Sunday, October 5, 2008

Part 9 - Lets Review the Network Configuration


So this is what we end up.

A transparent Gateway that we are able to have a direct connection to the internet.

You should be able to do the same. With this configuration your connection issues are history.

Part 8 - Configure the Windows XP SP2 Computer

For my computer, I am connecting directly to the Gateway using USB.

1. Download the USB Drivers for your Gateway. For the Actiontec M1000, the USB Drivers are located at the following URL:
http://www.actiontec.com/support/product_details.php?pid=38&typ=drv#soft
2. Install the USB Drivers
3. Connect the USB Cable between your Gateway and your Computer
4. Open your TCP/IP Properties as shown for the new interface that was added when you plugged in the USB Cable.
5. Set the IP Address to one of your User Assignable Static IP Addresses
6. Set the Subnet
7. Set the Default Gateway to the Reserved Gateway Static IP Address
8. Set the DNS Servers to the same DNS Servers you are using on your Router.
9. Press OK.
10. Make sure that all your other Interfaces on the computer have been disabled or disconnected. If you have wireless on your computer, turn it off.
11. Open a web page in your browser, it should load if you have done everything right.
12. Open a VPN Connection to your work, you should find that the VPN Connection should be stable for weeks on end unless your work has a time-out on VPN Connections.

Success can only be measured in how stable your connection is, if you find you are still suffering the same symtoms, then you should review your network setups again.

Part 7 - Configure the Linksys WRTU54G-TM

Alright, now that we have the Gateway setup, we need to set up our VOIP Router.

In this case it is a T-Mobile@Home VOIP Cisco Linksys WRTU54G-TM.

The reason I went with T-Mobile is for the following reasons:
1. I already had a T-Mobile Account
2. The service was only an additional $10 a month
3. Free Long Distance US and Canada

We have tried Magic Jack and other cheaper solutions, but they cause the same kind of problems that we are trying to fix. We want a clean stable connection at all times with a low ping.

1. Log-in to the VOIP Router and go to the Internet Connection Type Setup.

2. Set your IP Address to one of the User Assignable IP Addresses out of your Block of IP Addresses.
3. Update your Subnet.
4. Enter in your Gateway IP Address.
5. Enter in Static DNS Servers.

If you don't know them, enter in the Gateway IP Address for now.

You can come back here later and update this once you log into the Gateway and determine the DNS Servers the Gateway is using by looking at the Connection Status.

6. Make sure the Operating Mode is Router
7. Disable RIP.

If you determine you need it later you can turn it on, but on this router it usually causes more trouble than it worth. If you notice that websites are too slow to load through the router, try enabling Version 1.

I prefer to use Static Routes where ever possible for performance.
8. Enable the Firewall
9. Enable VPN Passthrough in case there are other VPNs on the network.

Even though this is enabled, you will still loose you VOIP Connection from Time to Time if you have this enabled.

If you would rather not have to worry about the risk of a lost connection with your VOIP Provider. Disable IPSec Passthrough, this will keep any other VPN On the Network using Protocal 50 from connecting.

I have mine enabled just in case applications require it, but I have moved all known VPNs to the Gateway Level of the Network.
10. Set Router Admin User and Password.

These passwords don't need to be as robust as the one on the gateway, but you need to have a complex but memorable password 15+ chars.
11. Disable Remote Access
12. Disable UPnP unless you know you need it for a specific application.

Opions are wide, but my opion is that it isn't secure.

At this point, if you have loaded the correct DNS Servers, you should be able to load a web page in your browser. If you still need to do this, go into your Gateway now and Add the Correct DNS Servers.

If you can't, you did something wrong and need to go back.

Click on the images on this blog, they will open up and you can look carefully for something that you may have miss-understood or I may have left out.

Saturday, October 4, 2008

Part 6 - Configure the Actiontec M1000

Qwest Tech Support gave bad instructions on how to set this up, so if you tried to follow their instructions and failed, you were setup.

(TIP: Use a computer connected directly to the gateway. it isn't critical but if you have changed the Gateway Settings from behind a router, you will have to adjust your Router Settings before you can reconnect to the Gateway.)

1. First thing you need to do is go to the Quick Setup Page and establish your ISP Connection by entering your PPP User Name and Password.
This enables you to use the Internet in case you get into trouble in later steps.

2. Once the ISP Connection has been established, click on the Advanced IP Configuration Button in the lower right hand corner.

This page will open.
Normally, you will need to choose PPPoE or PPPoA. If in doubt, check your modem status before continuing to check the current type of connection you are making to your ISP.

3. Click PPP Auto Connect.

4. Enter your PPP User Name and Password again.
5. Select Block of Static IP Addresses (Unnumbered Mode)

6. Enter the Gateway Address(Unnumbered Mode). This is the "Reserved Gateway" IP Address that you received when you leased your IP Addresses. This is the only Reserved IP Address we will use.

7. Select the DNS Type = Dynamic DNS Addresses (Default)

8. Select "VC-Mux(Default) for your ATM Encapsulation type and Press Apply

Your Modem will reset and you should wait for confirmation that your Modem gives a Connection Status of "Connected" to your ISP before continuing.

If you don't get a confirmation, go to the Modem Status Page one more time to verify you don't have a connection to your ISP.

If confirmed, repeat steps 2-8.

If it still doesn't work, try a different connection type. If you have PPPoA, change it to PPPoE.

That failed, this is where you need Tech Supports Help, you may have a bad password or user name or some other issue.

Don't doubt that they will try to help you though this process of doing the complete setup, they may be more trouble than their worth. You decide.
9. Disable the DHCP Server.
10. Configure Static Routes for each of your user assignable IP Addresses
11. Set Dynamic Routing (RIP) to Version 1
12. Set/Change your Admin User Name. I recommend no less than 15 characters with some random element. Remember, with you firewall and nat disabled, this modem will be subject to potential attack.
13. Set/Change your Admin Password. Here I recommend a randomized password that you can't hopet to remember of 30 characters.

Write it down, if you forget, you will have to start over after reseting your modem back to the factory defaults.

(Note: Make sure you know how to reset your modem/gateway before you change the password.)
14. Disable the Firewall
15. Disable the NAT
16. Go to the Modem Status, copy all your WAN Connection Details for Reference, especially the DNS Servers since you will need these to configure other computers and routers later.
17. Set the LAN IP Address to the Reserved Gateway IP Address. Once you do this, you will loose your connection to the Gateway, use the Reserved Gateway IP Address in the future to connect to your gateway.

(Note: Yes, it is the same IP Address you used above for the Gateway IP Address, it is correct regardless of what QWest would tell you)

Part 5 - Upgrade Actiontec M1000 Firmware QA02

If you are using an Actiontec M1000, you need to verify the current Firm Ware version on your devise.

If your welcome screen on the Actiontec M1000 doesn't look like the picture below, you likely need to upgrade your firmware.

QA02+ is required in order to make your Actiontec M1000 work properly with this configuration.

Instructions and Firmware Update can be found at the following page for the Actiontec M1000:
http://www.qwest.com/internethelp/modems/m1000/index.html?option=drivers

(Note: Make sure you grab the recovery and the recovery utility just in case and write down your PPP user name and password.)

Part 4 - Leasing a Block of 8 Static IPs

QWest with Windows Live started leasing Static IPs on 8/29/2008, previous to this you had to change your ISP to QWest.net.

In order to get a block of Static IPs from Qwest, you have to go to their site online. Calling customer service will do no good, they can only be acquired online.

The link to order Static IPs from QWest with Windows Live is:
https://myaccount.qwest.com/MasterWebPortal/appmanager/home/staticIP

You must go to your ISP to get Static IPs, there isn't any other option.

During the process of leasing your Static IPs, you will need to register with ARIN to identify the user of the Static IPs.

When you have completed the process, you will get a set of 8 IP Addresses. Some of these IP Addresses are reserved, and they can not be used with the exception of the Reserved Gateway IP Address.

Make sure you save a copy of this on multiple computers where you need to administer your network from.

You will make use of this information often.

Part 3 - My Network Setup

To start with, my network was setup as shown on the left.

This wasn't going to work.

Fortunately, my Gateway has two connections on it.

I have a USB and a Ethernet Port.




Hardware used in the configuration of the Static IPs is as follows:

1. Qwest DSL Provided Actiontec M1000 without Wireless Network Module
2. Windows XP SP2 with Enhanced Firewall
3. T-Mobile Hotspot@Home Cisco Linksys Router WRTU54G-TM







When I was finished configuring this network, I ended up with this Network Configuration.

The path to figure this out wasn't easy.

Neither Qwest or T-Mobile seemed to know how to fix my connection issues.

Neither new the cause, and even after I figured out the cause, neither had a solution.

By reading this blog, you will save yourself countless hours of frustration and pain in trying to figure this out for yourself.

I have read many posts on the internet of people's frustration with T-Mobile due to connection issues, I suspect all these issues are directly related to either Firewalls, NATs, and/or VPNs.

The reason I am writing this blog, I couldn't find a resource that specifically addressed this in plain English.

You will notice, that I am not striving for techno jargon.

Please don't correct me, if you are a IT Network Engineer, you aren't my target audience.

Part 2 - The Solution



The only solution for your problem is to remove the NAT (Network Address Translation) from between your VOIP Router and the VPN located on the PC.

In the graphic on the left, you can see the typical setup described by a VOIP Provider.

They tell you to configure your network with default settings on the router and to connect all the computers to the router they provided.

What they don't know, you have other VPNs on the network and they don't tell you of the hell they are creating for you.

The first thing you will need to do to resolve this, contact your Internet Service Provider and get a block of 8 Static IP Addresses.

We will see in later posts how to properly configure these static IP Addresses. But for now, make sure you can get them from your ISP.

If your ISP doesn't support static IPs, you will need a new ISP that does.

I have a block of 8 Static IPs from my ISP, these cost me $14.95 per month with a $50 setup charge from my ISP Qwest with Windows Live.

In the past, Qwest used to make you change your ISP to Qwest.net in order to get Static IPs. Now you can get Static IPs from Qwest with MSN Premium or Qwest with Windows Live.

For this, I never loose either the VPN or the VOIP connection.

As an added benefit, my pings have improved by 5-11ms depending on the site and if you would like you can run your own server from your home. (great for game play)

The reason for this may be obvious, no NAT means no delayed packets.

Once you have the static IPs, you need to understand what additional hardware will be needed prior to configuring the Static IPs.

(Note: The PC will be attached directly to the Internet, you need to have a good firewall for this. Windows Firewall won't cut it.)

One possible way to remove the NAT and use your new Static IPs, is to plug both the VOIP Router and the PC with the VPN directly to the Gateway (DSL Router/Cable Modem).

You need to check your Gateway to see if it supports more than one connection.

You can check this by examing your Gateway physically to count the number of ethernet ports and/or USB Ports. If your Gateway has both, you can normally use any combination of USB and ethernet ports for configuring your network.

If you only have one connection available on your Gateway, you will need to purchase a Network HUB.

A Network HUB doesn't cost very much, you can pick up a used one from FRY's Electronics normally for about $5, you shouldn't spend more than $19.95 for a network HUB.

A Network HUB is just a glorified line spliter, it will give you the additional connections you need on the Gateway.


In Future Posts I will show you how I configured my own VOIP and Gateway with static IPs.

Part 1 - The Cause



More and more people are getting VOIP Service like T-Mobile @ Home and are running into issues when are attempting to use a VPN (Virtual Private Network) to connect to their work.

A lot of people don't realize, but many VOIP Services use VPN Protocals to connect you to their service.

The symptoms include:
1. Repeated Lost Connections to their work
2. Lost Connections and Connection Errors with their VOIP Provider
3. Slowed Internet Connection while both VPNs are connected.

The confusing thing for many, you can still connect both VOIP and the VPN at the same time intermittently, but this is short lived and you will loose your connection.

The cause of your issues, if you don't know by now, you can't have more than one VPN behind a NAT (Network Address Translation) gateway or firewall.