Archive | Networking

Technicolor TG589vn V2 DNS Forwarding

I’ve just had VDSL2 installed at home and have been setting up the new Telecom-supplied Technicolor TG589vn V2 modem. The previous modem I had, the Technicolor TG582n, has some great functionality if you don’t mind diving into the CLI (and the accompanying 800+ page CLI guide!). The TG589 is no different – a basic, user-friendly web GUI, backed by a much more powerful CLI.


I haven’t been able to find the CLI guide PDF for this model yet, but the command set is largely the same. One notable exception is the conditional DNS forwarding configuration, which has given me some trouble. The TG582n had a set of commands for ‘DNS routing’, e.g. dns server route list and dns server route add.

*Update*: I’ve now got a copy of the manual, linked below (thanks Dennis and Phill).

This has changed in the TG589 to DNS ‘forwarding rules’ and DNS ‘server sets’.

So: we have a list of DNS servers in a dnsset, which are used in order of metric (the lowest metric is used first). Then we have a set of rules as to which dnsset to use in which circumstance. The rules can match on client address, DNS domain, source interface etc., so it’s quite flexible.

By default there is one dnsset and one forwarding rule. The default dnsset is set ‘0’ and is typically populated with your regular ISP DNS server.  The default forwarding rule has a rule index of 999 and basically says if no other rules match then use dnsset 0.

At home I want the modem to act as the DNS server for all public internet addresses, but I want queries for names on my home domain to be forwarded to my Samba domain controller/DNS Linux box. Doing this means I can reboot the Linux box without losing internet access.

Here’s how I set it up:

  1. Telnet to the modem – No SSH 🙁
  2. Add a DNS server set: (In this case my ‘dnsset’ will just have one server in it.)
    dns server forward dnsset add set=10 dns=192.168.22.10 metric=20 intf=LocalNetwork
  3. Add a rule so that any queries for home.rhysgoodwin.com are forwarded to dnsset 10.
    dns server forward rule add idx=20 set=10 domain=home.rhysgoodwin.com
  4. Finally – the bit that tripped me up for some time was the DNS server ‘response filter’ config option. I’m not sure technically what this option is for, but I had to disable it before the forwarding would work.
    dns server config filter=disabled

In step 3, where you create the rule, these are the parameters:

idx is the index or id of the rule. I think it also implies the order of the rule: a lower index will be matched first.

set is the number of the dnsset to use if this rule matches.

domain is the domain name to match on. If specified, the rule will only apply to queries for names in this domain. If you leave it blank, the rule will apply to all DNS queries (which match the other parameters of the rule).

intf takes an interface name, e.g. LocalNetwork, PPPoE, PPPoA etc. If specified, the rule will only apply if the DNS query comes in on the specified interface.

source takes a CIDR network address, e.g. 192.168.22.0/24 for my entire local subnet or 192.168.22.50/32 for a single IP address. If specified, the rule will only apply if the DNS query is coming from the specified address. This is useful in cases where you have one particular device on the network which you want to use different DNS servers for.
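As an added illustration (not from the post, the modem, or its CLI guide), here is a small Python model of the dnsset and forwarding-rule semantics described above: rules are tried in ascending idx order, every condition a rule carries (domain, source, intf) must hold, and the matched dnsset’s servers are ordered by metric. The ISP server addresses and the idx=30 source-restricted rule are constructed for the example.

```python
import ipaddress

# Constructed model of the TG589 'dnsset' / forwarding-rule behaviour described
# above. Added illustration only: this is not the modem firmware or its CLI.

# dnsset number -> list of (server, metric); the lowest metric is tried first.
DNSSETS = {
    0: [("203.0.113.54", 20), ("203.0.113.53", 10)],  # constructed ISP servers
    10: [("192.168.22.10", 20)],                       # home Samba DC / DNS box
}

# Rules as created with 'dns server forward rule add idx=... set=... ...'.
# idx 999 is the default rule: no conditions, falls through to dnsset 0.
# The idx=30 rule is constructed to show a per-device 'source' match.
RULES = [
    {"idx": 20, "set": 10, "domain": "home.rhysgoodwin.com"},
    {"idx": 30, "set": 10, "source": "192.168.22.50/32", "intf": "LocalNetwork"},
    {"idx": 999, "set": 0},
]


def rule_matches(rule, qname, src_ip, intf):
    """Every condition present on the rule (domain, source, intf) must hold."""
    domain = rule.get("domain")
    # Match the domain itself or any name under it, but not a mere string
    # suffix overlap such as 'evilhome.rhysgoodwin.com'.
    if domain and not (qname == domain or qname.endswith("." + domain)):
        return False
    source = rule.get("source")
    if source and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(source):
        return False
    if rule.get("intf") and rule["intf"] != intf:
        return False
    return True


def choose_servers(qname, src_ip="192.168.22.77", intf="LocalNetwork"):
    """Return (matched rule idx, servers ordered by metric) for one query."""
    qname = qname.rstrip(".").lower()
    for rule in sorted(RULES, key=lambda r: r["idx"]):
        if rule_matches(rule, qname, src_ip, intf):
            servers = sorted(DNSSETS[rule["set"]], key=lambda s: s[1])
            return rule["idx"], [server for server, _metric in servers]
    return None, []  # unreachable while the idx 999 catch-all rule exists


if __name__ == "__main__":
    print(choose_servers("fileserver.home.rhysgoodwin.com"))  # (20, ['192.168.22.10'])
    print(choose_servers("www.example.com"))                  # (999, ISP servers)
    print(choose_servers("www.example.com", src_ip="192.168.22.50"))  # (30, ...)
```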


To delete a forwarding rule you must specify the index number, exactly like this:
dns server forward rule delete idx 20


Happy Forwarding!


Here’s the CLI Guide for the TG589vn:

TG589vn-v2CLI
Version: 1.0
Updated: 2014-02-03
Download: TG589vn-v2CLI.zip - 3.51 MB

Also for the TG582n:

TG582n_CLI_Guide_v1.0_public
Version: 1.0
Updated: 2013-07-16
Download: TG582n_CLI_Guide_v1.0_public - 2.59 MB




ISA Not Enough Memory (0x80070008)

I came across this one today when one of our web apps in the perimeter network stopped working for external users after a switch failure on our internal network.

We run split DNS, so if you ask an internal DNS server for the IP address of webapp.ourdomain.com it will tell you the private address of the perimeter web server, but if you ask a DNS server on the internet you will get the public address, which is NAT’d to the ISA server that publishes the app. Now, if you ask a DNS server in the perimeter network, it will forward the DNS request to an internal DNS server. If the internal DNS server is unavailable, the perimeter server will use recursion to resolve the address and ultimately end up resolving and caching the public address of the web app. By now you can probably guess what happens.

  1. An internet user connects to webapp.ourdomain.com, which is resolved to 203.271.47.15.
  2. The connection is NAT’d by our external hardware firewall and received by the ISA web listener / publishing rule.
  3. The ISA server resolves the name in the “To” section of the web publishing rule using a perimeter DNS server. The name is in the internal domain (ourdomain.com), so the perimeter DNS server tries to forward the request to an internal DNS server; this fails, so the perimeter DNS server uses recursion to resolve the name and returns the public internet address instead of the private address of the web server in the perimeter network. We now have a loop, which results in the above error being logged.

There are a couple of ways to deal with this.

  1. Disable recursion on the domain forwarding in the DNS server settings.
  2. Explicitly specify the IP address in the “To” section of the publishing rule.

Another one of those “Only in this exact and unlikely situation” type posts but oh well!


Structured Cable at Home

I’ve been a bit slack with my blog lately, partly because in October we bought our first house, so that’s been taking up a lot of my time. It’s a good solid 1950s house but VERY original, so it needs a LOT of work.

Me plastering the back room, getting it ready for painting.

From network engineer to home handyman / plasterer / carpenter! Don’t worry though, I’ve got my priorities straight! The structured cabling and network cupboard are almost complete. I’m quite pleased with how it’s turned out, so I decided to put up some photos.

Cables come up from under the floor into the wall cavity.

Fortunately there was a little wee open cupboard off the hall. It’s a good central point to run all the cables back to. I’ve installed a total of 16 network ports: 6 in the lounge, 2 in the dining room and 2 in each of the four bedrooms. The cable is CAT6 and is all run under the floor. I’ve created 3 channels by running 30mm thick strips of pre-dressed pine from top to bottom of the cupboard.

Cables from wall cavity

Left channel with bottom capping section installed.

The left channel carries the CAT6 up from the floor to the patch panel. It is also used to carry alarm wires down from the ceiling. It has notches which accommodate 3.5mm plywood capping. The right channel is also capped and will be used for carrying power cables. The centre channel is left open and used for running cables between the shelves.

Patch panel, yet to be mounted and punched down.

Cables under floor

Flush Box

PDL 8p8c Module

Plate ready

Plate mounted

Next step, get rid of that wallpaper!!!! But like I say, priorities!
