Superhub How can I configure Shub2ac?

andrewclark · 09-05-2015, 21:57

I have been using a combination of the older Virgin Superhub and a Draytek Vigor 2900 but recently found I could not get the upgraded speed of 50Mb/s.
Virgin sent me a new Superhub 2AC but in the meantime I discovered that the (10 year old) Draytek 2900 just can't cope with more than 20Mb/s so I have changed it for a much faster 2920n.
The problem I have is getting the new Shub to output an IP address to the Draytek that is NOT in the internal IP range that I am using (192.168.0.x).
On the old Shub I was able to set its LAN-facing IP to 192.168.2.2 which the Firewall saw as a "WAN IP" and that worked fine. The new one won't accept that: "LAN ip address and cable modem IP address cannot be on same subnet". Of course it can't.
Virgin suggested trying a higher subnet number of 192.168.5.1 as the lower ones were reserved but it won't accept that either!
I'm baffled as to how to get this to work, but surely this must a common setup to have your own Firewall and not rely on the Shub to be the only layer of protection.
(BTW I am testing it unconnected to the cable network at present as I need to keep my current internet connection live until I can be sure this will work).
Any advice appreciated.
TIA.
Andrew

qasdfdsaq · 10-05-2015, 01:20

Uhh why are you trying to use double NAT at all?

Just put it in modem mode and bypass the Superhub's IP settings completely...

jb66 · 10-05-2015, 07:58

Or just use the hub

andrewclark · 10-05-2015, 09:57

Quote:

Originally Posted by qasdfdsaq

Uhh why are you trying to use double NAT at all?

Just put it in modem mode and bypass the Superhub's IP settings completely...

Because in modem mode you can't use the only valuable feature of Shub2ac, the dual wireless, which I use for other devices around the house when my main PC and firewall are shut down.

I was able to configure it on the old Shub. Just need a procedure to replicate it with the new one.

---------- Post added at 10:57 ---------- Previous post was at 10:56 ----------

Quote:

Originally Posted by jb66

Or just use the hub

Hub is only 4 ports. I already use 8, and the firewall additional 4.

**Hugh** · 10-05-2015, 12:09

I use the SH2AC downstairs and a Tenda N600 upstairs for WiFi throughout the house (both using dual band).

The Tenda is connected by Cat6 cable, and I just use it for WiFi, so just reserved a DHCP address for it on the SH2AC, and that works for me.

qasdfdsaq · 10-05-2015, 14:46

Quote:

Originally Posted by andrewclark

Because in modem mode you can't use the only valuable feature of Shub2ac, the dual wireless, which I use for other devices around the house when my main PC and firewall are shut down.

So you're unwilling to trust the Superhub's firewall to protect your PC but you're willing to trust it to protect everything else that is more vulnerable?

Hmmm.

andrewclark · 10-05-2015, 17:07

Quote:

Originally Posted by qasdfdsaq

So you're unwilling to trust the Superhub's firewall to protect your PC but you're willing to trust it to protect everything else that is more vulnerable?

Hmmm.

Well I don't really want to turn this into a debate about the vulnerabilities of Windows compared with fetching email on Android and iPad but my money would not be on the security provided by Microsoft who constantly have to patch even current Windows versions every month.

A Draytek box has kept me completely secure for over 10 years, offers Stateful Packet Inspection, DoS protection, flexible content filters and much more and I am happy to continue putting my faith in it if someone will just answer my query.

Jong1 · 10-05-2015, 17:14

I think you need to explain exactly what you are trying to set on the SuperHub that leads to this error, because on the face of it what you are doing is really straight forward.

On the SH2, set the SH2's LAN IP to 192.168.x.1 (I would always use .1 rather than .2 for the SuperHub) in DHCP Settings and the Draytek to 192.168.x.2 in DHCP Reservation, for example.

On the Draytek, you then setup your Draytek as a router on a different subnet (if x=2, then the Draytek subnet could be 192.168.0.* or 192.168.1.*. With the normal issues around double nating this should work fine.

This should all "just work", so it sounds like you are getting confused somewhere and it would help if you spelt out exactly what you are setting and where.

But the reason people are replying some what quizzically to this question is because what you are doing is not at all, in your words, "common". There are two things people commonly do:

- Use another router altogether. Here they put the SuperHub into "modem mode" and don't use the superhub' firewall or WiFi at all

- Use the SuperHub as the router and firewall but extend their network by using a second router as an "Access Point" (AP). Here the second device (eg. Your Draytek) has its firewall and its DHCP server disabled (either by explicitly settings "AP Mode", or by manually disabling them, and is assigned a static IP on the same subnet as the rest of the LAN. The AP provides 3/4 more LAN ports and another WIFi network to reach the parts the SuperHub cannot reach

You seem to be trying to use the Draytek to provide a 2nd firewall/NAT, but only for some devices (not those that connect directly to the SuperHub by Ethernet or WiFi) and maybe a 2nd wifi network. This is very unusual and could cause problems ("double NATing" is not generally a good idea). But, double NAT issues aside there is no reason why what you are doing should simply "not work". I'd recommend you decide either to use your Draytek as a router/firewall, if not happy with the SH2's, leave it on all the time and put the SH2 into modem mode, or use the Draytek as an AP to provide extended wifi and more ports. Ethernet switches are dirt cheap these days if you just need more LAN ports. But if you really want to do things your way it should be really easy, so tell us exactly what you are doing on the SH2 and I'm sure it can work.

Eeeps · 10-05-2015, 17:38

Quote:

Originally Posted by andrewclark

Well I don't really want to turn this into a debate about the vulnerabilities of Windows compared with fetching email on Android and iPad but my money would not be on the security provided by Microsoft who constantly have to patch even current Windows versions every month.

A Draytek box has kept me completely secure for over 10 years, offers Stateful Packet Inspection, DoS protection, flexible content filters and much more and I am happy to continue putting my faith in it if someone will just answer my query.

Here's my guess as to what is happening.

Because the SH is not connected on the cable side it will have a default subnet mask of 0.0.0.0

The guess I'm making is that the SH software does a very simple validity check using this mask. Unfortunately this mask is for one subnet that encompasses all IP addresses. Any LAN side address you choose will this be in that range.

Try connecting the modem to the cable so it gets a proper subnet mask.

Ian

andrewclark · 10-05-2015, 18:47

Quote:

Originally Posted by Jong1

I think you need to explain exactly what you are trying to set on the SuperHub that leads to this error, because on the face of it what you are doing is really straight forward.

On the SH2, set the SH2's LAN IP to 192.168.x.1 (I would always use .1 rather than .2 for the SuperHub) in DHCP Settings and the Draytek to 192.168.x.2 in DHCP Reservation, for example.

On the Draytek, you then setup your Draytek as a router on a different subnet (if x=2, then the Draytek subnet could be 192.168.0.* or 192.168.1.*. With the normal issues around double nating this should work fine.

This should all "just work", so it sounds like you are getting confused somewhere and it would help if you spelt out exactly what you are setting and where.

But the reason people are replying some what quizzically to this question is because what you are doing is not at all, in your words, "common". There are two things people commonly do:

- Use another router altogether. Here they put the SuperHub into "modem mode" and don't use the superhub' firewall or WiFi at all

- Use the SuperHub as the router and firewall but extend their network by using a second router as an "Access Point" (AP). Here the second device (eg. Your Draytek) has its firewall and its DHCP server disabled (either by explicitly settings "AP Mode", or by manually disabling them, and is assigned a static IP on the same subnet as the rest of the LAN. The AP provides 3/4 more LAN ports and another WIFi network to reach the parts the SuperHub cannot reach

You seem to be trying to use the Draytek to provide a 2nd firewall/NAT, but only for some devices (not those that connect directly to the SuperHub by Ethernet or WiFi) and maybe a 2nd wifi network. This is very unusual and could cause problems ("double NATing" is not generally a good idea). But, double NAT issues aside there is no reason why what you are doing should simply "not work". I'd recommend you decide either to use your Draytek as a router/firewall, if not happy with the SH2's, leave it on all the time and put the SH2 into modem mode, or use the Draytek as an AP to provide extended wifi and more ports. Ethernet switches are dirt cheap these days if you just need more LAN ports. But if you really want to do things your way it should be really easy, so tell us exactly what you are doing on the SH2 and I'm sure it can work.

Hi Jong

Thanks for your very full and considered reply.

I don't profess to be any kind of network expert (although I have worked in IT for 30 years) and it may be that I am missing something here. (Ian has suggested another possibility that the error is being generated by the Shub2ac not being connected to cable, but I have not yet activated this unit and didn't want to until I was sure I could use this hub as the old one still works fine - so I cannot currently check that theory).

My basic assumption (possibly wrong) was that my firewall would have to run different subnets on the WAN and LAN side to work.

If that is not the case then there is, as you say, no need for all this double-NATing.

At present my firewall LAN IP is set to 192.168.0.1 to match my existing Home/Office network which has a number of fixed-IP devices like print servers etc. in the range 192.168.0.x and remaining ones allocated via DHCP. I could change that if necessary but with a lot of hassle. However that is also the default IP address of the Shub2ac so I set out to change that first as it will cause an IP conflict.

As I explained in the original post I started trying to set it to 192.168.2.1 (which happens to be what the old Shub is set to and it allocates 192.168.2.2 to the WAN side of my old Draytek). That generates the error message I gave above.

I have currently set Shub2ac at 192.168.0.100 and got the Firewall connected to it and receiving 192.168.0.101 as its DHCP-allocated WAN IP.

If that is a valid configuration with both sides of the firewall in the same subnet I will happily run with that, but I'd like you to confirm that that is correct, if you will, before I attempt to activate the Shub2ac with Virgin.

Regards
Andrew

---------- Post added at 19:47 ---------- Previous post was at 19:42 ----------

Ian

You could well be correct.

However connecting the Shub2ac to the cable does not result in it being given a WAN IP by Virgin at present so I would probably have to ring them to get the device activated properly. I am reluctant to do that until I can prove that it will work with my firewall (see my fuller response to Jong1 above).

Regards
Andrew

Jong1 · 10-05-2015, 19:47

I wouldn't recommend having the LAN and WAN side of the Draytek on the same subnet. Maybe it might work, but it could also cause some even more weird problems down the line.

It's very odd that setting the SH2 to 192.168.2.1 and letting the SH2 assign an address for the Draytek doesn't work. ???. If 192.168.0.100 works it doesn't sound like it could be because you are not connected to the Virgin network, although I guess anything is possible. You didn't mess around with the subnet mask did you? Have you tried 192.168.1.1? If that doesn't work either I think it would be useful to have ALL the settings you have changed on the SH2. Maybe do a hard reset, then set it up, then grab screenshots of all the SH2 settings you have changed. I'll admit I've never tried to use any IP other than 192.168.0.1, but 192.168.x.1 should work.

andrewclark · 10-05-2015, 20:50

Hi Jong
>I wouldn't recommend having the LAN and WAN side of the Draytek on the same subnet. Maybe it might work, but it could also cause some even more weird problems down the line.
Fine. I won't go with that then.
>It's very odd that setting the SH2 to 192.168.2.1 and letting the SH2 assign an address for the Draytek doesn't work. ???
It is, but a Virgin Tech agreed that 1.1, 2.1 up to 4.1 were reserved for the Guest SSIDs on this box. He suggested trying 5.1 but that doesn't work either. All give the error message and don't actually change the setting.
Anyway the Subnet Mask (which I have not changed) is 255.255.255.0 and only the last octet can be modified.
I have changed very little on the settings in the Shub2ac - just the DHCP Settings and tried enabling one of the Guest Networks to prove it really does allocate addresses in the 1.x range. And I have reset to Factory Settings twice to start again.
I think I am only left with two choices if I am going to use this box:-
1. Use Modem Mode and forget the nice dual-Wireless with 5GHz band.
2. Revert the box to Factory Defaults and IP 192.168.0.1 and change everything else on my network to 1.x.

Unless anyone can come up with another solution?

Or I could just abandon this new hub and revert to my old one which works fine in Router Mode with the new firewall! (I don't know about any issues with double NAT - would need to get more info on that. Perhaps someone can enlighten me?).

Regards
Andrew

Jong1 · 10-05-2015, 21:43

Maybe they reserve the bottom 3 or 4 bits. You could try 192.168.16.1 or up. Just an idea. "4" is binary 100, so if they are applying a hidden mask probably all up to 7 at least are reserved. Sorry if we're just guessing now!

andrewclark · 10-05-2015, 21:55

Hi Jong
I have messed around with this for days so for now I am going to run with the old router and the new firewall and change all my IP's to 1.x. When I am sure everything is OK I may move over to the new Shub2ac and just use it's default IP.
Many thanks for all your input to date - everyone!

qasdfdsaq · 11-05-2015, 00:00

Quote:

Originally Posted by Jong1

Maybe they reserve the bottom 3 or 4 bits. You could try 192.168.16.1 or up. Just an idea. "4" is binary 100, so if they are applying a hidden mask probably all up to 7 at least are reserved. Sorry if we're just guessing now!

It should accept pretty much .anything other than 0, 1, and 2. The Superhubs are far more flexible than certain competitors' routers, it doesn't even have to be in the 192.168. range. You could set it to 10.69.69.69 if you felt like it.