DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vodafone Sure Signal (VSS) with Draytek router

31 Mar 2010 21:58 #61472 by wilsodg
Apologies for this long post.
I'm trying to get a Vodafone Sure Signal (VSS) to work with my Vigor 2910 router. Basically this is a Femtocell device which gives 3G coverage in your house and hooks back to Vodafone via your broadband link. Sounds great for those of us living in rural areas where there are limited Vodafone masts, but it's proving to be a nightmare for some early adopters to get it working, and VF support seems unable to provide assistance.

Here's how it is supposed to work.
All traffic between the VSS and the Vodafone network, with the exception of the DNS and synchronisation traffic, is carried within a VPN tunnel. The following firewall rules are required as a minimum to allow the VPN to be established between the VSS and the Vodafone network. These rules assume a stateful firewall, otherwise connections will be required in both directions.
Source: VSS
Destination: 212.183.133.177
IP; port 50; ESP
UDP; port 4500; IPSEC NAT Traversal
UDP; port 500; ISAKMP

In order to set up the VPN the VSS requires the ability to resolve IP addresses for hosts in the vap.vodafone.co.uk domain. These are specified on the Vodafone Public DNS servers. The DNS server used by the Vodafone Sure Signal must be DHCP assigned. Standard DSL connectivity includes DHCP assignment of DNS server.

In order to function the VSS requires a synchronisation signal from the Vodafone network. This is carried outside the VPN tunnel and the following firewall rules will be required. These rules assume a stateful firewall, otherwise connections will be required in both directions.

Source: VSS
Destination: 212.183.133.181 & 182
ICMP port 8 (ping for keep alive)
UDP port 123 (NTP for synchronisation)

In Vigor speak, I have bound the VSS to an IP address, and because of the dual WAN, I have bound the IP to a WAN. I opened ports 50, 500 and 4500, and redirected ports 8 and 123 to the VSS IP address. No success.

I've tried other variants, but in desperation, since I have a range of permanently assigned WAN IP addresses, I defined a DMZ host for one of the WAN IPs to the VSS, and also address mapped the WAN IP to the VSS IP. I assume this basically has all ports open for that WAN IP/VSS IP combination, all outgoing VSS traffic will go via the WAN IP, and all incoming traffic to that WAN IP is by default routed to the VSS IP. Still no joy. I also changed the MTU to 1492 (max), and have no firewall activated.

The VSS sits there with a light flashing to indicate it cannot communicate with Vodafone. VF say it is either a problem with my ISP (BT) or my router. The router logs show outbound traffic to the VF addresses, and some inbound comms too.

  • Has anyone out there got a VSS working with a Draytek router? What settings?
  • Am I missing a trick somewhere on open/redirected ports, and in theory, does the DMZ/address mapping idea have merit?
  • Is the Vigor 2910 a stateful firewall?
  • Is it likely an issue with the establishment of the VPN tunnel, or something to do with the synchronisation pings?
  • Any ideas on what might be wrong?
  • Any ideas on how to further determine the source of the problem?


Many thanks

01 Apr 2010 09:16 #61479 by voodle
Since it mentions ICMP for ping, have you tried setting the router to allow pings from the internet?

02 Apr 2010 09:15 #61493 by wilsodg
I think I have. I cannot find anything to specifically allow ICMP ping, but the couple of places (e.g. DoS) where you can check to block it are unchecked.

I'm also getting this from the firewall log. What does it mean?
Code:
wan->lan @S:R=13:1 p 212.183.133.178 -> 81.nnn.nn.nn PR udp len 20 1060 frag 1040@1480


(I have masked out my own WAN IP address for obvious reasons)
I assume it is recording the address 212.183.111.178 (Vodafone) coming back to my router, using protocol udp but what does the 'len 20 1060 frag 1040@1480' mean?

03 Apr 2010 01:02 #61511 by drewy
I've got one, had it for a while. Use it with a 2820vn.

Had no connection problems with it. Initially just plugged it into a router port, assigned it a fixed DHCP entry and its own VLAN ('cause it don't know what it's doing...)
Worked fine, no port mapping or anything.

A while later I noticed it started losing connectivity most nights. After some more thinking it turned out that those nights I had been playing Bad Company 2.
So (got an 8 IP block) I assigned one WAN IP directly to it and mapped the same ports that you do to it. This stopped it dropping its connection while I was playing :)

My actual mappings are:

tcp 50
udp 4500
udp 500
udp 123

03 Apr 2010 09:43 #61517 by njh
It looks like this is some sort of IPSec device as it uses ports 500 (IPSec) and 4500 (IPSec/NAT-T). Have you made sure that IPSec VPN is turned off in your router? Also is there something specifically to turn on VPN passthrough or does turning off IPSec achieve that? (There may be a telnet command).

Are you sure you need tcp on port 50 or is it protocol 50 that you need? Port 50 is possible but protocol 50 is more likely. You cannot enable protocol 50 but allowing VPN passthrough should do the trick.

UDP 123 is just for a time server. You may get away without that if the router behaves well. I think my Draytek used to but my current Linux box does not.

2900Gi/v2.5.6; 2900/v2.5.6
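
Added example (not part of any post in this thread): a small Python classifier illustrating the port-versus-protocol distinction raised in the post above. ESP is IP protocol 50 and has no port field, so a "tcp 50" port mapping never matches it. The destination addresses are the ones quoted in the first post; the packets, the LAN source address 192.168.1.50 and all function names are constructed for illustration.

```python
import socket
import struct

# Vodafone endpoints as quoted in the first post of this thread.
VPN_GW = "212.183.133.177"
SYNC_HOSTS = {"212.183.133.181", "212.183.133.182"}
UDP_RULES = {500: "ISAKMP", 4500: "IPsec NAT-T"}
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def build(dst, proto, l4=b"", frag_off=0):
    """Constructed test packet: 20-byte IPv4 header (checksum 0) plus payload."""
    return struct.pack(HDR, 0x45, 0, 20 + len(l4), 1, frag_off // 8, 64,
                       proto, 0, socket.inet_aton("192.168.1.50"),
                       socket.inet_aton(dst)) + l4

def ports(sport, dport):
    """First 4 bytes of a TCP or UDP header."""
    return struct.pack("!HH", sport, dport)

def classify(pkt):
    """Label one outbound IPv4 packet against the rules listed in the thread."""
    vihl, _, _, _, flags_off, _, proto, _, _, dst = struct.unpack(HDR, pkt[:20])
    dst = socket.inet_ntoa(dst)
    l4 = pkt[(vihl & 0x0F) * 4:]
    offset = (flags_off & 0x1FFF) * 8
    if offset:
        # Later fragments carry no L4 header, so a port rule cannot match them.
        return "fragment at offset %d: no ports" % offset
    if proto == 50:  # ESP is an IP protocol number; there is no port field
        return "ESP to VPN gateway" if dst == VPN_GW else "ESP, other host"
    if proto == 1 and l4[:1] == b"\x08" and dst in SYNC_HOSTS:
        return "ICMP echo request (type 8) to sync host"
    if proto in (6, 17) and len(l4) >= 4:
        dport = struct.unpack("!H", l4[2:4])[0]
        name = "udp" if proto == 17 else "tcp"
        if proto == 17 and dst == VPN_GW and dport in UDP_RULES:
            return UDP_RULES[dport]
        if proto == 17 and dst in SYNC_HOSTS and dport == 123:
            return "NTP to sync host"
        return "%s port %d: not in the rule list" % (name, dport)
    return "unmatched"

SAMPLES = [  # constructed packets, not captured traffic
    build(VPN_GW, 50, b"\x00" * 16),
    build(VPN_GW, 6, ports(40000, 50)),
    build(VPN_GW, 17, ports(4500, 4500)),
    build("212.183.133.181", 1, b"\x08\x00" + b"\x00" * 6),
    build("212.183.133.182", 17, ports(123, 123)),
    build(VPN_GW, 17, b"\x00" * 32, frag_off=1480),
]
LABELS = [classify(p) for p in SAMPLES]
```
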

06 Apr 2010 09:33 #61555 by voodle
To enable ping from the internet on the 2910, go to the System Maintenance menu then Management and on there untick Disable PING from the Internet.
