Wireless client ARP caching, or the worst kind of high-tech laziness

As I no longer work as the senior network engineer at Plantronics, I have been reconfiguring an old Cisco 8xxW series device for use as my local router/gateway.  Given that I no longer administer a WLC, I am configuring the access point in autonomous mode.  I have been suffering for the last couple days because everything was working terrifically, except that I no longer had connectivity between wireless devices.

More specifically, wireless clients could connect to wired clients, and vice versa.  Wireless clients could not interact with other wireless clients, unless the ARP request happened in the first few moments after one of the wireless clients authenticated (before the AP added the client’s IP address to it’s internal table).  After much gnashing of teeth, packet traces, and web searches related to things like PSPF, I found this little gem on Cisco’s website:

When the wireless device receives an ARP request for an IP address not in the cache, the wireless device drops the request and does not forward it. In its beacon, the wireless device includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life. (link)

As it turns out, all that is required is for my access point to actually respond to client ARP requests instead of sometimes forwarding the requests (dropped by the client) or dropping them out of hand.  I tested both of these, and they both worked great.

dot11 arp-cache
dot11 arp-cache optional

Now I have back the functionality I really wanted, which is to say, ARD from my laptop to the Mac Mini in the living room to add more time for children with homework and the burden of parental controls without actually having to get my lazy ass up and walk there.

Laziness rules.

Routing Loops

For amusement value, this is what happens when you have a rogue network engineer who decides to appropriate and advertise an IP network already in use in your enterprise.  IP addresses changed to protect confidentiality.  AddressA is located in China, Routers A-C are located at WHQ in California, and Routers D-H are located in Europe.

>tracert AddressA
Tracing route to AddressA over a maximum of 30 hops
1 1 ms <1 ms <1 ms routerA
2 <1 ms 1 ms <1 ms routerB
3 3 ms 3 ms 3 ms routerC
4 * * * Request timed out.
5 167 ms 162 ms 164 ms routerD
6 165 ms 171 ms 163 ms routerE
7 165 ms 165 ms 164 ms routerF
8 187 ms 189 ms 190 ms routerG
9 190 ms 190 ms 190 ms routerH
10 * * * Request timed out.
11 199 ms 199 ms 202 ms routerD
12 199 ms 211 ms 197 ms routerE
13 200 ms 199 ms 204 ms routerF
14 222 ms 225 ms 225 ms routerG
15 223 ms 224 ms 224 ms routerH
16 * * * Request timed out.
17 233 ms 234 ms 235 ms routerD
18 241 ms 237 ms 233 ms routerE
19 237 ms 234 ms 235 ms routerF
20 258 ms 259 ms 258 ms routerG
21 263 ms 264 ms 260 ms routerH
22 * * * Request timed out.
23 291 ms 321 ms 306 ms routerD
24 319 ms 327 ms 272 ms routerE
25 278 ms 275 ms 269 ms routerF
26 292 ms 295 ms 294 ms routerG
27 294 ms 295 ms 293 ms routerH
28 * * * Request timed out.
29 310 ms 304 ms 309 ms routerD
30 318 ms 304 ms 307 ms routerE
Trace complete.


Blogging in class. Most professors would be upset about students having a laptop open and in use during class, but for some reason, I’m in Computer Science 101 over the summer. Sadly, despite being in E2, the engineering building that’s just a couple of years old, there’s no wireless, so I’ll have to wait to get home to actually publish.

The class is Algorithms and Abstract Data Types, one of the main prerequisites for upper division CS classes (or CMPS, as they abbreviate it here). By and large, it’s a theory class, with 65% of the grade based on homework, midterms, and final, which are, by and large, composed of proofs regarding algorithms. The other 35% comes from 5 programming assignments, in which we’re tasked with implementing abstract data types in Java and ANSI C. The programming assignments are pretty trivial, I’ve done two so far, and they’ve taken about 5 hours each.

We have a midterm on Friday, which is going to be all proofs on induction, recurrence relations, asymptotic notation (Big/Little-O, Big/Little-Omega, and of course, Theta). I’ve taken a lot of upper-division physics, and while this doesn’t compete with Mathematical Methods or 2nd quarter E&M, it is quite more of a challenge than I expected.

It’s more of a challenge for my classmates than it is for me, and I’m close to feeling guilty about how easily I’m managing. All I can do is be compassionate towards those who are less prepared.


I am considering purchasing hosting from Dreamhost for my domains (crcon.net, egbt.us, fryballs.net, kaigen.us), I have a few more questions for them with respect to what they’ll host for me. I’d like to be able to host a private irc server and a private http proxy (squid over stunnel or some such). Also, I want to be able to send outgoing email through them, encrypted (SMTP over TLS with authentication), since my ISP blocks port 25 incoming and outgoing, and I’ve no trust in the people that run their mail gateway.

I also need to replace my linux firewall with a Cisco router which still needs to be configured. Said router has IPSec VPN capability, which will be nice when I’m out and about with the powerbook, and will let me run VLANs on my switch, using the hackish “router on a stick” methodology. I’ll probably reinstall my lunix firewall box with OpenBSD and run some slicked up pf and snort on it in front of my most privatest of networks.

My biggest concern with all of this is having my email hosted offsite (I use IMAP over SSL), and losing a significant amount of speed, since I receive a significant amount of email every day. I’m also trying to figure a way to implement greylisting in this architecture.

Technical Update

Current Services

Now my internet connection is quite fast, as I am wired into my university’s network. However, my incoming port 80 (http) is blocked, as is my incoming and outgoing port 25 (smtp). Given that I own my own domains and more specifically the email to them, smtp service is quite important to me. Malice lives at a friend’s house, and relays mail in and out of my home via a non-standard port (powered by qmail). At the moment, only two websites of any content exist in my domain space, those are EGBT (powered by vBulletin & MySQL) and this blog (powered by Moveable Type & MySQL); these both run on malice, which I believe is connected upstream by a 6/2 dsl line. Nameservice to the domains is provided by technics (master) and malice (slave); malice is the ‘primary’ in the whois records.

Continue reading

Monterey 2600

Came down to the Monterey 2600 meeting tonight, but noone’s around, at either location. Mayhaps their site needs updating. Either way, this is the third failed 2600 meeting attempt, so next time around I’m not driving around just to find an empty coffee shop. Maiki is bothered because he might have to start his own meeting. ;]