12-01-2012 08:40 PM - edited 12-01-2012 08:48 PM
The VSS sets up a VPN using ports 50 (?) 500 & 4500, and also contacts NTP timeservers over port 123. The most critical but not well communicated fact (Voda keep it quiet) is that the VSS will only connect using certain 'whitelisted' IP addresses. This is understandable as Voda have to ensure the device is only used in the UK (3G licence conditions) and the whitelisted IPs are (usually) specific to the UK. The big UK ISPs such as Sky, AOL, TalkTalk etc have their IPs on this list but many smaller ISPs do not have their IPs listed. My IP range was not listed, so I posted mine here and it took about two weeks to get them onto the list.
The VSS has to get an IP address via DHCP from the aDSL modem or router. The simplest and most reliable connection is an aDSL modem running a DHCP server, with a single network LAN connection to the VSS. Any firewall should be disabled so the VSS device can connect via any port to the Voda servers. Providing there are no packet size issues the VSS should connect, with the caveat that the external IP must be on the whitelist. My VSS connects on a standard aDSL line in this configuration in a few minutes.
When you have an aDSL modem/router with 4 ports (typically) you have to start the port mapping of ports 8, 50, 123, 500 and 4500 to the VSS LAN IP address (I plan to discuss routers and larger networks later).
12-01-2012 10:26 PM
What you have to do by port mapping is make sure traffic from Voda gets to the VSS - thus you put rules in the port forwarding table to forward traffic from ports 8, 50, 123, 500 and 4500 to the IP address of the VSS. If you are lucky your router will be clever enough to detect traffic coming FROM the VSS and it will port trigger and map this traffic BACK to the VSS - which is why some routers apparently work without configuration. However most will need some setup. Alternatively you can set the IP of the VSS as a DMZ but this will not always work.
13-01-2012 07:21 AM
The above post perpetuates an urban myth to the point of being 'incorrect'. A standard domestic router provides NAT support to allow the WAN address associated with the router to be shared by each of the devices on the local LAN (there can be many more than 4 of these - this is in no way limited by the number of ports on the router).
A correct implementation of NAT will ensure that responses to requests issued from a device within the LAN are routed back to that same device. You don't have to be lucky for your router to be clever enough - it's part of the specification for NAT; it isn't port based - the router maintains a routing table.
All traffic through the SS is initiated by the SS and thus, should be appropriately routed via NAT. No unsolicited traffic is required for the operation of the SS, so no port mapping is required in a normal domestic set-up. As a result, the SS is plug-and-play for the majority of users.
Explicit port mapping may be required in some circumstances - for example:
- The system admin in a corporate environment may have configured the router firewall to block the default pass-through behaviour for solicited responses.
- There might be some other explicit port mapping rules configured within the router that prevent the normal operation of the SS.
- The implementation of NAT within the router could be defective - i.e. requiring a firmware update.
I suspect, but of course cannot prove, that there are a good number of SS users out there who have set up and are maintaining port forwarding rules quite unnecessarily ...
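The NAT behaviour described in the post above, as an added illustration that is not part of the thread: a minimal model of a domestic router's connection tracking, showing that replies to the Sure Signal's own outbound traffic (NTP on UDP/123, IKE on UDP/500, IPsec NAT-T on UDP/4500; ESP itself is IP protocol 50 rather than a port, which is what NAT-T exists to carry) are mapped back to it without any forwarding rule, and that an explicit forward is what lets unsolicited packets from anywhere reach the device. All addresses are constructed from documentation ranges.

```python
# Added illustration (not the thread's or Vodafone's code): a toy model of
# router NAT connection tracking versus explicit port forwarding.
from dataclasses import dataclass, field

VSS_LAN_IP = "192.168.1.50"     # constructed LAN address of the Sure Signal
ROUTER_WAN_IP = "203.0.113.10"  # constructed WAN address of the router
VODA_GATEWAY = "198.51.100.20"  # constructed Vodafone-side VPN/NTP endpoint


@dataclass
class Nat:
    wan_ip: str
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port): solicited flows
    table: dict = field(default_factory=dict)
    # wan_port -> lan_ip: explicit port forwards configured by the user
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN device sends a packet out: allocate a WAN port and record the flow."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives on the WAN side: return its LAN destination, or None if dropped."""
        flow = self.table.get((wan_port, remote_ip, remote_port))
        if flow:
            return flow  # reply to a flow the LAN device opened: routed back automatically
        if wan_port in self.forwards:
            return (self.forwards[wan_port], wan_port)  # unsolicited, but explicitly forwarded
        return None  # unsolicited and not forwarded: dropped


def demo(with_forwarding=False):
    """Run the VSS's three outbound flows, then an unsolicited probe from elsewhere."""
    nat = Nat(ROUTER_WAN_IP)
    if with_forwarding:  # the 'unnecessary' rules the post refers to
        for port in (123, 500, 4500):
            nat.forwards[port] = VSS_LAN_IP
    results = {}
    for port in (123, 500, 4500):
        wan_port = nat.outbound(VSS_LAN_IP, port, VODA_GATEWAY, port)
        results[port] = nat.inbound(VODA_GATEWAY, port, wan_port)
    # Unsolicited packet from an unrelated host aimed at UDP/4500 on the WAN address.
    results["probe"] = nat.inbound("192.0.2.99", 4500, 4500)
    return results
```

Without forwards every reply still reaches the VSS and the probe is dropped; with forwards the probe is delivered to the VSS, which is the exposure the rules buy you.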
13-01-2012 07:56 AM - edited 13-01-2012 08:03 AM
Port triggering and port forwarding will ensure (if you are lucky;-)) the response is returned from whence it came.... You have taken me too literally and obviously there can be routing to any number of ports. However explicit port forwarding will ensure the data gets where it needs to. I think you need to accept my post as the usual 'part of the story' rather than the full truth. YOU have to accept that in many cases NAT does not work correctly in free Chinese boxes given out by many ISPs and we live in the real world, not one where NAT is adhered to 'correctly'.
But some routers will do this, and others may block most ports in their firewall. I was also going to discuss the cases similar to my Wireless ISP where there are MANY internal IP addresses and explicit NAT is essential.... Obviously with switches and routers you can masquerade many internal DHCP or static IP addresses to one external IP, or have a mixture of 1:1 NAT and masq.
There are a couple of final points, where you have correct port triggering and / or NAT but you do not get a connection, or (as has been posted earlier) you get a connection but only get some or little data traffic. Where you get a mismatch between expected and required packet sizes (pppoa, pppoe, Sky MER etc) the Voda servers may either bounce back packets - or worse, simply drop them. This packet size mismatch or fragmentation or rejection can be another reason why an apparently good connection does not work.
In summary the Voda SS box is not a piece of rocket science - it requires no more than the same port forwarding a PS3 may need (and as you somewhat misleadingly point out, it should often not be needed) - but the existence of the WHITELIST considerably obfuscates matters and makes fault finding more difficult. I agree the VSS is often (even in a routing environment) plug n play but many posts here support my case that the NAT is not working correctly (or firewall rules block uncommon ports) thus in the real world we have to explicitly port forward.