AirPort Extreme Port Forwarding Assistance Sought

  • Posted: 14 December 2009 11:54 PM

    I have never needed to do port forwarding before, but with a recent purchase of a DVR surveillance system that is web-capable, I finally have such a need; and I need some help…

    Here’s my set-up:

    Verizon DSL -> Westell DSL Modem -> Ooma Hub (VOIP) -> AirPort Extreme

    From the APE, an ethernet cable to the DVR in question…

    I attach a couple screen shots of the Ooma’s hub’s settings, as well as the APE’s.

    Basically, I have the Ooma hub force the IP address onto the APE with:

    DHCP start & end and DMZ = 172.27.35.10

    I also have the Ooma hub port forward to the APE (on port 85), although that would seem not necessary…

    In the APE utility, I have Port Mapping to 10.0.1.6, a static IP for the DVR on port 85 (TCP & UDP)  I also have “share a public IP address” selected…

    I can see the DVR cameras locally within the LAN.  While VPN’d into my employer’s network, I tried to access the home network, and could not.  Not being certain VPN would allow me to see while within the LAN, I had my mom try, and no dice…

    Any ideas?  The guys on the Ooma board have been awesome.  The DVR company didn’t know much about Macs and especially the Ooma…

    The 75kb attachment limit doesn’t allow me to do the 2nd one, and even the one I did attach is very, very small…

    [ Edited: 15 December 2009 12:03 AM by HammockGuy ]

    Image Attachments

    Picture 2.png

    Click thumbnail to see full-size image

         
  • Posted: 15 December 2009 10:56 AM #1

    Double NAT is always tough.

    One test, just to see if it is workable, is to switch the two devices - attach the Airport Extreme to the DSL modem, and the Ooma to an ethernet port on the AE, and see if that works. Based on the basic documentation on Ooma’s site, that may cause an issue with Quality of Service for VOIP calls on the Ooma, but the Ooma should still work, and at least you know it is doable.

    However, it could be that Verizon is blocking port 85 at the DSL modem anyway, so it may not work even that way. If the DVR allows it and this is an issue, you could always try a different port.

    If this works for the DVR sharing but VOIP call quality becomes an issue, you can always try another router that enables QoS settings (the Airport Extreme, unfortunately, does not), though Ooma’s documentation does point out that many routers don’t do it correctly anyway.

         
  • Posted: 15 December 2009 04:13 PM #2

    One more thing that I just noticed: where is that address range (172.27.35.1 for the Ooma, 172.27.35.10 which you assigned for the ethernet port of the Ooma, for the AE) come from? Is the Westell modem also a router, and you assigned them from there? Or is that address something that comes from the modem from Verizon by default?

    That address is in a private, non-routable address space, so packets from the public internet cannot arrive there - the router from the sending end will discard the packets as unroutable. I recall dealing with a DSL modem that a friend had that had a private IP address from Verizon, but I didn’t realize that they were still doing that.

    (If you have a public IP address that you know, I wouldn’t actually post it here, by the way.)

    If you go to https://www.grc.com/x/ne.dll?bh0bkyd2 (GRC Corporation’s ShieldsUp! service) it will tell you your public IP address. (While you are there, you can also test to see if you have any ports open by clicking the “Proceed” button and following the instructions on the next page.) If the Westell modem is also routing packets, you’ll need to figure out how to port forward your packets there.

         
  • Posted: 15 December 2009 04:28 PM #3

    doogald, thank you for your replies!  I saw your first one earlier in the day, but have been in meetings and too busy to respond…

    You have given me some homework, and I’m most thankful. From my research, Verizon does not block port 85, but I suppose that could be the issue though.  I am aware of people who have the Ooma and router switched, the APE in particular, and while it works, as you said, call quality suffers.  There is no QOS on the APE, so I really need to make this configuration work…

    The address of the webserver on the Ooma hub is 172.27.35.1.  I don’t believe the Westell modem routes traffic. Wow.  I think you nailed it.  I’m wrong, it seems that it is a router:

    http://www.dslreports.com/faq/6096

    The sentence that caught my attention:

    “Because the Westell is actually a router and by default blocks ports, some popular games and applications may not work correctly. Therefore changes must be made to open certain ports or assign a specific IP to a computer.
      -To open ports please check here.
      -To enable IP Passthrough please check here.”

    Rushing-off to another mtg.  Drat.  Thanks!

         
  • Posted: 15 December 2009 08:56 PM #4

    Heading home in a bit, and I’m looking forward to try some things…

    The link provide earlier was for the Westell 6100, for for AT&T.  Probably doesn’t matter, but it does with respect to the instructions.  Found this for Verizon (Westell 6100), which we have:

    http://www.dslreports.com/faq/13600

    There’s some good stuff in this url:

    “The 6100 is a modem/router combination unit, meaning it contains a DSL modem and a general purpose NAT (Network Address Translation) router. “Bridging” means disabling both the public and private side of the NAT router, thereby turning the 6100 into a simple DSL-to-Ethernet bridge, or “dumb modem”.

    If you are already using a router, or want to, (examples: if you already have your LAN set up and simply need to connect it to the internet; or you want to add wireless connectivity to your connection; or you want to use an optimised-for-gaming router; or you want to add a VoIP router), you will want to bridge the 6100.

    For optimum performance and reliability the connection should only be going through one NAT router. When the connection goes through multiple NAT routers, troubles like NAT conflicts will cause router lock ups and loss of connectivity, and configuring access for things like game consoles, VPN tunnels, remote access, server applications, security cameras, or high-end multiplayer games will be difficult if not impossible.”

    and…

    “When the Westell is bridged, it will have no router functions at all, no subnet, no IP, and no default gateway. The router connected to the Westell will acquire and hold the Public IP address and will determine the LAN IP addresses and subnet.”

    So, I’m guessing (hoping) that this thing is in NAT router mode.  If so, I’ll turn it into a bridge…

         
  • Posted: 16 December 2009 06:25 AM #5

    doogald, the modem is indeed in router mode.  I followed the rather simple instructions on how to make it a bridge, and after doing so I had internet connectivity direct to my pc (modem to pc via ethernet).  When connected directly to the router (modem -> AirPort Extreme), there was no connectivity from the APE…

    Do I now need to go into the AirPort utility to change some settings to have it work with the corresponding changes that I’ve made in the modem?

    Thanks for your sharing.

         
  • Posted: 16 December 2009 10:11 AM #6

    HammockGuy - 16 December 2009 10:25 AM

    doogald, the modem is indeed in router mode.  I followed the rather simple instructions on how to make it a bridge, and after doing so I had internet connectivity direct to my pc (modem to pc via ethernet).  When connected directly to the router (modem -> AirPort Extreme), there was no connectivity from the APE…

    Do I now need to go into the AirPort utility to change some settings to have it work with the corresponding changes that I’ve made in the modem?

    One thing that it could be, considering that this is DSL, is that your DSL connection requires PPPoE. When you hook up the PC directly to the modem, do you need to use a login for DSL from the PC (perhaps there is an icon for this) for the internet to start working? (I should say that I have helped people with DSL, but I use a cable provider myself, and it’s been a while since I have seen how a DSL connection works these days, and I’m not sure that Verizon is still using PPPoE.) When the Westell was in router mode perhaps it had the settings for PPPoE login?

    (In Airport Utility, if you need to use PPPoE, in the “Internet” page that you attached a screen shot of earlier, you can change that first setting “Connect Using:” from “Ethernet” to “PPPoE”, and then add username, password, etc.).

    If you did not need to use a login from the PC, you shouldn’t need to do this based on your description of how you set up the Airport base station, but perhaps you should reset the Airport Extreme and set it up from scratch again?

    In the end, though, I do think that you want to to have the Ooma device between the modem and the Airport router, for the VOIP performance reasons that Ooma list, so keep that in mind.

         
  • Posted: 16 December 2009 02:57 PM #7

    If the Ooma is between the modem (in bridge mode) and APE then it will need its own IP address. Your DSL is probably not set up to allow this. Possible, but not likely.

    If you have only one IP address available (most home DSL scenarios) then Ooma will have to be behind a NAT of some sort. Might be the DSL modem/router in router mode, or might be behind APE if modem is in bridge mode.

    I have a similar situation (FiOS rather than DSL but same principle applies). When I set up my APE behind the Verizon router the APE detected double-NAT (*) and offered to set APE to bridge. So it acts as wireless access point but not as a router. I’m surprised that your APE didn’t offer that mode to you.

    * It actually detects that the WAN interface has a private IP address

         
  • Posted: 16 December 2009 09:25 PM #8

    Thanks guys.  Doogald, I’ll try some more tonight.  I seem to recall being asked to login into the modem from the pc, but I don’t remember.  If so, then it seems that I’d need to provide that info to the APE too.  Makes sense…  I hope that’s all it is.

    If a reset of the APE is needed, how is that best done?

    vpndev, since my Ooma will need its own IP address in this configuration, as you say, what is the easiest or best way to find-out if my DSL service will allow for this?

    I guess I’ve been running with two routers since day one then.  My Verizon modem is definitely router cable and has been in that mode.  And my APE, as far as I can tell is also in router mode, but maybe it is just a wireless access point.  What are the indicators in the APE Utility that would show this?

    At work now, heading home, but not sure I can make any progress tonight as my wife will be using the internet quite a bit…  Drat.  Thanks for the thoughts and ideas!

         
  • Posted: 17 December 2009 05:02 PM #9

    If you need to reset APE then paperclip on the reset switch (very small button on the back) for 10 (?) seconds is the way. Let go when the light blinks orange.

    Interestingly, I didn’t find a simple indication to show that that APE was acting as a bridge rather than a router. But you can see it if you start down the path for manual setup. You won’t actually change anything. Click “Manual Setup” and you get to a panel with tabs, and icons above it (Airport | Internet | Printers | Disks | Advanced). Click Internet and you’ll see details of the connection. The last item in the panel shows “Connection Sharing:” and if it’s bridged it will say “Off (Bridge Mode)”. In this mode, APE is not doing NAT or DHCP - those are done by the Verizon modem/router.

    If you want to switch the Verizon router to bridge mode (I don’t have details for that model but they’re around on internet) then *do* make sure to release the DHCP lease as the last thing you do before the switch. In fact, I’d release it and then unplug the phone line in back while you switch modes. If you don’t then you might not be able to get a new address until the old one expires. That might be an hour but could be a day. Yukky.

    My suggested sequence would be to release the modem/router DHCP address lease and then unplug the DSL phone line. Next reconfigure the modem/router to bridge mode. Third is to reset (paperclip) APE and let it start up. The default settings should be OK to get on internet (IIRC).

    You should now have just APE acting as router (gateway), and no double-NAT. Find which port you need forwarded to Ooma and set that in APE. You will probably also want to assign a specific IP (one of your LAN addresses such as 192.168.1.x) to Ooma based upon its MAC (Ethernet) address. APE can do that but I forget the details (and finding out will blow my current setup, which I don’t want to do right now). But APE does support specific assignment of DHCP based upon MAC address. You could also set Ooma with a pure static address outside the DHCP range but that’s more work.

         
  • Posted: 18 December 2009 12:53 AM #10

    vpndev, thank you so much for giving me such a detailed response!  I actually printed it out earlier in the day.  I think I’ll have a chance on Fri night or if not, over the weekend.  I will most certainly report back…  Thanks again!

         
  • Posted: 23 December 2009 06:43 AM #11

    Well, I made some time tonight, and I’m not having any success.  I am now physically connected to my DSL modem in bridge mode so I can post…

    I followed the above sequence with a DHCP release, line disconnet, and a switch to bridge mode.  That all went well.  When I now try to connect to the DSL modem GUI, I cannot as it no longer has an IP address.  Makes sense I guess…  I reset the APE, and went through the set-up again.  I found myself not certain as to how to complete the process…  When asked how I connect the internet, I said that I use DSL with PPPoE.  I believe this is correct as I did need to login to the DSL modem.  So, I put that username and password in the APE, under Internet Connection, but to no avail.  Under PPPoE, I have the connection Always On.  The IP Address is 0.0.0.1 and the the DNS Server and Domain Name fields are blank…

    Also, I have the Ooma completely out of the loop now.  While I have connectivity direct to the modem via ethernet cable (DLS modem -> PC), when I go through the APE, I lose it (DSL modem -> APE -> PC).  After doing a reset, choosing PPPoE, the AirPort Utility states that I have a “Problem” with the internet connection - that my Apple device does not have a valid IP address :-(.  I’m then prompted to change some setting, like how I connect (Ethernet vs. PPPoE) and Configure IPv4 (Using DHCP or manually).  Sorry for jumping around, but the AP Utility also says that I’m trying to use PPPoE, but no PPPoE server can be found…

    Darn near 3 am.  I’m going to reset the modem, making it a router again, and try to put things back so we’ll have connectivty (internet and phone) tomorrow.

    [ Edited: 23 December 2009 07:10 AM by HammockGuy ]      
  • Posted: 24 December 2009 03:44 AM #12

    Ok, progress in the sense of getting back connectivity…

    The Verizon Westell 6100 modem is now in dummy bridge mode. Current set-up for wired & wireless connectivity:

    DSL modem -> APE

    With good notes as to how I got here (connectivity with modem in bridge mode), including some from Verizon and Apple support, I decided to get the Ooma involved again. We are dry-loop, so we have been without a phone (no cell coverage in this canyon)...

    With the Ooma inserted in middle again, no connectivity, and the AirPort Utility went amber, with a Double NAT notice. I guess it’s seeing the Ooma as another router…  The descriptive language escapes me now, but I believe I need to change some settings on the Ooma now. Just not sure how to have visibility to it (Ooma set-up page).

    Once the Ooma phone service is restored, I can finally get back to what got me started here - port forwarding for the surveillance cameras so I can access them via the web.

         
  • Posted: 24 December 2009 05:31 PM #13

    UPDATE -

    I decided to “ignore” the double NAT notice in the APE’s router utility.  Light turned green, but nothing, yet.  I guess I had to wait a bit, but eventually the Ooma light turned blue and I had access to Ooma set-up at 172.27.35.1.  All phones and computers are online and working well.  I am back to everything working as it was, but with the modem in bridge mode now.  With full functionality restored, I am now back to attempting to get the surveillance DVR on the web.  Before doing so, a question, please…

    I still have a double NAT, that I’ve essentially ignored.  What are the ramifications of this action or inaction, with the way things are now, and my objective to get these cameras online?  If there is an easy fix, please do share.  Oh, here is what the Apple APE had to say about double NAT:

    “This Apple wireless device has a private IP address on its Ethernet WAN port.  It is connected to a device that is using NAT to provide private IP addresses.  You should change your Apple wireless device from using DHCP and NAT to bridge mode.”

    Thanks for any additional input.

         
  • Posted: 27 December 2009 04:48 PM #14

    HammockGuy - any further updates on this situation? I’m having a similar problem hooking up a Netcomm VOIP ATA to my system. Also using modem in bridge mode, APE as NAT.

    So far I’ve tried various connections without success (though not ATA between modem and APE, as you seem to be talking about).

         
  • Posted: 27 December 2009 06:26 PM #15

    I still don’t have our DVR online…  Truth be told, I’m somewhat happy at the moment to just have everything back to the way it was.

    I can access the cameras within the LAN, but when using the surveillance company’s DDNS, no dice.  When I try making the DVR a static IP on the DVR box itself (disabling DHCP), the DDNS is lost; which I guess makes sense.  I plan to call the surveillance company tomorrow…

    I will indeed report back on any progress.