Re: Verizon EV-DO and local addresses



On Fri, 2008-10-24 at 13:26 -0500, Jason Martens wrote:
> Hey all,
>    I just learned some interesting information about Verizon's EV-DO
> policies.  I have a Verizon card, and I could connect just fine, but
> every time it would disconnect after less than a minute with the
> following message:
>
> Oct 24 12:46:37 tank pppd[17248]: Script /etc/ppp/ip-up started (pid 17292)
>
> Oct 24 12:46:45 tank pppd[17248]: Script /etc/ppp/ip-up finished (pid 17292), status = 0x0
>
> Oct 24 12:47:14 tank pppd[17248]: rcvd [LCP TermReq id=0xb]
>
> Oct 24 12:47:14 tank pppd[17248]: LCP terminated by peer
>
> Oct 24 12:47:14 tank pppd[17248]: Connect time 0.7 minutes.
>
> I tried adding the lcp-echo-failure and -interval options, but this made
> no difference for me.  Since I work for a company using lots of Verizon
> cards, I placed a call to enterprise support, and they informed me that
> if they detect *any* private address traffic over the EV-DO connection,
> they terminate it.  Sure enough, after disabling all of my local
> interfaces, the connection has been up for > 30 minutes now.
>
> However, I really wanted to use the EV-DO for internet access, but eth0
> for lan access.  I added this rule which I think sends all 10.*
> addresses out the local interface instead of ppp0, but I'm not an expert
> in iptables by any stretch so use at your own risk:
>
> iptables -I OUTPUT -o eth0 -s 10.0.0.0/8

I stumbled across this post and it finally clued me in to a problem
I've been having. I have an EVDO card plugged into my Linux box which
NATs out to my laptop. Occasionally a TCP connection would time out
and be dropped, but then my laptop would send out a FIN/ACK packet
regardless. The NAT machine would get confused and just pass it out to
the network with the laptop IP as the source IP. Verizon would
immediately kick me off.

The solution I came up with was to replace:
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

With:
iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j drop-and-log-it

This way extraneous outgoing packets fall through to the DROP rule
rather than get sent out un-NATted. My connection seems much more
stable now.

Anyways thanks to the original poster; hope my rambling story is
likewise helpful to someone.
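
Added example, not part of the original message: a small Python check for the failure both posts describe, packets heading out ppp0 with a private source address. It assumes the drop-and-log-it chain uses the kernel LOG target with its default KEY=value line format; the sample log lines, the hostname gw and all addresses are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: source addresses that should never leave the WAN link un-NATted.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs written by LOG
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines (hostname, addresses and ports are made up).
SAMPLE_LOG = """\
Oct 24 12:47:13 gw kernel: IN=eth0 OUT=ppp0 SRC=10.0.0.23 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4411 DF PROTO=TCP SPT=51544 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Oct 24 12:47:14 gw pppd[17248]: LCP terminated by peer
Oct 24 12:47:15 gw kernel: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=10.0.0.23 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51544 WINDOW=0 RES=0x00 RST URGP=0
Oct 24 12:47:19 gw kernel: IN= OUT=ppp0 SRC=10.0.0.1 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=912 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""


def parse_line(line):
    """Return LOG fields as a dict (plus TCP flags), or None for other lines."""
    if "kernel:" not in line or " OUT=" not in line:
        return None
    fields = dict(KV.findall(line))
    fields["FLAGS"] = sorted(TCP_FLAGS.intersection(line.split()))
    return fields


def leaked_private_sources(log_text, wan_if="ppp0"):
    """List (src, dst, proto, flags) for packets headed out wan_if with an
    RFC 1918 source address, i.e. traffic that was never NATted."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("OUT") != wan_if or "SRC" not in f:
            continue
        src = ipaddress.ip_address(f["SRC"])
        if any(src in net for net in RFC1918):
            hits.append((f["SRC"], f.get("DST"), f.get("PROTO"), f["FLAGS"]))
    return hits


if __name__ == "__main__":
    for hit in leaked_private_sources(SAMPLE_LOG):
        print(hit)
```

The first hit is the forwarded FIN/ACK case from this reply; the second, with an empty IN= field, is locally generated traffic as in the original post.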

