Archive for the ‘FiOS’ Category

FiOS, d-link, and firewalling

Wednesday, October 19th, 2005

I already mentioned that I want access to my Linux server from the network. Verizon’s d-link - still in my network, but not forever - is set up to prevent this. Verizon assumes you have a standard PC, so they preconfigure the d-link to firewall any incoming connections.

That’s not my situation, I have a Linux server with extensive firewalling and more than a few services running on it. I want all the network traffic coming to MY firewall, please, not Verizon’s.

The solution - partial as usual - is the “DMZ” setting. In the d-link configuration you can set a “DMZ” host, which gets most of the traffic the d-link sees forwarded to it. Specifically it seems to forward TCP and UDP traffic, which is a big step. But it’s still intercepting ICMP - so any Ping or traceroute traffic goes to d-link, not Linux. Yet another reason to disable the d-link.

FiOS and d-link, part II

Tuesday, October 18th, 2005

The embedded web server on the VZ FiOS d-link box sucks. That’s all there is to it. I’m polling it every 10 minutes to check the IP address, and it consistently locks up in less than an hour. Every. Single. Time.

The only way to reset the Web server, that I’ve found, is to power-cycle the box. This has a nice symmetry, because power-cycling the d-link gets you a new PPPoE tunnel which gets you a new IP address. But it’s unacceptable that VZ can change my public IP address when the d-link web server is locked up, and I won’t know it.

At least it’s only the web server that locks up, the d-link keeps forwarding packets.

So what are the choices?
1. Restart the d-link every hour - impractical :-)
2. Rewrite script to use http://dynamic.zoneedit.com/checkip.html - works, but not very elegant
3. Turn off the d-link and bring the PPPoE tunnel all the way to my Linux box

Stay tuned.

FiOS and d-link “broadband router”

Monday, October 17th, 2005

VZ installed a d-link DI-604 “Broadband router” in between my home network and the ONT on the side of the house. The d-link’s job is setting up the PPPoE connection back to Verizon, NAT, and firewalling. Verizon uses dynamic IP addressing for public IP addresses, and rumour has it that they reassign IP addresses frequently - but the d-link hides these changes.

(Apparently there are some specialized diagnostic tests the d-link knows how to run as well. It appears to be running a custom firmware load, with a version number that doesn’t appear on d-link’s support site. And when I tried to upgrade its firmware, the d-link rejected the new version.)

I want to know my public IP address so I can access my home computer from work or other places. (I use zoneedit.com to maintain an Internet-visible domain name.) The d-link makes this hard! I have used ddclient for this job in the past - basically it connects to the embedded web server on the d-link (or similar devices), and scrapes the IP address out of the web pages. (We used to use this kludge to interface then-modern computers to IBM mainframes - I guess old kludges never die.)

Unfortunately, ddclient only understands “basic” HTTP authentication, and the d-link wants “digest” authentication. (Basic is pretty insecure, and Digest uses MD5 hashes which are much better. But all of this is already hidden behind the d-link’s own firewall, so who cares?) In fact, d-link is very picky about its digest authentication - it would talk to Firefox and curl, but not lynx, links, or wget, all of which support digest authentication.
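What each scheme actually puts on the wire, as an added example that is not part of the original post. It uses the sample values from RFC 2617 (not the d-link's realm or nonce), and the function names are hypothetical.

```bash
#!/bin/sh
# Added illustration: Basic vs Digest (qop=auth) as sent by the client.
# Sample values are the RFC 2617 example, not anything read from the d-link.

md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Basic: the header value is just base64("user:password").
basic_header() { printf '%s' "$1:$2" | base64; }

# Anyone who captures a Basic header gets the password back by decoding it.
basic_recover() { printf '%s' "$1" | base64 -d; }

# Digest: only an MD5 hash bound to the server's nonce is sent.
# usage: digest_response user realm password method uri nonce nc cnonce
digest_response() {
    ha1=$(md5_hex "$1:$2:$3")      # secret part: user, realm, password
    ha2=$(md5_hex "$4:$5")         # request part: method and URI
    md5_hex "$ha1:$6:$7:$8:auth:$ha2"
}

user='Mufasa'; pass='Circle Of Life'; realm='testrealm@host.com'
nonce='dcd98b7102dd2f0e8b11d0f600bfb0c093'

hdr=$(basic_header "$user" "$pass")
echo "Basic header value    : $hdr"
echo "Decoded from a capture: $(basic_recover "$hdr")"
echo "Digest response       : $(digest_response "$user" "$realm" "$pass" \
    GET /dir/index.html "$nonce" 00000001 0a4f113b)"
# Same credentials, different server nonce: the response changes, so a
# captured response does not answer a fresh challenge.
echo "Digest, new nonce     : $(digest_response "$user" "$realm" "$pass" \
    GET /dir/index.html 0123456789abcdef 00000001 0a4f113b)"
```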

So here’s the snippet that works - for a while:

# Fetch the d-link status page and print the third line that starts with an IP address
curl -f -s --digest --connect-timeout 10 --interface eth0 -u admin:password http://192.168.0.1/st_devic.html |
egrep '^[0-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]' |
head -n 3 | tail -n 1 | tr -d '[:space:]'

But see the next entry.
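The pipeline above prints nothing when curl times out, so a locked-up web server looks the same as "no news". The following added example (not from the original post) separates "address unchanged", "address changed" and "poll failed". The page layout in the sample is constructed, since the real st_devic.html is not shown here, and the function names are hypothetical.

```bash
#!/bin/sh
# Added illustration: classify one poll of the router status page.

# Read a status page on stdin; print the third dotted quad that starts a
# line (same position the original pipeline uses). Fail if it is missing
# or has an octet above 255.
extract_wan_ip() {
    ip=$(grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n '3p')
    [ -n "$ip" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# usage: <page on stdin> | classify_poll LAST_KNOWN_IP
# prints: "unchanged", "changed <new-ip>", or "failed"
classify_poll() {
    if new=$(extract_wan_ip); then
        if [ "$new" = "$1" ]; then
            echo "unchanged"
        else
            echo "changed $new"
        fi
    else
        echo "failed"   # empty or unparsable page: alert instead of staying silent
    fi
}

# Constructed sample page; 203.0.113.7 stands in for the public address.
page='<html><body>
192.168.0.1
255.255.255.0
203.0.113.7
</body></html>'

printf '%s\n' "$page" | classify_poll 203.0.113.7    # unchanged
printf '%s\n' "$page" | classify_poll 198.51.100.9   # changed 203.0.113.7
printf '' | classify_poll 203.0.113.7                # failed (curl gave nothing)
```

In real use the curl command from the post would feed classify_poll in place of the sample page.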

FiOS speed tuning

Sunday, October 16th, 2005

The VZ tech who installed my FiOS had his own procedures for speed-testing and speed-tuning; according to him, the sites that VZ runs for the purpose give terrible results, so none of the service techs use them. (They’re still targeted at DSL, not FiOS speeds.)

He recommended Speakeasy.net’s speed test - Speakeasy has done a very nice job as usual, too bad I can’t get FiOS speeds (and prices) from them - and also http://miranda.ctd.anl.gov:7123/ for more repeatable numbers. My Linux box showed near 15M downloads and 1.8M uploads right off the bat, not bad for a 15M/2M service.

The web site he used for tuning Windows downloaded an app that set a bunch of Registry settings. This worked fine (IBM Thinkpad T42, Windows XP) - and anyway if it blew up, my work IT guy would have to fix it! So I didn’t save this URL.

The Apple iBook was a little out of his league, however. He had a CD-R with a collection of tools, one of which was an ethernet driver update, which he thought would do the trick. Only problem is that my iBook already had a newer Ethernet driver! So I let him leave at this point, and did my own research. I’ll post the iBook settings later.

FiOS, part 1

Saturday, October 15th, 2005

Got my Verizon FiOS service about a week ago. I’m going to keep track of technical notes on it here, there’s not enough information out there about FiOS service yet.

The install itself was unremarkable. A service tech came ~3 days before the actual install, to run fiber to my house and mount the ONT (Optical Network Terminal). The ONT has 6 ports on it: 1 RJ45 for data, 4 RJ11 for phone, and Video. The tech also removed the old copper wires from the side of my house (they weren’t hooked up to anything, my phone is from RCN).

The installer came at 10AM on the scheduled day. Verizon tells you to plan for 4-5 hours, I figured my install would be 2 hours max because everything was very simple: it’s easy to get to the power and existing network just inside the house from the ONT.

Well, I was wrong. In the end the install took 5 1/2 hours - not because anything went wrong, but because the tech just took his time, and his lunch break, and several other breaks. He widened an existing hole in the sill of the house, and ran Cat 5 ethernet in from the ONT. He installed a battery backup unit & power out to the ONT from inside the house. And he hooked up a d-link DI-604 to the cat 5. We tested it out, ran some speed tests, and that was it.

More later.