Best practice advice required for DSE 1169 & USR8054 Wireless network...

Forums › New Zealand Broadband › Best practice advice required for DSE 1169 & USR8054 Wireless network...

BadCam

103 posts

Master Geek

Topic # 9999 29-Oct-2006 14:44

Hi Geekzone patrons.

I'm after ANY advice you can give me on how best to set up my home network. Where am i going wrong & what can i do to improve how i have things set up? I have a few specific questions, but if anyone can think of anything else that may be helpful, please do chip in. First some info about my existing setup:

Telecom Adventure
DSE1169 router Rev 3 REL9 v5 Firmware REL9P-B1
USR8054 Wireless router
PC (which I'm using here) connected wireless via Belkin F5D 7050 USB device
Laptop connected via USR5410

The DSE router has an Lan IP of 192.168.1.2 subnet 255.255.255.0 which connects to the USR8054 through the USR's WAN port. The USR has a WAN IP of 192.168.1.3 and LAN IP of 192.168.123.254. DHCP is turned off and the laptop and PC have static IP addresses of 192.168.123.XXX etc

NAT is active on both routers. The PC has the free version of Zone Alarm and the laptop has no firewall as it is just used for surfing & if it fries can be rebuilt reasonably quickly.
WEP 128 is enabled, SSID broadcast is off and MAC filtering is on. I can't seem to get the Belkin & the USR8054 to communicate with WPA otherwise I would be using that.

Should I set up the USR so that it is conneected to the DSE via the Lan port & not the WAN. Should I activate the firewall on the USR, and if so, how do i do this?

I use Skype a LOT. I have friends all over the world and Skype saves me an absolute fortune in toll bills. Since telecom have introduced Go large skype doesn't seem to be performing well so I tried port forwarding. I opened the ports on the DSE router for the IP of the USR8054 192.168.1.3 & then the ports on the USR8054 for IP 192.168.123.XXX for the PC for both UDP & TCP traffic. Is this correct? I know that the DSE port is seen by www.grc.com as open but it doesn't seem to be making any difference with skype. How do i know if I have portforwarded correctly? Can i filter traffic through the port open to my PC only, so that it doesn't act as a security risk for the laptop? Skype is set up under tools to look for the open port. Could it be because NAT is enabled on both routers and this is causing soe network confusion?

I understand that I can upgrade the DSE router to the equivalent of an XH1175 using a firmware upgrade and a spare jumper. Has anyone tried this, and what beniefit would i get from doing this? Is it difficult to do? and is it worth the trouble of doing so?

Thanks y'all. ANY advice at all would be more than welcome.

barf

643 posts

Ultimate Geek

Reply # 50164 29-Oct-2006 15:12

Hi BadCam and welcome to to geekzone
You have some good equipment there, but using two networks both with NAT (aka double NAT) is not a good practice and could be why your Skype isn't working.
Connect the USR wireless AP to your DSE modem-router via it's LAN port. This uses the USR as a bridge instead of a router (a bridge is like connecting two hubs or switches together). Before doing so, setup the LAN IP of the USR to something like 192.168.1.1 then, make sure the USR's DHCP server is off and the DSE's DHCP server is on. Setup your laptop and PC to use DHCP (automatically assign IP) and the DSE should assign IPs, via wireless, to your computers.

You should now have one network instead of two which will make port forwarding much easier.
There is little difference between the 1169 and 1175 that I can see.

If you feel like going the whole nine yards you could use PPP-half-bridge on the DSE and plug it into the USR's WAN port and set that port to be a DHCP client. Using this solution is technically the best but has some caveats. You cannot plug anything except the USR's WAN port into the DSE and any wired stations you have would need to be plugged into the USR's LAN ports. Then you could use the firewalling features of the USR properly and do all your port forwarding on that. (PPP half bridge changes the DHCP server to propagate an Internet IP instead of a LAN IP and as such can only have one client)

Sniffing the glue holding the Internet together

BadCam

103 posts

Master Geek

Reply # 50170 29-Oct-2006 16:26

Barf

Thanks for the welcome and response. I might just have a go at setting up the single network sometime this week, but that last suggestion sounds great. Would it be possible to step me through that? Why exactly is it better?

Do I need to enable bridge filtering on the DSE router for instance? Is this PPP-half-bridge? I already have the DSE connected via the USR's WAN port, do I not? How do I set the WAN port to be the DHCP client. I assume that I enable DHCP server under the DSE Lan configuration. Does DHCP gateway selection need to be set?

You say that: "You cannot plug anything except the USR's WAN port into the DSE and any wired stations you have would need to be plugged into the USR's LAN ports."

Nothing is currently, nor do i intend to plug anything into the DSE ports apart from the USR WAN. The only device I have connected (which I forgot to mention is a Brother multifunction printer plugged into a LAN port on the USR. Any future additional devices would be wireless. Did I understand you correctly?

I'm sorry, I understand a lot of this stuff (or at least, muddle my way through it), but could you please clarify this for me?:
"PPP half bridge changes the DHCP server to propagate an Internet IP instead of a LAN IP and as such can only have one client"
What do you mean by one client and by propagating an internet IP?

How would I set up the firewall using the DSE configuration? How can I filter the Skype traffic so that it just goes to the PC?

I'm trying to contain myself here. You don't know what sort of monster you have unleashed by responding to my message. Thanks anyway.

barf

643 posts

Ultimate Geek

Reply # 50173 29-Oct-2006 17:02

BadCam: Barf

Thanks for the welcome and response. I might just have a go at setting up the single network sometime this week, but that last suggestion sounds great. Would it be possible to step me through that? Why exactly is it better?

It is better because NAT is a problem. IPs that start with 192.168. 172.16. and 10. are special private network addresses that are unreachable from the Internet, hence port forwarding which translates packets destined to your internet IP to a LAN IP (for example skype packets would hit your router and not your PC if you diddn't port-forward). When using NAT (ie default config on the DSE) the Internet IP is in the router, but by using PPP half-bridge you can let a computer or another router have that precious Internet IP.

Do I need to enable bridge filtering on the DSE router for instance? Is this PPP-half-bridge?

I already have the DSE connected via the USR's WAN port, do I not? How do I set the WAN port to be the DHCP client. I assume that I enable DHCP server under the DSE Lan configuration. Does DHCP gateway selection need to be set?

To enable PPP half-bridge goto the DSE's web-based config and click 'Misc Configuration' then click 'for help on this page' at the top and follow the instructions for enabling PPP half bridge there. Ignore all other settings and follow the instructions. If it doesn't work you might need to factory-reset and put in your ISP username & password, save & reboot, then try again. If the USR got it's WAN IP automatically it is already a DHCP client and you won't need to make any changes to your USR's WAN port configuration, otherwise it should be obvious where to enable it in the configuration.

You say that: "You cannot plug anything except the USR's WAN port into the DSE and any wired stations you have would need to be plugged into the USR's LAN ports."

Nothing is currently, nor do i intend to plug anything into the DSE ports apart from the USR WAN. The only device I have connected (which I forgot to mention is a Brother multifunction printer plugged into a LAN port on the USR. Any future additional devices would be wireless. Did I understand you correctly?

Thats cool you understand correctly, I was just mentioning that for complete correct-ness :-)

I'm sorry, I understand a lot of this stuff (or at least, muddle my way through it), but could you please clarify this for me?:
"PPP half bridge changes the DHCP server to propagate an Internet IP instead of a LAN IP and as such can only have one client"
What do you mean by one client and by propagating an internet IP?

PPP half bridge only works when one device is directly connected. It is turning your DSE into a simple modem and leaving routing up to the USR router.

How would I set up the firewall using the DSE configuration? How can I filter the Skype traffic so that it just goes to the PC?

I'm trying to contain myself here. You don't know what sort of monster you have unleashed by responding to my message. Thanks anyway.

LOL
Going with the half-bridge you can essentially forget about doing port forwarding on the DSE and instead do your port forwarding on the USR wireless router only. You seem to already have a solid understanding of what port forwarding is. Once you are online with this configuration use your USR's to do port forwarding to your PC. Good luck and keep us posted.

Sniffing the glue holding the Internet together

BadCam

103 posts

Master Geek

Reply # 50210 29-Oct-2006 21:50

Hi Barf

I have set up the ppp-half-bridge and all seems to have gone well. Skype is port forwarding.

However I have one issue (which is good really - only one) and that is www.grc.com shows my port 80 as being open. How do I stealth this port please? Thanks.

freitasm

BDFL - Memuneh
61781 posts

Uber Geek
+1 received by user: 12434

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 50216 29-Oct-2006 22:34

If GRC (or any other test) is showing the port open it's because a) it's forwarding to a PC on your LAN or b) the router is allowing HTTP access to admin pages from the WAN side.

If b is the option you pick, make sure to disable admin pages access from outside your network.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

barf

643 posts

Ultimate Geek

Reply # 50232 30-Oct-2006 04:11

by default only LAN IPs can administer the router so unless you need to run a webserver on port 80 don't worry about it. if you do change the port the webserver listens to in the DSE router config.

Sniffing the glue holding the Internet together

antigrav

68 posts

Master Geek
Inactive user

Reply # 50237 30-Oct-2006 08:40

Someone please correct me if I'm wrong but I believe that all Xtra customers were being moved to the new plans, Go Large's traffic shaping is killing your Skype, the traffic managment is Draconian unless they are just working out bugs.

I am so glad I stopped the service request to be switched to Xtra! Try Woosh's new plan, all the up sides of the Go Large plan with NONE of the down sides, and with the interleaving removed from Woosh connections (but not Xtra) your skype experience will be improved. (Xtra customers can't have interleaving turned off, but all CUB's and RUB's (prolly not WUB's) wholesale plans can)

Yeah, ok so now I really sound like a Woosh cheerleader, but I am impressed.
I just hope they get enough 'normal' users to join so the average BW usage isn't too sky high.

barf

643 posts

Ultimate Geek

Reply # 50331 30-Oct-2006 18:30

it's only the go large plan that has traffic management - although that shouldn't affect skype but traffic management isn't cool either way. go on a pro plan and enjoy 350kbps bittorrents any time of the day

Sniffing the glue holding the Internet together

BadCam

103 posts

Master Geek

Reply # 50528 31-Oct-2006 20:29

Barf (and others)

Thanks for all your advice. Sorry to admit that I didn't do all as suggested. For some reason I just can't my PC to stay online unless I use a static IP address. I've done the same to the laptop. I do however have PPP-half-bridge working very nicely and the port forwarding seems to have made some difference to my Skype conversations. I'm stealthed and all seems to be well. I thank you.

Skype isn't as good as I have experienced, but at least it's good enough to put up with and the jitters I have been experiencing have reduced considerably.

Besides. I've learnt something new about networking and for that I'm grateful. I just love the ability to go to forums such as this and receive such helpful advice especially because it's free and quite often very timely. I'll be ticking around and making more use of it .

I think I also prefer the static IP setup because I can limit the number of IP's my system can give out. This matched with the MAC addresses and WEP security (I think I'll give WPA a go now this setup seems to be working nicely) seems to be giving me a reasonably secure system. Do you agree? Is there something I'm missing here?

I do have one more question for the moment. Make that three:

1) What number should I give my subnet in order to limit the number of I addresses DHCP can give out? Is that what subnet does? I just want four or five IP's given out max.

2) If I need further help, should I come back to this thread, or should I start afresh? I like the idea of all the history being here, but sometimes a big thread can just be too much.

3) Is it true that I'm being taken off telecom's Adventure plan and thrown into Go Large. Can they do this without asking me? Now, I don't mind the unlimited CAP, but I do mind the traffic shaping when it affect me using Skype.

Thanks once again.