Networking Troubleshooting for TEA5 Boxes

(Caution: This document was done as everything we do, hastily. It contains great information as well as spelling and grammar errors.)

Jargon (terminology)

For a more in-depth understanding of many of these terms, go to en.wikipedia.org, a great free resource on the Internet.


How EDNET works


The following is a simplified diagram of how the EDNET network is set up and how your site fits in.

[Figure: EDNET diagram]
    The Internet cloud refers basically to all addressable network space outside of 142.227.0.0/16. Any traffic that goes from any EDNET site to the Internet or vice versa must travel through the main EDNET firewall. The main EDNET firewall is not sufficient to protect the computers at your site from the perils of the Internet. Every site should have a TEA5 box or other form of firewall to protect itself.

Correctly setting up your TEA5 box


In order to work correctly the TEA5 box should be connected as follows:

Internet connection --> DSL or Frame Relay Router --> TEA5 eth0
TEA5 eth1 --> (Hub or Switch for internal Network) --> internal computers

    Do not plug both eth0 and eth1 on your TEA5 box and your Internet connection all into a single hub with all of your other computers. This can technically be made to work but circumvents most of the security that we are trying to achieve.

Some benefits of a TEA5 box over other firewalls


    Sites on EDNET are free to use whatever they desire to protect their network (or nothing at all, for those insane few who don't seem to feel that the Internet may be a dangerous place). So you may ask, what makes a TEA5 box better than some other firewall options?

First, here are the benefits of a TEA5 box.

Why not to use generic store bought $50.00 routers from Staples.
Why not to use software that runs on proprietary operating systems.
Let's get on to some troubleshooting already


    Approximately one third of the calls received by EDNET support turn out to be network related problems within the site itself. EDNET support is not technically responsible for any problems beyond the router. If you use a TEA5 firewall we will gladly help with any trouble with it but we prefer that the onsite technician determine where the problem is first.

    The best way to start is to list some examples of common network problems encountered with networks in general and with TEA5 boxes, and show you how to narrow the problem down.

1. Computers on my network are not getting an IP address.

    If this is only happening to new machines you are putting on the network, make sure you have a large enough pool of IP addresses. The command 'grep range /etc/dhcpd.conf' will give you the range of IP addresses available. If, for example, you see the output 'range 10.0.0.100 10.0.0.120', you only have 20 IP addresses available. If you have 30 machines on your network, you need to increase the available number of leases. You can call support to do this for you or try it yourself. The easiest editor to use on the TEA5 box is nano; typing 'nano /etc/dhcpd.conf' will allow you to change the ranges. Make sure you conform to the rules of IP.

Great tip: Understanding IP addresses

IPs are made up of 4 numbers from 0 to 255 separated by periods, e.g. 10.0.0.1. It is easier to understand IP addresses if you understand binary. These four decimal numbers are represented in binary by a string of 32 binary bits. 10.0.0.1 in binary is 00001010000000000000000000000001. This becomes most relevant when working with subnet masks. Subnet masks are represented in several ways; the most common are a form similar to an IP address, e.g. 255.255.255.0, or a slash at the end of the IP address, e.g. /24. In the latter case, the 24 represents the number of significant bits. Subnet masks are fairly straightforward when the number of bits is divisible by 8, like 8, 16, 24 or 32, but can be more complicated otherwise. The lowest number in a subnet range is always reserved for the network and the highest is always reserved for broadcast; therefore, every time you divide a subnet, you lose 2 possible IPs. Here are some examples:
IP address    /Mask  Decimal Mask     Binary Mask                       Available IPs  Network       Broadcast
192.168.40.1  /32    255.255.255.255  11111111111111111111111111111111  1
192.168.40.1  /30    255.255.255.252  11111111111111111111111111111100  2              192.168.40.0  192.168.40.3
192.168.40.1  /29    255.255.255.248  11111111111111111111111111111000  6              192.168.40.0  192.168.40.7
192.168.40.1  /24    255.255.255.0    11111111111111111111111100000000  254            192.168.40.0  192.168.40.255
192.168.0.1   /16    255.255.0.0      11111111111111110000000000000000  65534          192.168.0.0   192.168.255.255

Any number of bits is possible from 0 to 32, depending on how large a network you need. The following is a list of private IP address ranges you can use inside your site:

10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
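
The arithmetic behind the subnet table, written as a POSIX shell script. This is an added example, not part of the original TEA5 documentation; the function names ip2int, int2ip and subnet_info are made up for illustration. It goes beyond the table by handling masks that do not fall on an 8-bit boundary and by treating /31 as a two-address point-to-point link (RFC 3021).

```shell
#!/bin/sh
# Added example, not from the original page: subnet arithmetic for IP/prefix.

# Dotted quad -> 32-bit integer. Octets with a leading zero are rejected
# because shell arithmetic would read them as octal.
ip2int() (
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_info IP/BITS -> "decimal-mask network broadcast available-IPs"
subnet_info() (
    bits=${1#*/}
    case $bits in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    addr=$(ip2int "${1%/*}") || exit 1
    host=$(( (1 << (32 - bits)) - 1 ))   # all host bits set
    mask=$(( 0xFFFFFFFF ^ host ))
    net=$(( addr & mask ))               # lowest address: the network
    bcast=$(( net | host ))              # highest address: the broadcast
    case $bits in
        32) echo "$(int2ip "$mask") - - 1" ;;   # single host, as in the table
        31) echo "$(int2ip "$mask") - - 2" ;;   # point-to-point link, RFC 3021
        *)  echo "$(int2ip "$mask") $(int2ip "$net") $(int2ip "$bcast") $(( host - 1 ))" ;;
    esac
)

# The rows of the table plus one mask that is not on an 8-bit boundary.
for cidr in 192.168.40.1/32 192.168.40.1/30 192.168.40.1/29 \
            192.168.40.1/24 192.168.0.1/16 10.0.3.77/22; do
    echo "$cidr: $(subnet_info "$cidr")"
done
```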


    Is the problem with all computers or just some? If it is just one computer, it is either a bad network configuration in the OS, a bad NIC, a bad network cable or a bad port on your hub or switch. If it is just some computers, you likely have a bad hub or switch. If all computers are affected, check the hub or switch first. Next, log into your TEA5 box and make sure the DHCP service is running. The command 'ps ax' will show you all processes; you will get a long list. To narrow down the list you can pipe the output through another program called grep to search for a specific word. For example, 'ps ax | grep dhcp' will show you only processes with dhcp in the name. If it is running, you will see output similar to '1067 ?        S      0:04 /usr/sbin/dhcpd eth1'

    The first number, 1067, is the PID and may be a different number than shown here. The second field shows which terminal the process is running on. In this case dhcpd was started by the system and thus is not running on a terminal. Next is the state of the process; dhcpd will almost always show an S for sleeping because when it does actually run it only takes a fraction of a second to complete its job. To see the description of the other states it may be in, type 'man ps'. (Hint: when in man, typing the letter q will get you out.) The next field is the CPU time used by the process, and finally comes the command line that was used to start the process.

    If dhcpd is not running, you can try to start it with the command 'service dhcpd start'. Use ps again to see if it started OK; if so, check a machine to see if it gets an IP address. If it does, you are almost good to go, but you should still try to find out why it didn't start. The command 'chkconfig --list dhcpd' will show you which run levels dhcpd will start in by default. All TEA5 boxes run in run level 3, so you should see output similar to this.

dhcpd           0:off   1:off   2:off   3:on   4:off   5:off   6:off

    Don't worry about any run levels other than 3. If 3 says off, the following command will turn it on so that it starts at reboot: 'chkconfig --level 3 dhcpd on'.

    If dhcpd does not start, a good place to start searching for answers is the messages file. The output and error messages from many services are written to the messages file, located in the directory /var/log. Often typing 'tail /var/log/messages' immediately after typing a command will show you any messages or errors produced. A great way to use tail is with the -f option. This will continue showing you any lines added to the messages file until you stop it by pressing <ctrl>C.

    At this point you have either fixed the problem yourself or can at least give more detailed information to tech support when you call.

 

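Great tip: you can combine commands in UNIX by putting && between them. A great place to do this is when you start a process that may produce some errors. Instead of trying to type 'tail -f /var/log/messages' real fast afterwards, put it all on one line as shown below. Note that && runs the second command only when the first one succeeds; separate the two commands with a semicolon instead if you want the log shown even when the start fails.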

service dhcpd start && tail -f /var/log/messages




2. I am getting intermittent connection to the Internet.

This can be caused by several things. A bad NIC, cable or hub is the most common. The second most common reason is that someone put a device on the network that uses an IP address already in use. If you are using DHCP to deliver IP addresses, make sure you don't manually set a device to an IP address in the DHCP range. You can determine the range used by DHCP on your TEA5 box with the command 'grep range /etc/dhcpd.conf'. You should see output similar to this:

range 10.0.0.100 10.0.4.255

The exact numbers will be different, of course. A good way to determine if this is your problem is to simply unplug the network cable from the computer having the problem, go to another machine and ping the disconnected computer's IP address. If you get a response, you will have to track down the offending machine. The DHCP service running on the TEA5 box will not give out the same IP address to two different machines.
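
A way to check both points raised about the DHCP pool (is it large enough, from problem 1, and does a manually configured address sit inside it, from problem 2). This is an added example, not part of the original TEA5 documentation; the function name pool_check and the sample configuration around the range line are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: size the DHCP pool and flag
# manually configured addresses that fall inside it.

# Constructed sample; on a TEA5 box you would pass "$(cat /etc/dhcpd.conf)".
SAMPLE_CONF='subnet 10.0.0.0 netmask 255.255.248.0 {
    option routers 10.0.0.1;
    range 10.0.0.100 10.0.4.255;   # same range as the sample output above
}'

# pool_check CONF_TEXT [STATIC_IP...]
# Prints "pool <count>", then one "<ip> conflict|ok" line per static IP.
pool_check() {
    conf=$1; shift
    printf '%s\n' "$conf" | awk -v ips="$*" '
        # Dotted quad -> number, so addresses can be compared numerically.
        function num(a,  p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        { sub(/#.*/, ""); gsub(/;/, " ") }          # drop comments and ";"
        $1 == "range" {
            i = ($2 == "dynamic-bootp") ? 3 : 2       # optional keyword
            lo[++n] = num($i)
            hi[n] = (i < NF) ? num($(i + 1)) : lo[n]  # one-address range
            size += hi[n] - lo[n] + 1                 # both ends are leased
        }
        END {
            print "pool", size + 0
            m = split(ips, ip, " ")
            for (k = 1; k <= m; k++) {
                verdict = "ok"
                for (r = 1; r <= n; r++)
                    if (num(ip[k]) >= lo[r] && num(ip[k]) <= hi[r])
                        verdict = "conflict"
                print ip[k], verdict
            }
        }'
}

pool_check "$SAMPLE_CONF" 10.0.0.50 10.0.2.17
```

Compare the pool figure with the number of machines that need a lease, and move any address reported as a conflict outside the range before assigning it by hand.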

3. I put a computer outside the firewall but people outside can't seem to connect to it.

This is usually one of five things.

1. You don't have the computer's IP/gateway/netmask etc. set right.

Solution : Fix the networking. If you are not sure what some of the parameters should be, you can find them on your TEA5 box. Type 'ifconfig eth0' to get the broadcast and netmask; from this you can determine valid IP addresses for your subnet. 'route -ne | grep UG' will show you the address of your gateway. If you need to know the DNS server IP address, type 'cat /etc/resolv.conf'.

2. You have a bad NIC/cable/hub.

Solution : replace bad piece

3. You are arping for the same IP address on the TEA5 box.

Solution : Let's assume you want to use the IP address 142.227.1.1. On your TEA5 box, type 'arp -an | grep 142.227.1.1 | grep eth0'. If you see a line like this '? (142.227.1.1) at * PERM PUP on eth0' then your TEA5 box is arping for that IP address. What this means is that your TEA5 box is specifically saying that it has that IP address, so your router speaks directly to it and not to your new box. Edit the arp table on the TEA5 box with 'nano /etc/init.d/arp'. In the stop section and the start section, put a hash # in front of all lines referring to that IP address. There should be two lines in each section. Now run 'service arp stop' and 'service arp start'. After doing this you should also look at step 4.

4. You replaced the computer or a NIC in the computer with a different one with the same IP address.

Solution : Your router's arp table still contains the MAC address of the old card or computer. Resetting the router should clear the arp table.

5. You are not outside the TEA5 box.

Solution : Assuming your IP address is 142.227.1.1, on the TEA5 box, type 'arp -an | grep 142.227.1.1'. If you see a line like '? (142.227.1.1) at 00:A0:D1:D2:42:8E [ether] on eth1', and it says eth1 on the end, then either your box is plugged in on the inside of your firewall or you have both NICs in your firewall plugged into the same hub, in which case you should see the section on correctly setting up your TEA5 box.
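
The two arp checks from causes 3 and 5, combined into one script that reads 'arp -an' output. This is an added example, not part of the original TEA5 documentation; the function name arp_where and the verdict wording are made up for illustration, and it assumes eth0 faces the router and eth1 the internal network, as in the wiring shown earlier.

```shell
#!/bin/sh
# Added example, not from the original page: interpret `arp -an` output for
# one address, following causes 3 and 5 above.

# Constructed sample in the two line formats quoted above; the second and
# third entries are made up for illustration.
SAMPLE_ARP='? (142.227.1.1) at * PERM PUP on eth0
? (142.227.1.10) at 00:A0:D1:D2:42:8E [ether] on eth1
? (142.227.1.2) at 00:A0:D1:D2:42:8F [ether] on eth0'

# arp_where ARP_TEXT IP -> one verdict line per entry for exactly that IP.
# Comparing the whole "(IP)" field avoids the substring matches a plain
# grep for 142.227.1.1 would also return (142.227.1.10, 142.227.1.100, ...).
arp_where() {
    printf '%s\n' "$1" | awk -v want="($2)" '
        $2 != want { next }
        { found = 1; iface = $NF }
        / PUP / {
            print "cause 3: TEA5 answers ARP for this IP on " iface
            next
        }
        $4 == "<incomplete>" { print "no ARP reply on " iface; next }
        iface == "eth1" {
            print "cause 5: " $4 " is on the inside (eth1)"
            next
        }
        { print "ok: " $4 " is on the outside (" iface ")" }
        END { if (!found) print "not in ARP table" }'
}

arp_where "$SAMPLE_ARP" 142.227.1.1
arp_where "$SAMPLE_ARP" 142.227.1.10
```

On a TEA5 box the first argument would be "$(arp -an)".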


4. I can't ping some.crazy.site.on.the.Internet.com .

    We only allow the ICMP protocol within EDNET. You may or may not be able to ping most sites within EDNET, but unless you use a version of ping that does not use the ICMP protocol, such as TCPing or HPing, you won't be able to ping the Internet. Ping is only a semi-reliable tool for use in network diagnostics. For example, if you are trying to connect to a web server that is behind a firewall, the firewall may permit port 80 traffic but not ICMP traffic, so a ping would fail but using a web browser or telnet to connect would succeed. Calling tech support thinking something is not working because you can't ping it usually tells us that you didn't try very hard to diagnose the problem on your own. You should at least try to connect to the box on a known open port using telnet or other appropriate software.

5. My hub/switch/printer/computer/telephone/chair/pen/ipod/whoosit isn't working.

    We only look after your EDNET connection and your TEA5 box if you have one. Any other problem inside of your network is outside of our jurisdiction. Tech support is very short staffed and we look after the entire province. It would be nice if we did, but we just don't have the time to help out with every network problem you may have. Only technical people should be calling EDNET tech support. Other people should contact their local or board technicians.

6. Everything was working fine until all of a sudden everything stopped working.

    Usually when we get calls like this, someone has recently plugged another network device into the internal network that is trying to do the same jobs as the TEA5 box does. For example, if you buy a wireless access point and plug it into your network, first make sure to disable DHCP and anything else that may interfere with the TEA5 box.


OK I'm convinced


    So you have decided now that you want to be the best darn network diagnosing guy or gal you can be. What, you may ask yourself, should I do? Use the Internet. If you go to google.ca and enter the exact question you have, you may find hundreds of other people who asked the same question and, more importantly, hundreds more who answered it.

    If you want to learn more about Linux, check the Internet. There are thousands of sites for beginners to help get you started. Look for words like Linux newbie howto beginner and you will find about 4000 web pages to help you learn.

Some tools you should learn to use to really shine as a network tech are the following :

tcpdump - this lets you watch or log various packets as they travel through your TEA5 box. You can see where they came from, where they're going, what port they are on and a whole lot more.

telnet - telnet is a terrible thing to use to connect to port 23 but great for testing connections to any other port. Not sure if an SMTP mail server is working? Connect to port 25 with telnet.

iptables - This is the lifeblood of the firewall. It is what lets all the packets do what they do and understanding it will help you figure out what is going wrong.

| - this is the pipe symbol. It is usually on the key above the enter and it lets you stream the output of one command into the input of another. Along with other commands like tail and grep it is invaluable for narrowing down problems.

Also check out those listed in the jargon section at the top.

In conclusion (Steve's rant)


    Being a network technician means different things to different people. Some of you may have gone to university or technical college or a six month IT course or had no training at all. In the end it makes no difference to us. What does matter is that you try your best to resolve or diagnose problems on your own.

    When it comes to technology, training is only a small part. Passing an IT course requires a good memory while fixing network problems requires good understanding and problem solving skills. TEA5 boxes are based on a UNIX-like operating system and most schools teach primarily Windows and Novell so don't be surprised if the environment is unfamiliar to you.

    TEA5 boxes are fairly bullet proof and any time we find a flaw we fix it and propagate the changes to all existing boxes. Most of the problems we receive not relating to telephone company equipment are due to either internal network problems or changes users have made to the TEA5 box. Please keep a log on or near your TEA5 box and note any changes that you make.

    If you have recently made a change to your TEA5 box, even if it does not seem related, let us know when you call. It may help speed up resolution of your problem.

