Fritz!Box 7530 inconsistent behavior
Graham J
2020-08-17 19:36:33 UTC
I've never used one of these before.

Friend has FTTC. Before her router arrived I tested the FTT connection
with my Technicolor TG588v v2 - worked perfectly.

The Fritz!Box 7530 duly arrived. I plugged it in, it configured itself via
TR-069 (from Zen); and appears to work OK, Friend can browse websites,
can ping things on the internet, speedtests show the expected speeds,
router shows the correct short distance to green cabinet, appropriate
SNR margins, zero errors.

But, when I ping it from my home, or use F8Lure to monitor the
reliability of the connection, pings fail about 1 time in 10, and F8Lure
shows what looks like a very unreliable connection. By contrast pings
and F8Lure to the Technicolor TG588v v2 gave consistently good results.

Fritz!Box 7530 arrived with firmware 07.13. Version 07.20 is available,
so I upgraded to that. Exactly similar ping responses.

Powered off Fritz!Box 7530. When powered on, no replies to ping at all.
Google suggested Internet - Filters - Lists - Global filter settings -
Clear stealth mode. But it's already clear; so set it; and click Apply.
Now replies to ping with similar failure rate as before.

Today I get my friend to Clear stealth mode - replies stop as before.
Then disable the option "Teredo filter enabled". Some replies - then
nothing. So revert to previous settings: enable stealth mode, enable
Teredo filter. No ping replies whatever since then.

I don't understand this inconsistency. Is the router faulty? Is this
the expected behaviour for this device? Is there another operation
(such as power off/on) required after each "Apply" to complete the changes?

Given that my friend's view of its performance is good, I can't as yet
complain to Zen. But the unreliability of ping responses makes it
difficult to identify future problems.
--
Graham J
Brian Gregory
2020-08-17 20:35:35 UTC
Post by Graham J
I've never used one of these before.
Friend has FTTC.  Before her router arrived I tested the FTT connection
with my Technicolor TG588v v2 - worked perfectly.
The Fritz!Box 7530 duly arrived.  I plugged it, it configured itself via
TR-069 (from Zen); and appears to work OK,  Friend can browse websites,
can ping things on the internet, speedtests show the expected speeds,
router shows the correct short distance to green cabinet, appropriate
SNR margins, zero errors.
But, when I ping it from my home, or use F8Lure to monitor the
reliability of the connection, pings fail about 1 time in 10, and F8Lure
shows what looks like a very unreliable connection.  By contrast pings
and F8Lure to the Technicolor TG588v v2 gave consistently good results.
Fritz!Box 7530 arrived with firmware 07.13. Version 07.20 is available,
so I upgraded to that. Exactly similar ping responses.
Powered off Fritz!Box 7530.  When powered on, no replies to ping at all.
 Google suggested Internet - Filters - Lists - Global filter settings -
Clear stealth mode.  But it's already clear; so set it; and click Apply.
 Now replies to ping with similar failure rate as before.
Today I get my friend to Clear stealth mode - replies stop as before.
Then disable the option "Teredo filter enabled".  Some replies - then
nothing.  So revert to previous settings: enable stealth mode, enable
Teredo filter.  No ping replies whatever since then.
I don't understand this inconsistency.  Is the router faulty?  Is this
the expected behaviour for this device?  Is there another operation
(such as power off/on) required after each "Apply" to complete the changes?
Given that my friend's view of its performance is good, I can't as yet
complain to Zen.  But the unreliability of ping responses makes it
difficult to identify future problems.
Stealth mode is the norm these days, at least for IPv4, maybe not always
for IPv6 and means you don't respond to anything (including pings) from
outside.

So as far as I understand it you ought to be able to ping the FritzBox
router only if stealth mode is off.

Maybe the setting is intermittently broken in the FritzBox.

I discarded the FritzBox Zen sent me because I already had suitable
equipment.

I was also put off because the translation from German(?) to English in
the FritzBox documentation was bafflingly weird such that it needed work
to even figure out what the settings that are there do.

For instance port forwarding seems, as far as I can see, to be called
port sharing on the FritzBox!
--
Brian Gregory (in England).
Graham J
2020-08-17 20:43:04 UTC
Post by Brian Gregory
Post by Graham J
I've never used one of these before.
Friend has FTTC.  Before her router arrived I tested the FTT
connection with my Technicolor TG588v v2 - worked perfectly.
The Fritz!Box 7530 duly arrived.  I plugged it, it configured itself
via TR-069 (from Zen); and appears to work OK,  Friend can browse
websites, can ping things on the internet, speedtests show the
expected speeds, router shows the correct short distance to green
cabinet, appropriate SNR margins, zero errors.
But, when I ping it from my home, or use F8Lure to monitor the
reliability of the connection, pings fail about 1 time in 10, and
F8Lure shows what looks like a very unreliable connection.  By
contrast pings and F8Lure to the Technicolor TG588v v2 gave
consistently good results.
Fritz!Box 7530 arrived with firmware 07.13. Version 07.20 is
available, so I upgraded to that. Exactly similar ping responses.
Powered off Fritz!Box 7530.  When powered on, no replies to ping at
all.   Google suggested Internet - Filters - Lists - Global filter
settings - Clear stealth mode.  But it's already clear; so set it; and
click Apply.   Now replies to ping with similar failure rate as before.
Today I get my friend to Clear stealth mode - replies stop as before.
Then disable the option "Teredo filter enabled".  Some replies - then
nothing.  So revert to previous settings: enable stealth mode, enable
Teredo filter.  No ping replies whatever since then.
I don't understand this inconsistency.  Is the router faulty?  Is this
the expected behaviour for this device?  Is there another operation
(such as power off/on) required after each "Apply" to complete the changes?
Given that my friend's view of its performance is good, I can't as yet
complain to Zen.  But the unreliability of ping responses makes it
difficult to identify future problems.
Stealth mode is the norm these days, at least for IPv4, maybe not always
for IPv6 and means you don't respond to anything (including pings) from
outside.
So as far as I understand it you ought to be able to ping the FritzBox
router only if stealth mode is off.
Maybe the setting is intermittently broken in the FritzBox.
I discarded the FritzBox Zen sent me because I already had suitable
equipment.
I was also put off because the translation from German(?) to English in
the FritzBox documentation was bafflingly weird such that it needed work
to even figure out what the settings that are there do.
For instance port forwarding seems, as far as I can see, to be called
port sharing on the FritzBox!
My German is at the level of asking for a beer or a hot dog with
mustard. But I did wonder whether the English explanations suffer from
being translations. But that doesn't account for the inconsistent
behaviour; if the behaviour had been consistent I'm sure I would have
tolerated the quaint translations.
--
Graham J
Graham J
2020-08-18 07:24:07 UTC
Graham J wrote:

[snip]
Post by Graham J
Today I get my friend to Clear stealth mode - replies stop as before.
Then disable the option "Teredo filter enabled".  Some replies - then
nothing.  So revert to previous settings: enable stealth mode, enable
Teredo filter.  No ping replies whatever since then.
This was at about 6:3p pm yesterday.

Today, F8Lure shows ping replies starting at about 8 am. Pings from my
PC are back to replies about 9 times out of 10.

However, this apparently is a known problem: the chap who runs the
F8Lure website has seen the same.
--
Graham J
grinch
2020-08-18 11:09:29 UTC
snip
Post by Graham J
So revert to previous settings: enable stealth mode, enable
Teredo filter.  No ping replies whatever since then.
Surely this is what you want, it makes the life of the script kids
slightly more difficult.
Post by Graham J
This was at about 6:3p pm yesterday.
Today, F8Lure shows ping replies starting at about 8 am.  Pings from my
PC are back to replies about 9 times out of 10.
I fail to see why you think this is a problem, what's probably happening
is the router is seeing your unnecessary ICMP traffic as a threat and
responding by blocking it. Which is good.

ICMP is unnecessary traffic anyway and proves nothing only that the
device is there. My Cisco has an ACL to block all incoming IP4 ICMP as
standard.

Your friend is not having any network issues by your own admission so
why waste Zen's time by reporting a non fault. A little knowledge is a
dangerous thing.
Post by Graham J
However, this apparently is a known problem: the chap who runs the
F8Lure website has seen the same.
Graham J
2020-08-18 12:11:45 UTC
snip
Post by Graham J
So revert to previous settings: enable stealth mode, enable
Teredo filter.  No ping replies whatever since then.
Surely this is what you want,it makes the life of the script kids
slightly more difficult.
No. Every other router I've met either fails to respond to pings, or
has an explicit option to allow it. When allowed, such routers respond
reliably.

Graphing responses to ping is a very useful diagnostic for intermittent
connections, PCs sending spam, and similar poor performance issues.
ICMP is unnecessary traffic anyway and proves nothing only that the
device is there. My Cisco has an ACL to block all incoming IP4 ICMP as
standard.
But you can edit the ACL to allow specific incoming pings; and if you
did so you would expect it to work reliably and consistently.
Your friend is not having any network issues by your own admission so
why waste Zen's time by reporting a non fault. A little knowledge is a
dangerous thing.
True, no network issues.

But her HP Envy printer sometimes fails to connect with HP to tell them
how many pages it's printed so HP know when to send her more ink; and
this function has worked until the upgrade to FTTC required the change
to use the Fritz!Box 7530.

I'm not saying the issues are cause and effect, yet, but the
inconsistent behaviour to ping is worrying. I will swap to a different
router later today and see if the HP problem goes away.
--
Graham J
grinch
2020-08-18 14:05:32 UTC
Post by Graham J
But her HP Envy printer sometimes fails to connect with HP to tell them
how many pages it's printed so HP know when to send her more ink; and
this function has worked until the upgrade to FTTC required the change
to use the Fritz!Box 7530.
I'm not saying the issues are cause and effect, yet, but the
inconsistent behaviour to ping is worrying.  I will swap to a different
router later today and see if the HP problem goes away.
I might have an idea why. The firewalls on simple routers just allow
all TCP/UDP ports out via NAT. Perhaps the fritzbox has a better
firewall and only allows out the usual suspects.

Try adding a deny all rule at the end of the firewall rules with a log
statement (assuming it can do this); the firewall log will tell you what
port the HP printer is trying to use, then create a rule to allow that.

Alternatively port span a switch and use Wireshark to packet sniff to
find the port.

Let me know how you get on
Graham J
2020-08-18 16:50:32 UTC
Post by grinch
Post by Graham J
But her HP Envy printer sometimes fails to connect with HP to tell
them how many pages it's printed so HP know when to send her more ink;
and this function has worked until the upgrade to FTTC required the
change to use the Fritz!Box 7530.
I'm not saying the issues are cause and effect, yet, but the
inconsistent behaviour to ping is worrying.  I will swap to a
different router later today and see if the HP problem goes away.
I might have an idea why . The firewalls on simple routers just allow
all TCP/UDP ports out via NAT. Perhaps the fritzbox has a better
firewall and only allows out the usual suspects.
Try adding a deny all rule at the end of the firewall rules with a log
statement (assuming it can do this) the firewall log will tell you what
port the HP printer is trying to use ,then create a rule to allow that.
Alternatively port span a switch and use wireshark to packet sniff to
find the port.
Let me know how you get on
Router swapped. Printer prints OK. Now communicating with HP, but only
after power off/on.

Have the Fritz!Box 7530 so I can learn about it, in particular whether I
can log what the firewall does and whether I can create rules for it.
--
Graham J
grinch
2020-08-19 10:25:30 UTC
Post by Graham J
Have the Fritz!Box 7530 so I can learn about it, in particular whether I
can log what the firewall does and whether I can create rules for it.
Good luck with that, I spent a whole cup of coffee on the Internet
looking for firewall documentation and all I could find was port
forwarding, even on the Fritzbox site.

They would appear to be designed to protect the great unwashed from the
internet automatically and prevent them from getting hacked. Having
spent 20 years working for ISPs I can understand this, don't give them
something they can break.

Good luck, Fritzboxen do have a very good reputation for security and
specification, but they are not cheap.


A little bedtime reading

https://assets.avm.de/files/docs/fritzbox/fritzbox-7590/fritzbox-7590_man_en_GB.pdf
Graham J
2020-08-19 10:57:05 UTC
grinch wrote:

[snip]
Post by grinch
A little bedtime reading
https://assets.avm.de/files/docs/fritzbox/fritzbox-7590/fritzbox-7590_man_en_GB.pdf
Yes, I spent some time reading that last weekend.
--
Graham J
Graham J
2020-08-21 18:55:05 UTC
Graham J wrote:

[snip]
Post by Graham J
Have the Fritz!Box 7530 so I can learn about it, in particular whether I
can log what the firewall does and whether I can create rules for it.
This from Zen, who supplied the Fritz!Box 7530:

Firewall stealth mode should be off to allow pings from the internet.

Also: "One thing to note about the Fritz is that it only allows 1 ping
request at any one time and this is the default for all the Fritzbox
firmwares."

So using F8Lure for monitoring the reliability of the connection won't
work: it sends pings from two different IP addresses.

This almost certainly explains the intermittent nature of ping replies.
--
Graham J
Brian Gregory
2020-08-21 19:08:03 UTC
grinch
2020-08-22 14:57:12 UTC
Permalink
Post by Brian Gregory
Post by Graham J
Also: "One thing to note about the Fritz is that it only allows 1 ping
request at any one time and this is the default for all the Fritzbox
firmwares."
That's really weird, meaningless and stupid.
The ping packets arrive one at a time and the box responds to them when
they arrive. How could it do two at once anyway?
Also, I'm not saying it's wrong to respond to them, just that nowadays
most routers don't by default.
Plus since Zen block some ports in a way that isn't stealth anyway it
seems less worthwhile to try and hide behind stealth on Zen. So I don't,
even on my non Zen provided router.
They only block tcp/udp 137 to 139 other than that I don't think they
block any others.

https://support.zen.co.uk/kb/Knowledgebase/Do-Zen-block-any-ports
Post by Brian Gregory
It doesn't seem that long ago that people would argue that you must
respond to pings or you'll get all sorts of weird problems and
slow-downs. But now stealth is normal, supposedly so hackers don't even
know you're there.
I block ICMP incoming but not outgoing for IPv4 and IPv6. In theory you
should not block ICMP on IPv6 but I don't have any issues so far, and
it's a quick setting change on my firewall if I do. Obviously my firewall
is stateful.

It would appear that Fritzboxen are designed to protect the vast
majority of internet users from themselves. If you can't make it work as
per the original post, buy a DrayTek.

Try emailing Zen's tech support and ask them to pass it on to their 3rd
line guy to see if there is a solution to the printing problem. I am sure
other people must have had the same issue.
Andy Burns
2020-08-22 15:02:57 UTC
I block  ICMP incoming
just block echo requests, or do you block port/host/net unreachables and
fragmentation needed?
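
An added illustration of the distinction raised in the question above (not part of any post in this thread, and not Fritz!Box, Cisco or Zen configuration): a Linux nftables input ruleset that keeps the ICMP error messages a stateful firewall still needs while treating echo requests separately. The interface name `wan0` and the table name are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example. Assumptions: a Linux router using nftables; "wan0" is a
# hypothetical name for the internet-facing interface.

table inet edge_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful part: replies to traffic we originated, plus ICMP errors
        # that conntrack can tie to an existing flow ("related").
        ct state established,related accept
        ct state invalid drop

        # Anything not arriving from the WAN side is trusted in this sketch.
        iifname != "wan0" accept

        # IPv4 errors. "Fragmentation needed" is destination-unreachable
        # code 4, so dropping the whole type also breaks path-MTU discovery.
        meta l4proto icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 errors. packet-too-big is the IPv6 counterpart of
        # "fragmentation needed"; routers never fragment IPv6 in transit.
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6 neighbour discovery from the directly attached link only
        # (hop limit 255 means the packet has not crossed a router).
        meta l4proto ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Echo requests, choose one behaviour:
        #  (a) "stealth": delete the two rules below; pings hit policy drop.
        #  (b) answer, but rate-limited, as written here.
        # The limit is shared by every sender, so two monitors pinging at
        # once (or any unrelated host) compete for the same allowance and
        # each sees apparent packet loss.
        meta l4proto icmp icmp type echo-request limit rate 1/second burst 1 packets accept
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 1/second burst 1 packets accept
    }
}
```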
grinch
2020-08-23 10:52:41 UTC
Brian Gregory
2020-08-22 18:15:51 UTC
They only block  tcp/udp  137 to 139 other than that I don't think they
block any others.
They block ports 135 to 139.

Why 'only'?
You're not correcting me.
I said they block some ports.
AND THEY DO.
--
Brian Gregory (in England).
grinch
2020-08-23 10:29:36 UTC
Post by Brian Gregory
They only block  tcp/udp  137 to 139 other than that I don't think
they block any others.
They block ports 135 to 139.
Why 'only'?
You're not correcting me.
I said they block some ports.
AND THEY DO.
Because some is way too vague; they block 4 ports for good sound reasons.
They don't block them on IPv6, does Windows not use them on IPv6? I
don't know as I don't use it.
Brian Gregory
2020-08-23 13:10:18 UTC
Post by grinch
Post by Brian Gregory
They only block  tcp/udp  137 to 139 other than that I don't think
they block any others.
They block ports 135 to 139.
Why 'only'?
You're not correcting me.
I said they block some ports.
AND THEY DO.
Because some is way to vague they block 4 ports for good sound reasons.
They don't block them on IPv6 ,does windows  not use them on IPv6 ? I
don't know as I don't use it.
'Some' was fine because I just wanted to make the point that Zen have
broken any attempt at complete stealth as has been "popularised" by the
likes of grc.com's ShieldsUp.

AFAIK Windows uses those ports just the same on IPv6. If they didn't it
would break IPv6 only networks and they wouldn't be able to claim IPv6
compatibility with any credibility.

Come to think of it Zen blocking them on IPv4 without also blocking them
on IPv6 really makes no sense. Nowadays you're pretty much guaranteed to
have your devices behind NAT on IPv4 which acts as a firewall whether
you like it or not whereas on IPv6 it's possible (if your router/gateway
device allows it) to switch your firewall off if you enjoy the thrill of
danger.
--
Brian Gregory (in England).
grinch
2020-08-23 17:34:37 UTC
Post by Brian Gregory
Come to think of it Zen blocking them on IPv4 without also blocking them
on IPv6 really makes no sense.
Agreed, perhaps it's an oversight on Zen's part. I tested with this site

https://ipv6.chappell-family.com/ipv6tcptest/

Post by Brian Gregory
Nowadays you're pretty much guaranteed to
have your devices behind NAT on IPv4 which acts as a firewall whether
you like it or not whereas on IPv6 it's possible (if your router/gateway
device allows it) to switch your firewall off if you enjoy the thrill of
danger.
I NAT IPv4 and I have my LAN IPv6 subnet in transparent mode on the
firewall. Seems ridiculous to use a /64 subnet for point to point
networks but that is how it works.

So I am firewalled but using different methods for different IP types
Brian Gregory
2020-08-23 19:09:45 UTC
Post by grinch
Post by Brian Gregory
Come to think of it Zen blocking them on IPv4 without also blocking
them on IPv6 really makes no sense.
Agreed ,perhaps its an oversight on Zen's part. I tested with this site
https://ipv6.chappell-family.com/ipv6tcptest/
Yep. Very useful site.
Post by grinch
Post by Brian Gregory
Nowadays you're pretty much guaranteed to
have your devices behind NAT on IPv4 which acts as a firewall whether
you like it or not whereas on IPv6 it's possible (if your
router/gateway device allows it) to switch your firewall off if you
enjoy the thrill of danger.
I NAT IPv4 and I have my LAN IPv6 subnet in transparent mode on the
firewall. Seems ridiculous to use a /64 subnet for point to point
networks but that is how it works.
So I am firewalled but using different methods for different IP types
It's exactly the same effect though.
Nothing gets back in unless it's related to something you sent out.
--
Brian Gregory (in England).
Brian Gregory
2020-08-23 19:19:10 UTC
Post by grinch
Post by Brian Gregory
Come to think of it Zen blocking them on IPv4 without also blocking
them on IPv6 really makes no sense.
Agreed ,perhaps its an oversight on Zen's part.
I think it probably dates back to ancient times when often users
connected with a simple modem in a way that just assigned your public IPv4
address to your PC with nothing in between. This is how it typically
worked on dial up and how it worked with many early USB ADSL modems. It
was long before anyone thought of giving home users IPv6 addresses. Zen
have probably just left their settings as they were since there wasn't
any overwhelming reason to change anything.
--
Brian Gregory (in England).
Andy Burns
2020-08-21 19:10:39 UTC
Post by Graham J
Also: "One thing to note about the Fritz is that it only allows 1 ping
request at any one time and this is the default for all the Fritzbox
firmwares."
fair enough, I can understand *some* rate limiting of ping traffic
Post by Graham J
So using F8Lure for monitoring the reliability of the connection won't
work: it sends pings from two different IP addresses.
This almost certainly explains the intermittent nature of ping replies.
Also lets every script kiddie out there interfere with your ping
reliability tests.