Help! Verizon FIOS and Actiontec router keeping me from MetaFilter
February 27, 2008 10:46 AM Subscribe
Help me, AskMe, you're my (last) hope. The Actiontec wireless router that Verizon insists is the only thing they can give me to use for our home FIOS service is keeping me from accessing MetaFilter at home.
Obviously, I'm submitting this from work, which I would MUCH rather not do.
Verizon brought in the new router last month to fix a problem we were having with the TV channel guide. It fixed that, and everything else internet-related seemed to be working just fine - we can send and receive email and access the internet, but I couldn't reach any of the MetaFilter sites. I first tried all the standard fixes - deleted my cookies, turned off my firewalls - and got nowhere. I asked the admins by MeMail from work, and they didn't have any further suggestions either. I also spent a few hours on the phone with a couple of Verizon reps, who insisted that the router was working properly and the problem must be with either my computer at home or the website I was trying to reach.
Here's where it gets really weird. I did some poking around on my own in the router menu, and finally found a Security Log that listed a large number of blocked "Outbound Traffic" events. The error message for each was "Blocked - NAT out failed" and the details given were "First packet in connection is not a SYN packet". Most (but not all) of these failed connections were to IP address 74.53.68.130 - which is MetaFilter.
Since I was now way over my head technically, I wrote mr_crash_davis for advice. His response was so helpful (albeit still over my head), I'll quote it in full:
Well, for a TCP/IP handshake to occur, three things have to happen:
The client sends a SYN to the server.
In response, the server responds with SYN-ACK.
The client sends an ACK back to the server.
So, it seems obvious that your attempt to connect to MeFi is dropping its SYN somewher along the line. Since this all happened post-router change, it also seems obvious that it's dropping in the router. Now the question becomes 'Why is the router dropping the SYN portion of the TCP/IP handshake, and only to this one site?'
A bit of Googling turns up a number of sites where people with Verizon FIOS are having this issue, so at least you're not alone. Most of them have narrowed it down to either a NAT port forwarding problem or a problem in the "advanced filtering" section of the router. A suggestion on a few sites is to try an upgrade to the router firmware, here: [link]
I'll do some more poking around and see what else I can find.
Armed with this additional information, I spent several more hours on the phone with several different Verizon reps. They insist the browser is upgraded with the most recent firmware. They tried configuring the router several different ways, and even had me download Firefox just to be sure it wasn't a browser issue. Nothing worked. The next-to-last technician I got had me do a hard reboot of the router with a paperclip - that looked like it was going to work, since when I got back on I was able to call up, briefly, the MetaFilter home page, but when I tried to switch to any other page (including the login page) it hung up again. Checking the Security Log confirms it was the same error - First packet in connection is not a SYN packet.
The last person I spoke with tried everything again, and then called Actiontec for assistance. To my great consternation and dismay, the official word now is "yes, it's something to do with the router, but they don't have a fix for it, and we're not the manufacturer, so we don't support it. However, that's the only router we can provide you to support your FIOS network."
This did not make me happy. I was told I still have the option of bypassing the router and plugging the internet cable directly into the computer if I should ever want to visit that website that's not working, but that really doesn't sound appealing to me. However, since I would much prefer visiting MeFi at home and not the office (I am a self-employed attorney, and was keeping myself logged out at work precisely so I didn't waste too much time here during the day), that may be the only way I'll ever get to participate on MeFi again, at least until we get a new internet provider at home or Actiontec upgrades their routers.
To sum up:
It's not a cookie issue, or a firewall issue.
It's not a browser issue - the same thing happens in IE and Firefox.
Email is working, the internet is working - it appears that some domains are throwing the same error, but all of the .metafilter ones are.
Finally, there is definitely a connection between my computer and MeFi. The Verizon techs had me "ping" the site, and it returned a ping. That led one tech to insist that the problem was that I had been blocked by the website itself (the admins assure me that isn't the case!) The problem is solely in the Actiontec wireless router, which for some unknown reason is failing to complete a back-and-forth connection with MetaFilter (and possibly other sites as well).
So - does anyone else have any suggestions? Ever heard of or had this problem or a similar one before? As I say, you're my only hope.
Obviously, I'm submitting this from work, which I would MUCH rather not do.
Verizon brought in the new router last month to fix a problem we were having with the TV channel guide. It fixed that, and everything else internet-related seemed to be working just fine - we can send and receive email and access the internet, but I couldn't reach any of the MetaFilter sites. I first tried all the standard fixes - deleted my cookies, turned off my firewalls - and got nowhere. I asked the admins by MeMail from work, and they didn't have any further suggestions either. I also spent a few hours on the phone with a couple of Verizon reps, who insisted that the router was working properly and the problem must be with either my computer at home or the website I was trying to reach.
Here's where it gets really weird. I did some poking around on my own in the router menu, and finally found a Security Log that listed a large number of blocked "Outbound Traffic" events. The error message for each was "Blocked - NAT out failed" and the details given were "First packet in connection is not a SYN packet". Most (but not all) of these failed connections were to IP address 74.53.68.130 - which is MetaFilter.
Since I was now way over my head technically, I wrote mr_crash_davis for advice. His response was so helpful (albeit still over my head), I'll quote it in full:
Well, for a TCP/IP handshake to occur, three things have to happen:
The client sends a SYN to the server.
In response, the server responds with SYN-ACK.
The client sends an ACK back to the server.
So, it seems obvious that your attempt to connect to MeFi is dropping its SYN somewher along the line. Since this all happened post-router change, it also seems obvious that it's dropping in the router. Now the question becomes 'Why is the router dropping the SYN portion of the TCP/IP handshake, and only to this one site?'
A bit of Googling turns up a number of sites where people with Verizon FIOS are having this issue, so at least you're not alone. Most of them have narrowed it down to either a NAT port forwarding problem or a problem in the "advanced filtering" section of the router. A suggestion on a few sites is to try an upgrade to the router firmware, here: [link]
I'll do some more poking around and see what else I can find.
Armed with this additional information, I spent several more hours on the phone with several different Verizon reps. They insist the browser is upgraded with the most recent firmware. They tried configuring the router several different ways, and even had me download Firefox just to be sure it wasn't a browser issue. Nothing worked. The next-to-last technician I got had me do a hard reboot of the router with a paperclip - that looked like it was going to work, since when I got back on I was able to call up, briefly, the MetaFilter home page, but when I tried to switch to any other page (including the login page) it hung up again. Checking the Security Log confirms it was the same error - First packet in connection is not a SYN packet.
The last person I spoke with tried everything again, and then called Actiontec for assistance. To my great consternation and dismay, the official word now is "yes, it's something to do with the router, but they don't have a fix for it, and we're not the manufacturer, so we don't support it. However, that's the only router we can provide you to support your FIOS network."
This did not make me happy. I was told I still have the option of bypassing the router and plugging the internet cable directly into the computer if I should ever want to visit that website that's not working, but that really doesn't sound appealing to me. However, since I would much prefer visiting MeFi at home and not the office (I am a self-employed attorney, and was keeping myself logged out at work precisely so I didn't waste too much time here during the day), that may be the only way I'll ever get to participate on MeFi again, at least until we get a new internet provider at home or Actiontec upgrades their routers.
To sum up:
It's not a cookie issue, or a firewall issue.
It's not a browser issue - the same thing happens in IE and Firefox.
Email is working, the internet is working - it appears that some domains are throwing the same error, but all of the .metafilter ones are.
Finally, there is definitely a connection between my computer and MeFi. The Verizon techs had me "ping" the site, and it returned a ping. That led one tech to insist that the problem was that I had been blocked by the website itself (the admins assure me that isn't the case!) The problem is solely in the Actiontec wireless router, which for some unknown reason is failing to complete a back-and-forth connection with MetaFilter (and possibly other sites as well).
So - does anyone else have any suggestions? Ever heard of or had this problem or a similar one before? As I say, you're my only hope.
Lots of inconclusive stories on the Google, but if you ask me I'm guessing they have a broken NAT implementation.
posted by rhizome at 10:59 AM on February 27, 2008
posted by rhizome at 10:59 AM on February 27, 2008
I wish I could help. These types of issues are very frustrating, especially when Verizon says that they're not the manufacturer and they don't support it (was the correct?). If so, quite honestly that's bad business.
FWIW, I have FIOS and the Actiontec router and have no problem with MeFi sites. Since I wanted my home network WiFi to be "controlled" by my Apple Express, when the tech installed the Actiontec I asked him to turn off the WiFi component, which he did. I have an Ethernet cable going from the Actiontec to my Apple Express.
posted by Taken Outtacontext at 11:07 AM on February 27, 2008
FWIW, I have FIOS and the Actiontec router and have no problem with MeFi sites. Since I wanted my home network WiFi to be "controlled" by my Apple Express, when the tech installed the Actiontec I asked him to turn off the WiFi component, which he did. I have an Ethernet cable going from the Actiontec to my Apple Express.
posted by Taken Outtacontext at 11:07 AM on February 27, 2008
Best answer: See this MetaTalk thread. Hopefully you can tweak MTU settings on the router.
posted by zsazsa at 11:07 AM on February 27, 2008
posted by zsazsa at 11:07 AM on February 27, 2008
Ditto what TO said, I am a successful Actiontec + MeFi user as well. Verizon's router does do some stuff with the VOD & Guide stuff, you may not be able to use those features if you take it out of the loop.
posted by kellyblah at 11:23 AM on February 27, 2008
posted by kellyblah at 11:23 AM on February 27, 2008
Interesting, Taken Outtacontext, and that suggests a potential solution. yhbc, I assume that you have the same ActionTech router as TO -- have you tried to plug your computer directly into the router via an ethernet cable, and tested to see if you can get to MeFi? If so, then probably the best solution for you is to do exactly as TO did -- get another inexpensive wifi router that doesn't suck as much ass as the ActionTech one does, plug it into your ActionTech via ethernet, shut off the wifi on the ActionTech, and totally route around the problem. Hell, you should be able to get a Linksys 802.11g (WRT54G) for around $40 or so these days...
posted by delfuego at 11:26 AM on February 27, 2008
posted by delfuego at 11:26 AM on February 27, 2008
Response by poster: delfuego, the computer is plugged directly into the router (it's a wireless router, but its not being used as such - we only have the one computer at home).
Knowing that there are successful FIOS/Actiontec people here is encouraging, though. The last test (which I have been putting off, because it's a pain moving the computer around under the desk it is at) is to plug the internet cable directly into the computer. If that does eliminate the Guide feature on the television (as kellyblah mentioned), then that is not a viable solution, since my wife has said TV is more important than MetaFilter.
If it does work without screwing up the TV features, than it's a fix for now, since we don't need to use the router to access any other computer. I'll see if I can try that tonight.
Thanks, all.
posted by yhbc at 11:38 AM on February 27, 2008
Knowing that there are successful FIOS/Actiontec people here is encouraging, though. The last test (which I have been putting off, because it's a pain moving the computer around under the desk it is at) is to plug the internet cable directly into the computer. If that does eliminate the Guide feature on the television (as kellyblah mentioned), then that is not a viable solution, since my wife has said TV is more important than MetaFilter.
If it does work without screwing up the TV features, than it's a fix for now, since we don't need to use the router to access any other computer. I'll see if I can try that tonight.
Thanks, all.
posted by yhbc at 11:38 AM on February 27, 2008
Two questions:
1. You say you're not using the router wirelessly, but did you actually turn off the wireless capability? If not, there's always the possibility someone nearby is on your network and is causing the trouble.
2. Are you by any chance logging into a VPN at home? If so, and the PPTP settings aren't right, that could be causing the trouble.
posted by cerebus19 at 11:59 AM on February 27, 2008
1. You say you're not using the router wirelessly, but did you actually turn off the wireless capability? If not, there's always the possibility someone nearby is on your network and is causing the trouble.
2. Are you by any chance logging into a VPN at home? If so, and the PPTP settings aren't right, that could be causing the trouble.
posted by cerebus19 at 11:59 AM on February 27, 2008
I am having the same problem with my Actiontec router, and haven't found a way to fix it... I hate the thing... I'm hoping there's someone out there with a better answer than this one.
What I ended up doing is installing Tor, and using the Tor button in Firefox whenever I want to go to MeFi. It's not an optimal solution, but it does work.
posted by Philbo at 12:30 PM on February 27, 2008
What I ended up doing is installing Tor, and using the Tor button in Firefox whenever I want to go to MeFi. It's not an optimal solution, but it does work.
posted by Philbo at 12:30 PM on February 27, 2008
Response by poster: cerebus19 - "I don't know" is the only answer I have to both your questions. I'm not the sharpest technical knife in the drawer. The truth is, I generally know just enough to screw things up, which is why the earlier MeTa and AskMe threads on MTU settings that zsazsa pointe to are both intriguing and terrifying. I might try to look at those settings in the router tonight too, but without being able to actually reference those threads while at home, that might be a little difficult.
posted by yhbc at 1:08 PM on February 27, 2008
posted by yhbc at 1:08 PM on February 27, 2008
If you have another router sitting around, what happens if you plug the "originating" cable into the other router and the Actiontec router and your own computers into the network ports of the other router?
Or could you put a switch upstream from the Actiontec router?
I know fuck-all about networking, though, so these are both probably terrible ideas that will give you a disease.
posted by ROU_Xenophobe at 1:56 PM on February 27, 2008
Or could you put a switch upstream from the Actiontec router?
I know fuck-all about networking, though, so these are both probably terrible ideas that will give you a disease.
posted by ROU_Xenophobe at 1:56 PM on February 27, 2008
Any possibility of running a second router? Split the incoming cable with a router. One goes to your computer, the other goes to the Actiontec thingy. Leave everything except your computer plugged in to the Actiontec. This should give you a clear connection to the outside world, while still leaving the Actiontec router connected to do its own things.
This is assuming that your computer isn't necessary for the Actiontec to do it's TV menu job, of course.
posted by caution live frogs at 1:59 PM on February 27, 2008
This is assuming that your computer isn't necessary for the Actiontec to do it's TV menu job, of course.
posted by caution live frogs at 1:59 PM on February 27, 2008
(At any rate if it works it might get you through in the mean time, until an update is released that fixes the Actiontec)
posted by caution live frogs at 2:03 PM on February 27, 2008
posted by caution live frogs at 2:03 PM on February 27, 2008
Response by poster: Okay! Here I am at home, and after playing around a bit I found that changing the MTU setting to force a manual setting of 1480 under the "advanced wireless options" in the router (it was set at "automatic", but the figure given was 1500) gets me access - but only when using Firefox as a browser. Something still ain't right, but we're making progress now.
posted by yhbc at 6:23 PM on February 27, 2008
posted by yhbc at 6:23 PM on February 27, 2008
Response by poster: Wow. The 1480 setting now gets me in while using IE as well.
I still have no idea what I've done, but I seem to have done it right.
Thanks, everyone, for all your help!
posted by yhbc at 6:26 PM on February 27, 2008
I still have no idea what I've done, but I seem to have done it right.
Thanks, everyone, for all your help!
posted by yhbc at 6:26 PM on February 27, 2008
Related but Off Topic: I had a problem where if I used VPN I couldn't connect to any outside site, just my work network. If I shut down VPN I could once again get out to other sites. I plugged my computer directly into the Actiontec and it worked as it should. So the problem seemed to be either with my work network or my Apple Express. Trying to broker a fix between Apple and work was next to impossible. Each was blaming the other (sound familiar? -g).
I gave up and decided I'd simply have to turn VPN on and off whenever I wanted to go outside the network. One day, it just started working. I have no idea why.
posted by Taken Outtacontext at 9:03 AM on February 28, 2008
I gave up and decided I'd simply have to turn VPN on and off whenever I wanted to go outside the network. One day, it just started working. I have no idea why.
posted by Taken Outtacontext at 9:03 AM on February 28, 2008
yhbc:
Basically, the MTU setting is the max packet size you can send, where a packet is a piece of information passed from network device to network device. Certain hosts have a MTU cap or freak out with larger MTUs. The default normally works, but overhead gets headed to packets for various reasons thus pushing your packet size over the limit.
Or at least, that's my understanding from when my school went through similar issues last year and the MTU thing fixed it.
posted by jmd82 at 7:54 PM on February 28, 2008
Basically, the MTU setting is the max packet size you can send, where a packet is a piece of information passed from network device to network device. Certain hosts have a MTU cap or freak out with larger MTUs. The default normally works, but overhead gets headed to packets for various reasons thus pushing your packet size over the limit.
Or at least, that's my understanding from when my school went through similar issues last year and the MTU thing fixed it.
posted by jmd82 at 7:54 PM on February 28, 2008
Response by poster: Thanks for the better explanation, jmd. It still irks me, however, that (1) Verizon says that its FIOS network must have the MTU set at 1492, but (2) the router they supply to you is set at a default of 1500, but (3) that still doesn't work, although 1480 will, and (4) Verizon won't tell you how to fix this themselves or even acknowledge there is sometimes a problem.
posted by yhbc at 5:32 AM on February 29, 2008
posted by yhbc at 5:32 AM on February 29, 2008
This thread is closed to new comments.
posted by rhizome at 10:54 AM on February 27, 2008