Wednesday 17 May 2017

Virgin Media business cable and static IPs

Here is an interesting problem, if you have a Virgin Media cable (Not fibre or leased line) connection (for business) and have requested the static IP service, initially their sales will try and put you off the static IP asking if you need it and saying there are some issues with the service, but won't really tell you why!

Well unfortunately I've now discovered the issue, so thought I'd post about it for others to be wary of this "business class" service. Firstly, we know how the VM cable network works, they have co-ax to the premises that takes you back to their cabinet, from there they mux it back to their central exchange. Now the observant of you will note, no separate cabinet for home or business cable, no separate links to the exchange for home or business, so at all times you are sharing this portion of the network. Not a huge issue as capacity is normally good, but something to be wary of is that during 'home' hours (after 5pm generally) the service will be noticeably slower.
So this now brings the interesting problem to light: you are connecting to a home service with business features (static IP, etc).


Virgin Media uses a DHCP-based cable network (DOCSIS) and so when your router connects it asks for an IP and is given it, from what I'm assuming is kit at the head end (not cabinet). This is where the problems start, they don't have the ability to add a static allocation from here (Probably how their pools of IPs are allocated to local exchanges/cabinets, and/or their DHCP servers).

The inside of the street cabinet doesn't reveal much active equipment: the Magnavox amplifier unit is line powered from the main co-ax uplinks (big chunky cables coming in bottom left) and then split to the cable junctions to end users (bottom middle) and potentially legacy twin-core/pair copper to the right.



This setup of sharing the residential with business then causes them a headache when a business customer asks for a static IP, how to solve that with the DOCSIS implementation Virgin Media has used? What they do is create a GRE tunnel using the business hub (Hitron router) to their datacentre, where they allocate the public IP on that end of the tunnel and allow it to connect out from the datacentre. This also allows them to bypass any content control, filtering, etc, as it is then emerging from the tunnel at their datacentre rather than the regular pool.

Most of you are probably hearing the alarm bells ringing now. GRE tunnel to datacentre, so the tunnel is established using the Hitron router on your premises and breakout is somewhere in the VM datacentre network. This to me shows several potential problems, the first being MTU.
Over the GRE tunnel MTU can and will be reduced, my conversations with VM support suggest this is down to 1440 but I've not fully tested this.
The second is that I'm not sure where/what is doing the NAT for our connection. Although the Hitron allows me to set up DMZ, port forwarding, etc, I'm not clear if this is working through the GRE tunnel or not! This also introduces a further complication, you CANNOT use the Hitron router in modem-only mode, so you HAVE to use the NAT functions on this router, again not good for a business class product aimed at people who would want to do their own NAT or control via their own server, etc. So you're stuck with the firewall and NAT functions on the Hitron, and whilst basic they seem to do what's needed.
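
One way to test the reduced-MTU figure mentioned above, as an added example that is not part of the original post: a binary search using Don't-Fragment pings to find the largest packet that crosses the link unfragmented. It assumes Linux iputils ping, and the target is a host you control on the far side of the connection.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_probe(host, payload):
    """True if one DF-flagged echo request with this payload size gets a reply."""
    # Linux iputils ping: -M do sets Don't Fragment, -s is the ICMP payload size
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(host, probe=ping_probe, low=576, high=1500):
    """Binary-search the largest IPv4 packet size that passes unfragmented.

    Returns None if even `low` fails (host down, or ICMP filtered on the path).
    """
    if not probe(host, low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            low = mid        # this size got through, try larger
        else:
            high = mid - 1   # too big for some hop, try smaller
    return low


def tcp_mss(mtu):
    """MSS to clamp to on your own firewall: MTU minus IPv4 and TCP headers."""
    return mtu - 40


if __name__ == "__main__":
    import sys
    mtu = find_path_mtu(sys.argv[1])
    print("no reply" if mtu is None else f"path MTU {mtu}, TCP MSS {tcp_mss(mtu)}")
```

A single lost reply is read as "too big", so run it a few times and take the largest result.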

That is until you start to use SIP/VOIP. This seems very problematic, as allocating the RTP data ports seems spotty, registration to a SIP gateway on udp/5060 also seems to be affected as sometimes it works, then stops and won't start again for a long period of time. This is regardless of whether you set up your VOIP server as DMZ, because some issues still remain.
Then you have the major showstopper I hit upon, after some arbitrary time the connection will drop (no surprise, they have to upgrade, have outages, etc) but when it comes back, SIP registrations will FAIL. For some reason packets don't make it out of the Virgin Media network. So from your originating server, you can tcpdump and see the traffic, but the receiving end doesn't see it. No matter what you do (reboot Hitron, reboot your server, re-create connections, etc) it won't recover, and this brings me to a theory. There is some sort of session being held on the remote end of that GRE tunnel for your static IP. And as such it is blocking/stopping new sessions to the same destination IP, causing your SIP registration to fail and your VOIP solution to stop working. My guess on this is because it depends on what is on the other end of that GRE tunnel, and what its involvement is in your connection. It may be some type of firewall, in which case it's trying to keep state of UDP sessions and failing miserably. It may be a router, in which case I'd not be expecting the issues we have seen, but it's still possible.

So far Virgin Media have confirmed that there is a known issue with static IP addresses on their business cable solution, but before you buy they won't go into much detail, and after purchase unfortunately you're stuck in this solution where you can either live with the issues on static IP, or drop back to a dynamic DHCP allocated IP and not have the GRE tunnel.

I suspect the solution to this is to move to a dynamic IP on the service and then switch to modem-only mode so nothing is doing NAT on the connection. I'll post back on further diagnostics that I carry out to further explore what the issue is and if it can be worked around. So far no work-arounds I've tried have worked, other than connecting out using an alternative UDP port for SIP (which most SIP providers won't do).

--Update--
After some conversations with VM they have switched the connection to a dynamic IP. Beware, as when they do this they reconfigure things their side, tell you to reboot the cable modem and it takes you offline. That's because the GRE tunnel information is still coded into your cable modem. Factory resets using the front button, rear pin press button and control panel interface for factory reset don't seem to work (it doesn't appear to factory reset at all, as settings do not revert to when shipped) so this causes you an outage. In this case Virgin Media had to send an engineer out to do another reset to the cable modem to resolve this. When they did that the modem connected up and got an IP from the dynamic local pool.
After this the connection was restored, and sure enough the VOIP sessions re-established and maintained their connection to the VOIP provider. (Again the VOIP server was set up as DMZ target on the Virgin Media Hitron hub.) So this has appeared to solve the issue with SIP registrations over the service.


Mattressnextday - delivery the day after @mattressnextday

You'd think a company advertising their name as mattressnextday.co.uk would be able to deliver a Mattress the next day? (Obviously within certain rules, before x time cut-off, except bank holidays, weekends, etc).
So when I ordered a mattress on a Friday at 10am and when asked for delivery dates (specifically by their website) and I chose the following Tuesday, that you'd expect them to manage that delivery day?
The delivery time schedule was one of those horrible all day things, 8am-6pm so my wife duly waited in all day, it got to 4pm and still no sign which is usually a bad indication! Sure enough, no delivery at all.
I emailed mattressnextday.co.uk and I've still not had a reply to this (Delivery was supposed to be Tuesday, almost end of Wednesday and not even a quick reply via email). But the mattress turns up Wednesday morning 08:50 without any warning! Luckily my wife was home and accepted the delivery, not even a sorry or any kind of message about being a day late!

Will keep waiting for the reply back from mattressnextday.co.uk and see what they say.
I checked and mattresspossiblynextday.co.uk is available to register, perhaps they should try that url instead?

Friday 12 May 2017

TP-Link HS100 wireless switches for home automation

So my ongoing quest for ultimate home automation continues, and I'm still looking for the best solution for controlling sockets using my home automation server (Ubuntu) which allows me to check the current state of the socket, change it to on/off and also be able to be put anywhere in the house and still controlled (without ethernet to it).

I've gone through several different solutions over the years, one that was in for a while was X10 which used signals over the mains powerline through the house. This worked but had many flaws, ultimately the devices self-destructed as they couldn't cope with power spikes, etc, and because the equipment used the mains supply to transmit/receive it couldn't be protected using surge protectors, etc. So this was dropped.

I then experimented with the 433MHz generic off the shelf controllable sockets. These are available from most retailers as Energenie sockets and generally come with a remote control and a combination of sockets. They work, but have limited range on the 433MHz, again cannot be queried to find out if they are on or off and a lot of the commands are fire-and-forget (or hope for the best). I interfaced them with an Arduino using the 433MHz transceiver pair but this still is a fire-and-forget so not really an ideal solution.

Onto my current idea, the TP-Link HS100 wireless switches:
These retail for around £25 each, so not the cheapest option, but they have some interesting features. Firstly they are wireless, so connect to your 2.4GHz (only) wireless in the house, so anywhere you have wireless they will work. They can also handle up to 13Amp switching which is higher than most others (Although I'd still not connect it to a high load like washing machine, dishwasher, etc). And the even better bit, they use a communication method that can and has been tapped into, so over IP you can send commands to the units and query their status. Perfect for me as I want to use everything over my IPv4 (wireless) LAN at home to do the monitoring and control.
Researching them, there has been a very good reverse engineering job at https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/ and the author has also provided a python script that will let you query and talk to the devices. This fits exactly with my home automation system.
Now, don't get me wrong, there is a flaw here: when you set these units up, you install their app on your phone and configure their details using the TP-Link 'cloud' system, which means giving the app your wifi SSID and password, which it sends to the smart switch using a temporary unsecured WIFI AP in setup mode. The unit then talks to the internet/TP-Link cloud for its command and control. So far nothing here looks too bad, other than it having the ability to snoop your home network and talk to TP-Link! However, since we won't use the TP-Link cloud for our control we could simply drop this and not use it even for initial configuration. Furthermore we can send a command to the sockets to change the server they talk to, in theory cutting them off from TP-Link completely, which if you're paranoid you can do. I'm not too worried about this, so will probably just leave them at default.

So now I have a socket that I can set up with a static IP in my DHCP scope, and then use the python utility to query and send commands.
To grab the python code you need, take a look at https://github.com/softScheck/tplink-smartplug
So I set up a script to query my socket and write the current state to a state-file on my home automation server, the script was very simple:
tplink-smartplug.py -t 192.168.xx.xx -c info | grep "Received" | cut -d ":" -f 23 | cut -d "," -f 1 > /tmp/tplink_plug1.out
That gives me either a 1 or a 0 depending on the current state of the socket. To set the state you simply use the python script again:
tplink-smartplug.py -t 192.168.xx.xx -c on
It's as simple as that.
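
The same status query done directly, as an added example that is not part of the original post or the softScheck script: it reads relay_state from the JSON reply by key, so it keeps working if the firmware reorders fields (the cut -f 23 pipeline depends on position). The port, the XOR autokey starting at 171 and the 4-byte length prefix are as described in the linked softScheck write-up, not on this page; SAMPLE is a constructed reply.

```python
import json, socket, struct

PORT = 9999        # TCP port of the plug's local control protocol
INITIAL_KEY = 171  # starting key of the XOR autokey obfuscation

def encrypt(plain):
    """Obfuscate a JSON command and prepend the 4-byte big-endian length."""
    key, out = INITIAL_KEY, bytearray()
    for b in plain.encode():
        key ^= b            # each cipher byte becomes the key for the next byte
        out.append(key)
    return struct.pack(">I", len(out)) + bytes(out)

def decrypt(cipher):
    """Reverse the obfuscation on a payload (length prefix already removed)."""
    key, out = INITIAL_KEY, bytearray()
    for b in cipher:
        out.append(key ^ b)
        key = b
    return out.decode()

def relay_state(reply):
    """Return 0 or 1 from a get_sysinfo reply, looked up by key, not position."""
    info = json.loads(reply)["system"]["get_sysinfo"]
    if info.get("err_code", 0) != 0:
        raise ValueError("plug reported err_code %r" % info["err_code"])
    return int(info["relay_state"])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("plug closed the connection early")
        buf += chunk
    return buf

def query(host, command='{"system":{"get_sysinfo":{}}}', timeout=3.0):
    """Send one command to a plug on the LAN and return the decoded JSON text."""
    with socket.create_connection((host, PORT), timeout=timeout) as s:
        s.sendall(encrypt(command))
        (size,) = struct.unpack(">I", _recv_exact(s, 4))
        return decrypt(_recv_exact(s, size))

# Constructed sample reply (not captured from a real device)
SAMPLE = '{"system":{"get_sysinfo":{"err_code":0,"alias":"plug1","relay_state":1}}}'
```

The XOR step is obfuscation, not authentication, so any device on the same LAN can send the same commands; putting the plugs on their own SSID or VLAN limits who can reach port 9999.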
I cannot comment on the longevity of the devices, but so far they are built well, easy to set up and super-easy to use. So I think this might be a new winner for home automation, the only thing I'd like to see is the cost drop a little more, but when you think of everything that's in the box £25 is pretty cheap!

Let me know your thoughts in the comments please or if you've found alternatives too.