One of the drawbacks to being on a cable modem network is that its architecture can allow you and your neighbors to be on one big LAN. We’ve been running on a cable modem network for over five years, and the possible implications of that have not been apparent until Comcast took over Time Warner a few weeks ago. About a week after I received e-mails telling me that Comcast would be reconfiguring our network and some outages might be encountered, “My Network” within each Mac’s Finder suddenly started including Macs belonging to people we didn’t know. That was disturbing considering all my machines run behind a router with NAT (Network Address Translation). After almost two weeks of research, phone conversations with both Comcast and Earthlink (We are actually Earthlink subscribers for our high-speed.), multiple attempts to reconfigure the router and its firewall, I have finally gotten us back to where we were before the problems began. That’s good. Because no one else was going to help out…
I’m not an expert when it comes to networking. But from what I’ve learned since this problem began, I’m convinced it was due to either Earthlink or Comcast changing the subnet (and they both point fingers back and forth at each other) and some of the basic networking features Apple has incorporated into OS X, specifically Bonjour and Apple Filing Protocol (AFP). The D-Link DGL-4300 router I was running with (as well as a D-Link DIR-655 router I tried) does not seem to properly handle the protocols. In the end, I wound up reconfiguring my network using a new Apple Airport Extreme (802.11N) router and the DGL-4300 to isolate the LAN and create a dual 802.11G and 802.11N network.
For security reasons, I’m not going to release the names of the machines we were seeing in our Finder. When we would log in, because the “intruders” appeared to be on our “local network” (a log entry in one of the system logs confirmed that), OS X would try to automount the drives. (The machines were broadcasting their existence using AFP.) Double-clicking on the shares to manually mount them would fail with a “server not operational” and “check the I.P.” messages. However, if I connected directly to the modem and then tried to access the machines, I could if they didn’t have either password protection or the OS X firewall in place. This was a very dangerous place to be, but I had no way of notifying the machine’s owners without leaving my own machine open to direct attack, something I didn’t want to do.
Along with this, even behind the router, when we would tell iTunes to “Look for shared libraries”, iTunes would find other folks’ iTunes and Limewire music collections. iTunes is only supposed to look on a local subnet, so obviously something had expanded what the definition of local subnet was. Again, unless these music collections were password protected, we could play music from them. There was no way for me to know whether these people intended to leave their music collections open to the world (or some unplanned segment of it) or whether they might be surprised by additional surcharges when they got their next bill for exceeding their bandwidth allocations. From our perspective, the situation was bad since we couldn’t tell if people we didn’t know had access to our iTunes libraries, assuming we put them up for sharing (which I don’t routinely do). Password protecting the libraries did provide a “lock” on them somewhat, but I found it both disturbing and annoying that we were in this situation at all. I told my wife more than once that the only way to solve it might be to move to DSL. Every tech I talked to at both companies didn’t seem to understand a damn thing about subnetting or DHCP, and they were all convinced that these intrusions were coming in over our wireless network. What they didn’t understand was that they were talking to an engineer, and in my first troubleshooting steps I had turned off our wireless, which is normally secured by not broadcasting our SSID and using password security. The intruders and all the other effects were still there.
Worse, when I did some printer reconfiguration as a result of trying to offset the LAN IPs and subnets into something that might cure the problem, I could see three printers (one Brother MFC and a couple of HP Photosmart printers) we didn’t own appearing in my Printer Browser. I could even add them into our own network, even though trying to print to them produced an error. (That said, I didn’t try printing to them using the direct connect Mac-to-modem method. I suspect I could have printed to them had I done that.)
I bought a D-Link DIR-655 N Extreme router and tried setting up the LAN by attaching the DGL-4300 to the DIR-655, but could not isolate our network using them. I set up on the DIR-655 alone but then found that, even with default settings, it was blocking access to websites critical for my wife’s work. So, I returned it and continued to perform research to find something I could do with the DGL-4300 to get us back to normal. But nothing I tried worked.
A few days ago, I downloaded .pdf manuals about Apple’s Airport Extreme 802.11N router. As I dug into the documentation, I began to feel I wanted to try it out to see if it might help us with our problem. I was impressed with the organization and utility of the Airport Utility and thought I might have better luck with it in terms of blocking Apple specific protocol ports. While I had been critical of it in an earlier blog for not having Gigabit Ethernet ports and wrongly critical of its NAT (It doesn’t have a STEALTH mode, but it does have a NAT.), I had a 5 port Gigabit Ethernet switch I could use to keep the Gigabit-equipped Macs at Gigabit speed. I knew, too, that the router would handle Apple protocols better than anyone else. (We have a network printer that can use IP or AppleTalk printing, and my wife’s iMac hooks into our LAN solely by wireless.) I debated about spending the money for almost a week before I took the plunge and only did so because of a happy circumstance. My employer gives out monetary awards for “perfect attendance” over a quarter, and I had just earned a Best Buy $50 gift certificate for being in the lucky bunch. That lowered my out-of-pocket expense for the router to $130, something more in line with Apple’s competition. The clincher came when I read a MacWorld article about setting up a mixed mode (802.11 N and G) wireless network. Moving to such a set-up would solve other problems I had been thinking about, so I decided to buy the Apple router.
Once I got it home, I reviewed the article to make sure I had the set-up straight. Since it had been written assuming the user had two Apple routers, I had to do a bit of translating to set the D-Link router up as the “G”. Still, there really wasn’t much to it. Most of our network stayed right where it was. The major difference lay in putting the D-Link router into Bridge mode, figuring out the correct IP and DNS settings, and plugging its WAN port into one of the Apple Extreme N router’s LAN ports, after I had set up the Apple router using the Airport Utility run on my Mac Pro directly connected to it.
My network is now headed by an Apple Extreme N router which handles the address assignment (DHCP) duties and runs the 802.11N wireless network. My wife’s iMac, her MacBook, and our iPhones all hook into the 802.11G wireless network. My Mac Pro, a D-Link DSM-600 Gigabit Hard Disk, my MacBook Pro (usually), and an HP Laserjet 2100 and an Okidata C3200N printer use the Gigabit portion of the wired Ethernet network. When operating in a portable mode, my MacBook Pro uses the 802.11N wireless leg of the network, as will the Apple TV unit we will probably get by year’s end. (Note: I believe when running under Windows XP, my MacBook Pro will only run at “G” speeds. There is no “N” enabler for a Core 2 Duo unit like mine released before the N model wireless cards became an Apple standard.)
Much to my surprise, our local subnet is now correctly recognized by all the machines. I no longer see “the intruders’” Macs in My Network, pick up their printers when using the Print Center, or see anyone’s shared music libraries but those in my house. Based on what I found out, I suspect the whole problem centered around being assigned a new subnet (with a bunch of Macs…if I had been the only Mac on the subnet, I wouldn’t have seen a thing), possibly a new feature in the Apple router that lets you broadcast Bonjour past the WAN port (which I have absolutely turned off), or that most non-Apple routers can’t tell the difference between machines on our local network and those outside, especially when it comes to AFP over TCP and/or Bonjour.
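As an added example (not code from the original post, nor from Apple or D-Link), the check below applies the subnet reasoning above to a constructed log of Bonjour announcements: it flags AFP, iTunes (DAAP) and printer advertisements whose source address lies outside the home LAN, and shows how widening the on-link prefix on the modem side makes neighbors’ addresses look “local”. The 192.168.1.0/24 home LAN, the TEST-NET sample addresses and the one-line log format are all assumptions.

```python
import ipaddress
import re

# Assumption: the home router hands out 192.168.1.0/24 behind NAT.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample, not a real capture: one announcement per line as a
# Bonjour browser might log it: source address, service type, instance name.
# Off-LAN sources use RFC 5737 TEST-NET addresses.
ANNOUNCEMENTS = """\
192.168.1.10 _afpovertcp._tcp Mac Pro
192.168.1.12 _daap._tcp Wife's iMac library
203.0.113.45 _afpovertcp._tcp Unknown MacBook
203.0.113.77 _daap._tcp Unknown LimeWire library
203.0.113.200 _ipp._tcp Unknown Brother MFC
192.168.1.20 _ipp._tcp Okidata C3200N
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

def parse_announcements(text):
    """Yield (ip_address, service_type, instance_name) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2), m.group(3)

def off_lan_services(text, lan=HOME_LAN):
    """Announcements whose source is not inside the home LAN. With NAT in
    front of the LAN, none of these should ever reach a machine behind it."""
    return [(str(ip), svc, name)
            for ip, svc, name in parse_announcements(text) if ip not in lan]

def looks_local(my_interface, others):
    """Addresses that a host configured with my_interface (address/prefix)
    treats as on-link. Widening the prefix is how neighbors become 'local'."""
    net = ipaddress.ip_interface(my_interface).network
    return [a for a in others if ipaddress.ip_address(a) in net]

if __name__ == "__main__":
    for ip, svc, name in off_lan_services(ANNOUNCEMENTS):
        print(f"off-LAN {svc:18} from {ip:15} ({name})")
    neighbors = ["203.0.113.45", "203.0.113.200", "198.51.100.7"]
    print("/25 mask:", looks_local("203.0.113.10/25", neighbors))
    print("/24 mask:", looks_local("203.0.113.10/24", neighbors))
```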
In any case, I’m happier than a clam that our network is back to working like it used to and I now have a wireless G and N network running at optimal speeds.
In the near future, I may set up a Wired Distributed System (WDS) network using another Apple Extreme N router to hook into my wife’s iMac’s Ethernet port to get her machine up on “N” speeds. But that’s another day and another blog. For now, I’m just happy to be using my network without the conglomerated network Comcast would have left me with.