Issue since moving to 5 static IPs
20-11-2019, 19:21   #1
sebyoung

Hi all

I hope someone can shed some light! We were on VMB 350/20 with a dynamic IP for a few years, which was relatively trouble free. Our last PCI DSS compliance scan was showing some ports open when our public IP was scanned, even though nothing was open. After some investigation, it was the Hitron that was to blame (even though it was in modem mode, fed into our Draytek Vigor 2830). VMB knew what I was talking about when I contacted them about it and said the only way to resolve this was to move to multiple static IPs.

So we did. Last Friday, this was complete, I reconfigured the Hitron and Draytek, and all was working okay (although the speed had dropped fairly significantly, but that's another issue).

However, our Verifone credit card terminals stopped logging in and would just say "login failed". But when I removed the VMB connection from our Draytek and let it switch to our ADSL backup, they would login fine. We had no problem with the same setup previously when on a dynamic IP.

I got in touch with Verifone who said this:

Quote:
Unfortunately there are some known issues with Virgin media business network

The issue we have with it is how they sort the traffic on their network. In short terms the transaction gets sent out on one port and comes back on another. The Ocius software does not recognise the response from Virgin which then means that there is not a successful connection.

What I can recommend is that you change your public facing IP address back to Dynamic. This should then allow the device to connect without any issues.

I have raised this with Virgin and am waiting for someone to get back to me. Does anyone know what this is all about and whether there is a way to resolve it without moving back to dynamic?

Thanks in advance.

22-11-2019, 11:36   #2
kev445

What do you get back from:
https://www.speedguide.net/analyzer.php

Please could you copy and paste the "share your results" box? This could give a clue as to what is happening.

22-11-2019, 16:41   #3
sebyoung

Thanks for your reply! Here are the results.

Quote:
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2019.11.22 10:40
IP address: 62.31.xx.xxx
Client OS/browser: Windows 10 (Chrome 78.0.3904.97)

TCP options string: 020405500103030801010402
MSS: 1360
MTU: 1400
TCP Window: 262400 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 1025
Recommended RWINs: 65280, 130560, 261120, 522240, 1044480
BDP limit (200ms): 10496kbps (1312KBytes/s)
BDP limit (500ms): 4198kbps (525KBytes/s)
MTU Discovery: ON
TTL: 113
Timestamps: OFF
SACKs: ON
IP ToS: 00100000 (32)
Precedence: 001 (priority)
Delay: 0 (normal delay)
Throughput: 0 (normal throughput)
Reliability: 0 (normal reliability)
Cost: 0 (normal cost)
Check bit: 0 (correct)
DSCP (DiffServ): CS1 001000 (8) - class 1 (RFC 2474). Similar forwarding behavior to the ToS Precedence field.
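
The "TCP options string" in the analyzer results above can be decoded by hand to confirm the MSS, window scaling and SACK values the report lists. The following Python is an added example, not part of the original post; the function names are illustrative, and the unscaled window of 1025 is taken from the report.

```python
# Added example: decode the SYN option bytes shown as "TCP options string".
import struct

REPORT_OPTIONS = "020405500103030801010402"   # copied from the analyzer report

def parse_tcp_options(hex_string):
    """Walk the kind/length/value list carried in a TCP header's options field."""
    data, opts, i = bytes.fromhex(hex_string), {}, 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP: single padding byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option at offset %d has no length byte" % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d at offset %d" % (length, i))
        value = data[i + 2:i + length]
        if kind == 2 and length == 4:         # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 3 and length == 3:       # Window Scale shift count
            opts["window_scale"] = value[0]
        elif kind == 4 and length == 2:       # SACK Permitted
            opts["sack_permitted"] = True
        elif kind == 8 and length == 10:      # Timestamps (TSval, TSecr)
            opts["timestamps"] = struct.unpack("!II", value)
        else:                                 # keep anything else as raw hex
            opts["kind_%d" % kind] = value.hex()
        i += length
    return opts

def summarise(hex_string, unscaled_window):
    """Derive the figures the report prints from the options plus the raw window."""
    opts = parse_tcp_options(hex_string)
    shift = opts.get("window_scale", 0)
    mss = opts.get("mss")
    return {
        "mss": mss,
        # MSS excludes the 20-byte IPv4 and 20-byte TCP headers (no IP options).
        "implied_mtu": None if mss is None else mss + 40,
        "window_scale": shift,
        "effective_window": unscaled_window << shift,
        "sack_permitted": opts.get("sack_permitted", False),
        "timestamps": "timestamps" in opts,
    }

if __name__ == "__main__":
    print(summarise(REPORT_OPTIONS, 1025))   # 1025 = "Unscaled RWIN" in the report
```

The decoded values match the report: the MSS field is what the "MTU: 1400" line is derived from, and the scaled window equals the "TCP Window" figure.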

22-11-2019, 17:45   #4
kev445

Have you set the MTU to 1400 on the Draytek router for the Virgin media connection?
This may handle the changing of MTU more gracefully compared to the Hitron.

That may resolve the issue for you.

Let us know the outcome.

22-11-2019, 18:00   #5
sebyoung

Thanks Kev, but no dice! New results:

Quote:
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2019.11.22 12:00
IP address: 62.31.xx.xxx
Client OS/browser: Windows 10 (Chrome 78.0.3904.97)

TCP options string: 020405500103030801010402
MSS: 1360
MTU: 1400
TCP Window: 262400 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 1025
Recommended RWINs: 65280, 130560, 261120, 522240, 1044480
BDP limit (200ms): 10496kbps (1312KBytes/s)
BDP limit (500ms): 4198kbps (525KBytes/s)
MTU Discovery: ON
TTL: 113
Timestamps: OFF
SACKs: ON
IP ToS: 00100000 (32)
Precedence: 001 (priority)
Delay: 0 (normal delay)
Throughput: 0 (normal throughput)
Reliability: 0 (normal reliability)
Cost: 0 (normal cost)
Check bit: 0 (correct)
DSCP (DiffServ): CS1 001000 (8) - class 1 (RFC 2474). Similar forwarding behavior to the ToS Precedence field.

22-11-2019, 18:53   #6
kev445

If you leave / set the MTU at 1400 and switch over to your ADSL backup, does it work then?

22-11-2019, 19:12   #7
sebyoung

I just set the MTU on WAN1 (ADSL) to 1400 too and can confirm that they work fine. Just not on the VMB!

23-11-2019, 12:56   #8
sebyoung

Turns out the card machines won't do a keyed 'customer not present' transaction either anymore. I think we'll have to move back to dynamic on Monday.

Appreciate the help so far!

24-11-2019, 13:16   #9
Foo Fighter

If you have both WANs connected on the Draytek then set static IPs on the terminals. You can then create a load balance rule so that those IPs are set to use the ADSL WAN. Make another rule so that other IPs use the Virgin WAN.

24-11-2019, 16:41   #10
kev445

Seb, this has me really stumped…

Unfortunately, if it isn’t an MTU issue, the likelihood of us being able to resolve this ourselves is slim.

Let’s focus on what Verifone are saying, the transaction gets sent out on one port and comes back on another. This is quite an ambiguous statement, making it hard to decipher what they mean.

I’ve been wracking my brain trying to think what it could be, but nothing I come up with makes any sense. It’s unlikely to be TCP/UDP ports, otherwise nothing would work… Any sort of PC port doesn’t even make the remotest bit of sense either.

If you go back to a dynamic IP address, won’t you have the same PCI compliance issue? If you explain the Hitron is outside your firewall, will this appease them?

Alternatively if you know the IP address the terminal is trying to connect to, I would copy and paste a trace route into an e-mail to Virgin Media support… Explain the issue you’re having, the steps you’ve taken to resolve the issue and how it’s working on your ADSL backup with the same router.
Hopefully they’ll be able to diagnose the cause from their end.

25-11-2019, 11:52   #11
fizzyade

Quote:
Originally Posted by kev445
Seb, this has me really stumped…

Unfortunately, if it isn’t an MTU issue, the likelihood of us being able to resolve this ourselves is slim.

Let’s focus on what Verifone are saying, the transaction gets sent out on one port and comes back on another. This is quite an ambiguous statement, making it hard to decipher what they mean.

I’ve been wracking my brain trying to think what it could be, but nothing I come up with makes any sense. It’s unlikely to be TCP/UDP ports, otherwise nothing would work… Any sort of PC port doesn’t even make the remotest bit of sense either.

If you go back to a dynamic IP address, won’t you have the same PCI compliance issue? If you explain the Hitron is outside your firewall, will this appease them?

Alternatively if you know the IP address the terminal is trying to connect to, I would copy and paste a trace route into an e-mail to Virgin Media support… Explain the issue you’re having, the steps you’ve taken to resolve the issue and how it’s working on your ADSL backup with the same router.
Hopefully they’ll be able to diagnose the cause from their end.

Maybe it's an issue with PAT port translation, but then that doesn't explain why it would work on DHCP and not static IP.

OP, have you tried temporarily putting a Verifone device on its own static IP to see if it behaves?

26-11-2019, 13:41   #12
sebyoung

Hi all, sorry for the late reply. Thanks very much for the continued support!

Quote:
Originally Posted by Foo Fighter
If you have both WANs connected on the Draytek then set static IPs on the terminals. You can then create a load balance rule so that those IPs are set to use the ADSL WAN. Make another rule so that other IPs use the Virgin WAN.

This could work, but the whole reason we have ADSL is as a failover, and this would really put us back to having no backup if the ADSL went down.

Quote:
Originally Posted by kev445
Seb, this has me really stumped…

Unfortunately, if it isn’t an MTU issue, the likelihood of us being able to resolve this ourselves is slim.

Let’s focus on what Verifone are saying, the transaction gets sent out on one port and comes back on another. This is quite an ambiguous statement, making it hard to decipher what they mean.

I’ve been wracking my brain trying to think what it could be, but nothing I come up with makes any sense. It’s unlikely to be TCP/UDP ports, otherwise nothing would work… Any sort of PC port doesn’t even make the remotest bit of sense either.

If you go back to a dynamic IP address, won’t you have the same PCI compliance issue? If you explain the Hitron is outside your firewall, will this appease them?

Alternatively if you know the IP address the terminal is trying to connect to, I would copy and paste a trace route into an e-mail to Virgin Media support… Explain the issue you’re having, the steps you’ve taken to resolve the issue and how it’s working on your ADSL backup with the same router.
Hopefully they’ll be able to diagnose the cause from their end.

My feeling is that Verifone's statement isn't technically correct. You're right that if we go back to a dynamic setup, we'll have the same compliance issue. But the thing was - it wasn't actually failing, it was passing but wanted us to attest why these ports are open, and it was the Hitron that was causing this. VMB knew what I was talking about and said that moving to static would fix it, which it did. Perhaps if we move back to dynamic, we can explore why these ports are open when the Hitron is in modem mode...

Quote:
Originally Posted by fizzyade
Maybe it's an issue with PAT port translation, but then that doesn't explain why it would work on DHCP and not static IP.

OP, have you tried temporarily putting a Verifone device on its own static IP to see if it behaves?

Good suggestion. We have 5 static IPs, 1 router and 4 card machines. If this works, is there any reason the card machines shouldn't be on fixed IPs?

26-11-2019, 22:53   #13
fizzyade

I’d also hazard a guess that the ports you saw on dynamic IP weren’t actually open (or more likely closed). VM block a load of ports known to cause security holes/used by trojans (netbios ones), but for some unknown reason instead of just silently dropping traffic, they send back a port closed which shows the port as responding (but closed).

There’s a document somewhere which details the exact port numbers that are affected by this.

https://www.virginmedia.com/help/vir...internet-ports

Last edited by fizzyade; 26-11-2019 at 22:56.
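
The difference described above, between a port that answers "closed" and one whose traffic is silently dropped, can be checked against your own public IP from an outside host. The following Python is an added example, not part of the original post; `probe`, `listening_ports` and `loopback_demo` are illustrative names, and the demo uses only constructed loopback sockets.

```python
# Added example: tell "open", "closed" (RST) and "filtered" (no reply) apart.
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port by how a full connect() attempt ends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: it responds, nothing is listening
    except OSError:
        return "filtered"      # timeout or ICMP error: traffic dropped en route
    finally:
        sock.close()

def listening_ports(states):
    """Ports that completed a handshake; 'closed' ones respond but expose no service."""
    return sorted(port for port, state in states.items() if state == "open")

def loopback_demo():
    """Constructed check: one listening and one unused port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()              # nothing listens here now, so the kernel sends RST
    try:
        states = {p: probe("127.0.0.1", p) for p in (open_port, closed_port)}
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "states": states}

if __name__ == "__main__":
    demo = loopback_demo()
    print(demo["states"], "listening:", listening_ports(demo["states"]))
```

A port reported as "closed" has replied with a reset, which is why a scanner lists it as responding even though no service is reachable on it.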

27-11-2019, 11:44   #14
sebyoung

Quote:
Originally Posted by fizzyade
I’d also hazard a guess that the ports you saw on dynamic IP weren’t actually open (or more likely closed). VM block a load of ports known to cause security holes/used by trojans (netbios ones), but for some unknown reason instead of just silently dropping traffic, they send back a port closed which shows the port as responding (but closed).

There’s a document somewhere which details the exact port numbers that are affected by this.

https://www.virginmedia.com/help/vir...internet-ports

Thanks, that was probably all it was then...