Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[PhilipD]

Hi

I use the Thinkbroadband line monitor which pings my router continuously to have a record of any issues and I've noticed a couple of differences with the ZyXEL to previous routers.

1) With DoS protection enabled on the ZyXEL it sees the pings from Thinkbroadband as a DoS attack, some seem to get through but a lot are blocked.  I've raised this with ZyXEL tech support as I suspect they've set too low a threshold on the number of pings it takes to trigger a DoS reaction.  With DoS off pings get through okay.

2) Ping response times: I've included 2 charts from Thinkbroadband plotting ping responses.  I know this isn't a network issue as I was swapping routers around with the problems I had and could see the immediate differences.  The same higher latency peaks were seen regardless if connecting via the HG612 or using the internal VDSL modem.  So the ZyXEL isn't responding consistently to pings, look at the overnight period and compare to a trace from the Billion.  Lots of slow responses to pings from the ZyXEL even though nothing is using the router overnight, so there should be no reason for some higher latency responses.

I did think it may be QoS, so tried turning it off and also tried setting ICMP to the Voice priority, but it didn't change the ping responses.  Is this a problem, should this be happening? 

Regards

Phil

[jid]

Different routers handle the priority of ICMP pings differently - the Zyxel probably just puts them at a lower priority than the Billion.

I'd say this is backed up as QoS affects them on the Zyxel, so its likely thats its putting a lower priority on ping traffic, hence you see different ping times than with the Billion

[PhilipD]

Hi

Yes I thought that, although turning QoS off or setting pings to a higher priority queue didn't seem to change it.  However if there is no traffic passing overnight, why would pings get a lower priority as there is nothing to prioritise them over?

Regards

Phil

[npr]

1) With DoS protection enabled on the ZyXEL it sees the pings from Thinkbroadband as a DoS attack, some seem to get through but a lot are blocked.  I've raised this with ZyXEL tech support as I suspect they've set too low a threshold on the number of pings it takes to trigger a DoS reaction.  With DoS off pings get through okay.

The firewall log reports it as a "Port Scan Attack" 
I've got around it by using the following iptables rule which allows pings from a TBB range of IP's.

The telnet command I used:
iptables -I INPUT 1 -s 80.249.99.0/24 -p icmp --icmp-type echo-request -j ACCEPT

The following command can be used to show the rules in the chain INPUT before and after issuing the above command.
iptables -L INPUT --line-numbers

AFAIK this setting does not survive a reboot.

[PhilipD]

Hi

I've added that rule in now and re-enabled DoS, which then interestingly was still showing a Port Attack (Pings) from 2 IP addresses away from my own IP address, on browsing to the IP address I'm met with a FireBrick FB6102 log in page.  The IP address belongs to my own ISP so it's their own monitoring box, no wonder the Internet LED blinks constantly. 

It also seems to indicate these haven't been tested too well if the DoS is blocking a more or less industry standard line monitoring tool that must be in use by many ISPs.  I've not known a DoS system on any other router flag these pings as an attack before.

I will drop support another email with the type and model of this FireBrick.

Edit, just reading Thinkbroadbands explanation of their monitoring and it's only one ping a second, seems a rather oversensitive DoS system on these then.

Regards

Phil

[npr]

But is the TBB ping graph working now?

You could always add another rule to allow the ISP pings, I guess you'll be waiting a while for ZyXEL support to get this fixed. 

[PhilipD]

Hi

Yes indeed, I've added two rules and re-enabled the DoS which is logging quite a few pings as attacks from AT&T in America for some reason, plus constant attacks registered from various places in China.

Thinkbroadband is working fine now with DoS enabled.

Regards

Phil

[kitz]

Different routers handle the priority of ICMP pings differently - the Zyxel probably just puts them at a lower priority than the Billion.

I'd say this is backed up as QoS affects them on the Zyxel, so its likely thats its putting a lower priority on ping traffic, hence you see different ping times than with the Billion

This has been mentioned before and its been assumed to be QoS and priority given to ICMP

Its never really been much of an issue with me (providing Im on a decent PN gateway).

[tbailey2]

Hi

I've added that rule in now and re-enabled DoS, which then interestingly was still showing a Port Attack (Pings) from 2 IP addresses away from my own IP address, on browsing to the IP address I'm met with a FireBrick FB6102 log in page.  The IP address belongs to my own ISP so it's their own monitoring box, no wonder the Internet LED blinks constantly. 

Regards

Phil
Which log are you finding the entries in please? I 've run this command this after initially blocking TBB (okay now) but can't find any log entries - Attack seems the correct category but all the logs appear to be empty....  I'd already enabled the relevant entries under the Security log settings

Also, is there a GUI command to establish a new session without rebooting?

TIA

[AArdvark]

Also, is there a GUI command to establish a new session without rebooting?

Click the Connection Status 'Button' Bottom left main screen.
Then click the Status Button far right middle of screen (Button with > on it)
The screen you get to gives 'Device Informaton', 'System Status', 'Interface Status'.
9-10 lines down on the Device Information listing is the 'Disconnect/Connect Button'
You can kill your PPP session with this. It can take a while to re-establish so wait 20-30 seconds and watch the 'Internet light' on the modem.

all the logs appear to be empty....

In Log settings under Syslog Settings have you set the 'Mode' to Local File.
This is the way I got log entries to appear.

[tbailey2]

Okay thanks - no had missed that 'Local' setting but enabled now and am seeing entries 

Okay on the session button.

I also see that it only seems to allow one Telnet session currently - while that was open DSLstats couldn't connect to the ZyXel... I don't suppose there is a setting ... 

[AArdvark]

Firmware version 6b2 introduced a 1 Telnet session limit.

It appears it is still there. (Kitz had reported the problem to Zyxel, looks like they have not changed things (yet ??!!).

If you require multiple Telnet sessions you will need to downgrade to firmware 6b1. 

[PhilipD]

Hi

Another interesting problem.  Found my download speeds have consistently halved, from 75Mbps to 37Mbps (and this can't be blamed on a PlusNet gateway, I'm not with them  ), turning of QoS on the ZyXEL and back up to 75Mbps, turn it back on and it drops to half, upload speeds are unaffected.  The WAN managed upstream and downstream settings are blank, so I tried manually adding full line speeds and it makes no difference.

Even stranger is speed via Wi-Fi are full speed and not restricted, let the wired LAN seems to be restricted to half speed.  So QoS has somehow get itself confused, turn QoS off and all okay.

Edit: Seems to have been caused by a QoS rule I had put in to priorities ICMP pings and this was from LAN to WAN (I was trying to see if I could give them a higher priority) and this appears to have reserved half the bandwidth via the LAN.

Regards

Phil

[AArdvark]

I don't think it was reserving half the bandwidth.
It sounds like the rule was forcing every packet passing from WAN to LAN to be examined and you were hitting the processing limit of the processor.
The reason the WiFi was working OK was that the rule was not operating on it.
There are interfaces for Lan1 to Lan4 and Wireless.

Out of interest what did you set the rule to ?

[PhilipD]

Hi

I added a new entry in Queue Setup leaving everything at defaults but selecting the Interface as WAN, then under Class Setup added a new Classifier for ICMP set to use the from Interface as VDSL, set IP protocol to ICMP, and set the outgoing queue to the new one added.

The idea was to try and raise the priority of the pings being received by the router, however I don't think this would make any difference anyway as I would think the QoS is only affecting traffic going from WAN to LAN/WLAN or back again, and would miss doing anything to pings being received only on the WAN side. 

Regards

Phil