JP Vossen on 1 Oct 2009 23:02:00 -0700



Re: [PLUG] Comcast "CDV" device & firewalls


 > Date: Thu, 01 Oct 2009 18:45:17 -0400
 > From: Carl Johnson <cjohnson19791979@gmail.com>
 >
 > i will assume that the cdv is a small narrow black box made by arris,
 > which comcast commonly uses these days for their triple play service.

I dunno, never seen it.  It was just installed today, a 2 hour drive 
from me.  They can't even take a pic and email it, since Internet is 
down!  (OK, I could work around it, a couple of ways, but...)


 > this device isn't really a router per se. it's more like just a plain
 > old docsis cable modem with a phone segment tied to it. with that said
 > it shouldn't be surprising that you could ssh into an unfirewalled box
 > from the outside.

OK, *good* that's what I want!


 > you are right about the mac addy trapping. it's one of
 > comcast's ways of preventing you from getting more than one public IP.
 > all you need to do to release this hold on the MAC and to get the cdv
 > to start accepting dhcpdiscovers again is to power cycle it. be aware
 > though that quite often these things have their own battery backup
 > built in. when you pull the power flip the box over and remove the
 > battery from the bottom under the little trap door for a few secs.

OK, we did power cycle it, which killed the phone we were talking on, 
but they did it before I could warn them...  Sigh.  That didn't help, 
but the battery might be the kicker.


 > 1. what firewall rules you implement is up to you. with this in mind,
 > whatever you plug into it will be directly and completely exposed to
 > the open internet.

Again, good, that's what I want.  I was a tad unclear in that the 
firewall is a physical server running M0n0wall; I don't use or trust 
"built-in" crap that the vendor controls and can arbitrarily nuke firmware 
on (I'm looking at you Vonage).


 > 2. the phone part does work "similar" to a vonage adapter. what would
 > you like to know about it?

If the gadget is a bridge, where does the "IP" part in VoIP come from? 
IOW, if I have a physical device, be it a laptop or a firewall, on the 
inside of the bridge, and that physical device is what gets a DHCP IPA 
from upstream, how is the VoIP part handled?

My Vonage gadget "wants" to be first in the line, so it grabs the IPA 
and does the FW/NAT/traffic shaping thing.  I can add incoming NAT to it 
to allow me to SSH in from the outside, but any time they update 
firmware they nuke the config and my NAT rule goes away.  Not 
acceptable.  Also, I'd have to trust their FW, or live with double-NAT 
from my FW to theirs.  Nope.

I put the Vonage adapter on its own dedicated FW segment, with the 
M0n0wall providing the "WAN" DHCP.  Once I got the FW rules figured out, 
it works great, and Vonage can't touch my networks.  So from the 
outside, VoIP traffic hits my FW and is NAT'd to the Vonage gadget.  I 
don't understand how that part can work if the CDV is really a bridge. 
What does VoIP traffic use for an IPA?

Bottom line, I kind of don't care how it works if I can get it to do 
what I want.  Ideally I'd like to put the CDV device on a dedicated FW 
segment (like my Vonage), open up & NAT whatever ports it needs, and 
leave it there.  That would require re-installing the old RCA cable 
modem (bridge), plugging the FW into that, and then hanging the CDV 
device off the FW.

I can live with the CDV device being inline upstream from the FW *if* it 
really just passes the traffic without affecting it other than handling 
VoIP however it does.  That was my crappy ASCII art from OP:

{coax} <--> [RCA Bridge] <--> [Firewall] <--> LAN
                                    ^--> [CDV Phone segment]


 > 3. all you need to do to release this hold on the MAC and to get the
 > cdv to start accepting dhcpdiscovers again is to power cycle it.

We did, but it still didn't seem to like the FW.  I think.  I dunno, 
it's hard to t-shoot that stuff over the phone with non-technical folks 
on the far end.  The M0n0wall also doesn't have much of a console.  You 
can fiddle a few things and ping, but it doesn't tell you the WAN IPA (I 
should enter a bug).  All of that is of course in the web GUI, but I 
wasn't about to talk the Comcast tech through that.

Thanks for the info!
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
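The dedicated-segment layout JP describes for the Vonage adapter (its own firewall segment, inbound NAT for only the ports it needs, no path into the LAN), as an added example that is not part of this thread: an nftables ruleset for a Linux firewall standing in for the M0n0wall, whose own rules live in its web GUI. Interface names, the adapter's address, and the SIP/RTP port numbers are assumptions; the adapter's real port needs come from its documentation.

```nft
# Added example, not from the thread: Linux nftables stand-in for the
# M0n0wall layout. Interface names, addresses and ports are assumptions.
define wan      = "eth0"
define lan      = "eth1"
define voip     = "eth2"               # dedicated segment, only the adapter lives here
define adapter  = 192.168.50.2         # adapter's DHCP-reserved address on that segment
define sip_port = 5060                 # assumed SIP signalling port
define rtp_ports = { 10000-20000 }     # assumed RTP media range; verify for your adapter

table inet voipfw {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Inbound VoIP from the outside is forwarded only to the adapter.
        iifname $wan udp dport $sip_port  dnat ip to $adapter
        iifname $wan udp dport $rtp_ports dnat ip to $adapter
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Adapter and LAN both leave through the firewall's WAN address.
        oifname $wan masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # VoIP segment may reach the Internet, never the LAN.
        iifname $voip oifname $wan accept
        iifname $voip oifname $lan drop
        # Only the forwarded VoIP ports may reach the adapter from outside.
        iifname $wan oifname $voip ip daddr $adapter udp dport $sip_port  accept
        iifname $wan oifname $voip ip daddr $adapter udp dport $rtp_ports accept
        iifname $lan oifname $wan accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname lo accept
        # The adapter needs only DHCP (and DNS) from the firewall itself;
        # management from the VoIP segment stays blocked by the drop policy.
        iifname $voip udp dport { 67, 53 } accept
        iifname $lan accept
    }
}
```

Load with `nft -f` after adjusting the defines; `nft list ruleset` shows what is active, and a vendor firmware reset on the adapter cannot change these rules because they live on the firewall, not the gadget.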
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug