Firewall and Modem are not Friends

lajackson
Community Moderators
Posts: 11460
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

Firewall and Modem are not Friends

#1

Post by lajackson »

We switched providers from DSL to Cable.

I activated the firewall. The speed drops from 25M outside the firewall to 9M inside the firewall.

I can plug my laptop into the modem and get a green light with 25M of speed. The modem WiFi also delivers 25M.

The firewall has an orange light and Church computers on the network get 9M of speed.

Do I need to change the modem settings? Turn off DHCP, reconfigure the LAN IP address?

Edit: It is an Arris DG2470 modem and a Cisco 881W firewall.

Thanks.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall and Modem are not Friends

#2

Post by russellhltn »

If at all possible, I'd replace or configure the modem to be just a modem. Many times ISPs will supply something that's also a router etc. The fact it has WiFi tells me it's this more complex device. There's no point to having a router behind a router.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Firewall and Modem are not Friends

#3

Post by Mikerowaved »

I agree with russellhltn. We are running an 881W and tests show it can pass close to 100Mb up and down. Sometimes ISPs can either help you configure it to be a modem only, or can swap it for a plain DOCSIS 3 modem.

To more directly answer your questions, you need to leave DHCP on, as that's how the 881W gets its WAN address assigned. The LAN address can remain as is. If you haven't already, you'll want to log into your DG2470 and disable the wireless for both bands, as that would provide a path that bypasses the firewall.

Just so we're all on the same page, can you describe how you are checking your speed numbers?

Re: Firewall and Modem are not Friends

#4

Post by russellhltn »

I noticed you were testing using church computers and not your laptop. I'd suggest running a test with just your laptop connected to the church firewall. Nothing else.

Re: Firewall and Modem are not Friends

#5

Post by lajackson »

Mikerowaved wrote: I agree with russellhltn. We are running an 881W and tests show it can pass close to 100Mb up and down. Sometimes ISPs can either help you configure it to be a modem only, or can swap it for a plain DOCSIS 3 modem.

To more directly answer your questions, you need to leave DHCP on, as that's how the 881W gets its WAN address assigned. The LAN address can remain as is. If you haven't already, you'll want to log into your DG2470 and disable the wireless for both bands, as that would provide a path that bypasses the firewall.

Just so we're all on the same page, can you describe how you are checking your speed numbers?

With my Android phone, I logged into the modem WiFi and used the Speedtest app by Ookla to get 27/4. I did this on both WiFi bands. Before I left, I disabled both of them.

Using my laptop, I plugged into the modem and used the Speakeasy.net site to get 27/4.

Using my laptop, I plugged into the back of the Cisco 881W router and used the Speakeasy.net site to get 8/3. Nothing else was connected to the Cisco router at the time.

Using a Family History Center computer, I used the Speakeasy.net site to get 9/3.

For a while, there was no Internet access at all through the Cisco router. That's why I think the cable modem is conflicting with the Cisco router.

There are WAN and LAN area settings in the modem. I have left the WAN settings alone.

In the LAN IP area of the modem, there is a DHCP Server Enable box that is checked. Should I uncheck it? Is the modem trying to provide internal 192.168.n.n network addresses and conflicting with the router trying to provide 10.n.n.n addresses? Or is that what is providing the Cisco router its IP address for the WAN, as you suggested?

There is also in the modem a DNS override box that is not checked, probably meaning that the cable modem is trying to use the DNS settings listed there. I thought of checking the box and entering the Church-required DNS settings, since I figured this could also be a cause of the equipment conflict.

But before I do, I agree that I would rather try to configure the cable modem to just be a modem.

Thanks for your help so far. Moving from the world of 100k, it is refreshing to get 8M even when everything is not working right.

Additional note: When I plugged my laptop into the back of the cable modem, I always got a green light. When I plugged the Cisco router into the back of the cable modem, I always got a flashing amber light. I am headed out to the Internet now to gather up some cable modem information.
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

Re: Firewall and Modem are not Friends

#6

Post by harddrive »

lajackson, it almost sounds like you have a port speed issue on the router. You can find out what speed the router is getting when you go into TM.LDS.ORG, select the router, go into console, and run the following command: show interface fastethernet4. You will see the following return below.

FastEthernet4 is up, line protocol is up
  Hardware is PQII_PRO_UEC, address is 44d3.ca06.f99c (bia 44d3.ca06.f99c)
  Description: OUTSIDE
  Internet address is 71.178.6.158/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255

What you want to look at is the BW section and in my case it is saying 100,000 Kbits/sec or 100 Mbits/sec. If yours says 10,000 Kbits/sec that means that you are only connected at 10 megabits/sec and thus the reason that you are only getting 9 megabits/sec.

Then you can check the running config from the same location and check to make sure that it says that speed and duplex are set to auto and not hard coded to 10 megabits/sec.

Hope this helps you out.

Terry
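
The check described in the post above, as an added example that is not part of the original post: it reads the BW field from `show interface` output and the `speed`/`duplex` lines from the running config, then reports ports that linked below 100 Mbit/s. The sample text is constructed, and the function names and the `expected_mbit` parameter are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the output quoted above; BW shows the
# 10 Mbit/s case. The config excerpt mirrors the lines quoted in the thread.
SHOW_INTERFACE = """\
FastEthernet4 is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
"""
RUNNING_CONFIG = """\
interface FastEthernet4
 duplex auto
 speed auto
!
"""

def negotiated_mbit(show_interface):
    """Map interface name -> Mbit/s taken from the BW field."""
    result, current = {}, None
    for line in show_interface.splitlines():
        head = re.match(r"(\S+) is .*line protocol is", line)
        if head:
            current = head.group(1)
        bw = re.search(r"\bBW (\d+) Kbit", line)
        if bw and current:
            result[current] = int(bw.group(1)) // 1000
    return result

def port_settings(running_config):
    """Map interface name -> its 'speed' and 'duplex' config lines."""
    result, current = {}, None
    for line in running_config.splitlines():
        parts = line.split()
        if line.startswith("interface ") and len(parts) == 2:
            current = parts[1]
            result[current] = {}
        elif current and len(parts) == 2 and parts[0] in ("speed", "duplex"):
            result[current][parts[0]] = parts[1]
        elif not line.startswith(" "):
            current = None
    return result

def diagnose(show_interface, running_config, expected_mbit=100):
    """Return (interface, Mbit/s, cause) for every port below expected_mbit."""
    settings, findings = port_settings(running_config), []
    for name, mbit in negotiated_mbit(show_interface).items():
        if mbit < expected_mbit:
            # Assumption: a missing speed/duplex line means the default, auto.
            pinned = {k: v for k, v in settings.get(name, {}).items() if v != "auto"}
            cause = f"hard-coded {pinned}" if pinned else "auto-negotiated down"
            findings.append((name, mbit, cause))
    return findings
```

A port reported as "auto-negotiated down" points at the link partner or the cable rather than the router configuration.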

Re: Firewall and Modem are not Friends

#7

Post by russellhltn »

harddrive wrote: it almost sounds like you have a port speed issue on the router.

Yes. Typically ports are "auto-detect", but when both sides are that way, something strange happens to the negotiation.

Since you seem to have some control of the modem, see if you can force it to be 100 Mbit/Full Duplex - or some other setting that makes them both happy.

Re: Firewall and Modem are not Friends

#8

Post by lajackson »

harddrive wrote: show interface fastethernet4

My lines are identical, except for the addresses.

harddrive wrote: show running-config

duplex auto
speed auto

So those all appear to be good.

I did notice in the no ip nat service . . . section there are two lines:
ip nat inside source list [. . .] overload

Is that normal?

A friend at lunch suggested I check for a Network Address Translation conflict. I understand the concept, but would not know where to look.

Isn't this fun?

Re: Firewall and Modem are not Friends

#9

Post by lajackson »

russellhltn wrote: Since you seem to have some control of the modem, see if you can force it to be 100 Mbit/Full Duplex - or some other setting that makes them both happy.

I will look for that this evening.

Also, to close a loop, I have read the modem manual and learned that the amber light on the cable modem Ethernet port is normal. I was concerned that I got green with my laptop, but amber with the Cisco router and thought that might indicate a problem. It turns out that green indicates a 1 Gbps capable device is attached. Amber indicates a 100 Mbps/10 Mbps device is attached. Either light flashes when there is activity on the port.

So I guess I have a pretty good laptop, eh?

Re: Firewall and Modem are not Friends

#10

Post by harddrive »

It just means that you have a laptop that is capable of 1 Gigabits/sec. The overload is ok because you have over a 1000 addresses going to be using a single IP address when it gets natted.

Throughput and NAT aren't the same. NAT is network address and throughput is how much data can be put on the wire in a second.

So if the laptop is connected to port 1 on the router, you only get 8 megabits/sec and the Family History Center is on port 3 and they are getting 9 megabits, then there is a configuration problem on the router.

Would you be willing to do a show run command on the router and paste it here or send me a private message with it? I will compare it to the routers here. It would also be great if you could send us the show interface for Ethernet 1, 3 and 4. This way we can see the reported bandwidth.

Just thinking that it would be good to get the global service desk involved because if we find the issue on the router, then they will need to be brought in to make any changes.