Best Of

Thank you for your help James.

I apologise for the delay with my response. The past three weeks have been a nightmare and now I have &^%&^$% COVID, so I am quarantined at home! Anyway, I had a whole afternoon of consciousness to work on this problem that crept up to #1 on the to do list.

I dragged out an out of support T35-W NFR box (updated with 12.5.9 Update 2) and factory reset the box, and followed these steps:
1. Obtain the MAC address of a spare (and not a POE port - the Ethernet port supports a non-standard POE and can self-destruct) on the Firebox. You also need to have one port set to the default 10.0.1.1 address so that you can connect via a PC and check that everything is working.
2. Set the Firebox port to Type External and DHCP - no other changes to the default except to give the port a name (e.g. External-4G) and a description.
3. Connect the USB cable from a PC to the TRB140.
4. Log into the TRB 140 portal using the default settings.
5. On the TRB 140, which was previously also factory reset, I set the timezone and changed the Mobile Mode to "Passthrough" and added the MAC address of the FireBox port obtained in step 1. Save these settings and wait for a minute or so.
6. Power down the TRB140 and remove the USB cable.
7. Connect a cat6 cable from the Firebox port to the Ethernet port on the TRB140. Connect a PC to the LAN port on the Firebox and no connection in the WAN port.
8. Switch on the TRB 140 and wait about 5 mins.
9. Switch on the Firebox and wait for it to boot.
10. From the PC log into the WebUI, traverse to Dashboard > Interfaces and you should see the External-4G port is now working with a populated IP address.

So why did it not work when I tried this weeks ago?
1. I attempted to do this in a production environment thinking that this will take 5 minutes - and broke one of my own golden rules. Even when I realised that two hours had passed, I did not fall back to basics.

2. The Firebox that was used for the original configuration attempt is one that sits in front of three other Fireboxes. The problem is that the second external port will not populate while the External link is up. I did think of this and pulled the External link late at night, but it still did not work.

3. That Firebox is also configured to autoblock IP addresses that generate unhandled external packets that try to do naughty things. I noticed, while watching the T35-W that the TRB140 sends a port 67 packet briefly and I suspect that the Firebox blocked the TRB140's traffic thereafter.

Anyway, it all works now and I have given myself the "slap of awareness".

And the issues are?

If your incoming bandwidth is near maxed out, then there is nothing that you can do other than to talk to your ISP about it - to see if there is anything that they can do to block some of the DDOS packets at their end.

Are your connection counts substantially higher than normal?
If so, and if you can find out what packet type(s) are being sent for the DDoS attack and you allow that packet type through your firewall, then you can set a fairly short custom timeout on TCP policies which are allowing these packet types. The default TCP timeout is 60 mins.

@xxup
Without any other info to work on, my hunch is that the upstream device is shutting the connection down unless it sees something specific (perhaps a internet connectivity check from windows, or a DNS query) and simply not bringing it back up till it sees that again.

If you're able to, I would suggest querying the manufacturer of that device and asking what specifically it's looking to see /if/ that is the case.

For example, when the firebox is controlling the 4G USB dongle, it will actually hang up the connection (or disconnect it) rather than leaving it on/open at all times. When the connection is needed, the firebox dials the connect command that's specified for that modem type to make the connection start. Since the TRB140 is doing all that transparently, it's likely waiting for something to happen to do that.

Once we know what it is, it should be trivial to make a PBR/SDWAN type rule to force what it's looking for out that connection to get it online.