Tom Haynes

Thursday January 25, 2007
My Belkin 54G died yesterday

I lost connection to the SWAN (Sun Wide Area Network) yesterday. It turns out that both the punchin (Solaris IPSEC/VPN tool) servers at Sun and my home router decided to misbehave. The first really illustrated how difficult it is for a company to broadcast that services are down when they use that medium to spread knowledge. And the second was frustrating on several fronts.

I pulled a network cable slightly at one point in the early triaging, so I couldn't ping from one side of the office to the next. When I fixed that issue, I still couldn't ping outside the house. So I called up Cox's customer service. I was really amazed by their phone system trying to triage my issue. It walked me through isolating the issue on the cable modem, then my router, and finally my computer. Like the normal technicians, it had no clue about OSes other than WinXP or Mac OSX. It would ping and probe my cable modem and the router. It made me feel good that it couldn't get past the router.

After 25 productive minutes with the automated system (I'm serious - at the end of the session with it, I knew the problem was with my router.), I got passed to a live tech. He started to repeat the stuff the automated system had me do, but I got him past that quickly. He did isolate that my cable modem was in standby - the automated system should have done that.

He had me connect my desktop up to the cable modem directly and I was getting out. So there was the nail.

Now I've done everything but reset the factory settings on this router. Evidently the WAN ethernet port is hosed. I also had at least two power outages in the morning. My computers are protected, the router is not.

Anyway, I dropped a Linksys WRT55AG in there and I remembered quickly why I hadn't done that in the past. Most broadband routers support simple firewalls and port blocking. Both the Belkin and the Netscreen 10 box allowed you to punch open a port and also allowed you to redirect it. So, port 8085 on my Belkin became port 80 on my internal web server. The Linksys does allow you to open ports, but it does not allow you to redirect them. I tried my Linksys WRT54GL, hoping since it was more modern it would be easier to configure. Nope, it still didn't have the features that I wanted. (I've got the WRT54GL because I wanted to install a Linux distro on it and look at putting a slimmer OpenSolaris on it.) I ended up keeping the WRT54GL as my router - when I went back to the WRT54GL, it wasn't working like I wanted.

The big fear for me wasn't configuring apache to serve two addresses. No, it was in getting sendmail to listen to two ports. See, cox.net blocks port 25. They say they only block it coming out, but they also block it going in. It turns out my version of sendmail had support to handle this:

[tdh@adept mail]> diff sendmail.mc sendmail.mc.stock
113c113
< DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
---
> dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
120c120
< DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
---
> dnl DAEMON_OPTIONS(`Port=XXXX, Name=MSA, M=E')dnl
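Review bot: the 120c120 change leaves the active MSA line in sendmail.mc as M=Ea, but the text right after the diff says the 'a' option had to be removed to stop the 530 5.7.0 rejections, so the diff and the description disagree about which modifiers are deployed. State which one is live; 'a' is the modifier that makes the daemon require authentication, so with M=E the submission port accepts mail without SMTP AUTH. The two sides also differ in Port= (submission against XXXX), which the description does not mention.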

If you just do the MSA change, you lose the ability to get mail on port 25, so you need to also uncomment the line for MTA. Also, I had to remove the 'a' option since mail was being rejected due to not being authorized:

Diagnostic-Code: smtp; 530 5.7.0 Authentication required
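
An added example, not from the original post: a small Python check that reads a sendmail.mc, lists the DAEMON_OPTIONS lines m4 will actually expand (skipping dnl-commented ones), and reports whether each listener carries the 'a' (require authentication) modifier. The function names and the sample file contents are constructed for illustration.

```python
import re

# Matches an m4 DAEMON_OPTIONS(`...') call and captures the option string.
DAEMON_RE = re.compile(r"^\s*DAEMON_OPTIONS\(`([^']*)'\)")

def active_daemons(mc_text):
    """Return one dict per DAEMON_OPTIONS line that m4 will actually expand."""
    daemons = []
    for line in mc_text.splitlines():
        # A line that starts with "dnl" is discarded by m4, so it is inactive.
        if line.lstrip().startswith("dnl"):
            continue
        m = DAEMON_RE.match(line)
        if not m:
            continue
        opts = {}
        for item in m.group(1).split(","):
            key, _, value = item.strip().partition("=")
            opts[key] = value
        daemons.append({
            "port": opts.get("Port", "smtp"),   # sendmail listens on smtp by default
            "name": opts.get("Name", ""),
            "modifiers": opts.get("M", opts.get("Modifiers", "")),
        })
    return daemons

def audit(mc_text):
    """List (port, name, auth_required) for every active listener."""
    return [(d["port"], d["name"], "a" in d["modifiers"])
            for d in active_daemons(mc_text)]

# Constructed sample: the two active lines from the diff above, with the 'a'
# dropped from the MSA entry as the text describes, plus one commented-out line.
SAMPLE_MC = """\
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl
"""

if __name__ == "__main__":
    for port, name, auth in audit(SAMPLE_MC):
        print(f"{name:4} port={port:11} auth_required={auth}")
```

A listener reported with auth_required=False accepts mail without SMTP AUTH, so it is the one to keep covered by relay restrictions.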

So now I could get out and things could get in. This was when I found out that I still could not punchin. I thought perhaps that the router was blocking IPSEC/VPN requests, but the version of punchin I was using let me know that an IPSEC-ized ping was getting through to the punchin servers. I tried different boxes (both clients and servers), still no result. I used my laptop to get into the VPN servers. And I got a new version of punchin.

Finally, someone let me know the servers were hosed.

I've confirmed all of my services are working correctly (last time I had to change my internal server before a trip, I couldn't ssh back in). Guess I'll have to get another WRT54GL to play with.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Trackback URL: http://blogs.sun.com/tdh/entry/my_belkin_54g_died_yesterday
Comments:

try dd-wrt on the linksys, it can do pretty much anything you'd want to do.

Posted by Justin on January 25, 2007 at 05:55 PM CST
