VM Router Mailserver with static IP - VM Business

Calogero · 03-03-2016, 21:04

Hi All,

I have just got my Virgin Media Business 50Mb fibre with 5 static IPs installed. All up and running at nice speeds, Superhub 2 in router mode. The intention is to run my own mailserver on a Raspberry Pi 2. The Pi has Postfix/Dovecot set up and running and been assigned one of the 5 static IPs. I'm now about to open/forward ports 25, 465 and 993 on the Hub, but it's not giving me any option to set it for the public static IP -- only for the LAN IP range (192.168.0.x). So how would I go about pointing the Hub to the static IP?

Any help appreciated!

Cal

rhyds · 03-03-2016, 21:07

If the hub is in routed subnet mode with its firewall off then the ports should be open anyway (I think all of ours are). If you are still running the hub's firewall then I suggest you look at using a firewall on the pi itself.

Calogero · 03-03-2016, 21:36

Hi Rhyds,

diolch yn fawr. Those three ports are indeed open. I'm a bit confused though, are they open by default on raspbian? Because other ports aren't.

C.

ccarmock · 04-03-2016, 19:43

Quote:

Originally Posted by Calogero

Hi All,

I have just got my Virgin Media Business 50Mb fibre with 5 static IPs installed. All up and running at nice speeds, Superhub 2 in router mode. The intention is to run my own mailserver on a Raspberry Pi 2. The Pi has Postfix/Dovecot set up and running and been assigned one of the 5 static IPs. I'm now about to open/forward ports 25, 465 and 993 on the Hub, but it's not giving me any option to set it for the public static IP -- only for the LAN IP range (192.168.0.x). So how would I go about pointing the Hub to the static IP?

Any help appreciated!

Cal

Hhm the Superhub 2 based business service was not one that offered a route subnet. Are you sure you have the Superhub 2?

If you do and you have 192.168.0.x addresses (apart from 192.168.0.1) on the LAN side it is not working in routed subnet mode. In routed subnet mode the LAN side of the device will have one of your public IP addresses on it.

Calogero · 04-03-2016, 20:14

Hey ccarmock,

It's a VMDG480 with business firmware, so I guess you're right. The subnet's set at 255.255.255.248. It looks like the Hub's not doing any NAT with static. The 2 guest SSIDs on the Superhub remain dynamic/sticky, even if the gateway is static. Would have preferred to have my Asus RT66-U do the routing as it's got far better range, but the engineer told me I would need to tunnel to it, and that's beyond what I'm prepared to learn right now!

Anyhow, as rhyds said, it's working now. Just need to get my head around the fact that the Pi needs super-robust firewalling, iptables and fail2ban before I throw her to the hounds!

C.

ccarmock · 04-03-2016, 20:45

Ah yes that's the business SH 1

I would be interested to know which firmware it is running -there were issues with 2.37.13. There is a 2.37.17 available by request from VMB support which is more stable.

You are right - in routed subnet mode it does not perform any NAT. if you want to hang some clients behind it for general browsing and require NAT then you can hang a router off it and do NAT there.

Calogero · 05-03-2016, 10:14

Hey ccarmock,

Thanks for the heads up; I'm indeed running firmware BUS_V2.37.13. I'll hit VM up on Monday to request a firmware update.
Will also hook the Asus up to one of the ethernet ports with its own static, let it do all the firewalling and NAT for the 'personal use' computers/BlackBerry. Last time I tried this, something didn't work, it regularly dropped the connection -- but most likely that was some misconfiguration on my part.

Thanks for all your comments guys, great forum!

C.

ccarmock · 05-03-2016, 11:21

You could do well to ask them to update that firmware. I suspect eventually they'll push it out to all, but I know if you request it they will push it to you now. They did for me.

When you call they don't really seem that aware of the process, but I had more luck when filling in the form HERE If you then select the "Got a Question or Request" option and ask them to push firmware BUS_2.37.17 and quote your account number you should get it. They gave me a date about 4 days ahead when they would do it. For me it happened late on the day they quoted - around 22:30.

Since that version was pushed I have had no stability issues.

Do note though that after a few days the Superhub web GUI will likely become unresponsive - that happens with both versions of the firmware and is due to a low memory condition on the SH1. It does not affect network traffic though, just the ability to manage the device - fixed by turning off & on!

Hopefully they will be keen to upgrade all the old Business SH1's to the new Hitron device when it supports a routed subnet fixed IP option, that currently they only offer with the SH1

Regarding your Asus - no issue with that.... I have much the same config, except am using a Cisco router.

You could connect your asus to another port on the SH1 and configure the WAN address son the ASUS as static and make it the next available fixed IP in the block they supplied, with a 255.255.255.248 mask.

then turn off Wireless on the SH1 and turn it on on the Asus. Then have the Asus provide DHCP and NAT services to devices behind it.

Depending on how the Asus works you might also need a static default route pointing to the public IP address of the SH1

I have virtually that setup now working perfectly. My mailserver though is on a 192.168.x.x address behind the Cisco and I am doing a static NAT for that on the Cisco. Using one fixed IP for general browse traffic and another for the server.

Calogero · 05-03-2016, 11:54

This is all super helpful, ccarmock. Thanks for taking the time. Yeah, engineer said there's a memory issue on the SH, that's after I did something or other and couldn't log on to the GUI until after the auto-disconnect kicked in (3600ms or so). So long as one knows...

I've assigned the Asus a static via WAN port, so just checking DHCP and NAT are working properly. Very glad to hear about your experience using the mailserver behind the Cisco. As long as DNS A and PTR and MX work, yours looks like an even more secure setup. I have been chastised on other forums for being a fool having the Pi do all the firewalling and maintaining security myself, but I've got a pretty robust policy with good iptables, fail2ban and publickey ssh auth for maintenance. Just waiting for my Comodo SSL/TLS cert and all should be good.

C.

ccarmock · 05-03-2016, 11:58

No problem.... so in my case the A and MX records point to the static IP that I have assigned to the mailserver. That is a secondary address on the Cisco router WAN interface. That router then has a static NAT to the 192.168.x.x address of the server.

I do not use the firewall on the VMB SH1 I use the Cisco firewall.

All wireless on the SH1 is turned off and again I use the Cisco wireless, which is far better.