02 March, 2017

Yesterday, I knocked myself off the Internet

Yesterday, I spent some time poking about the Actiontec MI424WR (Rev I) that Verizon supposedly provided "for free" as an incentive to subscribe to FiOS.  Supposedly, in order to be (fully) supported, you need a Verizon-approved router, including one of these.  I'm not sure their site allows one to complete the online (service) order without agreeing to rent, purchase, or otherwise prove you have (or will have) one of Verizon's routers.  You may be able to finish the order these days, but as I recall, two years ago when I was ordering, their maze of forms and JavaScript wouldn't allow a submission without one.  Anyhow...I read a recent thread on DSL Reports with regard to residential-class accounts being able to have static IP addresses (they don't allow that), and the workaround of using dynamic DNS services prompted me to start poking around to see what services (dyndns.org, noip.com, etc.) the Verizon router supports directly.

I have VLANs set up on my switch, one for TWC/Spectrum WAN (although I don't subscribe to any of their services presently), one for my VOIP LAN, one for most of the rest of my LAN, one for FiOS WAN, and one for the FiOS LAN.  The nexus for everything is a PC running Linux functioning as a router.  I knew there was the possibility of an address "conflict" if I plugged in the WAN port on the Actiontec (because Verizon only allows one DHCP lease at a time) so initially I powered up the Actiontec with the WAN cable unplugged.

After puttering about with a lot of its settings (ugh, I hate the Actiontec Web interface), I'm not sure what possessed me, but I thought, hey, my Linux router has a DHCP lease, and since Verizon's systems will only allow one lease at a time, I thought plugging in the Actiontec WAN cable should be no problem.  If it tries to obtain a lease it will just be denied, whether by DHCPNAK or just timing out.

Emmmm....wrong!  Very shortly after plugging in the WAN cable, the "Internet" LED came on.  First I thought, "wait, what?"  That was shortly followed by "oh, crap!"  Sure enough, I logged onto my "production" router, tried the usual "ping 8.8.8.8", and there were no replies whatsoever.  There isn't anything of consequence connected to the LAN ports of the Actiontec; it was pretty much just connected so that I could get in to configure it, and possibly switch things up a bit if a Verizon TSR demanded to have it online.  So either the lease which Linux had obtained was somehow "transferred" to the Actiontec, or the lease Linux had was invalidated, and at any rate, in that state the Linux router was of no (WAN) use.  (It still routed just fine between all the LANs.)  I basically knocked myself off the Internet, because nothing on my network is set up to operate through the Actiontec.  I thought, you idiot, you should have logged onto the switch and issued "shutdown" to the interface for the Actiontec WAN port first.

As you may gather from some of my previous postings, here on the I Heart Libertarianism blog or on Google+, I get pretty anxious about not having Internet connectivity, so to lift a line from Dickens, this was not the best of times.  I think this is mostly because I have the family's email server here, not to mention virtually all the important notifications I have would go to a philipps.us or joe.philipps.us address.  It's also the DNS master for a number of my domains, including philipps.us.  I know, I know...the TTLs on the SOA records themselves should make them valid for two weeks, so even without Internet for an extended-ish time, things should not fall apart entirely.

Email servers very typically keep retrying for several days, maybe even as much as a week, so that should not be so terrible.  As a further mitigation of any failure of my email server here, it just so happens I was one of the people who got in on the "ground floor" when Google was beta testing Google Apps (the Web services, not the usual meaning these days of the apps to access Google on Android). As a consequence, I have a "no cost" G Suite configuration as a less preferred MX.  Therefore, it would be somewhat messy from an email history standpoint, but a catchall account on G Suite would have any email which my setup cannot suck in.  Still...I think it's the thought that without Internet, even that backup setup is no good because I can't get to it.  I would have to "borrow" someone else's Internet access even to see what's over at my G Suite account.

This would be compounded by the fact that these days, many of my access passwords are utter gibberish, thanks to KeePass and KeePassX.  The database is in my Google Drive, but also backed up on my local computer.  The implication is, it's another one of those "bootstrap" problems: without Internet, I don't have access to the master KeePass database, and even if I work from the copy, say from a computer at the Erie County library, it's going to be a LOT of tedious typing because the library's computers are likely not going to be able to run the KeePass software.  I'd be working with revealing the decrypted passwords on KeePassDroid on my Nexus 7.  For any Web services which will accept it, I turn on basically everything printable except space for the KeePass generator, and typically 20 characters.  So yeah....lots of tedious typing if I have to use another computer.

Despite the minor panic I was in, I thought, come on, this shouldn't be that difficult, you really should have a way out of this.  You can try ifdown on the Internet interface (happens to be eth3), followed by ifup.  Nope, that didn't really do anything.  Just calm down a little, and work the problem.  If you get back on the Actiontec, you should be able to pick and prod your way around it, and find the "release DHCP lease" button, which you know is in there somewhere.  That would at least mollify Verizon's backend(s) (or the ONT) into letting Linux get a usable address again.  That was in fact the key.  After hitting "release" on the Actiontec, I was able to ifdown/ifup one more time, and Linux got an address/lease.  However...it was not the IPv4 address I had before.  Rats.

As mentioned, the whole exercise started with wondering about Actiontec's implementation of dynamic DNS.  This is precisely what I needed to do.  This happens so infrequently that I have a Google Keep checklist for IPv4 address changes (which I have exported to a Google Doc for linking in this blog entry).  I have that accessible on my Nexus 7, so all I have to do is find it on there, and I'm good to go.  I copied the list, renamed it with "1-Mar-2017" in the title, and went about executing its items.

There were items on the checklist that I still had to figure out on the spot.  For example, for some of the items, I did not know the pathnames of what needed changing, or what item in the relevant file.  So in a sense, it's good this happened, because it has made me refine the process and therefore improve it.  Still, it's a pain whenever my address changes.  Some of it could probably be scripted or automated, but it's one of those things that happens so infrequently, I have to wonder how much utility there is in writing anything.

Anyhow...obviously, I'm back online, or I couldn't be posting this.  Hopefully I'll be better prepared for the next time my address changes.

