The Telstra Heartbeat
Update (Aug '06): Telstra have announced that the Heartbeat
system will be gradually retired over the next 9-12 months. See
Whirlpool
for more. While many people will still find the information on
this page relevant for the time being, those who are switched
over to the new system will find connecting now to be much the
same as for Optus Cable subscribers. (No username & password
required but Mac address can play a role. See tip
below.)
Note: Some people have reported getting regular dropouts after
being changed over to the new system because they are still running
a login client, so if you previously had a router working happily that
now has a bad case of dropping out, this may be why.
What is this "heartbeat"?
Telstra Cable uses an authentication system, nicknamed
“the heartbeat”, which is similar in concept to a “ping”.
Every five minutes or so, a message is sent to your computer
to see if you're still there.
Several applications, such as firewalls, Win98/ME ICS
and VPNs, block this message, causing
the connection to drop out regularly.
Why does it exist?
Well there are plans to ditch it soon but originally
it was to enable separate usage statistics in a unique and pioneering
system of providing multiple dynamic IPs to a single customer. In
other words, it allowed people to have multiple, independent connections
using the one modem between several computers and maintain independent
usage statistics for each one.
Why does it cause disconnections?
Imagine it as if BigPond check every few minutes
to see if you're still there. If they don't see you, they assume
you're gone so they close the connection.
How does it work?
It's difficult to source accurate information, but from logging
and "packet sniffing" we believe it works similarly to the
following scenario -
Phase1: Authentication. (TCP)
Client calls Heartbeat Server: "Hi, this is user:username
pass:encryptedpassword and if you want to talk
to me use port:portnumber".
Heartbeat Server responds: "G'day username, OK, I will
send heartbeat messages to port:number, please
respond to port:number"
Phase2: Heartbeat (at ~5 minute intervals). (UDP)
Heartbeat Server to client: (UDP) "Hey, you still there?".
Client to Heartbeat Server: (UDP) "Yep, of course I am,
shutup and quit hasslin' me."
How do I find out what the IP address of the heartbeat is?
To discover the IP address of the heartbeat, which
is different for each state, open a command prompt window and type
ping dce-server. This will "resolve"
to the IP address you're looking for.
The Heartbeat also answers to a few different names. For example,
ping sm-server & login-server and you'll see it resolves to
the same address.
Note: You will not get replies to these pings, but that doesn't
matter. They will "resolve" to the IP address and that's
all we need.
Can I manually specify a port for the heartbeat to use?
No. Well, not with Telstra's Launchpad anyway.*
However, there are alternate login clients.
See BPALogin
and OzXCable
(formerly Wincable, and now free!).
Most of us generally use port 5050.
*Update: Telstra have released a
new login client for BigPond Cable users, and this one is
suitable to use in this application. Unlike the old "Amicus
Launchpad", this new one (termed "BigPond Broadband
Cable Login") allows for specification of the port for the
Heartbeat, can run as a Windows NT Service, will auto connect
& reconnect with error logging, and integrates with the Usage
Meter Toolbar. 
How do I stop Windows 98 & ME Internet Connection Sharing dropping out?
Windows 98 Second Edition and Millennium come with built-in Internet
Connection Sharing, which puts some sensible security measures in
place by default. Unfortunately, the security measures block the
port that the Heartbeat uses. This
patch will cure it. Apply it and reboot and your pain will be
gone.
How do I play on-line games with my Macintosh on BigPond Cable?
You've probably discovered that something's chewing up the processor
so much that it's impossible to play on-line games. This too is
related to the Heartbeat and the way the Launchpad Login client
"listens" for it.
Thankfully, local genius Adrian Bourke has written an alternate
Login client that gets around this difficulty. Requires at least
OS 9. See BPALogin
for Macs and Jamie
Curmi's Launch for Mac OSX.
Another solution is to purchase a Router
with a built-in login client.
How do I configure my firewall so that I stop getting kicked off?
You need to tell your firewall that the Heartbeat
is "friendly" and to trust it. As a general rule of thumb,
use the above method to determine the IP address
of the Heartbeat and add it to your Firewall's configuration as
a trusted address. No specifying of ports is necessary with this
method. Opening ports is like unlocking doors for anyone to use,
whereas specifying just the Heartbeat's IP address is giving only
it authority to come in.
Examples -
And so, you get the idea for the others...
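To make the difference between trusting the Heartbeat's address and opening a port concrete, here is an added example (not from the original page or from any firewall product) that runs a few constructed inbound packets through three rule styles. The server address is a documentation-range placeholder, and the third rule set, which requires both the address and UDP port 5050, goes one step beyond the page's advice.

```python
# Added example: an inbound filter comparing three ways to admit the Heartbeat.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Placeholder from a documentation range; substitute the address that
# "ping dce-server" resolves to in your state.
HEARTBEAT_SERVER = "192.0.2.10"
HEARTBEAT_PORT = 5050  # the port most people set in the login client


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str = "any"            # "udp", "tcp" or "any"
    src: str = "0.0.0.0/0"        # source network this rule admits
    dport: Optional[int] = None   # None means any destination port

    def matches(self, proto: str, src: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and self.dport in (None, dport))


def decide(rules, proto, src, dport):
    """Allow if any rule matches; everything else is blocked by default."""
    return "allow" if any(r.matches(proto, src, dport) for r in rules) else "block"


RULESETS = {
    # The page's advice: trust the Heartbeat server's address, no ports named.
    "trusted_ip": [Rule("heartbeat", src=HEARTBEAT_SERVER + "/32")],
    # Opening the port instead: any sender may reach UDP 5050.
    "open_port": [Rule("heartbeat", proto="udp", dport=HEARTBEAT_PORT)],
    # Both conditions at once (beyond the page): that sender, that port only.
    "ip_and_port": [Rule("heartbeat", proto="udp",
                         src=HEARTBEAT_SERVER + "/32", dport=HEARTBEAT_PORT)],
}

# Constructed inbound packets: label -> (protocol, source, destination port)
PACKETS = {
    "heartbeat poll": ("udp", HEARTBEAT_SERVER, 5050),
    "other host, heartbeat port": ("udp", "198.51.100.77", 5050),
    "other host, file sharing": ("tcp", "198.51.100.77", 139),
    "heartbeat server, file sharing": ("tcp", HEARTBEAT_SERVER, 139),
}


def compare():
    """Return {packet label: {ruleset name: decision}} for every combination."""
    return {label: {name: decide(rules, *pkt) for name, rules in RULESETS.items()}
            for label, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:32s}", verdicts)
```

A rule keyed on the source address narrows who can get in, but UDP source addresses are not authenticated, so it should sit on top of a default-block policy rather than replace one.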
An example of how to set a firewall rule for the Heartbeat.
For a quick example of how to set up a firewall with a Heartbeat
rule, we'll choose Sygate Personal Firewall as one of the best
choices amongst the plethora of available products. And besides,
it's free. (The Pro one isn't. Choose the Home version further
down the page.)
Once you've downloaded and installed it, you'll need to reboot.
On reboot, you'll get a few warnings about certain programs
trying to access the net.
If you know what these are, tick the box to "remember
this" and click "yes". If you're unsure what it
is, don't tick the remember box and click "no". You
can always change your mind about it later by right-clicking the
task bar icon and selecting "applications".
A basic list of applications should look like this 
To allow the heartbeat, double click the task bar icon, select
tools and advanced rules.
Select "add" and on the general tab name it heartbeat
and tick the "allow" box 
On the "hosts" tab select IP address and put in your
state's dce-server IP address
(See the ping command above)
In the end it should look like this 
Finally, go back to the main window and select tools and options.
Select the Network Neighbourhood tab and make sure both boxes
for Network Neighbourhood settings are NOT ticked for the
adaptor that accesses the Internet.
They will both need to be ticked for your internal adaptor.
As a final test to make sure you've got it right, go to Sygate's
Security Scan section and do as many tests as you like. They
should all show "blocked" or at least "closed".
To make sure you've got the heartbeat right, go to The
Basement and run the live stream for at least 20mins or so.
It shouldn't drop out (unless their site is swamped, which it is
sometimes). Alternatively shoutcast
has live audio feeds.
How do I configure Windows XP's built-in firewall?
Windows XP has a built-in firewall which will exhibit
five minute drop outs due to the Telstra Heartbeat. The firewall
can be disabled, but as with other Firewalls, all that is needed
is to "allow" the heartbeat. Thanks to Andrew Trevitt,
this is how it's done.
Get rid of the Telstra Launchpad* and download BPALogin from
sourceforge
When installing, choose the "Standard Program"**
and enter your username & password.
Set the port to 5050
Now, go to your Control Panel
Choose "Network and Dial-Up Connections"
Right-click and select Properties of the Adaptor plugged
into the modem.
Go to the Advanced Tab. 
Tick the box that says "Protect my Computer..."
Click the Settings button.
Click "Add"
In description put "Heartbeat".
Type in the network name of your PC. (Right-click "MyComputer"
and select "Properties" and "Computer Name"
if you don't know what it is.)
External port 5050.
Internal port 5050.
Set as UDP.
*Update: Telstra have released a
new login client for BigPond Cable users, and this one is
also suitable to use in this application. Unlike the old "Amicus
Launchpad", this new one (termed "BigPond Broadband
Cable Login") allows for specification of the port for the
Heartbeat, can run as a Windows NT Service, will auto connect
& reconnect with error logging, and integrates with the Usage
Meter Toolbar. 
**To run BPALogin as a Service, follow the instructions on the
Windows 2000 Guide.
How do I stop my VPN from dropping out?
Here are four methods to get around the Heartbeat
with a VPN (in order of my preference) -
Option 1. Don't run the login client on the same PC as
the VPN client.
This can be achieved by running one of the various connection
sharing methods mentioned elsewhere on this site or by purchasing
a router with a built-in login client for BigPond Cable.
Option 2. Download RouteAdd and run it prior
to connecting to the VPN. This will adjust the routing table
to allow the Heartbeat to pass through.
Be sure to select the correct Ethernet Adaptor if you have
more than one installed.
RouteAdd will not permanently change your PC's routing table and
will have to be re-executed each time the PC is rebooted and you
wish to use the VPN. To set the route permanently, see Option
3 below.
Note: RouteAdd was originally authored with a huge VB
Runtime installer which doesn't appear to be needed. I tried
it on all Windows versions from ME - XP and it worked flawlessly
without it so I haven't included it with this download.
If you can't get RouteAdd to run, I can email the installer
to you. (It is about 1.2 MB.) However, if the program runs ok
without any errors but doesn't cure your dropout problem then
something else is causing the problem. Some proprietary VPN
clients just aren't compatible with the Heartbeat no matter
what you do and the best option for these is to install a Router
which includes a built-in login client for Telstra cable and
support for pass-through of a VPN client.
Bryn Davies sent me the following applescript which should
achieve the same thing as RouteAdd for Macintosh OSX users -
on run
    set SERVER to "dce-server"
    (* Get the IP of DCE-SERVER *)
    set dceIP to do shell script "host " & SERVER & " | tail -1 | cut -d' ' -f4"
    (* Get the Gateway *)
    set dceGW to do shell script "route get " & dceIP & " | grep gateway: | cut -d':' -f2 | cut -c2-"
    (* Formulate and execute the Route *)
    set routeCommand to "route -n add -host " & dceIP & " " & dceGW & " 255.255.255.255"
    display dialog "About to execute route command: " & routeCommand
    (* A little white lie, we also execute a route deletion first. *)
    do shell script "sh -c " & quoted form of ("route -n delete -host " & dceIP & ";" & routeCommand) with administrator privileges
end run
Option 3: Set a permanent route.
Warning!
I'm highly concerned about adding this info and strongly recommend
that you consult a professional if it seems like gobbledygook.
Get this wrong and nothing will work anymore! (It is
fixable though.)
Ok, you've been warned. Now this is how it's done -
ping dce-server while connected
to cable but not your VPN, as above.
Write down the IP address that it "resolves"
to. e.g. 61.9.xxx.xx
Use the ROUTE command to establish a permanent route to
the dce-server. Open a command prompt and type -
route -p add xx.x.xxx.xx mask 255.255.255.255 yyy.yy.yyy.y
x = The heartbeat IP
as above (that you wrote down)
y = The gateway IP of your Internet
Connection. Win98/ME - .
Windows 2000 - .
To check it's entered, open a command prompt window and type
route print and you should
see your entry at the bottom, underneath the table, called "persistent
routes".
If you do stuff it up or it doesn't work, you will need
to type route -f in a command prompt
window to get rid of it again and then release and renew your
IP, or reboot your PC.
Note: Windows 98 will lose this permanent route on reboot.
To get around it, copy the text below and paste into notepad, remembering
to change the x & y values as above, and then save it as
"heartbeat.bat" and store it in your startup folder.
@echo off
route -p add xx.xxx.xxxx.xx mask 255.255.255.255 yyy.yy.yyy.y
exit
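Both the AppleScript for Option 2 and the manual steps in Option 3 place a looked-up address into a route command that runs with administrator rights. As an added example (not from the original page, RouteAdd or Bryn Davies' script), the Python below accepts the looked-up value only if it parses as an IPv4 address and returns the command as an argument list rather than a shell string. The resolver functions and all addresses are constructed stand-ins, and nothing is executed.

```python
# Added example: build the Heartbeat host route from validated addresses only.
import ipaddress
import socket

HEARTBEAT_NAME = "dce-server"  # the name used on this page


def resolve_ipv4(name, resolver=socket.gethostbyname):
    """Resolve `name`; return the answer only if it is a literal IPv4 address."""
    answer = resolver(name)
    # IPv4Address raises ValueError for anything that is not four dotted
    # decimal octets, so stray text never reaches a command line.
    return str(ipaddress.IPv4Address(answer.strip()))


def host_route(heartbeat_ip, gateway_ip):
    """Return argument lists for a single-host route to the Heartbeat server."""
    hb = ipaddress.IPv4Address(heartbeat_ip)
    gw = ipaddress.IPv4Address(gateway_ip)
    for label, addr in (("heartbeat", hb), ("gateway", gw)):
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            raise ValueError(f"{label} address {addr} cannot be used in a route")
    if hb == gw:
        raise ValueError("heartbeat and gateway addresses must differ")
    return {
        # Same shape as the Option 3 command on this page.
        "windows": ["route", "-p", "add", str(hb),
                    "mask", "255.255.255.255", str(gw)],
        # Same shape as the command the AppleScript builds.
        "macos": ["route", "-n", "add", "-host", str(hb), str(gw),
                  "255.255.255.255"],
    }


def plan(resolver, gateway_ip):
    """Resolve the Heartbeat name and return the commands, or the reason not to."""
    try:
        return host_route(resolve_ipv4(HEARTBEAT_NAME, resolver), gateway_ip)
    except ValueError as exc:
        return {"error": str(exc)}


# Constructed resolver answers (documentation addresses, not Telstra's).
def good_resolver(name):
    return "192.0.2.10"


def bad_resolver(name):
    return "192.0.2.10; echo injected"


GATEWAY = "198.51.100.1"  # constructed gateway address

if __name__ == "__main__":
    print(plan(good_resolver, GATEWAY))
    print(plan(bad_resolver, GATEWAY))
```

Passing one of the returned lists to subprocess.run() without shell=True keeps each address a single argument, so the route tool never sees anything but the validated values.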
Option 4: For the Windows 2000 VPN client, uncheck
the option "use default gateway" in the advanced area of the
properties.
Go to Control Panel and select Network & Dial Up Connections
Right-click and select Properties of the VPN connection.
Select the Networking tab
Click TCP/IP and Properties
Click the Advanced button
Select the General tab
Note:
It is highly advisable to run a decent firewall in these
circumstances, and consult your System Administrator about your
actions.
Update: Chris reports that his Nortel VPN client dropping
out behind his Linksys Router was fixed
by disabling the "Keep Alive" option in the Nortel
VPN configuration (not on the Router).
What rules do I need for a Router?
There are three objectives necessary to both connect
to Bigpond Cable and then maintain the connection -
1. A valid (WAN) IP address must be obtained
from Telstra's Servers
2. A valid login to Telstra must be achieved
3. The Login client must respond to the Heartbeat
Below are general details of how to achieve this
for Routers both with and without built-in Login clients for Telstra's
Heartbeat.
For a Router with a Built-in Login Client
First, there are several brands on the market that already
have a built-in login client for Bigpond Cable. Your best option
is to source one of these, as any price difference from other
brands is negligible and it is a more elegant way to go. Watch
out for some overseas and lesser known brands and models that
mention having a "Heartbeat" login, as these may still
not be compatible. Some ISPs in other countries also have a
Heartbeat authentication system (eg Roadrunner, Toshiba) but
Telstra's is totally unique and these other Heartbeat logins
won't work. I recommend sticking with the brands and models
mentioned in my reviews as having
a built-in login for Telstra cable as these have a proven history
and I'll make mention if there are reports of instability or
any other problems.
Be aware that with all Routers (even the ones with proven
ability), at least one person in ten will have difficulties
achieving the initial connection. This happens with all brands
and models in all locations around Australia regardless. Actual
dud products are fairly rare. It's just a Telstra thing and
it's only a temporary problem that can be worked around.
1. First, before unplugging anything
in order to connect your new Router, download the latest Firmware
version even if it's a Beta*.
2. Then, logout of Bigpond. If you don't do this,
the previous login gets stuck open at BigPond's end and can take
15 - 30 mins before it'll allow the Router to login. Also, make
sure the software login client is disabled from running at
Startup (or even better, uninstalled) and it is never used
again as long as you're using the Router's built-in client.
Running a software client at the same time as the Router's built-in
client will cause regular dropouts and drive you nuts! Also check
that no other PCs on the Network have login clients installed.
3. Follow the Router manual to configure your PCs and login
to the browser Interface to configure the Router.
4. Choose the Telstra Cable/Heartbeat connection type and
enter your BigPond username & password.
5. If it allows you to specify a "login server"
address, use the applicable one for your state at http://ozcableguy.com/dns.asp#bpadns
6. Save the settings and wait. It won't always connect
straight away for everyone and may need to wait on stuff to reorganise
at BigPond's end. This will usually happen within an hour, but
can take up to 24 in some (extremely rare) circumstances.
7. To monitor what's happening, open a Command Prompt Window
by clicking Start > Run > Type "Command" > Click "OK" >
Type "ping 144.135.18.10 -t" > press enter.
If it's not connected you'll get replies saying "Request Timed Out".
If the Router is off-line or rebooting you'll get replies saying
"Destination unreachable".
When it has connected you'll get replies saying "Reply
from 144.135.18.10: bytes=32 time=22ms TTL=248" or something
like that.
Hit Control-C to stop the pings.
If it hasn't connected straight away, go away,
do something else and check back on it every 15 mins or so to
see if you're getting replies. If you're still getting nothing after
an hour, double check your username & password, update the Router
to that latest version you downloaded before you plugged it in and
try again for another hour. If it hasn't connected within 24 hours,
it's not going to, so your next option is to set it up using the
instructions for Routers without login clients below. Some people
think that running a software client defeats the purpose of having
a Router but I disagree. The Router still provides all the Security
& Internet Connection Sharing features, and using BPALogin with
a Port Map is the way we used to do it before anyone thought about
creating a built-in login client for a Router on BigPond. It is
a tried & tested method that in some situations has proven to
be a more reliable way to go.
Manufacturer guides:
D-Link have a walk-through here.
For Draytek go here.
For Netgear products go here.
(PDF)
Tip: In a lot of cases,
it may help things along to "spoof" the Mac
address of the old Network Card that was connecting to Telstra
beforehand. (Note: This technique also works on Optus Cable if you're
having trouble connecting.)
To find this Mac address, see http://ozcableguy.com/glossary.asp#mac
Write it down and then find a section in the Router that allows
you to specify a Mac address for the WAN port and copy it there.
(Note: Some Routers allow various fiddling with Mac addresses on
LAN ports and this is not what we're looking for here. It must be
referred to as WAN or Internet and not LAN or Local.)
Warning:
If you do decide to spoof the Mac address of a previous router or
network card, one thing you don't want to happen is for the old
router or network card to end up plugged into the same ISP at the
same time. So if you decide to sell or give away the old one, make
sure you get the new router working on its default Mac address first
(it will usually connect by itself with the default Mac address
if you just plug it in and leave it for a while per above).
For a Router without a Built-in Login Client
Below are the short and long versions of how to set
up a Router without a built-in Login client for Telstra Cable
in order to achieve these objectives.
The Short Version -
1. Download BPALogin
from Sourceforge and set the port to 5050.
2. Install it on a PC with a static IP e.g. 192.168.0.100
3. Set appropriate gateways and DNS search orders to the
Router's IP e.g. 192.168.0.1
4. Configure the Router to obtain an IP from a DHCP Server
5. Create a port map in the Router's configuration on port
5050 back to the PC running BPALogin (e.g. 192.168.0.100)
The Long Version -
Update: Telstra have released a
new login client for BigPond Cable users, and this one is
also suitable to use in this application. Unlike the old "Amicus
Launchpad", this new one (termed "BigPond Broadband
Cable Login") allows for specification of the port for the
Heartbeat, can run as a Windows NT Service, will auto connect
& reconnect with error logging, and integrates with the Usage
Meter Toolbar. 
2. Log off from Telstra before
you pull any leads out
3. Plug the Cable modem into the Router
and the Router into your PC (or wireless)
4. Configure your PC per the Router's
manual and then log into it through Internet Explorer using its
IP address (as should be mentioned in the manual along with its
default username & password) and set it to use an automatic
(DHCP) ISP connection type without a username and password. This
may be referred to as a Cable modem or Dynamic IP connection type
and various other terms that essentially mean the same thing.
(PPPoE/A etc and Static IP type connections will not work.)
5. The Router should have a Status section
somewhere. Find it and see if it has a valid WAN (Internet) IP
address.
A "valid" IP address should be one within the ranges
mentioned at http://ozcableguy.com/dns.asp#bpaip
If it shows 0.0.0.0 or blank or 169.x.x.x, go away for 15-30 mins
and check again.
If it's still the same we may have to "spoof" the mac
address of the old Network Card that was connecting to Telstra
beforehand.
To find this Mac address, see http://ozcableguy.com/glossary.asp#mac
Write it down and then find a section in the Router that allows
you to specify a Mac address for the WAN port and copy it there.
(Note: Some Routers allow various fiddling with Mac addresses
on LAN ports and this is not what we're looking for here. It must
be referred to as WAN or Internet and not LAN or Local.)
If your Router doesn't allow you to specify a Mac address on the
WAN port, just leave it plugged in for a day or so and it should
be right after Telstra's Routers have a chance to reset and accept
the new device. You can try calling the Helpdesk to request a
manual reset to speed this process up but be prepared in case
you get someone who doesn't know (and/or doesn't want to know)
what you're talking about.
6. Check the Router's WAN Status again.
If still no valid IP address, try turning the Cable modem off
for a minute or so, then back on, reboot the Router and check
again.
7. Hopefully by now you have a valid IP
address, so try to connect with BPALogin.
If it won't connect (See http://ozcableguy.com/cable.asp#171
for its status symbols), see the spoofing section in point 5 above.
Otherwise just leave it go for a few hours and come back and check
again every 30mins or so. (It's amazing how many times I've seen
things start to work properly all by themselves if left alone
for a while)
If you get errors in your login client log files
about not being able to find the login server or similar (using
Telstra's login client these will usually be represented as "2033E
The authentication host or the network is unavailable."),
add "XXX.bigpond.net.au" as a domain suffix (where XXX is your
state - nsw, vic, qld, sa, wa etc) to the TCP/IP settings on your
PC.
8. Next, to prevent regular time-outs by
the Heartbeat, we need to create a rule to allow the Heartbeat
to pass through the Router's Firewall. These rules are usually
termed "Port Forwarding" or "Virtual Servers".
9. First we need to assign a Static IP
address to the PC running BPALogin. Determine the DHCP
Range assigned by the Router. (This will be mentioned somewhere
in the Router's manual or configuration settings.) We need to
set an IP address outside that range but inside the same subnet
range.
For example, the Router's IP address may be 192.168.0.1
and its DHCP Range may be 192.168.0.2 - 192.168.0.50.
The whole IP Address range goes from x.x.x.1 to x.x.x.255.
So in this case we would choose an IP address of say 192.168.0.100
which is outside the Router's DHCP range, but still in the same
IP range.
To do this, open the TCP/IP properties of your Network Card in
Control Panel > Networking and choose "Specify an IP address".
Windows will fill in the Subnet for you in most cases.
The Gateway address is the Router's IP address. eg 192.168.0.1
Fill in the DNS addresses and DNS suffix per http://ozcableguy.com/dns.asp#bpadns
Leave all other settings as Windows set them by default.
Note: An alternate option to this is to tell the Router
to always give a certain Mac address (on the LAN) the same IP
address, but not all Routers have this option.
10. Log back into the Router now and go
to the Forwarding or Virtual Server section to create the Firewall
Rule.
Call it Heartbeat,
Incoming Port 5050,
Outgoing Port 5050,
Protocol UDP (if you have the option),
IP address per point 9 (eg 192.168.0.100) and you should be laughing.
Note: If your Router uses the "Virtual Server" method,
the principle is the same but the terminology is different. Create
a new or custom Virtual Server, call it Heartbeat on UDP Port
5050. Then add this new Virtual Server to the IP address per point
9.
An alternate method (if it's not convenient to
always use the same PC for BPALogin) is to install BPALogin on
each PC but set it to a different port on each PC and then
create a Virtual Server rule for each PC.
Eg PC1 192.168.0.100 might use port 5050 in BPALogin, so this
rule would be added to the Router. -
Heartbeat - Inside Port 5050 - Outside Port 5050 - IP Address
192.168.0.100
PC2 192.168.0.101 would have BPALogin using another port like
5060 and have another rule in Router -
Heartbeat2 - Inside Port 5060 - Outside Port 5060 - IP address
192.168.0.101
And so on.
This method isn't as reliable because as each subsequent PC connects
and logs onto Telstra, the Heartbeat will then start responding
on the new port and time out on the first. This won't cause a
dropout but it will fill the BPALogin logs up with error messages.
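Points 9 and 10 and the one-port-per-PC alternative all depend on the same bookkeeping: each PC's static address must sit inside the Router's subnet but outside its DHCP range, and no two rules may share a port. As an added example (not from the original page or from BPALogin), this Python check applies those conditions to the page's own sample addresses; the /24 subnet mask and the deliberately wrong plan are assumptions made for the illustration.

```python
# Added example: check a Heartbeat port-forwarding plan before entering it
# in the Router.
from ipaddress import IPv4Address, IPv4Network


def check_forwards(lan, router_ip, dhcp_first, dhcp_last, forwards):
    """Return a list of problems; an empty list means the plan is consistent.

    forwards is a list of (rule name, PC address, UDP port) tuples.
    """
    net = IPv4Network(lan)
    router = IPv4Address(router_ip)
    pool_lo, pool_hi = IPv4Address(dhcp_first), IPv4Address(dhcp_last)
    problems, used_ports = [], {}

    for name, pc_ip, port in forwards:
        ip = IPv4Address(pc_ip)
        if ip not in net:
            problems.append(f"{name}: {ip} is outside the router's subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is reserved in {net}")
        elif ip == router:
            problems.append(f"{name}: {ip} is the router's own address")
        elif pool_lo <= ip <= pool_hi:
            # A DHCP lease could hand this address to another machine, and
            # the forwarded Heartbeat would then go to the wrong PC.
            problems.append(
                f"{name}: {ip} is inside the DHCP range {pool_lo}-{pool_hi}")

        if not 1 <= port <= 65535:
            problems.append(f"{name}: {port} is not a valid port")
        elif port in used_ports:
            problems.append(
                f"{name}: UDP port {port} is already forwarded by {used_ports[port]}")
        used_ports.setdefault(port, name)
    return problems


# The page's sample values; the /24 mask is an assumption.
LAN = "192.168.0.0/24"
ROUTER = "192.168.0.1"
DHCP_RANGE = ("192.168.0.2", "192.168.0.50")

GOOD_PLAN = [("Heartbeat", "192.168.0.100", 5050),
             ("Heartbeat2", "192.168.0.101", 5060)]

# Constructed mistakes: an address from the DHCP range, a reused port,
# and a PC on a different subnet.
BAD_PLAN = [("Heartbeat", "192.168.0.20", 5050),
            ("Heartbeat2", "192.168.0.101", 5050),
            ("Heartbeat3", "192.168.1.100", 5070)]

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        issues = check_forwards(LAN, ROUTER, *DHCP_RANGE, plan)
        print("OK" if not issues else "\n".join(issues))
```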
I have done more specific examples for Linksys
Routers here, SMC Routers here and D-Link
DI804s here.
"Big Red" added more detail specific to Billion 6404VP
& 6404VGP routers in
this Whirlpool
forum post.
Note: BPALogin can alternatively be installed as a service
on Win2K, NT and XP.
For instructions on this go here.
Installing it as a Service allows the connection to run in the background
while the PC is in standby.
Be aware that there is no visible indication that it is running
when installed like this apart from via the task manager or Administrative
Tools in the Control Panel. Errors are logged to the Windows Event
Viewer.
The Telstra supplied Launchpad login client is unsuitable
in this circumstance as it doesn't allow us to specify a port
number for the Heartbeat, but if you're stuck with using it, there
is usually a "default" or "DMZ" port mapping on most routers which
lets you forward all ports that have not been specifically mapped.
It's a security risk to the station on the default IP, and you
should really run a software firewall on that box if you're going
to use it. Far better to use a router with a built-in login client
or a client that lets you specify the local port.
See the hardware
page to find out more about Routers.