Fibre and Phone Broadband Routing IPv4 & IPv6 to home machines & servers: Hyperoptic Router Fixes

Our central London apartments have 1GB fibre connections with Hyperoptic which are reliable and fast. We get the speeds advertised, and at one our flats it is even a little faster. Ping is time 1ms. With such fast speeds, upload as fast as download, it is tempting to run servers at home and run a private cloud. The snag is the devices at home are not reachable from the internet using IPv4; the home routers are behind CGNAT, just as phone companies do in order to share the rationed IPv4 addresses and protect their network. You can pay Hyperoptic and other fibre companies extra each month for a fixed IPv4 address that is then reachable from the outside using IPv4. You may not need to. Better to use IPv6 anyway.

Home devices can be reached by IPv6 addresses from the internet which when calling from an IPv6 enabled network. IPv6 is fixed and we are given a whole reachable subnet. Then we can set the home router’s IPv6 filter; that is open pinholes or IPV6 filter rules to local devices’ IPV6 address and ports we want. We can now have multiple reachable devices from the internet and even using the same port, say port 443, as there is no address sharing (NAT).

There has been a snag using Hyperoptic routers, even their latest H3600 router when it comes to IPv6 routing. Many customers give up and buy their own routers. The Hyperoptic router manual has incorrect instructions for IPv6 filters. The first thing to note that the “LOW” firewall setting does not seem to affect IP4 blocks and port forwarding rules, but low does open all IPv6 devices on the LAN, so an open port of any device is reachable on the internet in IPv6 addresses. Not a good idea. But middle and high settings are fine, I set mine to high so all ports are closed unless defined by the filter rules.

Now adding filter rules was a pain, and it took me a day to realise why some rules worked and others did not. The IPv6 filter rule secret is NOT to declare the incoming port. It you put a number in there the rule is ignored.

Connection works from IPv6 enabled networks away from home. It does not always work from some workplaces or from many phones because still some ISPs still use IPv4 only routing. To solve this I use another server (my VPS) that has fixed IPv4 and IPv6 connections I use the VPS as a middle man to “cat” the connection from IPv4 to an IPv6 address. I can access home systems anywhere and can give my home machines domain names IPv4 and IPv6 with DNS entry. On this middle machine, a Linux site (a VPS) I use SOCAT command with the IP and ports I want like this:socat TCP4-LISTEN:9831,fork,su=nobody TCP6:[2a01:4b02:a40a:4b10:af9b:c59c:b1b8:2e7x]:2529. Connecting to MyVPSserver:9831 using IPv4, connects to my a home device on IPv6:2529. I run a VPN though it (SoftetherVPN). It’s magical (don’t forget to open the port on the middle server if needed). It is very fast, I do not notice any degradation. When using Myvpserver domain I set DNS A (IPv4) to the VPS server and DNS AAA (IPv6) direct to the home device IPv6 address.

As it happens I found that if you have two places with Hyperoptic fibre connections you can access the other by using the internal Hyperoptic IPv4 addresses that are given to their routers (in range). These internal Hyperoptic IPv4 addresses seem fixed. These IPs have not changed over multiple reboots.

The other approach to reach your server is to use a reverse SSH tunnel from home server to one with a fixed IP such as a VPS. Using a Softether VPN ( the easiest of VPNs to set up) we can have full access to the network. To automate this I use autossh, set up in /etc/rc.local rc.local is now depreciated but I find it easier.

autossh -M 0 -N -f -o “ServerAliveInterval 30” -o “ServerAliveCountMax 3” -o “PubkeyAuthentication=yes” -o “PasswordAuthentication=no” -i /root/.ssh/id_mykey -R 50020:localhost:5555 user@mydomain -p 2526 & This connects the remote, behind the firewall machine (usually a Raspberry) Pi to my VPS SSH port 2526 using the key id_mykey. The VPS now has the the 50020 as a tunnel back to the remote machine’s Softether default port 5555. A Profile on Softether client on any device can be set to connect to mydomain port 50020 (if port open or localhost:50020 to tunnel the port via SSH)

I was also using the reverse tunnel to connect to a 4g router. This is a 4g dongle attached to Raspberry PI as part of a remote ham radio project. I have no space in London for antenna. I was to run Remote Rig though the tunnel but 4g latency was the problem.

Three Broadband 5G. Atrocious upload

Update on 5g Three Broadband (as was Relish broadband)

See 2015 blog on the 4g Three Boadband product

I get on the phone to dump Relish (Three Broadband), giving up the £30 a month contract after some years with them.  I was getting better connection and upload speeds on my phone.  My phone uses the same Three’s Network 4g or Vodafones’ 4g (it’s dual sim).  Setting my phone as a hotspot was better than using the Three home broadband hub. Time to give up on the 4g Relish (Three) home broadband hub.

Three Broadband then said 5g was now in my area, so I was sent the new Huawei 5g hub/router (over £350 to buy).  My testing went ahead using wired ethernet from hub to PC.

5g is only JUST available in my flat in only one spot, at an impossible to mount area within one bedroom.   Then it seemed that if I made any adjustments to the router firmware, such as change the LAN IP range, the router lost its ability to find the local 5G signal.  It would only find 5G tower after a hard reset.  That is all support would suggest.

Huawei H112-370.

The best 5g I got was with the hub router propped up on books in one precise spot was 100MB/s.   What was most disturbing was the fractional upload speed, best at 2.8Mbs.   Everywhere else in the flat is it the hub dropped down to 4g but at least that gave better upload speeds of 4-6Mb/s

Best with 5g:

Best 5g in area and 5g Area in our flat near window, pointing at local tower.

Three Broadband will not tell you what upload speeds to expect, talking rubbish that it depends on various factors, but those factors would also affect download speed, although I accept transmission power is lower from the hub. One the other hand power is needed for reception’s download handshaking so I would have thought factors affecting download would affect upload to the same extent. Perhaps 5g is more complex.

Three Broadband refuse to give any indication of an upload guide number, and simply state “it is not guaranteed”. That is all they will say.   Three Broadband’s refusal to give any technical details to users is something Ofcom should look into.  We should know what we are buying.  Upload speed and with latency are crucial factors for a useful broadband connection; download speed is just on factor and is a bigger number.  It is the only one they like to headline.  Funny that.

They probably refuse to quote any number because upload is deliberately throttled.   This was the case with their original Relish 4g hub (again this was never mentioned anywhere on their web site).  The best upload speed I got on 4g on Relish hub was 8MB/s despite downloads of up to 72Mb/s .   Most 4g SIMS in phones are pretty much synchronous, you get similar upload and download speeds unless the network is busy.   I gather some “5G” systems split upload and put upload back onto 4g.  Perhaps this is what Three does, but seems slower than when the hub is using 4g. All very odd.

The hub is not locked, so I was able to put my 4g Vodaphone SIM in the Huawei H112-370 hub this afternoon, a busy period in central London (things here speed up evenings and weekends).  This afternoon it gave 72Mb/s download and 20Mb/s upload.

Vodaphone 4g sim in the 5G hub. Note upload speed

Using 4g Vodaphone sim in the Huawei hub this busy afternoon in central London.

In the evenings on 4g phone sim I often get 98Mb/S with 70Mb/s upload, or uploads can even faster than download.

So I am sending back the Three Broadband 5g hub.   5G is hardly here at all, and upload speeds are atrocious.

5g here is giving 100Mb/s download with upload throttled to 2.8Mb/s, that upload speed is a fraction of what normal 4g offers.   There is no question that the better option is still 4g and is cheaper.  I plugged in a 4g USB modem into my Draytek router with a Smarty sim, which gives unlimited data, decent upload speeds at £20 a month no contract. Done deal while waiting for the block to get fibre installed.  Hyperoptic fibre cable is synchronous and we get at our other flat 700Mb/s up and down with low pings.  5G can wait because there are some nasty marketing practices bordering in fakery here. Deception of customers by deliberate omission, made worse an outright REFUSAL by support team to state the facts.

Gerry Bulger

Relish (Three) Broadband. A 4G Alternative to wired connections in London

Relish Broadband and Hyperoptic Broadband  Now

While everyone goes on about the countryside having poor broadband, it’s here in central London, EC1, that has terrible domestic broadband connections.   Here with BT or Sky the download speeds are never greater than 7mbs down and 700kbs up. There is no fibre here, no Virgin cable. Blocks of flats have real issues.

At last out block may yet get Hyperoptic broadband cabling.   We have this at our other apartment. Although fast is had similar issues.

When Relish Broadband came along offering high speed, up to 50mbs using  a dedicated 4G network in EC1 at only £20 a month unlimited use, I jumped at it.

Alas there is no free lunch.  Here is my list of Relish issues that Relish/Three broadband does not tell you, or is so hidden in small print that you will miss it.   Now that Three have taken over, nothing at all has changed:

  1.  You cannot put the Relsih 4G SIM in any other device than their hub/router (This is in their T&Cs). You cannot for example put in in a 4G dongle.
  2.  The router/hub is locked down. You cannot change much at all.
  3.  The Relish router/hub does offer dynamic IP name assignment with DYNDNS and others, but those will not work unless you buy a fixed IP address!
  4. As above you cannot reach your hub network from the internet because Relish uses CGNAT thus hiding you within their private network. To have normal home broadband you have buy an IP address; that is get the business package.
  5. The router/hub uses Network Translation (NAT) ONLY. The other options are greyed out, so you cannot set it to route the one IP address, and use the router as a modem, which I would much prefer to connect it on to a proper router.
  6. There were sudden drop outs in connection causing pauses. This problem persists but is now much less often after a firmware upgrade.
  7. No IPV6 support.  Does seem to be planned either!
  8. Asynchronous.  Upload speeds very poor, 4MBs 

At first the service was terrible and hardly worked at all, but I stuck with them. To be fair you can send the hub back and cancel the contract at no charge within a month, so you can test it out for free.  The help line advice was just to give up and send it back!  I wanted it to work. After six weeks the poor signal strength shot up and I was getting speeds of up to 60mbs down and 10mbs up. Almost Korean speeds.  During busy times, which here in is during the day, it can fall to as low as 8mbs down and 4Mbs up for short periods. Still, these speeds much better than Sky.  And it is unlimited.

Relish marketing have designed the package to be plug and play. That is all very well, but what REALLY annoys me it that there is no technical information page. It’s take it or leave it attitude.

They describe it as home broadband without wires, but the basic package is not. Their advertising is naughty, especially as there do not give any of the details on their web page of what the service actually is. There is no reason to hide the truth as it is still good value.

The base package is not home broadband as you cannot reach your home from the internet unlike all most wired services, except hyperoptic.  This could lead to other problems with games and any home cloud you have. Relish uses Carrier Grade Network Address Translation (CGNAT). In effect you are on their private internal network. You do not have a reachable IP address, so dyndns and similar services will not work. This is in effect double NAT. This does not seem to be necessary is IPV6 is coming along allowing everything and everybody to have an IP address. But CGNAT does act as a nasty block from the internet to your home device. Some might like this double firewall.

Hyperoptic are almost as bad as they too use CGNAT  so you cannot teach your 1Gbs router from the internet. So you had to buy the fixed IP4 address.  But at least with them IPV6 is now rolled out, so should not be necessary, but their router is clumsy handling it.  Hyperoptic is fast, low ping and SYNCHRONOUS !   £60pcm for full service and phone.

Hyperoptic today on Rasperrypi:   Download: 167.71 Mbit/s 
Upload: 226.71 Mbit/s

At the start I fought with Relish their terrible help lines, and to their credit they offered me a business IP address, so I can reach my router here. I now pay £30pcm no phone

I wish that these businesses they could have the courage to be more honest on their web pages about the product and give much more technical info.  They to sell their products as if a fridge.  You plug it in and forget.  For a business environment that’s not good enough. 

It’s still good value.  Its working pretty well, usually very fast but had the occasional drop-out, but that issues seems fixed.

Three Broadbnad, Relish is now stable (May 2019) useful and fast enough.  A few times it does drop to 6Mbs which is the TOP speed we get on our Sky/BT lines, but averaged 40Mbs.   Relish/Three still lacks IPv6 support and this is becoming an increasing problem.

Test Relish on Raspberry Pi  Relisj? Three:  Download: 33.08 Mbit/s Upload: 3.83 Mbit/s

I have two connections at at this apartment. Slow Sky (6Mbs), Broadband and Relish.   For me Sky Broadband is now the spare connection (failover) should Relish fail.  This is switch is automatic; The Draytek Vigor 2860 router I have does load balancing and failover.   Sky has IPv6. Three Relish does not. I cannot IPv6 at all use as default routing prefers IPv6, forcing the router to use the slower connection.