** I can use the USB port on the modem <duh>, assuming of course it has linux drivers. That should work, hopefully.

MrShadow
05-04-2004, 11:38 AM
**slaps self on forehead, again** Computer doesn't have USB ports. The onboard chip went bang, and adding USB cards doesn't work. *sigh*:(

mbottrell
05-04-2004, 06:14 PM
Originally posted by smkranz0506
could it be something to do with dhcp server in the modem?

had some issues setting up half bridge with a billion modem and it relied on a correct modem dhcp setup.

is it possible to run full bridge and use linux pppoe? that is what i use with my billion and debian.

Yup using full-bridge here with Fedora... the connection is rock-solid... only goes down when I bring it down. :)

Cheers,

Matt.

PS: Turn ya Billion into full bridge mode, remove all other features you are using on the modem and things will be fine... :) (ie: No DNS, no DHCP, etc).
The Billion just ends up acting as an ADSL gateway to Ethernet. :) It doesn't have any IP assigned to it.

MrShadow
05-04-2004, 06:55 PM
Does the modem still take care of the pppoe/authentication stuff in full bridge mode, or do I need to setup the Linux box to handle pppoe/authentication etc?

I do know how to setup ADSL on Linux (thanks Atomic PC!), but just one question, does Swiftel use Telstra's BPA login stuff?

Cheers
Shadrick:cool:

smkranz0506
05-04-2004, 07:27 PM
in full bridge mode, your linux box does authentication with rp-pppoe / ppp. it doesn't use telstra bpa login. all you need is rp-pppoe and ppp installed.

in full bridge, the hub isn't essentially used as only one client can login at a time. you can then use your linux box as a gateway and have a hub / switch attached after your linux box.

port forwarding isn't really applicable when in full bridge as all packets are automatically passed on to the linux box. you will then have to rely on your linux firewall.

try the advice mbottrell mentioned about disabling all your modem features, and then try using the linux rp-pppoe.

simon

mbottrell
05-04-2004, 09:53 PM
Yup Simon is correct.

asl-setup or the other GUI tool I showed you both are wrappers for rp-pppoe and pppd.

No BigSwamp login script required. :p

Use these + iptables to setup a full gateway... it outperforms your ADSL router anyway.

It also gives you much more flexibility... I use it with a dozen odd public-addressable IP addresses (routing via my Swiftel static IP), you can also setup tools to do traffic accounting and even Intrusion Detection. :) Using the 'internal IP' back to your network you can bind say SQUID to help speed up and cache HTTP/FTP stuff. :) This IP is also good for a DNS cache.... adding those two alone dramatically improves the appearance of a much 'faster' connection.


Cheers,

Matt.

smkranz0506
05-04-2004, 10:53 PM
i've been running my linux box on cable for a year, then moved house and got adsl. took me a week or so to iron out the differences between BPA cable and swiftel adsl, but all runs well now. (just over two months 24/7 with very little downtime - few hours total)

if you're game, you can run any service you wish as swiftel doesn't block any ports.

i haven't got around to running squid yet, but it has been on my todo list for a while.

i use ipac-ng to do traffic counting, although my counting rules are very simple and are just a carry over habit from cable and having to keep telstra's usage meter honest!!

MrShadow
06-04-2004, 08:34 AM
That's cool. Atomic PC (sometime last year I think) actually spent about 5 months on a project called the Uber-Linux box.

It goes from setting up a network server, to firewall (with NAT over ADSL/Cable) to Squid, bandwidth shaping, game serving, getting X on your Windows desktop. It also came with a very secure firewall script, which is what I'm using now. It's now more secure than my ADSL modem was when it was in router mode!

Thanks Again

mbottrell
06-04-2004, 11:24 AM
Glad ya up and running... :D

MrShadow
06-04-2004, 01:25 PM
Well, I spoke too soon. It's died again. I'll get some output from ifconfig -a, cat resolv.conf etc... when I get home (I'm at work atm, so can't access the server).

After that, I'll get the ADSL stuff setup on the linux box, reset the modem to factory defaults so I can access it, and set it to full bridge mode. Hopefully, after that little step, I'll post the output here for you to have a look at.

Once it's up and running, it should be fairly good. Although the 64k upload speed is a bit of a bum. If I'm browsing it at uni, it's not going to be much faster than browsing over a 56K modem.

mbottrell
08-04-2004, 10:04 AM
Actually at 64K it is a reasonable amount faster... :)

Though got to 512/128 ... you'll notice a big increase... :)

Cheers,

Matt.

PS: Just minimise the graphics on your pages... text does come down fast. :) You can also turn on gzip encoded web-pages which makes a BIG improvement in speed (most modern browsers support it... though not all proxies do).

MrShadow
13-04-2004, 09:27 AM
Hmm, well I spent a lot of time over Easter playing with various settings on the modem, the problem being once setup in bridge mode, the only way to access the modem is to reset it to factory defaults.

I can't figure out how to get it into full-bridge mode, so I'm stuck with half-bridge. And unfortunately, it also looks as though I'm stuck with an unreliable connection that needs resetting at least every morning. Whether this is due to the modem, linux, phone line or swiftel I have no idea, nor any means to find out.

Bummer.

kal
13-04-2004, 10:25 AM
Worth checking your nic. Some cards go to sleep after a period of inactivity. Obviously most common on laptops but I've seen it on desktop products as well (cheaper for manufacturers to use one component for all products). they are supposed to wake up with activity but I've had a couple of crappy desktops never wake up at work(And everyone blamed the network!!!!!).
Just a thought.

MrShadow
13-04-2004, 02:33 PM
Thanks Kal, I'll grab a new one (or 2) from work and see what happens. Thanks for that. Why I didn't think of it.....*duh* :rolleyes:

MrShadow
14-04-2004, 08:16 PM
Well, after much stuffing around I've given up. 5 minutes after I setup the new NIC as the gateway device, it had stopped talking to the net. Swapping NICs so the other was the gateway had the same result. I can't run a web server on a connection like that.
Whether it's a connection problem, modem problem, Linux problem, NIC problem, whatever problem I have no idea. The only thing I can think of to try now is either setup a DMZ on the modem (although whether or not you can serve from a DMZ I don't know) or try a new modem. And I'm not about to spend $150+ on a new modem on the off chance it'll fix my problem.

*sigh*
:( :(

EDIT:- Well, I've just answered my own question. No, you can't use a web server in a DMZ. Looks like I'll go back to using my 50Mb web space and point the domain name at that.

mbottrell
15-04-2004, 02:46 AM
WTF?! A DMZ is exactly where an Internet visible host should sit (such as a Mail server, Game Server, Web server).

You do know what a DMZ is don't you?
If not... here's a cryptic definition if there ever was one! http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=DMZ

Cheers,

Matt.

PS: I think you might be referring to a port-forwarded Web server. This isn't a DMZ host, but rather a Destination-NATTED host. Port-forwarding is also possible but not always the preferred solution...

mbottrell
15-04-2004, 02:51 AM
Wondering if you can shed more light on your 'lost connection'.
What specifically happens... do you have line sync? What happens before the reboot? Have you got any logs?!

Might pay to get Swiftel to raise a call to get your line checked.... sounds like it's either your modem or your line. :(

Cheers,

Matt.

MrShadow
15-04-2004, 09:34 AM
I didn't know what a DMZ was until I read a post sometime yesterday in the Modem help section, which is what gave me the idea of setting one up. Either way, the Webexcel modem does not forward ports, even when told (using the "Virtual Server" section), nor does it forward requests to the DMZ when the DMZ is setup. It'll only forward requests when in half-bridge (and then it forwards everything, it only handles connection auth/PPPoE). I wish I knew how to disable the stupid firewall on it... (there are no options in any menu, either web based or telnet based).

As for "Connection" problems, it's hard to describe exactly. I'm now almost certain it's not the line as when the modem is not in half-bridge mode, everything works fine for as long as you want. Fire up the system in the morning, check email, works first go. It worked like that for a week or two before I got linux going.

When it stops talking, there are no error logs as linux thinks everything is cool, except it can't see the network. Modem still shows all correct lights. But when the network is restarted (service network restart), I get a virtual ethernet port on the gateway device (I get eth0:9 with IP of 172.255.255.255 or something). Otherwise, all the other error logs/normal logs show nothing at all out of the ordinary, which is what bugs me. There SHOULD be something. I'm leaning towards modem at the moment, but don't have a spare one (none of my friends can even get ADSL, let alone afford it) I can use as a test.

Oh, well. What do you do with a Linux box that doesn't work? Easy, wipe it, load up Windows, install Flight Sim and use it in the Flight Sim Pod you're building! Although, when I get some time after uni finishes this semester, I'll look into it again. Might have enough for another modem by then so I can check that...

smkranz0506
15-04-2004, 01:04 PM
check your routing when you're in full bridge. When the modem is in full bridge and you use linux, ppp and pppoe will setup an interface ppp0 (or something). ppp0 is then tunnelled over eth0 (or whatever your external NIC is). The default route will be thru ppp0 which in turn goes thru eth0. to access the modem in full bridge mode, you will need to setup your ext NIC to the same subnet as the modem, and then ensure you have a route setup for that subnet. without this, you'll never see your modem.

what happens when you try to ping your modem when in full bridge?

not sure what settings to use for webexcel, but i use rfc 1483 llc bridge for my billion 5100.

simon

MrShadow
15-04-2004, 03:44 PM
what happens when you try to ping your modem when in full bridge?

Ahh, nothing because there's no way I can find to get the webexcel into full bridge mode. The best I can do is to get half bridge (modem handles PPPoE, and passes it onto the linux box eth0 via the inbuilt switch). And in half-bridge, I can't ping it. The IP address of the modem is 10.0.0.2. In half bridge, does that change to the static IP address assigned by Swiftel?

You do have a "Bridge" option on the Webexcel, but setting it to enabled does nothing. Under "Misc" configuration, there is a "PPP Half Bridge" option. Setting this to "Enabled" puts it into half bridge. Making both enabled only gets me half bridge. The webexcel seems to have problems doing what it's told. Port forwarding doesn't work, and the DMZ doesn't work either. And to top it all off, trying to find help for it is near impossible. It took me ages to find any info on it at all, and then the only 'info' I could find was people having problems asking for help. I eventually found instructions on setting up half bridge.

But, when it does fail, it either says "Cannot access network" (if pinging an IP eg 203.2.193.124) or sits there doing SFA (doesn't resolve address, doesn't throw any errors). If just trying to access the net from any of the computers on the network, I have noticed that there is no activity on the modem. But that could be a symptom of the problem, not the problem itself.

Just to double check, what are the error logs I should be looking at? Just want to make sure I'm not a dunder head and missing the obvious.

Below is a cut from /var/log/messages:


Apr 13 18:22:22 www drakconnect[587]: removed files/directories /etc/resolv.conf
Apr 13 18:22:22 www drakconnect[587]: written eth1 interface configuration in /etc/sysconfig/network-scripts/ifcfg-eth1
Apr 13 18:22:22 www drakconnect[587]: written eth0 interface configuration in /etc/sysconfig/network-scripts/ifcfg-eth0
Apr 13 18:22:22 www drakconnect[587]: created file /etc/hosts
Apr 13 18:22:22 www drakconnect[587]: created file /etc/hosts
Apr 13 18:22:24 www drakconnect[587]: modified file /etc/profile.d/proxy.csh
Apr 13 18:22:24 www drakconnect[587]: modified file /etc/modules.conf
Apr 13 18:22:25 www drakconnect[587]: modified file /etc/sysconfig/network
Apr 13 18:22:25 www drakconnect[587]: modified file /etc/sysconfig/network-scripts/ifcfg-eth1
Apr 13 18:22:25 www drakconnect[587]: modified file /etc/sysconfig/network-scripts/ifcfg-eth0
Apr 13 18:22:25 www drakconnect[587]: writing host information to /etc/hosts
Apr 13 18:22:25 www drakconnect[587]: writing host information to /etc/hosts
Apr 13 18:22:25 www drakconnect[587]: modified file /etc/profile.d/proxy.sh <142>Apr 13 18:22:25 drakconnect[587]: modified file /etc/profile.d/proxy.csh
Apr 13 18:22:26 www network: Shutting down loopback interface: succeeded
Apr 13 18:22:26 www network: Setting network parameters: succeeded
Apr 13 18:22:27 www network: Bringing up loopback interface: succeeded
Apr 13 18:22:27 www ifup: Determining IP information for eth0...
Apr 13 18:22:35 www dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13
Apr 13 18:23:01 www dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20
Apr 13 18:23:31 www dhclient: No DHCPOFFERS received.
Apr 13 18:23:31 www zcip[842]: interface: eth0 (00:10:B5:43:C5:79)
Apr 13 18:23:31 www zcip[842]: probing for 127.255.255.255 <30>Apr 13 18:23:31 zcip[842]: sending probe 1 for 127.255.255.255
Apr 13 18:23:35 www zcip[842]: sending probe 3 for 127.255.255.255
Apr 13 18:23:39 www zcip[842]: claiming ownership of address 127.255.255.255
Apr 13 18:23:43 www ifup: done.
Apr 13 18:23:43 www zcip[843]: watching for collisions
Apr 13 18:23:43 www ifup: ./ifup: line 433: 844 Hangup /etc/init.d/tmdns reload >/dev/null 2>&1
Apr 13 18:23:43 www network: Bringing up interface eth0: succeeded
Apr 13 18:23:45 www network: Bringing up interface eth1: succeeded


Below is output from iptables -L after running my firewall script:


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere 255.255.255.255 udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:10000
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 169.254.0.0/16 anywhere
DROP all -- anywhere 127.0.0.0/8
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:https
LOG all -- anywhere anywhere LOG level warning prefix `|iptables -- '

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 10.0.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination




Below is cut from /var/log/syslog when trying to ping when it's broken:


Apr 13 23:59:05 www postfix/nqmgr[2693]: 4E7CD99FD: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=218273, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: 4D5199A08: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=217609, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: 42EC59A05: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=217804, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: 4FD5299EA: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=219424, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: 42EE699EC: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=219304, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: E3AF8944C: to=<huscroft@adsl-36-176.swiftdsl.com.au>, relay=none, delay=201472, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: ED48D9A47: to=<huscroft@adsl-36-176.swiftdsl.com.au>, relay=none, delay=201468, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: E47DD9A4E: to=<huscroft@adsl-36-176.swiftdsl.com.au>, relay=none, delay=201467, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
Apr 13 23:59:05 www postfix/nqmgr[2693]: E45D49A55: to=<huscroft@adsl-36-176.swiftdsl.com.au>, relay=none, delay=201466, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
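Reading the INPUT chain above the way a firewall reviewer would: iptables evaluates a chain top-down and stops at the first terminating target (ACCEPT or DROP), and `iptables -L` without `-v` does not print the interface a rule is bound to, so the two bare `ACCEPT all -- anywhere anywhere` lines cannot be judged from this listing alone (if they are bound to an interface, that column is simply hidden). The script below is an added example, not code from the thread or from the firewall script being discussed. It parses the quoted INPUT chain, reports which later rules would be shadowed if those ACCEPTs really are unconditional, and lists the DROP rules whose source network contains a given address; the probe address 10.0.0.2 is the modem address given later in the thread.

```python
"""Rule-order audit for one chain of `iptables -L` output (added example)."""
import ipaddress
import re

# INPUT chain quoted from the thread above (iptables -L without -v, so there
# are no interface columns in the listing).
INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere 255.255.255.255 udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:10000
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 169.254.0.0/16 anywhere
DROP all -- anywhere 127.0.0.0/8
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:https
LOG all -- anywhere anywhere LOG level warning prefix `|iptables -- '
"""


def parse_chain(text):
    """Return (policy, [rule dicts]) for one chain of `iptables -L` output."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." and column-header lines
        target, prot, _opt, src, dst, *extra = line.split()
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst,
                      "extra": " ".join(extra)})
    return policy, rules


def is_unconditional(rule):
    """True when the listing shows no protocol, address or match restriction.

    Without -v an interface match (-i lo, -i eth1 ...) is invisible, so such a
    rule is 'cannot be judged from this listing', not necessarily wrong.
    """
    return (rule["prot"] == "all" and rule["src"] == "anywhere"
            and rule["dst"] == "anywhere" and rule["extra"] == "")


def shadowed_rules(rules):
    """Indices of rules below the first unconditional ACCEPT/DROP.

    iptables stops at the first terminating match, so as listed these rules
    can never fire for any packet.
    """
    for i, rule in enumerate(rules):
        if rule["target"] in ("ACCEPT", "DROP") and is_unconditional(rule):
            return list(range(i + 1, len(rules)))
    return []


def rules_dropping_source(rules, ip):
    """DROP rules whose source network contains the given address."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rule in rules:
        if rule["target"] != "DROP" or rule["src"] == "anywhere":
            continue
        if addr in ipaddress.ip_network(rule["src"], strict=False):
            hits.append(rule)
    return hits


def audit(chain_text, probe_ip):
    """Summarise policy, rule count, shadowed rules and DROPs hitting probe_ip."""
    policy, rules = parse_chain(chain_text)
    return {
        "policy": policy,
        "rule_count": len(rules),
        "shadowed": shadowed_rules(rules),
        "drops_for_source": [r["src"] for r in rules_dropping_source(rules, probe_ip)],
    }


if __name__ == "__main__":
    for key, value in audit(INPUT_CHAIN, "10.0.0.2").items():
        print(f"{key}: {value}")
```

To settle what the script cannot see, re-run the listing as `iptables -L -v -n`: the `in`/`out` columns then show which interface each `ACCEPT all` is bound to, and numeric output avoids the name lookups that `-L` performs on its own.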

mbottrell
15-04-2004, 05:58 PM
The syslog errors are due to it trying to send mail (via postfix) to a local user ( huscroft@adsl-36-176.swiftdsl.com.au )

This is failing as the IP adsl-36-176/swiftdsl.com.au doesn't have an MX (mail exchange) DNS record... and thus doesn't know where to send it. :(

U need Dynamic DNS if you want this happening. Then send to the dynamic DNS address.. ie: huscroft@myadslconn.ddns.org.

Take a look at companies like ddns.org that offer services for free (there are plenty around!)

Looking at the syslogs and boot messages... your NIC is trying to get a DHCP address... seems to fail and then use a private address instead... Never good...

Seems you have a weirdass setup... (no offense meant!)

If you are a student... look at Astaro Linux -- it's an easy-to-use, feature rich, and free for personal use Linux Firewall that supports PPPOE. You can find more here: http://www.astaro.com/

It's as simple as sticking the CD in (downloadable ISO), answering a few questions and away you go! (Less than 10 mins!)

Best of all -- it's all web-based and quite powerful! :) Very easy to use as well... and well docoed! :)

Cheers,

Matt.
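Matt's reading of the two log excerpts (the postfix deferrals are an MX lookup failure and say nothing about the link; the real clue is dhclient getting no offer and zcip then claiming an address) turned into a small triage script. This is an added example, not code from the thread; it assumes the exact line formats shown in the thread's excerpts (dhclient, zcip and postfix/nqmgr) and embeds an abridged copy of those lines as its sample input. One detail it makes explicit: an IPv4 zero-conf fallback normally lands in 169.254.0.0/16, whereas the address zcip claimed in the log is in 127.0.0.0/8, which the script classifies as loopback.

```python
"""Triage of the /var/log/messages and syslog lines quoted in the thread (added example)."""
import ipaddress
import re

# Abridged copy of the log lines quoted earlier in the thread.
LOG_LINES = """\
Apr 13 18:22:27 www ifup: Determining IP information for eth0...
Apr 13 18:22:35 www dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13
Apr 13 18:23:01 www dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20
Apr 13 18:23:31 www dhclient: No DHCPOFFERS received.
Apr 13 18:23:31 www zcip[842]: interface: eth0 (00:10:B5:43:C5:79)
Apr 13 18:23:39 www zcip[842]: claiming ownership of address 127.255.255.255
Apr 13 18:23:43 www network: Bringing up interface eth0: succeeded
Apr 13 23:59:05 www postfix/nqmgr[2693]: 4E7CD99FD: to=<huscroft@adsl-36-176.swiftdsl.com.au>, orig_to=<huscroft>, relay=none, delay=218273, status=deferred (Name service error for name=adsl-36-176.swiftdsl.com.au type=MX: Host not found, try again)
""".splitlines()

DISCOVER_RE = re.compile(r"dhclient: DHCPDISCOVER on (\S+) ")
NO_OFFER_RE = re.compile(r"dhclient: No DHCPOFFERS received")
ZCIP_RE = re.compile(r"zcip\[\d+\]: claiming ownership of address (\S+)")
MX_FAIL_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): .*type=MX: Host not found")


def classify_address(addr):
    """Name the address family so the report can say whether it is usable on a WAN link."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def triage(lines):
    """Scan syslog-style lines and collect the link-related and mail-related facts."""
    report = {
        "dhcp_interfaces": set(),   # interfaces on which dhclient sent DISCOVERs
        "dhcp_failed": False,       # dhclient gave up without an offer
        "fallback_address": None,   # address zcip claimed after the failure
        "fallback_kind": None,
        "deferred_mail": [],        # postfix queue ids deferred for a missing MX
    }
    for line in lines:
        if m := DISCOVER_RE.search(line):
            report["dhcp_interfaces"].add(m.group(1))
        elif NO_OFFER_RE.search(line):
            report["dhcp_failed"] = True
        elif m := ZCIP_RE.search(line):
            report["fallback_address"] = m.group(1)
            report["fallback_kind"] = classify_address(m.group(1))
        elif m := MX_FAIL_RE.search(line):
            report["deferred_mail"].append(m.group(1))
    return report


def findings(report):
    """Human-readable conclusions, in the order a troubleshooter should read them."""
    out = []
    if report["dhcp_failed"]:
        ifaces = ", ".join(sorted(report["dhcp_interfaces"])) or "unknown interface"
        out.append(f"DHCP on {ifaces} got no offer: nothing on that segment answered")
    if report["fallback_address"]:
        out.append(f"zcip claimed {report['fallback_address']} ({report['fallback_kind']}): "
                   "not a usable WAN address, so traffic out that interface cannot work")
    if report["deferred_mail"]:
        out.append(f"{len(report['deferred_mail'])} queued message(s) deferred: "
                   "no MX record for the destination host, unrelated to the link")
    return out


if __name__ == "__main__":
    for line in findings(triage(LOG_LINES)):
        print(line)
```

The ordering of the findings is deliberate: the DHCP failure and the fallback address explain why the box cannot see the network, while the postfix lines are noise for this problem and would still appear on a perfectly healthy link.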

smkranz0506
15-04-2004, 06:07 PM
try reading this thread for the trouble i had with half bridging. i am rather new to networking and not too good at explaining troubleshooting.

http://forum.swiftdsl.com.au/showthread.php?s=&threadid=3946

as far as i know with my billion, the ip address of the modem remained the same after eth0 got the swiftel ip. but i still had a route up for 192.168.1.0 set to eth0. if i remember correctly, 10.0.0.2 is a private address and will not go thru default route, so you have to add one.

try route add -net 10.0.0.0 netmask 255.255.255.0 eth0 and then ping it. make sure your firewall allows ping out on eth0 and back in again. have you tried pinging with firewall completely flushed with policies ACCEPT?

when a modem is in bridge mode, it's meant to do nothing. you then have to use ppp and pppoe to authenticate. Do you have these running? if so, as previously stated, a ppp0 interface will be setup etc. you will also need to setup your dns in /etc/resolv.conf with a nameserver 218.214.17.1 (melbourne dns)

Based on your log, dhclient did not get an address?? can you post output of ifconfig?
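Simon's two routing points, here and in his earlier post (in full bridge pppd brings up ppp0 as the default route, tunnelled over eth0, and the modem's own subnet needs an explicit route on the external NIC or the modem is unreachable), as an added example that is not code from the thread. The route table is constructed: the PPP peer address 203.0.113.1 is a documentation-range placeholder, while the modem address 10.0.0.2 and the 10.0.0.0/24 subnet are the ones given in the thread. The script parses `route -n` output, does the kernel's longest-prefix match, and returns the `route add` command from the post above when nothing yet points at the modem.

```python
"""Check whether a full-bridge routing table can reach the modem (added example)."""
import ipaddress

# Constructed `route -n` output for a box in full-bridge mode: ppp0 carries the
# default route (peer 203.0.113.1 is a documentation-range placeholder), eth1 is
# the LAN, and nothing yet points at the modem's own subnet on eth0.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 ppp0
"""

MODEM_IP = "10.0.0.2"          # modem address given in the thread
MODEM_SUBNET = "10.0.0.0/24"   # subnet from the thread's route add example
EXT_IFACE = "eth0"             # NIC the modem is plugged into


def parse_route_table(text):
    """Turn `route -n` output into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines()[2:]:  # skip title and header lines
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),  # netmask form is accepted
            "gw": gw, "flags": flags, "iface": iface,
        })
    return routes


def route_for(routes, ip):
    """Longest-prefix match, as the kernel does; None if no route covers ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)


def default_iface(routes):
    """Interface carrying the default route, or None."""
    r = route_for(routes, "0.0.0.0")
    return r["iface"] if r and r["net"].prefixlen == 0 else None


def modem_route_fix(routes, modem_ip, modem_subnet, ext_iface):
    """Return the `route add` command needed to reach the modem, or None if it is
    already routed out of the external NIC rather than down the PPP tunnel."""
    r = route_for(routes, modem_ip)
    if r is not None and r["iface"] == ext_iface:
        return None
    net = ipaddress.ip_network(modem_subnet)
    return f"route add -net {net.network_address} netmask {net.netmask} {ext_iface}"


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    print("default route via:", default_iface(routes))
    print("modem currently routed via:", route_for(routes, MODEM_IP)["iface"])
    fix = modem_route_fix(routes, MODEM_IP, MODEM_SUBNET, EXT_IFACE)
    print("needed:", fix or "nothing, modem route is in place")
```

The route alone is not enough: as the post above says, the external NIC also needs an address inside 10.0.0.0/24 (an alias such as eth0:1 will do) so the ping has a source address the modem can answer, and the firewall must pass ICMP out of eth0 and the replies back in.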

MrShadow
16-04-2004, 12:15 PM
when a modem is in bridge mode, it's meant to do nothing

A modem in full-bridge mode. I can only get half bridge, where the modem handles the PPPoE/authentication. I can ping as the firewall is setup to accept anything in reply to a request from inside the network.

Thanks for the route -add command. I'd been trying to remember what the hell it was, but couldn't.

If you are a student... look at Astaro Linux

Hmm, sounds interesting. I'm also in the process of downloading e-smith server (www.e-smith.org). Same kind of thing.

I can't get any more logs/output atm as I've taken the system down and have it running straight through the modem. I've also setup a URL redirection to home.swiftdsl.com.au as I don't have any more time to spend on this right now (damn uni). When the mid year break comes though, I'll be looking back into this. As I'd really like the flexibility of running my own server.

Thanks
Gaz

smkranz0506
16-04-2004, 12:28 PM
clarkconnect is also good as a firewall distro, and i know it supports pppoe. should support half bridge also, you would just choose eth0 as your external interface and dhcp and it should work. that is what i used before i switched to debian for a complete distro.

i have messaged you my email address if you wish to discuss anything in future.

mbottrell
16-04-2004, 06:00 PM
Yup... Clark, E-Smith or Astaro are all quite good. :)

Good luck with it all Gaz... let us know how you come on during mid-sem. break. :D

PM me if you need any assistance.

Cheers,

Matt.