Wednesday, 17 May 2017

Virgin Media business cable and static IPs

Here is an interesting problem. If you have a Virgin Media cable (not fibre or leased line) connection for business and have requested the static IP service, their sales team will initially try to put you off the static IP, asking if you need it and saying there are some issues with the service, but won't really tell you why!

Well, unfortunately I've now discovered the issue, so I thought I'd post about it so others can be wary of this "business class" service. Firstly, we know how the VM cable network works: they have co-ax to the premises that takes you back to their cabinet, and from there they mux it back to their central exchange. Now the observant among you will note there is no separate cabinet for home or business cable, and no separate links to the exchange for home or business, so at all times you are sharing this portion of the network. Not a huge issue as capacity is normally good, but something to be wary of, as during 'home' hours (after 5pm generally) the service will be noticeably slower.
So this now brings the interesting problem to light: you are connecting to a home service with business features (static IP, etc).


Virgin Media uses a DHCP-based cable network (DOCSIS), so when your router connects it asks for an IP and is given one, from what I'm assuming is kit at the head end (not the cabinet). This is where the problems start: they don't have the ability to add a static allocation from here (probably down to how their pools of IPs are allocated to local exchanges/cabinets, and/or their DHCP servers).

The inside of the street cabinet doesn't reveal much active equipment: the Magnavox amplifier unit is line powered from the main co-ax uplinks (big chunky cables coming in bottom left), which are then split to the cable junctions for end users (bottom middle) and potentially legacy twin-core/pair copper to the right.



This setup of sharing the residential network with business then causes them a headache when a business customer asks for a static IP: how do you solve that with the DOCSIS implementation Virgin Media has used? What they do is create a GRE tunnel from the business hub (Hitron router) to their datacentre, where they allocate the public IP on that end of the tunnel and allow it to connect out from the datacentre. This also allows them to bypass any content control, filtering, etc, as the traffic then emerges from the tunnel at their datacentre rather than from the regular pool.

Most of you are probably hearing the alarm bells ringing now. GRE tunnel to datacentre, so the tunnel is established using the Hitron router on your premises and breakout is somewhere in the VM datacentre network. This to me shows several potential problems, the first being MTU.
Over the GRE tunnel the MTU can and will be reduced; my conversations with VM support suggest this is down to 1440, but I've not fully tested this.
The second is that I'm not sure where/what is doing the NAT for our connection. Although the Hitron allows me to set up DMZ, port forwarding, etc, I'm not clear if this is working through the GRE tunnel or not! This also introduces a further complication: you CANNOT use the Hitron router in modem-only mode, so you HAVE to use the NAT functions on this router, which again is not good for a business class product aimed at people who would want to do their own NAT or control it via their own server, etc. So you're stuck with the firewall and NAT functions on the Hitron, and whilst basic they seem to do what's needed.
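One way to test the 1440 figure rather than take it on trust, as an added example that is not from the original post: binary-search the largest Don't Fragment ping that gets through. It assumes Linux iputils `ping` (`-M do`); `probe` and `find_path_mtu` are names made up for this sketch.

```bash
#!/usr/bin/env bash
# Added example: find the largest IPv4 packet that crosses a path unfragmented.
# Assumes Linux iputils ping; function names are hypothetical.

# probe HOST PAYLOAD: succeed if one echo with the DF bit set and PAYLOAD
# data bytes gets a reply. Override this function to exercise the search
# logic without touching the network.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [MAX_MTU]: binary-search the ICMP payload size and print
# the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
find_path_mtu() {
    local host="$1"
    local max_mtu="${2:-1500}"
    local lo=0
    local hi=$(( max_mtu - 28 ))
    local mid
    # If even an empty echo fails, the host is down or ICMP is filtered,
    # and no MTU conclusion can be drawn.
    probe "$host" "$lo" || { echo "unreachable"; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))   # round up so the range always shrinks
        if probe "$host" "$mid"; then
            lo=$mid                    # fits: try larger
        else
            hi=$(( mid - 1 ))          # too big (or the packet was lost)
        fi
    done
    echo $(( lo + 28 ))
}

# Run only when a target host is supplied on the command line.
if [ -n "${1:-}" ]; then
    find_path_mtu "$1" "${2:-1500}"
fi
```

Run it from a host behind the Hitron against a target that answers ICMP echo; a single lost reply is read as "too big", so repeat the run before trusting a low result.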

That is until you start to use SIP/VOIP. This seems very problematic, as allocating the RTP data ports seems spotty, and registration to a SIP gateway on udp/5060 also seems to be affected: sometimes it works, then stops and won't start again for a long period of time. This is regardless of whether you set up your VOIP server as DMZ, because some issues still remain.
Then you have the major showstopper I hit upon: after some arbitrary time the connection will drop (no surprise, they have to upgrade, have outages, etc) but when it comes back, SIP registrations will FAIL. For some reason packets don't make it out of the Virgin Media network. So from your originating server you can tcpdump and see the traffic, but the receiving end doesn't see it. No matter what you do (reboot the Hitron, reboot your server, re-create connections, etc) it won't recover, and this brings me to a theory. There is some sort of session being held on the remote end of that GRE tunnel for your static IP, and as such it is blocking/stopping new sessions to the same destination IP, causing your SIP registration to fail and your VOIP solution to stop working. This is only my guess, because it depends on what is on the other end of that GRE tunnel and what its involvement is in your connection. It may be some type of firewall, in which case it's trying to keep state of UDP sessions and failing miserably. It may be a router, in which case I'd not be expecting the issues we have seen, but it's still possible.

So far Virgin Media have confirmed that there is a known issue with static IP addresses on their business cable solution, but before you buy they won't go into much detail, and after purchase unfortunately you're stuck in this solution where you can either live with the issues on static IP, or drop back to a dynamic DHCP allocated IP and not have the GRE tunnel.

I suspect the solution to this is to move to a dynamic IP on the service and then switch to modem-only mode so nothing is doing NAT on the connection. I'll post back on further diagnostics that I carry out to further explore what the issue is and if it can be worked around. So far no work-arounds I've tried have worked, other than connecting out using an alternative UDP port for SIP (which most SIP providers won't do).

--Update--
After some conversations with VM they have switched the connection to a dynamic IP. Beware: when they do this they reconfigure things on their side and tell you to reboot the cable modem, and it takes you offline. That's because the GRE tunnel information is still coded into your cable modem. Factory resets using the front button, the rear pin-press button and the control panel interface don't seem to work (the unit doesn't appear to factory reset at all, as settings do not revert to how they were when shipped), so this causes you an outage. In this case Virgin Media had to send an engineer out to do another reset of the cable modem to resolve this. When they did that, the modem connected up and got an IP from the dynamic local pool.
After this the connection was restored, and sure enough the VOIP sessions re-established and maintained their connection to the VOIP provider. (Again, the VOIP server was set up as DMZ target on the Virgin Media Hitron hub.) So this appears to have solved the issue with SIP registrations over the service.


4 comments:

  1. Hi Andy, Thanks for an informative article that explains my painful path. Having found that the VM static IP implementation prevented our VOIP from working we went back to dynamic and subscribed to no-ip for DDNS. I am now trying to get a VPN working and failing miserably. Not what your article is about I appreciate but you clearly know what you are talking about so I wondered if you might have any experience of VPN via DDNS using a Hitron and open to making a few suggestions? I have DDNS configured on the Hitron, I have port forwarding setup on port 1723, 1723 is open on the firewall but I get error Error 807: The network connection between your computer and the VPN server was interrupted. Appreciate any thoughts. Thanks in advance, Rob

    1. Hi Rob,
      (Feel free to email me direct if you want a bit more info)
      So I'm assuming PPTP VPN since it's tcp/1723.
      I suspect you're going to struggle with VPN and the Hitron as you need GRE (value 47) pass-through which on the Hitron I've configured doesn't have an option (Others did have the VPN pass-through option).
      Is your server set up as DMZ on the Hitron? That would be the only way to have a chance of it working, but I'd not be hopeful on this.

      Good luck!

    2. Yes PPTP and I noticed no VPN pass through option on the Hitron although I do on my home router which is a 3 year old residential offering from VM. The server is not in the DMZ and that one cannot be but we do have a couple of machines that could be re-purposed. Will give that a go whilst battering VM support. We did actually have this working but following an outage/reboot we have had nothing since. I guess something changed took effect in the reboot or an update was pushed out but no idea what. If we get anywhere will post back. Thanks for your suggestion. Rob

    3. OK, the issue has been identified and rectified so I thought it worth an update. As part of the process to apply the static IP the firmware on the Hitron is updated to add another section to the menu under the DDNS option on the Admin menu (something about VMB I think but it's gone now). When the static IP is removed remotely the firmware is not reset to the dynamic firmware. Now for most things that didn't seem to matter - we had no issues with speed, reliability etc. However, the VM implementation of static IP obviously conflicts with the VPN usage of the GRE tunnel, making it impossible for us to set up the VPN. A factory reset on the router did not resolve this issue so an engineer came out, replaced the Hitron with a new one, applied our config and boom, VPN up and running.
