
Remote Connectivity

hregister
Newbie
Posts: 2
Registered: ‎09-03-2014

Remote Connectivity

Hi,
I have been trying for some time to set up a VPN between two SonicWalls. However, there appear to be issues with specific ports traversing the Metronet/Plusnet network.
Initially I thought this might have been a problem with the Vigor2710 ADSL router catching and blocking the VPN traffic. To test, I configured a DMZ IP address on the router and pointed this to a laptop running Wireshark. I then purchased an Amazon EC2 VPS instance and ran nmap against a variety of ports.
TCP ports 80 and 443 did not reach the promiscuous laptop, neither did UDP port 500. What was interesting is that TCP 3389 and UDP 4500 did.
I figured that without much debugging output on the router, it could still be responsible for blocking this traffic. So, I swapped it with a Cisco 877 router and configured the following basic access lists and NAT rules:

ip nat inside source list acl-NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.15.254 443 interface Dialer0 80
ip nat inside source static tcp 192.168.15.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.15.254 443 interface Dialer0 3389
ip nat inside source static udp 192.168.15.254 500 interface Dialer0 500
ip nat inside source static udp 192.168.15.254 500 interface Dialer0 4500

ip access-list standard acl-NAT
permit 192.168.0.0 0.0.255.255

ip access-list extended atm-in
remark - Access Rule - ATM IN - From WAN to LAN
permit tcp any eq www any
permit tcp any eq 443 any
permit tcp any eq 3389 any
permit udp any eq 500 any
permit udp any eq 4500 any
permit udp any eq bootps host 255.255.255.255 eq bootpc log
deny  icmp any any fragments log
deny  icmp any any time-exceeded log
deny  icmp any any host-unreachable log
permit icmp any any echo-reply log
permit icmp any any packet-too-big log
deny  icmp any any log
permit udp any eq domain any
permit udp any eq ntp any
evaluate tcptraffic
deny  tcp any any log
deny  udp any any log
deny  ip any any log
ip access-list extended atm-out
remark - Access Rule - ATM OUT - From LAN to WAN
permit tcp any any eq www reflect tcptraffic timeout 30
permit tcp any any eq 443 reflect tcptraffic timeout 30
permit tcp any any eq ftp reflect tcptraffic timeout 30
permit tcp any any eq 22 reflect tcptraffic timeout 30
permit tcp any any eq 587 reflect tcptraffic timeout 30
permit tcp any any eq 873 reflect tcptraffic timeout 30
permit tcp any any eq 993 reflect tcptraffic timeout 30
permit tcp any any eq 3389 reflect tcptraffic timeout 30
permit udp any any eq ntp
permit udp any any eq domain
permit udp any any eq 500
permit udp any any eq 4500                                                   
deny  tcp any any log
deny  udp any any log


Looking at the NAT translations I can see outbound traffic hitting these rules and I can browse the internet without issue. From my Amazon instance I ran a number of traceroute commands, which gave the following outputs:

[root@ip-172-31-xx ~]# traceroute -T -p 443 84.51.xx.xx
traceroute to 84.51.xx.xx (84.51.xx.xx), 30 hops max, 60 byte packets
1  ec2-50-112-0-198.us-west-2.compute.amazonaws.com (50.112.0.198)  0.728 ms  0.730 ms  0.560 ms
2  205.251.232.39 (205.251.232.39)  6.239 ms 205.251.232.223 (205.251.232.223)  6.255 ms 205.251.232.39 (205.251.232.39)  6.030 ms
3  205.251.232.216 (205.251.232.216)  0.707 ms 205.251.232.204 (205.251.232.204)  0.937 ms 205.251.232.210 (205.251.232.210)  1.187 ms
4  205.251.232.76 (205.251.232.76)  6.409 ms  13.145 ms 205.251.232.75 (205.251.232.75)  6.748 ms
5  205.251.225.161 (205.251.225.161)  13.135 ms 205.251.225.167 (205.251.225.167)  6.441 ms 205.251.225.161 (205.251.225.161)  13.011 ms
6  ae0-3.sea22.ip4.tinet.net (77.67.68.161)  13.244 ms  13.353 ms  13.312 ms
7  xe-10-0-0.sea23.ip4.tinet.net (89.149.184.166)  13.210 ms xe-11-0-2.sea23.ip4.tinet.net (89.149.184.142)  13.220 ms xe-11-0-1.sea23.ip4.tinet.net (89.149.184.110)  6.402 ms
8  as3356.sea21.ip4.tinet.net (199.229.231.186)  27.569 ms  27.440 ms  27.519 ms
9  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  158.518 ms  157.527 ms  157.539 ms
10  ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54)  158.006 ms  157.842 ms  157.079 ms
11  ae-3-3.ebr1.Chicago2.Level3.net (4.69.132.62)  157.347 ms  156.521 ms  157.640 ms
12  ae-6-6.ebr1.Chicago1.Level3.net (4.69.140.189)  156.555 ms  156.276 ms  157.615 ms
13  ae-2-2.ebr2.NewYork2.Level3.net (4.69.132.66)  157.342 ms  157.822 ms  158.504 ms
14  ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253)  157.336 ms  158.110 ms  157.975 ms
15  ae-46-46.ebr1.NewYork1.Level3.net (4.69.201.41)  157.087 ms ae-4-4.ebr1.NewYork1.Level3.net (4.69.141.17)  157.901 ms ae-47-47.ebr1.NewYork1.Level3.net (4.69.201.45)  159.006 ms
16  ae-41-41.ebr2.London1.Level3.net (4.69.137.65)  157.843 ms ae-42-42.ebr2.London1.Level3.net (4.69.137.69)  156.847 ms ae-41-41.ebr2.London1.Level3.net (4.69.137.65)  156.652 ms
17  ae-57-222.csw2.London1.Level3.net (4.69.153.134)  157.558 ms ae-59-224.csw2.London1.Level3.net (4.69.153.142)  158.263 ms ae-56-221.csw2.London1.Level3.net (4.69.153.130)  157.196 ms
18  ae-25-52.car5.London1.Level3.net (4.69.139.102)  159.407 ms  158.417 ms  164.057 ms
19  PLUSNET-TEC.car5.London1.Level3.net (217.163.45.250)  154.204 ms  145.276 ms  156.536 ms
20  te8-1.ptn-gw01.plus.net (212.159.0.105)  144.579 ms  144.770 ms  145.364 ms
21  link-a-central10.ptn-ag01.plus.net (212.159.2.129)  152.032 ms  145.442 ms  152.065 ms
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
FAIL

[root@ip-172-31-** ~]# traceroute -T -p 22 84.51.xx.xx
traceroute to 84.51.xx.xx (84.51.xx.xx), 30 hops max, 60 byte packets
1  ec2-50-112-0-198.us-west-2.compute.amazonaws.com (50.112.0.198)  0.589 ms  0.778 ms  0.747 ms
2  205.251.232.39 (205.251.232.39)  1.195 ms  5.508 ms  1.017 ms
3  205.251.232.216 (205.251.232.216)  1.949 ms 205.251.232.204 (205.251.232.204)  1.811 ms 205.251.232.210 (205.251.232.210)  40.231 ms
4  205.251.232.78 (205.251.232.78)  6.602 ms 205.251.232.76 (205.251.232.76)  6.650 ms 205.251.232.75 (205.251.232.75)  29.499 ms
5  205.251.225.167 (205.251.225.167)  6.526 ms 205.251.225.165 (205.251.225.165)  13.039 ms  13.241 ms
6  ae0-3.sea22.ip4.tinet.net (77.67.68.161)  13.389 ms  13.275 ms  13.222 ms
7  xe-11-0-0.sea23.ip4.tinet.net (89.149.184.190)  6.543 ms xe-11-0-1.sea23.ip4.tinet.net (89.149.184.110)  6.581 ms xe-11-0-2.sea23.ip4.tinet.net (89.149.184.142)  13.310 ms
8  as3356.sea21.ip4.tinet.net (199.229.231.186)  27.492 ms  27.447 ms  27.214 ms
9  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  157.605 ms  157.587 ms  157.560 ms
10  ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54)  157.883 ms  157.128 ms  157.529 ms
11  ae-3-3.ebr1.Chicago2.Level3.net (4.69.132.62)  157.216 ms  156.817 ms  157.549 ms
12  ae-6-6.ebr1.Chicago1.Level3.net (4.69.140.189)  156.011 ms  157.091 ms  156.713 ms
13  ae-2-2.ebr2.NewYork2.Level3.net (4.69.132.66)  156.484 ms  156.898 ms  157.047 ms
14  ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253)  157.532 ms  157.107 ms  156.964 ms
15  ae-46-46.ebr1.NewYork1.Level3.net (4.69.201.41)  157.661 ms  156.379 ms ae-47-47.ebr1.NewYork1.Level3.net (4.69.201.45)  157.849 ms
16  ae-43-43.ebr2.London1.Level3.net (4.69.137.73)  157.043 ms ae-41-41.ebr2.London1.Level3.net (4.69.137.65)  158.523 ms ae-44-44.ebr2.London1.Level3.net (4.69.137.77)  156.803 ms
17  ae-57-222.csw2.London1.Level3.net (4.69.153.134)  157.470 ms  157.189 ms ae-56-221.csw2.London1.Level3.net (4.69.153.130)  156.890 ms
18  ae-25-52.car5.London1.Level3.net (4.69.139.102)  157.061 ms  156.503 ms  157.313 ms
19  PLUSNET-TEC.car5.London1.Level3.net (217.163.45.250)  147.586 ms  162.177 ms  144.025 ms
20  te8-1.ptn-gw01.plus.net (212.159.0.105)  144.162 ms  143.914 ms  145.144 ms
21  link-a-central10.ptn-ag01.plus.net (212.159.2.129)  311.703 ms  325.580 ms  401.343 ms
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
FAIL

[root@ip-172-31-xx ~]# traceroute -T -p 3389 84.51.xx.xx
traceroute to 84.51.xx.xx (84.51.xx.xx), 30 hops max, 60 byte packets
1  ec2-50-112-0-198.us-west-2.compute.amazonaws.com (50.112.0.198)  1.000 ms  0.850 ms  0.738 ms
2  205.251.232.223 (205.251.232.223)  0.751 ms  0.973 ms  0.778 ms
3  205.251.232.210 (205.251.232.210)  1.121 ms 205.251.232.198 (205.251.232.198)  3.147 ms 205.251.232.216 (205.251.232.216)  1.284 ms
4  205.251.232.73 (205.251.232.73)  13.227 ms 205.251.232.78 (205.251.232.78)  13.387 ms 205.251.232.75 (205.251.232.75)  13.239 ms
5  205.251.225.161 (205.251.225.161)  13.052 ms  12.948 ms 205.251.225.163 (205.251.225.163)  13.185 ms
6  ae0-3.sea22.ip4.tinet.net (77.67.68.161)  31.507 ms  13.303 ms  13.315 ms
7  xe-10-0-0.sea23.ip4.tinet.net (89.149.184.166)  13.197 ms xe-11-0-2.sea23.ip4.tinet.net (89.149.184.142)  13.287 ms xe-11-0-1.sea23.ip4.tinet.net (89.149.184.110)  6.702 ms
8  as3356.sea21.ip4.tinet.net (199.229.231.186)  27.499 ms  27.544 ms  27.420 ms
9  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  157.515 ms  157.657 ms  157.282 ms
10  ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54)  157.209 ms  157.561 ms  157.143 ms
11  ae-3-3.ebr1.Chicago2.Level3.net (4.69.132.62)  157.330 ms  155.939 ms  155.952 ms
12  ae-6-6.ebr1.Chicago1.Level3.net (4.69.140.189)  158.073 ms  171.580 ms  157.579 ms
13  ae-2-2.ebr2.NewYork2.Level3.net (4.69.132.66)  156.406 ms  157.249 ms  157.545 ms
14  ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253)  156.446 ms  157.868 ms  157.012 ms
15  ae-48-48.ebr1.NewYork1.Level3.net (4.69.201.49)  157.749 ms ae-46-46.ebr1.NewYork1.Level3.net (4.69.201.41)  156.856 ms ae-47-47.ebr1.NewYork1.Level3.net (4.69.201.45)  157.637 ms
16  ae-44-44.ebr2.London1.Level3.net (4.69.137.77)  157.522 ms  157.310 ms ae-42-42.ebr2.London1.Level3.net (4.69.137.69)  156.141 ms
17  ae-56-221.csw2.London1.Level3.net (4.69.153.130)  157.947 ms ae-58-223.csw2.London1.Level3.net (4.69.153.138)  165.049 ms ae-57-222.csw2.London1.Level3.net (4.69.153.134)  164.496 ms
18  ae-25-52.car5.London1.Level3.net (4.69.139.102)  195.437 ms  195.440 ms  195.054 ms
19  PLUSNET-TEC.car5.London1.Level3.net (217.163.45.250)  148.364 ms  150.752 ms  154.817 ms
20  te8-1.ptn-gw01.plus.net (212.159.0.105)  144.893 ms  144.113 ms  145.191 ms
21  link-a-central10.ptn-ag01.plus.net (212.159.2.129)  149.224 ms  169.848 ms  157.888 ms
22  84.51.xx.xx.xxxxx850.adsl.metronet.co.uk (84.51.xx.xx)  170.008 ms  172.847 ms  170.069 ms
SUCCESS

[root@ip-172-31-xx ~]# traceroute -U 84.51.xx.xx
traceroute to 84.51.xx.xx (84.51.xx.xx), 30 hops max, 60 byte packets
1  ec2-50-112-0-198.us-west-2.compute.amazonaws.com (50.112.0.198)  0.824 ms  0.687 ms  0.793 ms
2  205.251.232.39 (205.251.232.39)  0.843 ms  0.736 ms 205.251.232.223 (205.251.232.223)  0.816 ms
3  205.251.232.210 (205.251.232.210)  0.762 ms 205.251.232.216 (205.251.232.216)  0.896 ms 205.251.232.198 (205.251.232.198)  0.945 ms
4  205.251.232.73 (205.251.232.73)  13.250 ms 205.251.232.76 (205.251.232.76)  13.477 ms 205.251.232.73 (205.251.232.73)  6.669 ms
5  205.251.225.161 (205.251.225.161)  12.985 ms 205.251.225.163 (205.251.225.163)  13.115 ms 205.251.225.165 (205.251.225.165)  13.091 ms
6  ae0-3.sea22.ip4.tinet.net (77.67.68.161)  13.263 ms  13.286 ms  13.184 ms
7  xe-10-0-0.sea23.ip4.tinet.net (89.149.184.166)  13.395 ms xe-11-0-2.sea23.ip4.tinet.net (89.149.184.142)  13.232 ms xe-11-0-1.sea23.ip4.tinet.net (89.149.184.110)  6.337 ms
8  as3356.sea21.ip4.tinet.net (199.229.231.186)  27.257 ms  27.426 ms  27.335 ms
9  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  157.328 ms  157.531 ms  157.432 ms
10  ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54)  157.634 ms  157.278 ms  157.481 ms
11  ae-3-3.ebr1.Chicago2.Level3.net (4.69.132.62)  157.445 ms  158.896 ms  156.700 ms
12  ae-6-6.ebr1.Chicago1.Level3.net (4.69.140.189)  157.548 ms  158.489 ms  157.567 ms
13  ae-2-2.ebr2.NewYork2.Level3.net (4.69.132.66)  157.040 ms  163.615 ms  156.230 ms
14  ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253)  157.045 ms  157.770 ms  157.128 ms
15  ae-47-47.ebr1.NewYork1.Level3.net (4.69.201.45)  157.255 ms  156.907 ms ae-46-46.ebr1.NewYork1.Level3.net (4.69.201.41)  157.861 ms
16  ae-42-42.ebr2.London1.Level3.net (4.69.137.69)  157.033 ms  157.557 ms ae-43-43.ebr2.London1.Level3.net (4.69.137.73)  157.383 ms
17  ae-57-222.csw2.London1.Level3.net (4.69.153.134)  157.174 ms ae-59-224.csw2.London1.Level3.net (4.69.153.142)  158.480 ms ae-58-223.csw2.London1.Level3.net (4.69.153.138)  157.297 ms
18  ae-25-52.car5.London1.Level3.net (4.69.139.102)  223.244 ms  222.380 ms  211.209 ms
19  PLUSNET-TEC.car5.London1.Level3.net (217.163.45.250)  150.541 ms  151.417 ms  150.911 ms
20  te8-1.ptn-gw01.plus.net (212.159.0.105)  152.123 ms  152.046 ms  151.246 ms
21  link-a-central10.ptn-ag01.plus.net (212.159.2.129)  176.127 ms  176.710 ms  175.574 ms
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
FAIL

[root@ip-172-31-xx ~]# traceroute -I 84.51.xx.xx
traceroute to 84.51.xx.xx (84.51.xx.xx), 30 hops max, 60 byte packets
1  ec2-50-112-0-198.us-west-2.compute.amazonaws.com (50.112.0.198)  0.764 ms  0.849 ms  0.776 ms
2  205.251.232.39 (205.251.232.39)  0.745 ms  0.911 ms  0.829 ms
3  205.251.232.210 (205.251.232.210)  0.961 ms  0.920 ms  1.040 ms
4  205.251.232.76 (205.251.232.76)  13.094 ms  6.646 ms  13.548 ms
5  205.251.225.165 (205.251.225.165)  13.184 ms  13.072 ms  13.171 ms
6  ae0-3.sea22.ip4.tinet.net (77.67.68.161)  12.987 ms  13.184 ms  12.984 ms
7  xe-10-0-0.sea23.ip4.tinet.net (89.149.184.166)  13.138 ms  13.511 ms  13.302 ms
8  as3356.sea21.ip4.tinet.net (199.229.231.186)  35.566 ms  34.949 ms  34.722 ms
9  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  157.316 ms  157.651 ms  157.440 ms
10  ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54)  156.982 ms  157.080 ms  157.219 ms
11  ae-3-3.ebr1.Chicago2.Level3.net (4.69.132.62)  156.987 ms  156.902 ms  156.940 ms
12  ae-6-6.ebr1.Chicago1.Level3.net (4.69.140.189)  157.036 ms  157.194 ms  157.005 ms
13  ae-2-2.ebr2.NewYork2.Level3.net (4.69.132.66)  156.980 ms  156.773 ms  156.799 ms
14  ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253)  157.338 ms  157.293 ms  157.057 ms
15  ae-47-47.ebr1.NewYork1.Level3.net (4.69.201.45)  156.992 ms  157.235 ms ae-4-4.ebr1.NewYork1.Level3.net (4.69.141.17)  157.266 ms
16  ae-44-44.ebr2.London1.Level3.net (4.69.137.77)  156.919 ms  156.874 ms  156.855 ms
17  ae-59-224.csw2.London1.Level3.net (4.69.153.142)  157.433 ms  157.444 ms  157.500 ms
18  ae-25-52.car5.London1.Level3.net (4.69.139.102)  191.268 ms  190.619 ms  169.979 ms
19  PLUSNET-TEC.car5.London1.Level3.net (217.163.45.250)  162.101 ms  161.691 ms  162.178 ms
20  te8-1.ptn-gw01.plus.net (212.159.0.105)  146.028 ms  145.981 ms  146.013 ms
21  link-a-central10.ptn-ag01.plus.net (212.159.2.129)  154.785 ms  154.442 ms  154.747 ms
22  84-51-xx-xx.xxxxx850.adsl.metronet.co.uk (84.51.xx.xx)  170.010 ms !X * *
SUCCESS

This is also confirmed by the nmap results.

From looking at these results it implies that there is some sort of filtering being applied at link-a-central10.ptn-ag01.plus.net. Has anyone else experienced this?

I tried to raise this with technical support; however, I received the following response.

---------
Dear Adam,
Thank you for getting back in touch regarding your query into port blocking.
I would like to begin by assuring you that we are not blocking any ports on the network as this does not benefit us in any way.
Please allow this to put your mind at rest, as I am part of the second line support team and can confirm that the information supplied so far is correct. Also that any kind of networking issues, Port forwarding, VPN etc are not supported by the teams working these tickets.
I do not wish to waste your time any further on this matter and ask that you direct any further support requirements to the Community pages or a 3rd party support team.
---------

Although this is affecting my VPN setup, I think this is more of a networking issue. Grateful for any assistance you might be able to offer.
Many thanks,
Adam
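
Added example (editor's illustration, not part of the original post): the comparison made above, done programmatically. It parses traceroute output for several probe types and reports which probes reached the target and whether the blocked ones all went silent after the same hop. The sample traces, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")               # "<hop>  <rest of line>"
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" responder

def parse_hops(text):
    """Return [(hop, [responder IPs])]; a '* * *' hop yields an empty list."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ADDR_RE.findall(m.group(2))))
    return hops

def summarize(text, target):
    """Report whether the target answered and which hop answered last."""
    answered = [(n, ips) for n, ips in parse_hops(text) if ips]
    hop, ips = answered[-1] if answered else (0, [])
    return {"reached": target in ips, "last_hop": hop, "last_ips": sorted(set(ips))}

def localize(traces, target):
    """Compare probe types: if some reach the target and the rest all go silent
    after the same hop, the drop is selective and sits at or beyond the next
    device (which may be the customer router itself)."""
    res = {label: summarize(text, target) for label, text in traces.items()}
    ok = sorted(l for l, r in res.items() if r["reached"])
    blocked = sorted(l for l, r in res.items() if not r["reached"])
    edges = {tuple(res[l]["last_ips"]) for l in blocked}
    return {"reached": ok, "blocked": blocked, "selective": bool(ok and blocked),
            "common_last_hop": list(edges.pop()) if len(edges) == 1 else None}

# Constructed sample output (documentation addresses, shortened paths).
TARGET = "203.0.113.10"
HEAD = (" 1  gw.example.net (192.0.2.1)  0.7 ms  0.7 ms  0.6 ms\n"
        " 2  agg.isp.example (198.51.100.129)  152.0 ms  145.4 ms  152.1 ms\n")
SILENT = " 3  * * *\n 4  * * *\n"
SAMPLE = {
    "tcp/443": HEAD + SILENT,
    "tcp/22": HEAD + SILENT,
    "udp": HEAD + SILENT,
    "tcp/3389": HEAD + " 3  cpe.example (203.0.113.10)  170.0 ms  172.8 ms  170.1 ms\n",
    "icmp": HEAD + " 3  cpe.example (203.0.113.10)  170.0 ms !X * *\n",
}

if __name__ == "__main__":
    print(localize(SAMPLE, TARGET))
```

A common last hop only bounds the location of the drop: traceroute alone cannot tell a filter on the provider's side from one on the destination router, so a packet capture on the WAN side of the router is the check that separates the two.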
3 REPLIES
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Remote Connectivity

The Plusnet firewall is set to 'Off' or 'Low' I assume?
https://portal.plus.net/my.html?action=firewall
hregister
Newbie
Posts: 2
Registered: ‎09-03-2014

Re: Remote Connectivity

EDIT: Apologies, it turns out there is a firewall in the Metronet Portal; however, when you browse to the firewall page, reauth.php is called and it's not possible to select 'turn off'. I've raised this with support so hopefully it will be resolved soon. Thanks for your help.
---------
I don't have a Plusnet portal, only a Metronet one, as they were bought out by Plusnet. In there I don't have the option to configure a firewall...
Plusnet Staff
Plusnet Staff
Posts: 6,346
Thanks: 31
Fixes: 5
Registered: ‎26-11-2011

Re: Remote Connectivity

Do you have the ticket reference so we can take a look at that for you?
Chris Pettitt
Cloud Environments Engineer