punkwalrus (punkwalrus) wrote,

Technical junk

What a rough day. I literally spent probably 5 hours today on the phone with Veritas trying to fix our backup server. Four tickets and several levels of techs had been assigned. The consensus seems to be that a previous tech had munged it up around ticket #1 or #2.

In other news, I got ssh working on my FIOS connection. I can now ssh in.

I still have some weird network issues I can't pin down, but they are more annoyances than real problems. The biggest annoyance is traceroute. Here's a traceroute from my Internet box (at work) to Livejournal:

[punkie@remotehost]$ traceroute livejournal.com
traceroute to livejournal.com (, 30 hops max, 38 byte packets
1 2.d6bccf.client.atlantech.net ( 0.489 ms 0.495 ms 0.344 ms
2 core02-ss-ge-1-0-0.ss.atlantech.net ( 0.492 ms 0.441 ms 0.417 ms
3 * core01-ss-ge-0-1-0.1.ss.atlantech.net ( 0.550 ms 0.529 ms
4 edge01-ash-ge-0-1-0.ash.atlantech.net ( 1.808 ms 1.763 ms 1.866 ms
5 equinix-ashburn.layer42.net ( 2.441 ms 2.228 ms 2.353 ms
6 g6-3-400.core2.eqx.layer42.net ( 84.162 ms 84.561 ms 84.560 ms
7 g6-16-91.core2.eqx.layer42.net ( 146.261 ms 144.558 ms 138.357 ms
8 te1-1-925.core1.scl2.layer42.net ( 85.158 ms 84.918 ms 84.832 ms
9 g4-3.800.core2.scl2.layer42.net ( 84.973 ms 85.146 ms 84.829 ms
10 te4-1-926.core1.sfo.layer42.net ( 86.189 ms 86.252 ms 85.763 ms
11 ge0-2-0.edge1.tme.sixapart.com ( 86.212 ms 85.771 ms 86.166 ms
12 ve102.core1.tme.sixapart.com ( 86.753 ms 86.509 ms 86.325 ms
13 livejournal.com ( 86.179 ms 86.339 ms 85.802 ms

Yet, from my home systems, behind the FIOS router, I get this:

[punkie@localhost]$ traceroute livejournal.com
traceroute to livejournal.com (, 30 hops max, 38 byte packets
1 cerberus ( 0.329 ms 0.263 ms 0.210 ms
2 livejournal.com ( 0.908 ms 0.910 ms 0.670 ms
3 livejournal.com ( 4.951 ms 4.503 ms 4.965 ms
4 livejournal.com ( 4.979 ms 4.207 ms 4.916 ms
5 livejournal.com ( 8.395 ms 8.594 ms 7.361 ms
6 livejournal.com ( 7.569 ms 6.668 ms 7.385 ms
7 livejournal.com ( 82.541 ms 81.784 ms 82.545 ms
8 livejournal.com ( 82.451 ms 81.717 ms 82.422 ms
9 livejournal.com ( 84.999 ms 84.390 ms 84.900 ms
10 livejournal.com ( 82.736 ms 81.701 ms 82.336 ms
11 livejournal.com ( 85.079 ms 84.021 ms 84.889 ms

The connection to my system is this:

{ internet } ==> [FIOS ROUTER] -- via "DMZ port" --> [LINUX GATEWAY] --> [localhost]

I think there's some packet my router is filtering out, or some SNAT issue. The FIOS Router (FR) gets DHCP (not PPOe) from Verizon, and then gives out the private address of to my Linux Gateway (LG) via DHCP with NAT. The LG then gives out private addressing with DHCP (or static) NAT to the rest of my network (including localhost in that map). I suppose I could remove my LG, but it provides internal DNS for my SETI Hosts, web caching and web filtering, things the Verizon router does not have. Besides, it's highly configurable.

When I had cable Internet, the cable modem was in front of the LG. My ssh port was 2222; I did this to reduce auto-probe denials from skript kiddies. This was forwarded to a box that did ssh to the rest of the network. When I got FIOS, I thought I could port forward my renamed port 2222 to port 2222 on the LG, but that did not work. What I had to do instead was put the LG on the FR's "DMZ," which pretty much exposes the whole line to raw Internet... but this is okay, security-wise, because the LG protects me the same way it did because the raw Internet from the cable modem. But as you can see, traceroute is not working.

I think it's filtering some UDP packet traceroute depends on. I am not sure if the FR is doing this, or the connection between the FR and the LG. I am going to hook up a vanilla Linux box to a non-DMZ port off the FR, and see if I get the same result, and if so, then I'll know it's something Verizon does (or at least the router).
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded