Issue since moving to 5 static IPs
 

Hi all

I hope someone can shed some light! We were on VMB 350/20 with a dynamic IP for a few years, which was relatively trouble free. Our last PCI DSS compliance scan was showing some ports open when our public IP was scanned, even though nothing was open. After some investigation, it was the Hitron that was to blame (even though it was in modem mode, fed into our Draytek Vigor 2830). VMB knew what I was talking about when I contacted them about it and said the only way to resolve this was to move to multiple static IPs.

So we did. Last Friday, this was complete, I reconfigured the Hitron and Draytek, and all was working okay (although the speed had dropped fairly significantly, but that's another issue).

However, our Verifone credit card terminals stopped logging in and would just say "login failed". But when I removed the VMB connection from our Draytek and let it switch to our ADSL backup, they would login fine. We had no problem with the same setup previously when on a dynamic IP.

I got in touch with Verifone who said this:

I have raised this with Virgin and am waiting for someone to get back to me. Does anyone know what this is all about and whether this a way to resolve it without moving back to dynamic?

Thanks in advance.

Re: Issue since moving to 5 static IPs
 

What do you get back from:
https://www.speedguide.net/analyzer.php

Please could you copy and paste the share your results box. This could give a clue as to what is happening.

Re: Issue since moving to 5 static IPs
 

Thanks for your reply! Here are the results.

Re: Issue since moving to 5 static IPs
 

Have you set the MTU to 1400 on the Draytek router for the Virgin media connection?
This may handle the changing of MTU more gracefully compared to the Hitron.

That may resolve the issue for you.

Let us know the outcome :).

Re: Issue since moving to 5 static IPs
 

Thanks Kev, but no dice! New results:

Re: Issue since moving to 5 static IPs
 

If you leave / set the MTU at 1400 and switch over to your ADSL backup, does it work then?

Re: Issue since moving to 5 static IPs
 

I just set the MTU on WAN1 (ADSL) to 1400 too and can confirm that they work fine. Just not on the VMB!

Re: Issue since moving to 5 static IPs
 

Turns out the card machines won't do a keyed 'customer not present' transaction either anymore. I think we'll have to move back to dynamic on Monday.

Appreciate the help so far!

Re: Issue since moving to 5 static IPs
 

If you have both WANs connected on the draytek then set static IPs on the terminals. You can then create a load balance rule so that those IPs are set to use the asdl WAN. Make anothe rule so that other IPs use the Virgin WAN.

Re: Issue since moving to 5 static IPs
 

Seb, this has me really stumped…

Unfortunately, if it isn’t an MTU issue, the likelihood of us being able to resolve this ourselves is slim.

Let’s focus on what Verifone are saying, the transaction gets sent out on one port and comes back on another. This is quite an ambiguous statement, making it hard to decipher what they mean.

I’ve been wracking my brain trying to think what it could be, but nothing I come up with makes any sense. It unlikely to be TCP/UDP ports, otherwise nothing would work… Any sort of PC port doesn’t even make the remotest bit of sense either.

If you go back to a dynamic IP address, won’t you have the same PCI compliance issue? If you explain the Hitron is outside your firewall, will this appease them?

Alternatively if you know the IP address the terminal is trying to connect to, I would copy and paste a trace route into an e-mail to Virgin Media support… Explain the issue you’re having, the steps you’ve taken to resolve the issue and how it’s working on your ADSL backup with the same router.
Hopefully they’ll be able to diagnose the cause from their end.

Re: Issue since moving to 5 static IPs
 

Maybe it's an issue with PAT port translation, but then that doesn't explain why it would work on DHCP and not static ip.

OP have you tried temporarily putting a verifone device on it's own static ip and see if it behaves?

Re: Issue since moving to 5 static IPs
 

Hi all, sorry for the late reply. Thanks very much for the continued support!

This could work, but the whole reason we have ADSL is as a failover, and this would really put us back to having no backup if the ADSL went down.

My feeling is that Verifone's statement isn't technically correct. You're right that if we go back to a dynamic setup, we'll have the same compliance issue. But the thing was - it wasn't actually failing, it was passing but wanted us to attest why these ports are open, and it was the Hitron that was causing this. VMB knew what I was talking about and said that moving to static would fix it, which it did. Perhaps if we move back to dynamic, we can explore why these ports are open when the Hitron is in modem mode...

Good suggestion. We have 5 static IPs, 1 router and 4 card machines. If this works, is there any reason the card machines shouldn't be on fixed IPs?

Re: Issue since moving to 5 static IPs
 

i’d also hazard a guess that the ports you saw on dynamic IP weren’t actually open (or more likely closed). VM block a load of ports known to cause security holes/used by trojans (netbios ones), but for some unknown reason instead of just silently dropping traffic, they send back a port closed which shows the port as responding (but closed).

There’s a document somewhere which details the exact port numbers that are affected by this.

https://www.virginmedia.com/help/vir...internet-ports

Re: Issue since moving to 5 static IPs
 

Thanks, that was probably all it was then...