Dragonfly network changes - U-Verse almost a complete failure
Matthew Dillon
dillon at apollo.backplane.com
Sun Feb 20 13:07:51 PST 2011
Hahaha... ok, well, I spoke too soon. U-Verse is a piece of crap.
That's my conclusion. Here's some detail:
* The physical infrastructure is fine, as long as you make sure
there's no packet loss. To make sure you have to upload and
download continuously at the same time and look for glitching
and stalls.
* The AT&T iNID/RG router is a piece of crap, and it's impossible
to replace it with anything else because it also takes the VDSL2
from the street.
The iNID/RG router basically has a fully stateful firewall in it
WHICH CANNOT BE TURNED OFF for either static or dynamic IPs. There
are lots of instructions on how to setup static IP and how to 'open'
the firewall to let everything through.
All lies. No matter what you do, the firewall's stateful tracking is
turned on even for your static block. It tries to track every single
'connection' running through it even when the Firewall has been turned
'off' in the config. Worse, it is buggy as hell. It drops connections
(as in sends a TCP RESET!!! to either my end or the remote end)
ALL THE TIME. It loses packets. It drops critical ICMP packets and
gets confused about normal ICMP packets. It gets confused when lots of
connections are opened all at once (for example, running a simple iPAD
video app such as CrunchyRoll)... or running an actual business with
servers. It can't handle third-party NATs...
It can BARELY handle its own NAT but even its own wireless/NAT
(bypassing all my stuff and tying my iPAD directly into the iNID/RG
over the RG's wireless) drops connections noticeably.
On top of that the uverse router/firewall uses MAC-based security and
only allows one IP assignment per MAC. This means that your 'network'
cannot be routed, it can only be bridged, and you can't mix private and
public IPs on the same MAC (which is a very common setup). If the
uverse router/firewall gets packets from the same IP but different MACs,
it blows up... it drops connections, it refuses to route packets, it
gets confused.
I spent a long time with PF and if_bridge and 'fixed' the MAC issue with
filters, and verified that only the correct MACs were getting through,
but I *STILL* get connection drops for no reason.
--
Ok, so what does work? Drilling a PPTP through to a provider works.
That is what I finally did. I drilled PPTP through the U-Verse to my
old provider, so my *original* IP block from my old ISP (who I still
have the DSL line with as a backup) is now running through U-Verse.
Let me repeat that... running my iPAD test through my own NAT and
wireless network through the PPTP link to bypass the U-Verse router
crap and to my old provider, who has LESS bandwidth than the U-Verse
link I'm drilling through, works BETTER than running the iPAD test
directly on U-Verse through the U-Verse iNID/RG/wireless (bypassing
all my own gear).
That's it. That's all that works. Even if you were to get a normal
u-verse link with dynamic IP and no static IP you are still SEVERELY
restricted in what you can do. Your own NAT servers will simply not work
well. You would HAVE to use AT&T's NAT & RG/wireless. You would HAVE
to be on a simple bridged network with no other firewall beyond the
AT&T iNID/RG. You would HAVE to have just one IP assignment for each
machine.
In other words, the simplest of network configurations will work.
Nothing else will work very well.
--
It isn't ideal, my old ISP can't push 2 MBytes/sec downlink to me through
the PPTP link. But neither does it drop connections. And my uplink
speed is still good which is the main thing I care about for the DragonFly
network.
I'm going to stick with the U-Verse so I can get rid of the much
costlier COMCAST. However, I am going to cancel the static IP block
and stick with drilling the PPTP through to my old ISP (which I'm
keeping for the backup DSL line anyway).
Sigh. You'd think AT&T would be smart enough to do this properly, but
after 5 years of trying they are still clueless about IP networks. Maybe
in another year or two they will fix their stuff. Or not.
-Matt
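The post describes a gateway that tears down connections by sending TCP RESETs to one end or the other. A common way to confirm that a RST came from a middlebox rather than the peer is to compare its IP TTL with the TTL the same peer used earlier in the flow: a host's TTL is stable for the life of a connection, so a RST arriving with a different hop count was almost certainly generated somewhere in between. The script below is an added example, not part of the original post and not DragonFly code; it reads a small constructed log in a simplified one-line-per-packet format (not tcpdump's actual output), uses TEST-NET addresses, and treats the TTL mismatch as a heuristic signal only.

```python
"""Flag TCP RSTs whose IP TTL does not match the TTL previously observed
from the same endpoint in that flow.

Heuristic: a RST that claims to come from a peer 12 hops away but arrives
with a TTL one hop below the local default (e.g. 63) was most likely
injected by a device close to the local end, such as a CPE gateway.
The log format and all sample lines are constructed for this example."""

from collections import namedtuple

# One parsed packet: timestamp, "ip:port" source/destination, TCP flag
# letters (S, A, P, R, F) and the IP TTL.
Pkt = namedtuple("Pkt", "ts src dst flags ttl")

# Constructed sample (simplified format: <ts> <src> > <dst> <flags> ttl=<n>).
# Flow 1: remote answers with TTL 52 throughout, then a RST shows up
#         "from" the remote with TTL 63 -> suspicious.
# Flow 2: remote closes with RST at its usual TTL 52 -> legitimate.
SAMPLE_LOG = """\
0.000 10.0.0.2:51234 > 203.0.113.10:80 S ttl=64
0.020 203.0.113.10:80 > 10.0.0.2:51234 SA ttl=52
0.021 10.0.0.2:51234 > 203.0.113.10:80 A ttl=64
0.030 10.0.0.2:51234 > 203.0.113.10:80 PA ttl=64
0.055 203.0.113.10:80 > 10.0.0.2:51234 PA ttl=52
0.056 203.0.113.10:80 > 10.0.0.2:51234 R ttl=63
1.000 10.0.0.2:51300 > 203.0.113.10:443 S ttl=64
1.020 203.0.113.10:443 > 10.0.0.2:51300 SA ttl=52
1.100 203.0.113.10:443 > 10.0.0.2:51300 RA ttl=52
"""


def parse_line(line):
    """Parse one constructed log line into a Pkt."""
    ts, src, arrow, dst, flags, ttl_field = line.split()
    if arrow != ">" or not ttl_field.startswith("ttl="):
        raise ValueError("unexpected line format: %r" % line)
    return Pkt(float(ts), src, dst, flags, int(ttl_field[4:]))


def parse_log(text):
    """Parse every non-empty line of the log."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def flow_key(src, dst):
    """Direction-independent identifier for a TCP flow."""
    return tuple(sorted((src, dst)))


def find_injected_rsts(packets):
    """Return one finding per RST whose TTL disagrees with the TTL first
    seen from the endpoint it claims to come from."""
    ttl_seen = {}   # (flow, endpoint) -> TTL first observed from endpoint
    findings = []
    for p in packets:
        key = (flow_key(p.src, p.dst), p.src)
        if "R" in p.flags:
            expected = ttl_seen.get(key)
            if expected is not None and expected != p.ttl:
                findings.append({
                    "ts": p.ts,
                    "flow": key[0],
                    "claimed_src": p.src,
                    "expected_ttl": expected,
                    "seen_ttl": p.ttl,
                })
            continue  # never learn a baseline TTL from a RST itself
        ttl_seen.setdefault(key, p.ttl)
    return findings


if __name__ == "__main__":
    for f in find_injected_rsts(parse_log(SAMPLE_LOG)):
        print("t=%.3f flow=%s RST claims src %s: expected ttl %d, saw %d"
              % (f["ts"], f["flow"], f["claimed_src"],
                 f["expected_ttl"], f["seen_ttl"]))
```

A RST seen with the peer's normal TTL (flow 2 above) is not reported, and a RST in a flow with no earlier packets is skipped because there is no baseline to compare against; to use this on real traffic you would feed it the TTL and flags from a capture taken on the LAN side of the gateway, where an injected RST is easiest to tell apart from the peer's own.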