11-04-2024 02:10 PM - edited 11-04-2024 02:16 PM
Hi Folks
Cutover from Vermin Media to EE FTTP today.
No changes to my internal systems have been made.
Here's a high-level layout of the network under test:
As depicted, I have given my firewall external interface a static IP of x.x.x.254 and in the EE router, that IP is set as the DMZ IP:
As such, all unsolicited traffic arriving at my EE router WAN interface should be forwarded to x.x.x.254.
Only a subset of ports are getting through (as verified using Wireshark in promiscuous mode from a laptop on the EE box LAN); UDP port 1194 is not forwarded.
This is not correct DMZ operation!
My dynamic DNS services (client within firewall) have correctly updated since disconnecting Virgin Media, so that isn't the issue.
The two top level domains I host from this connection are both reachable on TCP 80/443.
My VPN client (on my Android phone) shows my correct EE v4 public IP (which rules out a DNS issue). It sends the connection initiation packet, but never receives a response from my firewall.
Looking in the Wireshark traffic logs the reason is obvious!
No UDP 1194 traffic is forwarded from my EE box to the DMZ host!
I have cross-checked this by tcpdumping the EE-facing firewall interface and filtering for UDP: no traffic arrives from the EE router.
Self hosted OpenVPN operation in this manner is a "must have" service here as I use it extensively for:
* SIP telephony
* Home Automation
* Remote Security / Telematics
The fault could be the configuration of an upstream firewall, or the capabilities of the EE Hub itself.
If the EE FTTP service is blocking these ports in DMZ mode, then the offering is not fit for purpose under the 2015 Consumer Rights Act.
EE - what steps do you propose to fix this challenge please?
regards
BB
12-04-2024 08:07 AM
Picking up on your comment:
The EE/BT based ones tend to restrict things and try to keep it simple for the average user, and restrict anything too far from what they think is normal!
Whilst I take your point, if they offer a device with a capability, and that capability doesn't work as advertised, then the device is not "fit for purpose" under consumer law, and the issue needs to be resolved.
If no one pulls them up on it, we all continue to get ripped off.
A sad state of affairs, but it seems to be the way of the world today.
Regards
BB
12-04-2024 11:25 AM
We've all pulled them up on it since its inception in Oct '23 on various detailed points on its missing or non-working functionality.
12-04-2024 11:31 AM
Well, I can now confirm, beyond reasonable doubt, that the fault is the DMZ function in the EE router isn't working correctly!
In fact I am currently typing this reply via the OpenVPN connection as "demonstrable proof".
The workaround was indeed to use another router, which quite simply I shouldn't have to do, as DMZ is supposed to be a supported feature of the EE (not so) Smart Hub.
In the spirit of giving back to the community, here is my workaround:
In my junk box I found a c***py old Linksys ACM3200 router which I re-flashed with OpenWRT (because I trust it and it's better than the stock firmware).
I logged in and configured the LAN subnet to my desired range;
The DHCP IP address range to my desired range;
I configured the v4 WAN manually for PPPoE using the details on EE's website:
This setup, to the best of my knowledge, only works for Full Fibre. Fibre to the Cab (FTTC) requires additional VLANs on the WAN side, which out of the box this device doesn't appear to support.
Having saved the config and confirmed the LAN changes worked, I plugged it in place of the EE router:
Within seconds the ONT activity light was flashing, so the Internet was "up".
I went into the Linksys GUI and under:
Network > DHCP and DNS > Static Leases
In there, I found the currently assigned firewall external interface, and set its IP address to my preferred one (avoiding all clashes) and applied it.
Unplugging and re-plugging the firewall Ethernet from the Linksys forced the setting of the required static IP.
I was now ready to tell the Linksys that the firewall was the DMZ host.
In the Linksys under Network > Firewall > Port Forwards I clicked [ADD] and created the following rule:
[SAVE] and [APPLY] buttons then pressed.
From my 4G phone I started the VPN client - it worked instantly - thus proving the blocker was the EE-provided router DMZ function not working correctly.
My SIP phone works, Home Assistant can be accessed, everything appears spot on.
I haven't cancelled the EE visit on Monday as there is a minimum contracted downlink speed issue as well , and I need their guy to see the VPN / DMZ issue with their own eyes so it gets reported to seniors for the good of everyone - not just me.
Hope this helps someone else dig themselves out of the same hole until EE upgrade their routers to fix their shortcomings.
Regards
BB
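For anyone reproducing the workaround, here is what the three GUI steps above (PPPoE WAN, static lease, DMZ port forward) look like as OpenWRT UCI config fragments. This is an added illustration, not BB's actual config or screenshots; the subnet, MAC address and PPPoE credentials are placeholders, and the WAN device name is assumed to be "wan".

```text
# /etc/config/network
# PPPoE on the WAN port; username/password are placeholders,
# take the real values from EE's published PPPoE details.
config interface 'wan'
	option proto 'pppoe'
	option device 'wan'
	option username 'PPPOE_USERNAME_PLACEHOLDER'
	option password 'PPPOE_PASSWORD_PLACEHOLDER'

# /etc/config/dhcp
# Static lease so the firewall's EE-facing interface always gets
# the same address (192.168.1.254 stands in for x.x.x.254 above).
config host
	option name 'firewall-wan'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '192.168.1.254'

# /etc/config/firewall
# DMZ-style forward: no src_dport and proto 'all', so every
# unsolicited packet arriving on WAN (TCP, UDP, anything else)
# is DNATed to the firewall. Only do this when the DMZ host is
# itself a firewall, as in this thread, since it is now fully exposed.
config redirect
	option name 'DMZ-to-firewall'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'all'
	option dest_ip '192.168.1.254'
	option enabled '1'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, the same tcpdump check BB describes (filter on udp port 1194 on the firewall's EE-facing interface while the phone starts the VPN) shows whether the forward is actually working, rather than trusting the router's GUI.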
12-04-2024 11:34 AM - edited 12-04-2024 11:38 AM
I won't mark my previous post (one up) as a solution - because it is only a workaround.
The solution is for EE to update their hub to fix the DMZ feature.
regards
BB
12-04-2024 05:46 PM
@bigbloke thanks for the update, glad you got it working, and handy you had a better spec router to use. 😉
13-04-2024 10:06 AM
The Linksys ACM3200 is the second least reliable router I have ever owned! (The least reliable being a Netgear that was so bad I gave it a sacrificial burning in a chiminea before sending it back to Netgear with a covering letter 🙂)
I originally bought the 3200 to use with OpenWRT as I wanted a second router to bridge house to garden shed on 5.8GHz and re-broadcast the house network on 2.4GHz. However, it suffers from memory corruption when above room temperature, and also has a wonky 5.8GHz 3rd wifi radio, but lasted long enough to prove the point about the EE router (hence it was in my junk box).
Ordered a Draytek via Amazon to serve as its long-term replacement (hopefully here today). Draytek in my experience were like when Datsun became Nissan or Skoda was bought by VAG. Whilst Draytek's early products were nothing to write home about, their current range are sensibly put together, have good menu systems and work exceptionally well - albeit at a higher price point.
regards
BB