ER7206 routing local WAN traffic through gateway for no reason.
This one is really odd. Traffic originating on the LAN side of the ER7206 destined for another host on the WAN side, but local to the WAN, is routed through the gateway for some reason. Interestingly this only happens with IPv4, the IPv6 traffic is routed correctly.
The ER7206 is configured via an OC300 controller.
WAN Network | AA.BB.CCC.72/29 |
MODEM/ROUTER | AA.BB.CCC.78 |
ER7206 WAN | AA.BB.CCC.73/29 with Gateway = AA.BB.CCC.78 |
ER7206 LAN | 10.99.1.0/24 |
Server | AA.BB.CCC.74 /29 with Gateway = AA.BB.CCC.78 |
Traceroute from host on LAN to Server:
traceroute to AA.BB.CCC.74 (AA.BB.CCC.74), 64 hops max
1 10.99.1.1 0.571ms 0.438ms 0.477ms
2 AA.BB.CCC.78 2.526ms 1.789ms 1.817ms
3 AA.BB.CCC.74 2.263ms 1.960ms 2.024ms
Traceroute from server to ER7206:
traceroute to AA.BB.CCC.73 (AA.BB.CCC.73), 64 hops max
1 AA.BB.CCC.73 1.251ms 0.813ms 0.519ms
This is causing issues because the Gateway is doing things it shouldn't with the local traffic.
I tried adding some static routes and that didn't seem to fix anything. I figured that wouldn't work because it doesn't make sense to add link local routes like that.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Well, I think I know what's going on. I have a Comcast Business account. After much deeper diving and more experimenting. I'm pretty sure the Comcast router is doing some very unethical and out-of-spec ARP spoofing.
If I turn on "ARP Spoofing Defense" and hard code the IP address to its MAC address on the same page on the OC300 then basically everything breaks.
I apologize for the issue, I don't think this is a tp-link problem.
I think the only way I could solve this at the tp-link layer would be by attempting to do some MAC level ACLs at the switch. But even then I don't see a combination of rules that might fix it.
What I would really need is the ability to pin a MAC address to a specific port on a switch and I don't think that exists.
- Copy Link
- Report Inappropriate Content
I initially thought this might have been an ARP issue. But checking the ARP table through the terminal window of the ER7206 I can see that the ARP table is correct. The router definitely has the correct MAC addresses for all the IP addresses involved.
- Copy Link
- Report Inappropriate Content
Hi @gantzm
Thanks for posting in our business forum.
What's wrong with this? I don't see a problem. Point it out for me?
- Copy Link
- Report Inappropriate Content
traceroute to AA.BB.CCC.74 (AA.BB.CCC.74), 64 hops max
1 10.99.1.1 0.571ms 0.438ms 0.477ms
2 AA.BB.CCC.78 2.526ms 1.789ms 1.817ms
3 AA.BB.CCC.74 2.263ms 1.960ms 2.024ms
The traceroute was run from a host inside the LAN. It hits the ER7206 on the LAN side. When in leaves the ER7206 on the WAN side it should go directly to AA.BB.CCC.74, remember the ER7206 address on the WAN is AA.BB.CCC.73. Host AA.BB.CCC.74 and the ER7206 are on the same segment, they can talk directly to each other.
There is something seriously mis-configured for the traffic to first bounce of off AA.BB.CCC.78. It's like the ER7206 doesn't understand the IPv4 link route.
In Linux this route would look something like the following on a router:
AA.BB.CCC.72/29 dev eth0 proto kernel scope link
But the ER7206 is NOT delivering local traffic to the segment it is instead handing it off to the gateway for no reason. In the above traceroute AA.BB.CCC.78 IS NOT the ER7206 it's actually the gateway router.
You'll notice when the trace is run in reverse the traffic never hits the gateway it goes directly where it is supposed to.
And I can demonstrate this is happening because the gateway router passes-thru all traffic except DNS traffic. When I communicate with port 80 on the .74 server everything works. When I try and communicate with port 53 on the .74 server the gateway hijacks that traffic. ( Yeah, I know bad gateway router. But it is what it is. ) So this just isn't an ICMP thing. The ER7206 is routing local traffic incorrectly.
Interestingly enough this is only happening with IPv4 traffic. Local IPv6 traffic is routed correctly. This is most likely because routing in IPv6 is a little more automatic.
- Copy Link
- Report Inappropriate Content
Hi @gantzm
Thanks for posting in our business forum.
gantzm wrote
traceroute to AA.BB.CCC.74 (AA.BB.CCC.74), 64 hops max
1 10.99.1.1 0.571ms 0.438ms 0.477ms
2 AA.BB.CCC.78 2.526ms 1.789ms 1.817ms
3 AA.BB.CCC.74 2.263ms 1.960ms 2.024ms
The traceroute was run from a host inside the LAN. It hits the ER7206 on the LAN side. When in leaves the ER7206 on the WAN side it should go directly to AA.BB.CCC.74, remember the ER7206 address on the WAN is AA.BB.CCC.73. Host AA.BB.CCC.74 and the ER7206 are on the same segment, they can talk directly to each other.
It should hit the gateway first. What's wrong with it? WAN is actually a larger LAN. Does it make sense to you?
Even if there is a problem, it is your ISP's problem that fails to avoid unnecessary routes and find the shortest path.
- Copy Link
- Report Inappropriate Content
No, that's not how this works. The ER7206 is handing the traffic off to the wrong device. This has nothing to do with the ISP. All of this traffic is local to the ER7206, none of this traffic should be seen by the ISP router yet the ER7206 is sending the traffic there for no reason.
Run this up the flag pole to a network engineer and let them see what it's doing. This is not correct.
Explain to me why traffic local to the ER7206 should go to the gateway? The destination is on the same network subnet as the ER7206 WAN port. It's local traffic.
That's like saying if you had 200 computers on a network segment and they wanted to talk to each other that all the traffic would have to go through the gateway first, that clearly doesn't make any sense. And that's not how networks operate.
- Copy Link
- Report Inappropriate Content
Hi @gantzm
Thanks for posting in our business forum.
gantzm wrote
No, that's not how this works. The ER7206 is handing the traffic off to the wrong device. This has nothing to do with the ISP. All of this traffic is local to the ER7206, none of this traffic should be seen by the ISP router yet the ER7206 is sending the traffic there for no reason.
Run this up the flag pole to a network engineer and let them see what it's doing. This is not correct.
Explain to me why traffic local to the ER7206 should go to the gateway? The destination is on the same network subnet as the ER7206 WAN port. It's local traffic.
That's like saying if you had 200 computers on a network segment and they wanted to talk to each other that all the traffic would have to go through the gateway first, that clearly doesn't make any sense. And that's not how networks operate.
What would be your DNS server?
- Copy Link
- Report Inappropriate Content
Stop, this has nothing to do with the ISP or DNS. You're missing the underlying point. Please answer the following question:
Why is the ER7206 sending packets to the gateway address when the destination address is local to the WAN subnet?
That's it, just answer that question.
- Copy Link
- Report Inappropriate Content
gantzm wrote
And I can demonstrate this is happening because the gateway router passes-thru all traffic except DNS traffic. When I communicate with port 80 on the .74 server everything works. When I try and communicate with port 53 on the .74 server the gateway hijacks that traffic. ( Yeah, I know bad gateway router. But it is what it is. ) So this just isn't an ICMP thing. The ER7206 is routing local traffic incorrectly.
Interestingly enough this is only happening with IPv4 traffic. Local IPv6 traffic is routed correctly. This is most likely because routing in IPv6 is a little more automatic.
You mentioned it. So I asked it.
Show me your routing table. I don't see what you said on my test. Argh, I should've tested it myself before I jumped into this mire.
ER706W-4G WAN 192.168.12.4 and subnet 192.168.12.1/24
ER706W-4G LAN 172.31.0.1
A different router and server 192.168.12.5 and 192.168.12.250.
- Copy Link
- Report Inappropriate Content
OK, this is starting to get really weird. So seeing that yours appeared to be working I started doing some experimenting.
I changed the ER7206 WAN address to something completely different and invalid. Then I let it sit for a few minutes to make sure the configuration took hold.
At that point I obvisouly could not communicate with the Internet, which was expected.
Then I reset my ER7206 WAN parameters back to the original settings.
And guess what, it started working correctly, for about 3 minutes.
So for those first 3 minutes I could communicate with my server without the packets going through the gateway.
Afterwards the ER7206 again got confused and traceroutes to the server were getting routed through the gateway, again.
There are no manual routes entered into my ER7206.
What routing table to you wish to see? As far as I can tell, I have no access to the internal routing table on the ER7206. Even from the 'Terminal' I don't see a way to show routes that were not manually entered as static.
- Copy Link
- Report Inappropriate Content
Well, I think I know what's going on. I have a Comcast Business account. After much deeper diving and more experimenting. I'm pretty sure the Comcast router is doing some very unethical and out-of-spec ARP spoofing.
If I turn on "ARP Spoofing Defense" and hard code the IP address to its MAC address on the same page on the OC300 then basically everything breaks.
I apologize for the issue, I don't think this is a tp-link problem.
I think the only way I could solve this at the tp-link layer would be by attempting to do some MAC level ACLs at the switch. But even then I don't see a combination of rules that might fix it.
What I would really need is the ability to pin a MAC address to a specific port on a switch and I don't think that exists.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 790
Replies: 10
Voters 0
No one has voted for it yet.