Dragonfly network changes - U-Verse almost a complete failure

Matthew Dillon dillon at apollo.backplane.com
Sun Feb 20 13:07:51 PST 2011


    Hahaha... ok, well, I spoke too soon.  U-Verse is a piece of crap.
    That's my conclusion.  Here's some detail:

	* The physical infrastructure is fine, as long as you make sure
	  there's no packet loss.  To make sure you have to upload and
	  download continuously at the same time and look for glitching
	  and stalls.

	* The AT&T iNID/RG router is a piece of crap, and it's impossible
	  to replace it with anything else because it also takes the VDSL2
	  from the street.

    The iNID/RG router basically has a fully stateful firewall in it
    WHICH CANNOT BE TURNED OFF for either static or dynamic IPs.  There
    are lots of instructions on how to setup static IP and how to 'open'
    the firewall to let everything through.

    All lies.  No matter what you do, the firewall's stateful tracking is
    turned on even for your static block.  It tries to track every single
    'connection' running through it even when the Firewall has been turned
    'off' in the config.  Worse, it is buggy as hell.  It drops connections
    (as in sends a TCP RESET!!! to either my end or the remote end)
    ALL THE TIME.  It loses packets.  It drops critical ICMP packets and
    gets confused about normal ICMP packets.  It gets confused when lots of
    connections are opened all at once (for example, running a simple iPAD
    video app such as CrunchyRoll)... or running an actual business with
    servers.  It can't handle third-party NATs...

    It can BARELY handle its own NAT but even its own wireless/NAT
    (bypassing all my stuff and tying my iPAD directly into the iNID/RG
    over the RG's wireless) drops connections noticeably.

    On top of that the uverse router/firewall uses MAC-based security and
    only allows one IP assignment per MAC.  This means that your 'network'
    cannot be routed, it can only be bridged, and you can't mix private and
    public IPs on the same MAC (which is a very common setup).  If the
    uverse router/firewall gets packets from the same IP but different MACs,
    it blows up... it drops connections, it refuses to route packets, it
    gets confused.

    I spent a long time with PF and if_bridge and 'fixed' the MAC issue with
    filters, and verified that only the correct MACs were getting through,
    but I *STILL* get connection drops for no reason.

    --

    Ok, so what does work?  Drilling a PPTP through to a provider works.
    That is what I finally did.  I drilled PPTP through the U-Verse to my
    old provider, so my *original* IP block from my old ISP (who I still
    have the DSL line with as a backup) is now running through U-Verse.

    Let me repeat that... running my iPAD test through my own NAT and
    wireless network through the PPTP link to bypass the U-Verse router
    crap and to my old provider, who has LESS bandwidth than the U-Verse
    link I'm drilling through, works BETTER than running the iPAD test
    directly on U-Verse through the U-Verse iNID/RG/wireless (bypassing
    all my own gear).

    That's it.  That's all that works.  Even if you were to get a normal
    u-verse link with dynamic IP and no static IP you are still SEVERELY
    restricted in what you can do.  Your own NAT servers will simply not work
    well.  You would HAVE to use AT&T's NAT & RG/wireless.  You would HAVE
    to be on a simple bridged network with no other firewall beyond the
    AT&T iNID/RG.  You would HAVE to have just one IP assignment for each
    machine.

    In otherwords, the simplest of network configurations will work.
    Nothing else will work very well.

    --

    It isn't ideal, my old ISP can't push 2 MBytes/sec downlink to me through
    the PPTP link.  But neither does it drop connections.  And my uplink
    speed is still good which is the main thing I care about for the DragonFly
    network.

    I'm going to stick with the U-Verse so I can get rid of the much
    costlier COMCAST.  However, I am going to cancel the static IP block
    and stick with drilling the PPTP through to my old ISP (which I'm
    keeping for the backup DSL line anyway).

    Sigh.  You'd think AT&T would be smart enough to do this properly, but
    after 5 years of trying they are still clueless about IP networks.  Maybe
    in another year or two they will fix their stuff.  Or not.
  
						-Matt






More information about the Users mailing list