[CLUE-Tech] After DSL upgrade - some weird problems

David Anselmi anselmi at anselmi.us
Sun May 23 11:56:32 MDT 2004


Paul wrote:
> Actually, that should not depend on your ISP.  It should depend on the 
> router.  Your machine would resolve the hostname to an external IP, so 
> it would send it to your router.  The router *should* see that the IP is 
> on its external interface, and send it to there.  So it should never go 
> to the ISP's router.

Ok, I agree with you -- except that isn't what happens.  My router 
doesn't have a route for its external IP so if it made a routing 
decision it would pick the default gateway (the WAN interface).  Why 
does it need to make a routing decision?  The dest IP is on the router, 
the packet should be sent there as you say.

But when I traceroute the first hop is the router's eth0 (inside 
interface).  The second is a router at Qwest.  The third doesn't answer 
(odd now that I think about it).  Well, using ICMP rather than UDP does 
answer but the last hop shows up twice.

So this does depend on my ISP getting traffic from me to me and being 
willing to turn it around at their router.

If I add a route to the modem that says my external IP is reached on 
eth0 (rather than wan0) things break.  My hypothesis is that in that 
case the packets aren't DNAT'd.

There is more going on than I can explain, clearly.

> However, most routers have an "anti-spoofing" rule to prevent IPs coming 
> from the internal LAN from going to the external interface.  Some do not.

What most routers?  It seems that my Cisco 678 doesn't (I would guess 
the same for other "SOHO" DSL routers).  Are you saying this is 
automatic or something they can be configured to do?

What do you mean by anti-spoofing?  You seem to be saying "drop packets 
with dest IP equal to my external IP unless they come in on my external 
interface".  Do people really do that?  It seems silly (I can't telnet 
to my external interface from my internal network).

OTOH, I know people do egress filtering (drop traffic coming in an 
internal interface if the source IP doesn't match an internal network). 
And what I would call anti-spoofing is "drop traffic coming in an 
external interface if the source IP (not dest) matches an internal network".

I could be mixing things up though so please explain.

Thanks!
Dave
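The three rules the thread is juggling (egress filtering, source-address anti-spoofing, and the "drop inside traffic addressed to my own WAN IP" reading of Paul's remark) are easy to confuse in prose, so here is a small model of them as a packet filter, followed by the forwarding decision Dave describes for a router with no route for its own external address. This is an added example for illustration, not code from the list or a Cisco 678 configuration; the addresses (192.168.1.0/24 inside, 203.0.113.10 as the WAN address), the interface names eth0/wan0, and the rule ordering are constructed assumptions.

```python
"""Toy packet filter modelling the rules discussed in the thread.

Constructed example: addresses, interface names and the rule set are
assumptions for illustration, not a real router's configuration.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")      # constructed WAN address
INSIDE, OUTSIDE = "eth0", "wan0"                        # assumed interface names


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str


def egress_filter(pkt: Packet) -> bool:
    """Egress filtering as Dave defines it: traffic arriving on the inside
    interface whose source address is not in the internal network."""
    return pkt.in_iface == INSIDE and ipaddress.ip_address(pkt.src) not in INTERNAL_NET


def ingress_antispoof(pkt: Packet) -> bool:
    """Anti-spoofing as Dave defines it: traffic arriving on the outside
    interface that claims an internal *source* address."""
    return pkt.in_iface == OUTSIDE and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def block_inside_to_wan_ip(pkt: Packet) -> bool:
    """The reading of Paul's remark Dave calls silly: inside traffic whose
    *destination* is the router's own external address."""
    return pkt.in_iface == INSIDE and ipaddress.ip_address(pkt.dst) == EXTERNAL_IP


def filter_packet(pkt: Packet, block_hairpin: bool = False) -> tuple[str, str]:
    """Return (verdict, matched rule). Rules are checked in order; first match wins.
    block_hairpin=True adds the destination-based rule so its side effect
    (inside hosts cannot reach the WAN IP at all) is visible."""
    rules = [("egress-filter", egress_filter), ("ingress-antispoof", ingress_antispoof)]
    if block_hairpin:
        rules.append(("inside-to-wan-ip", block_inside_to_wan_ip))
    for name, rule in rules:
        if rule(pkt):
            return "DROP", name
    return "ACCEPT", "default"


def next_hop(dst: str, deliver_to_self: bool = True) -> str:
    """Forwarding decision for an accepted packet, with the routing table Dave
    describes: a connected route for the LAN, a default route out the WAN, and
    no explicit route for the router's own external address.

    deliver_to_self=True is the behaviour Paul expects (the router recognises
    its own address and keeps the packet). deliver_to_self=False models what
    Dave's traceroute showed: the address is treated like any other non-local
    destination and falls through to the default gateway at the ISP."""
    addr = ipaddress.ip_address(dst)
    if deliver_to_self and addr == EXTERNAL_IP:
        return "local"
    if addr in INTERNAL_NET:
        return INSIDE
    return OUTSIDE


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet(INSIDE, "192.168.1.20", "198.51.100.5"),   # normal outbound
        Packet(INSIDE, "10.0.0.5", "198.51.100.5"),        # wrong source on LAN
        Packet(OUTSIDE, "192.168.1.20", "192.168.1.50"),   # spoofed internal source
        Packet(INSIDE, "192.168.1.20", str(EXTERNAL_IP)),  # LAN host -> own WAN IP
    ]
    for pkt in samples:
        print(pkt, filter_packet(pkt), filter_packet(pkt, block_hairpin=True))
    print("expected path:", next_hop(str(EXTERNAL_IP)))
    print("observed path:", next_hop(str(EXTERNAL_IP), deliver_to_self=False))
```

Running it prints the verdict for each constructed packet under both rule sets; the last packet is the one Dave's traceroute exercised, and it shows why the destination-based rule is not what people usually mean by anti-spoofing: it blocks legitimate inside-to-WAN-IP traffic while doing nothing about forged source addresses arriving from outside.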


