Networking Troubleshooting for TEA5 Boxes
(Caution: This document was done as everything we do, hastily. It
contains great information as well as spelling and grammar errors.)
Jargon (terminology)
For a more in-depth understanding of many of these terms, go to en.wikipedia.org, a great free resource on the Internet.
- arp - stands for address resolution protocol and is used to let network devices know which device owns which IP address. It is also a command in UNIX to show the arp table or a specific arp entry.
- arp table - a list of IP addresses with their corresponding MAC addresses.
- binary - a numbering format using 2 base digits, 0 and 1. F in hex = 15 in decimal = 11111111 in binary.
- broadcast address - the highest possible address in a subnet range, used to reach all devices on a subnet at once.
- cat - similar to type in DOS, it displays the contents of a text file.
- chkconfig - a UNIX program that lets you set and show whether services are turned on at boot time.
- DHCP - stands for dynamic host configuration protocol. dhcpd is the daemon that provides computers on your network with their IP information.
- DNS - stands for domain name system. A DNS server takes a domain name like ednet.ns.ca and turns it into an IP address like 142.227.51.1.
- EDNET - ednet refers to all sites that have an IP address starting with 142.227. Almost every school and many other sites such as community colleges, local universities and CAP sites are on the ednet network.
- eth0 - usually pronounced "ether zero", is the first network card in the machine and should be connected directly to your Internet connection.
- eth1 - usually pronounced "ether one", is the second network card in the machine and should be connected to your internal network.
- firewall - in network terms, a firewall is a device that sits between two networks and defends one from the other. The TEA5 box is a firewall that defends the computers on your internal network from the rest of the computers on the Internet.
- gateway - in this case, refers to the IP address that a machine uses to reach the rest of the network. For a TEA5 box, the gateway is usually the IP address of the router; for the boxes inside your firewall, it is the IP address of eth1 on your TEA5 box.
- grep - a program that searches text files or the output of commands for certain keywords. This is a very useful program when troubleshooting.
- head - a program to show you the first few lines of a text file.
- hexadecimal or hex - a number format consisting of 16 digits, 0-9 and A-F. F in hex = 15 in decimal = 11111111 in binary.
- ICMP - Internet control message protocol, mainly used by ping and traceroute to determine whether a network host is reachable. It is unreliable as a test tool and is used in many exploits of proprietary systems to find hosts to infect.
- ifconfig - a command to display information about your network interfaces.
- IP address - the number on the network that a computer is known by, like a telephone number but with the format x.x.x.x where each x is a decimal number from 0 to 255. There are real-world IPs that are addressable on the Internet and private IPs (aka NATed, masqueraded or fake) that are usually only reachable within a private network.
- mac address - stands for media access control and is a unique number consisting of 8 hex digits from 00 to FF separated by colons.
- man - a program that gives you the manual page for a UNIX command. For example, man ls gives you the manual for the ls command. Pressing the letter q will quit the man program.
- masquerading - see nat.
- nat - stands for network address translation and is a method of converting an IP or range of IPs (usually private) to a different IP address (usually public).
- network mask or netmask - used to let network devices know how much IP address space is available in a subnet.
- ping - a program that uses the ICMP protocol to test a connection to another computer. It is unreliable and is disabled at the main EDNET firewall.
- port - any time you connect from one machine to another using IP, you connect on a port. There are 65535 available ports; some common ones are 80 - http (web), 22 - secure shell, 21 - ftp, 23 - telnet, etc. To see a lot more, look at the file /etc/services on your TEA5 box.
- ps - a program to show you the status of processes running on your TEA5 box.
- router - a network device that routes packets from one network to another. The TEA5 box can be considered a router but is more accurately described as a firewall. We usually refer to the DSL or frame relay connection provided by the phone company as the router.
- service - a UNIX program to start or stop a given service on the TEA5 box.
- subnet - a specified piece of the entire range of IP addresses.
- tail - a program to show you the last few lines of a text file; this is a very useful program in network troubleshooting.
- tcp - transmission control protocol, used on the Internet.
- udp - user datagram protocol, used on the Internet.
How EDNET works
The following is a simplified diagram of how the EDNET network is set up and how your site fits in.
The Internet cloud refers to all addressable network space outside of 142.227.0.0/16. Any traffic that goes from any EDNET site to the Internet or vice versa must travel through the main EDNET firewall. The main EDNET firewall is not sufficient to protect the computers at your site from the perils of the Internet. Every site should have a TEA5 box or other form of firewall to protect itself.
Correctly setting up your TEA5 box
In order to work correctly, the TEA5 box should be connected as follows:
Internet connection --> DSL or Frame Relay Router --> TEA5 eth0
TEA5 eth1 --> (Hub or Switch for internal network) --> internal computers
Do not plug both eth0 and eth1 on your TEA5 box and your Internet connection all into a single hub with all of your other computers. This can technically be made to work, but it circumvents most of the security that we are trying to achieve.
Some benefits of a TEA5 box over other firewalls
Sites on ednet are free to use whatever they desire to protect their network (or nothing at all, for those insane few who don't seem to feel that the Internet may be a dangerous place). So you may ask, what makes a TEA5 box better than some other firewall options?
First, here are the benefits of a TEA5 box.
- This box is based on open source, peer reviewed software. Some people argue that because open source software allows anyone to see the code, any hacker can find security flaws and thus it is less secure than proprietary software. In actual fact the opposite is true. The open source model means that every person can look at the code, and there are far more people looking at the code who want it to be secure than there are people trying to abuse it. Security holes are made public and fixed more rapidly in open source software than in proprietary software.
- The TEA5 box is designed by us, the people who are responsible for EDNET, to meet the exact needs of most EDNET sites.
- If you call with a problem, we will be able to diagnose it more quickly if a TEA5 box is present than if you implement your own solution.
- TEA5 boxes are continually updated with security patches and improvements.
- You or an EDNET tech can log into the box and run many applications to help diagnose problems.
- TEA5 boxes provide more functionality than most other options, and new services can be added whenever required.
Why not to use generic store-bought $50.00 routers from Staples
- These are difficult to keep up to date, as all software resides in firmware which the user must update manually if and when updates are made available. Exploits exist for many by the time they ship.
- You are limited in configuration to what is predefined by the makers.
- You can't log in to a shell prompt on the device to diagnose problems.
Why not to use software that runs on proprietary operating systems
- You have to patch them yourself if and when patches become available. Certain security holes in some operating systems made by a large company in Redmond have not been patched even though they have been known about for almost a year.
- There are dozens of software firewalls out there and it is impossible for us to know all the ins and outs of them all, so it is basically up to you to resolve your own networking issues.
- No other solution offers all of the advantages in one package as TEA5 does.
Let's get on to some troubleshooting already
Approximately one third of the calls received by EDNET support turn out to be network-related problems within the site itself. EDNET support is not technically responsible for any problems beyond the router. If you use a TEA5 firewall we will gladly help with any trouble with it, but we prefer that the onsite technician determine where the problem is first.
The best way to start is to list some examples of common network problems encountered with networks in general and with TEA5 boxes, and show you how to narrow the problem down.
1. Computers on my network are not getting an IP address.
If this is only happening to new machines you are putting on the network, make sure you have a large enough pool of IP addresses. The command 'grep range /etc/dhcpd.conf' will give you the range of IP addresses available. If for example you see the following output 'range 10.0.0.100 10.0.0.120' you only have 20 IP addresses available. If you have 30 machines on your network, you need to increase the available number of leases. You can call support to do this for you or try it yourself. The easiest editor to use on the TEA5 box is nano; typing 'nano /etc/dhcpd.conf' will allow you to change the ranges. Make sure you conform to the rules of IP.
Great tip: Understanding IP addresses
IPs are made up of 4 numbers from 0 to 255 separated by periods, e.g. 10.0.0.1. It is easier to understand IP addresses if you understand binary. These four decimal numbers are represented in binary by a string of 32 bits. 10.0.0.1 in binary is 00001010000000000000000000000001. This becomes most relevant when working with subnet masks. Subnet masks are represented in several ways; the most common are similar to an IP address, e.g. 255.255.255.0, or a slash at the end of the IP address, e.g. /24. In the latter case, the 24 represents the number of significant bits. When dealing with subnet masks, it is fairly straightforward when the number of bits is divisible by 8, like 8, 16, 24 or 32, but can be more complicated otherwise.
The lowest number in a subnet range is always reserved for the network and the highest is always reserved for broadcast; therefore, every time you divide a subnet, you lose 2 possible IPs. Here are some examples:
IP address     /Mask  Decimal Mask      Binary Mask                        Available IPs  Network        Broadcast
192.168.40.1   /32    255.255.255.255   11111111111111111111111111111111   1
192.168.40.1   /30    255.255.255.252   11111111111111111111111111111100   2              192.168.40.0   192.168.40.3
192.168.40.1   /29    255.255.255.248   11111111111111111111111111111000   6              192.168.40.0   192.168.40.7
192.168.40.1   /24    255.255.255.0     11111111111111111111111100000000   254            192.168.40.0   192.168.40.255
192.168.0.1    /16    255.255.0.0       11111111111111110000000000000000   65534          192.168.0.0    192.168.255.255
Any number of bits is possible from 0 to 32, depending on how large a network you need. The following is a list of private IP address ranges you can use inside your site:
10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
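The subnet arithmetic behind the table above, worked as a small shell script. This is an added example and is not part of the original TEA5 document: it computes the network, broadcast and available-IP columns for any address/prefix, including prefixes that are not a multiple of 8 such as the 172.16.0.0/12 private range, and checks whether an address falls inside one of the three private ranges listed above. The function names (mask_octet, cidr_info, in_subnet, is_private) are my own, and the /31 case (2 hosts, point-to-point) is taken from RFC 3021 rather than from the table.

```shell
#!/bin/bash
# Added example (not from the TEA5 document): subnet arithmetic done one
# octet at a time, so it also works on shells whose integers are only 32 bits.

# mask_octet PREFIX INDEX -> decimal value of mask octet INDEX (0..3) for /PREFIX
mask_octet() {
    local bits=$(( $1 - 8 * $2 ))
    [ "$bits" -lt 0 ] && bits=0
    [ "$bits" -gt 8 ] && bits=8
    echo $(( (255 << (8 - bits)) & 255 ))
}

# cidr_info A.B.C.D/P -> "network broadcast available_ips" (the table's last three columns)
cidr_info() {
    local ip=${1%/*} prefix=${1#*/}
    local net= bcast= i=0 o m hosts
    local IFS=.
    set -- $ip                                        # split into the four octets
    for o in "$@"; do
        m=$(mask_octet "$prefix" "$i")
        net="$net${net:+.}$(( o & m ))"               # keep only the network bits
        bcast="$bcast${bcast:+.}$(( o | (255 - m) ))" # set every host bit
        i=$(( i + 1 ))
    done
    if [ "$prefix" -eq 32 ]; then
        hosts=1                                       # a single host, as in the table
    elif [ "$prefix" -eq 31 ]; then
        hosts=2                                       # point-to-point link (RFC 3021)
    else
        hosts=$(( (1 << (32 - prefix)) - 2 ))         # minus network and broadcast
    fi
    echo "$net $bcast $hosts"
}

# in_subnet A.B.C.D A.B.C.D/P -> true if the address lies inside the subnet
in_subnet() {
    local want have
    want=$(cidr_info "$2")            # network of the subnet
    have=$(cidr_info "$1/${2#*/}")    # network of our address under the same prefix
    [ "${want%% *}" = "${have%% *}" ]
}

# is_private A.B.C.D -> true for the three private ranges listed in the document
is_private() {
    in_subnet "$1" 10.0.0.0/8 || in_subnet "$1" 172.16.0.0/12 || in_subnet "$1" 192.168.0.0/16
}

# Stand-alone demo: the table's rows plus one /12 example.
for cidr in 192.168.40.1/32 192.168.40.1/30 192.168.40.1/29 192.168.40.1/24 192.168.0.1/16 172.20.5.9/12; do
    printf '%-16s network %-16s broadcast %-16s available %s\n' "$cidr" $(cidr_info "$cidr")
done
```

When you change the range lines in /etc/dhcpd.conf, run the new start and end addresses through cidr_info with the prefix from 'ifconfig eth1' and confirm both land inside the same network and neither is the network or broadcast address.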
Is the problem with all computers or just some? If it is just one computer, it is either a bad network configuration in the OS, a bad NIC, a bad network cable or a bad port on your hub or switch. If it is just some computers, you likely have a bad hub or switch. If all computers are affected, check the hub or switch first; next, log into your TEA5 box and make sure the DHCP service is running. The command 'ps ax' will show you all processes; you will get a long list. To narrow down the list you can pipe the output through another program called grep to search for a specific word. For example 'ps ax | grep dhcp' will show you only processes with dhcp in the name. If it is running, you will see output similar to
'1067 ? S 0:04 /usr/sbin/dhcpd eth1'
The first number, 1067, is the pid and may be a different number than shown here. The second field shows which terminal the process is running on; in this case dhcpd was started by the system and thus is not running on a terminal. Next is the state of the process; dhcpd will almost always show an S for sleeping, because when it does actually run it only takes a fraction of a second to complete its job. To see the description of the other states it may be in, type 'man ps'. (Hint: when in man, typing the letter q will get you out.) The next field is the CPU time used by the process, and finally the command line that was used to start the process.
If dhcpd is not running, you can try to start it with this command: 'service dhcpd start'. Use ps again to see if it started OK; if so, check a machine to see if it gets an IP address. If it does, you are almost good to go. You should still try to find out why it didn't start. The command 'chkconfig --list dhcpd' will show you what run levels dhcpd will start in by default. All TEA5 boxes run in run level 3, so you should see output similar to this:
dhcpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
Don't worry about any run levels other than 3. If 3 says off, the following command will turn it on so it should start at reboot: 'chkconfig --level 3 dhcpd on'.
If dhcpd does not start, a good place to start searching for answers is the messages file. The output and error messages from many services are written to the messages file located in the directory /var/log. Often typing 'tail /var/log/messages' immediately after typing a command will show you any messages or errors produced. A great way to use tail is with the -f option. This will continue showing you any lines added to the messages file until you stop it by pressing Ctrl-C.
At this point you have either fixed the problem yourself or can at least give more detailed information to tech support when you call.
Great tip: you can combine commands in UNIX by putting && between them. A great place to do this is when you start a process that may produce some errors. Instead of trying to type 'tail -f /var/log/messages' real fast afterwards, put it all on one line like so:
service dhcpd start && tail -f /var/log/messages
(&& runs the second command only if the first one succeeds, so tail will not start if the service command itself fails.)
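The dhcpd checks from this section, written as shell functions so the three signals (is dhcpd in the process list, what state is it in, is it enabled at run level 3) can be read from command output and combined into one verdict. This is an added example, not part of the TEA5 document: the ps and chkconfig output below is constructed to look like the output quoted above, the function names are my own, and the live branch at the bottom assumes the box has chkconfig and ps as described in the jargon section.

```shell
#!/bin/bash
# Added example (not from the TEA5 document): the dhcpd checks as functions
# that read command output passed in as text, so they can be tried on the
# constructed samples below and then pointed at the live 'ps ax' and
# 'chkconfig --list dhcpd' output on a real box.

# Constructed sample output, shaped like what the document quotes.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
 1067 ?        S      0:04 /usr/sbin/dhcpd eth1
 2210 pts/0    R+     0:00 ps ax'
SAMPLE_PS_DOWN='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
 2210 pts/0    R+     0:00 ps ax'
SAMPLE_CHK='dhcpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off'

# dhcpd_line PS_OUTPUT -> the ps line for /usr/sbin/dhcpd, or nothing.
# The [/] in the pattern is the classic trick for interactive use: when you
# type 'ps ax | grep dhcp', the grep process itself is in the list because its
# own command line contains "dhcp"; a pattern written as '[/]usr/sbin/dhcpd'
# does not match the literal text "[/]usr/sbin/dhcpd" on grep's command line.
dhcpd_line() {
    printf '%s\n' "$1" | grep '[/]usr/sbin/dhcpd' | head -n 1
}

# dhcpd_pid PS_OUTPUT -> first field (pid) of that line
dhcpd_pid()   { dhcpd_line "$1" | awk '{ print $1 }'; }
# dhcpd_state PS_OUTPUT -> third field (STAT: S sleeping, R running, Z zombie, ...)
dhcpd_state() { dhcpd_line "$1" | awk '{ print $3 }'; }

# enabled_at_level CHKCONFIG_LINE LEVEL -> true if the line contains "LEVEL:on"
enabled_at_level() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2:on"
}

# dhcpd_report PS_OUTPUT CHKCONFIG_LINE -> one-line diagnosis plus the next step
dhcpd_report() {
    local pid state
    pid=$(dhcpd_pid "$1")
    if [ -n "$pid" ]; then
        state=$(dhcpd_state "$1")
        echo "dhcpd running (pid $pid, state $state)"
    elif enabled_at_level "$2" 3; then
        echo "dhcpd not running but enabled at run level 3; try: service dhcpd start && tail -f /var/log/messages"
    else
        echo "dhcpd not running and off at run level 3; run: chkconfig --level 3 dhcpd on, then service dhcpd start"
    fi
}

# Stand-alone: check the live box when its tools exist, otherwise show the samples.
if command -v chkconfig >/dev/null 2>&1; then
    dhcpd_report "$(ps ax)" "$(chkconfig --list dhcpd 2>/dev/null)"
else
    dhcpd_report "$SAMPLE_PS" "$SAMPLE_CHK"
    dhcpd_report "$SAMPLE_PS_DOWN" "$SAMPLE_CHK"
fi
```

A state other than S or R in the report (for example Z for zombie, or D for stuck in I/O) is worth mentioning when you call, since it points at something other than a plain failure to start.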
2. I am getting intermittent connection to the Internet.
This can be caused by several things. A bad NIC, cable or hub is the most common. The second most common reason is that someone put a device on the network that already uses the IP address. If you are using DHCP to deliver IP addresses, make sure you don't manually set a device to an IP address in the DHCP range. You can determine the range used by DHCP on your TEA5 box with this command: 'grep range /etc/dhcpd.conf'. You should see output similar to this:
range 10.0.0.100 10.0.4.255
The exact numbers will be different of course. A good way to determine if this is your problem is to simply unplug the network cable from the computer having the problem, go to another machine and ping the disconnected computer's IP address. If you get a response, you will have to track down the offending machine. The DHCP service running on the TEA5 box will not give out the same IP address to two different machines.
3. I put a computer outside the firewall but people outside can't seem to connect to it.
This is usually one of five things.
1. You don't have the computer's IP/gateway/netmask etc. set right.
Solution: fix the networking. If you are not sure what some of the parameters should be, you can find them on your TEA5 box. Type 'ifconfig eth0' to get the broadcast and netmask; from this you can determine valid IP addresses for your subnet, and 'route -ne | grep UG' will show you the address of your gateway. If you need to know the DNS server IP address, type 'cat /etc/resolv.conf'.
2. You have a bad NIC/cable/hub.
Solution: replace the bad piece.
3. You are arping for the same IP address on the TEA5 box.
Solution: Let's assume you want to use the IP address 142.227.1.1. On your TEA5 box, type 'arp -an | grep 142.227.1.1 | grep eth0'. If you see a line like this '? (142.227.1.1) at * PERM PUP on eth0' then your TEA5 box is arping for that IP address. What this means is your TEA5 box is specifically saying that it has that IP address, so your router speaks directly to it and not to your new box. Edit the arp table on the TEA5 box with 'nano /etc/init.d/arp'; in the stop section and the start section, put a hash # in front of all lines referring to that IP address. There should be two lines in each section. Now run 'service arp stop' and 'service arp start'. After doing this you should also look at step 4.
4. You replaced the computer or a NIC in the computer with a different one with the same IP address.
Solution: Your router's arp table still contains the mac address of the old card or computer. Resetting the router should clear the arp table.
5. You are not outside the TEA5 box.
Solution: Assuming your IP address is 142.227.1.1, on the TEA5 box type 'arp -an | grep 142.227.1.1'. If you see a line like '? (142.227.1.1) at 00:A0:D1:D2:42:8E [ether] on eth1', making sure that it says eth1 on the end, then your box is plugged in on the inside of your firewall, or you have both NICs in your firewall plugged into the same hub, in which case you should see the section on correctly setting up your TEA5 box.
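The arp checks from solutions 3 and 5 above, as shell functions over 'arp -an' output, plus the "put a hash in front of every line referring to that IP address" edit done with awk. Both compare the address as a whole field, because a plain 'grep 142.227.1.1' also matches 142.227.1.10 through 142.227.1.19 and can send you editing the wrong lines. This is an added example, not part of the TEA5 document: the arp output and the start/stop fragment below are constructed samples (the real /etc/init.d/arp on a TEA5 box may look different, and the second MAC address is a made-up placeholder), and the function names arp_where and comment_out_ip are my own.

```shell
#!/bin/bash
# Added example (not from the TEA5 document): read 'arp -an' output to tell
# whether the TEA5 box is proxy-arping for an address on eth0 (solution 3) or
# sees that host on the inside, eth1 (solution 5), and comment out the lines
# that mention an address in a script (the /etc/init.d/arp edit).

# Constructed 'arp -an' output, shaped like the lines quoted above
# (the 00:11:22:33:44:55 address is a placeholder, not a real device).
SAMPLE_ARP='? (142.227.1.1) at * PERM PUP on eth0
? (142.227.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.57) at 00:A0:D1:D2:42:8E [ether] on eth1'

# Constructed stand-in for the start and stop sections of /etc/init.d/arp.
SAMPLE_INIT='start)
    arp -i eth0 -Ds 142.227.1.1 eth0 pub
    arp -i eth0 -Ds 142.227.1.10 eth0 pub
    ;;
stop)
    arp -i eth0 -d 142.227.1.1 pub
    arp -i eth0 -d 142.227.1.10 pub
    ;;'

# arp_where ARP_OUTPUT IP -> "proxy-arp eth0" | "inside eth1" | "outside eth0" | "none"
# The parenthesised second field is compared exactly, so 142.227.1.1 never
# matches 142.227.1.10.
arp_where() {
    printf '%s\n' "$1" | awk -v ip="($2)" '
        $2 != ip { next }
        /PERM PUP on eth0/ { print "proxy-arp eth0"; found = 1; exit }
        / on eth1$/        { print "inside eth1";    found = 1; exit }
        / on eth0$/        { print "outside eth0";   found = 1; exit }
        END { if (!found) print "none" }'
}

# comment_out_ip FILE IP -> put '#' in front of every not-yet-commented line
# of FILE that contains IP as a whole word; leaves every other line alone.
comment_out_ip() {
    local file=$1 ip=$2 tmp
    tmp=$(mktemp) || return 1
    awk -v ip="$ip" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == ip) hit = 1 }
        hit && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode (init scripts are executable)
    rm -f "$tmp"
}

# Stand-alone demo on the constructed data; on a TEA5 box pass "$(arp -an)"
# instead of "$SAMPLE_ARP".
for ip in 142.227.1.1 142.227.1.10 10.0.0.57; do
    printf '%-14s %s\n' "$ip" "$(arp_where "$SAMPLE_ARP" "$ip")"
done
```

After running comment_out_ip on the real init script, read the result with 'cat' before 'service arp stop' and 'service arp start': the document says two lines per section should change, so if the count differs, the script does not look the way this example assumes.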
4. I can't ping some.crazy.site.on.the.Internet.com.
We only allow the ICMP protocol within EDNET. You may or may not be able to ping most sites within EDNET, but unless you use a version of ping that does not use the ICMP protocol, such as TCPing or HPing, you won't be able to ping the Internet. Ping is only a semi-reliable tool for use in network diagnostics. For example, if you are trying to connect to a web server that is behind a firewall, the firewall may permit port 80 traffic but not ICMP traffic, so a ping would fail but using a web browser or telnet to connect would succeed. Calling tech support thinking something is not working because you can't ping it usually tells us that you didn't try very hard to diagnose the problem on your own. You should at least try to connect to the box on a known open port using telnet or other appropriate software.
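A TCP reachability check to use instead of ping, as the paragraph above recommends. This is an added example, not part of the TEA5 document: it opens a TCP connection to the service's port with bash's built-in /dev/tcp device (no telnet needed) and reports whether the service answers, so a blocked ping can be told apart from a service that is actually down. The function names tcp_open and check_service are my own, and the stand-alone call at the bottom uses port 1 on 127.0.0.1 only as a port that is known to be closed.

```shell
#!/bin/bash
# Added example (not from the TEA5 document): test a service by opening a
# TCP connection to its port, which is what the firewall in front of it
# actually permits, rather than by pinging it with ICMP.

# tcp_open HOST PORT [SECONDS] -> true if HOST accepts a TCP connection on PORT.
# bash's /dev/tcp/HOST/PORT pseudo-device performs the connect; 'timeout'
# (when installed) bounds the wait so a filtered port does not hang the check.
tcp_open() {
    local host=$1 port=$2 secs=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
    else
        bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
    fi
}

# check_service HOST PORT NAME -> one-line verdict to report when you call
check_service() {
    if tcp_open "$1" "$2"; then
        echo "$1:$2 ($3) accepts TCP connections; the service is reachable even if ping is blocked"
    else
        echo "$1:$2 ($3) refused or filtered; check the service and the firewall rule for that port, not ping"
    fi
}

# Stand-alone use: ./tcpcheck.sh, then adapt the call, e.g. check_service mail.example 25 smtp
check_service 127.0.0.1 1 closed-port
```

"Refused" (an immediate failure) and "filtered" (the timeout expiring) are worth distinguishing when you report the result: the first means the host answered and nothing is listening, the second usually means a firewall dropped the connection.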
5. My hub/switch/printer/computer/telephone/chair/pen/ipod/whoosit isn't working.
We only look after your ednet connection and your TEA5 box if you have one. Any other problem inside of your network is outside of our jurisdiction. Tech support is very short staffed and we look after the entire province. It would be nice if we could, but we just don't have the time to help out with every network problem you may have. Only technical people should be calling EDNET tech support. Other people should contact their local or board technicians.
6. Everything was working fine until all of a sudden everything stopped working.
Usually when we get calls like this, someone has recently plugged another network device into the internal network that is trying to do the same jobs as the TEA5 box does. For example, if you buy a wireless access point and plug it into your network, first make sure to disable DHCP and anything else that may interfere with the TEA5 box.
OK I'm convinced
So you have decided now that you want to be the best darn network diagnosing guy or gal you can be. What, you may ask yourself, should I do? Use the Internet. If you go to google.ca and enter the exact question you have, you may find hundreds of other people who asked the same question and, more importantly, hundreds more who answered it.
If you want to learn more about Linux, check the Internet. There are thousands of sites for beginners to help get you started. Look for words like Linux newbie howto beginner and you will find about 4000 web pages to help you learn.
Some tools you should learn to use to really shine as a network tech are the following:
tcpdump - this lets you watch or log various packets as they travel through your TEA5 box. You can see where they came from, where they're going, what port they are on and a whole lot more.
telnet - telnet is a terrible thing to use to connect to port 23, but great for testing connections to any other port. Not sure if an SMTP mail server is working? Connect to port 25 with telnet.
iptables - This is the lifeblood of the firewall. It is what lets all the packets do what they do, and understanding it will help you figure out what is going wrong.
| - this is the pipe symbol. It is usually on the key above Enter and it lets you stream the output of one command into the input of another. Along with other commands like tail and grep it is invaluable for narrowing down problems.
Also check out those listed in the jargon section at the top.
In conclusion (Steve's rant)
Being a network technician means different things to different people. Some of you may have gone to university or technical college or a six-month IT course, or had no training at all. In the end it makes no difference to us. What does matter is that you try your best to resolve or diagnose problems on your own.
When it comes to technology, training is only a small part. Passing an IT course requires a good memory, while fixing network problems requires good understanding and problem-solving skills. TEA5 boxes are based on a UNIX-like operating system and most schools teach primarily Windows and Novell, so don't be surprised if the environment is unfamiliar to you.
TEA5 boxes are fairly bulletproof and any time we find a flaw we fix it and propagate the changes to all existing boxes. Most of the problems we receive not relating to telephone company equipment are due to either internal network problems or changes users have made to the TEA5 box. Please keep a log on or near your TEA5 box and note any changes that you make.
If you have recently made a change to your TEA5 box, even if it does not seem related, let us know when you call. It may help speed up resolution of your problem.