
Discussion topic: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

This message was authored by: IHateSteps

Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

In the interest of being prepared (I was a cub scout once) I'm researching the right procedures to follow once my sky broadband is installed.

I currently run with VM broadband, a pfSense firewall which forwards ports 80/443 to a server (advertised using Cloudflare DNS) which itself runs traefik and authentik to decide  which connections to forward where, and for whom.  It sounds complicated, especially when I start talking about about docker and containers, but it really is not.

 

For the time being I want to retain a standard (if DV can be called standard) telephone line.  Moving fully to VOIP will come later.

 

On receipt of my new connection I will need to configure port forwarding for minimum of ports 80 and 443 to discrete ports on my lan-connected HP Server.  Can somebody point me to the documentation which covers this activity?

 

Thanks!



All Replies

This message was authored by: cookiemonsteruk

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

Posted by a Superuser, not a Sky employee.

@IHateSteps 

 

That's one for @mae-3.

----------------------------------------------------
Sky Stream , Sky Superfast, SR203 router, Tp link td w9970 + Asus RT AX58U (backup), Xbox Series X, google home mini, LG 43 inch UHD tv, samsung a5 2017 and samsung s21

If I get it right mark as answered
If I get it wrong humour me
If I say something you like give a thumbs up
This message was authored by: mae-3

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

@IHateSteps 

 

The pfSense firewall is compatible with Sky and one only needs to connect to the ONT (FTTP full-fibre ultrafast) or purchase a modem when connected to FTTC (VDSL2 modem superfast) and connect pfSense to either of these devices using DHCP Option 61 (DHCP client identifier 61) and DHCPv6 Prefix Delegation (PD) for IPv6 traffic for WAN.

 

The user credentials for DHCP Option 61 are 'anything@skydsl|anything' without the quotes.

 

The forwarding of ports for pfSense remains the same and the connection details for Cloudflare are as VM.

-------

Zen internet on FTTP (900Mbps down, 100Mbps up). SAT> IP (Apple 4K 2nd gen TV to LG C1 OLED UHD TV/Dolby Atmos Denon AVR, DacMagic Plus for Hi-Res audio), hosting own blog/forum (cluster), OPNsense & Zenarmor L4/L7 NGFW & DPI IDS/IPS, Asus ET12 Pro Tri-Band wifi, Linux, Gamer: Xbox Series X/i7 laptop, round-robin DNS over HTTPS, non-proprietary VoIP HD AMR-WB (G.722.2) and more... Beta tester Apple iOS/watchOS/tvOS/iPadOS/macOS.
This message was authored by: IHateSteps (Topic Author)

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

@mae-3 

 

Thanks for your considered response, of which I had already been aware, given that I'd been aware of this potential requirement when I first looked at the various FTTH/P services a few months back.

 

The difficulty is that for every different provider offering a fibre-based landline service (and this number is dropping quite rapidly, it seems) there is a different implementation. I have noted that some use the router or hub to connect to client telephones, while others allow for a direct connection to the ONT. I am sure there are technical reasons for the variation - but I see this as 'Too much information (TMI)'.

 

I need a landline for the moment (not just for my community alarm pendant), so full VOIP is not an immediate option, although I am planning this some months from now. I have so far failed to find any option for changing the point at which the DV service terminates, thus I have to keep the hub connected, with its Sky-configured internet address.

 

I cannot help but think that I could implement some clever routing/forwarding configuration allowing me to retain my pfSense as a routed network behind the Sky hub, while keeping the hub as a layer 3 device, thus maintaining the DV setup and leaving in place the tools by which Sky monitor our network status and ensure service levels. Of course, double-NATting is also an option, though my port-forwarding will require some additional head-scratching.

 

It is for questions regarding port forwarding, firewall rules and static routes, etc., that I have been searching for a manual for the hub device. While there are a good number of posts available on port forwarding and other techniques, these often date from earlier routers and technologies.

This message was authored by: mae-3

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

@IHateSteps 

 

Port forwarding on the Sky Hub https://helpforum.sky.com/t5/Broadband-Talk/How-to-set-up-port-forwarding/ba-p/2662260 

-------

Zen internet on FTTP (900Mbps down, 100Mbps up). SAT> IP (Apple 4K 2nd gen TV to LG C1 OLED UHD TV/Dolby Atmos Denon AVR, DacMagic Plus for Hi-Res audio), hosting own blog/forum (cluster), OPNsense & Zenarmor L4/L7 NGFW & DPI IDS/IPS, Asus ET12 Pro Tri-Band wifi, Linux, Gamer: Xbox Series X/i7 laptop, round-robin DNS over HTTPS, non-proprietary VoIP HD AMR-WB (G.722.2) and more... Beta tester Apple iOS/watchOS/tvOS/iPadOS/macOS.
This message was authored by: TimmyBGood

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

Posted by a Superuser, not a Sky employee.

@IHateSteps wrote:

"I have noted that some use the router or hub to connect to client telephones, while others allow for a direct connection to the ONT."


Probably not the latter in practice.  While earlier models of Openreach ONT had one or two 'phone' ports, the current widely deployed units just have one ethernet socket.  Direct connection of telephony to the optical network was clearly once considered as a potential topology (even supported by a BBU), but was subsequently rejected.

* * * * * * *

Sky Glass 55" (on ethernet) & two Stream Pucks (one ethernet / one WiFi)
BT Halo 3+ Ultrafast FTTP (500Mbs), BT Smart Hub 2
This message was authored by: mae-3

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

@IHateSteps 

 

The phone, Digital Voice (DV), is a proprietary BT VoIP solution. When you take on a new provider, e.g. Sky, then as you know they have their own VoIP solution.

 

So, if and when you move, the DV will stop working as it only works with BT's Hubs.

 

1. Keep the Sky Hub in the circuit and you'll keep the free offering of a VoIP line with excessive call charges, and use pfSense in double NAT.

2. Put the firewall in the circuit connected directly to the ONT, route through pfSense and use a non-proprietary VoIP solution with an ATA connected to pfSense, e.g. cheaper calls with several VoIP offerings.

3. Play around and have the pfSense with the Sky Hub behind it, but the solution is proprietary and not everything is known about Sky's VoIP solution. One has to DHCP relay for IPv6 through pfSense for the Sky Hub.

-------

Zen internet on FTTP (900Mbps down, 100Mbps up). SAT> IP (Apple 4K 2nd gen TV to LG C1 OLED UHD TV/Dolby Atmos Denon AVR, DacMagic Plus for Hi-Res audio), hosting own blog/forum (cluster), OPNsense & Zenarmor L4/L7 NGFW & DPI IDS/IPS, Asus ET12 Pro Tri-Band wifi, Linux, Gamer: Xbox Series X/i7 laptop, round-robin DNS over HTTPS, non-proprietary VoIP HD AMR-WB (G.722.2) and more... Beta tester Apple iOS/watchOS/tvOS/iPadOS/macOS.
This message was authored by: Eeeps (Best Answer)

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

I suggest double NAT is the way to go, at least initially.

 

The key to that is to have the pfSense in the DMZ of the Sky Hub.

This means that there are no port forward configuration steps on the Sky Hub - the DMZ will forward all ports.

Also, DMZ provides a simple stateless NAT, only the destination address is changed on the incoming IP headers and source address in the outgoing IP headers.

 

For me this made my move from VM to Sky really simple from an internal network point of view.
As you say, Sky still see their HUB which means they will investigate any issues you might raise with them.

This message was authored by: IHateSteps (Topic Author)

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

I would like to thank @Eeeps and @mae-3 and everyone else for their suggestions. I can't help but think we need to have some kind of place to publish solutions to problems, so that those of us coming along later can see what they did.

 

I was getting rather depressed by the lack of port forwarding with port translation, which I took for granted with pfSense - which led me to initially ignore the opportunities offered by the DMZ.

 

Bizarrely, I'd just seen a posting on another site describing the DMZ / Double NAT option - when I returned here.

 

I'll loop back around when I've got it working, and leave a description of what I had to do.

 

 

This message was authored by: IHateSteps (Topic Author)

Re: Forwarding tcp/udp ports from new sky hub to existing destinations on my lan

As promised, here is my final solution based on responses from @Eeeps and @mae-3 .

 

To save my sanity, and to reduce the load on my wheelchair batteries from constantly chugging between different cupboards and bits of electronics I made use of the otherwise forgotten additional ethernet port to be found on the little usb3 hub attached to my primary pc.

 

I connected and set both interfaces on my PC to DHCP, connecting the temporary interface to a spare socket on the back of the router. I then configured the Sky router to 192.168.1.1 (note the 1 in the third octet). After enough time to read War & Peace, the Sky router rebooted.

 

I connected the pfSense WAN to my LAN switch, found the MAC, reserved that address as 192.168.1.254 and made it the DMZ host. Two more reboots later, I have my Sky router's LAN on 192.168.1.0/24.

 

I then switched cables so that the pfSense WAN is connected to the main LAN port on the Sky router, and connected the LAN port of the pfSense into my main switched LAN network. I now have a PC connected to both networks temporarily (somewhat insecure, but only temporary). Here's a picture:

[Image: Sky Network #1.drawio.png]

 

With the temporary connection from my PC to the 'Sky LAN' disconnected I can traceroute, ping and connect in all sorts of ways to the internet.

I find also that the inbound connections, which rely on port forwarding and a reverse proxy server, all work without any hesitation. The code which detects my WAN IP still correctly identified the WAN IP of the Sky router.

 

All in all, a much easier job than expected.

 

Some thoughts that I hope Sky adopt in their forthcoming new router:

1. Revert to the kind of configuration there used to be in my last experience with Sky broadband, which was simple menu settings for like requirements: LAN stuff on a LAN menu, WAN on a WAN menu, DNS further on, etc.

2. Making the router simple just to make support easier will only put off the slightly more knowledgeable users.

3. Port forwarding is a common requirement. Don't hide the function behind two separate menus, and don't place the automatic (UPnP) options behind an unknown password prompt.

4. As much as the VirginO2 routers were hated by users, they actually incorporated the majority of required functions in their firmware, modem mode was effective, and the telephone line worked in both router AND modem mode. VMO2 actually listened to customers when the background muttering reached louder levels.

 

If anyone wants to know more about how I got this working, PM me and I'll draw some more diagrams.
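As an added example (not from the thread or from pfSense), the script below sanity-checks the double-NAT addressing plan described in this post and emits the pf "rdr" lines that pfSense's port forwards compile to; the hub LAN 192.168.1.0/24 and DMZ host 192.168.1.254 are from the post, while the internal LAN, server address, forwarded ports and WAN interface name (em0) are assumptions.

```python
# Added example, not the poster's configuration. Checks the addressing plan for a
# pfSense behind a Sky Hub DMZ host (double NAT) and emits pf rdr rules for the
# required port forwards. Addresses other than 192.168.1.0/24 and 192.168.1.254
# are constructed for illustration.
import ipaddress


def check_double_nat_plan(hub_lan, dmz_host, inner_lan, server, forwards, wan_if="em0"):
    """Validate the plan and return pf rdr lines for the pfSense WAN side.

    forwards: list of (proto, wan_port, lan_port) tuples, e.g. ("tcp", 443, 8443).
    Raises ValueError on the mistakes that break a DMZ/double-NAT setup.
    """
    hub_net = ipaddress.ip_network(hub_lan)
    inner_net = ipaddress.ip_network(inner_lan)
    dmz_ip = ipaddress.ip_address(dmz_host)
    srv_ip = ipaddress.ip_address(server)

    # The two NAT hops need distinct private ranges: if the hub LAN and the inner
    # LAN overlap, pfSense cannot tell which side a return packet belongs to.
    if hub_net.overlaps(inner_net):
        raise ValueError(f"hub LAN {hub_net} overlaps internal LAN {inner_net}")
    if not (hub_net.is_private and inner_net.is_private):
        raise ValueError("both NAT subnets should be private (RFC 1918) ranges")

    # The DMZ host is the pfSense WAN address. It must be a usable host address in
    # the hub LAN, and it must be a DHCP reservation so the DMZ target never drifts.
    if dmz_ip not in hub_net or dmz_ip in (hub_net.network_address, hub_net.broadcast_address):
        raise ValueError(f"DMZ host {dmz_ip} is not a usable address in {hub_net}")
    if srv_ip not in inner_net:
        raise ValueError(f"server {srv_ip} is not inside internal LAN {inner_net}")

    rules = []
    for proto, wan_port, lan_port in forwards:
        if proto not in ("tcp", "udp") or not (0 < wan_port < 65536 and 0 < lan_port < 65536):
            raise ValueError(f"bad forward {proto}/{wan_port} -> {lan_port}")
        # "(em0)" means the interface's current address, so the rule survives a
        # DHCP lease change on the pfSense WAN; only the destination is rewritten,
        # matching the hub DMZ behaviour, so the real client source IP is kept in logs.
        rules.append(
            f"rdr on {wan_if} proto {proto} from any to ({wan_if}) port {wan_port}"
            f" -> {srv_ip} port {lan_port}"
        )
    return rules


if __name__ == "__main__":
    plan = [("tcp", 80, 8080), ("tcp", 443, 8443)]  # constructed forwards
    for line in check_double_nat_plan("192.168.1.0/24", "192.168.1.254", "192.168.0.0/24", "192.168.0.10", plan):
        print(line)
```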
