Wednesday, 17 May 2017

Virgin Media business cable and static IPs

Here is an interesting problem, if you have a Virgin Media cable (Not fibre or leased line) connection (for business) and have requested the static IP service, initially their sales will try and put you off the static IP asking if you need it and saying there are some issues with the service, but won't really tell you why!

Well unfortunately I've now discovered the issue, so thought I'd post about it for others to be wary of this "business class" service. Firstly, we know how the VM cable network works, they have co-ax to the premises that take you back to their cabinet, from there they mux it back to their central exchange. Now the observant of you will note, no separate cabinet for home or business cable, no separate links to the exchange for home or business, so at all times you are sharing this portion of the network. Not a huge issue as capacity is normally good, but something to be weary of that during 'home' hours (after 5pm generally) the service will be noticeably slower.
So this now bring the interesting problem to light, you are connecting to a home service with business features (static IP, etc).

Virgin Media uses a DHCP-based cable network (DOCSIS) and so when your router connects it asks for an IP and is given it, from what I'm assuming is kit at the head end (not cabinet). This is where the problems start, they don't have the ability to add a static allocation from here (Probably how their pools of IPs are allocated to local exchanges/cabinets, and/or their DHCP servers).

Inside the street cabinet doesn't reveal much active equipment, the magnavox amplifier unit is line powered from the main co-ax uplinks (Big chunky cables coming in bottom left) and then split to the cable junctions to end users (bottom middle) and potentially legacy twin-core/pair copper to the right.

This setup of sharing the residential with business then causes them a headache when a business customer asks for a static IP, how to solve that with the DOCSIS implementation Virgin Media has used? What they do is create a GRE tunnel using the business hub (Hitron router) to their datacentre, where they allocate the public IP on that end of the tunnel and allow it to connect out from the datacentre. This also allows them to bypass any content control, filtering, etc, as it is then emerging from the tunnel at their datacentre rather than the regular pool.

Most of you are probably hearing the alarm bells ringing now. GRE tunnel to datacentre, so the tunnel is established using the Hitron router on your premises and breakout is somewhere in the VM datacentre network. This to me shows several potential problems, the first being MTU.
Over the GRE tunnel MTU can and will be reduced, my conversations with VM support suggest this is down to 1440 but I've not fully tested this.
The second is that I'm not not sure where/what is doing the NAT for our connection. Although the Hitron allows me to setup DMZ, port forwarding, etc, I'm not clear if this is working through the GRE tunnel or not! This also introduces a further complication, you CANNOT use the Hitron router in modem-only mode, so you HAVE to use the NAT functions on this router, again not good for a business class product aimed at people who would want to do their own NAT or control via their own server, etc. So you're stuck with the firewall and NAT functions on the Hitron, and whilst basic they seem to do what's needed.

That is until you start to use SIP/VOIP. This seems very problematic, as allocating the RTP data ports seems spotty, registration to a SIP gateway on udp/5060 also seems to be affected as sometimes it works, then stops and won't start again for a long period of time. This is regardless of if you setup your voip server as DMZ because some issues still remain.
Then you have the major showstopper I hit upon, after some arbitrary time the connection will drop (no surprise, they have to upgrade, have outages, etc) but when it comes back, SIP registrations will FAIL. For some reason packets don't make it out of the Virgin Media network. So from your originating server, you can tcpdump and see the traffic, but the receiving end doesn't see it. No matter what you do (reboot Hitron, reboot your server, re-recreate connections, etc) it won't recover, and this brings me to a theory. There is some sort of session being held on the remote end of that GRE tunnel for your static IP. And as such it is blocking/stopping new sessions to the same destination IP, causing your SIP registration to fail and your VOIP solution to stop working. My guess on this is because it depends on what is on the other end of that GRE tunnel, and what it's involvement is in your connection. It may be some type of firewall, in which case it's trying to keep state of UDP sessions and failing miserably. It may be a router, in which case I'd not be expecting the issues we have seen, but it's still possible.

So far Virgin Media have confirmed that there is a known issue with static IP addresses on their business cable solution, but before you buy they won't go into much detail, and after purchase unfortunately you're stuck in this solution where you can either live with the issues on static IP, or drop back to a dynamic DHCP allocated IP and not have the GRE tunnel.

I suspect the solution to this is to move to a dynamic IP on the service and then switch to modem-only mode so nothing is doing NAT on the connection. I'll post back on further diagnostics that I carry out to further explore what the issue is and if it can be worked around. So far no work-arounds I've tried have worked, other then connection out using an alternative UDP port for SIP (Which most SIP providers won't do).

After some conversations with VM they have switched the connection to a dynamic IP. Beware, as when they do this they reconfigure things their side, tell you to reboot the cable modem and it takes you offline. That's because the GRE tunnel information is still coded into your cable modem. Factory resets using the front button, rear pin press button and control panel interface for factory reset doesn't seem to work (Doesn't appear to factory reset at all as settings do not revert to when shipped) so this causes you outage. In this case Virgin Media had to send an engineer out to do another reset to the cable modem to resolve this. When they did that the modem connected up and got an IP from the dynamic local pool.
After this connection was restored, and sure enough the VOIP sessions re-established and maintained their connection to the VOIP provider. (Again the VOIP server was setup as DMZ target on the Virgin Media Hitron hub) So this has appeared to solve the issue with SIP registrations over the service.


  1. Hi Andy, Thanks for an informative article that explains my painful path. Having found that the VM static IP implementation prevented our VOIP from working we went back to dynamic and subscribed to no-ip for DDNS. I am now trying to get a VPN working and failing miserably. Not what your article is about I appreciate but you clearly know what you are talking about so I wondered if you might have any experience of VPN via DDNS using a Hitron and open to making a few suggestions? I have DDNS configured on the Hitron, I have port forwarding setup on port 1723, 1723 is open on the firewall but I get error Error 807: The network connection between your computer and the VPN server was interrupted. Appreciate any thoughts. Thanks in advance, Rob

    1. Hi Rob,
      (Feel free to email me direct if you want a bit more info)
      So I'm assuming PPTP VPN since it's tcp/1723.
      I suspect you're going to struggle with VPN and the Hitron as you need GRE (value 47) pass-through which on the Hitron I've configured doesn't have an option (Others did have the VPN pass-through option).
      Is your server setup as DMZ on the Hitron as that would be the only way to have a chance of it working, but I'd not be hopeful on this.

      Good luck!

    2. Yes PPTP and I noticed no VPN pass through option on the Hitron although I do on my home router which is a 3 year old residential offering from VM. The server is not in the DMZ and that one cannot be but we do have a couple of machines that could be re-purposed. Will give that a go whilst battering VM support. We did actually have this working but following an outage/reboot we have had nothing since. I guess something changed took effect in the reboot or an update was pushed out but no idea what. If we get anywhere will post back. Thanks for your suggestion. Rob

    3. OK, the issue has been identified and rectified so I thought it worth an update. As part of the process to apply the static IP the firmware on the Hitron is updated to add another section to the menu under the DDNS option on the Admin menu (something about VMB I think but it's gone now) When the static IP is removed remotely the firmware is not reset to the dynamic firmware. Now for most things that didn't seem to matter - we had no issues with speed, reliability etc, however, the VM implementation of static IP obviously conflicts with the VPN usage of the GRE tunnel making it impossible for us to set up the VPN. A factory reset on the router did not resolve this issue so an engineer came out, replaced the Hitron with a new one, applied our config and boom VPN up and running.

  2. Hi Andy

    Just a quick note to say thanks for the article. I read this (and many other derogatory posts) about VMB before I decided to go ahead. I took the risk and went ahead anyway as many of the problems didn't really apply to me. So I thought I'd offer my feedback to any others who find it.

    I can't comment on SIP/VOIP, but so far the static IP seems to work as well as a "real" static IP would. It is reliable, and I haven't had a network outage in my first 4 months. The failure to support Modem mode is irritating, but port forwarding from the Hitron to my router and then doing NAT on my router seems to work well. I run very low traffic, so I cannot comment on the effect of this on performance.

    The VMB customer service is terrible, compared to the VM service which I always found good. Keep an eye on your bills. But if everything keeps working, then hopefully customer service isn't something you need to deal with often.

    All in all, VMB was my only choice for a static IP, so I chose them and have no regrets.

  3. Interesting topic for a blog. I have been searching the Internet for fun and came upon your website. Fabulous post. Thanks a ton for sharing your knowledge! It is great to see that some people still put in an effort into managing their websites. I'll be sure to check back again real soon. vpn reviews

  4. I've just come across your blog in my quest to try and understand why I'm unable to get an IPSec VPN to work correctly over a VMB (static IP) connection. The VPN was working just fine, albeit slowly, over a BT ADSL connection before we switched to VMB. If I've understood correctly, if we're to stand a chance of getting this to work we need to ask VMB to revert back to a dynamic IP connection, and this is necessary because it's the only way the Hitron device can be configured to operate in true modem only mode, right? Then having done that we need to use a DDNS service to ensure we have a constant identifier for the VMB WAN address of the connection. I hope I've understood correctly? Man alive! It's been a painful journey with VMB so far. :-/

    1. Hi Keith, yes that would be why as you're applying a VPN over a VPN and it won't interact nicely at all!

      So my recommendation as you say is revert to a dynamic IP address with VM and use or similar to maintain your ip/hostname match. In practice I've had this in place for over 6 months and the IP hasn't changed once, even during maintenance, power failures, etc, so practically the IP doesn't change.

      Hope you get it solved, please do post back when you solve it for you to confirm that did the job!

    2. Thanks for your help and for confirming my understanding of where I need to head next with this, Andy. This is so helpful! I've burned so much time in troubleshooting this so far. Will get busy with these changes and will report back with the results in due course. I also understand from reading Rob M's post that the Hitron may not revert back nicely to dynamic mode. But at least I know to look out for that landmine :)

  5. RCA aux cable - This compose is made particular for TVs and computer game consoles. They are expected to get the video and sound starting with one gadget then onto the next.Top 10 best aux cables

  6. I like this post,And I figure that they having a great time to peruse this post,they might take a decent site to make an information,thanks for sharing it to me. the best vpn uk

  7. That gives off an impression of being fabulous anyway i am still not very beyond any doubt that I like it. At any rate will look much more into it and choose by and by!

  8. I'm constantly searching on the internet for posts that will help me. Too much is clearly to learn about this. I believe you created good quality items in Functions also. Keep working, congrats! click here

  9. "What’s up friends, pleasant piece of writing and good arguments commented
    at this place, I am really enjoying by these."
    Regards: Dream Market

  10. Extraordinary things you've generally imparted to us. Simply continue written work this sort of posts.The time which was squandered in going for educational cost now it can be utilized for studies.Thanks

  11. Thank you very much for this great post. I read that Post and got it fine and informative. Please share more like that. Finde mehr heraus

  12. Your blogs are easily accessible and quite enlightening so keep doing the amazing work guys.

  13. Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging,

  14. I’m so happy to read this. This is the kind of manual that needs to be given and not the accidental misinformation that is at the other blogs. Appreciate your sharing this greatest doc.
    I’m so happy to read this. This is the kind of manual that needs to be given and not the accidental misinformation that is at the other blogs. Appreciate your sharing this greatest doc.

  15. "An impressive share! I have just forwarded this onto a coworker who had been doing a little
    homework on this. And he actually ordered me dinner simply because
    I found it for him… lol. So allow me to reword this….
    Thank YOU for the meal!! But yeah, thanks for spending some time to discuss
    this topic here on your blog."

  16. Pretty much all screen capture plugins can take screenshots of a whole page. I am using Nimbus but they can pretty much all do it. With Nimbus, you can select between capturing the whole page, only the visible part or a selected area ... then you can edit it if you need (crop it, blur some parts, add arrows to point something, add texts, circle things, etc...). I really recommend it instead of the one you talked about in the article.

  17. Awesome article, it was exceptionally helpful! I simply began in this and I'm becoming more acquainted with it better! Cheers, keep doing awesome! smm panels list

  18. I would like to say that this blog really convinced me to do it! Thanks, very good post. Bitcoin Trader

  19. it was a wonderful chance to visit this kind of site and I am happy to know. thank you so much for giving us a chance to have this opportunity.. tmdesign