VPN over WiMAX

We live on a boat which has lots of upside but broadband connectivity isn’t one of them. As it turns out, our marina has WiFi but it is sufficiently unreliable that we needed another solution. I wish there was a Starbucks hotspot across the street – actually there is one within a block but we can’t quite pick up the signal even with an external antenna (Syrens).

WiFi would have been a nice solution but didn’t work so we decided to go with WiMAX. We have used ClearWire for over a year on the boat and, generally, it has worked acceptably well. Not nearly as fast as WiFi but better than 3G cellular. Recently ClearWire changed its name to Clear and “upgraded” the connectivity technology to full WiMAX. Unfortunately, the upgrade substantially reduced the coverage area, has been fairly unstable, and the customer support, although courteous and friendly, is so far away from the engineering team that they basically just can’t make a difference no matter how hard they try.

We decided we had to find a different solution. I use AT&T 3G cellular with tethering and would have been fine with that as a solution. It’s a bit slower than Clear but it’s stable and coverage is very broad. Unfortunately, the “unlimited” plan we got some years ago is in fact limited to 5Gig/month and we move far more data than that. I can’t talk AT&T into offering a solution so, again, we needed something else.

Sprint now has a WiMAX service that offers good performance (although they can be a bit aggressive on throttling) and they have fairly broad coverage in our area and are expanding quickly (Sprint announces seven new WiMAX markets). Sprint has the additional nice feature on some modems where, if WiMAX is unavailable, it transparently falls back to 3G. The 3G service is still limited to 5Gig but, as long as we are on WiMAX a substantial portion of the month, we’re fine.

The remaining challenge was that Virtual Private Networks (VPNs) over WiMAX can be unstable. I really wish my work place supported Exchange RPC over HTTP (one of the coolest Outlook/Exchange features of all time). However, many companies believe that Exchange RPC over HTTP is insecure in that it doesn’t require 2 factor authentication. Ironically, many of these companies allow Blackberries and iPhones to access email without 2 factor auth. I won’t try to explain why one is unsafe and the other is fine but I think it might have something to do with the popularity of iPhones and Blackberries with execs and senior technical folks :-).

In the absence of RPC over HTTP, logging into the work network via VPN is the only answer. My work place uses Aventail but there are a million solutions out there. I’ve used many and love none. There are many reasons why these systems can be unstable, cause blue screens, and otherwise negatively impact the customer experience. But one that has been driving me especially nuts is frequent dropped connections and hangs when using the VPN over WiMAX. It appears to happen more frequently when there is more data in flight but to lose a connection every few minutes is quite common.

It turns out the problem is that the default MTU on most client systems is 1500 bytes but the WiMAX link MTU is often smaller. It should still work, just be super inefficient, but it doesn’t. For more details see http://www.amazon.com/Sierra-Wireless-Overdrive-Mobile-Hotspot/dp/B0032JTPMK.

To check Vista MTUs:

netsh interface ipv4 show subinterfaces

To change the MTU to 1400:

netsh interface ipv4 set subinterface "your vpn interface here" mtu=1400 store=persistent

I’m using an MTU of 1400 with Sprint and it’s working well. Thanks to Kitz.co.uk for the easy MTU update. If you are having flaky VPN support, especially if running over WiMAX, check your MTU.
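As an added example (not part of the original post), here is a Python script that automates the two steps above: it parses the table printed by netsh interface ipv4 show subinterfaces, finds the largest don’t-fragment packet size the link delivers by binary search, and emits the netsh set subinterface command for every interface whose MTU is too large. The netsh output and the interface names in it are a constructed sample, and the probe is simulated offline; a real probe would wrap ping -f -l <size-28> on Windows.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of `netsh interface ipv4 show subinterfaces` output
# (Vista/Win7 column layout). Interface names are made up for the example.
SAMPLE_NETSH = """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0     276922  Loopback Pseudo-Interface 1
  1500                1   53092910   11823443  Wireless Network Connection
  1500                1    2291030    1184501  Aventail VPN Connection
"""

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def parse_subinterfaces(text: str) -> Dict[str, int]:
    """Map interface name -> MTU from netsh's fixed-column table."""
    mtus: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+\d+\s+\d+\s+(.+?)\s*$", line)
        if m:  # header and separator lines do not start with a number
            mtus[m.group(2)] = int(m.group(1))
    return mtus


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest total packet size a don't-fragment probe delivers.
    probe(size) returns True when a DF packet of `size` bytes gets through; on
    Windows that is `ping -f -l {size - IP_ICMP_OVERHEAD} <host>`. Assumes `lo`
    passes (576 is the IPv4 minimum every link must carry) and `hi`+1 fails."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def fix_commands(mtus: Dict[str, int], path_mtu: int, skip=("Loopback",)) -> List[str]:
    """One persistent netsh command per interface whose MTU exceeds the path MTU."""
    cmds = []
    for name, mtu in mtus.items():
        if any(s in name for s in skip) or mtu <= path_mtu:
            continue
        cmds.append(f'netsh interface ipv4 set subinterface "{name}" mtu={path_mtu} store=persistent')
    return cmds


def simulated_probe(true_path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for the ping probe: a link with a fixed path MTU."""
    return lambda size: size <= true_path_mtu


if __name__ == "__main__":
    pmtu = discover_path_mtu(simulated_probe(1400))  # 1400 matches the value that worked on Sprint
    for cmd in fix_commands(parse_subinterfaces(SAMPLE_NETSH), pmtu):
        print(cmd)
```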

–jrh

James Hamilton, Amazon Web Services

1200, 12th Ave. S., Seattle, WA, 98144
W:+1(425)703-9972 | C:+1(206)910-4692 | H:+1(206)201-1859 |
james@amazon.com

H:mvdirona.com | W:mvdirona.com/jrh/work | blog:http://perspectives.mvdirona.com

6 comments on “VPN over WiMAX”
  1. Great hearing from you Sudipta. And, yes, it is the same boat. Some early pictures from the yard are posted here: http://blog.mvdirona.com/2009/07/20/InteriorProgress.aspx and more recent shots are up at: http://blog.mvdirona.com/2010/03/23/ShakedownCruiseNisquallyFlats.aspx.

    Thanks for the kind words on the blog and I’ll see you the next time I’m over at MSR.

    –jrh
    jrh@mvdirona.com

  2. Nick, thanks for all the pointers. I’m sure you are right that Exchange RPC over HTTPS is a poor performing app but avoiding a VPN is worth every byte wasted. I love it.

    Thanks for the pointer to the KB article as well.

    –jrh
    jrh@mvdirona.com

  3. Gorgeous boat, James! Isn’t this the one which was being built in China and you had visited last year and posted some photos of the ship while it was being built?

    By the way, I learn new things from your blog every day. Great stuff!

  4. Nick Fiekowsky says:

    James,

    A handful of points from a network performance obsessive.

    Exchange RPC over HTTP is very convenient but, at least as late as Exchange 2007, an extraordinarily poor-performing network app.

    I don’t use WiMax but your MTU issue sounds like the carriers rely on PPPoE. It may make more sense in this context for access control than it did with DSL in the ’90s.

    Some WAN optimization vendors (Riverbed for one) offer desktop clients that work with their data center appliances. This can squeeze far more throughput from the available bandwidth. Outlook-Exchange traffic accelerates extraordinarily well.

    If you use IE 8 or Firefox, browser tuning in Vista / Windows can make a difference in high-latency configurations such as WiMax. Easy diagnostic test – browse a set of sites with Chrome, then with Firefox. Chrome fully leverages TCP Autotuning, while IE 8 & Firefox do not. If Chrome is faster, then apply the RegEdits in KB947239. Despite mis-labeling it DOES apply to both Windows 7 & Vista.

    Probably don’t have to remind you that x64 versions of the OS, with generous memory – 4 GByte or more – help ensure that TCP & WinSock (AFD) have all the real memory they want for buffers.

    Nick Fiekowsky

  5. Thanks Alan.

    Sprint and Clear may indeed use the same towers. The Sprint modem makes coverage issues less noticeable in that WiMAX coverage area problems are masked by transparently falling back to 3G cellular. Clear has also been battling service outage issues of late.

    –jrh

  6. James:

    A good friend and RF guru had the chance to spec some prototype Wimax Yagis and was stunned at the increase in throughput and reduction in S/N and BER. Quote, "I’ve hardly ever seen a system where the fringe can deliver as well with the right beam focus delivering sufficient carrier recovery".

    I don’t know the vendors he was testing, but he said they are releasing consumer quality directional multielement yagis.

    Aren’t Sprint and Clearwire delivered over the same exact towers and data radio?
