How to make the most of a 1.15Gbps (Gig1) Virgin Media ISP

ChuckMountain

New Member
Nov 6, 2019
24
1
3
I have just upgraded my ISP to the latest Virgin Media (VM) offering which gives just over 1.1Gbps/50Mbps connection speeds.

The supplied router comes with 4 x 1 gigabit ports as well as WiFi 5? It does not have a 10Gbe connection and it can be operated in Modem Only mode that would limit it to one port.

A single connection direct to the router tops out at around the 930Mbps or so mark in line with expectations.

I am the point where I am considering upgrading parts of my core network to 10Gbps and would ideally like to have the full bandwidth available from my ISP. I realise it might not be possible to do it for one client but across a number of them, I should not be losing 200+Mbps.

Anybody solved a similar problem and got any advice to pass on, please?

Initial thoughts are:

1) Upgrade my current Dual WAN router to a different model capable of the desired throughput (my current one bottlenecks at around 700Mbps). Leave the VM in normal mode with 2 connections to it one to each WAN port. The Dual WAN router could then use link aggregation back to a main switch across 2 x 1 gigabit links
2) Build a custom Pfsense firewall (or similar) with 2 x 1 gigabit connections and 1 x 10 gigabit connection, with the 2 x 1 gigabit connections connected to VM router and the 10 gigabit back to a 10gigabit core switch
3) Don't think I can achieve more than 930Mbps in modem only mode?
4) Segment the network up a bit more so that I have multiple smaller switches\VLANs to spread the load across the 4 x 1 gigabit ports on the VM router but then normal internal LAN traffic would be competing with Internet traffic - I lose control over my network that way.

Any other options or ideas I should consider?
 

altmind

Active Member
Sep 23, 2018
167
56
28
What is the type of internet connection that VM provides? If its docsis, I doubt it will run on the advertised rate.

What do you use for a router? Do you need a router at all or single default gw on a switch may be enough?
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
Thanks for the reply, it’s Docsis 3.1 which for VM is an upgrade on their previous one of 3.0. The previous ISP supplied router the super hub 3 would hit its limit of up to 550Mbps depending on the service you bought. VM usually run at 10% higher than their advertised speed.

According to SamKnows which runs software directly on the modem upstream of the switch it hits 1.1Gbps so on the face of it appears to be working as advertised.

Why do you think it wouldn’t run at the speed out of interest?

The supplied Virgin Media Super Hub 4 as it is branded appears to be an Arris TG3492LG-VMB and unfortunately this cannot be replaced due to the restrictions from the ISP. Even I was able to obtain a suitable equivalent one they don’t let cloned MAC address modems on the network as far as I know.

It is configured with a poor consumer orientated website so has very limited options available and most people that want more control put it in modem only mode and use a better router.

My other router is a Linksys LRT224 which is ok but is not capable of the throughput of the speeds so definitely needs to be replaced if going down that route. It worked fine previously though when I was on the 350Mbps service.

I am happy not to have a second router as that would prevent any issues around double NAT etc. but it was just an option that I was considering. At the moment my main switch won’t route between VLANs (Dlink DGS-1210-28P) so I do some routing capabailities. I have a guest VLAN and am considering some more. If I did drop the router I am still not convinced about the firewall features on the ISP router hence also considering that option.

I am open to any ideas though really, hence the post :)
 

ppiixx

New Member
May 8, 2017
9
1
3
41
I have the same service from Virgin and I don't think there is a easy way to do what you want.

You would have to deal with the pain of double NAT plus the complexity of multi-wan where both the wan links are to the same IP address and MAC.

Might be simplest to just throw some devices onto the Hub's wifi and accept that wired devices will have to cope with only 1 gigabit.

If your guest VLAN doesn't need access to your LAN then connecting that to another port on the Virgin Hub is a option.
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
I have the same service from Virgin and I don't think there is a easy way to do what you want.

You would have to deal with the pain of double NAT plus the complexity of multi-wan where both the wan links are to the same IP address and MAC.

Might be simplest to just throw some devices onto the Hub's wifi and accept that wired devices will have to cope with only 1 gigabit.

If your guest VLAN doesn't need access to your LAN then connecting that to another port on the Virgin Hub is a option.
I have a separate WiFi setup using UniFi AC Pros so don't want to enable the VM router.

I tried the guest LAN via the Linksys router and only traffic through that so it could route correctly but then you end up being able to route back into the internal network via the VM router :( . I don't think the VM supports VLANs so wouldn't necessarily work if just plugged the guest network in directly.
 

ppiixx

New Member
May 8, 2017
9
1
3
41
How is the VM router routing from the guest network to your internal network? You can't even add routes onto it can you?

Are your internal and guest networks sharing a subnet?

If you have something like:

<Internal Network 192.168.2.1/24> <Your Router> (NAT to 192.168.0.2) <--> VM Router port

<Guest Network 192.168.3.1/24> <Your Guest Router> (NAT to 192.168.0.3) <--> VM Router port

Then there is no access between internal and guest.

But you end up with double NAT between both networks and the Internet.

You could work around that a little by placing your internal network router into the Virgin DMZ.
 
Last edited:
  • Like
Reactions: ChuckMountain

ChuckMountain

New Member
Nov 6, 2019
24
1
3
How is the VM router routing from the guest network to your internal network? You can't even add routes onto it can you?

Are your internal and guest networks sharing a subnet?

If you have something like:

<Internal Network 192.168.2.1/24> <Your Router> (NAT to 192.168.0.2) <--> VF Router port

<Guest Network 192.168.3.1/24> <Your Guest Router> (NAT to 192.168.0.3) <--> VF Router port

Then there is no access between internal and guest.

But you end up with double NAT between both networks and the Internet.

You could work around that a little by placing your internal network router into the Virgin DMZ.
By VF Router did you mean the VM Router or the Linksys one?

At the moment I have a default VLAN 1 on a 192.168.0.0/24 subnet and guest on VLAN 10 on a 192.168.10.0/24 subnet which gets guests from an SSID that's a guest network on Unifi. (No additional UniFi guest settings other than tagging as VLAN 10)

The old way (which I have it currently configured as) is if I set it up with my UniFi connected to a tagged switch port on the DLink. The other tagged port goes out to the Linksys which happily routes both out to a WAN connection. DHCP is handled via DHCP relay with my server providing guest IPs for that subnet and that works fine. Routing between guest VLAN 10 and VLAN 1 is disabled on the Linksys and this works ok too.

I haven't tried both directly to the VM as I wasn't sure it would support the VLAN 10 one. I will try but I am not sure it would route it anyway.

If I try going direct to the switch with one VLANs and the other via the internal router then the VM router kindly routes between the two subnets :( I did try restricting the subnet of the WAN but it then took an extra hop via the router to route. Also placed in the DMZ and that seemed to allow access still which was a bit concerning. I didn't try the latter much.
 

ppiixx

New Member
May 8, 2017
9
1
3
41
oops yes VM router not VF router.

I don't understand how the VM router is routing between the two subnets for you. Can you explain the network a little more?

The VM router only knows about a single subnet and doesn't appear to have any way of adding routes to other networks that I can see.

What subnet is configured on the VM router?
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
The VM Router is configured as the default gateway on my VLAN 1 network on 192.168.0.1 (it's own DHCP and WiFi is disabled).

Other than the DMZ setting there is very little you can change on it.

Before the upgrade, I had the Super Hub 3 set up in modem only mode. In that case the modem assigns itself 192.168.100.1 address. It's the same with the SH4.

If I plumb a device directly into the SH4 with a IP address on a different subnet it will not afaik route out to the Internet.

So I need to plumb another router if both VLANs go through it and they are on different subnets then it shouldn't route.

However, if I have guest VLAN 10 192.168.10.0/24 on my Linksys router, and request a 192.168.0.x address, its default Internet gateway is 192.168.0.1 so will route to that the VM SH4. When it gets to the switch element of the SH4 that will route directly to the device in question which is the problem.
 

ppiixx

New Member
May 8, 2017
9
1
3
41
If the guest VLAN is on 192.168.10.0/24 then what is assigning it a address from 192.168.0.0/24?

You don't appear to have any separation between your internal and guest VLANs.

The VM router only knows about 192.168.0.0/24 so any device talking to it would either need to be in that range or NATted into that range.

The VM router doesn't support:
  • Link Aggregation
  • 10Gig or Multigig
  • VLANs or subnets
  • Static routes
So your options are:
  1. Router mode with the VM wifi enabled. (The default they expect you to use)
  2. Modem mode and whatever network config you want but limit of 1 gig.
  3. Router mode with multiple devices plugged into the VM router on a flat network. (Gets you the full speed spread over multiple devices but could be a bottleneck for your lan as you said)
  4. Router mode with multiple routers behind it each plugged into their own port on the VM router and NATting onto the VM router network. (kind of horrible)
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
If the guest VLAN is on 192.168.10.0/24 then what is assigning it a address from 192.168.0.0/24?
The DHCP server is a Windows 2019 server with a scope defined for that subnet 192.168.10.0/24 (as well as the main one 192.168.0.0/24) the Linksys router is permitting DHCP relay to the server from the 192.168.10.0/24

You don't appear to have any separation between your internal and guest VLANs.
Yes I do there are no routes defined in the old provisioning way. Unless you mean something else?

The VM router only knows about 192.168.0.0/24 so any device talking to it would either need to be in that range or NATted into that range.
Yes the Linksys router will be natting the guest into the VM router

The VM router doesn't support:
  • Link Aggregation
  • 10Gig or Multigig
  • VLANs or subnets
  • Static routes
So your options are:
  1. Router mode with the VM wifi enabled. (The default they expect you to use)
  2. Modem mode and whatever network config you want but limit of 1 gig.
  3. Router mode with multiple devices plugged into the VM router on a flat network. (Gets you the full speed spread over multiple devices but could be a bottleneck for your lan as you said)
  4. Router mode with multiple routers behind it each plugged into their own port on the VM router and NATting onto the VM router network. (kind of horrible)
Yes agree, but thinking an option 5 with dual (or more) wans will work. I suspect though I won't be able to route to the VM super hub config pages in this manner. It does appear to work ok with the Linksys in this configuration although it cannot handle the throughput. On the hunt for something that will and doesn't mind the MAC address being the same on each WAN port...
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
How does traffic from a 192.168.0.0/24 address in the guest VLAN reach the internal VLAN?
The guest LAN isn't 192.168.0.0/24 it is 192.68.10.0/24. The only traffic that is allowed is DHCP requests from the guest VLAN to the internal VLAN but even that is relayed from the Linksys to the DHCP server.
 

ppiixx

New Member
May 8, 2017
9
1
3
41
ok, but earlier you said "if I have guest VLAN 10 192.168.10.0/24 on my Linksys router, and request a 192.168.0.x address, its default Internet gateway is 192.168.0.1" so it sounded like your guest VLAN was getting assigned addresses on your internal VLAN.

Back to option 5.

You could probably do something really horrible with virtual machines so that you have:

a Main router with the (10gig?) lan interface
2 or more 'external' virtual routers which have 1gig physical interfaces wired directly to ports on the Virgin router.

Virtual links between the main router and the 'external' routers.

That gets around the duplicate MAC problem.

You still have the double NAT problem. You could DMZ one of the external routers and fiddle with things so machines that need inbound connections always go via that router.

But this is getting pretty damn weird and a machine that could do this and route over a gig isn't going to be cheap :)

How much do you want to spend?
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
ok, but earlier you said "if I have guest VLAN 10 192.168.10.0/24 on my Linksys router, and request a 192.168.0.x address, its default Internet gateway is 192.168.0.1" so it sounded like your guest VLAN was getting assigned addresses on your internal VLAN.
By “its default gateway” I meant the Linksys router wan gateway is 192.168.0.1, not the guest device. In the absence of another defined static route the guest device’s request would end up at the VM router which would know how to route to 192.168.0.0/24

Back to option 5.

You could probably do something really horrible with virtual machines so that you have:

a Main router with the (10gig?) lan interface
2 or more 'external' virtual routers which have 1gig physical interfaces wired directly to ports on the Virgin router.

Virtual links between the main router and the 'external' routers.

That gets around the duplicate MAC problem.

You still have the double NAT problem. You could DMZ one of the external routers and fiddle with things so machines that need inbound connections always go via that router.

But this is getting pretty damn weird and a machine that could do this and route over a gig isn't going to be cheap :)

How much do you want to spend?
I was thinking along a similar line but maybe bundling a pfsense vm and running on my server. Might be easier to do as a proof of concept even if I then need to build out to a dedicated box.

Incidentally the Linksys would allow me to run two connections to the VM SH4 and load balance it.
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
So my latest thoughts are a pfSense custom build or one of the premade boxes but that was approaching the best part of $1,000 for one with a 10gigabit port which I wanted to hook up to my network backbone.

I then saw the Mikrotik RB4011 which has a SFP+ port which at a $199 price point seems to do the trick. However, the vulnerabilities concern me and the amount of time. To work though I would have to it behind the ISP router anyway as it cannot be replaced :(

Anybody got any comments?
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
Ok so anybody that is interested managed to bond 2 connections to the SH4 in a Mikrotik router with a 10Gb port to the rest of my network.



Seems to behave itself ok but still need a little bit more tweaks :)
 

Paramonos

New Member
Mar 9, 2020
4
0
1
ChuckMountain: Just run into this problem myself and stumbled onto your thread. I don't quite understand how you're able to bond 2 LAN's from the SH4 on the Mikrotik router without the SH4 supporting LACP. By bonding, do you mean something like LAGG Load Balance on pfsense? Could you please elaborate?
 

ChuckMountain

New Member
Nov 6, 2019
24
1
3
I am not sure how the SH4 is working behind the scenes because of the limited GUI from it.

What I have found is that you can bond in both regular mode and modem only mode and get the same results as above. However, at the moment modem only mode appears to revert to a single connection (for downloads anyway) after a period of time (24 hours?). I am not sure if the same applies in regular mode or not as haven't had chance to test if yet.

I don't know if the load balanced round robin approach is the same as LAGG Load Balance on pfsense or not.

How are you getting on with it?
 

Paramonos

New Member
Mar 9, 2020
4
0
1
ATM I have a dedicated ASUS RT-AC5300 connected to the SH4 (via 1 Gig Lan) and an ASUS RT-AC88U in media mode connect to the 5300 on the 5GHz, 80MHz band and then the my main PC connected to the AC88U via gig lan. Although the router is telling me that I'm connected to the 5300 at around 1500 mbps on download speeds I'm 'only' managing around 75 MB/s. If I connect directly to the SH4 by lan I getting 95 MB/S (ish) which is the 1 gig lan limit. So now I'm trying to figure out how to get the 1.2 (ish) mbps out of the SH4 and transmit via wifi to the PC. My thinking atm is to get a AX88U with link aggregation WAN and use WiFi 6 back to the PC at around 2300 mbps. If I set this to 160 Mhz and leave have it dedicated back to the PC, it should elimitate to WiFi as the bottleneck. So now I need to figure out how to bond two of the four Lan ports on the SH4 to the WAN link aggregated ports on the AX88U. Without LACP on the SH4 - this is a pain, but I think either i) get a dedicated pfsense system with 4 gig ports and use 2 of the ports using Load Balancing from the SH4 and set the other 2 up as LACP bonded ports to the AX88U or ii) use the Microtek 4011 in a similar way where 2 ports are used back to the SH4 in balance rr (or round robin) mode and send 2 other in link aggregation back to the AX88U.