Internet Box 3's WiFi does not work correctly

  • The IB3’s WLAN seems to be a minor disaster to me (latest firmware 14.00.50/02003). My network and system are not trivial, but work perfectly without the IB’s WiFi (I maintain WiFi using an Apple Time Capsule). I’ve now tried switching on the IB3’s WLAN and had to observe unspeakable problems:

    1. Problem: I have reserved several IPv4 addresses (via IB3 configuration). I don’t understand how IB3 manages to assign reserved addresses to my devices. Since several of them are connected to the IB (switch in between) via Ethernet cables, network problems would immediately arise when these devices were switched on. It can’t be the case that the WLAN DHCP is happily using reserved addresses! Does anyone know how this happens?

    2. Problem: I adjusted the IB3 SSID name slightly, but otherwise didn’t change anything in the IB3’s WLAN default settings. After this SSID name change, it is almost impossible to connect the iPad (Air 3rd gen.) or iPhone (13 mini) via WLAN. Before the name change, it worked straight away. It takes many minutes until the tick on the iOS device shows a valid connection. On the IB3 I can see what is happening under ‘WLAN steering’ (simultaneous access to the IB via computer) and notice that some of Swisscom’s own IP addresses are used for a short time, but their use does not remain stable. Only when the tick for the fully established connection finally appears on the iOS device after many minutes of dithering (if at all) then a reserved IP address has been used. Horrible!!

    The IB3’s WLAN is simply not usable. My questions: Have others encountered similar problems? If so, can they be fixed or do I have to forget about the IB3’s WLAN?


    Regarding point 1: Of course that shouldn’t be the case. Since I avoid DHCP reservations in my network as much as possible (if I do, I always set the IP on the device itself), I can’t say much about it. Might it help to delete the reservations and recreate them?

    Regarding point 2: I have always had a self-selected SSID for my WiFi at home and have never had any problems with many Apple devices (various iPhones and iPads). Is this only the case the first time you connect, or every time you bring the devices into the reception area?


    Have you tried turning it off and on again?


      PowerMac

      @Andreas F

      I also use fixed IP addresses for the Internet-Box 3 and have never noticed that addresses that had already been reserved were used again for other devices??

      I don’t have such a small network.


      Installations, networking, Internet, computer technology, OS Windows, Apple and Linux.

      @Andreas F

      Nobody has actually asked the most important question yet.

      Have you actually unplugged the Time Capsule or at least turned off the router mode?

      If you get a double no, this would explain all your problems with the IB3 very well.

      Hobby nerd with no economic ties to Swisscom

      Thanks for all the contributions and attempts to help me. I have found the solution in the meantime.

      @Werner First of all, of course I use the Apple Time Capsule (ATC) in “DHCP Only” mode, so it’s not in router mode, otherwise I would have “Double NAT”.

      The problems seem to have come from the fact that I have severely restricted the DHCP range of the IB (192.168.1.3.. 192.168.1.15) so that the IB and the ATC do not get in each other’s way, since with the exception of the Swisscom TV Box (otherwise it doesn’t work without stuttering) I maintain my actual LAN and WLAN behind the ATC. This left only 2 IP addresses unreserved below 192.168.1.15, i.e. 192.168.1.7 and 192.168.1.10. The IB never found it or it took more than 5 minutes to do so (problem 2) or it used a reserved number above 192.168.1.15 (problem 1). If I give the IB the DHCP range of (192.168.1.3.. 192.168.1.99), then the WLAN connections are established within a reasonable time and the IB no longer tries to use strange IP addresses like 169.254.66.6, which of course have nothing to do with my LAN. The fact that the IB is even trying to do this surprises me a little.

      With the less narrow DHCP range, the IB’s WLAN now works well.

      Thanks anyway!

      Hi @Andreas F

      I think I can explain the problem.

      The problems seem to have come from the fact that I have severely restricted the DHCP range of the IB (192.168.1.3.. 192.168.1.15) so that the IB and the ATC do not get in each other’s way, since with the exception of the Swisscom TV Box (otherwise it doesn’t work without stuttering) I maintain my actual LAN and WLAN behind the ATC.

      Solution: You should only operate one DHCP server within a subnet. So you don’t have to “split” the network. Simply deactivate a DHCP server, either on the IB or the TC. (This is how you don’t share networks - multiple independent DHCP servers in the same subnet are, if I may say so directly, worst practice and only cause problems)

      To prevent tracking from being possible, most devices today use a specially generated MAC address for each WLAN. In other words, if you disconnect your iPhone from the TC and connect it to the IB, it looks like a completely new device to the IB and tries to lease a second address.

      Since your DHCP range on the IB was probably overfilled, your device had to wait until the lease time of another address expired and was distributed by the IB. If a device does not manage to lease an address within a while, it automatically assigns itself an APIPA (169.254.x.x) address - the Internet-Box is not involved there 😉.

      Since there is apparently a second DHCP server in the network (the Timecapsule), some of the clients have leased an address from there (with DHCP, the server that responds fastest always wins). Hence the addresses outside the IB range.

      A note at this point: When we talk about a reserved address, we usually mean an address that is permanently bound to a client via a DHCP server (you can do this via the web GUI). Addresses that can be assigned by DHCP are called DHCP pools.

      I hope I was able to shed some light on the matter with this post. Otherwise, please let us know 🙂

      Kind regards

      r00t


      4b 65 69 6e 65 20 4d 61 63 68 74 20 64 65 72 20 6c 65 67 61 63 79 20 49 50 21
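An added example, not part of any post in this thread: a small Python audit that reproduces the three symptoms r00t explains above (exhausted pool, APIPA fallback, leases handed out by a second DHCP server). The pool bounds, the two free addresses and 169.254.66.6 come from the thread; the MAC addresses, the 192.168.1.42 lease and the server addresses 192.168.1.1 and 192.168.1.2 are constructed assumptions.

```python
import ipaddress

# Pool and reservations as described in the thread: 192.168.1.3-15,
# with only .7 and .10 left unreserved.
POOL_FIRST = ipaddress.ip_address("192.168.1.3")
POOL_LAST = ipaddress.ip_address("192.168.1.15")
RESERVED = {ipaddress.ip_address(f"192.168.1.{n}")
            for n in range(3, 16) if n not in (7, 10)}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA / self-assigned

# Constructed observations: (client MAC, address in use, DHCP server that
# acknowledged the lease, or None). Server addresses are assumed.
OBSERVED = [
    ("3c:22:fb:10:20:30", "192.168.1.7", "192.168.1.1"),
    ("a4:83:e7:aa:bb:cc", "192.168.1.10", "192.168.1.1"),
    ("d6:5e:01:02:03:04", "192.168.1.42", "192.168.1.2"),
    ("7a:11:22:33:44:55", "169.254.66.6", None),
]

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set,
    which is how per-network private Wi-Fi MAC addresses are marked."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def free_dynamic(in_use):
    """Pool addresses that are neither reserved nor currently in use."""
    pool = (ipaddress.ip_address(i)
            for i in range(int(POOL_FIRST), int(POOL_LAST) + 1))
    return [ip for ip in pool if ip not in RESERVED and ip not in in_use]

def audit(observed):
    """Return findings for the symptoms discussed in the thread."""
    findings, servers, in_use = [], set(), set()
    for mac, ip_text, server in observed:
        ip = ipaddress.ip_address(ip_text)
        in_use.add(ip)
        if ip in LINK_LOCAL:
            # No DHCP server answered in time; the client picked its own address.
            findings.append(("self-assigned", mac, ip_text, is_randomized(mac)))
            continue
        if server is not None:
            servers.add(server)
        if not POOL_FIRST <= ip <= POOL_LAST:
            # Lease came from somewhere other than the audited pool.
            findings.append(("outside-pool", mac, ip_text, is_randomized(mac)))
    if len(servers) > 1:
        findings.append(("multiple-dhcp-servers", sorted(servers)))
    if not free_dynamic(in_use):
        findings.append(("pool-exhausted", f"{POOL_FIRST}-{POOL_LAST}"))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(finding)
```
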

      @r00t Thanks for the suggestions and explanations.

      I have been using both DHCP servers for a very long time, the one from the IB and the one from the ATC. This has actually worked pretty well so far, although of course I agree that it would be better to just use one. But that doesn’t seem so easy to me for the following reasons. I have been using Swisscom IBs since 2014. Maintaining my system via the IB was a disaster for many years compared to the ATC. In addition, the security of the ATC was far superior to that of the IB (e.g. for a long time the IB only had WPA (no WPA2/WPA3), no protection via MAC addresses) and otherwise the IB software was full of unspeakable bugs for years (which, by the way, is still not really OK today; for example, in all these years I’ve experienced at most twice a firmware rollout for the IBs that didn’t crash my system. Rollouts have even more problems than before; they always mean a lot of maintenance work for me, sic).

      So the most I could do is turn off the DHCP server on the IB. Small question: Then I can no longer use the IB’s WLAN, right? I’m also not entirely sure whether I will still be able to assign the desired IP address to all devices, including switches, without reservations from the IB. It should be possible to start the IB vs. ATC in different sequences, otherwise maintenance will be very difficult. Swisscom wants to be able to carry out firmware rollouts at any time, or I also want to be able to make updates to the ATC at any time, which always means a restart and thus a different order in which the DHCP servers come into play. If I have both DHCP servers running, then I can make consistent reservations in both for the devices for which I want to have fixed IP addresses. That all seems to me to speak in favor of continuing to operate the two DHCP servers, doesn’t it?


      Hi @Andreas F

      Luckily I got one of the golden IBs - mine always networked well 😉.

      In addition, the security at ATC was far superior to that of the IB (e.g. for a long time the IB only had WPA (no WPA2/WPA3), no protection via MAC addresses)

      So the Timecapsule has never supported and will never support WPA/3. Apple is quietly withdrawing from this division, I don’t think there will be any more updates. I would slowly decommission them. Even as a backup NAS, the Timecapsule is no longer a viable solution due to the lack of RAID IMO.

      So the most I could do is turn off the DHCP server on the IB.

      You can, as long as you don’t have an internet booster. (I’m not sure whether the WLAN boxes also use special DHCP options)

      Small question: Then I can no longer use the IB’s WLAN, right?

      Yes - you have already proven it yourself 😉 (IP addresses outside the IB pool).

      I tested it briefly myself and it also works wonderfully with “foreign” DHCP servers.

      You’re trying to introduce a boundary that doesn’t exist. The DHCP servers compete within your entire network - in both WLANs. Since the Timecapsule is logically closer to your devices, it is usually faster. But theoretically you would have to keep all IP reservations twice in your setup, just in case the IB is faster…

      I’m also not entirely sure whether I will still be able to assign the desired IP address to all devices, including switches, without reservations from the IB.

      Attention opinion: In this network environment, DHCP reservations are an unnecessary hack. When was the last time you changed the IP of one of your switches? Simply configure it statically - it’s also better in the case of troubleshooting, then you can ping your way through the network and see where the problem is. If you assign the “static” addresses via DHCP, you never know whether the server was simply down or there is actually a connection problem.

      I would be very interested in your use case for DHCP reservations. If you like, it would be great if you could describe a little why you don’t use “real” static addresses.

      Apart from that: Of course it works. All DHCP clients I know never give up. e.g. Windows:

      _The Windows-based computer tries to re-establish the lease of the IP address. If the Windows computer does not find a DHCP server, it assigns itself an IP address after generating an error message. The computer then broadcasts four discover messages, and after every 5 minutes it repeats the whole procedure until a DHCP server comes on line. A message is then generated stating that communications have been re-established with the DHCP Server._

      It should still be possible to start the IB vs. ATC in different sequences, otherwise maintenance will be very difficult.

      With two asynchronous DHCP servers (different lease DBs) it’s even more difficult - just because you restart the DHCP server, the clients don’t immediately lose all their addresses.

      If I have both DHCP servers running, then I can make consistent reservations in both for the devices for which I want to have fixed IP addresses.

      You’re solving a problem that you wouldn’t have had without reservations 😊.

      That all seems to me to speak in favor of continuing to operate the two DHCP servers, doesn’t it?

      No! 😉

      Kind regards

      r00t


      4b 65 69 6e 65 20 4d 61 63 68 74 20 64 65 72 20 6c 65 67 61 63 79 20 49 50 21


      @Andreas F wrote:

      …..In addition, the security at ATC was far superior to that of the IB (e.g. for a long time the IB only had WPA (no WPA2/WPA3), no protection via MAC addresses)

      1. In my experience, the IBs were able to use WPA2 right from the start. Even the predecessor router “Centro Grande” could already support WPA2…

      2. As is well known, MAC address “filters” are not really a security benefit…


      ….keep on rockin' 🤘🏼🤘🏼🤘🏼

      OT:

      I “disposed of” my ATC last year…

      Were just wastes of energy for me.
      I can also back up the Mac to my “new” NAS. Like the PC.
      The old NAS after more than 10 years of use is about to be thrown away…

      Although it still delivered its service perfectly…

      Exactly, the love energy…

      Wherever she comes from 😉


      #user63


      @r00t wrote:

      I would be very interested in your use case for DHCP reservations. If you like, it would be great if you could describe a little why you don’t rely on “real” static addresses.


      There are certainly several reasons to do something like that. One is convenience. Why should I bother with the sometimes fiddly configuration menus for a static IP when it can also be done centrally from one place?

      Another advantage is clarity. I can see all IPs fixed in this way centrally at a glance.

      And another reason is the clients switching between multiple networks. If the IP address is fixed in the DHCP server via reservation, I can assign the device its own IP in every network. For example, my test Raspi has 192.168.1.15 in the IB3 network and 192.168.10.15 in the cascaded home network. And if I operate this Raspi in the network of my parents without an IP being fixed for this Raspi, it gets an IP from the standard DHCP range of the router of my parents, which is between 192.168.3.100 and 192.168.3.199 and can be addressed directly, without me having to manually take it into the 3-way network.

      The manual address reservation on the IB has never really caused me any problems so far. It actually works reliably.

      @r00t @kaetho These are exactly some of the reasons: Good clarity, central and areas can be organized logically, and when I switch between my office at ETH and at home, my laptop works immediately, without having to always remodel static configurations.

      @POGO 1104 My first IB could only do WPA. MAC address filters actually don’t mean much security gain today, but they did in 2014. In addition, the IB’s configuration software was so bad and so slow for years that I simply didn’t have time to mess around with it to configure my system. With the ATC it was possible to do something like that very well and efficiently. But since the ATC will sooner or later give up the ghost, I’m thinking about what to do next and am considering switching to the IB WLAN, which led to the problems mentioned above.

      @r00t @kaetho @POGO 1104 Another reason regarding security was the many ghost devices that had been reported by the IB for years. The world-side port of the IB cannot be closed either, as Swisscom personnel want/need to be able to access it at any time. Especially with the IB software, which had been lousy for years at the time, it was a nightmare to have to wait for something like that to be secure. Since I am one of the more exposed people, I simply didn’t trust the security of the IB and therefore tried to have my actual network behind the IB, which is still the case, by the way. Unfortunately, in my opinion, the IB still doesn’t have bridge mode. The only exception are the home theater devices, which I connected via a switch to an IB port via cable because the TV box didn’t work otherwise.

      @Andreas F wrote:…Unfortunately, in my opinion, the IB still doesn’t have bridge mode.


      But that is no longer a problem today. DDNS on the IB, second router in the DMZ, and there are no disadvantages in daily operation.


      Hi @Andreas F

      Thanks for the insights, I didn’t even think about moving devices, so I can understand that reservations make sense in certain cases 🙂.

      World-side port of the IB cannot be closed because Swisscom personnel want/need to be able to access it at any time. Especially with the IB software, which had been lousy for years at the time, it was a nightmare to have to wait for something like that to be secure. Since I am one of the more exposed people, I simply didn’t trust the security of the IB and therefore tried to have my actual network behind the IB, which is still the case, by the way.

      So behind a box other than the Timecapsule? According to your descriptions so far, everything seems to be in the same subnet. It doesn’t matter which DHCP server assigns the IP, every device can still be accessed from the IB. I don’t see any security gain in your current setup. Or have I misunderstood something?

      As mentioned before, you can’t share networks with DHCP, you would need multiple subnets and a router with ACLs / a firewall in between.

      If you (like me) don’t want Swisscom to be able to look into your home network, you either have to use a third-party router or use double NAT + firewall. If you use port forwarding, you can activate DMZ mode as @kaetho mentioned, then all incoming traffic will be forwarded to the defined host.

      Personally, I have a pfSense behind my IB.

      By the way, the double NAT scenario would be the one in which you should no longer use the IB’s WLAN, since it would be in front of your firewall.

      The only exception are the home theater devices, which I connected via a switch to an IB port via cable because the TV box didn’t work otherwise.

      That is the simplest solution; for me personally the TV-Box also works behind the pfSense, but it requires a bit of configuration work (IGMP proxy, firewall rules that allow multicast traffic, etc.)

      Kind regards

      r00t


      4b 65 69 6e 65 20 4d 61 63 68 74 20 64 65 72 20 6c 65 67 61 63 79 20 49 50 21