Draytek 120 modem - Sonicwall TZ100 router - cannot get WAN to connect
Peter
2011-10-21 17:51:48 UTC
I have had the 120 running with a Draytek 2900 router for 1-2 years.

The 120 provides a PPPOE interface.

In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.

Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.

I cannot find quite the equivalent settings in the TZ100. Under
General I set PPPOE, the username and password, and there are two
options for the IP (obtain automatically, or specify the IP) and I
have tried them both, with 0.0.0.0 in the latter case, but it doesn't
connect.

In the Advanced tab there are various things like Auto Negotiate.
There is also a MAC address config, which I recall from the D-Link 300
modem days *was* critical as you had to match the modem's MAC, but the
Vigor 120 doesn't seem to need this as I have two of them and can just
swap them over.

Google doesn't turn up anything...

Sonicwall provide some limited support but the login details they
emailed me don't work, even though I have confirmed the account
creation email :)

The rest of the router seems to configure easily enough using the
wizard, and apart from the two VPNs (site-site IPSEC, remote worker
PPTP) which will be complicated, I think it should just work.

Any suggestions would be much appreciated.
Ghostrecon
2011-10-21 18:36:55 UTC
Post by Peter
Any suggestions would be much appreciated.
In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.
Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.
I'd have thought for the modem it should be
PPPoA (vcmux)
wan I/p - obtain automatically
vci 38 vpi 0
--
(º•.¸(¨*•.¸ ¸.•*¨)¸.•º)
<.•°•. Nik .•°•.>
(¸.•º(¸.•¨* *¨•.¸)º•.¸)
Peter
2011-10-21 19:02:07 UTC
Post by Ghostrecon
Post by Peter
Any suggestions would be much appreciated.
In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.
Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.
I'd have thought for the modem it should be
PPPoA (vcmux)
wan I/p - obtain automatically
vci 38 vpi 0
I cracked it...

ZEN phone support is excellent.

Now I have a different issue. With a laptop plugged into the LAN port
(the one also used for the config) I can ping IPs, but cannot ping any
URL.

Yet the DHCP is enabled in the router, for both the LAN and the WIFI
interfaces.

There is a massive amount of other config, for the firewall, for
routing, etc. I am not sure where to start on this. However, I have
run the wizard for the basic config...

I wonder if anybody has any suggestions. It is just the TZ100W issue.
The ISP connects OK.
Ghostrecon
2011-10-21 19:15:55 UTC
Post by Peter
Post by Ghostrecon
Post by Peter
Any suggestions would be much appreciated.
In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.
Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.
I'd have thought for the modem it should be
PPPoA (vcmux)
wan I/p - obtain automatically
vci 38 vpi 0
I cracked it...
ZEN phone support is excellent.
Now I have a different issue. With a laptop plugged into the LAN port
(the one also used for the config) I can ping IPs, but cannot ping any
URL.
Yet the DHCP is enabled in the router, for both the LAN and the WIFI
interfaces.
There is a massive amount of other config, for the firewall, for
routing, etc. I am not sure where to start on this. However, I have
run the wizard for the basic config...
I wonder if anybody has any suggestions. It is just the TZ100W issue.
The ISP connects OK.
after the modem has connected and the router gets its wan i/p do you get
primary dns as 212.23.3.100 and 212.23.6.100 ?.

what i/p's can you ping I assume its only the router i/p
--
(º•.¸(¨*•.¸ ¸.•*¨)¸.•º)
<.•°•. Nik .•°•.>
(¸.•º(¸.•¨* *¨•.¸)º•.¸)
Peter
2011-10-21 19:26:28 UTC
Post by Ghostrecon
after the modem has connected and the router gets its wan i/p do you get
primary dns as 212.23.3.100 and 212.23.6.100 ?.
Yes, I see those allocated by ZEN's DHCP server.
Post by Ghostrecon
what i/p's can you ping I assume its only the router i/p
I can ping various external IPs.

But URLs time out. I have tried a few which I know one can ping; quite
a number of well known sites don't respond to pings.
Ghostrecon
2011-10-21 20:05:12 UTC
Post by Peter
Post by Ghostrecon
after the modem has connected and the router gets its wan i/p do you get
primary dns as 212.23.3.100 and 212.23.6.100 ?.
Yes, I see those allocated by ZEN's DHCP server.
Post by Ghostrecon
what i/p's can you ping I assume its only the router i/p
I can ping various external IPs.
But URLs time out. I have tried a few which I know one can ping; quite
a number of well known sites don't respond to pings.
what os is the laptop running? If you go to the network properties on the
laptop I am assuming that the router has assigned an i/p address similar to
the modem LAN i/p .. last number different? with a subnet mask of
255.255.255.0 - what is the entry as gateway?
--
(º•.¸(¨*•.¸ ¸.•*¨)¸.•º)
<.•°•. Nik .•°•.>
(¸.•º(¸.•¨* *¨•.¸)º•.¸)
Peter
2011-10-21 20:20:12 UTC
Post by Ghostrecon
Post by Peter
Post by Ghostrecon
after the modem has connected and the router gets its wan i/p do you get
primary dns as 212.23.3.100 and 212.23.6.100 ?.
Yes, I see those allocated by ZEN's DHCP server.
Post by Ghostrecon
what i/p's can you ping I assume its only the router i/p
I can ping various external IPs.
But URLs time out. I have tried a few which I know one can ping; quite
a number of well known sites don't respond to pings.
what os is the laptop running? If you go to the network properties on the
laptop I am assuming that the router has assigned an i/p address similar to
the modem LAN i/p .. last number different? with a subnet mask of
255.255.255.0 - what is the entry as gateway?
I have the DHCP server in the TZ100 enabled and set for

172.16.21.60 .. 79 for the W0 (WLAN) interface
192.168.10.60 .. 79 for the X0 (Ethernet) interface

On the laptop

IPCONFIG /ALL

shows stuff which looks normal. with a ...76 IP assigned (has to be OK
otherwise there would be no connectivity, and I would not even be able
to config the router) and for the DHCP server it shows 192.168.10.1.

For the DNS servers I see 212.23.3.100 and 6.100, which is right for
ZEN.

Yet, name lookups don't work.
alexd
2011-10-21 21:48:56 UTC
Post by Peter
IPCONFIG /ALL
shows stuff which looks normal. with a ...76 IP assigned (has to be OK
otherwise there would be no connectivity, and I would not even be able
to config the router) and for the DHCP server it shows 192.168.10.1.
For the DNS servers I see 212.23.3.100 and 6.100, which is right for
ZEN.
Yet, name lookups don't work.
Test it with nslookup.

nslookup hostname

to use OS DNS servers.

nslookup hostname 8.8.8.8

to use Google public DNS, for example.

If you've enabled Enforced Client AV, you won't be allowed to prat about on
the internet without AV installed. If you've specified authentication on a
zone [= group of interfaces] you'll have to authenticate before you're
allowed out. Plenty to keep you busy there!
--
<http://ale.cx/> (AIM:troffasky) (***@ale.cx)
22:43:50 up 35 days, 3:57, 5 users, load average: 0.15, 0.07, 0.12
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King
Peter
2011-10-21 22:15:53 UTC
Post by alexd
Post by Peter
IPCONFIG /ALL
shows stuff which looks normal. with a ...76 IP assigned (has to be OK
otherwise there would be no connectivity, and I would not even be able
to config the router) and for the DHCP server it shows 192.168.10.1.
For the DNS servers I see 212.23.3.100 and 6.100, which is right for
ZEN.
Yet, name lookups don't work.
Test it with nslookup.
nslookup hostname
to use OS DNS servers.
nslookup hostname 8.8.8.8
to use Google public DNS, for example.
If you've enabled Enforced Client AV, you won't be allowed to prat about on
the internet without AV installed. If you've specified authentication on a
zone [= group of interfaces] you'll have to authenticate before you're
allowed out. Plenty to keep you busy there!
I have tested with the internal diagnostics (System / Diagnostics) and
sure enough, for the DNS server 1 and 2 it reports "DNS request
failed" (timeouts).

When I choose the DNS name lookup test and enter some URL, it gets the
same result.

Curiously enough I see that it is then accessing the base gateway IP
for that purpose of .... 1, not the ZEN DNS IPs.

I wonder if there is some disconnect between the nameservers, and the
base gateway?

But the Draytek is configured as far as I can tell identically, but
works.

I thus suspect the DNS issue is related to the PPPOE modem, as per
that URL I found.

I can't see where Enforced Client AV is :)

Also pings to numeric external IPs work fine.
alexd
2011-10-21 22:24:37 UTC
Post by Peter
Post by alexd
nslookup hostname
to use OS DNS servers.
nslookup hostname 8.8.8.8
to use Google public DNS, for example.
I have tested with the internal diagnostics (System / Diagnostics) and
sure enough, for the DNS server 1 and 2 it reports "DNS request
failed" (timeouts).
Try nslookup from one of your client devices.
--
<http://ale.cx/> (AIM:troffasky) (***@ale.cx)
23:22:13 up 35 days, 4:35, 5 users, load average: 0.08, 0.08, 0.12
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King
Peter
2011-10-22 07:37:00 UTC
Post by alexd
Post by Peter
IPCONFIG /ALL
shows stuff which looks normal. with a ...76 IP assigned (has to be OK
otherwise there would be no connectivity, and I would not even be able
to config the router) and for the DHCP server it shows 192.168.10.1.
For the DNS servers I see 212.23.3.100 and 6.100, which is right for
ZEN.
Yet, name lookups don't work.
Test it with nslookup.
nslookup hostname
to use OS DNS servers.
nslookup hostname 8.8.8.8
to use Google public DNS, for example.
That works! It returns the IP of various URLs.

So what does that leave me with?

To eliminate the possibility of an issue with the laptop I am using,
connected to the router's config port X0 (the modem goes to X1) I have
connected the router in place of the old Draytek one, but I get the
same issue on the PCs attached to the LAN.

I can do a packet log from the router diagnostics, representing a ping
of an IP and then a ping of the same URL, and I see loads of stuff on
X0 and X1, with the said IP appearing on both X0 and X1 at various
times, and this is true even for the URL lookup.

However my expertise does not stretch to understanding the log...

c:\>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ph-home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056
PCI-E Gigabit
Ethernet Controller
Physical Address. . . . . . . . . : 00-1E-8C-CD-FF-09
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.X.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.X.1
DNS Servers . . . . . . . . . . . : 192.168.X.1

(X is my editing :))

I feel the problem must be in the routing between 192.168.X.1 (which
is the gateway that name lookups use on both the router DNS test and
on any PCs attached) and the actual nameservers. Whereas nslookup goes
straight to the specified nameserver IP, doesn't it?
alexd
2011-10-22 08:21:51 UTC
Post by Peter
I feel the problem must be in the routing between 192.168.X.1 (which
is the gateway that name lookups use on both the router DNS test and
on any PCs attached) and the actual nameservers. Whereas nslookup goes
straight to the specified nameserver IP, doesn't it?
Sounds like the DNS relay on the Sonicwall doesn't work. Go into the DHCP
scope settings and manually specify DNS servers there. Then upgrade the
firmware :-)
--
<http://ale.cx/> (AIM:troffasky) (***@ale.cx)
09:19:17 up 35 days, 14:32, 5 users, load average: 0.01, 0.06, 0.16
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King
Peter
2011-10-22 10:07:14 UTC
Post by alexd
Sounds like the DNS relay on the Sonicwall doesn't work. Go into the DHCP
scope settings and manually specify DNS servers there. Then upgrade the
firmware :-)
I replaced the two ZEN nameserver entries (dynamically allocated by
DHCP) with just one of 8.8.8.8 and I get DNS working instantly from
within the router!

On the PC, it also works, but only on one that uses DHCP for both the
IP and the DNS. On another one which is on a fixed IP, the gateway of
192.168.X.1 does not work. If I also manually config the nameserver on
it to 8.8.8.8 then that also works.

On that PC, I get this result

c:\>nslookup www.cisco.com 212.23.6.100
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 212.23.6.100: Timed out
Server: UnKnown
Address: 212.23.6.100

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

c:\>nslookup www.cisco.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: e144.cd.akamaiedge.net
Address: 88.221.32.170
Aliases: www.cisco.com, www.cisco.com.akadns.net
geoprod.cisco.com.akadns.net, www.cisco.com.edgekey.net
www.cisco.com.edgekey.net.globalredir.akadns.net

So it looks like ZEN's nameservers are duff.

But if I reconnect the draytek router,
nslookup www.cisco.com 212.23.6.100
also works then.

I have checked the draytek config and it does not have a fixed
nameserver there. It shows
Primary DNS: 212.23.3.100 Secondary DNS: 212.23.6.100

so, for it, the ZEN nameservers work OK.

However, putting 8.8.8.8 everywhere is not the full solution because
for example I cannot access ZEN's usenet server. Maybe everything
needs rebooting...
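
Added example, not part of the thread: the nslookup comparison above (router relay vs. ISP resolver vs. 8.8.8.8) as one script that sends the same A query to each resolver and classifies the pattern of failures. The function names, outcome labels and the constructed sample reply are assumptions of this example; the relay address is passed on the command line because the thread elides it.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id keeps the example deterministic


def build_query(name, txid=TXID):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg, txid=TXID):
    """Return (rcode, [IPv4 addresses]); raise ValueError on a bad reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                         # CNAMEs etc. are skipped
    return flags & 0x000F, addrs


def probe(server, name, timeout=2.0):
    """One UDP/53 lookup against a named server, like `nslookup name server`."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (server, 53))
            rcode, addrs = parse_response(s.recvfrom(512)[0])
    except OSError:                          # timeout, unreachable, refused
        return "no-reply"
    except (ValueError, IndexError, struct.error):
        return "malformed"
    return "ok" if rcode == 0 and addrs else "rcode=%d" % rcode


def diagnose(relay, isp, public):
    """Map the three probe outcomes onto the cases discussed in the thread."""
    r, i, p = (x == "ok" for x in (relay, isp, public))
    if r and i and p:
        return "healthy"
    if not r and i:
        return "relay"       # router's DNS relay fails: set DNS in the DHCP scope
    if not i and p:
        return "isp-path"    # ISP resolvers unreachable via this router
    if not (r or i or p):
        return "blocked"     # nothing answers: firewall rule, zone auth, client AV
    return "mixed"


def constructed_response(name, ip, txid=TXID):
    """Constructed sample reply (single A record) so the parser runs offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query(name, txid)[12:] + answer


if __name__ == "__main__":
    relay_ip = sys.argv[1]                   # the LAN gateway, e.g. the X0 address
    host = sys.argv[2] if len(sys.argv) > 2 else "www.cisco.com"
    results = {
        "relay": probe(relay_ip, host),
        "isp": probe("212.23.3.100", host),  # ZEN resolver quoted in the thread
        "public": probe("8.8.8.8", host),
    }
    print(results, "->", diagnose(**results))
```

Run it from a LAN client with the gateway address as the first argument; the outcome seen in the nslookup output above (ISP resolver times out, 8.8.8.8 answers) classifies as `isp-path`, not as a relay-only fault.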
Angus Robertson - Magenta Systems Ltd
2011-10-22 08:32:00 UTC
Post by Peter
I have the DHCP server in the TZ100 enabled and set for
172.16.21.60 .. 79 for the W0 (WLAN) interface
192.168.10.60 .. 79 for the X0 (Ethernet) interface
I have essentially the same set-up, Sonicwall TZ200 and Vigor 120, although
I have a cable modem connection as well with fallover between ADSL and
cable modem.

Your problem here is ADSL authentication, the 172.16.xx.xx private IP range
is provided by BT Wholesale when there is no connection to your real ISP.
There was a BT ADSL fault in Stepney Green exchange in Docklands last week
that meant 172.16.xx.xx IP were being offered instead of proper IPs to many
ISPs that interconnect in Docklands.

In Sonicwall interfaces, you should set X1 for PPPoE assuming the Vigor is
plugged into that port, with obtain IP address automatically, and your ADSL
login and password.

Angus
Peter
2011-10-22 09:24:49 UTC
Replying to both of you :)
Post by alexd
Sounds like the DNS relay on the Sonicwall doesn't work. Go into the DHCP
scope settings and manually specify DNS servers there. Then upgrade the
firmware :-)
I will try that. Firmware has been updated already.
Post by alexd
Post by Peter
I have the DHCP server in the TZ100 enabled and set for
172.16.21.60 .. 79 for the W0 (WLAN) interface
192.168.10.60 .. 79 for the X0 (Ethernet) interface
I have essentially the same set-up, Sonicwall TZ200 and Vigor 120, although
I have a cable modem connection as well with fallover between ADSL and
cable modem.
Your problem here is ADSL authentication, the 172.16.xx.xx private IP range
is provided by BT Wholesale when there is no connection to your real ISP.
There was a BT ADSL fault in Stepney Green exchange in Docklands last week
that meant 172.16.xx.xx IP were being offered instead of proper IPs to many
ISPs that interconnect in Docklands.
I think the 172.16 is a default IP range in the Sonicwall, used for
its wifi AP feature. I did not change it. I just changed the IP range,
to only about 5 clients max.

But I am not using wifi anyway. I have tried it, and it does the same
things. Currently I have admin over wifi disabled, which is a good
thing, but even when I enable it it still doesn't want to work ;)
Post by alexd
In Sonicwall interfaces, you should set X1 for PPPoE assuming the Vigor is
plugged into that port, with obtain IP address automatically, and your ADSL
login and password.
I have done that. In essence I have this
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7456
and there is nothing I can see which could be wrong there.

I should add that even pinging numeric IPs fails quite a lot of the
time. There is a big packet loss somewhere.

I also tried changing the X0 port IP from 192.168.X.1 to X.2. The
default is 192.168.168.168 which I did not use. I want a particular
value of X because I have various fixed IP devices on the LAN which
are set to that value (printers for example).
Angus Robertson - Magenta Systems Ltd
2011-10-22 11:12:00 UTC
Post by Peter
Post by Peter
172.16.21.60 .. 79 for the W0 (WLAN) interface
I think the 172.16 is a default IP range in the Sonicwall, used for
its wifi AP feature.
Sorry, misread WLAN for WAN, but you should have reported the X1 WAN
interface details, including the DNS offered by the ISP, which is what you
are referring to.

Sonicwall wireless settings are bizarre, needing a separate subnet and DNS,
I never got them working on my older TZ170W and just bought a Linksys
access point instead so I could use the same subnet as my wired LAN. My
TZ200 has no wireless, learnt my lesson last time.

So worry about LAN access first, before WLAN access.

Angus
Peter
2011-10-22 11:28:37 UTC
Post by Angus Robertson - Magenta Systems Ltd
Post by Peter
Post by Peter
172.16.21.60 .. 79 for the W0 (WLAN) interface
I think the 172.16 is a default IP range in the Sonicwall, used for
its wifi AP feature.
Sorry, misread WLAN for WAN, but you should have reported the X1 WAN
interface details, including the DNS offered by the ISP, which is what you
are referring to.
Sonicwall wireless settings are bizarre, needing a separate subnet and DNS,
I never got them working on my older TZ170W and just bought a Linksys
access point instead so I could use the same subnet as my wired LAN. My
TZ200 has no wireless, learnt my lesson last time.
So worry about LAN access first, before WLAN access.
Angus
I got it nearly all working eventually, by using the google DNS of
8.8.8.8 everywhere, including on the fixed-IP PC.

However, ZEN's usenet server is refusing connections if the DNS comes
from 8.8.8.8 (no idea why) although www ops work OK.

However overall the data speeds are very low. Downloading a 50MB file
from ZEN's own ISP space runs at 30kbytes/sec via the Sonicwall and at
550kbytes/sec via the Draytek. All I am doing is swapping over the
router, and power cycling the modem and the router, and rebooting the
computer(s).

And the Draytek is using ZEN's nameservers just fine, and passing them
on to clients.

So there is something pretty drastic that's wrong.

I have spent nearly 2 days on this fcucking thing but I don't have
anybody to help me, so unless some amazing suggestion turns up I will
send it back, and try to find a spare Draytek 2900 on Ebay (again).

I also absolutely need the existing site-site VPN and teleworker VPN
functions and if this lot is anything to go by, those will be an
absolute pig to get working.

Sonicwall have tightened their "user sphere" massively. Even the
firmware download requires secure reg via their website, and the
router is complaining that it will not achieve full functionality
unless registered with them (every time you try to go into config)
which of course it can't do without DNS working. I nearly got it to
log in there but then their site timed out.

This Sonicwall box appears to be a piece of fcucking crap which only
complete full time boffins can understand but why have such a
ludicrous registration environment? It is like they were selling
atomic bombs and want to know exactly where each one is installed.

They offer no support even via their high security portal, and nobody
replies to postings on their forum (which is behind their high
security portal also) which is as usual (Draytek have the same deal,
no support).
Gordon Henderson
2011-10-22 12:46:10 UTC
Post by Peter
So there is something pretty drastic that's wrong.
I have spent nearly 2 days on this fcucking thing but I don't have
anybody to help me, so unless some amazing suggestion turns up I will
send it back, and try to find a spare Draytek 2900 on Ebay (again).
I'm guessing that the existing 2900 still works OK and you're just
looking for a backup...

So what about just buying a new Draytek 2820n - modem, router combined
with Wi-Fi and all the VPN support too. (And hardware encryption for
the VPN which I don't think the 2900 has BICBW)

Then keep the Vigor 120 + 2900 as the backup...

Have to say though - I've used a lot of Drayteks in the past but have sort
of gone off them recently. I've had NAT issues with long-term sessions
(e.g. SIP/IAX keeping the NAT session alive for days) I think they're
doing to the 28xx series what they did to the 26xx routers - put too
much into them, resulting in code bloat and other side-effected issues,
but right now, I don't know of a decent solution with the built-in VPN
features you're after.

I've gone down the route of using a Linux box with a Vigor 120 to provide
a solution for the more discerning customer (with separate Draytek AP700
Wi-Fi units) and using ssh and/or OpenVPN for remote access. More spaghetti
to plumb together, but at least all the functions are separate and well
controlled.

Gordon
Peter
2011-10-22 13:13:18 UTC
Post by Gordon Henderson
Post by Peter
So there is something pretty drastic that's wrong.
I have spent nearly 2 days on this fcucking thing but I don't have
anybody to help me, so unless some amazing suggestion turns up I will
send it back, and try to find a spare Draytek 2900 on Ebay (again).
I'm guessing that the existing 2900 still works OK and you're just
looking for a backup...
I am looking for something that

1) can be replaced if it packs up (currently there are no 2900s on
Ebay)

2) does an SSL VPN for remote connections (GPRS/3G networks often
don't support PPTP)

3) is more reliable than the Draytek, whose site-site IPSEC VPN
function crashes fairly regularly (and I have an SMS-triggered power
cycling thingy in the office to fix this remotely ;)) THIS is the most
irritating thing. It is always fixed by power cycling only the router
at the dialing end of the VPN. If it doesn't dial out, even going into
its config and dialing out manually (clicking on the VPN Dial button)
won't work.
Post by Gordon Henderson
So what about just buying a new Draytek 2820n - modem, router combined
with Wi-Fi and all the VPN support too. (And hardware encryption for
the VPN which I don't think the 2900 has BICBW)
I've been reading about them in the support forums, and while one
needs to be very careful because they tend to be mostly negative
reports, the new boxes seem to be pretty buggy in the VPN features
too.

I was looking at the 2910 or 2910, IIRC, and asked around about the
VPN reliability, but got no feedback.
Post by Gordon Henderson
Then keep the Vigor 120 + 2900 as the backup...
Have to say though - I've used a lot of Drayteks in the past but have sort
of gone off them recently. I've had NAT issues with long-term sessions
(e.g. SIP/IAX keeping the NAT session alive for days) I think they're
doing to the 28xx series what they did to the 26xx routers - put too
much into them, resulting in code bloat and other side-effected issues,
but right now, I don't know of a decent solution with the built-in VPN
features you're after.
I have a 26xx-box here and a good number of the features in it simply
did not work. It is now running the internet for an old granny :)
Post by Gordon Henderson
I've gone down the route of using a Linux box with a Vigor 120 to provide
a solution for the more discerning customer (with separate Draytek AP700
Wi-Fi units) and using ssh and/or OpenVPN for remote access. More spaghetti
to plumb together, but at least all the functions are separate and well
controlled.
You have the expertise to do that, obviously.

I am happy to use separate WIFI APs. The Draytek 800 is a nice one,
for example. We have one installed here.

The issues with the TZ100 may indicate it is actually faulty. For
example even just accessing the config, with IE, over ethernet, with
nothing else connected apart from the Draytek 120 modem, can be
extremely slow, with some screens taking tens of seconds to appear. I
cannot see why it should be anything other than totally instant. It's
not as if they are re-flashing the ROM when transitioning from one
screen to another...
Graham J
2011-10-22 15:10:19 UTC
Post by Peter
Post by Gordon Henderson
Post by Peter
So there is something pretty drastic that's wrong.
I have spent nearly 2 days on this fcucking thing but I don't have
anybody to help me, so unless some amazing suggestion turns up I will
send it back, and try to find a spare Draytek 2900 on Ebay (again).
I'm guessing that the existing 2900 still works OK and you're just
looking for a backup...
I am looking for something that
1) can be replaced if it packs up (currently there are no 2900s on
Ebay)
2) does an SSL VPN for remote connections (GPRS/3G networks often
don't support PPTP)
3) is more reliable than the Draytek, whose site-site IPSEC VPN
function crashes fairly regularly (and I have an SMS-triggered power
cycling thingy in the office to fix this remotely ;)) THIS is the most
irritating thing. It is always fixed by power cycling only the router
at the dialing end of the VPN. If it doesn't dial out, even going into
its config and dialing out manually (clicking on the VPN Dial button)
won't work.
[ snip ]

Did you discuss this here a while back?

I've seen this occasionally. At one end the router thinks the VPN is
up, at the other end it thinks it's down. So the "down" end can't
restart the VPN.

But stopping and restarting the VPN at the "up" end always works.

I therefore suggested you configure the remote router so you can have
management access. That way you can confirm the nature of the fault,
and stop/restart the VPN or reboot the router as necessary.

OK so it might be a tad difficult to automate ...
--
Graham J
Peter
2011-10-22 15:15:18 UTC
Post by Graham J
I therefore suggested you configure the remote router so you can have
management access. That way you can confirm the nature of the fault,
and stop/restart the VPN or reboot the router as necessary.
OK so it might be a tad difficult to automate ...
One can do remote admin on the Drayteks, via port 443, but there are
some bugs in that department.

One was that a certain password always worked (drayteker I believe)
and the other was that if you disabled remote admin it still worked
afterwards (!!) so the only way to disable it was to port forward port
443 to an internal IP on which nothing is listening... (which is what
we did).

That last solution is OK so long as you don't actually want to port
forward p443 to anything on the inside... so you cannot run an HTTPS
server of any sort, perhaps (not sure about that; we haven't tried
that yet).
The Natural Philosopher
2011-10-22 15:59:25 UTC
Post by Peter
Post by Graham J
I therefore suggested you configure the remote router so you can have
management access. That way you can confirm the nature of the fault,
and stop/restart the VPN or reboot the router as necessary.
OK so it might be a tad difficult to automate ...
One can do remote admin on the Drayteks, via port 443, but there are
some bugs in that department.
One was that a certain password always worked (drayteker I believe)
and the other was that if you disabled remote admin it still worked
afterwards (!!) so the only way to disable it was to port forward port
443 to an internal IP on which nothing is listening... (which is what
we did).
That last solution is OK so long as you don't actually want to port
forward p443 to anything on the inside... so you cannot run an HTTPS
server of any sort, perhaps (not sure about that; we haven't tried
that yet).
Dunno if this is helpful, but I've been very impressed with my Billion
router..

Does apparently do VPN, though of what type I cannot say.

Never had occasion to care enough..

Lots of features but BOY is the UI a mess.. still mostly you only set
them up once and then the bits you need a lot you learn.

I chose it in preference to a Draytek because..um..it looked more
businesslike and less styled and they were the only two with built in
VOIP->POTS support.

Only time it locked up on me was during a thunderstorm..
Graham J
2011-10-22 19:22:56 UTC
Post by Peter
Post by Graham J
I therefore suggested you configure the remote router so you can have
management access. That way you can confirm the nature of the fault,
and stop/restart the VPN or reboot the router as necessary.
OK so it might be a tad difficult to automate ...
One can do remote admin on the Drayteks, via port 443, but there are
some bugs in that department.
One was that a certain password always worked (drayteker I believe)
and the other was that if you disabled remote admin it still worked
afterwards (!!) so the only way to disable it was to port forward port
443 to an internal IP on which nothing is listening... (which is what
we did).
That last solution is OK so long as you don't actually want to port
forward p443 to anything on the inside... so you cannot run an HTTPS
server of any sort, perhaps (not sure about that; we haven't tried
that yet).
There is an alternative option. Under System Maintenance >> Management
you specify an access list, to include the IP address you want to manage
it from. OK so you can only specify 3 addresses, and if you don't have
a static IP at your management site you have a problem, which I suggest
you resolve.

You also tick the box to "Enable management from the internet".

I use this technique extensively, and I find it very reliable.

Certainly much easier than learning to configure a Sonicwall.
--
Graham J
Angus Robertson - Magenta Systems Ltd
2011-10-22 13:23:00 UTC
Post by Peter
However overall the data speeds are very low. Downloading a 50MB
file from ZEN's own ISP space runs at 30kbytes/sec via the Sonicwall
It's unlikely to be the Sonicwall at fault, I get good downloads from
Virgin Media at good speed:

Total bytes downloaded 49.6M, duration 0:08, average speed 5.62M/sec

The different TZxxx models do have different throughputs, the TZ100 is the
cheapest and slowest, but should do 3.5M/sec, on FTTC and cable.
Post by Peter
This Sonicwall box appears to be a piece of fcucking crap which only
complete full time boffins can understand
Sonicwall products are aimed at businesses, and they offer training courses
in using them. The software in the TZxxx series is essentially the same as
the Enterprise models with numerous features you will probably never need,
which is why there is a major learning curve.

Angus
Peter
2011-10-22 13:29:35 UTC
Permalink
Post by Angus Robertson - Magenta Systems Ltd
Post by Peter
However overall the data speeds are very low. Downloading a 50MB
file from ZEN's own ISP space runs at 30kbytes/sec via the Sonicwall
It's unlikely to be the Sonicwall at fault, I get good downloads from
Total bytes downloaded 49.6M, duration 0:08, average speed 5.62M/sec
The different TZxxx models do have different throughputs, the TZ100 is the
cheapest and slowest, but should do 3.5M/sec, on FTTC and cable.
What kind of misconfiguration could cause this very slow performance?

One cannot change the MTU in the PPPOE mode.

I do still suspect it is a bug in the PPPOE area, which probably gets
rarely tested.
Gordon Henderson
2011-10-22 14:45:50 UTC
Permalink
Post by Peter
Post by Angus Robertson - Magenta Systems Ltd
Post by Peter
However overall the data speeds are very low. Downloading a 50MB
file from ZEN's own ISP space runs at 30kbytes/sec via the Sonicwall
It's unlikely to be the Sonicwall at fault, I get good downloads from
Total bytes downloaded 49.6M, duration 0:08, average speed 5.62M/sec
The different TZxxx models do have different throughputs, the TZ100 is the
cheapest and slowest, but should do 3.5M/sec, on FTTC and cable.
I've built Linux based routers out of some really slow systems -
e.g. 100MHz Pentiums - that were capable of routing 3 x 100Mb interfaces,
although the slowest box I have currently is a 500MHz Geode routing 2
x 100Mb Interfaces as well as doing firewalling and NAT and PPPoE.

But I've no idea what processors are used in some of the lower-end
routers these days. Built to a budget I suspect...
Post by Peter
What kind of misconfiguration could cause this very slow performance?
One cannot change the MTU in the PPPOE mode.
There might be a reason for that - one is that PPP encapsulation needs a
few bytes over Ethernet, so the Ethernet frame size of 1500 bytes must
be reduced by 4 bytes to 1496. This shouldn't be an issue - although
some ISPs don't handle fragmentation and you might need to clamp the
MSS to MTU-40.
Post by Peter
I do still suspect it is a bug in the PPPOE area, which probably gets
rarely tested.
Are they based on Linux, or some proprietary system?

Another router you might want to look at is the Mikrotik ones - they
seem cheap and cheerful at the low-end anyway - certainly under £100.

Or, what I'm about to try is an ADSL line card directly into a Linux
box. They're not cheap though )-:

Gordon
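What clamping the MSS, as mentioned in the post above, does to a TCP SYN, shown as an added example that is not part of the thread or any router's own code. The link MTU is supplied by the caller, the function names are hypothetical, and the SYN bytes are constructed sample data.

```python
import struct

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def mss_offset(tcp: bytes):
    """Return the byte offset of the MSS value in a TCP SYN header, or None."""
    if len(tcp) < 20 or not tcp[13] & 0x02:   # only SYN segments carry MSS
        return None
    end = min((tcp[12] >> 4) * 4, len(tcp))   # data offset counts 32-bit words
    i = 20                                    # options follow the fixed header
    while i < end:
        kind = tcp[i]
        if kind == 1:                         # NOP is a single byte
            i += 1
            continue
        if kind == 0 or i + 1 >= end:         # End of Option List, or truncated
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > end:    # malformed option: stop parsing
            return None
        if kind == 2 and length == 4:         # Maximum Segment Size option
            return i + 2
        i += length
    return None

def read_mss(tcp: bytes):
    """Return the advertised MSS, or None if the header carries none."""
    off = mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]

def clamp_mss(tcp: bytes, link_mtu: int) -> bytes:
    """Lower the advertised MSS to link_mtu - 40; never raise it."""
    off = mss_offset(tcp)
    limit = link_mtu - IP_TCP_HEADERS
    if off is None or read_mss(tcp) <= limit:
        return tcp
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)   # a real router also fixes the checksum
    return bytes(out)

# Constructed SYN header: ports 50000 -> 443, data offset 6 words (24 bytes),
# SYN flag, one option: MSS 1460 (what a host on 1500-byte Ethernet advertises).
SYN = (struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
       + bytes([2, 4]) + struct.pack("!H", 1460))
```

Because the clamp only rewrites the SYN, both endpoints agree on a smaller segment size up front and the link never has to fragment or rely on ICMP "fragmentation needed" messages getting through.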
alexd
2011-10-22 18:29:22 UTC
Permalink
Post by Gordon Henderson
Post by Angus Robertson - Magenta Systems Ltd
The different TZxxx models do have different throughputs, the TZ100 is
the cheapest and slowest, but should do 3.5M/sec, on FTTC and cable.
I've built Linux based routers out of some really slow systems -
e.g. 100MHz Pentiums - that were capable of routing 3 x 100Mb interfaces,
although the slowest box I have currently is a 500MHz Geode routing 2
x 100Mb Interfaces as well as doing firewalling and NAT and PPPoE.
One key difference is that they do more than NAT and packet filtering -
there's inspection, content filtering, antivirus, etc in there, which all
have an impact on throughput. But only if they're switched on, which I doubt
the OP has.
Post by Gordon Henderson
But I've no idea what processors are used in some of the lower-end
routers these days. Built to a budget I suspect...
Cavium Octeon, a 64-bit MIPS implementation.
Post by Gordon Henderson
Are they based on Linux, or some proprietary system?
It's based on VxWorks.
Post by Gordon Henderson
Another router you might want to look at is the Mikrotik ones - they
seem cheap and cheerful at the low-end anyway - certainly under £100.
Might as well use Vyatta if you're going to use Mikrotik.
Post by Gordon Henderson
Or, what I'm about to try is an ADSL line card directly into a Linux
There are some DSL-router-on-a-PCI-card affairs that emulate [or even are] a
common ethernet chip from the host's point of view. Don't know if they're
any good, but they were cheaper than just-DSL card when I looked. I assume
this is because a router SoC is cheaper than a DSL-PCI interface.
--
<http://ale.cx/> (AIM:troffasky) (***@ale.cx)
19:21:07 up 36 days, 34 min, 5 users, load average: 0.12, 0.24, 0.33
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King
Gordon Henderson
2011-10-22 19:29:29 UTC
Permalink
Post by alexd
Post by Gordon Henderson
Or, what I'm about to try is an ADSL line card directly into a Linux
There are some DSL-router-on-a-PCI-card affairs that emulate [or even are] a
common ethernet chip from the host's point of view. Don't know if they're
any good, but they were cheaper than just-DSL card when I looked. I assume
this is because a router SoC is cheaper than a DSL-PCI interface.
I've seen them, but I think they basically act as a PPPoA <-> PPPoE
bridge - much the same as the Vigor 120 - however I have a particular
issue with that, so am trying to eliminate the PPPoE part and get my
router to talk PPPoA directly.

http://linitx.com/product/12607

Reassuringly expensive, but if it works for my application it'll be
OK for the long run.

Gordon

Angus Robertson - Magenta Systems Ltd
2011-10-22 15:56:00 UTC
Permalink
Post by Peter
What kind of misconfiguration could cause this very slow
performance?
Since you've not listed the X1 WAN interface, specifically the 'Settings
Acquired via PPPoE' panel, nor shown any trace routes via ADSL, can not say.
Post by Peter
I do still suspect it is a bug in the PPPOE area, which probably
gets rarely tested.
Maybe, but it works fine for me with a Vigor 120 with SonicOS Enhanced
5.8.0.2-37o, and earlier. Also, BT FTTC/VDSL2 uses PPPoE so it will be
widely used as more people upgrade from ADSL.

I get downloads of 1M/sec on ADSL2+ via the Sonicwall.

Angus
Peter
2011-10-22 16:46:08 UTC
Permalink
Post by Angus Robertson - Magenta Systems Ltd
Post by Peter
What kind of misconfiguration could cause this very slow
performance?
Since you've not listed the X1 WAN interface, specifically the 'Settings
Acquired via PPPoE' panel, nor shown any trace routes via ADSL, can not say.
Too late now, but the values looked just fine. Same as the other
router. The IP was right, as were the two ZEN nameservers. There are
only a few values in there. It was just like this
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7456

I did some traceroutes but could not understand them, and also they
would have contained confidential data so I could not have posted them
here.
Post by Angus Robertson - Magenta Systems Ltd
Post by Peter
I do still suspect it is a bug in the PPPOE area, which probably
gets rarely tested.
Maybe, but it works fine for me with a Vigor 120 with SonicOS Enhanced
5.8.0.2-37o, and earlier. Also, BT FTTC/VDSL2 uses PPPoE so it will be
widely used as more people upgrade from ADSL.
I get downloads of 1M/sec on ADSL2+ via the Sonicwall.
The thing is that I have configured countless routers, and this
portion of the functionality "should just work". There is little or no
config to tweak in that area.

However only two routers I have installed use PPPoE on the WAN
interface: the Draytek 2900, and this TZ100.

In the end something went wrong with the router. Every time I clicked
on any of the config buttons (e.g. X0 config) it put up a login
screen, which took me back to the beginning...
alexd
2011-10-22 18:20:43 UTC
Permalink
Post by Peter
What kind of misconfiguration could cause this very slow performance?
MTU is the obvious one that springs to mind.
Post by Peter
One cannot change the MTU in the PPPOE mode.
I do still suspect it is a bug in the PPPOE area, which probably gets
rarely tested.
You could try another DSL router instead of the Draytek 120 and test it with
double NAT to eliminate PPPoE as the source of the problem.

Do you see packet loss to the LAN IP of the Sonicwall? If there's some kind
of packet loss issue then pretty much everything is going to suck.
--
<http://ale.cx/> (AIM:troffasky) (***@ale.cx)
19:14:13 up 36 days, 27 min, 5 users, load average: 0.41, 0.16, 0.29
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King
Peter
2011-10-22 19:20:32 UTC
Permalink
Post by alexd
Post by Peter
What kind of misconfiguration could cause this very slow performance?
MTU is the obvious one that springs to mind.
That's what I thought but if you set the TZ100 to PPPoE then the MTU
value is fixed.

The slowdown was dramatic - not something explainable by firewall
features etc. 30kbytes/sec is about 1/20 of even the ADSL downlink
speed I get with the Draytek.
Post by alexd
Post by Peter
One cannot change the MTU in the PPPOE mode.
I do still suspect it is a bug in the PPPOE area, which probably gets
rarely tested.
You could try another DSL router instead of the Draytek 120 and test it with
double NAT to eliminate PPPoE as the source of the problem.
I could have, sure. I have an old D-Link 300, but that would be a
retrograde step. The 300 has other issues, like it needs a router
configured with its MAC # (or maybe the other way round).
Post by alexd
Do you see packet loss to the LAN IP of the Sonicwall? If there's some kind
of packet loss issue then pretty much everything is going to suck.
No dropped packets I could see in the logs, but then how would I know?
But you are talking about a simple ethernet connection there. If
packets were lost there, it is probably a hardware issue.

It is possible this router was duff.
The Natural Philosopher
2011-10-21 23:39:25 UTC
Permalink
Post by Peter
Post by Ghostrecon
after the modem has connected and the router gets its wan i/p do you get
primary dns as 212.23.3.100 and 212.23.6.100 ?.
Yes, I see those allocated by ZEN's DHCP server.
Post by Ghostrecon
what i/p's can you ping I assume its only the router i/p
I can ping various external IPs.
But URLs time out. I have tried a few which I know one can ping; quite
a number of well known sites don't respond to pings.
routing works.
DNS does not.

check DNS/DHCP settings.
Gordon Henderson
2011-10-21 19:23:04 UTC
Permalink
Post by Ghostrecon
Post by Peter
Any suggestions would be much appreciated.
In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.
Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.
I'd have thought for the modem it should be
PPPoA (vcmux)
wan I/p - obtain automatically
vci 38 vpi 0
The modem is, but the link between the modem and router is PPPoE.

Probably some confusion as the "120" is also a Draytek device. The 2900
is a Draytek with an Ethernet WAN port.

I do this regularly, but not with Sonicwalls, but directly into Linux
based routers.

And, oddly enough, some exchanges will work with the modem set to
PPPoE... I had one recently where the Vigor 120 was set to PPPoE and it
was working, but being disconnected once an hour like clockwork...

Gordon
Ghostrecon
2011-10-21 20:01:45 UTC
Permalink
Post by Gordon Henderson
Post by Ghostrecon
Post by Peter
Any suggestions would be much appreciated.
In the Draytek I have PPPOE enabled, with username and password set up
as appropriate (for ZEN), PPP is set to PPP/CHAP.
Under WAN IP network settings I have "specify an IP address" with an
IP address of 0.0.0.0 with a 0.0.0.0 subnet mask (which doesn't sound
right) but the "obtain automatically" which is the other option is
UNchecked. But this works.
I'd have thought for the modem it should be
PPPoA (vcmux)
wan I/p - obtain automatically
vci 38 vpi 0
The modem is, but the link between the modem and router is PPPoE.
Probably some confusion as the "120" is also a Draytek device. The 2900
is a Draytek with an Ethernet WAN port.
I do this regularly, but not with Sonicwalls, but directly into Linux
based routers.
And, oddly enough, some exchanges will work with the modem set to
PPPoE... I had one recently where the Vigor 120 was set to PPPoE and it
was working, but being disconnected once an hour like clockwork...
Gordon
yes it does work with pppoe encapsulation sometimes -

I was just trying to get the basic modem/isp connection to zen before
worrying about connection to the router ie breaking down the problem into
bite sizes....
--
(º•.¸(¨*•.¸ ¸.•*¨)¸.•º)
<.•°•. Nik .•°•.>
(¸.•º(¸.•¨* *¨•.¸)º•.¸)