Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 Router, for this I needed to forward RDP (That’s on TCP Port 3389).

Warning: If you need to forward any of the following ports 23 (Telnet), 80 (HTTP) , 443 HTTPS/SSL), 21 (FTP), or 22 (SSH). The Draytek has these reserved for remote management. You will need to change the port number (system Maintenance > Management > Management Port Setup).

Solution

1. Log into the routers web console (default will be a blank username and password, or admin and admin, or admin and blank password).

2. Expand NAT > Select Port Redirection.

2. Give the service a name (Like RDP) > Enter the protocol type TCP or UDP > Enter the internal IP that you want to forward the port to > Tick active > Click OK.

Note: Depending on setup you may see this instead (if that’s the case select the correct public IP)

3. That should be all you need to do, unless the firewall is turned on, if that’s the case expand NAT > Open Ports.

4. Again enter a name in the comment box > The local IP of the machine > and the port details > OK.

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

BT Business ADSL – Configure a 2Wire Router to Allocate a Static (Public) IP Address

KB ID 0000760 

Problem

I know BT are now shipping the BT Business Hub, to their business ADSL clients, but there’s still a few 2Wire routers out there in the wild. Essentially if you have a range of public IP addresses, this is how to allocate one of the public IP addresses to one of your devices. In my case its a Cisco ASA firewall that I need to have a public IP.

Solution

Firstly I’m going to assume the router is working and connected to the internet, if there’s a problem and you need to reset it you will need the following pieces of information.

1. The BT ADSL Username and password.

2. The public IP address range allocated to you by BT (and the IP allocated to the router).

Note: Plug your device into the router before you start, and set it to get its address via DHCP.

1. Connect to the web interface of the 2Wire router (normally http://192.168.1.254) > Settings > Broadband > Link Configuration > Scroll down the page.

2. Locate the ‘Add additional network’ section > Add in the IP address that BT have told you to allocate to the router, the subnet mask will be provided by BT also, but you can work it out with my subnet calculator if you don’t know > Save >Enter the router password if prompted.

Note: By default the password will be the Serial Number of the router, (on the white sticker). If you have forgotten you can reset it.

3. Select the LAN tab > NAT & Address Allocation > Locate your device > Set the firewall to disabled > Address Assignment = Public (Select WAN IP Mapping) > WAN IP Mapping = Public Fixed {The IP address you want to assign} > Save > Enter the password if prompted.

4. This relies on the router providing DHCP, which it will do by default, though you can check on the Private Network tab.

5. Finally either reboot the device you are assigning the IP address to, (or ‘reload’ if it’s a Cisco ASA).

Related Articles, References, Credits, or External Links

NA

BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA Firewall. Note: This is for customers using BOTH ADSL and BT Infinity

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router, (the password initially is on the pull out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally, this is normal, don’t panic.

2. Apply > Wait for the changes to apply.

3. Under business Network > Devices> You should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: additionally if you are installing a firewall you might want to disable the Business Hubs internal firewall. Settings >Port Forwarding > Firewall > “Allow all traffic…” > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address, and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the ‘Devices’ tab, even though it continued to get the correct IP address leased to it from the Business Hub, this persisted after a reload of the firewall – so the hub COULD see it. I tried giving the ASA the correct IP address statically, I also locked the speed and duplex of the ethernet interface (in case it was simply an auto-negotiation error), this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client had his old 2Wire router as soon as I plugged that in everything worked fine.  

 

Update 210414 (and resolution)

Got an email from Nate Morris this week who had been working on this very problem, while debugging the ARP traffic he saw;

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 
0000.0000.0000 arp-in: Arp packet received from 192.168.1.254 which is in different subnet 
than the connected interface 123.123.123.123/255.255.255.248 

[/box]

This pointed to a known problem with Cisco ASA introduced in version 8.3(4). Cisco identified this as bug CSCty95468 (Cisco CCO Login required to view). To resolve this problem you need to allow the ASA to populate its ARP table from a non connected subnet. To do this you need to issue an arp permit-nonconnected command.

[box]

User Access Verification Password: 
Type help or '?' for a list of available commands. 
Petes-ASA> enable 
Password: ******** 
Petes-ASA# configure terminal 
Petes-ASA(config)# arp permit-nonconnected 
Petes-ASA(config)# exit 
Petes-ASA# write mem 
Building configuration... Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea 9449 bytes copied in 1.310 secs (9449 bytes/sec) [OK] 
Petes-ASA# 

[/box]

Update 260213

Got an Email from Andrew Joubert, to say that he had the same problem, and he was using the BT business hub via BT Infinity not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn’t have wait in a queue, and then followed up afterwards to see what the outcome was, if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.

Google Searches Work, But All the Result Links DON’T(BT Broadband)

KB ID 0000740

Problem

I was covering the phone for one of the days over the Christmas period, and a client had rang in with this problem, at first I thought it was simply an EDNS problem like this. However some testing proved DNS was working fine? Then I thought it was an Internet Explorer problem, until Chrome and Firefox did the same. I could go to Google and search for what I wanted,but all the links (and any other URL I tried, with the exception of YouTube strangely), would not work. SMTP/Email worked, as did FTP and everything else I tested? But HTTP and HTTPS would not, with the exception of Google/YouTube.

So I knew the problem was either the router, (a Cisco 1800 with firewall IOS), or the ADSL circuit itself that was causing the problem.

Solution

As BT Business Broadband ADSL circuits don’t usually come with a Cisco Router, I thought if I rang them I’d get the “We didn’t supply or support that router” speech, so I got the client to dig out their supplied (2Wire) router, and asked him to ring BT while I was on-site.

While he was explaining the problem, the Engineer on the other end said, “Unplug the 2Wire and plug the Cisco router back in, I will ring you back…”. This was strange behavior for BT, and I thought we would be the victim of “BT Syndrome“, and sure enough five minutes later is magically fixed itself.

When BT rang back, they explained that this had been imposed on the client, because they were a ‘little late’ paying their bill, (there’s Christmas spirit for you).

Related Articles, References, Credits, or External Links

NA