Routing problem in T-Mobile Thuis Network

  • 27 December 2021
  • 64 replies
  • 1274 views

Reputation 3

Hi,

Need some help here.

I built a similar setup at 2 locations in the T-Mobile Thuis network: a Zyxel VMG8825 T50 modem with a NAS connected, and everything is configured exactly the same at both sides. The IP address belonging to the NAS URL of each NAS is updated via DDNS (set up in both Zyxels) with NO-IP.

1. When I try to connect from Laptop-1 to NAS-2 from IP = 85.144.x.y (=Zyxel-1) it fails.
2. When I try to connect from Laptop-2 to NAS-1 from IP = 87.208.x.y (=Zyxel-2) it works fine.
3. When I try from any other non-T-Mobile Thuis access point, or via Wifi Hotspot on the Mobile Phone, it works just fine.
4. Resetting Zyxel-1 has no effect.

Observations:

1. No ping works on the T-Mobile Thuis network
2. Routing from 85.144.x.y to 87.208.x.y domain fails
3. Routing from 87.208.x.y to 85.144.x.y domain works fine.

Can anyone advise whether I made a mistake, or is it a T-Mobile Thuis network configuration issue?

Eric


This topic has been closed for comments

64 replies

Reputation 3

@yalerta and @Boris

Here you go. I followed your advice, and still get stuck, but much more specific in detail.

Reputation 7
Badge +16

Hi @EricSatu, thanks for posting a clear picture of your setup, that definitely helps matters! 😊

If I understand your setup correctly, it appears as though you've tried to install two separate Zyxel T-50 modems in the same network configuration, with the only key exception being the separate NASes in between, is that correct? If so, you can't have two Zyxels active via the same DHCP-server. You could, however, plant a separate router behind the main Zyxel modem. Hope that setup works for you!

If I completely misinterpret your setup, please forgive me!

@Pieter_B Perhaps you can be of more assistance than I can? Thanks in advance! 😄

Reputation 3

@Jason and @Pieter B. 

There are 2 different locations or cities (2 subscriptions!) identically set up with a modem and NAS. One in T-Mobile Thuis domain 85.144.x.y and the other in 87.208.x.y.

Hope that clarifies, and I hope you have an idea to fix my issue.

Reputation 7
Badge +16

Hi @EricSatu, thanks for the clarification! 

I'll ask for some help from one of our home-experts. My expertise isn't nearly broad enough regarding this subject, sorry!

@Pieter_B, @Hidden.nld and @Waqqas: could you perhaps offer assistance? Many thanks in advance! 😄

Reputation 7
Badge +3

@EricSatu 

Are the ping problems both present when using the host name via NO_IP and the real IP of your home router?

Did you use telnet with port details, or just ping the host / IP without a port?

What does nmap -p PORT IP report?

What does nmap IP (direct) or nmap HOSTNAME (via NO_IP) report?

What happens if you enable the ping response on the Zyxel-2, do you get a response from the router itself?

Reputation 3

Thank you @Pieter_B 

On your first 2 questions I can say:

1: Ping never works, neither on IP@ nor on URL

2: I don’t use telnet

3: -, next week

4: -, next week

5: I don’t know how to enable the ping response on the Zyxel T50 modem. Can’t find the setting.

I’ll get back to you next week as I am not at home right now and can’t test any further.

Eric

Reputation 3

@Pieter_B 

Hi Pieter. I have been away for a while, but my original problem still exists.

As in the original post, I can not access the NAS in another city.

I tried nmap but do not know how nmap works, maybe you can advise.

I also do not know how to enable the ping response on the Zyxel-2.

Please support to get my issue fixed.

Reputation 3

@Pieter_B 

Hi Pieter, I have played with nmap, maybe not as you suggested.

Port 200 = Access to Zyxel-2

Port 1443 = Access to NAS-2

Port 1001 = Webpage in NAS-2

Port 1501 = WebDav in NAS-2

  1. Access NAS-2 with Laptop connected via Zyxel-1 modem: Only port 200 works, i.e. access to Zyxel-2.
  2. Access NAS-2 with Laptop connected via Hot-Spot on Mobile Phone: All ports work as expected.

Any idea what is wrong here? A T-Mobile configuration issue maybe?

Regards, Eric

Reputation 7
Badge +3

@EricSatu 

Hello again.

I see that some of the ports are maybe open, but Nmap cannot determine their correct state.

See the basic info for scanning

filtered

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

What you can do when getting this message is deactivate the port forwarding on the target Zyxel and scan again. If it reports CLOSED, you know that deactivating the ports changes the status, and the problem could be in the direction of the NAS.
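
Added example (not part of the thread and not written by any of the posters): a small Python TCP connect check that reports the open, closed and filtered states described in the Nmap text above, plus a comparison of two scans of the same target taken from different networks. The function names, the timeout and the sample scan results are assumptions constructed for illustration; the port numbers are the ones listed earlier in the thread.

```python
import errno
import socket

PORTS = [200, 1443, 1001, 1501]  # the forwarded ports listed in the thread

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port with a full connect(), using Nmap's state names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: path works, nothing listening
    except socket.timeout:
        return "filtered"        # probe dropped silently somewhere on the path
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # ICMP unreachable or no route to the target
        raise

def compare_vantage_points(scan_a, scan_b):
    """Return {port: (state_a, state_b)} for ports whose state differs."""
    return {p: (scan_a[p], scan_b.get(p))
            for p in sorted(scan_a) if scan_a[p] != scan_b.get(p)}

# Constructed sample results for one target, shaped like the thread's findings
# (only port 200 reachable from the fixed line, everything from the hotspot).
FROM_ZYXEL1 = {200: "open", 1443: "filtered", 1001: "filtered", 1501: "filtered"}
FROM_HOTSPOT = {200: "open", 1443: "open", 1001: "open", 1501: "open"}

if __name__ == "__main__":
    # Offline demonstration against a throwaway listener on localhost.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe_tcp("127.0.0.1", port))  # open
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))  # closed
    diff = compare_vantage_points(FROM_ZYXEL1, FROM_HOTSPOT)
    for p, states in diff.items():
        print(p, "zyxel-1=%s hotspot=%s" % states)
```

Run against your own forwarded address once from each network: a port that is open from one network and filtered from the other points at packet filtering on that path rather than at the service behind the port.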

Reputation 3

Thanks @Pieter_B I will test with other tools next week.

The nmap result matches with reality. If the bullet = RED for a specific port, it can not be accessed from a URL either. If the bullet = GREEN, it can be accessed !

The difference is the network I access from. RED = accessed from Zyxel-1, GREEN = accessed via Mobile Phone Hotspot.

To me it is clear that there is something blocked between Zyxel-1 and Zyxel-2 in the T-Mobile Thuis network. Do you know who I can ask to have that checked?

Reputation 7
Badge +3

@EricSatu 

I missed a little bit that one picture was from a hotspot connection and the other via the fixed line. Now I see you are testing the same IP twice.

It is indeed a little bit strange that a connection via a hotspot network (mobile network) has everything open, but over the fixed TMT line all are closed.

Feels like some kind of routing issue for now.

Reputation 3

Hi @Pieter_B you got it right.

What or who can help me? What do you recommend?

Eric

Reputation 7
Badge +3

@EricSatu 

Can you see what happens if you connect from Laptop-1 to NAS-1 via the DDNS service? You could see that as a remote hairpin.

And try to do the same on the other side with Laptop-2 to NAS-2.

But it would be nice if some network specs at TMT could also look into this; I do not know if moderator @Jason could be of any assistance on this?

NOTE: Moderators mostly try to respond in about 48 hours, maybe now after the weekend.

Reputation 7
Badge +16

Hi @EricSatu, I'll try and ask one of our network specialists to come and take a gander, my limited knowledge won't be of much assistance to be honest! 😊

Thanks for your help and contributions @Pieter_B, hopefully one of our specialists can offer more clarity! 

Reputation 3

Really appreciated @Jason. Any further information required? Please let me know.

Thank you @Pieter_B, let's hope it can be fixed.

Reputation 7
Badge +16

@TechRacing93 Sorry for tagging you so boldly in this topic, but I spoke with the specialists and your name comes up often because you have frequently given expert help in other topics (as @Pieter_B does above and more often, of course)! 😊

Would you be willing to cast your expert eye over this, please?

@EricSatu You're very welcome, no further info is required at the moment. Thanks!

Reputation 7
Badge +16

@EricSatu Can you send me a private message with both customer numbers (klantnummers), please? Right now I can only find one connection, finding the second one would really help matters. Thanks in advance! 😉👍

@EricSatu


Could you please try the following from both internet connections and laptops?!

→ Go to https://www.grc.com/default.htm

→ Click ShieldsUP! which is under the “Hot Spots” title if you scroll down.

→ Click Proceed

→ Enter the port numbers 200,1443,1001,1501 in the white input field.

→ Click “User Specified Custom Port Probe”.

This will initiate a portscan from the IPv4 address you're connecting from. I'm pretty sure you will see the ports on 87.208 will be shown with status “Stealth”.

 

A routing issue will be impossible, reason? 

2. Routing from 85.144.x.y to 87.208.x.y domain fails

3. Routing from 87.208.x.y to 85.144.x.y domain works fine.

 

If from 85.144.x.y to 87.208.x.y fails, the same would have been the case the other way around.

 

Reputation 3

@Gerrit078 

Hi Gerrit,

I did the ShieldsUP portscan as you suggested, and indeed the ports are in Stealth mode.

Port scan result at Zyxel-2

This is interesting, as the ports are accessible when I access via my Mobile Phone Hotspot as stated in an earlier post . . . .

It looks like a routing issue somewhere in the T-Mobile Thuis network. Internal port access originated from Zyxel-1 is blocked, however some external access is functioning, like from No-Ip and via Mobile Phone network (Tele2). 

The downside of using ShieldsUP! is that it only works when connected to the targeted network. Not on a remote network.

@Gerrit078

Hi Gerrit,

I did the ShieldsUP portscan as you suggested, and indeed the ports are in Stealth mode.

This is interesting, as the ports are accessible when I access via my Mobile Phone Hotspot as stated in an earlier post . . . .

Exactly as I expected…

I suspect that - when you were using your hotspot - your phone was still connected to your Wi-Fi connection. In that case the ports are indeed open because local loopback (NAT loopback) is used.

Because of the loopback, ports are considered as open ports when you test them locally. Not sure how to get this to work, it might be a conflict somewhere in the modem software so maybe a full software reset might solve the issue. It might be an idea to head over to the location where everything does work. Make screenshots of all pages and settings, and take them with you to the location where it doesn't work. A minor difference could cause these sorts of issues as well.

 

By the way, to test it with the hotspot:

Disconnect your phone from the Wi-Fi network, turn hotspot on again, reconnect your laptop to your phone as a hotspot and test again. Then you will see again that the ports are stealth.

It looks like a routing issue somewhere in the T-Mobile Thuis network. Internal port access originated from Zyxel-1 is blocked, however some external access is functioning, like from No-Ip and via Mobile Phone network (Tele2). 

 

It's a conflict with the Zyxel, if it would have been a routing issue, you would not have seen port 200 open either. Besides that, it would have been impossible to reach the other target either. When A → B works but B → A doesn't… there's no routing issue, that's impossible.

 

@Gerrit078

targeted network. Not on a remote network.

Maybe there is a portscan tool online allowing remote IPs to be entered, but unfortunately I don't know any. I do however know the IP ending with 3 does have all those ports you mentioned open.

 

Reputation 3

Hi @Gerrit078,

My phone has Wifi off when in Hotspot mode, as that is how it works in Samsung at least. 4G/LTE as a Wifi access point using the phone.

Long ago I have compared the settings in both Zyxel modems, they are identical.

Not much I can test anymore that I know of. Hopefully the T-Mobile Thuis team can find something in their configurations. There are many routers/servers in such a network, for various functions.

Anyway thank you for your suggestions, and if you get an idea, let me know.

Eric

 

My phone has Wifi off when in Hotspot mode, as that is how it works in Samsung at least. 4G/LTE as a Wifi access point using the phone.

 

To be honest, I can't remember ever having a Samsung smartphone that automatically disconnected and turned off Wi-Fi when I enabled the hotspot; I always had to disable Wi-Fi manually.

 

Not much I can test anymore that I know of. Hopefully the T-Mobile Thuis team can find something in their configurations. There are many routers/servers in such a network, for various functions.

 

I doubt it, they will see that port 200 is open and thus consider it not to be a routing issue. Perhaps they will consider the modem as not functioning properly and suggest a replacement. Let's hope @Jason will have a reply from the techs soon.

Reputation 7

Hi @EricSatu and @Gerrit078, Jason and I took another look at this issue! One of our colleagues from a different department also took a look with us and everything looks perfect on our side. So it's hard to find the cause of this. We also checked your connection @EricSatu and it looks like the second Zyxel is online at the moment. Can you please let us know if everything works fine again? Fingers crossed! ☘

 

 

Reputation 3

@Lisa @Pieter_B @Jason 

We have configured Zyxel-2 (Amsterdam) again and can access it remotely again, but only when I work via my phone's hotspot.

When I try to access Zyxel-2 via the Wifi of Zyxel-1 (Hilversum), that still does not work.

So nothing has changed yet; I still cannot reach NAS-2 on the other Zyxel-2 modem when I work via the Wifi on the Zyxel-1 modem . . . . .

 

Reputation 4

And what if you try it via just a network cable?

Also, have you made changes to the firewall in the modem, for example do you use ACL rules?

Sysinternals (which has been part of Microsoft for quite a while now) has a small tool (psping) that lets you ping ports. So instead of only the IP address, also the corresponding port. https://docs.microsoft.com/en-us/sysinternals/downloads/psping

It may be that you need to turn ping on in the Zyxel for a moment. You do this under remote management ("extern beheer").

Tick the box in the WAN column and apply.

By the way, I actually don't see anywhere the error message you get when you go from L1 to N2. Only that it fails. Which error message do you get?