AM300 Half Bridge and Smoothwall

Discussion in 'Other Linksys Equipment' started by joanywhere, Jan 25, 2008.

  1. joanywhere

    joanywhere LI Guru Member

    All,
    Firstly - none of this may make sense if you don't use the Smoothwall firewall :)

    I've tried (unsuccessfully) to get my Linksys AM300 to run in bridged mode with my Smoothwall. If someone can tell me specifically how to do it on this device in New Zealand, that would be great.

    Failing that - has anyone tried to get an AM300 working in Half Bridge mode with a Smoothwall?

    It works brilliantly if I set it to half bridge and connect it to my Windows PC, assigning the 'upstream' IP address perfectly to my PC's NIC. There is a noticeable drop in ping times to google.com of around 20ms (in the order of 10%) between half bridge mode and router mode.

    However, if I connect it to my Smoothwall, the RED interface never gets an IP address. This is obviously problematic. I've set the RED interface to DHCP, but it doesn't get anywhere. In more generic Linux terms, a Smoothwall RED interface is in this case ETH1.

    Cheers
    Jo

     
  2. mstombs

    mstombs Network Guru Member

    Hi,

    Have a search here; someone else has asked a similar question - I think a firmware update fixed the problem? Despite being the other side of the globe, it seems UK and NZ suffer similar issues with PPPoA DSL!

    You cannot "full bridge" PPPoA (as you can with PPPoE). Half-bridge often results in apparently strange IP/netmask/gateway combinations which Windows doesn't seem to mind but older installs of Linux do, but this isn't a fundamental problem - it's just the dhcpc action script that needs to be tweaked, no idea how to in Smoothwall!
     
  3. joanywhere

    joanywhere LI Guru Member

    Mate,
    thanks for the response.

    The firmware as shipped is 1.19.02, so I imagine this is pretty up to date.

    I read through the other thread on this topic and couldn't quite work out how to then apply it to my situation. Any thoughts on how to tweak the dhcpc script? Smoothwall is just a Linux-based firewall so I can probably tweak it given some basic ideas :) (Did I miss it in the other thread?)

    Cheers
    Jo

     
  4. mstombs

    mstombs Network Guru Member

    Linksys routers and Hyperwrt/Tomato firmware use a udhcpc DHCP client, but the script is actually contained in system commands in a compiled C routine. I was able to correct the routing with a firewall script in this thread:

    http://www.linksysinfo.org/forums/showthread.php?t=52937

    I believe the Linksys C code does the equivalent of the example 'renew|bound' function you can see here

    http://busybox.net/cgi-bin/viewcvs....mples/udhcp/simple.script?rev=20678&view=auto

    but the gateway assignment fails because there is no existing route to the gateway.

    My understanding is that the ifconfig command normally sets a route to the network that has been defined, i.e.

    ifconfig eth1 192.168.0.1 netmask 255.255.255.0

    also does the equivalent of

    route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1

    but this fails for a full netmask of 255.255.255.255, or when the gateway is not in the network defined by the interface netmask, so you need an explicit route command to say where the gateway is with

    Code:
    route add -host $GW dev eth1
    before trying to set the default route through it.

    Some halfbridge modems 'spoof' the netmask and/or gateway to help the router over this. If they pretend the netmask is wide enough to include the gateway then this specific route command is not needed.

    Good luck with finding what does the equivalent of the dhcpc action script!


    Edit:

    Couldn't resist the temptation to look as I have access to a local copy of smoothwall iso.

    If you look in rc.netaddress.up, it calls dhcpd with action script /etc/rc.d/rc.updatered.
    rc.updatered assumes dhcpd has done the equivalent of the ifconfig and default route commands.

    If only the route commands have failed (and static ones would in rc.netaddress.up) you need to add

    Code:
    /sbin/route add -host $GATEWAY dev $RED_DEV
    /sbin/route add default gw $GATEWAY
    You should also check these are removed if the modem resyncs; in my experience duplicate default gateways break things!
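
The routing rule described in the post above, as an added example that is not part of the original thread or of Smoothwall's scripts: it decides whether a DHCP lease needs the explicit host route before the default route, and counts default routes so that duplicates left after a resync are visible. The function names are hypothetical, and the half-bridge lease and routing table are constructed sample values.

```shell
#!/bin/sh
# Added illustration: function names are hypothetical, not Smoothwall's own.

# ip_to_int A.B.C.D : print the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_on_link IP NETMASK GW : succeed when GW is inside IP/NETMASK,
# i.e. the connected route that ifconfig creates already covers it
gateway_on_link() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2"); gw=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( gw & mask )) ]
}

# plan_routes IP NETMASK GW DEV : print the route commands in the order they
# must run; the host route is only needed for an off-link gateway
plan_routes() {
    if ! gateway_on_link "$1" "$2" "$3"; then
        echo "/sbin/route add -host $3 dev $4"
    fi
    echo "/sbin/route add default gw $3"
}

# count_default_routes : count default routes in `route -n` output on stdin,
# to spot duplicates left behind after a modem resync
count_default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Constructed sample: routing table with a stale second default route
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1'

echo "NAT router mode lease from the thread (10.1.1.2/24, gateway 10.1.1.1):"
plan_routes 10.1.1.2 255.255.255.0 10.1.1.1 eth1
echo "Constructed half-bridge lease (203.0.113.45/32, gateway 203.0.113.1):"
plan_routes 203.0.113.45 255.255.255.255 203.0.113.1 eth1
echo "Default routes in sample table: $(printf '%s\n' "$SAMPLE_TABLE" | count_default_routes)"
```

A count above 1 from `count_default_routes` is the duplicate-gateway condition the post warns about.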
     
  5. joanywhere

    joanywhere LI Guru Member

    Mate.
    It sounds like you might be honing in on something (no thanks to me, all credit to you!).

    As an experiment, I set my RED NIC to DHCP (nothing to do with AM300 in half bridge, just leaving it as a router currently). Everything broke. Here is the output from doing an ifconfig eth1:
    Code:
    ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:10:B5:3A:75:07
              inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
    
    route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
    10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
    default         ether           0.0.0.0         UG    0      0        0 eth1

    To confirm, I set it back to static with my normal settings:
    Code:
    ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:10:B5:3A:75:07
              inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
    
    route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
    10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
    default         10.1.1.1        0.0.0.0         UG    0      0        0 eth1
    
    I noticed the default route is different. I set RED back to DHCP and I added the two commands you suggested into the end of the DHCP section of the action script, and forced the network down and up, and got the following route table:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    ether           *               255.255.255.255 UH    0      0        0 eth1
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
    10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
    default         ether           0.0.0.0         UG    0      0        0 eth1
    
    However, I still couldn't get to the web.

    Next thoughts? I'm well out of my depth, but am appreciating the help immensely.

    Cheers
    Jo
     
  6. mstombs

    mstombs Network Guru Member

    Oh dear, according to my theory the first DHCP with the modem in NAT router mode 'should' work, so it may not be a routing problem. Does Smoothwall get the correct DNS servers?

    In the examples that don't work the gateway is named "ether"; can you use "route -n" to display the IP address, not name? In the first example "ether" should be the modem IP address 10.1.1.1. In the second it should be your ISP gateway.

    In the second 'half bridge', does the Smoothwall router get the correct WAN IP address on "ifconfig eth1"?

    PS: You should edit your post to mask your Ethernet card MAC addresses
     
  7. joanywhere

    joanywhere LI Guru Member

    DNS Stuff

    Right... stepping through piecemeal.

    Firstly, this is all with the modem in Router/NAT mode - in the hope that getting DHCP working properly in this mode will also then allow it to work properly in half bridge.

    I set RED back to DHCP, and ran a route -n and also a ping to ether, both of which had the expected results (i.e. ether appears as 10.1.1.1, and pinging ether was successful).

    Code:
    [root@hydrogen etc]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 eth1
    [root@hydrogen etc]# ping ether
    PING ether (10.1.1.1) from 10.1.1.2 : 56(84) bytes of data.
    64 bytes from ether (10.1.1.1): icmp_seq=1 ttl=64 time=0.264 ms
    64 bytes from ether (10.1.1.1): icmp_seq=2 ttl=64 time=0.287 ms
    64 bytes from ether (10.1.1.1): icmp_seq=3 ttl=64 time=0.271 ms
    route -n
    Looking at DNS servers gives the following:
    Code:
    [root@hydrogen etc]# cat /etc/resolv.conf
    nameserver 127.0.0.1
    [root@hydrogen etc]# cat /etc/resolv.conf.dnsmasq
    nameserver 10.1.1.1
    Now, pinging google.com fails at this point.

    I haven't been able to work out how to see what DNS the AM300 has actually been given (or how I could potentially override it). I do know however that using the ping utility on the AM300 fails to ping google.com. The error message the AM300 fails with is
    Code:
    Ping request could not find host. Please check the name and try again.
    implying it's got no idea what DNS it should be using :(

    Thoughts on how to sort out the AM300's DNS? FYI, our internal DNS server has hard-coded addresses of external servers to look at.

    Man - we haven't even started to look at moving on to the half bridge stuff LOL
     
  8. mstombs

    mstombs Network Guru Member

    Well, the half-bridge routing may be a red herring if it is just DNS by DHCP that is wrong. By default my modem only gives itself as DNS server and runs a dnsproxy service. It 'should' tell you the DNS servers on its web GUI and have an option to not use its dnsproxy? Can you manually add your own known DNS servers or the OpenDNS ones to Smoothwall and still use DHCP for IP and gateway?
     
  9. joanywhere

    joanywhere LI Guru Member

    Re: DNS - the status page shows nothing. Using RFC 2364 PPPoA, there are no options re: DNS servers (i.e. obtain automatically, or assign manually). I absolutely would expect the modem to act as a DNS proxy, but c'est la vie. The status page shows an IP address and ISP Gateway, and that is it. Note to Linksys: That's REALLY bogus!!

    I jammed a DNS address into /etc/resolv.conf and everything works just fine in DHCP. Thanks for the great idea!

    Next step, I'm going to fire the modem into half bridge. Wish me luck!!

    Cheers
    Jo
     
  10. joanywhere

    joanywhere LI Guru Member

    YEEHAH!!!

    Unbelievable! Apparently, sticking a manual DNS entry into /etc/resolv.conf on my Smoothwall has resolved my half bridge issues as well.

    Ping times are 10% quicker to google.com with only single NAT occurring. I don't have to jack around with port forwarding (i.e. currently I was forwarding EVERYTHING to the firewall), and it just generally feels better (i.e. built the way it should be built)!!

    Interestingly, running a DSL speed test shows download speeds almost identical to with double NAT, but upload speeds are 10% higher than before. Any thoughts/words of wisdom on that?

    Thanks so much for your help and patience. Name the charity of your choice and I'll happily make a small donation to them!

    Cheers
    Jo
     
  11. mstombs

    mstombs Network Guru Member

    Well done! Can you confirm that the current code properly sets the route without the extra commands above? I'm sure others have suffered but never sorted this problem before!

    As to speed - double NAT shouldn't make any difference under light load, but load up lots of connections with P2P and the limited processor/memory on the modem will slow things down.
     
  12. joanywhere

    joanywhere LI Guru Member

    Yep, no commands required. Just jammed a known good DNS server into the resolv.conf. In my case (and I've got no idea about best practice on this) I pointed it back internally to our main DNS as this performs all the lookups on internal addresses, specific host entries etc., as well as DNS forwarding.

    I'm not sure why the DHCP didn't even give an IP address initially in the half bridge mode or why adding the DNS entry resolved it. The only other thing I can think of is ensuring that the hostname in the DHCP for the RED NIC matches the hostname configured in the AM300.

    Cheers
    Jo
     
