I have recently signed up to 100mbit business broadband (with a single static IP address I think) and also have received the Hitron Router. I have read through the previous posts but to be honest don't fully understand the issues and how these will affect me.
I would be grateful for some assistance. I am using the Virgin line as a failover line via a Draytek dual WAN router. I would like to use port forwarding to access my server on the LAN. Will this be possible with the Hitron or am I screwed? If so, is there a workaround?
I've come across a customer that had a Hitron router installed with 5 static IPs. The VM engineer reconfigured their printer's IP address to one of the static IPs, so it's now directly accessible on the Internet! In addition, he modified all the PCs so that they also had an IP address from the static range, plus their old IP from the private LAN range. The default GW is set to the public IP of the Hitron router. Luckily the PCs are not responding to port scans from the Internet, so guessing Windows Firewall is doing its job.
The setup is far from normal, as everything on the LAN that doesn't need to be accessed from the Internet should only have a private IP. It seems there is no NAT on the Hitron, and reading some of the posts on this thread suggests this is by design? Perhaps I've misunderstood that.
Is this the 'normal' configuration, or has the engineer made a boo-boo?
BTW, he did remove the customer's old Draytek 2910 when he turned on the new VM service. I thought that perhaps that could be reconnected to act as a firewall and NAT device if the Hitron can't do NAT, but some posts suggest this isn't possible until a firmware update is released to allow modem only mode?
Zach8 - no, it was installed sometime in April. Why do you dream of a service with no NAT? In this case, having the customer's devices set with public IP addresses poses a serious security risk - at the very least random port scans appear to be generating garbage output on the printer (50+ pages every other day), and at the very worst... well, their data is no longer private and secure!
Only hardened devices should ever be given a public IP address, everything else should be hidden behind a Firewall on a private IP.
The customer has contacted VM business support, but was told to email them and expect a response within 72 hours. Nice!
Because, like many on this thread, I want to use the Virgin service for business, I want them to supply a router and route me a subnet to present to my firewall so that I can maintain VLANs, NATs, logging, VPNs, QoS and... you know - normal stuff like what you would expect when you purchase a business broadband connection.
Instead I have a router which I can either have a flaky static IP natted, or a dodgy dynamic IP presented.
Zach8 - Seems there are different configurations in place. My customer appears to have a service with 5 static IPs and a no-NAT configuration. The engineer has reconfigured all the LAN devices and manually allocated an IP address from the static range to each device (it's a small office so 2-3 PCs and a printer). DHCP is not enabled (or not available on the Hitron?)
It would have been better if he had connected the Draytek and used that as a Firewall and configured NAT on there. But is that only possible if the Hitron is set to Modem only mode, which isn't supported when static IPs are used?
This customer doesn't need static IPs anyway, so not sure why he got them, a dynamic IP would have been fine.
Why do you dream of a service with no NAT? In this case, having the customer's devices set with public IP addresses poses a serious security risk
You do know it's been proven you can be a security risk even with NAT, don't you? In fact, NAT routers themselves have been known to have security risks, and so then all your devices are compromised, and that's just for starters; there are way more security risks that NAT cannot protect you from.
Really the problem is the user (to some degree), and sure, you can bubble wrap them, but then something will break for something they want to do that may be safe, and you can blame the problem on the ones that find the security holes, but good luck finding them, as in the ones that use the security holes for what even means.