

Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:3
Reviews:
·Bright House

Airwave - Inside or Outside the router/firewall?

Sooooo. I've got a couple of AirWaves to install.
Problem is that Sprint wants them on the outside of the router/firewall - say hooked directly up to your cable modem.

That might work, if you had cable. What if you had FiOS?
In the manual, they give some install instructions for the different ISPs.

Under FiOS, they send the user to another page which has just two lines.
It says to call Tech Support if you have FiOS.

I don't want to call tech support. More importantly, I want the AirWave inside my firewall where it properly belongs.

I've got a FiOS connection running at 50Mbs; I've had routers choke (effectively throttle) on less than that.
I don't know if the AirWave will affect traffic and I'd rather not suspect it if something comes up.

I'm also installing an IPSec VPN here. Could the AirWave interfere?
It might. The AirWave uses IPSec for authentication.

I had my pfSense firewall do a little packet sniffing while the AirWave booted up and phoned home.

By the Red Arrow, you can see it looking up segw.femto.sprint.net and getting the IP of 68.28.61.122 (and 68.28.181.122 and 68.28.116.122).



Lines 16 & 17 show the AirWave IKE handshaking over port 500.
Lines 18 and on are all ESP (Protocol 50) traffic over UDP port 4500.
That's all IPSec traffic (for NAT Traversal).

I made a phone call, looking to see if it generated any other kinds of traffic - found none.

So it looks to me like all you have to do is configure your home router to pass through IPSec VPN Traffic and the AirWave should work fine.

My experience is that most consumer class routers come pre-configured that way.

At the end of all this, I placed both AirWaves inside my firewalls and both did their job. I had to configure my enterprise firewall to pass traffic. But my consumer class firewall was preset to pass VPN traffic and worked just fine.

Kind of makes me wonder...
Why the anemic install booklet - provided by Sprint
insists that the Airwave be hooked up cloud-side?

NV
--
Any Goal that is Driven by Animosity, is Empowered through Deceit.


dib22

join:2002-01-27
Kansas City, MO
said by Noah Vail:

Kind of makes me wonder...
Why the anemic install booklet - provided by Sprint
insists that the Airwave be hooked up cloud-side?

My guess is to keep it simple for their support.

From their faq (»support.sprint.com/global/pdf/us···_faq.pdf ):

33. Do specific ports need to be enabled on my router for the AIRAVE to work?
Installation of the AIRAVE should be simple plug and play. AIRAVE uses standard
ports to connect to the Sprint Network via the Internet. These ports are open by
default on most routers and firewalls, and will not need additional configuration. If
your AIRAVE cannot connect to the Sprint network due to a unique network
configuration, you may need to open the following UDP ports on your switch or
router: 500, 4500, 53 and 52428.
Contact your broadband Internet provider, router manufacturer or network
administrator for detailed instructions to open ports on your equipment.
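
Added example, not part of any post in this thread: a small Python audit that checks outbound flows from a femtocell placed inside the firewall against an egress allow-list built from the thread's own details (the three segw.femto.sprint.net addresses from the first post's capture and the UDP ports in the FAQ above). The device LAN address, the flow-record shape and the sample flows are constructed assumptions, and the gateway addresses are only what that one capture showed.

```python
from ipaddress import ip_address

# Values taken from the thread: gateway addresses seen in the capture and the
# UDP ports listed in Sprint's FAQ. Everything else below is constructed.
SEGW = {ip_address(a) for a in ("68.28.61.122", "68.28.181.122", "68.28.116.122")}
TUNNEL_UDP = {500: "IKE", 4500: "IPsec NAT-T"}
OTHER_UDP = {53: "DNS", 52428: "FAQ-listed port"}
AIRAVE_LAN_IP = ip_address("192.168.1.50")  # assumed LAN address of the device


def classify(flow):
    """Return (allowed, reason) for one outbound flow from the femtocell.

    flow = (src, dst, proto, dport); proto is "udp", "tcp" or "esp".
    """
    src, dst, proto, dport = flow
    if ip_address(src) != AIRAVE_LAN_IP:
        return (False, "not from the AIRAVE")
    to_segw = ip_address(dst) in SEGW
    if proto == "esp":  # IP protocol 50, used when the tunnel is not UDP-encapsulated
        return (to_segw, "native ESP" if to_segw else "ESP to unknown peer")
    if proto == "udp" and dport in TUNNEL_UDP:
        name = TUNNEL_UDP[dport]
        return (to_segw, name if to_segw else f"{name} to unknown peer")
    if proto == "udp" and dport in OTHER_UDP:
        return (True, OTHER_UDP[dport])
    return (False, f"unexpected {proto}/{dport}")


def audit(flows):
    """Return only the flows an egress allow-list for the device would block."""
    return [(f, why) for f in flows for ok, why in [classify(f)] if not ok]


# Constructed flow summaries, shaped like the boot-up capture described above.
SAMPLE = [
    ("192.168.1.50", "192.168.1.1", "udp", 53),
    ("192.168.1.50", "68.28.61.122", "udp", 500),
    ("192.168.1.50", "68.28.61.122", "udp", 4500),
    ("192.168.1.50", "203.0.113.9", "udp", 4500),   # tunnel to a non-gateway peer
    ("192.168.1.50", "198.51.100.7", "tcp", 80),    # not IPsec or DNS
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE):
        print("BLOCK", flow, why)
```

The same allow-list translates directly into per-device outbound firewall rules, which is narrower than placing the unit in a DMZ.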



Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:3
Reviews:
·Bright House
said by dib22:

My guess is to keep it simple for their support.

From their faq (»support.sprint.com/global/pdf/us···_faq.pdf

Oh.

Their install guide was so dumbed down, it didn't occur to me that something more informative might be available on their website.

Like I don't already know I should assume nothing....

NV
--
Any Goal that is Driven by Animosity, is Empowered through Deceit.

killroy2

join:2004-08-19
Bainbridge, OH
reply to Noah Vail
I have been using Sprint's Airave and now Airvana behind various routers. Just DMZ the Airave and you're set.


Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:3
Reviews:
·Bright House
said by killroy2:

I have been using Sprint's Airave and now Airvana behind various routers. Just DMZ the Airave and you're set.

Usually you can't port forward anything else if you're using the DMZ.
Not all routers are like that but it's more common than not.

And, it's the same effort to pass through IPSec as it is to DMZ. Easier usually, most routers come preconfigured to pass through.

NV
--
Any Goal that is Driven by Animosity, is Empowered through Deceit.


airshark
--... ...-- -.. . -. -.... .-.. -.--
Premium
join:2003-05-20
Hollister, CA
Mine is working 100% fine behind my firewall with no port forwarding enabled. It just opens up an IPSEC tunnel and works after being configured properly for the behind-a-router environment.


Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:3
Reviews:
·Bright House
said by airshark:

Mine is working 100% fine behind my firewall with no port forwarding enabled. It just opens up an IPSEC tunnel and works after being configured properly for the behind-a-router environment.

With a consumer router, that's all mine needed. IPSEC is almost always forwarded by default on home-centric hardware.

My enterprise router needed some configuring. But it's an IPSEC endpoint so that's to be expected.

But your larger point - no DMZ/no port forwarding necessary for home users - is solid.

NV
--
Any Goal that is Driven by Animosity, is Empowered through Deceit.