
"Hikari Premium" CTU and VPN Issues


Postby FG Lurker » Sat Oct 31, 2009 2:58 pm

I just changed my office from vanilla ADSL to NTT West's Hikari Premium Mansion (HPM for short) service. The reason for this post is to help anyone else who might be making the same change but for whatever reason needs their own firewall (and not NTT's equipment) to be assigned the global IP.

HPM comes with a VDSL "modem" and a CTU which works like a router. This means that the CTU is getting the public IP and not my BSD firewall, and of course meant that VPN connections to the firewall had no chance of succeeding. I hoped that I would be able to change the CTU from a router to a bridge but there was no obvious way to do this. There is also no VPN passthrough option on the CTU.

This morning I did a bit of digging around on the web and it is possible to change the way the CTU works in such a way that my firewall gets the IP and the CTU just sits there invisibly, essentially turning it into a bridge.

In your browser on the CTU configuration page this is what needs to be done:
1) Disable the CTU's firewall
2) Turn on the CTU's PPPoE service option
3) Disable (or just delete) all the ISP login settings in the CTU
4) Save the CTU settings

Once the above is done you can configure your own firewall/router to connect to your provider via PPPoE as if the CTU was not there. Your firewall will be assigned the global IP and you can access it remotely for VPN or other uses. You may need to reduce your firewall's WAN MTU to around 1438 due to the additional overhead, just experiment to see what level avoids packet fragmentation and increases VPN stability.

I hope this helps someone! I now have a dirt cheap connection that gets 50Mbps down and about 25Mbps up. Not as fast as a dedicated hikari connection would be but much faster than ADSL was and more than fast enough for my new VPN requirements. :cool:
And you run and you run to catch up with the sun but it's sinking
Racing around to come up behind you again
The sun is the same in a relative way, but you're older
Shorter of breath and one day closer to death

Postby Coligny » Sat Oct 31, 2009 8:29 pm

FG Lurker wrote: Once the above is done you can configure your own firewall/router to connect to your provider via PPPoE as if the CTU was not there. Your firewall will be assigned the global IP and you can access it remotely for VPN or other uses. You may need to reduce your firewall's WAN MTU to around 1438 due to the additional overhead, just experiment to see what level avoids packet fragmentation and increases VPN stability.


Yup, be extra careful with the fucked up NTT MTU requirement. Only company on this planet to do this kind of shit. Any misconfiguration will randomly make you fall into an MTU blackhole. Some websites work perfectly, then some others stop responding or you just reach a default Apache 'this site is not configured' page.

Even after trying nearly anything in the book I still can't reach scale4x4RC anymore after a router upgrade...

Postby FG Lurker » Sat Oct 31, 2009 11:06 pm

Coligny wrote: Yup, be extra careful with the fucked up NTT MTU requirement. Only company on this planet to do this kind of shit. Any misconfiguration will randomly make you fall into an MTU blackhole. Some websites work perfectly, then some others stop responding or you just reach a default Apache 'this site is not configured' page.

Even after trying nearly anything in the book I still can't reach scale4x4RC anymore after a router upgrade...

You can adjust the size of your MTU if you know what size you need. It's pretty easy to find out the size you need as well actually. From a Windows command prompt try this:

ping -f -l 1450 yahoo.com

If you get fragmentation errors reduce the packet size from 1450 in blocks of ten (1440, 1430, etc) until you find a number that gives you something like this:

Code:
C:\>ping -f -l 1380 yahoo.com

Pinging yahoo.com [209.191.93.53] with 1380 bytes of data:

Reply from 209.191.93.53: bytes=1380 time=170ms TTL=48
Reply from 209.191.93.53: bytes=1380 time=171ms TTL=48
Reply from 209.191.93.53: bytes=1380 time=170ms TTL=48
Reply from 209.191.93.53: bytes=1380 time=172ms TTL=48

Ping statistics for 209.191.93.53:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 170ms, Maximum = 172ms, Average = 170ms


Once you have the largest MTU that you can use from your computer you should use DrTCP to make the adjustment. You will see a screen like this:

Image

From the drop-down list choose the network adapter you use to access the 'net. Don't mess with other adapters!! Once you have the correct adapter, enter your MTU size in the MTU field. Save the settings. Reboot your computer and it should work fine!

MTU problems are not a Japan-only thing. Windows' MTU is set up for Ethernet networks. When you use PPPoE to authenticate your high speed connection there is some overhead involved in that. If you have specialized IPv4 to IPv6 encapsulation going on (like Hikari Premium) then there will be some more overhead. It all adds up and can easily lead to packet fragmentation and sites not working properly.
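The probing procedure from the post above, automated as an added example (not code from the thread): it binary-searches don't-fragment ping sizes instead of stepping down by ten, and counts only real echo replies so a silent MTU blackhole registers as a failure. It assumes Windows `ping` or Linux iputils `ping`; `simulated_link`, the search bounds and the function names are constructed for illustration. The size given to ping is the ICMP payload, so the MTU to configure is 28 bytes larger (a 1410-byte payload corresponds to the 1438 MTU mentioned in the first post).

```python
import platform
import subprocess
import sys

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MTU = 1500


def ping_df(host, payload):
    """One don't-fragment echo carrying `payload` data bytes; True only on a real reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", "2000", host]
    else:  # assumes Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "2", host]
    out = subprocess.run(cmd, capture_output=True).stdout
    # In an MTU blackhole the oversized probe just times out, so look for an
    # actual echo reply ("TTL=" / "ttl=") rather than trusting the exit code.
    return b"ttl=" in out.lower()


def simulated_link(mtu):
    """Constructed stand-in for a real path: a probe passes only if the packet fits."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu


def largest_payload(probe, lo=1200, hi=ETHERNET_MTU - IP_ICMP_HEADERS):
    """Binary-search the largest payload that passes; None if even `lo` fails."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe):
    """Path MTU = largest unfragmented ping payload + IP and ICMP headers."""
    payload = largest_payload(probe)
    return None if payload is None else payload + IP_ICMP_HEADERS


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda size: ping_df(host, size)) if host else simulated_link(1438)
    print("path MTU:", path_mtu(probe))
```

Run it with a hostname as the only argument to probe a real path; with no argument it runs against the simulated 1438-byte link.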

