SRP547W inbound http/ssh & NAT, plus DNS issues

Dec 29th, 2011

Hi,


I've just upgraded to one of these and everything appears to be working ok - except inbound http & ssh. I have two connections to the internet using the WAN interface and ADSL2. I have load balancing enabled and some rules to route outgoing traffic one way or the other. Incoming smtp, voip etc work fine.


For the life of me I can't work out why http is not working (and ssh as well). After a long period of time I get a "Timeout on gateway" message in the browser.


As an aside the Policy Routing won't allow me to save a port or port range. When I save the page, it sets the port to "0". Ideally I only want to route smtp and voip traffic over ADSL and have everything else go through the WAN connection.


Firmware Version: 1.02.01 (023) Aug 12 2011

ADSL Firmware Version: 0.72.0


Thanks,


Brendon.


brendonupson Sun, 01/01/2012 - 17:20

OK, found the problem. Policy routing. The policy route is applied regardless of where the connection originated. In this case incoming http requests were being received through the adsl interface, forwarded to the web server, then the web server's reply was routed out the WAN2 connection and into a black hole. THIS IS NOT RIGHT.


There need to be 2 urgent modifications to the firmware:

1. Allow policy routes entered through the web ui to correctly save the port / port range

2. Change the routing logic so that connections that originate from the internet are routed back through the same interface they arrived on.


As a workaround I have effectively disabled the WAN2 connection and am routing everything through the ADSL interface.
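The asymmetric-routing failure described in the post above, as an added simulation that is not part of the thread and is not the SRP547W's firmware: a stateless policy route keyed only on destination port sends the web server's reply out the default WAN, while a connection-tracking lookup sends it back out the WAN the request arrived on. Interface names (adsl, wan2), addresses and the rule set are constructed for the example; NAT is left out because it does not change the decision.

```python
"""Simulation: destination-port policy routing vs connection-aware routing
on a dual-WAN router. Added example, not code from the SRP547W or the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow_key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # A reply swaps source and destination; this is the key conntrack
        # uses to recognise the packet as belonging to an existing flow.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Router:
    """Dual-WAN router with destination-port policy routes.

    policy_rules: list of (dport, interface), evaluated in order.
    default_wan:  interface used when no rule matches (load balancing omitted).
    """

    def __init__(self, default_wan, policy_rules):
        self.default_wan = default_wan
        self.policy_rules = list(policy_rules)
        self.conntrack = {}  # original-direction flow key -> ingress interface

    def receive_inbound(self, pkt, ingress):
        # Remember which WAN the connection arrived on.
        self.conntrack[pkt.flow_key()] = ingress

    def policy_egress(self, pkt):
        # Stateless lookup: only the destination port is consulted. This is the
        # behaviour the post describes: applied regardless of where the
        # connection originated.
        for dport, iface in self.policy_rules:
            if pkt.dport == dport:
                return iface
        return self.default_wan

    def egress_stateless(self, pkt):
        return self.policy_egress(pkt)

    def egress_stateful(self, pkt):
        # Reply to a tracked inbound connection goes back out the same WAN
        # (on Linux, CONNMARK save/restore plus an ip rule on the fwmark does
        # this); anything else falls through to the policy routes.
        ingress = self.conntrack.get(pkt.reverse_key())
        if ingress is not None:
            return ingress
        return self.policy_egress(pkt)


def reply_delivered(ingress, egress):
    # The client connected to the public address of the WAN it arrived on. A
    # reply leaving the other WAN is NATed to that WAN's address, so the client
    # never matches it to its connection: the "black hole" in the post.
    return ingress == egress


def build_router():
    # Intended policy from the thread: smtp and voip over ADSL, everything else WAN2.
    return Router(default_wan="wan2", policy_rules=[(25, "adsl"), (5060, "adsl")])


def simulate_inbound_http(stateful):
    """Client -> web server :80 arriving via ADSL. Returns (egress, delivered)."""
    router = build_router()
    request = Packet(src="203.0.113.5", sport=51234, dst="198.51.100.10", dport=80)
    router.receive_inbound(request, ingress="adsl")
    reply = Packet(src="198.51.100.10", sport=80, dst="203.0.113.5", dport=51234)
    egress = router.egress_stateful(reply) if stateful else router.egress_stateless(reply)
    return egress, reply_delivered("adsl", egress)


def simulate_outbound_smtp(stateful):
    """Mail server opening an outbound SMTP session: the port-25 rule should apply."""
    router = build_router()
    pkt = Packet(src="198.51.100.10", sport=40000, dst="192.0.2.25", dport=25)
    return router.egress_stateful(pkt) if stateful else router.egress_stateless(pkt)


if __name__ == "__main__":
    for mode in (False, True):
        label = "stateful " if mode else "stateless"
        print(label, "inbound http:", simulate_inbound_http(mode),
              "outbound smtp:", simulate_outbound_smtp(mode))
```

The stateless path is the one that bites: the reply's destination port is the client's ephemeral port, which matches no rule, so the default WAN wins even though the connection came in on ADSL. The stateful path leaves outbound policy routing untouched and only pins replies to tracked inbound flows.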

brendonupson Thu, 01/05/2012 - 15:13

I have also discovered another issue with DNS. My mail server now takes ~60 seconds to reply to an initial connection, eg

# telnet my.mail.server 25
Trying 1xx.2xx.2xx.2xx...
Connected to my.mail.server.
Escape character is '^]'.
>>>> ONE MINUTE DELAY <<<<
220 my.mail.server - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP


The mail server was configured to use the SRP's DNS. When I edited resolv.conf on that server and changed it to use the google public DNS, connection was almost instant. I believe the issue was to do with name resolution when interrogating the DNSBL blacklists.


I can't believe:

a) I'm having so many basic problems with this router

b) No one has responded?!


I bought a Cisco because I mistakenly thought it was the best around. A "business class" product.

brendonupson Thu, 01/05/2012 - 16:12

The issue may be reverse DNS not working.


# host 10.100.105.101
;; connection timed out; no servers could be reached

Using the google public DNS:

# host 10.100.105.101
Host 101.105.100.10.in-addr.arpa. not found: 3(NXDOMAIN)
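The mechanism behind the two posts above (a reverse lookup that times out instead of returning NXDOMAIN, and a mail server that stalls before its banner while it checks DNSBLs), as an added example that is not part of the thread: it builds the PTR name and DNSBL query names for a connecting client's address the way `host` did for 10.100.105.101, runs each lookup under a wall-clock budget, and adds up the delay. The zone name `bl.example`, the `timeout` value and the stub resolvers in the test are assumptions; the real lookups use the standard library's `socket.gethostbyaddr` and `socket.gethostbyname`.

```python
"""Reverse-DNS and DNSBL query construction plus bounded lookups.
Added example; the DNSBL zone and timeout are assumptions, not from the thread.
"""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def reverse_name(ip):
    # 10.100.105.101 -> 101.105.100.10.in-addr.arpa; IPv6 -> nibble-reversed ip6.arpa
    return ipaddress.ip_address(ip).reverse_pointer


def dnsbl_query_name(ip, zone):
    # DNSBLs are queried as the reversed address under the list's zone.
    rp = reverse_name(ip)
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rp.endswith(suffix):
            return rp[: -len(suffix)] + "." + zone
    raise ValueError(rp)


def dnsbl_listed(answer_ip):
    # Convention: a listing is returned as an A record inside 127.0.0.0/8; the
    # meaning of the last octet is zone-specific (assumption for this example).
    return ipaddress.ip_address(answer_ip) in ipaddress.ip_network("127.0.0.0/8")


def timed_call(fn, timeout):
    """Run fn() with a wall-clock budget. Returns ((status, value), seconds).

    status: 'ok', 'nxdomain' (resolver answered negatively) or 'timeout'
    (no answer at all, as with the SRP's resolver in the post above).
    """
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(fn)
    try:
        result = ("ok", fut.result(timeout=timeout))
    except FutureTimeout:
        result = ("timeout", None)
    except (socket.gaierror, socket.herror):
        result = ("nxdomain", None)
    finally:
        pool.shutdown(wait=False)  # do not block on a stuck resolver thread
    return result, time.monotonic() - start


def smtp_client_lookups(client_ip, zones):
    """The queries a typical SMTP server issues for a connecting client before
    sending its 220 banner: one PTR lookup, then one A lookup per DNSBL zone."""
    lookups = [("PTR " + reverse_name(client_ip),
                lambda: socket.gethostbyaddr(client_ip)[0])]
    for zone in zones:
        qname = dnsbl_query_name(client_ip, zone)
        lookups.append(("A " + qname, lambda q=qname: socket.gethostbyname(q)))
    return lookups


def banner_delay(lookups, timeout=2.0):
    """Run each (name, thunk) lookup in turn; returns ([(name, status)], total_seconds).
    With a resolver that never answers, total_seconds approaches len(lookups) * timeout."""
    results, total = [], 0.0
    for name, fn in lookups:
        (status, _), elapsed = timed_call(fn, timeout)
        results.append((name, status))
        total += elapsed
    return results, total


if __name__ == "__main__":
    names = [n for n, _ in smtp_client_lookups("10.100.105.101", ["bl.example"])]
    print(names)  # PTR 101.105.100.10.in-addr.arpa, A 101.105.100.10.bl.example
```

A resolver that answers NXDOMAIN promptly costs one round trip per query; one that never answers costs the full timeout per query, which is why switching the mail server to a working resolver changed the banner from a minute's wait to near-instant.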

brendonupson Thu, 01/05/2012 - 20:22

I have disabled DNS spoofing and we seem to have a level of service. Not ideal, but working.

brendonupson Fri, 01/06/2012 - 02:39

Nope, not quite right. I disabled WAN2 so we're running on ADSL only with failover to WAN2 and DNS appears to be now behaving itself. While no traffic passes over WAN2.....

brendonupson Fri, 01/06/2012 - 04:12

This is starting to read like a ramble. DNS appears to work correctly for a few minutes after a change via the web ui, then fails.
