The rich and powerful route packets however they want. We steal them back for you.

I was contacted by a friend who was struggling with internet drop-outs at one of their business sites. Their router no longer had a functional WAN backup, mostly because Sprint ceased to exist, so internet outages led to an inability to take payments.

Z was getting nowhere with support for this firewall appliance; however he was particularly confused by the guy saying there were “multiple ARP entries” on the WAN interface. I tried to explain it and said that while it was not typical, it was not necessarily problematic.

A few days later Z calls me, because he knows I’m too chickenshit to send him an invoice, so I spent like 2 hours of my holiday weekend unravelling one of the most cursed networks I’ve ever seen.

To set the scene let’s look at the topology MAKO wants you to have:

  • ISP network interface (ONT, modem, etc.) -> MAKO wan port
    • lan1 connected to a switch (L2) consisting of payment terminals
    • lan2 connected to a switch (L2) consisting of the payment “commander”
    • lan3 connected to the “back office” PC
    • lan4 as an additional user network

It’s breathtaking. However here is what we actually had:

  • ISP router pulling a WAN IP
    • cord going off to do VOIP things with “persons unknown”
    • Switch connecting smart TVs, cameras, etc.
      • another switch (5 port)
        • connecting the fuel management unit to the internet
        • also connects the MAKO’s wan port (giving it a LAN IP)
          • a unifi usw24 connected to the lan1 port
            • both the pymt terminals AND the commander connected to this managed switch.
      • Netgear AP/router (not sure if its actually acting as a router)
        • another switch (oh god)
          • probably some label printers and shit idk
          • the fuel management unit (LAN side)
          • the “back office PC”

The mako’s lan1 port goes to a managed switch which does god knows what. (Managed, in this case, means “managed by someone else” AKA not my problem. LOL!)

“Back-office” switch

The back office switch.


“Front-office” tentacle doujin

The stuff nightmares are made of.


Mako the best of it

At this point I’m trying to unravel this topology and suggesting we simplify the network to match the diagram presented by the Mako firewall people. However my friend Z is having none of that, because he doesn’t want to incur downtime run more cables.

At some point we are looking inside the Mako to try and determine how we would configure it to act as the primary router/fierwall. I hover over something on a diagnostic page and Z asks me “do you think it’s weird that this WAN port has only been up for [x hours] but the lan has been up for [x+y hours]?”

WELL YEAH I AGREE: THAT’S FUCKING WEIRD.

At this point we are looking at cables and switch ports, trying to identify a potentially bad switch, cable, port, etc. when something catches my eye. This one blue wire, the wire we’ve identified as being the mako’s wire, the wire for the mako, was hand-crimped. It was also crimped incorrectly, it looks like the first Ethernet cable I ever made: the jacket is sticking way outside the 8p8c.

I tell him: “that cable is sus.” He’s like “what do you mean it’s sus it looks great. There’s no possible way it could be this cable.” I’m like “dood that cable looks like I made it, and that’s a problem because all my cables are shit.”

Z happens to have like “entirely too many feet” of commercially produced cable for reasons unknown, so I talk him into replacing that drop. The rest, as they say, is history.

“sus”

Once this cable was liberated Z commented on its complete disrespect of the minimum bend-radius:

“bend radius”

“Mako update: no outages since cable replacement”

  • Z @ 2022/07/07 10:17 PM CST