Network autonegotiation is easily misunderstood. Consider two 10/100Mb devices attached to one another – a PC connected to a router. For each of these devices, it’s possible to configure the connection to use either 1) a fixed speed and duplex or 2) to negotiate the optimal shared speed and duplex with whatever it is connecting to. What is not intuitive is that both devices must be configured with the same settings. The connection will suffer a performance hit, or may not work at all, if the two devices are configured differently.

A common misconception about autonegotiation is that it is possible to manually configure one link partner for 100 Mbps full-duplex and autonegotiate to full-duplex with the other link partner. In fact, an attempt to do this results in a duplex mismatch. This is a consequence of one link partner autonegotiating, not seeing any autonegotiation parameters from the other link partner, and defaulting to half-duplex.

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094713.shtml#auto_neg

If both devices are configured to autonegotiate speed and duplex, then each will attempt to make the best possible connection among the possibilities they have in common. However, if one of the devices is set to use a fixed speed and duplex and the other device is set to autonegotiate, the autonegotiating device can determine the speed but not the duplex of the other device and so falls back to its default duplex mode. In the case of Cisco switches, the default duplex mode is half-duplex.

…it is possible for a[n autonegotiating] link partner to detect the speed at which the other link partner operates, even though the other link partner is not configured for auto-negotiation. In order to detect the speed, the link partner senses the type of electrical signal that arrives and sees if it is 10 Mb or 100 Mb.

It is not possible to detect the correct duplex mode in the same method that the correct speed can be detected. In this case, the [...] port of [the autonegotiating] switch [...] is forced to select the default duplex mode. On Catalyst Ethernet ports, the default mode is auto-negotiate. If auto-negotiation fails, the default mode is half-duplex.

http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080094781.shtml

Half-duplex as a default duplex mode is not unique to Cisco switches. Below is a link to an article on www.dell.com written by Rich Hernandez, a senior engineer with the Server Networking and Communications Group at Dell, that contains a table summarizing “all possible combinations of speed and duplex settings, both on 10/100/1000-capable switch ports and on NICs.” Included are combinations that would yield no link or link fail conditions, as well as combinations that would yield a duplex mismatch.

http://www.dell.com/content/topics/global.aspx/power/en/ps1q01_hernan?c=us&cs=555&l=en&s=biz

The importance of using identical settings on both sides of a network connection is stressed in a KB article from www.symantec.com with information on how an autonegotiating port may report that it has established a full-duplex connection with a NIC configured for 100MBs/Full, but in fact is communicating at less than expected capacity.

Only by explicitly setting both sides of the link to the same duplex mode would the link work flawlessly.

http://www.symantec.com/business/support/index?page=content&id=TECH87827

Understanding link data errors

The page at the link below contains two tables that explain the various errors and counters logged by a network switch and the possible causes.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00800a7af0.shtml#ustand

Troubleshooting Ethernet Collisions

Collisions may appear to indicate communication problems with a network connection, but as a technote from cisco.com states, collision counters alone are not indicative of network problems.

…collisions are a way to distribute the traffic load over time by arbitrating access to the shared medium. Collisions are not bad; they are essential to correct Ethernet operation.

There is no set limit for “how many collisions are bad” or a maximum collision rate.

In conclusion, the collisions counter does not provide a very useful statistic to analyze network performance or problems.

http://www.cisco.com/en/US/products/hw/modules/ps2033/products_tech_note09186a008009446d.shtml

Late Collisions

When a collision is detected by a station after it has sent the 512th bit of its frame, it is counted as a late collision.

The station that reports the late collision merely indicates the problem; it is generally not the cause of the problem. Possible causes are usually incorrect cabling or a non-compliant number of hubs in the network. Bad network interface cards (NICs) can also cause late collisions.

http://www.cisco.com/en/US/products/hw/modules/ps2033/products_tech_note09186a008009446d.shtml

One of those instances was yesterday, when I was trying to connect to my firm’s FTP site from an external network connection. From inside the office, using the internal IP address, FileZilla connected normally and displayed the contents of the root directory after I authenticated.

From outside the office, connecting via the hostname ftp.domain.com, FileZilla would connect normally and authenticate successfully, but it would not display the contents of the root directory. Instead, the server would send a “425 Can’t open data connection” message. FileZilla would then report “Error: Failed to retrieve directory listing”.

Here’s the complete conversation between the client and the server (names and IP addresses changed to protect the firm’s identity):

Status: Resolving address of ftp.domain.com
Status: Connecting to 38.98.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220-Microsoft FTP Service
Response: 220 Company Name
Command: USER ftp_username
Response: 331 Password required for ftp_username.
Command: PASS **********
Response: 230-Welcome to the Company Name FTP service.  Unauthorized use is strictly prohibited.
Response: 230 User ftp_username logged in.
Status:	Connected
Status:	Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,114,13,156).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Timeout (120 seconds): closing control connection.
Error: Could not read from socket: ECONNRESET - Connection reset by peer
Error: Disconnected from server

The interesting thing, I thought, was that when the server agreed to use passive mode, it did so with a port on the internal IP address, which is unroutable from outside the network.

The fix is to use active mode

OK, if you’re reading this, you probably just want to know how to make it work. FileZilla uses passive mode by default, but due to the network configuration of certain servers, active mode is required to establish a data connection. A bit of background reading with some explanation is farther down.

In FileZilla, click on Edit | Settings.

Under Connection, click on FTP and choose Active as the Transfer Mode.

Under Connection, under FTP, click on Active mode and choose “Ask your operating system for the external IP address” (the default setting).

Under Connection, under FTP, click on Passive mode and choose “Fall back to active mode” (this is an optional setting).

What is the difference between active and passive mode?

According to the FileZilla wiki page on network configuration:

In passive mode, which is recommended (see below), the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing, and establishes a secondary connection to the address returned by the server.

In active mode, the client opens a socket on the local machine and tells its address to the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.

The difference, then, is which side gets to determine the address used during the connection. In passive mode, the server provides the address, while in active mode, the client provides the address.

Why do I need to use active mode?

You probably shouldn’t need to use active mode, and in fact, it requires more configuration by the user of the FTP client to use active mode.

In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Analogously, in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Only outgoing connections have to be allowed on the server side.

http://wiki.filezilla-project.org/Network_Configuration#Technical_background

So, it boils down to who’s going to be responsible for the NAT and firewall configuration. Using passive mode places the responsibility on the server side of the connection, while using active mode places it on the client side. Typically, the FTP server administrator should be better equipped to handle this responsibility than the average FTP client user.

Passive mode

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you’ll have to allow outgoing connections to all ports in your firewall.

Active mode

In active mode, the client opens a socket and waits for the server to establish the transfer connection.

http://wiki.filezilla-project.org/Network_Configuration#Setting_up_FileZilla_Client

I’m behind a NAT router and I’ve never had any problems with passive mode. On the other hand, I seem to be able to connect to all my sites without any problem with the client in active mode, too, and I haven’t had to open any ports in Windows Firewall or forward any ports on my router. So maybe active mode doesn’t require as much configuration as the wiki page leads me to believe. Or maybe I’m just getting lucky and I’ll eventually run into problems if I continue to run in active mode.

Why does the server respond with the local IP address?

The FileZilla people offer a a partial explanation for why I’m seeing the internal IP address when I connect using the hostname. Back in Settings, under Connection | FTP | Passive mode, is some support text that reads: Some misconfigured remote servers which are behind a router, may reply with their local IP address.

The wiki page is pretty good reading, and has some interesting stuff on NAT, but I think that I’ll offer this plain-language, local IP address explanation when troubleshooting FTP connections.

OpenDNS

The OpenDNS nameserver IP addresses are:

• 208.67.220.220
• 208.67.222.222
• 208.67.220.222
• 208.67.222.220

http://www.opendns.com/support/article/197

Google Public DNS

The Google Public DNS nameserver IP addresses are:

• 8.8.8.8
• 8.8.4.4

http://code.google.com/speed/public-dns/docs/using.html

So which DNS servers are faster for you?

Try out namebench. It hunts down the fastest DNS servers available for your computer to use. (For Mac OS X, Windows, and UNIX.)

http://code.google.com/p/namebench/

Using OpenDNS to filter (whitelist/blacklist) content

If you have an account with OpenDNS, you can whitelist and blacklist IP addresses. A free account allows you to whitelist or blacklist 25 addresses; paid accounts allow more.

1. Create an account at OpenDNS.
2. Set up a network for your physical location (your current IP address).
3. Configure your machine to use the OpenDNS servers.
4. Install the client software for updating a dynamic IP in an OpenDNS network – http://www.opendns.com/support/article/90.

• Windows 7 – https://store.opendns.com/setup/operatingsystem/windows-7
• Ubuntu – https://store.opendns.com/setup/operatingsystem/ubuntu
• Mac OS X – https://store.opendns.com/setup/operatingsystem/apple-osx-leopard

Technically more sophisticated users may discover that manually setting the DNS servers on a computer allows that computer to circumvent the OpenDNS filtering. To prevent a machine from bypassing the OpenDNS filtering, you could configure the DNS servers directly on the router and then block all outgoing DNS requests to all DNS servers except the OpenDNS servers.

OpenDNS system status

It’s a good idea to be able to check the condition of your DNS server.

The OpenDNS system status page’s IP address is http://208.69.38.170/.

Seriously restricting internet access

What I really want to do is severely restrict internet access on a single machine on my LAN. For this machine, I want to manage a small whitelist of domains and block access to everything else. OpenDNS doesn’t seem to offer this type of functionality.

introduction

This is a slightly useful network monitor graphing thing for Win32.
It just sits in its own window, pinging a host, and giving you a
graph of how long it takes each time.

Because all great (err) things should be free, this should be too.
Not only that, we’re pretty much giving away all rights to it, giving
you the source, and letting you do what you want with it (see the
license below).

features

• Host configuration
• Hops configuration
• Refresh rate configuration
• Graph scale configuration
• Configurable text for window
• Automatic start-on-system-start
• Static window size (120×40)
• Small memory footprint

license

Copyright (C) 1999-2000 Nullsoft, Inc.

This software is provided ‘as-is’, without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.

Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Note that this license is borrowed from zlib.

download

Current version: 0.4 (8/1/00)
Download: netmon04.exe

version history

v0.4 (8/1/00)

• first public release

But, I was able to find lots of useful links, which I’ve posted here for future reference.

Default AirPort Base Station passwords are “public.”

Resetting an AirPort Base Station or Time Capsule FAQ (with pictures of the different models)
http://support.apple.com/kb/HT3728

AirPort Utility 5.5.3 for Windows
Post Date: June 14, 2011
http://support.apple.com/kb/DL1391

Time Capsule and AirPort Extreme Base Station Firmware Update 7.5.1
Post Date: March 31, 2010
http://support.apple.com/kb/DL965

AirPort Extreme Firmware Update 5.7 for Windows (drop shaped)
Post Date: January 03, 2006
http://support.apple.com/kb/DL411

All about Time Capsule, AirPort Extreme, and AirPort Express base station firmware updates
http://support.apple.com/kb/HT1218

To download and install any available firmwares on your AWD, simply open AirPort Utility. An alert indicates that an update is available (if one is). Click the Update button. If you are updating more than one base station, click Show Details to select the base stations you want to update.

AirPort + Time Capsule (General support page)
http://www.apple.com/support/airport/

Using the AirPort Admin Utility to create a WDS network with multiple base stations
http://support.apple.com/kb/HT4262

AirPort Extreme Base Station Setup Guide
http://manuals.info.apple.com/en/airportextremebasestationsetupguide.pdf

AirPort: Slow 802.11n connection speed when connected using older WEP or WPA security mechanisms
(Use WPA2 Personal authentication)
http://support.apple.com/kb/TS3361

• Slow down your Internet performance
• View files on your computers and spread dangerous software
• Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords
• Send spam or perform illegal activities with your Internet connection

IT security needs to use a layered approach. While no single layer of security is enough to withstand every attack, each additional layer serves to further harden your system and discourage would-be attackers and free-loaders. Here are six settings on your router which, if properly configured, will better protect your network, your computers, and your data.

1. Change the default password for the administrator account on your wireless router or access point. This is absolutely essential and should have been the very first thing you did after you unboxed it. Don’t use a word in the dictionary or anything easily guessed.
2. Limit access to your wireless LAN by using MAC address filtering. A MAC address (also called the physical address) is an identifier unique to each network adapter. MAC address filtering involves looking up the MAC address of each device that will connect to the WLAN and adding them to a list in the router’s control panel. MAC addresses can be spoofed, so filtering shouldn’t be the only security method used.
3. Change your SSID (network name). A router’s default SSID (Service Set Identifier) can be used to identify your hardware, which could help a hacker determine the default administrator password (see step 1). A default SSID also suggests that the network was poorly configured, making it appear to be an easier target. Change it to something you and your family would recognize (your pet’s name, for example), but that’s not publicly identifiable (don’t use your name, your address, etc.).
4. Don’t disable SSID broadcasting Disabling SSID broadcasting will prevent casual browsers from finding your network, but it also means you will have to manually enter the name of your network on each device and your laptop will periodically ping your SSID. Not broadcasting your SSID does nothing to secure your network, it just makes it less obvious to your neighbors.
   Source: http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/
5. Use the strongest encryption form supported by your router and all of your other devices. The best choice is WPA2 with the “TKIP+AES” algorithm, which is the newest type of wireless encryption and provides the highest level of encryption available. WPA2 has been available on most devices manufactured in the past few years. WPA-PSK, also called WPA-Personal, encryption is the next best, and 128-bit WEP is the weakest level of encryption and not very good, but better than nothing. Use a strong password, ideally a string of at 20+ random alpha-numeric characters. You can find such random strings at https://www.grc.com/passwords.htm . If you must use WEP, change your key often.
6. Disable remote administration. The ability to remotely administer your WLAN router via the Internet should be turned off unless you absolutely need this. It is usually turned off by default, but it’s a good idea to check. The only downside to this is that you will have to physically connect a computer to the router in order to configure it, which isn’t necessarily a downside at all.

With the router and WLAN now well-configured, hacking your home network will be much more difficult. Below are a few more suggestions to further increase your protection.

If you can afford a second NAT router, you can dramatically improve your LAN’s security. Basically, you create a second LAN by connecting the wireless router to the modem, connecting a second, wired router to the wireless router and then put one or more of your PCs behind the second, wired router. This means that anyone who accesses your WLAN still can’t get to the PCs behind the second, wired router.

Read more about using a second NAT router to create an even more secure LAN at GRC.com.

Test your connection for vulnerabilities with third-party software. Use the ShieldsUP! port probe from GRC.com to check whether your router is detectable by port scanners.
https://www.grc.com/x/ne.dll?bh0bkyd2

McAfee Wi-FiScan surveys your current Wi-Fi connection, your wireless equipment, and local environment to assess security risks introduced by your wireless network. Wi-FiScan uses an ActiveX control to gather information. If security or performance issues are found, McAfee will suggest ways to reduce your risk.
http://us.mcafee.com/root/wsc/default.asp

Netstumbler, by Marius Milner, will determine your network’s vulnerabilities and unauthorized access points, and also reveal the sources of network interference and weak signal strength.
http://www.netstumbler.com/downloads/

Protect your machine from attacks from within your LAN. Use a software firewall on every device and make sure that port 113 is stealthed. If you are using Windows, run Windows Updates every month or keep Automatic Updates on. Install some anti-virus software (Microsoft Security Essentials seems quite nice) and keep that up to date, too. Turn off services like File Sharing unless you need them and understand the consequences.

For the borderline-paranoids, you can turn off DHCP (Dynamic Host Configuration Protocol) entirely and configure each device to connect using a specific IP, or at least assign all of your devices static IP addresses well away from the first address dynamically assigned by your router. For example, if your router starts assigning IP addresses at 192.168.0.100, give your devices static addresses above 192.168.0.150. This will make it more of a nuisance for someone who does access your network to find the machines connected to it, as they won’t exist near the address assigned dynamically to the intruder. You can change the default IP address of the router itself, too, but that will be immediately obvious to anyone who gets in.

Verify that your computer’s Wake on Wireless LAN (WoWLAN) function is disabled (check your BIOS).

A Wi-Fi network is only vulnerable when it is on, so turn off your router when you aren’t using it. Turn off your computers, or at least hibernate/sleep them, when not in use. (Don’t forget to turn off the monitors, too.) Better yet, just kill the power at the surge protector, as all of these components still draw power when turned off. You’ll be surprised at how much energy you can save.

The farther the Wi-Fi signal reaches, the easier it is for others to detect and exploit it. If possible, place the router where it will have the most difficulty broadcasting the signal outside your home, such as in the basement, in a closet, or toward the center of your home. While not a feature of all wireless routers and access points, some allow you to reduce the transmitter power. If possible, adjust it so that you still get a decent signal inside, but it doesn’t leak too far outside your home.

Don’t connect to unprotected wireless networks yourself, as it’s possible for someone on that network to monitor your traffic. If you must connect to an unprotected network, enter passwords only on sites that use encryption (those that display the padlock icon in the lower-right corner of your browser and with a URL in the address bar that begins with https). Never select the ‘connect to available wifi networks automatically’ setup option under your Network Connections window.

Ensure that your router’s firewall is enabled, along with related built-in security features that block anonymous requests or pings from the WAN side.

The DMZ feature of your router allows you to put a machine ‘outside’ of the protection of the NAT router. Only use this if you understand the consequences.

For a good Ars Technica article that includes a chart of common devices (Wii, PS3, Xbox 360, etc.) and their support for the various levels of encryption, read The ABCs of securing your wireless network.

While we’re on the subject, you might want to consider choosing the right channel to obtain the best wireless signal.

My Xbox, which had been connected for months with an Open NAT while using a old Siemens Speedstream 4100 modem, never had any problems connecting.

I double checked all the connections, powercycled the Xbox, then ran the network tests from the System blade. It would pass all of the tests up until the Xbox Live test, at which point it would fail spectacularly and restart the tests – but this time displaying a “Disconnected” message at the Network Adapter test.

I bypassed the router and plugged the Xbox straight into the DSL modem and was able to connect, but with a Strict NAT. (I should have realized the significance of this right away, but I didn’t.)

So I reconnected the router and kept experimenting. After a while, I noticed that my computers connected to the router also lost their connections when I tried to sign in to Xbox Live.

As it turns out, the suspicious-looking disconnection message was accurate – something the Xbox was doing was causing the router to reboot.

I Googled around and found a few good posts about this problem.

First, I disabled UPnP on the D-Link router thanks to the advice in this Ars Technica forum post. Then I configured it to assign the Xbox a static IP address and then put that IP address in the DMZ. Now the Xbox was able to connect to Xbox Live, but the NAT status was Strict.

I wasn’t going to settle for that, though. I wanted to get an Open NAT.

So I took it out of the DMZ and port forwarded UDP 88 and both UDP & TCP 3074 ports to the static IP address, but the NAT status was still Strict.

Giving the Xbox a static IP address and forwarding the ports had fixed similar connection issues and permitted an Open NAT for almost everyone else, why wasn’t it working for this setup?

More Googling finally turned up the explanation. The Motorola Netopia 2210 contains a NAT router, so no matter what I did with the D-Link’s settings, I was going to keep getting the Strict NAT from the modem as long as it was handling the PPPoE. (This is what I should have realized earlier, when I was connecting the Xbox directly to the modem.)

“The Motorola/Netopia 2210 is also a router with full DHCP functions and may not function correctly when connected directly to another router. Not changing the modem to Bridged Ethernet may result in double NAT’ing, increased latency, possible IP conflicts, or possibly a network that doesn’t work at all.”
- http://www.dslreports.com/faq/15855

The solution was to configure the modem to use “Bridged Ethernet” mode and set up PPPoE on the router.

As long as you’re setting up PPPoE on the router, you may want to select “Keep Alive” or “Always On”, if those options are available, or set the Maximum Idle Time to “0″. You should also confirm that the MTU value is “1492″ and that value is used on all the devices on the network.

Also note that the Motorola Netopia 2210 has an “Internet” light that lights up green whenever there is an active PPPoE session initiated by it. The light will stay off when the PPPoE session is initiated by a router or other device.