Re: Bridge mode vs. router mode in DSL modems
On Mon, 7 Mar 2011 00:54:19 -0600
Jason Hsu <jhsu802701@jasonhsu.com> wrote:
> QUESTIONS:
> 1.  How do I know if my DSL modem is the culprit blocking remote
> access to my computer?
> 2.  Exactly what is the difference between bridge mode and router mode
> in a DSL modem?  I read that if my DSL modem is blocking remote access
> to my computer, switching it to bridge mode would remedy this.
> 3.  Why does switching my DSL modem to bridge mode cut off Internet
> access, and why does switching it back to router mode restore Internet
> access?
>
A router connects two or more different IP broadcast domains (different
network addresses) and contains routing rules to decide which interface
to use in relaying packets it receives. An Internet router generally
also contains a simple firewall and does NAT translation.
A bridge is effectively a piece of wire, passing everything between
two parts of the same broadcast domain and doing no processing.
So when you switch from router to bridge mode, the next connection
assigns a public IP address to the next piece of equipment in from the
bridge. If it cannot accept that address, there's a problem. If the
firewall rules do not allow for the public IP address, there's a
problem. The piece of equipment connected to the bridge is also exposed
directly to the Internet.
Only use bridge mode if you know exactly what it does, and that's what
you want, and for most people it won't be.
> BACKGROUND:
> 
> I have a small home network.  The setup is:
> Internet -> DSL modem -> Firewall/server computer -> Ethernet switch
> -> Main computer
> 
> The DSL modem is an Embarq EQ-660R ADSL router.  My ISP is
> CenturyLink.
> 
> I'm trying to set up an SSH server on the firewall/server computer.
> I have a free account from DynDNS, but their Open Port Tool (at
> https://www.dyndns.com/support/tools/openport.html , which I set to
> port 22) gives me the "timed out" error message.  I don't think the
> Shorewall firewall on the firewall/server is the problem, as I have
> the /etc/shorewall/policy file set to accept firewall-to-all
> communications (through port 22) and the /etc/shorewall/rules set to
> accept net-to-firewall (through port 22).
> 
> Some searches on Google gave me the idea that my DSL modem could be
> the culprit.  This brings me to the questions at the beginning of
> this post.
> 
You have a fair way to go before you should advertise as a consultant.
A good working knowledge of networking is an absolute requirement. *You*
should be able to tell *us* the difference between a bridge and router,
and you should certainly be able to troubleshoot this kind of problem.
1. Check that sshd is actually running and is accepting connections on
the WAN port. Try a connection first from localhost, and examine the
configuration file to check that the WAN port and your user are
allowed. By default, with no changes made, it should work.
2. Check that ssh works from a computer directly connected to your
server's WAN port (crossover cable possibly required). You'll need to
tweak IP configurations to do this.
3. Check that the router has a forwarding rule to pass ssh to the
server when back in normal configuration.
4. Check with http://grc.com Shields Up!! as to whether it can see port
22. Ignore Steve's dire warnings everywhere.
If you get to this point without success with external ssh, any further
issues are due to ISP port blocking (an urban myth, as far as I can
see) or dynamic DNS issues. A consultant really ought to have a fixed IP
address, as a dynamic IP address introduces uncertainties where you
don't need them.
Oh, and when ssh is working, move it to an unprivileged (high) port. It
doesn't add much security, but it keeps a lot of rubbish out of your
logs, and that's certainly worth doing.
And you have configured it to work with keys, not passwords, haven't
you?
-- 
Joe
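An added example, not part of Joe's reply or Jason's post: a small Python script that does the offline half of step 1 above (is sshd actually bound on an address the WAN side can reach, or only on loopback?) and checks the two closing pieces of advice (high port, keys rather than passwords) against sshd_config. The `ss -tlnp` output, the two sshd_config fragments and the WAN address 203.0.113.5 are constructed samples; in use, feed it the real `ss -tlnp` output, the real /etc/ssh/sshd_config and the address on the server's WAN interface. It assumes Linux defaults (a "::" wildcard socket also accepts IPv4, and sshd takes the first value it sees for each keyword).

```python
"""Offline checks for the ssh troubleshooting steps in the reply above.

Example code added to the thread, not from the original post.  All inputs
below are constructed samples.
"""
import ipaddress
import re

# Constructed sample of `ss -tlnp` output: sshd bound to loopback only,
# a web server bound to the wildcard address.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::1]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Constructed sshd_config fragments: one that reproduces the symptom, one
# that follows the reply's advice (high port, keys only, explicit users).
SSHD_CONFIG_DEFAULT = """\
# Port 22
ListenAddress 127.0.0.1
PasswordAuthentication yes
"""

SSHD_CONFIG_HARDENED = """\
Port 2222
ListenAddress 0.0.0.0
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin
"""

# Addresses that accept connections on every interface.  "::" is included
# because Linux accepts IPv4 on it unless net.ipv6.bindv6only=1 (assumption).
WILDCARDS = {"*", "0.0.0.0", "::"}


def parse_listeners(ss_text):
    """Return [(host, port, process_name)] for each LISTEN row of `ss -tlnp`."""
    listeners = []
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # "127.0.0.1:22" / "[::1]:22"
        host = host.strip("[]")
        proc = re.search(r'\("([^"]+)"', line)       # users:(("sshd",pid=...))
        listeners.append((host, int(port), proc.group(1) if proc else None))
    return listeners


def reachable_from(listeners, wan_ip, port):
    """True if some socket on `port` would accept a connection arriving on wan_ip."""
    wan = ipaddress.ip_address(wan_ip)
    for host, p, _ in listeners:
        if p != port:
            continue
        if host in WILDCARDS or ipaddress.ip_address(host) == wan:
            return True
    return False                                     # bound elsewhere (e.g. loopback only)


def parse_sshd_config(text):
    """Effective value of each keyword: sshd uses the first one it encounters."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def audit_sshd_config(text):
    """Return (effective port, list of findings) in the spirit of the reply."""
    cfg = parse_sshd_config(text)
    port = int(cfg.get("port", "22"))
    findings = []
    listen = cfg.get("listenaddress", "0.0.0.0")     # address-only form assumed
    if listen.startswith("127.") or listen == "::1":
        findings.append("sshd listens on loopback only; nothing on the WAN side can connect")
    if port < 1024:
        findings.append("sshd on a privileged port; move it to a high port to keep noise out of the logs")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication is enabled; use keys instead")
    return port, findings


if __name__ == "__main__":
    wan = "203.0.113.5"                               # constructed WAN address
    sockets = parse_listeners(SS_OUTPUT)
    print("port 22 reachable from", wan, "->", reachable_from(sockets, wan, 22))
    for name, cfg in (("default", SSHD_CONFIG_DEFAULT), ("hardened", SSHD_CONFIG_HARDENED)):
        port, findings = audit_sshd_config(cfg)
        print(f"{name}: port {port}, findings: {findings or 'none'}")
```

On the sample input the script reports that port 22 is not reachable from the WAN address while port 80 is, which is exactly the "timed out" symptom with the modem not yet implicated: the loopback-only ListenAddress has to be fixed before a port-forwarding rule on the router can make any difference.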