

    ON SECURITY


    A router upgrade results in some surprises

    By Susan Bradley

    Sometimes “new” doesn’t necessarily mean better — at least not for customers upgrading to the newest technology.

    Installing an updated Comcast router at the company’s request brought some unpleasant surprises. Here’s a lesson for us all.


    The full text of this column is posted at http://windowssecrets.com/on-security/a-router-upgrade-results-in-some-surprises/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1467955

      This wouldn’t quite solve all of Susan’s issues, but goes a long way to it.

      I always install a separate firewall box. You can actually use a broadband router (one with Ethernet on the WAN side) as a firewall. This way I can isolate my network from whatever cable/ADSL etc. supply I have. I also do this for the small businesses I support. This way, if a router dies, a quick replacement can be done without having to replace lots of settings. In a hurry, you simply point the DMZ to the firewall, and then later, at your leisure, do the normal configuration you would have.

      It does have a further useful purpose – the wifi on the router is now isolated from the rest of your network – one of Susan’s concerns. What you effectively have is a “me.external” network which is anything connected to the router and a “me.internal” network which is anything within the firewall.

      Yes, it is a little extra cost (from about $50, although you can use an old PC and download a UTM firewall virtual appliance free for home use from companies like Sophos) and effort, but it provides protection and isolates you more from things your service provider might do.

    • #1467982

      Susan,

      I have to agree with TonyGore in the above message. No matter what I receive from my ISP, that goes into a firewall router and then that goes into my network switch. I will also discuss an earlier version of this which I have abandoned but might be useful to some.

      The current architecture is derived from the fact that I have abandoned POTS (Plain Old Telephone Service) lines and switched both my home business and personal phones to VOIP. I live in Aurora, Ontario, Canada (a wee bit north of Toronto), so our ISP ecosystem may be very different from the USA one. Both the cable company and the telephone company must provide “last mile” connectivity to independent ISPs. The ISP offers connectivity and, in the case of my current ISP, VOIP services. An alternate ISP also offers IPTV services, but I must be a connectivity subscriber to obtain their IPTV offerings.

      The irony of the situation that triggered our cutting of the personal home phone POTS line was that while our DSL was working during a major blackout around Christmas 2013, our POTS circuit (which came in on the same pair) was down! VOIP let us reduce our monthly bill from $75 to $15 (and yes, there are cheaper options, but there are reasons that we are where we are). When we cut the last POTS line we realized we had no communications redundancy. So we ordered a very low cost cable internet service (no longer offered to new subscribers). Our DSL is 25 Mb/s down and 10 Mb/s up. Our cable is 6 Mb/s down and 256 kb/s up.

      The DSL comes with a SageMCom modem which has WiFi and a four-port router built in. The Cable comes with a modem.

      Our main network firewall is a Netgear FVS-336Gv2 dual WAN four-LAN-port device. I have been very pleased with that device and it was chosen because it has a firewall throughput of 60 Mb/s which compares very favourably to the FVS318’s 9 Mb/s which I had used for a decade. We only outgrew that about three years ago.

      One WAN port is fed off one of the SageMCom’s four ports.
      My business line ATA VOIP adapter is fed off a second port of the SageMCom.
      The wireless is configured as a guest router.
      A third port is available for patching to help in my setup and checkout of my boys’ university systems.
      The fourth port is unused.

      The Cable modem feeds the home phone ATA VOIP adapter and the output of that feeds the second WAN port on the FVS336. This is the ISP’s preferred configuration for the ATA. On the SageMCom I had an ongoing need to reboot that ATA, but things have turned around since we put three port forwarding instructions into the SageMCom (and printed them, because Bell, the owner of the last mile and the party responsible for the modem, has been known to push updates that wipe out custom settings). When that happens, I need to go back and make sure my password isn’t “password” again, as Susan mentioned.

      The FVS336 is in DSL preferred but auto rollover to cable mode. The personal line always runs on the cable and the business line always runs on the DSL. In this way, we have immediate manual selection of line for outgoing calls and can easily check both lines from any of the five dual-line phones in the house, or by using the single-line cordless phones on both services.

      Please note, at one point I had a Netgear FVS-124G and found it unreliable even after a firmware upgrade. With Netgear in particular, I find some products are stellar and others, not so much.

      The output side of the FVS-336G is configured with one LAN port to a TrendNET 24-port switch and a second LAN port to our security system. I am of two minds about the “private network” Wireless Access Point — the more I think about it, the more I think it should be on the Firewall Router rather than on the main 24-port switch. It is currently on the 24-port switch. All LAN ports are Gigabit Ethernet, by the way. All the heavy lifting computers are wired, as are all five NAS units (two main, three backup). Wireless is used for portable laptops (my wife’s laptop and my workshop laptop are both using a wired connection) and phones.

      Downstream of the TrendNET switch I have three sub-switches. In the store room where the backup NASes are, I only ran one wire and I’m not going to run another; all the backups can share a single Gigabit connection. Where I have a monochrome and a colour laser printer, again only one cable was run initially, and the switch was added when the colour laser was added. In my studio, I had four cables but decided to add a switch when I recently added the laptop in the workshop rather than tie up the last cable. An aux XP computer is in the studio to run the thermal CD/DVD printer, so it can share with the workshop. I have two main computers, and the fourth line is kept for rapid up/downloading from my laptop.

      The latest QNAP NAS is connected to the TrendNET switch via two ports.

      I don’t use any DMZ and the only port forwarding is on the DSL Modem for the VOIP to stabilize it.

      One other note. I realize my FVS336G is running “double NAT” on the DSL which is not always considered good, but my security system is reasonably happy with it. I’m not certain how that will impact the use of the VPN feature in the FVS336G which is something I have not yet tried, although it is there, I don’t travel enough to warrant it and why punch another hole in the firewall.

      Back when my Internet connections were below 9 Mb/s I used two Netgear FVS-318s (a v1 and a v3), one on cable and one on DSL. One was assigned to be 192.168.0.1 and the other was 192.168.0.2. In that way, I could select on a per-computer basis (using manually assigned network parameters) which circuit the computer went out on. The new system offers automatic failover (rollover) but forces all the traffic to one line or the other (except the VOIP, as mentioned above).

      The desktop computers, printers and multifunctions (up to five now), and NAS units all have manually assigned network addresses. All the laptops (even if wired) use DHCP as do the phones (we don’t have any tablets, yet).

      I hope this might be of some interest to someone.

      Cheers,

      Richard
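
      Both TonyGore’s separate firewall box and Richard’s dual-WAN setup put a second NAT device behind the ISP’s router, which is the “double NAT” Richard mentions. A quick way to confirm how many NAT layers you sit behind is to look at the first hops of a traceroute: every private-range (RFC 1918) or carrier-grade NAT (100.64.0.0/10) address that appears before the first public hop is a NAT device in your path, and each such layer needs its own port forwarding or VPN pass-through. The script below is an added example written for this thread, not code from either poster; the tracert output it parses is constructed, and the hop addresses in it are invented (8.8.8.8 simply stands in for the first public hop).

```python
import ipaddress
import re

# Carrier-grade NAT range (RFC 6598); Python's is_private does not flag it,
# so it is checked explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed tracert-style output (not a real capture) for a PC behind a
# firewall router (192.168.10.1) that itself sits behind the ISP's
# modem/router (192.168.0.1). Both addresses are hypothetical.
SAMPLE_DOUBLE_NAT = """\
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.10.1
  2     2 ms     1 ms     2 ms  192.168.0.1
  3    14 ms    12 ms    13 ms  8.8.8.8

Trace complete.
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_traceroute(text):
    """Return the list of per-hop responder addresses from tracert/traceroute text.

    A hop that answered only with '*' (timed out) is recorded as None.
    Both Windows tracert and Linux traceroute put the responding address on a
    line that starts with the hop number, and the address is the last
    dotted-quad on that line, so one parser covers both layouts.
    """
    hops = []
    for line in text.splitlines():
        if not re.match(r"^\s*\d+\s", line):
            continue  # banner, blank and trailer lines
        addrs = IPV4_RE.findall(line)
        if addrs:
            hops.append(addrs[-1])
        elif "*" in line:
            hops.append(None)
    return hops


def classify_hop(addr):
    """Classify a hop address as 'private' (RFC 1918 etc.), 'cgnat' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public"


def nat_layers(hops):
    """Count the NAT devices between this host and the public Internet.

    Each private or CGNAT hop before the first public hop is taken to be a
    NAT boundary. Counting stops at a silent hop instead of guessing past it.
    """
    layers = 0
    for hop in hops:
        if hop is None:
            break
        if classify_hop(hop) == "public":
            break
        layers += 1
    return layers


def describe(hops):
    """Human-readable verdict for the parsed hop list."""
    n = nat_layers(hops)
    if n == 0:
        return "no NAT detected before the first public hop"
    if n == 1:
        return "single NAT: one router between you and the Internet"
    return f"{n} NAT layers (double NAT or more): port forwarding and VPN pass-through must be configured on every layer"


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_DOUBLE_NAT)
    print(hops)  # ['192.168.10.1', '192.168.0.1', '8.8.8.8']
    print(describe(hops))
```

      To use it on a real setup, run `tracert 8.8.8.8` (Windows) or `traceroute 8.8.8.8` (Linux/macOS), save the output, and pass that text to `parse_traceroute`. A CGNAT hop counts as a layer you do not control, which is the case where inbound port forwarding on your own router cannot help at all.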

      • #1467988

        I had a somewhat different experience with Comcast this last renegotiation. I did not have a Comcast phone; I’ve used Vonage for years for my “landline”. But the cheapest alternative package they had available was a triple play bundle which gave me everything I had, including “boost internet” (which for me runs at about 70 Mbps download, very fast) and a Comcast phone number (which, though I have never used it and it is hooked up to a phone that doesn’t ring, still gets robocalls occasionally – that number has never been published anywhere and is on the Do Not Call list, but Rachel of Card Services is freaking everywhere!). I was not getting the download speed I should have, and their tech told me it was because my old modem was not capable of handling the higher speeds. So they, of course, offered to rent me a nice new modem. But since my last one had lasted 8 years, I declined; their tech gave me the name and model of what I needed, I found it at Amazon and bought it for just under $200 – you recover the cost within 2 years by purchasing your own. It arrived and Comcast helped me set it up quickly. I, like the others here, have always used a separate hardware router, and what I have now is a Cisco Linksys combination router with four hardware ports and four WiFi connections. It was incredibly easy to set up. I just ran all of Steve Gibson’s tests against my router and it is locked down tight; my entire machine is invisible to the rest of the world. Nice secure feeling that is!

    • #1468011

      An interesting read.
      Home Internet setup became very simple here at one point when the ISPs started providing modems with routers built in. Of course they had to be better configured than the defaults but my old Linksys ended up in a box.
      Now they’ve become more complex again. I’m in Canada, so I have the scenario Richard mentions – last mile service. I bought the recommended modem/router (paid for itself in 4 mo.) but it curiously has only one LAN port, so I added another router for the internal network, and for wireless. And the ATA box ($5 a month special for home phone). Pretty reliable, but if something goes off, I sometimes have to restart all of them. I hadn’t realized how common this had become, for various reasons.

    • #1468016

      Hi, David,

      If your ATA has two RJ45s on it, I understand you are better off hooking it up between the modem (with one jack) and the router WAN input. VOIP does not like network address translation (that is my comment about port forwarding in the DSL modem/router). I found the VOIP adapter without port forwarding was what needed to be rebooted way too often. So far so good with port forwarding.

      That is counter-intuitive as to how I would have done it, but that appears to be the reality of VOIP today. It has to be almost as stable as POTS or my wife will be upset.

      • #1468107

        For simplicity, I merely contacted Comcast and had them put my new P.O.S. into “Bridge mode”. Then hooked up my good old D-Link router.

        As for the battery problem, I simply plug the new unit into my UPS!

    • #1468179

      I had TWC RoadRunner for many years, and in the early days I bought my own modem, before VOIP was offered and before they had WiFi modems. The rental fee savings paid off the modem in under a year and I never experienced any problems with it. So I’ve always used my own WiFi router, usually based on WS security baseline suggestions.
      Since moving, I now have Xfinity and simply told them I did not need WiFi. They did not give me any grief and sent me the VOIP modem without WiFi. After reading your problems and the info about public hotspots, I’m glad I’ve held firm.

    • #1468222

      I recently had a high speed Verizon FIOS internet (30/x) with a Verizon supplied modem/router/WiFi. We also have a WD N900 router used for PS3, PS4 and Android connections that was piggybacked on the Verizon router. Things generally worked better through the WD. The WD router had higher throughput specs than the Verizon router. My sons have a tendency (constantly) to play bandwidth intensive online games such as Call of Duty. I tried connecting my main desktop to either the Verizon or the WD router (one router at a time) but found that internet browsing and other online activity would suffer greatly (page loads were extremely slow or would time out) if one or both of the PS3 and PS4 were on, especially if online games were being played. Apparently this combination of daisy chained routers was having trouble with internet collisions, packet loss, and/or other conflicts.

      I now have a Time Warner Cable modem connected to the WD router. (I specifically asked for a modem instead of a router to avoid any daisy chained router problems.) Even though the modem specs are not nearly as fast as the FIOS modem/router was, the slowdown observed from the desktop is either just a tad bit for some sites or not noticeable. However, in the last few days there have been a number of apparently dropped packets – web pages would fail to completely come up, but a reload sometimes did the trick, sometimes not. A couple of days ago I observed several times where the modem lights indicated that the downstream and upstream connections were in trouble (orange instead of green) and the “online” light, normally on, was off, resulting in no internet connection. Also, when the lights were “normal”, pages would suddenly not load in browsers, sometimes complaining about unreachable servers or timeouts, and ping or tracert would return with unable-to-connect-to-server errors as if the DNS service was unreachable (I use OpenDNS, which was not reporting any problems). This had been going on for about 4 hours with random failures of at least several per hour lasting from a few minutes to over ten minutes. There were no service outages listed online.

      Had an online chat with a rep where first off I mentioned that I had tried the reset procedures outlined online, including power cycling equipment and verifying connections, and outlined the problems I was having. I expected him to do what many ISPs had done in the past and read a script asking me to power everything down and up, but he skipped that and did some looking around and found that my connection was reporting errors. (Apparently my tech talk about the problem convinced him that I might know what I was talking about, and I got lucky and got a tech that knew how to do more than just read scripts.)

      We will see what happens when a tech comes out Sunday afternoon (the first mutually available time). I suspect a corollary of Murphy’s law will probably apply – when troubleshooting, the failure will not show itself when the technician arrives, but once he leaves it will probably come back with a vengeance. Even though I had problems for several more hours that day, things are working much better now.

    • #1468249

      What possible chance does a non-techy end user have if they get sucked into this vortex of confusion? Is it any wonder that people have ‘admin/password’ left in place? How would a regular person even know where to start? Is it any wonder we’re all just giving up and joining the Borg? I find this kind of corporate behavior pretty close to criminal.
      I’m lucky. My ISP provides a cable modem/VOIP box and all the home networking stuff is left up to me. I hope if/when we switch ISPs it’s as easy.
      Great article.

      • #1468254

        What possible chance does a non-techy end user have if they get sucked into this vortex of confusion? …

        I’m lucky. My ISP provides a cable modem/VOIP box and all the home networking stuff is left up to me. I hope if/when we switch ISPs it’s as easy.
        Great article.

        Doug,

        You already know most of the hard stuff, and I think we’ve learned you CAN ask for a modem only… Down the road, I suspect there will be court cases over the VOIP sharing which will, unfortunately, be the way some of this gets sorted out.

        The two big issues are:
        — Will you be charged for the public usage?
        — Will you be responsible for the public usage?

        Unless the answer is NO in both cases, expect to eventually see this in the courts, sadly.

        A third issue:
        — Will your modem/circuit data rate cap include the public usage?

        This one will be trickier because rates are increasing pretty quickly (compared to a decade ago) and unless the drive-by person is downloading a bunch of huge files, it will be difficult to notice, but even that could end up in the courts.

        With that said, I feel your frustration! I had to reboot my DSL modem and my firewall router just now because my security system was unhappy overnight; I had just done that, but something went amiss yesterday. Grrrr. All this should be easier for those who want it easier. Although those who wanted good sound systems had to buy component systems back in the 1950s and 1960s… and many of us still do.

    • #1468286

      While on the subject of the router upgrade, I finally realized that the NTP external time updating on the Windows machines and the NAS units was not working…so I added both TCP and UDP port forwarding to both routers. Seems to work better.

      I can’t update this regularly so to be safe, please look at my blog.

      I don’t know how to get rid of the image below, but it has been updated at the blog link.

    • #1468287

      I’d also like to share TekSavvy’s solution to intermittent VOIP issues on the SageMCom modem because of its NAT built in.

      You need to first reserve the DHCP address for the VOIP device in the DHCP screen.

      I never wanted to get this deep into this level of networking… but I also want things the way I want them. I do like the idea that my two VOIP lines are more-or-less totally independent, one coming in over cable and the other over DSL. Since the accounts are both with TekSavvy, I am assuming there is some commonality at some point in a datacenter someplace.

      As above, I also updated this. Sorry, I do not know how to delete the attached picture. The updated screen shot is on my blog.

      • #1468290

        I hope all this relates only to USA and Canada, as it’s way above my head.

        Or does it apply to users receiving their email by cable? In which case, why would they also need an ISP, as the cable provider is the ISP, at least in the UK?

    • #1468296

      I would think there would be similar issues worldwide. The less complex a system and fewer demands you make, the less likely you will run into any issues like this. But, when you add VOIP (Voice over Internet Protocol) Phone, then more challenges show up. If your ISP provides the whole connectivity package in one box, then it is much less of a worry.

      My situation is a bit more complex as my ISP is a third party (not the owner of the last mile) who uses the Bell DSL last mile and the Rogers Cable last mile. But they offer great tech support and are less costly.

    • #1468464

      “If you see a port labeled “open,” let me know about it by using the WS Lounge link below.”
      HTTPS port 443 is open on my desktop. Not sure why, though I have some guesses. However, disabling the two inbound rules (SSTP-In and NVIDIA Network Service) and the one outbound rule (BranchCache) which specify that port in my firewall did not affect the ShieldsUP test.
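
      ShieldsUP probes whatever answers on your public address, and behind a home router that is the router’s WAN side, not the desktop. An “open” port 443 reported from outside may therefore belong to the modem/router (remote management on 443 is a common reason) rather than to any process or firewall rule on the PC, which is consistent with host firewall changes having no effect on the result. The first thing to establish is whether anything on the PC is listening on that port at all. The script below is an added example written for this thread, not code from the poster or from GRC; it parses Windows `netstat -ano` output (the sample here is constructed, and its PIDs and addresses are invented) and then offers a live bind check on the port.

```python
import errno
import re
import socket

# Constructed sample of `netstat -ano` output (not a real capture); the
# PIDs, addresses and ports are invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2208
  TCP    192.168.1.10:49700     198.51.100.7:443       ESTABLISHED     6144
  UDP    0.0.0.0:123            *:*                                    1540
"""

# Only TCP sockets in LISTENING state can answer an inbound probe.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_tcp_listeners(netstat_text):
    """Return {port: (local_address, pid)} for every listening TCP socket."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, pid = m.groups()
            listeners[int(port)] = (addr, int(pid))
    return listeners


def classify_external_open_port(port, listeners):
    """Explain an externally reported open port in terms of what this host is doing."""
    if port not in listeners:
        return ("not bound on this host: the port is answered by an upstream device "
                "(modem/router), so look at its remote-management settings, not the PC")
    addr, pid = listeners[port]
    if addr.startswith("127.") or addr == "[::1]":
        return (f"bound on this host to loopback only (PID {pid}); unreachable from "
                "outside, so the externally open port is still upstream")
    return (f"bound on this host (PID {pid} on {addr}); check the owning process and the "
            "inbound firewall rule that allows it")


def is_port_bound_locally(port, host="0.0.0.0"):
    """Live check without netstat: try to bind the port ourselves.

    Returns True if something already owns it, False if it is free, and None
    when the port is privileged and we lack the rights to tell.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return False
    except PermissionError:
        return None
    except OSError as e:
        # Windows reports WSAEADDRINUSE (10048) rather than POSIX EADDRINUSE.
        if e.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)):
            return True
        raise
    finally:
        s.close()


if __name__ == "__main__":
    listeners = parse_tcp_listeners(SAMPLE_NETSTAT)
    print("listening TCP ports:", sorted(listeners))
    print("443:", classify_external_open_port(443, listeners))
    print("live bind check on 443:", is_port_bound_locally(443))
```

      On the real machine, run `netstat -ano` from an elevated prompt, feed its output to `parse_tcp_listeners`, and map any PID of interest with `tasklist /FI "PID eq <pid>"`. If 443 is not listening locally and the bind check returns False, the external “open” verdict is about the router, and the fix belongs in the router’s remote-management or port-forwarding settings rather than in Windows Firewall.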
