* [gentoo-user] Strange behaviour of dhcpcd
From: Marc Joliet, 2014-10-27 23:44 UTC
To: gentoo-user

Hi list

First off: this is a "fixed" issue, in that I don't see the behaviour anymore, so time is not of the essence ;) . I'm only looking for an explanation, or for comments from other people who experienced this.

So the issue was some really strange behaviour on the part of dhcpcd. I completed a move a few weeks ago and got an internet connection last Wednesday (using a local cable company, that is, using a cable modem connected via ethernet). I reconfigured my system to use regular DHCP (a relief after the PPPoE mess in the dorm), but dhcpcd could not apply the default route; it *obtained* one, but failed with "if_addroute: Invalid argument". I tried it manually, to no effect: "ip route" complained about invalid arguments, and I think plain "route" said "file exists", but I'm not sure anymore (either way, the error messages were less than clear). The funny thing is, I *could* set the default route, just not to the one advertised via DHCP, but to the x.y.z.2+ instead of x.y.z.1, which even gave me access to the internet part of the time.

Now the funny thing is what fixed it:

*commenting out the entirety of /etc/dhcpcd.conf*

Then dhcpcd ran with default settings and could apply the default route. Even more bizarre is the fact that it kept working after uncommenting it again (and I track it with git, so I'm 100% sure I got it back to its original state). This leads me to believe that there was some (corrupted?) persistent state somewhere that got overwritten by starting dhcpcd after I commented out the file, but I have no clue where.

Has anyone seen this sort of behaviour before, or anything similar to it? I searched for the error messages I was seeing, but couldn't find anything.

I was using gentoo-sources-3.15.9 (now I'm at 3.16.6) and dhcpcd 6.4.3 at the time, but also had the issue with dhcpcd 6.4.7, to which I could upgrade by using the aforementioned x.y.z.2 gateway. Perhaps it was a bug in the kernel? But that's just guessing.

Regards,
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Mick, 2014-10-28 16:28 UTC
To: gentoo-user

On Monday 27 Oct 2014 23:44:58 Marc Joliet wrote:
> Hi list
>
> First off: this is a "fixed" issue, in that I don't see the behaviour anymore, so time is not of the essence ;) . I'm only looking for an explanation, or for comments from other people who experienced this.
>
> So the issue was some really strange behaviour on the part of dhcpcd. I completed a move a few weeks ago and got an internet connection last Wednesday (using a local cable company, that is, using a cable modem connected via ethernet). I reconfigured my system to use regular DHCP (a relief after the PPPoE mess in the dorm), but dhcpcd could not apply the default route; it *obtained* one, but failed with "if_addroute: Invalid argument". I tried it manually, to no effect: "ip route" complained about invalid arguments, and I think plain "route" said "file exists", but I'm not sure anymore (either way, the error messages were less than clear). The funny thing is, I *could* set the default route, just not to the one advertised via DHCP, but to the x.y.z.2+ instead of x.y.z.1, which even gave me access to the internet part of the time.
>
> Now the funny thing is what fixed it:
>
> *commenting out the entirety of /etc/dhcpcd.conf*
>
> Then dhcpcd ran with default settings and could apply the default route. Even more bizarre is the fact that it kept working after uncommenting it again (and I track it with git, so I'm 100% sure I got it back to its original state). This leads me to believe that there was some (corrupted?) persistent state somewhere that got overwritten by starting dhcpcd after I commented out the file, but I have no clue where.
>
> Has anyone seen this sort of behaviour before, or anything similar to it? I searched for the error messages I was seeing, but couldn't find anything.
>
> I was using gentoo-sources-3.15.9 (now I'm at 3.16.6) and dhcpcd 6.4.3 at the time, but also had the issue with dhcpcd 6.4.7, to which I could upgrade by using the aforementioned x.y.z.2 gateway. Perhaps it was a bug in the kernel? But that's just guessing.
>
> Regards,

Since dhcpcd doesn't misbehave any more it would be difficult to check what was the cause of this problem. You didn't say if the cable modem is functioning as a router or in a full or half bridge mode, and if there is a router between your PC and the modem that distributes IP addresses. You also didn't say if the ISP has allocated an IP block or just a single IP address.

I have had problems with dhcpcd over the years and in particular with it using DUID, which my router does not like at all. Also, for some reason it first checks for IPv6, then times out, and eventually it looks for IPv4 which takes like forever, each time I connect to my wired network. In waiting for an IPv4 address it may set up APIPA and then sometime later will eventually look for and obtain an IPv4 address from the router.

I have not found a solution to this annoying behaviour, however wirelessly the IP address allocation is established immediately without delays. Go figure ...

-- 
Regards,
Mick
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Marc Joliet, 2014-10-28 18:31 UTC
To: gentoo-user

Am Tue, 28 Oct 2014 16:28:37 +0000
schrieb Mick <michaelkintzios@gmail.com>:

> On Monday 27 Oct 2014 23:44:58 Marc Joliet wrote:
> > Hi list
> >
> > First off: this is a "fixed" issue, in that I don't see the behaviour anymore, so time is not of the essence ;) . I'm only looking for an explanation, or for comments from other people who experienced this.
> >
> > So the issue was some really strange behaviour on the part of dhcpcd. I completed a move a few weeks ago and got an internet connection last Wednesday (using a local cable company, that is, using a cable modem connected via ethernet). I reconfigured my system to use regular DHCP (a relief after the PPPoE mess in the dorm), but dhcpcd could not apply the default route; it *obtained* one, but failed with "if_addroute: Invalid argument". I tried it manually, to no effect: "ip route" complained about invalid arguments, and I think plain "route" said "file exists", but I'm not sure anymore (either way, the error messages were less than clear). The funny thing is, I *could* set the default route, just not to the one advertised via DHCP, but to the x.y.z.2+ instead of x.y.z.1, which even gave me access to the internet part of the time.
> >
> > Now the funny thing is what fixed it:
> >
> > *commenting out the entirety of /etc/dhcpcd.conf*
> >
> > Then dhcpcd ran with default settings and could apply the default route. Even more bizarre is the fact that it kept working after uncommenting it again (and I track it with git, so I'm 100% sure I got it back to its original state). This leads me to believe that there was some (corrupted?) persistent state somewhere that got overwritten by starting dhcpcd after I commented out the file, but I have no clue where.
> >
> > Has anyone seen this sort of behaviour before, or anything similar to it? I searched for the error messages I was seeing, but couldn't find anything.
> >
> > I was using gentoo-sources-3.15.9 (now I'm at 3.16.6) and dhcpcd 6.4.3 at the time, but also had the issue with dhcpcd 6.4.7, to which I could upgrade by using the aforementioned x.y.z.2 gateway. Perhaps it was a bug in the kernel? But that's just guessing.
> >
> > Regards,
>
> Since dhcpcd doesn't misbehave any more it would be difficult to check what was the cause of this problem. You didn't say if the cable modem is functioning as a router or in a full or half bridge mode, and if there is a router between your PC and the modem that distributes IP addresses. You also didn't say if the ISP has allocated an IP block or just a single IP address.

First off: thanks for the response. Note that I have no clue about modems (other than that they modulate and demodulate signals), let alone cable modems and the wide variety of hardware out there. I also have no clue about the protocols involved (save for a tiny bit of IP and TCP/UDP). Just so you know what to expect.

Anyway, in answer to your queries:

- I do not know for sure how the modem is configured, and whether it hands out the addresses itself or whether these come from the other end of the cable connection. But from what I can observe it does *not* function as a router; it has *one* Ethernet connection, and that's it. I did not test it in a bridged network, to see if it hands out addresses to multiple clients. Our ISP refers to it as a "LAN modem".

  OK, I looked up more information: It's a Thomson THG571, and the manual (I found a copy here: http://www.kabelfernsehen.ch/dokumente/quicknet/HandbuchTHG570.pdf) refers to "Transparent bridging for IP traffic", and AFAICT makes no mention of routing. It does explicitly say that it gets an IP address from the ISP, so I suspect that it acts as a bridge for all IP clients (like the "IP Client Mode" in Fritz!Box routers). So it sounds to me that the DHCP packets likely come from a server beyond the router. Is this the half bridge mode you alluded to?

  Oh, and there are two powerline/dLAN adapters in between (the modem is in the room next door), but direct connections between my computer and my brother's always worked, and they've been reliable in general, so I assume that they're irrelevant here.

  Furthermore, I found out the hard way that you *sometimes* need to reboot the modem when connecting a different client for the new client to get a response from the DHCP server (I discovered this after wasting half a day trying to get our router to work, it would log timeouts during DHCPDISCOVER). I didn't think it was the modem because when we first got it, I could switch cables around between my computer and my brother's and they would get their IP addresses without trouble. *sigh*

- At the time there was no router, just the modem. We now have a Fritz!Box 3270 with the most recent firmware, but we got it after I "solved" this problem.

- I don't know whether we have an IP block or not; I suspect not. At the very least, we didn't make special arrangements to try and get one.

> I have had problems with dhcpcd over the years and in particular with it using DUID, which my router does not like at all. Also, for some reason it first checks for IPv6, then times out, and eventually it looks for IPv4 which takes like forever, each time I connect to my wired network.

I don't know if this helps, but dhcpcd has a "-4" (aka "--ipv4only") option.

> In waiting for an IPv4 address it may set up APIPA and then sometime later will eventually look for and obtain an IPv4 address from the router.

I expect that you've already tried this, but I wonder if a combination of a longer timeout and "--noipv4ll" would help.

> I have not found a solution to this annoying behaviour, however wirelessly the IP address allocation is established immediately without delays. Go figure ...

See above.

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: J. Roeleveld, 2014-10-31 6:52 UTC
To: gentoo-user

On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> Am Tue, 28 Oct 2014 16:28:37 +0000
> schrieb Mick <michaelkintzios@gmail.com>:
> > On Monday 27 Oct 2014 23:44:58 Marc Joliet wrote:
> > > Hi list
> > >
> > > First off: this is a "fixed" issue, in that I don't see the behaviour anymore, so time is not of the essence ;) . I'm only looking for an explanation, or for comments from other people who experienced this.
> > >
> > > So the issue was some really strange behaviour on the part of dhcpcd. I completed a move a few weeks ago and got an internet connection last Wednesday (using a local cable company, that is, using a cable modem connected via ethernet). I reconfigured my system to use regular DHCP (a relief after the PPPoE mess in the dorm), but dhcpcd could not apply the default route; it *obtained* one, but failed with "if_addroute: Invalid argument". I tried it manually, to no effect: "ip route" complained about invalid arguments, and I think plain "route" said "file exists", but I'm not sure anymore (either way, the error messages were less than clear). The funny thing is, I *could* set the default route, just not to the one advertised via DHCP, but to the x.y.z.2+ instead of x.y.z.1, which even gave me access to the internet part of the time.
> > >
> > > Now the funny thing is what fixed it:
> > > *commenting out the entirety of /etc/dhcpcd.conf*
> > >
> > > Then dhcpcd ran with default settings and could apply the default route. Even more bizarre is the fact that it kept working after uncommenting it again (and I track it with git, so I'm 100% sure I got it back to its original state). This leads me to believe that there was some (corrupted?) persistent state somewhere that got overwritten by starting dhcpcd after I commented out the file, but I have no clue where.
> > >
> > > Has anyone seen this sort of behaviour before, or anything similar to it? I searched for the error messages I was seeing, but couldn't find anything. I was using gentoo-sources-3.15.9 (now I'm at 3.16.6) and dhcpcd 6.4.3 at the time, but also had the issue with dhcpcd 6.4.7, to which I could upgrade by using the aforementioned x.y.z.2 gateway. Perhaps it was a bug in the kernel? But that's just guessing.
> > >
> > > Regards,
> >
> > Since dhcpcd doesn't misbehave any more it would be difficult to check what was the cause of this problem. You didn't say if the cable modem is functioning as a router or in a full or half bridge mode, and if there is a router between your PC and the modem that distributes IP addresses. You also didn't say if the ISP has allocated an IP block or just a single IP address.
>
> First off: thanks for the response. Note that I have no clue about modems (other than that they modulate and demodulate signals), let alone cable modems and the wide variety of hardware out there. I also have no clue about the protocols involved (save for a tiny bit of IP and TCP/UDP). Just so you know what to expect.
>
> Anyway, in answer to your queries:
>
> - I do not know for sure how the modem is configured, and whether it hands out the addresses itself or whether these come from the other end of the cable connection. But from what I can observe it does *not* function as a router; it has *one* Ethernet connection, and that's it. I did not test it in a bridged network, to see if it hands out addresses to multiple clients. Our ISP refers to it as a "LAN modem".

Sounds similar to what I've been using for the past 10+ years.

> OK, I looked up more information: It's a Thomson THG571, and the manual (I found a copy here: http://www.kabelfernsehen.ch/dokumente/quicknet/HandbuchTHG570.pdf) refers to "Transparent bridging for IP traffic", and AFAICT makes no mention of routing. It does explicitly say that it gets an IP address from the ISP, so I suspect that it acts as a bridge for all IP clients (like the "IP Client Mode" in Fritz!Box routers). So it sounds to me that the DHCP packets likely come from a server beyond the router. Is this the half bridge mode you alluded to?

Not sure about half-bridge mode. But most cable-modems work in bridge-mode. (If they have more than 1 ethernet-port, they act as routers)

> Oh, and there are two powerline/dLAN adapters in between (the modem is in the room next door), but direct connections between my computer and my brother's always worked, and they've been reliable in general, so I assume that they're irrelevant here.

Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you might keep getting a different result each time it tries to refresh.

> Furthermore, I found out the hard way that you *sometimes* need to reboot the modem when connecting a different client for the new client to get a response from the DHCP server (I discovered this after wasting half a day trying to get our router to work, it would log timeouts during DHCPDISCOVER). I didn't think it was the modem because when we first got it, I could switch cables around between my computer and my brother's and they would get their IP addresses without trouble. *sigh*

That's a common flaw. These modems are designed with the idea that people only have 1 computer. Or at the very least put a router between the modem and whatever else they have.

Please note, there is NO firewall on these modems and your machine is fully exposed to the internet. Unless you have your machine secured and all unused services disabled, you might as well assume your machine compromised.

I once connected a fresh install directly to the modem. Only took 20 seconds to get owned. (This was about 9 years ago and Bind was running)

> - At the time there was no router, just the modem. We now have a Fritz!Box 3270 with the most recent firmware, but we got it after I "solved" this problem.
>
> - I don't know whether we have an IP block or not; I suspect not. At the very least, we didn't make special arrangements to try and get one.

Then assume not. Most, if not all, ISPs charge extra for this. (If they even offer it)

-- 
Joost
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Mick, 2014-10-31 9:53 UTC
To: gentoo-user

On Friday 31 Oct 2014 06:52:54 J. Roeleveld wrote:
> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> > Am Tue, 28 Oct 2014 16:28:37 +0000
> > (I found a copy here: http://www.kabelfernsehen.ch/dokumente/quicknet/HandbuchTHG570.pdf) refers to "Transparent bridging for IP traffic", and AFAICT makes no mention of routing. It does explicitly say that it gets an IP address from the ISP, so I suspect that it acts as a bridge for all IP clients (like the "IP Client Mode" in Fritz!Box routers). So it sounds to me that the DHCP packets likely come from a server beyond the router. Is this the half bridge mode you alluded to?
>
> Not sure about half-bridge mode. But most cable-modems work in bridge-mode. (If they have more than 1 ethernet-port, they act as routers)

Yes, it seems to be a fully bridged modem. A PC or router behind it will be accessible from the Internet using your public IP address provided by the ISP. In a fully bridged mode the modem only manages encapsulation of your LAN hosts' ethernet packets (using DOCSIS frames in the case of cable, or ATM frames in the case of ADSL). PPPoE or any other authentication method is undertaken by the PC or by the router behind it. There's no NAT'ing or routing performed by the modem - it is just a transparent bridge.

In a typical half bridged mode the modem performs encapsulation of your packets AND authentication with the ISP's radius server. It also passes the public IP address over to the host in the LAN, but it doesn't just bridge - it routes it. The half bridged modem acts as an arp proxy. Some implementations advertise more addresses on the LAN side than the public ISP's address and offer the host a different IP address to the ISP's (usually public IP + 1 with 255.255.255.0 instead of 255.255.255.255). MSWindows machines work fine with this, but Linux won't work without setting a static route to the ISP's gateway and complains that the gateway is not on public-IP/32. Cisco routers barf at this problem too.

> > Oh, and there are two powerline/dLAN adapters in between (the modem is in the room next door), but direct connections between my computer and my brother's always worked, and they've been reliable in general, so I assume that they're irrelevant here.
>
> Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you might keep getting a different result each time it tries to refresh.
>
> > Furthermore, I found out the hard way that you *sometimes* need to reboot the modem when connecting a different client for the new client to get a response from the DHCP server (I discovered this after wasting half a day trying to get our router to work, it would log timeouts during DHCPDISCOVER). I didn't think it was the modem because when we first got it, I could switch cables around between my computer and my brother's and they would get their IP addresses without trouble. *sigh*
>
> That's a common flaw. These modems are designed with the idea that people only have 1 computer. Or at the very least put a router between the modem and whatever else they have.
> Please note, there is NO firewall on these modems and your machine is fully exposed to the internet. Unless you have your machine secured and all unused services disabled, you might as well assume your machine compromised.

Yes, the way these modems work you may need to reboot the modem so that it flushes its arp cache if you start reconnecting machines to it.

> I once connected a fresh install directly to the modem. Only took 20 seconds to get owned. (This was about 9 years ago and Bind was running)
>
> > - At the time there was no router, just the modem. We now have a Fritz!Box 3270 with the most recent firmware, but we got it after I "solved" this problem.
> >
> > - I don't know whether we have an IP block or not; I suspect not. At the very least, we didn't make special arrangements to try and get one.
>
> Then assume not. Most, if not all, ISPs charge extra for this. (If they even offer it)

You would typically have two IP addresses with a half bridged modem, but only one of these would be usable by the PC/router in your LAN.

Personally I find all this a bothersome faff and only buy and set up modems in fully bridged mode, so that they get out of the way and let me route things using a router.

-- 
Regards,
Mick
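Mick's point about a gateway that "is not on public-IP/32" is the usual reason Linux refuses a DHCP-supplied default route: `ip route add default via GW` is only accepted when the kernel already has an on-link route covering GW, so a /32 lease, or a half-bridged modem handing out an address whose real gateway sits outside the offered subnet, needs an explicit host route first. The script below is an added example, not code from the thread, from dhcpcd or from the modem manual; it works out whether an offered gateway is on-link and prints the ip(8) commands that install the default route either way. The interface name and all addresses are made up (RFC 5737 documentation space), and whether this is what Marc actually hit is not something the thread settles.

```shell
#!/bin/sh
# Added example: decide how to install a DHCP default route when the offered
# router may lie outside the offered subnet. Addresses below are constructed.

# Convert a dotted quad to an integer: ip4_to_int 203.0.113.2 -> 3405803778
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print the ip(8) commands that install a default route via GW on IFACE,
# given the address and netmask the DHCP server offered.
# Returns 0 when the gateway is on-link and a single route suffices,
# 1 when an explicit host route to the gateway had to be added first.
route_cmds() {
    iface=$1 addr=$2 mask=$3 gw=$4
    a=$(ip4_to_int "$addr"); m=$(ip4_to_int "$mask"); g=$(ip4_to_int "$gw")
    if [ $(( a & m )) -eq $(( g & m )) ]; then
        # Normal case: gateway inside the leased subnet.
        echo "ip route add default via $gw dev $iface"
        return 0
    fi
    # Gateway outside the subnet (e.g. a /32 lease, or public+1/24 with the
    # real gateway elsewhere). The kernel rejects "default via $gw" because it
    # has no on-link route to the nexthop, so tell it the gateway is directly
    # reachable on $iface and only then install the default route.
    echo "ip route add $gw/32 dev $iface"
    echo "ip route add default via $gw dev $iface"
    return 1
}

# Usage (root needed to actually apply the routes):
#   route_cmds eth0 203.0.113.2 255.255.255.255 203.0.113.1 | sh
```

The same effect can be had in one command with `ip route add default via GW dev IFACE onlink`, which tells the kernel to skip the nexthop reachability check; the two-route form has the advantage that `ip route` afterwards shows exactly why the gateway is reachable.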
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Marc Joliet, 2014-10-31 10:47 UTC
To: gentoo-user

Am Fri, 31 Oct 2014 07:52:54 +0100
schrieb "J. Roeleveld" <joost@antarean.org>:

> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
[...]
> > Oh, and there are two powerline/dLAN adapters in between (the modem is in the room next door), but direct connections between my computer and my brother's always worked, and they've been reliable in general, so I assume that they're irrelevant here.
>
> Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you might keep getting a different result each time it tries to refresh.

How so? You mean if the modem is directly connected to the powerline adapter? I would be surprised if this were a problem in general, since AFAIU they're ultimately just bridges as far as the network is concerned, not to mention that they explicitly target home networks with multiple devices. But in the end, it doesn't matter, since it's just for my desktop (which doesn't have WLAN built-in); all other clients connect via WLAN.

FWIW, I chose powerline because it seemed like a better (and driverless!) alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm quite happy with it.

> > Furthermore, I found out the hard way that you *sometimes* need to reboot the modem when connecting a different client for the new client to get a response from the DHCP server (I discovered this after wasting half a day trying to get our router to work, it would log timeouts during DHCPDISCOVER). I didn't think it was the modem because when we first got it, I could switch cables around between my computer and my brother's and they would get their IP addresses without trouble. *sigh*
>
> That's a common flaw. These modems are designed with the idea that people only have 1 computer. Or at the very least put a router between the modem and whatever else they have.
> Please note, there is NO firewall on these modems and your machine is fully exposed to the internet. Unless you have your machine secured and all unused services disabled, you might as well assume your machine compromised.

Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the modem's job boils down to carrying the signal over the cable network and (on a higher level) dialing in to the ISP and forwarding packets. I would not really expect a firewall there.

> I once connected a fresh install directly to the modem. Only took 20 seconds to get owned. (This was about 9 years ago and Bind was running)

Ouch. I just hope the Fritz!Box firewall is configured correctly, especially since there doesn't appear to be a UI for it. Well, OK, there is, but it's not very informative in that it doesn't tell me what rules (other than manually entered ones) are currently in effect; all it explicitly says is that it blocks NetBIOS packets. The only other thing that's bothered me about the router is the factory default (directly after flashing the firmware) of activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.

Out of curiosity, I looked through the exported configuration file (looks like JSON), and found entries that look like firewall rules, but don't really know how they apply. It's less the rules themselves, though, than the context, i.e., the rules are under "pppoefw" and "dslifaces", even though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's software grows just as organically as everybody else's ;-) ). The one thing I'm most curious about is what "lowinput", "highoutput", etc. mean, as Google only found me other people asking the same question. Anyway, it *looks* like it blocks everything from the internet by default (except for "output-related" and "input-related", which I interpret to mean responses to outgoing packets and... whatever "input-related" means), and the manual seems to agree by implying that the firewall is for explicitly opening ports. Also, I used the Heise "Netzwerk Check" and it reports no problems, so I'm mostly relieved.

> > - At the time there was no router, just the modem. We now have a Fritz!Box 3270 with the most recent firmware, but we got it after I "solved" this problem.
> >
> > - I don't know whether we have an IP block or not; I suspect not. At the very least, we didn't make special arrangements to try and get one.
>
> Then assume not. Most, if not all, ISPs charge extra for this. (If they even offer it)

That's what I thought :) .

Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) directly and ask for his opinion.

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup
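Joost's warning two messages up (no firewall on a bridged modem, so a host with unused services listening is exposed directly) and Marc's guesswork here about what a router firewall allows by default both come down to two concrete checks on the host itself: which sockets are bound to the wildcard address, and an input policy that drops everything except replies to what the host started. The script below is an added example, not the Fritz!Box's rules, not anything from the thread and not a real machine's output: the `ss -tuln` sample it filters is constructed, the interface name is made up, and the nftables ruleset is a plain default-deny host policy with an explicit exception for the DHCP replies dhcpcd needs (those come back from 0.0.0.0/255.255.255.255 and do not reliably match conntrack's established state).

```shell
#!/bin/sh
# Added example: host-side checks for a machine plugged straight into a
# bridged modem. Sample data and interface name are constructed.

# Filter `ss -tuln` output (stdin) down to sockets bound to the wildcard
# address, i.e. reachable from the modem side rather than loopback only.
# Column 5 of `ss -tuln` is "Local Address:Port".
exposed_listeners() {
    awk 'NR > 1 && $5 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $1, $5 }'
}

# Constructed stand-in for `ss -tuln` so the check runs without root or a
# network: two loopback-only services, four listening on every address.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      5      127.0.0.1:631     0.0.0.0:*
EOF
}

# Number of exposed sockets in the sample, as a bare integer.
count_exposed() {
    sample_ss_output | exposed_listeners | wc -l | tr -d ' '
}

# Print a default-deny nftables ruleset for IFACE ($1). Inbound traffic is
# limited to loopback, replies to connections this host opened, the DHCP
# server's answers, and enough ICMP for ping and path MTU discovery.
# Everything else, including every listener found above, is dropped.
host_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        iifname "$1" udp sport 67 udp dport 68 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 5/second accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Usage on a real box (root needed for nft):
#   ss -tuln | exposed_listeners
#   host_ruleset eth0 | nft -f -
```

Run the listener check first and decide for each line whether the service should exist at all; the ruleset only hides them, it does not make them safe. If the machine ever goes back behind a router, the same ruleset still applies, since a router firewall whose effective rules you cannot read (Marc's situation above) is not something to rely on alone.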
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Rich Freeman, 2014-10-31 11:09 UTC
To: gentoo-user

On Fri, Oct 31, 2014 at 6:47 AM, Marc Joliet <marcec@gmx.de> wrote:
> Am Fri, 31 Oct 2014 07:52:54 +0100
> schrieb "J. Roeleveld" <joost@antarean.org>:
>> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
>> >
>> > - I don't know whether we have an IP block or not; I suspect not. At the very least, we didn't make special arrangements to try and get one.
>>
>> Then assume not. Most, if not all, ISPs charge extra for this. (If they even offer it)
>
> That's what I thought :) .

Generally speaking you can't just attach a modem to your LAN and have it act as a DHCP server. Your ISP probably will assign you dynamic IPs, but they will not as a matter of policy assign you more than one unless you pay for them. IPv4 address space is in short supply these days.

I'm using FIOS and in my case the "modem" is in a box in the basement and the ISP provides a router with the service. Whatever you plug into the "modem" will obtain a DHCP lease for one routable IP. If you do plug more than one device into the "modem" then the first device to get the IP is the only one that will get an IP - the modem won't hand out another unless it gets a DHCPRelease from the MAC that was issued the original lease or until that lease expires, or until you call up the ISP on the phone and get them to release it manually.

Another design would be to issue a new IP anytime a device asks for one, but to silently cancel the lease of the last IP that was issued and drop packets using it. For a single device being plugged in that won't have any impact, and if for some reason you buy a new router and plug it in you don't have to worry about your old router still having a lease. This is less standards-compliant, but perhaps more clueless-friendly.

In general, though, you really shouldn't be plugging your ISP's modem into anything but a router for general use. In fact, I have the router provided by my ISP configured as a bridge and running into another router (FIOS uses MoCA over coax in the standard install and I'm too lazy to run CatV and beg Verizon to reconfigure the modem to use the RJ45 connection instead). Note that if you use an ISP-provided router there is a good chance that they can essentially VPN into your LAN. The last time I called up Verizon over a cablecard issue they helpfully turned on DHCP on my router so that it started competing with my DHCP server, and then I was wondering why PXE was randomly failing. Now all they can do is disable bridge mode, which will break my external connection and be a fairly obvious point to troubleshoot.

-- 
Rich
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Marc Joliet @ 2014-10-31 14:52 UTC
To: gentoo-user

On Fri, 31 Oct 2014 07:09:08 -0400, Rich Freeman <rich0@gentoo.org> wrote:
> On Fri, Oct 31, 2014 at 6:47 AM, Marc Joliet <marcec@gmx.de> wrote:
> > On Fri, 31 Oct 2014 07:52:54 +0100,
> > "J. Roeleveld" <joost@antarean.org> wrote:
> >> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> >> >
> >> > - I don't know whether we have an IP block or not; I suspect not. At the
> >> > very least, we didn't make special arrangements to try and get one.
> >>
> >> Then assume not. Most, if not all, ISPs charge extra for this. (If they even
> >> offer it)
> >
> > That's what I thought :) .
> >
>
> Generally speaking you can't just attach a modem to your LAN and have
> it act as a DHCP server. Your ISP probably will assign you dynamic
> IPs, but they will not as a matter of policy assign you more than one
> unless you pay for them. IPv4 address space is in short supply these
> days.
>
> I'm using FIOS and in my case the "modem" is in a box in the basement
> and the ISP provides a router with the service. Whatever you plug
> into the "modem" will obtain a DHCP lease for one routable IP. If you
> do plug more than one device into the "modem" then the first device to
> get the IP is the only one that will get an IP - the modem won't hand
> out another unless it gets a DHCPRelease from the MAC that was issued
> the original lease or until that lease expires, or until you call up
> the ISP on the phone and get them to release it manually.
>
> Another design would be to issue a new IP anytime a device asks for
> one, but to silently cancel the lease of the last IP that was issued
> and drop packets using it. For a single device being plugged in that
> won't have any impact, and if for some reason you buy a new router and
> plug it in you don't have to worry about your old router still having
> a lease. This is less standards-compliant, but perhaps more
> clueless-friendly.
>
> In general, though, you really shouldn't be plugging your ISP's modem
> into anything but a router for general use. In fact, I have the
> router provided by my ISP configured as a bridge and running into
> another router (FIOS uses MoCA over coax in the standard install and
> I'm too lazy to run CatV and beg Verizon to reconfigure the modem to
> use the RJ45 connection instead). Note that if you use an
> ISP-provided router there is a good chance that they can essentially
> VPN into your LAN. The last time I called up Verizon over a cablecard
> issue they helpfully turned on DHCP on my router so that it started
> competing with my DHCP server, and then I was wondering why PXE was
> randomly failing. Now all they can do is disable bridge mode, which
> will break my external connection and be a fairly obvious point to
> troubleshoot.

Right, thanks for the explanation :) . Thankfully, our ISP only gave us the modem (though they also offer modems with WLAN for 5€ a month :-/ ). The router we bought off eBay ourselves :) .

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: J. Roeleveld @ 2014-10-31 11:16 UTC
To: gentoo-user

On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> On Fri, 31 Oct 2014 07:52:54 +0100,
> "J. Roeleveld" <joost@antarean.org> wrote:
> > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> [...]
> > > Oh, and there are two powerline/dLAN adapters in between (the modem is in
> > > the room next door), but direct connections between my computer and my
> > > brother's always worked, and they've been reliable in general, so I assume
> > > that they're irrelevant here.
> >
> > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > might keep getting a different result each time it tries to refresh.
>
> How so? You mean if the modem is directly connected to the powerline
> adapter? I would be surprised if this were a problem in general, since
> AFAIU they're ultimately just bridges as far as the network is concerned,
> not to mention that they explicitly target home networks with multiple
> devices.

Actually, a HUB is a better comparison.
All the powerline adapters all connect to the same network. Some you can set to a network-ID (think vlan) to limit this.
The one time I played with one, I ended up seeing my neighbour's NAS.

> But in the end, it doesn't matter, since it's just for my desktop (which
> doesn't have WLAN built-in); all other clients connect via WLAN.
>
> FWIW, I chose powerline because it seemed like a better (and driverless!)
> alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> quite happy with it.

If you can ensure that only 2 devices communicate, it's a valid replacement for a dedicated network cable. (If you accept the reduction in line-speed)

> > > Furthermore, I found out the hard way that you *sometimes* need to reboot
> > > the modem when connecting a different client for the new client to get a
> > > response from the DHCP server (I discovered this after wasting half a day
> > > trying to get our router to work, it would log timeouts during
> > > DHCPDISCOVER). I didn't think it was the modem because when we first got
> > > it, I could switch cables around between my computer and my brother's and
> > > they would get their IP addresses without trouble. *sigh*
> >
> > That's a common flaw. These modems are designed with the idea that people
> > only have 1 computer. Or at the very least put a router between the modem
> > and whatever else they have.
> > Please note, there is NO firewall on these modems and your machine is fully
> > exposed to the internet. Unless you have your machine secured and all
> > unused services disabled, you might as well assume your machine
> > compromised.
>
> Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
> modem's job boils down to carrying the signal over the cable network and
> (on a higher level) dialing in to the ISP and forwarding packets. I would
> not really expect a firewall there.

There isn't, usually.

> > I once connected a fresh install directly to the modem. Only took 20
> > seconds to get owned. (This was about 9 years ago and Bind was running)
>
> Ouch.

I was, to be honest, expecting it to be owned. (Just not this quick).
It was done on purpose to see how long it would take. I pulled the network cable when the root-kit was being installed. Was interesting to see.

> I just hope the Fritz!Box firewall is configured correctly, especially since
> there doesn't appear to be a UI for it. Well, OK, there is, but it's not
> very informative in that it doesn't tell me what rules (other than manually
> entered ones) are currently in effect; all it explicitly says is that it
> blocks NetBIOS packets. The only other thing that's bothered me about the
> router is the factory default (directly after flashing the firmware) of
> activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.

It will have NAT enabled, which blocks most incoming packets. As long as the router isn't owned, you should be ok.

> Out of curiosity, I looked through the exported configuration file (looks
> like JSON), and found entries that look like firewall rules, but don't
> really know how they apply. It's less the rules themselves, though, than
> the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> software grows just as organically as everybody else's ;-) ). The one thing
> I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> Google only found me other people asking the same question.

Not familiar with those routers. Maybe someone with more knowledge can have a look at the config and shed some light. I would do a find/replace on the username and password you use to ensure that is masked before sending it to someone to investigate.

> Anyway, it *looks* like it blocks everything from the internet by default
> (except for "output-related" and "input-related", which I interpret to mean
> responses to outgoing packets and... whatever "input-related" means), and
> the manual seems to agree by implying that the firewall is for explicitly
> opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> problems, so I'm mostly relieved.

Yes, that's a common setting.

> > > - At the time there was no router, just the modem. We now have a Fritz!Box
> > > 3270 with the most recent firmware, but we got it after I "solved" this
> > > problem.
> > >
> > > - I don't know whether we have an IP block or not; I suspect not. At the
> > > very least, we didn't make special arrangements to try and get one.
> >
> > Then assume not. Most, if not all, ISPs charge extra for this. (If they
> > even offer it)
>
> That's what I thought :) .
>
> Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> directly and ask for his opinion.

Oki, keep us updated.

--
Joost
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: Marc Joliet @ 2014-10-31 14:46 UTC
To: gentoo-user

On Fri, 31 Oct 2014 12:16:04 +0100, "J. Roeleveld" <joost@antarean.org> wrote:
> On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> > On Fri, 31 Oct 2014 07:52:54 +0100,
> > "J. Roeleveld" <joost@antarean.org> wrote:
> > > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> > [...]
> > > > Oh, and there are two powerline/dLAN adapters in between (the modem is in
> > > > the room next door), but direct connections between my computer and my
> > > > brother's always worked, and they've been reliable in general, so I assume
> > > > that they're irrelevant here.
> > >
> > > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > > might keep getting a different result each time it tries to refresh.
> >
> > How so? You mean if the modem is directly connected to the powerline
> > adapter? I would be surprised if this were a problem in general, since
> > AFAIU they're ultimately just bridges as far as the network is concerned,
> > not to mention that they explicitly target home networks with multiple
> > devices.
>
> Actually, a HUB is a better comparison.
> All the powerline adapters all connect to the same network. Some you can set
> to a network-ID (think vlan) to limit this.

Also, AFAICS, all newer ones support encryption (AES128 in my case), where you pair the devices, for which you need physical access to press the necessary buttons. This can be used to similar effect IIUC. No clue on cross-vendor compatibility, though.

However, encryption was mainly targeted at solving the next problem:

> The one time I played with one, I ended up seeing my neighbour's NAS.

Yeah, that problem gets mentioned a lot. You can access every other (compatible) powerline adapter on the same electric network. Adapters on different phases could have trouble communicating, I believe, and cross-talk between cables can lead to data leaking into another network (but my knowledge on things electric is reaching its end). In my case, our apartment has an electric meter that isolates our apartment from the others, so we're fine (plus, the adapters use encryption as mentioned above).

> > But in the end, it doesn't matter, since it's just for my desktop (which
> > doesn't have WLAN built-in); all other clients connect via WLAN.
> >
> > FWIW, I chose powerline because it seemed like a better (and driverless!)
> > alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> > quite happy with it.
>
> If you can ensure that only 2 devices communicate, it's a valid replacement
> for a dedicated network cable.

I didn't explicitly mention this, but the problem is that the router and modem are in my brother's room (four room shared students apartment, plus bathroom and kitchen). Now, I'm not about to drag a cable out of my room, across the hall, and into my brother's room, never mind that neither of us could close our doors anymore without unplugging the cable and dragging it back.

So the alternative would have been to teach my desktop WLAN, which would've been slower unless I could find something for PCI(e) or USB3 that works with Linux, *without* me having to check out some git repository and manually compile things in the hope that it works. The first USB3 WLAN adapter I found would've led to that, so I made a snap decision in favour of powerline. It also didn't hurt that I was curious about it and wanted to try it out :) .

(I actually had to (unexpectedly) do that with my wireless keyboard. Now there's app-misc/solaar, thankfully, although why Logitech couldn't just stick with infrared...)

> (If you accept the reduction in line-speed)

How long ago was this? I read that all modern devices incorporate various filters to mitigate disturbances coming from other devices and, thus, that they perform much better (or at least more robustly) than previous generations (they also *cause* less disturbances). Either way, I can saturate our 16 MiB/s internet connection with enough parallel downloads (or with a fast enough server, such as with speedtest.net), and LAN performance is satisfactory. I suspect one limiting factor is that the powerline adapters only have Fast Ethernet connections (of course, so does the router, so it doesn't matter).

[...]

> > > I once connected a fresh install directly to the modem. Only took 20
> > > seconds to get owned. (This was about 9 years ago and Bind was running)
> >
> > Ouch.
>
> I was, to be honest, expecting it to be owned. (Just not this quick).
> It was done on purpose to see how long it would take. I pulled the network
> cable when the root-kit was being installed. Was interesting to see.

I bet :) !

> > I just hope the Fritz!Box firewall is configured correctly, especially since
> > there doesn't appear to be a UI for it. Well, OK, there is, but it's not
> > very informative in that it doesn't tell me what rules (other than manually
> > entered ones) are currently in effect; all it explicitly says is that it
> > blocks NetBIOS packets. The only other thing that's bothered me about the
> > router is the factory default (directly after flashing the firmware) of
> > activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.
>
> It will have NAT enabled, which blocks most incoming packets. As long as the
> router isn't owned, you should be ok.

Right, I *expected* that, but it's nice to be able to verify it.

> > Out of curiosity, I looked through the exported configuration file (looks
> > like JSON), and found entries that look like firewall rules, but don't
> > really know how they apply. It's less the rules themselves, though, than
> > the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> > though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> > software grows just as organically as everybody else's ;-) ). The one thing
> > I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> > Google only found me other people asking the same question.
>
> Not familiar with those routers. Maybe someone with more knowledge can have a
> look at the config and shed some light. I would do a find/replace on the
> username and password you use to ensure that is masked before sending it to
> someone to investigate.

It's not really important, again, I just like to be able to verify it, although right now I'm probably just being unnecessarily paranoid. AVM's routers have a good reputation (which is why we got one), and I'm inclined to trust them unless given reason to.

> > Anyway, it *looks* like it blocks everything from the internet by default
> > (except for "output-related" and "input-related", which I interpret to mean
> > responses to outgoing packets and... whatever "input-related" means), and
> > the manual seems to agree by implying that the firewall is for explicitly
> > opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> > problems, so I'm mostly relieved.
>
> Yes, that's a common setting.

Again, me being overly focused on this, with a dose of paranoia. I would be surprised if the firewall were set up differently.

[...]

> > Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> > directly and ask for his opinion.
>
> Oki, keep us updated.

Will do.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup
* Re: [gentoo-user] Strange behaviour of dhcpcd
From: J. Roeleveld @ 2014-11-03 8:01 UTC
To: gentoo-user

On Friday, October 31, 2014 03:46:50 PM Marc Joliet wrote:
> On Fri, 31 Oct 2014 12:16:04 +0100,
> "J. Roeleveld" <joost@antarean.org> wrote:
> > On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
>
> I didn't explicitly mention this, but the problem is that the router and
> modem are in my brother's room (four room shared students apartment, plus
> bathroom and kitchen). Now, I'm not about to drag a cable out of my room,
> across the hall, and into my brother's room, never mind that neither of us
> could close our doors anymore without unplugging the cable and dragging it
> back.

I had a similar issue a long time ago. With a little remodeling of the door, you can make room for the wire to pass and the door can then still close. Just make sure you do it without the owner of the building seeing it. (Bottom of the door on side of hinge is a common location)

> So the alternative would have been to teach my desktop WLAN, which would've
> been slower unless I could find something for PCI(e) or USB3 that works
> with Linux, *without* me having to check out some git repository and
> manually compile things in the hope that it works. The first USB3 WLAN
> adapter I found would've led to that, so I made a snap decision in favour
> of powerline. It also didn't hurt that I was curious about it and wanted
> to try it out :) .

PowerLine is ok for this kind of use. I just have too many items on the wires here that can cause interference.

> (I actually had to (unexpectedly) do that with my wireless keyboard. Now
> there's app-misc/solaar, thankfully, although why Logitech couldn't just
> stick with infrared...)
>
> > (If you accept the reduction in line-speed)
>
> How long ago was this? I read that all modern devices incorporate various
> filters to mitigate disturbances coming from other devices and, thus, that
> they perform much better (or at least more robustly) than previous
> generations (they also *cause* less disturbances). Either way, I can
> saturate our 16 MiB/s internet connection with enough parallel downloads
> (or with a fast enough server, such as with speedtest.net), and LAN
> performance is satisfactory. I suspect one limiting factor is that the
> powerline adapters only have Fast Ethernet connections (of course, so does
> the router, so it doesn't matter).

My internet connection is 180Mbit down, 18Mbit up. Without Gigabit network (including the WAN-port), I can't make use of this.

> [...]
>
> > > > I once connected a fresh install directly to the modem. Only took 20
> > > > seconds to get owned. (This was about 9 years ago and Bind was running)
> > >
> > > Ouch.
> >
> > I was, to be honest, expecting it to be owned. (Just not this quick).
> > It was done on purpose to see how long it would take. I pulled the network
> > cable when the root-kit was being installed. Was interesting to see.
>
> I bet :) !

The rootkit also was installed using "make -j". Suddenly slow server is a bit of a give-away.

--
Joost