Monday, June 7, 2010

AT&T 3G Microcell on a FIOS network. Pitfalls to avoid.

If you recently bought a 3G microcell, and your internal network is not one of the usual router defaults like 192.168.0.x or 192.168.1.x, beware: the 3G microcell seems to be a little picky about those...

In my case, I am on FIOS with an internal network that's neither of the above (192.168.100.x), using a Linux box for both DHCP and DNS, and forwarding a few services to an internal box. I bought the thing, did the online pre-registration, and started the connection. No matter what, the thing would not connect. Besides the fact that they want attempt cycles of 90 minutes, there is nothing that one can check on the damn box to know what's really happening. :(

After checking both the FIOS and the AT&T forums, it seemed that the best setup is to configure the microcell IP to be reserved, and set that IP to be the DMZ (to bypass any firewall issues). Still didn't work...

I found a list of required ports for the thing, which include:
  • 443 TCP (HTTPS)
  • 123 UDP (NTP)
  • 500 UDP (IPSEC)
  • 4500 UDP (IPSEC NAT)
I had 443 already mapped, so I cleared that mapping. Started the damn cycle all over again. Nothing...
Even though it was already in a DMZ, I set the forwarding rules for the ports. Still, nothing. Called the tech support line and gave them the whole list of things I've done. He had no more ideas...

Finally, I found another post in the FIOS forums that simply said: "I had to reset the firewall to factory defaults, and it worked".

I took the plunge and did the same. Which, by the way, includes a default IP numbering based on 192.168.1.x. Reserved the IP for the thing, set it as a DMZ, and it worked. Not believing that something as dumb as a numbering difference could cause the problem, I set the router back to a 100-based IP, going through the same process to reserve the IP for the unit and setting it as the DMZ. Reboot everybody, and it immediately stops working! Revert back to a 1.x IP, and everything works again...

So, my solution was the difficult one: renumber the entire internal network to 192.168.1.x, and reconfigure all the systems in the house (many!). I cannot imagine something that silly was the cause of all the pain. Knowing that the firewall has been port forwarding all this time without issue leads me to blame the microcell for all this pain. It probably has some dumb internal rule.

So, if you get said device, here's my recommended setup:

  • Make sure your network is on 192.168.0.x or 192.168.1.x (most of you will be)
  • Check that your MTU is 1492 (no more than 1500), this is the default in most cases, but check.
  • Check that IP fragment blocking is disabled (default for me)
  • Set up a reserved DHCP address for the microcell (check your documentation). For the FIOS (actiontec) router it is under the advanced settings/ip allocation
  • Set up the reserved IP as the DMZ for the firewall. Some people frown on this, but that thing is locked up so tight, it is close to impossible to hijack it for a nefarious purpose.
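If you have a Linux box on the LAN (as in my setup), here is a small pre-flight script that checks the items above before you start another 90-minute cycle. It is an added example, not something from AT&T or the router, and it assumes iproute2 is installed and that your LAN interface is eth0 unless you pass another name.

```shell
#!/bin/sh
# Pre-flight checks for the microcell setup (added example, not from the original post).
# Usage: sh preflight.sh <microcell-reserved-ip> [lan-iface]
# Reads local settings only; it never changes anything on the router.

# The outbound ports listed above, one "proto port purpose" per line.
REQUIRED_PORTS="tcp 443 HTTPS
udp 123 NTP
udp 500 IPsec-IKE
udp 4500 IPsec-NAT-T"

# 0 when the address is a usable host in 192.168.0.0/24 or 192.168.1.0/24,
# the only ranges the microcell came up on in my testing.
subnet_ok() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in 192.168.*) ;; *) return 1 ;; esac
    c=$(echo "$1" | cut -d. -f3); d=$(echo "$1" | cut -d. -f4)
    { [ "$c" -eq 0 ] || [ "$c" -eq 1 ]; } && [ "$d" -ge 1 ] && [ "$d" -le 254 ]
}

# 0 when the MTU is within the guidance above: 1492 expected, 1500 the ceiling.
mtu_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1492 ] && [ "$1" -le 1500 ]
}

# Read the MTU of a LAN interface; prints nothing if iproute2 is unavailable.
iface_mtu() {
    ip -o link show "$1" 2>/dev/null | sed -n 's/.* mtu \([0-9]*\) .*/\1/p'
}

# Print the port-forward entries the router needs, pointed at the reserved IP.
forward_table() {
    echo "$REQUIRED_PORTS" | while read -r proto port purpose; do
        printf 'forward %-4s %-5s -> %s   (%s)\n' "$proto" "$port" "$1" "$purpose"
    done
}

main() {
    cell_ip="$1"; iface="${2:-eth0}"
    subnet_ok "$cell_ip" && echo "ok: $cell_ip is in 192.168.0.x/1.x" \
        || echo "WARN: $cell_ip is outside 192.168.0.x/1.x; I had to renumber for this"
    mtu=$(iface_mtu "$iface")
    mtu_ok "$mtu" && echo "ok: $iface mtu $mtu" || echo "WARN: $iface mtu '$mtu' (want 1492, max 1500)"
    forward_table "$cell_ip"
}

[ "$#" -eq 0 ] || main "$@"
```

IP fragment blocking is a router-side setting and cannot be read from the Linux box, so that one stays a manual check.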
What would have been nice and possibly saved me loads of time (took close to 3 days to get this thing going!) would have been a simple status landing page on the device. Even if it was something as cryptic as an internal status code. At least that could then be fed to the tech support guy so he can look it up and tell me "your microcell can't receive packets", so I have a better clue as to what's going on. But I digress...

I hope the tale helps you if you run into a similar situation.

Later,