Nasty Flaw in Vigor Routers (all models) - Beware!
- Subject: Nasty Flaw in Vigor Routers (all models) - Beware!
- From: "Ian" <ian@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 31 May 2005 15:36:07 +0100
I have in the past been a vocal supporter of Vigor routers (and will
probably remain so) but we have come across an issue in use that means you
really have to beware.
There's a flaw in the Vigor's implementation of the ARP protocol that comes
to light if the subnet mask of the local LAN is anything other than
255.255.255.0, i.e., anything other than a Class C network.
We experienced this on one of our customer's networks and got basically
nowhere with trying to resolve it - helpful but no actual fix was the best
we can say about Draytek's support (they did a lot - remotely checking the
routers, swapping one out etc).
When the same problem happened again for another site, we dug a little
deeper, and found the problem.
I know this description may be incomplete, but bear in mind, I'm trying to
be helpful in my explanation here.
ARP is like a lower level version of DNS. Just as DNS takes a hostname and
finds the IP address, ARP takes an IP address and finds the MAC address for
that device (or the MAC address of the gateway that will lead to that IP
address).
Almost all IP devices don't look up the MAC address fresh each time - they
use a cache to store previous results and make the process faster. (MAC
addresses don't usually change very often)
Vigor routers only have a small ARP Cache - it can hold 256 MAC address/IP
address pairs. The real problem is the way it decides whether it already
"knows" the MAC address for a given host. Basically, it only checks the last
octet of the IP address.
If the subnet mask is 255.255.255.0 (Class C) then only the last octet
matters anyway, so it all works okay.
OTOH, if the subnet mask is 255.255.0.0 (Class B), then the router cannot
tell the difference (for example) between the addresses:
10.1.1.1 and
10.1.2.1
It will not update the ARP cache correctly for these devices, and the
situation is about as random as random can be - sometimes it will talk to
the right device, sometimes it will drop the packet, and sometimes it will
try to talk to the wrong device (which will completely ignore it, as the IP
address is wrong).
This is a known issue for Draytek, and they are working on a fix. It affects
*ALL* models of Draytek router, and is becoming more widely known, so it's
becoming more of an issue for them.
It has been discussed for some time on the Draytek support forums, and a
workaround has been posted. It's not easy, but it can help - basically, in a
Class B environment, you have to ensure that all routers, printers and
servers have a unique last octet in their IP address.
I still think Vigor routers are a great product, but would add the proviso
- for Class C networks *ONLY* until this issue is patched by Draytek.
Ian.
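The cache behaviour Ian describes, and the unique-last-octet workaround, can be checked with a small model. The following is an added example written for this archive page; it is not code from the post or from Draytek, and the two cache classes are assumptions built from the post's description (a 256-slot table indexed by the final octet, beside a normal cache keyed by the full address). The MAC addresses are constructed from the documentation range, and `last_octet_collisions` is a helper for auditing a host inventory against the posted workaround.

```python
import ipaddress
from collections import defaultdict


def _last_octet(ip):
    """Final octet of a dotted-quad IPv4 address as an int (0-255)."""
    return int(ipaddress.IPv4Address(ip)) & 0xFF


class LastOctetArpCache:
    """Hypothetical model of the flaw in the post: entries are indexed by the
    last octet only, so two hosts whose addresses differ in an earlier octet
    share a slot and whichever was learned most recently answers for both."""

    def __init__(self):
        self._slots = {}  # last octet -> (ip, mac); at most 256 entries

    def learn(self, ip, mac):
        self._slots[_last_octet(ip)] = (ip, mac)

    def lookup(self, ip):
        """Return the MAC this cache would use for ip, or None if unknown."""
        entry = self._slots.get(_last_octet(ip))
        return entry[1] if entry else None

    def resolves_correctly(self, ip):
        """True only when the slot for ip actually holds ip itself."""
        entry = self._slots.get(_last_octet(ip))
        return bool(entry) and entry[0] == str(ipaddress.IPv4Address(ip))


class FullAddressArpCache:
    """The normal behaviour: the cache is keyed by the full IPv4 address."""

    def __init__(self):
        self._entries = {}

    def learn(self, ip, mac):
        self._entries[str(ipaddress.IPv4Address(ip))] = mac

    def lookup(self, ip):
        return self._entries.get(str(ipaddress.IPv4Address(ip)))


def last_octet_collisions(hosts, network):
    """Group the addresses inside `network` that share a last octet.

    Returns {last_octet: [ip, ...]} for every octet held by two or more
    hosts; an empty dict means the posted workaround condition is met."""
    net = ipaddress.IPv4Network(network, strict=False)
    groups = defaultdict(list)
    for ip in hosts:
        addr = ipaddress.IPv4Address(ip)
        if addr in net:
            groups[int(addr) & 0xFF].append(str(addr))
    return {octet: ips for octet, ips in groups.items() if len(ips) > 1}


def demo():
    """Replay the post's 10.1.1.1 / 10.1.2.1 example on both cache models.
    MAC addresses are constructed sample values."""
    server = ("10.1.1.1", "00:00:5e:00:53:01")
    printer = ("10.1.2.1", "00:00:5e:00:53:02")
    flawed, correct = LastOctetArpCache(), FullAddressArpCache()
    for ip, mac in (server, printer):
        flawed.learn(ip, mac)
        correct.learn(ip, mac)
    return {
        "flawed_answer_for_server": flawed.lookup(server[0]),
        "flawed_server_ok": flawed.resolves_correctly(server[0]),
        "correct_answer_for_server": correct.lookup(server[0]),
    }


if __name__ == "__main__":
    print(demo())
    # Constructed inventory for a 255.255.0.0 LAN: the first two hosts
    # collide on last octet 1 and would need renumbering under the workaround.
    inventory = ["10.1.1.1", "10.1.2.1", "10.1.3.7", "10.1.0.254"]
    print(last_octet_collisions(inventory, "10.1.0.0/16"))
```

Run stand-alone, the flawed model hands back the printer's MAC when asked for the server, which is the "talks to the wrong device" case in the post; the collision report lists exactly the hosts an administrator would have to renumber so that every router, printer and server keeps a unique last octet.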