Community home

machotspur.

Some more info would be good for the people here to know.

Who is your ISP?

What make/model/version/rev firmware is your router? (A sticker on the bottom perhaps will have that info.)

(Some of BT's "Business Hubs" are known to be troublesome.)

Are you able to access your router's configuration pages? (You may need to tweak some settings.)

Are you trying to setup the VSS at home, or in an office.

If an office...

Are there any other systems on site that use eithter PPtP/L2TP VPN's on site, as an endpoint (server?)

Microsoft Small Business Server's remote login/admin portals etc.

If so, unless you can get those service ports changed away from the usual defaults, it's going to be nigh on impossible for the VSS to work, unless you have a router that can do selective port forwarding based on external IP addresses.  (most of the plastic domestic things, and many so called business items, cant do those tricks.)

If you have any LAN HUB's in circuit between the VSS and the router, change them for "SWITCH's", or connect the VSS directly to the router.   I found that if there is a HUB in line, they don't get an IP address to use. (An anti hacking precaution perhaps?  I tried with several HUB's, so it's not as if there is one with a problem.)

I have one working at home now, directly connected to the (Netgear) router with no special firewall rules or port forwards for it at all, but I have had to kill off my own PPtP/L2TP VPN, to free up the needed ports for the VSS.   This was to prove to myself as much as anyone, that what I suspected, was the problem.   Now all I have to do, is persuade office management and IT, to do the needed here at work so we can get our phones working again inside our tin clad office building.

The IP ports that must not be restricted or blocked at your end are.

8

50

53

67

68

123

500

1723

4500

5000

The above ports must also not be restricted/blocked by your ISP, or your routers outgoing firewall rules.

As above, I have found you do not need to "forward" them to the VSS's internal IP address.

Assigning a stattic IP address to the VSS does appear to help however, but again, I have seen it work without such things set.   It would make sence in a corporate environment to give it a stattic IP address within your LAN, if just for future diagnostic/fault tracing needs.  (You can only do that by adjusting settings in your routers DHCP configuration setting pages, or the same service configuration settings in whatever is doing DHCP for your company LAN.

Some specific ISP's routers need some "High Port ranges" forwarding it seems, I've not had that problem.

33433 - 33445 for instance is documented in various places.  Other ranges have been mentioned for some ISP's.

(In which case, you will need to assign a stattic LAN IP address to the VSS, so you will need to access your routers configuraion settings.)

Even when everything is "just so".  For the initial connection/sign-in/firmware update etc to complete, can take between an hour and a full day!  Realy it can!  (And while it is doing that, there is "a lot" of network traffic... 

A restart after a power outage, can take up to an hour for the things to fully come back to life so you can use the service from your phone.

There again, it can be as quick as 10 minutes.

Be careful with the reset button.   It appears that just does a "Factory Reset", after which, it needs to go through a full firmware update cycle when it can again see Vodafones backoffice systems.   That's the restart that can take some hours to complete again, during which, if you watch it, it will appear to reboot/restart a few time all by itself.

Only do that perhaps, if you've had a very short power outage, that caused it to not cleanly reset itself.  In that case, in the first instance, turn it off for a while (5 mins) then back on.  If it still doesnt come back, maybe then consider the reset button.

The above questions/observations are based on my own personal experience with one of these gadgets (a SureSignal V3) and after "a lot" of reading here and elsewhere, plus asking questions of several other people "in the know."

Take care.

Best Regards.

Dave Baxter.

Technical Manager: AR-UK Ltd.

Would placing the VSS in a DMZ solve these problems?

Just as a suggestion have any of you read this thread http://forum.vodafone.co.uk/t5/Vodafone-Sure-Signal/Vodafone-Sure-Signal-Is-It-Compatible-With-PPPoE...  I had problems similar to those described here after installing a new router which was driven by a seperate modem.  The VSS has now been running without problem for about 4 or 5 days now after following the advice in this thread.

Phil

Heyescroft:

Interesting, I've looked into the MTU issue, but my Negear box at home (where the VSS is happily working now) has a MTU limitiation of 1458, while the backhaul to my ISP is via PPPoA.    It certainly doesnt want to take 1500 as a value.

What I have settled on, is absolutely no outgoing restrictions (default router behaviour) and no forwarding rules on the incoming, for any of the ports the VSS is said to need (killing off for now one of my own VPN's in the process) just to prove a point, and the VSS now works.

I'm pretty sure, that unless you can apply external IP address filtered port forwarding rules (that certainly my plastic boxes dont seem able to do well, or the external IP address info I have for Vodafone's server farm is not correct) then it'll be virtually impossible for a VSS to live behind the same router that also has forwarding rules in place for a corporate PPtP/L2TP VPN endpoint on another internal IP address, especially (as we do) that's available for any outside IP address, for when we're traveling.

Plus, if it can be made to work, if ever Vofafone re-arrange (add) server IP addresses to the list, there is a chance that things will stop working, again untill we go in and edit the list of needed IP addreses the VSS needs to converse with..

I'd say this is all good fun, but in reality it is Sooooooo frustrating, due to the lack of definitive and consistant information.

Regards.

Dave Baxter.

Technical Manager AR-UK Ltd.

heysecroft:

Just poking arround the backside configuration pages of our BT Business Hub 3.

It's firewall rules, and port forwarding rules editor, does not give the option of applying rules based on external (WAN) IP addresses, it's all traffic of that type from the big bad world, or nothing that you can forward to an internal IP address.

A recent eBay purchase has just landed on my desk.  An old Linksys WRT54G V3.1 router, that has enough Flash and RAM to run DDWRT or "Tomato" firmware (for other needs.)

But I may just poke about and see what that can (I suspect) provide in the way of much more flexible port forwarding/filtering rules.    That'll take me a while though.

Regards.

Dave Baxter

Technical Manager AR-UK Ltd.

Hi Dave,

The thread I pointed to has a couple of anomolies especially regarding the MTU - my Draytek will only go up to 1492 as does my Linksys but that doesn't seem to be a problem.  Also I haven't bothered with setting up the DMZ so apart from setting the static IP address for the VSS the Draytek is at factory default.  What seemed to be the main problem was that the VSS doesn't seem to like sitting either behind a Draytek Vigor 120 modem or behind a PPPoE broadband link.  I do find it absurd that the thread started about 4 years ago and my VSS is only a couple of weeks old but the same problem still exists

Phil

heyscroft:

Yes, this one seems to run and run...

I've never (yet) got the VSS running here in the office, for the afore mentioned reasons I suspect.  (99.9% sure now.)

The odd thing I did find (an anti hacking measure perhaps?) is that if you have it connected via a HUB to your LAN (I wanted to see what it was trying to do, using Wireshark) it doesnt even complete the DHCP thing and get a LAN IP address!  I could see it's initial ping to the DHCP server, and the server's reply, but that was the only traffic, and you couldnt even ping the thing from a laptop on the same HUB after that.

Plug it into the main system's switch, and it starts to try to get going (but fails due to the conflict of interests in the routers settings) but you can ping it from another machine on the office LAN just fine.

Some cheap routers I suspect have 4 port HUB's in them, not "Switches", so that could be a show stopper too.  However, I'd doubt the Draytek falls into that category.

I do find it odd though, that in this day and age (2014 of course) such things still use a relatively archaic VPN such as PPtP (that has a few documented weakneses now) and on common fixed ports too, so there are bound to be a clash of interests in many cases.     This sort of thing should be true plug and play these days, and able to work arround any local router issues using NAT Traversal techniques much as the "Hamachi VPN" used to do (remember that?)  

Plus as Vodafone would be managing the mediation server(s) if anyone "misbehaved" the curtain could be pulled shut from their end.   But the main thing was, absolutely no router configuration needed.  "It just worked".  Even from behind some particularly restrictive proxying/firewall's as I found to my delight when traveling to far flung places for work back then.

Talking of the 4 letter word.  Best I go do some...

Regards.

Dave.

Hi jabwky.

In some instances it can help, but...

A DMZ only recieves any remaining inbound trafic, that is not already captured and diverted by any other port forwarding rules, to other internal IP addresses..

If for example port 500 is already forwarded to another internal IP address, it will not be passed to the DMZ.   Or so I have found with my "domestic" routers, and the wierd BT Business Hub in the office.

It also does nothing to help if there are restrictions on the OUTBOUND packets.   It is uncommon but some ISP's for instance can block specific traffic FROM you (peer to peer file sharing probes for instance) just as easily as they can block (for example) incoming traffic on ports 80, 25 and 21, so you can't run your own web, mail or FTP servers, on the default ports at least.   Unless you pay them more money.

Many commercial/industrial/infrastructure routers (not the cheap plastic things our ISP's give us) can apply different forwarding rules, depending on the source IP address of the data arriving from the outside, but you have to pay shed loads of £££'s for them, or build your own with OpenBSD and IPFW for example.  Plus the configuration of them is not trivial.

Some of the higher price "generic consumer" routers, can do some of that, but sometimes they don't always work as expected (or even as documented) or they interact badly with other features you need.

Plus, getting to know what external IP addresses are needed, can be a struggle.   But in this case Vodafone have made some of that info available in past posts.

Best Regards

Dave Baxter.

Technical Manager AR-UK Ltd.

Dear Dave

Thank you so much for taking the time to propose some solutions to the problem.

Regrettably though these are way beyond my capability or desire.

I'm just a home user, with a very reliable ISP (Zen) and a run of the mill wireless router that meets all of my other needs perfectly (Netgear N600).

I have just moved my mobile phone to Vodafone, purely on the back of what is shown as being a simple plug in solution to a weak signal. If Sure Signal isn't fit for purpose then I may as well return it/bin it and go back to my previous provider which is far better value.

Can anyone from Vodafone technical area help with a simple solution to this please ?

Thank you