EE router DMZ not forwarding UDP 1194 (Self hosted OpenVPN server)

bigbloke (Investigator)

Hi Folks
Cutover from Vermin Media to EE FTTP today.

No changes to my internal systems have been made.

Here's a high level layout of the network under test:

[image: bigbloke_0-1712837549644.png]

As depicted, I have given my firewall external interface a static IP of x.x.x.254 and in the EE router, that IP is set as the DMZ IP:

[image: bigbloke_1-1712837911284.png]

As such, all unsolicited traffic arriving at my EE router WAN interface should be forwarded to x.x.x.254.
Only a subset of ports are getting through (as verified using Wireshark in promiscuous mode from a laptop on the EE box LAN). UDP port 1194 is not forwarded.

This is not correct DMZ operation!

My dynamic DNS services (client within firewall) have correctly updated since disconnecting virgin media
so that isn't the issue.

The two top level domains I host from this connection are both reachable on TCP 80/443. 

My VPN client (on my android phone) shows my correct EE V4 public IP. (which rules out a DNS issue)  It sends the connection initiation packet, but never receives a response from my firewall.

Looking in the Wireshark traffic logs the reason is obvious!
No UDP 1194 traffic is forwarded from my EE box to the DMZ host!

I have cross-checked this by tcpdumping the EE-facing firewall interface and filtering for UDP:
no traffic arrives from the EE router.

Self hosted OpenVPN operation in this manner is a "must have" service here as I use it extensively for:

* SIP telephony
* Home Automation
* Remote Security / Telematics

The fault could be the configuration of an upstream firewall, or the capabilities of the EE Hub itself 

If the EE FTTP service is blocking these ports in DMZ mode, then the offering is not fit for purpose
under the 2015 Consumer Rights Act.

EE - what steps do you propose to fix this challenge please?

regards 

BB
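An OpenVPN-independent version of the tcpdump cross-check described in the post above, added here as an example (not code from the original thread): a small listener for the DMZ host and a prober for an external host. The listener logs and echoes any marked datagram that arrives on the port, so the prober gets a reply only when both the inbound DMZ forward and the return path work; a silent prober together with an empty listener log is exactly the symptom reported (client sends, nothing arrives at the firewall, no reply). The marker string, token, loopback self-test and port choice are constructed for this example.

```python
import socket
import threading
import time

MARKER = b"DMZ-UDP-PROBE:"   # constructed payload prefix, not an OpenVPN packet

def listen(bind_addr, log, port=1194, idle=2.0):
    """Run on the DMZ host: log marked datagrams on `port` and echo them back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(idle)
        try:
            while True:
                data, peer = sock.recvfrom(2048)
                if data.startswith(MARKER):
                    log.append((data, peer))
                    sock.sendto(data, peer)   # echo so the prober gets a verdict
        except OSError:                       # `idle` seconds of silence: stop
            pass

def probe(target, token, port=1194, tries=3, timeout=1.0):
    """Run from outside the EE line: True only if the DMZ host echoed the token."""
    payload = MARKER + token
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            try:
                sock.sendto(payload, (target, port))
                reply, _ = sock.recvfrom(2048)
            except OSError:                   # timeout or ICMP unreachable: retry
                continue
            if reply == payload:
                return True
    return False

def self_test(with_listener=True):
    """Both roles on loopback; with_listener=False reproduces the silent failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]           # a free UDP port on this host
    log = []
    if with_listener:
        worker = threading.Thread(target=listen, args=("127.0.0.1", log, port))
        worker.start()
        time.sleep(0.3)                       # give the listener time to bind
    echoed = probe("127.0.0.1", b"token-1", port=port, tries=2, timeout=0.5)
    if with_listener:
        worker.join()
    return echoed, len(log)
```

On the real run, `listen("x.x.x.254", [])` goes on the DMZ host while OpenVPN is stopped (so port 1194 is free), and `probe("<EE public IP>", b"token")` runs from a host outside the EE connection; the two results then separate "hub did not forward" from "forwarded, but the return path or OpenVPN itself failed".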

Accepted Solution
bigbloke (Investigator)

I won't mark my previous post (one up) as a solution, because it is only a workaround.

The solution is for EE to update their hub to fix the DMZ feature.

regards 

BB

XRaySpeX (Grand Master)

@bigbloke wrote:

As depicted, I have given my firewall external interface a static IP of x.x.x.254 and in the EE router, that IP is set as the DMZ IP: 


What's the REDACTED 'x.x.x'? Shouldn't it be on the same subnet as the router's local IP, i.e. '192.168.1'? In which your DMZ'ed firewall is on the same local IP as the router, i.e. '192.168.1.254'. Clash!

If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE CS: Dial Freephone +44 800 079 8586 - Option 1 for Mobile Phone & Mobile Broadband or Option 2 for Home Broadband & Home Phone

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC => 2020: EE 40 Meg FTTC => 2022: EE 80 Meg FTTC (no landline number)

It's redacted by me as I don't like details of my private network setup on public forums.
They are all in the common /24 subnet:
my router is .1,
the internal firewall is .254,
the DMZ IP is .254.

Either there is an upstream firewall issue, or the EE router DMZ function doesn't work correctly - I cannot even turn off the EE firewall to verify an upstream firewall issue - VERY frustrating!

Regards 

BB

OK, that avoids the hidden complication I envisaged.

bigbloke (Investigator)

Given that there is no way to bypass the EE box firewall and that I have a perfectly serviceable downstream industry grade firewall...

Does the ONT bind to the first MAC address it's presented with?

If I plug my downstream firewall directly into the ONT and power cycle it [the ONT], will it bind to the firewall MAC?

Where does the PPP connection terminate please? In the ONT, or in the EE router?

I either need to get this VPN back up or regress to Vermin Media, as people are depending upon it.

Regards 

BB

I'm not sure I understand your Qs but as I see it ...

The ONT will service any router that has a WAN port fast enough for it.

PPPoE creds are handled by the router on its WAN side.

bigbloke (Investigator)

Thanks for that XRaySpeX.

I will try and bypass the EE box and bridge directly to the ONT as an interim measure.

Failing that, back to Vermin until I get a formal response from EE on Monday.

Regards 

BB

@bigbloke, with your VM setup did you have their router set up as a router, or did you switch it to bridge mode?

If the latter, can you not do away with the EE router and just connect your firewall/server direct to the ONT? It just needs to be able to handle PPPoE and use the standard BT settings.

Hi Mustrum

No, the Vermin router is DOCSIS on the WAN side and doesn't support PPPoE. I use the Vermin / EE box in router mode as it provides me with a "guest wifi" network for work devices and visitors that is outside of the domestic LAN segments.

I will look into a direct firewall to ONT connection tomorrow.

Regards 

BB

Ah OK, that makes it a bit harder. But I guess you will have the same issue with many ISPs, so maybe using your own router might be your best option. The EE/BT based ones tend to restrict things and try to keep it simple for the average user, and restrict anything too far from what they think is normal!