NormanS (Premium, MVM, join: 2001-02-14, San Jose, CA, Pacific Bell - SBC)
reply to d_l
Re: SpeedStream 4100: "Bridged mode" vs "PPP on the computer"
[Screen shot: Netgear FVS114 firewall.]
The DMZ is a common NAT function, found on routers without firewalls, as well as routers with firewalls.
When I think of firewall, I don't think of NAT, or port forwarding. I think of Access Control. Some routers have it. Many do not. The screen shot shows my Netgear FVS114 firewall. I have seen such on the D-Link D-704UP, the Netgear FR114P, and the SMC Barricade 7004BR with a certain firmware level, though that was only limited to eight entries each way (outbound and inbound). I have not seen it on earlier firmware versions on the SMC Barricade 7004BR, nor on the oldest hardware level of the Linksys BEFSR11, and related Linksys products.
I believe some call it an SPI filter. Unlike NAT port forwarding, which can only control local port access by the entire Internet, this SPI filter, firewall, or ACL (you pick the term which best fits) controls remote and local access by IP address, or range of IP addresses.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
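An added example (Python, not code from this thread or from any of the routers mentioned) that models the distinction drawn above: a NAT port-forward table alone exposes a forwarded port to every Internet source, while an ACL keyed on address ranges restricts who may reach it and what the LAN may reach outbound. All hosts, ranges and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (constructed, not from the forum or any Netgear/SMC firmware):
# contrasts a NAT port-forward table, which can only say which LAN host a port
# goes to and therefore opens it to the whole Internet, with an ACL that
# filters by source/destination address range in both directions.

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    src: str
    dst: str
    dport: int

# NAT port forwarding: destination port -> LAN host, no notion of who is asking.
PORT_FORWARDS = {80: "192.168.1.10", 3389: "192.168.1.20"}

# ACL entries: (direction, remote network, local network, dst port or None, action).
# First match wins; inbound defaults to drop, outbound to allow.
ACL = [
    ("in",  "198.51.100.0/24", "192.168.1.20/32", 3389, "allow"),  # admin range only
    ("in",  "0.0.0.0/0",       "192.168.1.20/32", 3389, "deny"),   # everyone else
    ("in",  "0.0.0.0/0",       "192.168.1.10/32", 80,   "allow"),  # public web server
    ("out", "192.0.2.0/24",    "0.0.0.0/0",       None, "deny"),   # LAN may not reach this range
]

def nat_only(pkt: Packet) -> str:
    """Router with NAT but no ACL: any Internet source reaches a forwarded port."""
    if pkt.direction == "out":
        return "allow"
    target = PORT_FORWARDS.get(pkt.dport)
    return f"forward->{target}" if target else "drop"

def with_acl(pkt: Packet) -> str:
    """Same router with an ACL consulted before the NAT decision."""
    if pkt.direction == "in":
        local = PORT_FORWARDS.get(pkt.dport)  # pre-NAT dst is the public IP; map it to the LAN host
        if local is None:
            return "drop"
        remote = pkt.src
    else:
        local, remote = pkt.src, pkt.dst
    for direction, rnet, lnet, port, action in ACL:
        if direction != pkt.direction or (port is not None and port != pkt.dport):
            continue
        if (ipaddress.ip_address(remote) in ipaddress.ip_network(rnet)
                and ipaddress.ip_address(local) in ipaddress.ip_network(lnet)):
            return action if action == "deny" else nat_only(pkt)
    return "allow" if pkt.direction == "out" else "drop"
```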
d_l (Barsoom, Premium, MVM, join: 2002-12-08, Reno, NV)
reply to NormanS
Actually if you allow the modem to issue the 192.168.1.64 IP to your router, you are using the DMZ function of the 4100's internal router. From the CLI of the 4100:
    xsh> show ipfw dmz
    Firewall DMZ is enabled, DMZ Host IP = 192.168.1.64
NormanS (Premium, MVM, join: 2001-02-14, San Jose, CA, Pacific Bell - SBC)
reply to d_l
said by d_l: The underlying CLI of the 4100 has numerous firewall function settings. I haven't tested whether all of them are still functional or not. It is probably possible to go under the AT&T GUI firmware and change some firewall settings which would remain operative once the GUI locks out telnet access.
That is a bit of an obscure thing. Most AT&T users of the SBC issued SS4100 don't even know about the Telnet access, or CLI. I don't find it necessary to use the SS4100 beyond the limited mode that SBC issued; I have all the firewall I need on the router.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
d_l (Barsoom, Premium, MVM, join: 2002-12-08, Reno, NV)
reply to NormanS
The underlying CLI of the 4100 has numerous firewall function settings. I haven't tested whether all of them are still functional or not. It is probably possible to go under the AT&T GUI firmware and change some firewall settings which would remain operative once the GUI locks out telnet access.
NormanS (Premium, MVM, join: 2001-02-14, San Jose, CA, Pacific Bell - SBC)
reply to 59126125
said by 59126125: Does it still do firewall functions?
I am not aware that the SS4100 has firewall functions. I certainly can't find any. But what do I know? I am just used to having a device with firewall functions; my Netgear FVS114.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
59126125 (Premium, join: 2006-01-21)
reply to nwrickert
Kick ass, I love it when it all clicks. Maybe I'll get the hang of this networking stuff after all.
nwrickert (sand groper, Premium, MVM, join: 2004-09-04, Geneva, IL)
reply to 59126125
said by 59126125: So, all in all, the 4100 is never classified as a router until it actually does the login?
That's correct (at least for the SBC version of the 4100).
59126125 (Premium, join: 2006-01-21)
reply to d_l
Oh yeah, forgot about that situation. Which brings up more questions. It apparently wouldn't be doing NAT or have a WAN IP in that situation either. So I'm assuming it would technically be a smart bridge. Does it still do firewall functions? So, all in all, the 4100 is never classified as a router until it actually does the login?
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
d_l (Barsoom, Premium, MVM, join: 2002-12-08, Reno, NV) (1 edit)
reply to 59126125
If you set the modem to be PPP on the modem, leave the UserID/PW blank, and let the router or computer initiate the PPPoE connection, you pretty much end up with your Mode 2 with some slight differences, e.g. the modem is continually broadcasting to the computer/router.
59126125 (Premium, join: 2006-01-21)
reply to 59126125
I like pictures since it is easier to remember that way. So I made a diagram of my now corrected understanding of the three PPP settings on the 4100 modem. I'm sure that other people have been confused about this also, so here is the diagram. Again, I would appreciate any corrections and another thank you for the information from nwrickert and wayjac.
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
59126125 (Premium, join: 2006-01-21)
reply to nwrickert
Thanks for the info, quite the confusing concept, but at least it makes some sense now. I think it's time for a scotch...
nwrickert (sand groper, Premium, MVM, join: 2004-09-04, Geneva, IL)
reply to 59126125
Correct.
59126125 (Premium, join: 2006-01-21)
reply to nwrickert
Ah, I think it is getting clearer now. So basically, whatever device does the authentication gets assigned the IP from the Redback. So, when the 4100 is set to "PPP on the computer", the modem has to "bridge" straight to a LAN IP for the connection to work to the MAC address. Yet, it keeps a LAN IP so it can be accessed via regular ethernet. Do I finally have it right?
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
nwrickert (sand groper, Premium, MVM, join: 2004-09-04, Geneva, IL, AT&T U-Verse, AT&T Midwest)
reply to 59126125
In mode 2 (from your list), the 4100 is not an IP device on the WAN. It has no WAN IP, and it does not know what the public IP should be. It merely accepts ethernet frames from the redback, and bridges them to the local ethernet. It likewise picks up ethernet frames on the local ethernet, and bridges those to the redback.
In addition, it assigns itself an IP address of 192.168.0.1 on the local ethernet, and can exchange IP packets with other systems on the local ethernet. It does not exchange IP packets with WAN hosts - it only bridges ethernet frames but does not look inside those frames. It does give out a DHCP address of 192.168.1.64 to one client on the local ethernet. This would normally be used only for getting the modem statistics.
A local host on the ethernet can do the authentication. But then that same local host has to use the assigned WAN address, and has to extract IP packets from the PPPoE transmissions that it receives. It can't just authenticate - it has to do all of the PPPoE. If that local host wants to act as a router, it can. But then it needs a second ethernet interface.
Mode 3 (bridged mode) differs in that it does not do DHCP. I think (but I'm not sure) that it will still accept packets to IP=192.168.0.1 for requesting statistics. But the computer that wants to see the statistics would need to be manually configured with IP=192.168.1.64, netmask=255.255.0.0.
-------
Let me describe my WAP (Wireless Access Point). The WAP is, in effect, a bridge between the WiFi LAN and the wired LAN. It acts on ethernet frames, and transfers them between the wired LAN and the wireless LAN. It does not do any routing, so both wired and wireless LANs have to share the same range of IP addresses. The WAP happens to also have an IP address. It is a smart bridge, and uses its own IP address so that you can configure it. But, except when you are configuring the WAP (or getting info on settings from the WAP), it is acting only as a bridge.
The 4100 in "PPP on computer" mode is likewise a smart bridge. It is mostly doing bridging, but it has its own IP address on the LAN so that it can be configured and so that you can get info from it. It happens to also give out a DHCP address to make that configuration a little easier to do.
wayjac (Premium, MVM, join: 2001-12-22, Indy, AT&T Midwest)
reply to 59126125
The PPPoE client, regardless of where it is, gets the WAN IP info.
PPP on the modem and PPP on the computer have a lot in common: the modem's LAN DHCP server is active, and with the correct configuration another device can do the PPPoE.
In Bridged mode the modem's LAN DHCP server is disabled.
I agree fully with statements 1 and 3; statement 2 should read just like statement 3 with a few "buts".
-- God bless our troops
59126125 (Premium, join: 2006-01-21)
reply to nwrickert
Ok, still confused. Here is my understanding of how the three different configurations for the 4100 work, and I would appreciate any corrections.
1. PPP on the modem - modem authenticates, is first IP device in contact with the WAN network and is assigned the WAN IP from the AT&T Redback router. 4100 hands out private IP to first device behind it. 4100 acting as a router.
2. PPP on the computer - any device behind the 4100 can do the authentication, yet the 4100 is still the first IP device in contact with the WAN and still gets assigned the WAN IP from the AT&T Redback router. 4100 hands out private IP to first device behind it. 4100 acting as a router.
3. Bridged Mode - 4100 ceases to exist as far as IP goes and merely translates protocols and forwards packets. The router is now assigned the WAN IP from the AT&T Redback router since it is the first IP device in contact with the WAN. The router is now on the same network as the Redback Router. 4100 acting as a bridge.
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
nwrickert (sand groper, Premium, MVM, join: 2004-09-04, Geneva, IL)
reply to 59126125
If the 4100 is fully bridged, it is talking ethernet, not TCP/IP. It doesn't have a WAN IP address. The WAN IP address is assigned over PPPoE, so is assigned to the system that actually does the PPPoE.
59126125 (Premium, join: 2006-01-21)
reply to docinthebox
My understanding is when the 4100 is fully bridged the router is then assigned a WAN IP (69.xxx.xxx.xxx), but if the 4100 is configured to "PPP on the computer" it still hands out a LAN IP (192.xxx.xxx.xxx) to the router.
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
nwrickert (sand groper, Premium, MVM, join: 2004-09-04, Geneva, IL, AT&T U-Verse, AT&T Midwest)
reply to 59126125
Let's remember that the 4100 has several modes of operation. In some of those modes, it is acting as a router.
We were, in particular, discussing the "PPP on computer" mode. There, it is simply taking the ethernet frames it receives encapsulated in the ATM data, and placing them on the local ethernet. It is not examining the content of those frames at all. It is not seeing the IP address encoded in the PPPoE data that is encapsulated in the ethernet frames.
Quite separately from its action as above, it also gives out a single DHCP address purely for communication on the LAN.
For LAN communication, it will receive ethernet frames addressed to the 4100 MAC address. For PPPoE communication it will handle frames addressed to the ISP equipment at the other side of the bridge (which tunnels through the ATM network). There is no difficulty distinguishing between these two classes of frames.
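An added example (Python, not code from this thread or from the SpeedStream 4100 firmware) that models the two classes of frames described in this post and in the "mode 2" post further down: frames addressed to the modem's own MAC (or ARP for 192.168.0.1) go to its small IP stack, PPPoE frames are bridged toward the WAN without their payload ever being parsed. The modem MAC, host MAC and sample frames are constructed.

```python
# Added example, not code from the forum or from the SpeedStream 4100 firmware:
# a toy model of what the 4100 in "PPP on the computer" mode does with a frame
# arriving from the LAN. PPPoE is relayed by EtherType alone, so the bridge never
# sees the WAN IP negotiated inside the PPP session.
import struct

MODEM_MAC = bytes.fromhex("001122334455")     # assumed modem LAN MAC (constructed)
MODEM_IP = bytes([192, 168, 0, 1])            # the 4100's own LAN address
BROADCAST = b"\xff" * 6
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864   # PPPoE discovery / session

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (FCS omitted)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Broadcast 'who has target_ip' as a full Ethernet frame."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return build_frame(BROADCAST, sender_mac, ETH_ARP, arp)

def classify(frame: bytes) -> str:
    """Return where the smart bridge sends a LAN-side frame."""
    if len(frame) < 14:
        return "drop-runt"
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        # Belongs to the PPPoE client host and the ISP concentrator; relayed unread.
        return "bridge-to-wan"
    if dst == MODEM_MAC:
        return "local-ip-stack"             # e.g. a stats request to 192.168.0.1
    if dst == BROADCAST and ethertype == ETH_ARP and len(frame) >= 42:
        target_ip = frame[14 + 24:14 + 28]  # ARP target protocol address field
        # Only ARP asking for the modem's own address concerns its IP stack.
        return "local-ip-stack" if target_ip == MODEM_IP else "ignore"
    return "ignore"                         # LAN-to-LAN traffic is none of its business

def demo() -> dict:
    """Constructed sample frames run through the classifier."""
    host = bytes.fromhex("00deadbeef01")
    pppoe_payload = b"\x11\x00\x00\x01\x00\x02\x00\x21"  # PPPoE v1/type1, session 1, PPP IPv4
    return {
        "stats": classify(build_frame(MODEM_MAC, host, ETH_IPV4, b"\x45" + b"\x00" * 19)),
        "pppoe": classify(build_frame(bytes.fromhex("00aabbccddee"), host, ETH_PPPOE_SESS, pppoe_payload)),
        "arp_modem": classify(build_arp_request(host, bytes([192, 168, 0, 50]), MODEM_IP)),
        "arp_other": classify(build_arp_request(host, bytes([192, 168, 0, 50]), bytes([192, 168, 0, 77]))),
    }
```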
docinthebox (join: 2003-01-25, Laurel, MD)
reply to 59126125
I thought the 4100 is forwarding packets from the WAN side (69.xxx.xxx.xxx) to the WAN port of the router which is still 69.xxx.xxx.xxx. It is the router that's connecting 69.xxx.xxx.xxx with 192.xxx.xxx.xxx