EE router DMZ not forwarding UDP 1194 (Self hosted OpenVPN server)

bigbloke (Investigator)

Hi Folks
Cutover from Vermin Media to EE FTTP today.

No changes to my internal systems have been made.

Here's a high-level layout of the network under test:

[image: bigbloke_0-1712837549644.png]

As depicted, I have given my firewall external interface a static IP of x.x.x.254 and in the EE router, that IP is set as the DMZ IP:

[image: bigbloke_1-1712837911284.png]

As such, all unsolicited traffic arriving at my EE router WAN interface should be forwarded to x.x.x.254.
Only a subset of ports are getting through (as verified using Wireshark in promiscuous mode from a laptop on the EE box LAN). UDP port 1194 is not forwarded.

This is not correct DMZ operation!

My dynamic DNS services (client within the firewall) have correctly updated since disconnecting Virgin Media, so that isn't the issue.

The two top-level domains I host from this connection are both reachable on TCP 80/443.

My VPN client (on my Android phone) shows my correct EE v4 public IP (which rules out a DNS issue). It sends the connection initiation packet but never receives a response from my firewall.

Looking in the Wireshark traffic logs, the reason is obvious: no UDP 1194 traffic is forwarded from my EE box to the DMZ host!

I have cross-checked this by tcpdumping the EE-facing firewall interface and filtering for UDP: no traffic arrives from the EE router.

Self-hosted OpenVPN operation in this manner is a "must have" service here, as I use it extensively for:

* SIP telephony
* Home Automation
* Remote Security / Telematics

The fault could be the configuration of an upstream firewall, or the capabilities of the EE Hub itself.

If the EE FTTP service is blocking these ports in DMZ mode, then the offering is not fit for purpose under the 2015 Consumer Rights Act.

EE - what steps do you propose to fix this challenge, please?

regards 

BB



Picking up on your comment:

The EE/BT-based ones tend to restrict things and try to keep it simple for the average user, and restrict anything too far from what they think is normal!

Whilst I take your point, if they offer a device with a capability, and that capability doesn't work as advertised, then the device is not "fit for purpose" under consumer law, and the issue needs to be resolved.

If no one pulls them up on it, we all continue to get ripped off.

A sad state of affairs, but it seems to be the way of the world today.

Regards 

BB


We've all pulled them up on it since its inception in Oct '23, on various detailed points about its missing or non-working functionality.

bigbloke (Investigator)

Well, I can now confirm, beyond reasonable doubt, that the fault is the DMZ function in the EE router not working correctly!

In fact, I am currently typing this reply via the OpenVPN connection as "demonstrable proof".

The workaround was indeed to use another router, which, quite simply, I shouldn't have to do, as DMZ is supposed to be a supported feature of the EE (not so) Smart Hub.

In the spirit of giving back to the community, here is my workaround: 

In my junk box I found a c***py old Linksys ACM3200 router which I re-flashed with OpenWRT (because I trust it and it's better than the stock firmware).

I logged in and configured the LAN subnet to my desired range, and the DHCP IP address range to my desired range.
I configured the v4 WAN manually for PPPoE using the details on EE's website:

[image: bigbloke_0-1712915157466.png]

This setup, to the best of my knowledge, only works for full fibre. Fibre to the Cabinet (FTTC) requires additional VLANs on the WAN side, which out of the box this device doesn't appear to support.

Having saved the config and confirmed the LAN changes worked, I plugged it in place of the EE router:

[image: bigbloke_1-1712915554700.png]

Within seconds the ONT activity light was flashing, so the Internet was "up".

I went into the Linksys' GUI and under:

Network > DHCP and DNS > Static Leases

In there, I found the currently assigned firewall external interface and set its IP address to my preferred one (avoiding all clashes), and applied it.

Unplugging and re-plugging the firewall Ethernet from the Linksys forced the setting of the required static IP.

I was now ready to tell the Linksys that the firewall was the DMZ host.

In the Linksys, under Network > Firewall > Port Forwards, I clicked [ADD] and created the following rule:

[image: bigbloke_2-1712917375948.png]

[SAVE] and [APPLY] buttons were then pressed.

From my 4G phone I started the VPN client. It worked instantly, thus proving the blocker was the EE-provided router's DMZ function not working correctly.

My SIP phone works, Home Assistant can be accessed, everything appears spot on.

I haven't cancelled the EE visit on Monday, as there is a minimum contracted downlink speed issue as well, and I need their guy to see the VPN/DMZ issue with his own eyes so it gets reported to seniors for the good of everyone, not just me.

Hope this helps someone else dig themselves out of the same hole until EE upgrade their routers to fix their shortcomings. 

Regards 

BB

bigbloke (Investigator)

I won't mark my previous post (one up) as a solution, because it is only a workaround.

The solution is for EE to update their hub to fix the DMZ feature.

regards 

BB

@bigbloke thanks for the update, glad you got it working, and handy you had a better-spec router to use. 😉
bigbloke (Investigator)

The Linksys ACM3200 is the second least reliable router I have ever owned! (The least reliable being a Netgear that was so bad I gave it a sacrificial burning in a chiminea before sending it back to Netgear with a covering letter 🙂)

I originally bought the 3200 to use with OpenWRT, as I wanted a second router to bridge house to garden shed on 5.8 GHz and re-broadcast the house network on 2.4 GHz. However, it suffers from memory corruption when above room temperature, and also has a wonky 5.8 GHz third Wi-Fi radio, but it lasted long enough to prove the point about the EE router (hence it was in my junk box).

Ordered a DrayTek via Amazon to serve as its long-term replacement (hopefully here today). DrayTek, in my experience, were like when Datsun became Nissan or Skoda was bought by VAG. Whilst DrayTek's early products were nothing to write home about, their current range is sensibly put together, has good menu systems and works exceptionally well, albeit at a higher price point.

regards 

BB