Does having multiple RJ45 jacks degrade the Internet signal a lot?

There are/were plenty of one port routers on the market, especially if we mean one LAN port.** That's all that are needed, and the minimal number of ports doesn't make it any less of a router. It just means you'll probably connect the switch of your choice to the LAN side rather than use the built-in switch (since in the case of a one port router there is no built in switch).

**Technically, a router can get by with just one port which would be used for both WAN and LAN, but I don't know of any examples of that, given the context of this discussion.

I still don't know why there would be possible address conflicts, though. Properly configured, a router never has the same subnet on its WAN and LAN sides.

Oh, wait, Jeff mentioned that some DSL modem/routers default to a certain IP range on their LAN side, and adding a second router might introduce the possibility of THAT device also wanting to use that same IP range. But in his example, the DSL modem/router auto configured itself to avoid the conflict. The possibility exists, I suppose, that not all DSL modem/routers are smart enough to auto configure themselves that way, and some standalone routers don't give the user the capability to configure the LAN subnet. Nearly all of my recent experience is with dd-wrt, though, so configuring the subnet is second nature and I sometimes forget that stock firmware may not offer that.

Correct. If you use a switch with a combo modem/router device, the router in the combo device is where you'll make all of your configurations. However, if you add a second router in series, then it makes sense to "DMZ the modem to the router", as you call it, and then make all of your configurations in the second router.

Yes, I know "DMZ" is the wrong term for what we're discussing, but Linksys bastardized it long ago so I'm just using it the way they do. Network engineers no doubt are cringing, as they should.

Reply to
Char Jackson

My earlier Google search turned up your second link above, so now I have two copies of the 4200 User Guide. Absolutely no doubt about it, it's a combo DSL modem + router + 4-port switch. What are you seeing that makes you think it's just a DSL modem, because I don't see that.

Think about it for a second. Just because you set the combo device to bridge mode doesn't mean it should disappear, from a management perspective! It would be horribly broken if it DIDN'T continue to respond to its management traffic, even while in bridge mode. If it disappeared after setting it to bridge mode, doing so would be a one way street with no way to return, other than possibly doing a full factory reset. Obviously, that's not the case.

Nope, bad assumptions have led you to a bad conclusion.

My own experience lies with cable modems, and as you say, they do this "redirection" fine. It's not exactly redirection, but I know what you mean.

You've switched topics midstream, which is always confusing.

You started this example by mentioning that the router portion of the 4200 is able to forward all ports to a second (standalone) router, which only applies to new connections coming from the WAN side, going to the LAN side. (Return traffic needs no port forwarding.) That's not unusual or amazing behavior, as I pointed out. It's the exact equivalent of putting one LAN-connected PC in the router's DMZ, if you'll allow me to use Linksys terms.

But now you've turned things around, talking about traffic going from the LAN side to the WAN side, destined for the DSL modem/router. That has nothing to do with the port forwarding mentioned earlier.

Reply to
Char Jackson

No matter how badly written you may think Skype is, my guess is that it's much (MUCH!) worse than you think, if this presentation is to be believed.

Reply to
Char Jackson

Not exactly a conflict, but a simple routing problem. Let's say your modem's LAN interface is 192.168.1.254 (/24), as you suggested above. Now you connect a router to the modem's LAN interface, and you configure the router's LAN interface to be 192.168.1.1 (/24). Both devices are using the 192.168.1.x/24 subnet.

Given that scenario, there are no addressing conflicts, but you won't be able to reach the LAN interface of the modem because there's a router between you and the modem. You fire off a packet to 192.168.1.254 and your PC's network stack checks its netmask, determines that the target IP address is within that netmask, so it uses ARP to translate the IP address to a MAC address. Well, it doesn't get a reply since ARP doesn't pass through a router. Ergo, no communication from the PC to the modem. The fix, as you stumbled upon, is to use a different subnet (or at least a more restrictive subnet mask).
Reply to
Char Jackson

Not applicable/relevant. The problem isn't that the same IP address might be assigned twice. The problem is that there's a router in between these two same-numbered networks. Can't do that. See my more detailed reply to miso.

My understanding is that different subnets are required for a different reason, not to avoid IP address duplication. If both ends of a VPN are using the same subnet, how would the VPN endpoint know that traffic should be passed through the tunnel?

Reply to
Char Jackson

I remember the good old days when the phone company did the telephone wiring.

Christopher A. Young Learn more about Jesus


Yeah, but I brought this up because the modem kind of looks like a one port router and you need to be aware of its address so there are no conflicts when you attach your router. [I think Jeff cringes when I say one port router, but I don't know what else to call it.]

Maybe the idea is if you just had a switch after the modem rather than a wifi router, you would need some management features in the modem. In my case, I DMZ the modem to the router, and then do all management from the router.

Reply to
Stormin Mormon

Back when I had dialup internet, I got an offer for trial of cable internet. I really love it. Much faster.

Christopher A. Young Learn more about Jesus


Reply to
Stormin Mormon

Thanks for the info. I had no idea; I'll look into it.

Reply to
Wilbur Eleven

I've been fighting that problem with VPN's since they were invented. What a VPN does is assign a block of IP addresses, that belong to the other end of the VPN tunnel, to the local network. For example:

Remote Network = 192.168.222.xxx
Local Network = 192.168.111.xxx

The remote VPN router is configured to deliver a block of addresses to be used by VPN callers. Let's say that:

Remote Network VPN address pool = 192.168.222.50 -> 99
Remote Network DHCP pool = 192.168.222.100 -> .253

When I connect via the VPN tunnel, my computah will have two IP addresses assigned to it. One is something like 192.168.111.xxx, which is used to talk to machines on the local network. The other is an address from the remote VPN address pool, something like 192.168.222.55. This works well and there are no duplicated IP's.

However, let's pretend for a moment that the Class C networks on both ends are the same. Both systems use the 192.168.111.xxx address block. The local DHCP server has no knowledge of the remote VPN pool. It assigns addresses based on NOT being able to ping addresses. Since it can't ping anything on the remote end until AFTER the VPN tunnel has been successfully established, there's a very real chance that the local DHCP server will dispense IP addresses that are currently in use at the remote end.

I've seen it happen and it sucks. The worst case is duplication of the router IP address. If both routers have the same IP address, there are several surprises. The most obvious is that the default gateway is now duplicated on two devices. Outgoing packets don't know whether to hit the internet via the local router or the remote router. It's not unusual to connect to a remote VPN, and then have all that computer's internet traffic go out to the internet via the remote router, which is usually quite slow. Another problem is the inability to administer both routers. When I set up a VPN, I have to have access to both routers. If they both have the same IP address on the VPN, that's not going to happen.

For a while, I was administering a remote VPN that was on 192.168.111.xxx, which was the same as my office LAN (because their admin didn't have a clue and just cloned my setup). When I connected, I could not see their NAS box. That's because my office network printer was on the same IP as their NAS box.

Some VPN implementations take all this into consideration and make an effort to at least prevent gateway IP duplication. In effect, it hides the remote router, making unwanted outgoing traffic impossible, but also blocks remote admin. Sonicwall does this quite well. Linksys and Netgear do not.

Reply to
Jeff Liebermann

Look again. The 4100 and 4200 both have a single ethernet port with no 4 port switch.

I think the basic disagreement is whether a device that does NAT to a single IP address, and to a single ethernet port, should be considered a router. By definition, a router glues two networks together. On one side, we have the entire internet via the DSL port. On the other side, we have a single machine with a single IP address with all 65,000 IP ports going to this single IP address. Whether to consider a single machine to be a network seems a bit dubious, but lacking any other suitable definition, I guess we now have a one machine network. It's certainly not a bridge as it's working on ISO layer 3 (IP) and not layer 2 (MAC) used in bridging.

I'm sure it's the modem doing the redirection. That's because I've tried configuring various modems at various locations through the router. Some modems work, while others do not. I can change modems around, and the ones that work follow the modem, not the router. I can change routers on a setup that works, and there's no effect.

Yep. It seems to have been introduced somewhere in the Cablelabs specs. I haven't bothered digging in there for the details. The problem is that I don't know what to call it. "Management IP redirection" is the best I can invent.

Yep. Guilty. Sorry(tm).

No, I said that the DSL modem section is doing the redirection. Redirection still works in the bridge mode, which disables the NAT and therefore the router section. Therefore, it must be the DSL modem section doing the redirection.

I think we're both in agreement that the Linksys DMZ is not a real DMZ firewall with its bastion host and inside firewall.

Yep, that's exactly what I'm talking about. This is NOT about a DMZ, where INCOMING traffic is directed to a specific IP address. This is about OUTGOING traffic, being sniffed for anything with a destination IP address pointing to the management IP address of the DSL modem, and getting redirected to the internal management web server. Please forget about DMZ as it only has relevance for INCOMING traffic, while this redirection is all about OUTGOING.

Reply to
Jeff Liebermann

One more, for hacking the 4100/4200:

Ugh... he calls it a router. Grumble.

Reply to
Jeff Liebermann

I think you're missing what I'm saying. It's trivial to adjust the DHCP scope so that DHCP collisions are completely avoided. Many times, it's also easy to ensure that static assignments, including the gateway, are not duplicated. Given all of that, my point is that I still don't think it will work because the VPN endpoint won't know that it should send traffic through the tunnel if both ends of the tunnel are on the same subnet.

Have you tried that? I don't have the resources at the moment, but I don't think it will work.

Reply to
Char Jackson
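
The on-link decision described earlier in the thread (netmask check, then ARP or gateway) and the same-subnet VPN question, modelled as an added example that is not part of any poster's message. It assumes a routed gateway-to-gateway tunnel that only sees traffic the host hands to its default gateway; the function names and the host addresses marked "constructed" are illustrative.

```python
import ipaddress

def host_next_hop(iface, gateway, dst):
    """Mimic a host IP stack: destinations inside the interface's own
    netmask are resolved with ARP, everything else goes to the gateway."""
    iface = ipaddress.ip_interface(iface)
    if ipaddress.ip_address(dst) in iface.network:
        return ("arp", dst)
    return ("gateway", gateway)

def trace(pc_iface, gateway, lan_neighbors, dst):
    """ARP only gets an answer from devices on the PC's own segment
    (lan_neighbors); it is never relayed through a router."""
    how, target = host_next_hop(pc_iface, gateway, dst)
    if how == "arp":
        return "delivered on LAN" if target in lan_neighbors else "ARP timeout"
    return "forwarded by " + target

def vpn_trace(pc_iface, gateway, lan_neighbors, remote_net, dst):
    """Assumed model: the gateway is the VPN endpoint and tunnels only
    packets that actually reach it and fall inside remote_net."""
    result = trace(pc_iface, gateway, lan_neighbors, dst)
    in_remote = ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net)
    if result.startswith("forwarded") and in_remote:
        return "sent through tunnel"
    return result

MODEM = "192.168.1.254"  # modem LAN address from the thread

def modem_cases():
    return {
        # Router LAN 192.168.1.1/24, same subnet as the modem.
        # PC address .50 is constructed.
        "same /24": trace("192.168.1.50/24", "192.168.1.1",
                          {"192.168.1.1"}, MODEM),
        # Fix 1: router LAN moved to a different subnet (constructed).
        "different subnet": trace("192.168.2.50/24", "192.168.2.1",
                                  {"192.168.2.1"}, MODEM),
        # Fix 2: more restrictive mask, so .254 is no longer on-link.
        "narrower /25": trace("192.168.1.50/25", "192.168.1.1",
                              {"192.168.1.1"}, MODEM),
    }

def vpn_cases():
    # Local LAN 192.168.111.x as in the thread; host numbers constructed:
    # .1 = local router, .30 = local printer.
    lan = {"192.168.111.1", "192.168.111.30"}
    pc, gw = "192.168.111.20/24", "192.168.111.1"
    return {
        # Distinct subnets: remote host .222.10 is off-link.
        "distinct": vpn_trace(pc, gw, lan, "192.168.222.0/24",
                              "192.168.222.10"),
        # Same subnet, remote NAS shares .30 with the local printer.
        "clash": vpn_trace(pc, gw, lan, "192.168.111.0/24",
                           "192.168.111.30"),
        # Same subnet, remote-only host .40: nobody local answers ARP.
        "remote only": vpn_trace(pc, gw, lan, "192.168.111.0/24",
                                 "192.168.111.40"),
    }

if __name__ == "__main__":
    for name, outcome in {**modem_cases(), **vpn_cases()}.items():
        print(f"{name:18} -> {outcome}")
```

In both same-subnet cases the packet never reaches the router at all, so neither the modem's management page nor the tunnel is ever in the path.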

Agreed, in your photo there's a single Ethernet port, but in the 4200 User Guide you linked earlier, there are multiple references to "Ethernet Ports (1-4)", such as on page 7, "With your computer powered off, connect the Ethernet cable to an Ethernet port (1-4) on the Router." Apparently, someone at Speedstream is confused or there are multiple hardware versions, or...?

I admit, I'm completely baffled by your confusion. Routers don't need to incorporate a switch in order for them to be a router. Heck, a router really only needs a single Ethernet connection, which can be shared WAN/LAN. (Think "router on a stick".) The lack of an included switch, if true, takes nothing away from the router section.

Some clues, taken from the 4200 User Guide:

  1. Speedstream always refers to it as a router, never a modem or bridge.
  2. Firewall
  3. NAT/NAPT
  4. Stateful Inspection Firewall
  5. Attack protection, Firewall Security
  6. DMZ
  7. Port Forwarding
  8. Session Tracking
  9. Content filtering
  10. Internet address filtering/blocking
  11. Has settings for IP, netmask, and default gateway
  12. Includes a DHCP server and DNS forwarder
  13. Static routes can be configured
  14. RIP 1/2 (Routing Information Protocol)
  15. Port Forwarding
  16. DynDNS
  17. Time Client
  18. Has a routing table (static & dynamic routes).

Those things are from a quick skim through the 4200 User Guide. Note that all of those items are typically found in routers, and none of those items are typically found in bridges. I'm unable to explain why you missed the presence of the router.

If you've ever held a 4200 in your hands, you were holding a combo DSL modem and router, and according to the User Guide it also had a 4-port switch, however that detail seems to be in question and not supported by the picture you found.

Redirection? Is this the upstream thing again? I thought we were done with that. I'm much more interested in the downstream direction, where you seemed surprised about the capability to forward all ports to a single IP, i.e., what Linksys calls DMZ. Typical router stuff.

Anyway, I don't quite know what to make of the paragraph above. You refer to modems and routers, but with the confusion regarding the 4200 I don't know which terms to trust. Do you typically add a second router to the mix when you deal with 4200's? Do you refer to the 4200 as a modem, and when you say router you mean a second router attached to the LAN side of the 4200?

I'm talking about the downstream direction. You keep changing the topic to the upstream direction. Focus, please.

Totally agree, but Linksys put the term into common (mis)usage, so no matter how wrong it is, it's out there.

I'm much more interested in the downstream direction, where the 4200's router makes its presence known. The upstream direction is mundane and uninteresting.

Reply to
Char Jackson

So does Speedstream.

Linksys calls the WRT54G a router, too, but it's a router, a bridge, a switch, and an access point, among other things. I guess you gotta call it something, so you let the marketing department loose on it and see what they come up with.

Reply to
Char Jackson

A multifunction Ethernet network appliance? ^_^

TDD

Reply to
The Daring Dufas

Perhaps for small networks it's trivial. This was a series of four medical offices which merged. I was part of the effort to standardize the apps and network. Including remote users and VPN users, there were about 200 machines, which was barely enough to be accommodated by a single Class C IP block. Instead, we renumbered the networks of each remote office to avoid duplication problems. It was not particularly complicated, but it was time consuming and required a rehearsal.

For a typical home user, this problem is not even an issue. The IT department of wherever they're trying to VPN to takes care of the issues. In most cases, they simply force ALL traffic from the connecting client machine to go through the tunnel. This disconnects the user from his own LAN, and forces plenty of wasted traffic going through the VPN, but is the safest and most secure method. One could even have duplicated gateway IP's and it would still work. Too bad local network printers won't print, but there are workarounds (i.e. USB printing).

Sure. Let's try a bit of math. I have about 15 customer sites that run a VPN of some manner. Each site consumes about 10 static IP's, 10 dynamic IP's, and needs a VPN IP pool of perhaps 20 IP's. That's 40 IP's per site. If all these sites subscribed to the consumer brand of VPN router, which defaults to 192.168.1.xxx, I would need 15*40=600 unique IP addresses to avoid duplication. Obviously, this is not going to fit in a single Class C IP block, which allows only 256 addresses. I can widen the netmask to perhaps /22 for 1024 addresses, but many cheap routers don't work well with more than 256 IP's. Obviously, not all 15 customer sites need a tunnel between them, so this estimate is worst case. Still, it does illustrate why I have a simple rule for assigning IP blocks for remote sites with VPN's. I pick a random IP block starting with 192.168.[3-254].xxx. I avoid building networks using 192.168.[0-2].xxx as these are where the typical home routers are located.

Incidentally, since I started doing this perhaps 10 years ago, I haven't had many address conflict problems. I've also fixed a few small networks that were having weird call in problems by renumbering the office LAN so that the home users can use whatever IP block their router manufacturer finds fashionable.

Agreed. I think I stated that when I mentioned the problem of duplicated gateway (default route) IP addresses.

Of course. Many times with many variations on weirdness and failure depending on flavor (PPTP or IPSec), hardware, firmware, client software, and versions. I have the resources, but I'm lazy/busy and don't want to do anything more while waiting for the world's slowest backup to finish (USB 1.1).

This is interesting but I think we're way off the original question and subject, whatever they might be.

Reply to
Jeff Liebermann

I thought the discussion involved dueling routers. ^_^

TDD

Reply to
The Daring Dufas

Egads. Y'er right. However, that's all wrong as the photo on the same page only shows the back of the 4100/4200 with a single ethernet port.

What? Me confused? I never said that a switch was required. I merely stated that the 4100/4200 does NOT have a built in 4 port switch as you claimed. It does have one ethernet port, which doesn't require a switch (or hub) to work.

Because they've been disabled by AT&T and other vendors. I posted the page at:

because that's what I've been using to attempt to recover features that were disabled. For example, I can't telnet into the modem. SNMP doesn't work. From the manual, it appears that it can become a proper ethernet router, if the necessary features weren't turned off.

This is what the AT&T version looks like:

Note the lack of router-like menus.

This is what the non-AT&T version looks like:

The firewall/DMZ features are missing in the AT&T version. I'm discussing what can be done with the AT&T version.

I have one 4200 and five 4100 DSL modems scattered around the office, car, and house. All have only one ethernet port. I've never seen one with 4 ports in back. I searched with Google images and couldn't find one with 4 ports.

Sigh. Ok, we're done with outgoing redirection. All I said about incoming is that the 4100/4200 sends all ports to a single IP address. No magic (as in the outgoing redirection).

Neither do I. If the AT&T mutation of the 4100 had all the router features mentioned in the docs, I would certainly call it a router. As it stands, it has all the important router features disabled, leaving only the one port "router". I'm undecided as to whether routing the entire internet to a single IP port is really routing.

Yep. That's the recommended AT&T method, double NAT and all. It works because all the IP ports are sent to the 2nd router's WAN IP.

Me? I usually set up the 4100/4200 (and others) for bridging. For AT&T, the PPPoE login is in the router, not the DSL modem (as AT&T recommends). This is not officially correct or default method, but it has given me less grief than any other method. Since the 4100/4200 is now a bridge, I tend to call it a DSL modem. If I wanted to be exact, it's a DSL to ethernet bridge.

In my rant that started this umm.... discussion, I mentioned how it works for incoming traffic in exactly one sentence. Everything I've been talking about has been about the outgoing redirection of the management IP address.

Huh? What does "makes its presence known" mean? I seem to have missed something here.

Reply to
Jeff Liebermann

Thanks. That's awful, but understandable. They want to be sure you don't clone the protocol with another application, or use the Skype client on a non-Skype system. I just wished they didn't have to destroy the code quality in order to accomplish this. No clue if Microsloth can clean up the mess. Hopefully yes, because I like and use Skype, despite the glitches.

Reply to
Jeff Liebermann

Maybe DMZ Host, as mentioned in the wiki, is the better term.

My recollection of the Vietnam war is the DMZ wasn't so DMZd.

Reply to
miso
