Telstra NBN and VPNs

Discussion in 'Networking, Telephony & Internet' started by Symon, Apr 26, 2019.

  1. Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    So, my network setup looks like this -

    Code:
    HFC -> NBN Modem -> Telstra Frontier -> pfsense router -> Switch -> devices
    I use pfsense as a VPN router primarily as well as running other packages. Generally this setup works without issue however from time to time the Telstra box decides that it will block attempts to connect to the VPN. This normally isn't too much of an issue as I can connect the pfsense box directly into the NBN modem and bypass the Telstra box for a few days until Telstra sorts out whatever the problem is and the VPN starts working through it again. However last time it happened when I was overseas and the wife (rather technically challenged) wasn't happy.

    I do want to keep using the Telstra box as it has the 4G backup which does come in handy, so I had an idea and tried to set it up like this -

    Code:
    HFC -> NBN Modem -> Switch -> Telstra Box -> WAN 1 pfsense -> Switch -> devices
                         |---------------------> WAN 2 pfsense ----|
    But it looks like the NBN Modem can't handle having more than one device plugged into it.

    Is there some way of doing this? Or should I just give up and throw the Telstra box away and live without having the 4G backup?
     
  2. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    7,216
    Location:
    Brisbane
    Or get a different router that supports VPN and 4G failover?
     
  3. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    I just checked, the HFC modem definitely supports learning 8 MAC addresses simultaneously.
     
  4. OP
    Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    That's interesting, wonder why it doesn't work - will look into it further. Thanks!
     
  5. OP
    Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    Played around with this last night and still no dice. When I have NBN Modem -> switch -> pfsense it works fine, but as soon as I plug in the Telstra box into the switch I lose connection on the WAN port of pfsense. From looking at the logs the NBN modem can't decide which device to give an IP address to, so it just oscillates between the two in a continuous connect/disconnect cycle.

    VPN through the Telstra box still isn't working, so it looks like I'll have to live without 4G backup for a while.
     
    Last edited: Apr 27, 2019
  6. BuD

    BuD Member

    Joined:
    Jun 28, 2001
    Messages:
    5,232
    Location:
    brisbane
    You're not missing much with 4g backup. From what I have come across so far it's pretty flaky. Starts out at 6mbit but after so much data will drop to 1.5. Of course signal strength in the home plays a big part too. Easier and better just relying on phone data for basic web/email when service offline

    You can still keep the Telstra router with 4g and buy your own better router because to get 4g to work if your service goes down, you simply have to plug it into power with wan unplugged and the 4g will kick in
     
    Last edited: Apr 27, 2019
  7. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    the modem is just a bridge modem that terminates a layer 2 VLAN onto an ethernet port, all the layer 3 addressing comes from your ISP. since Telstra only give you a single public IP, their router and your pfsense box are probably fighting over that IP. going back to your original diagram, you really need the pfsense WAN2 interface to only come up if there is no layer 3 connectivity to the WWW through WAN1. the problem then becomes that the Telstra router uses a network heartbeat protocol to fail over to 4G, so that will come up and keep WAN1 active.
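
A toy model of the contention described in the post above, added here as an example and not part of the thread or of any Telstra, NBN or pfSense code. It assumes (hypothetically) that the ISP hands its single public IP to whichever device asked most recently, and the names `telstra` and `pfsense-wan2` are labels invented for the two devices wired to the modem.

```python
# Added illustration: toy model, not Telstra, NBN or pfSense code.
# Assumptions (all hypothetical): the ISP hands its single public IP to whichever
# device asked most recently, and a device that lost the lease asks again next tick.

def simulate(ticks, hfc_up=True, gate_wan2=False):
    """Return one (lease_holder, wan1_path, wan2_active) tuple per tick.

    "telstra" is the Telstra router's WAN port; "pfsense-wan2" is a pfSense
    port wired straight to the NBN modem. WAN1 is pfSense behind the Telstra box.
    """
    holder, history = None, []
    for _ in range(ticks):
        # The Telstra router falls back to 4G whenever it has no HFC lease,
        # so pfSense always sees layer 3 connectivity on WAN1.
        wan1_has_l3 = True
        wan2_active = not (gate_wan2 and wan1_has_l3)
        clients = ["telstra"] + (["pfsense-wan2"] if wan2_active else [])
        if hfc_up:
            for mac in [c for c in clients if c != holder]:
                holder = mac  # newest requester takes the only lease
        else:
            holder = None     # no HFC service, nobody gets the public IP
        wan1_path = "hfc" if holder == "telstra" else "4g"
        history.append((holder, wan1_path, wan2_active))
    return history

def flaps(history):
    """Count how many times the public IP changed hands."""
    holders = [h for h, _, _ in history]
    return sum(1 for a, b in zip(holders, holders[1:]) if a != b)

if __name__ == "__main__":
    for label, kw in [("both on modem", {}),
                      ("WAN2 gated on WAN1 L3", {"gate_wan2": True}),
                      ("gated, HFC down", {"gate_wan2": True, "hfc_up": False})]:
        run = simulate(6, **kw)
        print(f"{label:24} flaps={flaps(run)} last={run[-1]}")
```

With both devices on the modem the lease changes hands every tick; gating WAN2 on WAN1's layer 3 state stops the flapping, but WAN2 then never activates because the 4G fallback keeps WAN1 reachable.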
     
  8. OP
    Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    As I had a spare PC handy I did this setup -
    Code:
    HFC Modem -> pfsense -> switch -> pfsense -> network
                             |--Telstra--|
    Which didn't work either. As soon as the Telstra modem has its WAN port connected the link goes down. It's as if it somehow checks to see if the IP is being used by that modem and if not - drop.

    I guess I can live without the 4G backup, it does come in handy as they are still doing works on the network here so it does go down every few weeks or so. Much to the wife's annoyance.

    When I'm overseas there is no way technically challenged wife will be able to do that.
     
    Last edited: Apr 28, 2019
  9. dimension11

    dimension11 Member

    Joined:
    Mar 16, 2016
    Messages:
    21
    Every device adds complexity and an additional potential failure point in the network. Not sure what you're running your pfSense off of, but their latest versions (Eg. SG3100) have 4G backup and still allow you to have 2 separate networks.

    I would go NBN Modem => pfSense => Switch / Network
    and let pfSense handle all of the hard lifting Eg. with 4G backup
     
  10. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    the built-in 4G failover is free though.
     
  11. dimension11

    dimension11 Member

    Joined:
    Mar 16, 2016
    Messages:
    21
    Is there no way to remove the simcard from the Telstra and configure that into the pfSense?
     
  12. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    463
    Location:
    Sydney
    What do you need the VPN for? (If it's not critical, you can drop the pfSense and use an alternative like on-demand VPN on your relevant boxes)
    What happens if you leave the 4G permanently on with the WAN unplugged, i.e. does it provide permanent 4G? (If it does, then you can just plug it into the pfSense as a dual WAN)

    I'd also consider teaching the wife how to bridge phone to internet (depending on data allowance), or providing really simple instructions/video on how she can plug in the Frontier for emergency 4G. It's not difficult, so if she's not motivated to learn/follow then she might not be as annoyed at the lack of internet as suggested ;)
     
  13. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    I am pretty sure Telstra will have foreseen that being tried.
     
  14. Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    5,125
    Location:
    ( ͡° ͜ʖ ͡°)
    Truth, "Smart" modem is a steaming pile of shit at the best of times. If Telstra spent as much money on half assedly designing the smart modem as they did marketing it all it wouldn't be so awful.

    it's not going to work on anything else. Tried reusing one of those smart modem 4G dongles - just a Huawei USB modem running custom stick mode firmware. Seems the SIM is locked to that USB only.
     
    Last edited: May 1, 2019
  15. OP
    Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    It's running on an old PC that doesn't have a 4G modem.

    Exactly.

    Not without pulling it apart, and I'm pretty sure Telstra would have locked it down somehow.

    Where I am it actually isn't that bad. When running on 4G it maintains 5MB+ d/l for most of the time.

    The VPN is critical, and I want to have my entire network routed through it. If I go for on-demand via an app or something I would need to have around 30 simultaneous connections, most VPN providers only give you 5 before it costs you more money.

    If you leave the Telstra box on 4G long enough they will say that you are violating their ToS and will eventually disable it. I'm already getting emails from them about plugging it back in.

    You aren't married are you? :p
     
  16. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    463
    Location:
    Sydney
    It doesn't make sense if Telstra is dropping your VPN upstream, sounds more like the Frontier is crapping itself out but you'd be in the position to diagnose. I would also use this reasoning to get the 4G connection details via tech support, even if it takes half a day as ultimately I'd prefer a box over any standard modem/router.

    With the connection details, you can chuck it into your phone/tablet to see if it connects, then buy a 4G modem for pfSense to do the automatic fail-over.

    Unrelated to IT issues, divorced :lol::lol: The simplest solution so far is some basic user training, so for example, a yellow ethernet cable with a yellow sticker on the right port to switch isn't "too difficult" but yes, I can understand not wanting to address the issue. However, it's giving you a problem that's going to cost you time/money, so something's gotta give somewhere... you're gonna pay to sort this out either in time, or in money for extra VPN connections, or a 4G modem to connect to pfSense, whatever it may be. If the budget is tight, you might be able to convince her that way (and be very supporting/enthusiastic/encouraging)... otherwise you might just have to suck it up and spend the time/money, or just drop functionality as discussed ;)
     
  17. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    some reading suggests it's a known problem.

    GLWT. assuming you could even get beyond the level one script reading droid who is the only person you can actually contact, Telstra will simply say they don't support the use of the VPN any more than they do any other 3rd party software application, and the chances of them opening up a potential security hole in their failover 4G solution to assist one customer solve their non-supported issue is zero.
     
  18. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    463
    Location:
    Sydney
    If that's the case, then 1: it's worth reporting to the ombudsman to get the details, as I would perceive that as a reasonable outcome, and easy to push (although it will take three months), and 2: I don't see how immediately changing to pfSense would fix the issue?
     
  19. OP
    Symon

    Symon (Plugging your Socket)

    Joined:
    Apr 17, 2002
    Messages:
    4,486
    Location:
    Santiago, Chile
    May you enjoy your long and happy life :lol::thumbup:

    I think that is where I will land. I was originally thinking to myself "surely it can't be so bloody hard" but then again I forget to account for the Telstra factor. High time I looked around and found another provider, just been too lazy to do that previously.
     
  20. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    9,891
    Location:
    Melbourne
    non-supported use of a 3rd party application that will be covered by a point somewhere in the T&C. TIO won't touch it, and Telstra would go to court to prevent release of the security details.
     
