OTish: Best free network manager- replace ClearOS? Maybe pfSense?


leen...@yahoo.co.uk

Sep 26, 2021, 4:12:47 AM
Hi All,

I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on its own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.

I am getting FTTP installed next week so thought I would take the opportunity to re-look at the network setup whilst I am at it. My version of ClearOS requires a full rebuild to upgrade anyway so thought I would look at what the best is these days.

After a bit of Googling, pfSense seems to be the most popular but was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install so maybe these days the routers are good enough and should scrap the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/ physical separation (maybe a security expert might say this makes no real difference?).

Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?

Thanks again

Lee.

The Natural Philosopher

Sep 26, 2021, 6:05:57 AM
On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
> Hi All,
>
> I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on its own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.

>
> Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?

Certainly not this one.


Possibly one with 'networking' in its name

But why not simply get a router that manages all that?

--
Renewable energy: Expensive solutions that don't work to a problem that
doesn't exist instituted by self legalising protection rackets that
don't protect, masquerading as public servants who don't serve the public.

Theo

Sep 26, 2021, 6:51:12 AM
uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a
crosspost...

I suppose the real question is: what do you want your 'network manager' to
do?

Any router will handle DHCP, DNS, NAT. How do you handle wifi - is that a
separate AP/mesh setup? Do you have requirements on top of what a consumer
router would provide?

IMX a good reason for a DIY router is because the one you have can't handle
the internet bandwidth, which is more common with cable and FTTP setups.
The issue tends to be that the router CPU is too poor to handle routing
tasks like lots of connections being made at once.

https://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/
gives some of the motivation behind using a mini PC for this which has
'PC' class hardware rather than the single-core 400MHz MIPS you got in
consumer routers. Jim Salter has a number of 'DIY router' articles on Ars
that benchmark his DIY build over consumer alternatives, which are worth
reading.

Your old PC is almost certainly going to take a lot more power than one of
those, so your running costs will be a lot higher than even a mini PC
solution. On the other hand, internet bandwidth has been rising slower than
router performance - these days routers can be more like a cheap smartphone
- eg quad 1.5GHz ARM cores which is a lot more horsepower than the single
400MHz MIPS. So the window in which using a 'PC' rather than a 'router'
makes sense seems to be closing.

On the other hand, if you want full control a proper OS is attractive,
especially if your ISP or a Netgear/etc router is too restrictive. A middle
ground would be to look at OpenWRT or dd-wrt or some of the other router
distros - you get to run these on a traditional low power router platform (a
reflashed Netgear or TP-Link or even an old ISP router if it has suitable
specs, although you can run them on PCs too) while giving you more control.

A suggestion: a cheap and simple entry point to this world is the BT Homehub
5 reflashed with OpenWRT. These can be bought preconfigured for about £20
on ebay (search 'homehub 5 openwrt'). The wifi on these is mediocre
(although good for its time) but otherwise it's a solid OpenWRT router, if
not the newest. That gives you a chance to play with OpenWRT on such a
platform, and if you don't like it you've only wasted £20. You'd probably
burn that in a few months of powering your old PC router.

Theo

leen...@yahoo.co.uk

Sep 26, 2021, 7:29:00 AM
Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks, which seems more secure to me than a pure software firewall if I went down the router route. ClearOS also gives a lot better logging/ metrics than my routers - unsure what OpenWRT provides.

My house is all wired with cat6 so either have the end devices connected via Ethernet or via a series of other wifi routers dotted around the house to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?

thanks

Lee.

Pancho

Sep 26, 2021, 8:17:15 AM
On 26/09/2021 11:51, Theo wrote:
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network. I have my broadband router on its own subnet on one
>> NIC of my ClearOS PC and then the internal network on a separate subnet on
>> the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory
>> virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it. My version
>> of ClearOS requires a full rebuild to upgrade anyway so thought I would
>> look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or indeed any
>> alternative suggestions? I don't know what router I am getting with the
>> install so maybe these days the routers are good enough and should scrap
>> the external network manager - although I do like the idea of the internal
>> and external networks being on separate subnets with a hardware/ physical
>> separation (maybe a security expert might say this makes no real
>> difference?).
>>
>> Also, any suggestions on good newsgroups I should post to instead who
>> focus on these sorts of things?
>
> uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a
> crosspost...
>

pfSense is OK. I've been using it for many years. If you have a PC with
a dual NIC you can test it in a Virtual Machine.

People say OpenWRT is good. I would try it, but I have a working pfSense
set up and it is too much effort to change. i.e. pfSense doesn't annoy
me enough for the effort of a change.

leen...@yahoo.co.uk

Sep 26, 2021, 8:24:03 AM
Thanks Pancho - I was in a similar position with ClearOS in that it works fine and didn't have a reason to change it until now:). Do you use pfSense in a similar way to my use of ClearOS? Re: OpenWRT I thought that was only to replace the OS on the routers themselves as opposed to act as a separate network manager?

Thanks

Lee.

John Rumm

Sep 26, 2021, 9:03:58 AM
On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
> Hi All,
>
> I have been using ClearOS on an old PC for many years to manage my
> internal network. I have my broadband router on it's own subnet on
> one NIC of my ClearOS PC and then the internal network on a separate
> subnet on the other NIC. ClearOS then manages all the network, DHCP,
> DNS, in theory virus scan/ malware protection etc. etc.
>
> I am getting FTTP installed next week so thought I would take the
> opportunity to re-look at the network setup whilst I am at it. My
> version of ClearOS requires a full rebuild to upgrade anyway so
> thought I would look at what the best is these days.
>
> After a bit of Googling, pfSense seems to be the most popular but was
> wondering if anyone here had any views on pfSense vs ClearOS or
> indeed any alternative suggestions?

Not with respect to ClearOS vs pfSense, but I would normally go for a
business class COTS router rather than running a whole PC just as a
router for even a fairly sophisticated home network. The difference in
cost of electricity alone will be significant.

> I don't know what router I am
> getting with the install

Depends a bit on what you ordered, and who is supplying the FTTP.
However in most cases the feature set will usually be fairly basic.

> so maybe these days the routers are good
> enough and should scrap the external network manager - although I do
> like the idea of the internal and external networks being on separate
> subnets with a hardware/ physical separation (maybe a security expert
> might say this makes no real difference?).

Typically if running IPv4, then the router will be running NAT and a
firewall anyway. The two "sides" of it are on separate networks.
Disabling access to any configuration and management from the WAN side
is also a good idea in most cases.

Ultimately much depends on what facilities you need. For example do you
need external VPN access to your home network? The ability to run
multiple subnets internally? VLAN support? Failover to a backup WAN
connection? Load balancing? etc.

Also how much are you prepared to spend? (routers etc are more pricey at
the moment than usual due to the current semiconductor shortages and
other constraints). So things that were £200 last year are £300+ this year!


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Pancho

Sep 26, 2021, 9:40:46 AM
I don't really understand what you meant by broadband router on its own
subnet. I don't understand what a network manager is.

My pfSense has the WAN interface on its own NIC and a LAN interface on
another NIC. I have a LAN subnet, 192.168.0.xxx. But the WAN is just the
IP my ISP gives me

pfSense routes between the two, and a few VPN tunnels. That is the
separation of the WAN and LAN. You will always need something to route
between the two networks, WAN/LAN. I have always thought of two NICs as
hardware separation; it means everything has to go through pfSense.



leen...@yahoo.co.uk

Sep 26, 2021, 10:43:29 AM
I have my ISP supplied router on my "outward facing" subnet 192.168.A.xxx with the router itself set to a fixed IP address on that subnet and DHCP and Wifi switched off. The only thing that is connected to the ISP router is my ClearOS PC on NIC 1 - this NIC has a fixed IP address on the same 192.168.A.xxx subnet. The other NIC has a fixed IP address on the "internal" subnet (192.168.B.xxx). Everything in the house is then on this "internal" subnet (192.168.B.xxx) including the various wifi routers (fixed IP addresses, DHCP turned off, pointing to ClearOS for DNS etc.). The ClearOS PC then provides all the network services - DHCP, DNS, some level of virus/ malware protection etc.

So essentially a device on my internal network has the following route to the internet...

device -> local Wifi router -> house switch -> ClearOS all of this on 192.168.B.xxx
and then....

ClearOS -> ISP Router -> internet all this on 192.168.A.xxx

If by "But the WAN is just the IP address my ISP gives me" you mean that the NIC gets its IP address from your ISP router (assuming it has DHCP switched on) as opposed to your internet-facing IP address, then I think the macro-level setup is the same, just that I have further restricted access.

Thanks

Lee.

Theo

Sep 26, 2021, 11:56:58 AM
leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> Thanks both. The main appeal for me with the PC route is that there is
> hardware separation between my internal and external networks which seems
> more secure to me than a pure software firewall if I went down the router
> space. ClearOS also gives a lot better logging/ metrics than my routers -
> unsure what OpenWRT provides.

I'm not sure what you mean about a 'pure software firewall'. The PC with
two NICs is using software to route from one NIC to the other. It doesn't
have a hardware firewall.

A typical wifi router has a single NIC but its five ports (4xLAN, 1xWAN)
are all connected to a VLAN-enabled switch. The OS sets up the VLAN tags on
the ports to be, for example, 1-4=VLAN #1, 5=VLAN #2, and designates VLAN#1
as LAN and VLAN#2 as WAN.

Then it sees a packet coming in on VLAN#2 and decides whether or not to
route it to VLAN#1. Depending on the SoC there may be a bit of NAT
acceleration in there, but it's mostly all software, just like the dual-NIC
case.

As far as the OS is concerned it has two network ports, which are enforced
by the VLAN tagging in the switch (ie hardware). An attacker coming in on
VLAN#2 can't forge the VLAN tag to make their traffic look like it came from
VLAN#1, because the tags are all internal and not sent over the wire.
So unless the OS sets up the VLANs in a broken way (in which case it
wouldn't work) it's effectively two NICs.

With a replacement router OS you can control the port<->VLAN mappings, so
you can decide to have 5 different isolated networks if you want. To do
that on a PC would require a 5 port NIC or an external VLAN tagged switch.

OpenWRT has some packages for logging etc. They aren't installed by default
(due to having to fit on routers with small amounts of flash) - I haven't
tried them.

> My house is all wired with cat6 so either have the end devices connected
> via Ethernet or via a series of other wifi routers dotted around the house
> to give coverage. For these routers, whilst I was at it, I was thinking
> about whether it is worth flashing these with OpenWRT (if the routers are
> supported)?

It could be worth a go. I have a HH5a as the main router, and a Ubiquiti AP
for wifi, both flashed with OpenWRT. Both have a port configured to export
VLAN-tagged traffic (ie not strip the VLAN tags inside the switch), and I
have multiple wifi networks configured, one for each VLAN. That means I
have an 'IoT junk never going near the internet' wifi network which routes
back to the firewall config on the main OpenWRT router. It's a bit more
fiddly setting this up than if it was integrated into the main router, but
then I can place the AP in a better location.

Theo
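The switch-partitioning described in the post above, as an added example (not code from the thread, and not OpenWRT's own switch driver): a small Python model of the 5-port switch inside a consumer router, with front-panel ports assigned to VLANs and a CPU port that carries every VLAN tagged. Port names, VLAN numbers and the "cpu" port are assumptions for illustration. The second builder goes beyond the text's 4+1 split and shows the same hardware mapped as five isolated networks, which is what a replacement router OS lets you do.

```python
# Added example, not code from the thread: a model of the VLAN-partitioned
# switch inside a typical 5-port consumer router.  Port names, VLAN numbers
# and the "cpu" port are assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    pvid: Optional[int]      # VLAN given to untagged frames arriving on this port
    tagged: frozenset        # VLANs this port carries with an 802.1Q tag on the wire
    untagged: frozenset      # VLANs this port carries untagged


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, ingress, wire_vid):
        """Decide which VLAN a frame belongs to on ingress.

        A tag on the wire is honoured only if the ingress port is a *tagged*
        member of that VLAN (here, only the CPU port).  On a front-panel port
        the sender's tag is not trusted: the frame is dropped (ingress
        filtering) rather than placed into the VLAN it claims.  Untagged
        frames take the port's PVID.  Real switch chips differ in whether
        they drop or strip such a tag; either way the tag is not honoured.
        """
        port = self.ports[ingress]
        if wire_vid is not None:
            return wire_vid if wire_vid in port.tagged else None
        return port.pvid

    def egress_ports(self, ingress, wire_vid=None):
        """Ports a frame arriving on `ingress` may be delivered to.

        MAC learning is omitted, so the frame floods to every other member
        of its VLAN; an empty list means the switch discarded it.
        """
        vid = self.classify(ingress, wire_vid)
        if vid is None:
            return []
        return sorted(
            name for name, port in self.ports.items()
            if name != ingress and (vid in port.tagged or vid in port.untagged)
        )


def consumer_router_switch():
    """Ports 1-4 = VLAN 1 (LAN), port 5 = VLAN 2 (WAN); the CPU port sees both
    VLANs tagged, so the OS sees two logical interfaces (e.g. eth0.1/eth0.2)."""
    lan = [Port(f"lan{i}", 1, frozenset(), frozenset({1})) for i in range(1, 5)]
    wan = Port("wan", 2, frozenset(), frozenset({2}))
    cpu = Port("cpu", None, frozenset({1, 2}), frozenset())
    return Switch(lan + [wan, cpu])


def five_isolated_networks_switch():
    """Same hardware, different port<->VLAN map: every front-panel port gets
    its own VLAN and the CPU port carries all five, so the OS sees five
    isolated interfaces."""
    names = ["lan1", "lan2", "lan3", "lan4", "wan"]
    ports = [Port(n, i + 1, frozenset(), frozenset({i + 1})) for i, n in enumerate(names)]
    ports.append(Port("cpu", None, frozenset(range(1, 6)), frozenset()))
    return Switch(ports)


if __name__ == "__main__":
    sw = consumer_router_switch()
    print("untagged frame from WAN port ->", sw.egress_ports("wan"))       # ['cpu']
    print("WAN frame forging VLAN 1 tag ->", sw.egress_ports("wan", 1))    # []
    print("untagged frame from lan1    ->", sw.egress_ports("lan1"))       # ['cpu', 'lan2', 'lan3', 'lan4']
    print("OS sends on eth0.2 (WAN)    ->", sw.egress_ports("cpu", 2))     # ['wan']
    print("five-way split, from lan1   ->", five_isolated_networks_switch().egress_ports("lan1"))  # ['cpu']
```

The point the model makes is the one in the post: a frame arriving on the WAN port only ever reaches the CPU, and a forged 802.1Q tag on that port is not honoured, so as far as the OS is concerned the WAN and LAN really are separate interfaces.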

SH

Sep 26, 2021, 2:30:43 PM
On 26/09/2021 14:03, John Rumm wrote:
> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network.  I have my broadband router on its own subnet on
>> one NIC of my ClearOS PC and then the internal network on a separate
>> subnet on the other NIC.  ClearOS then manages all the network, DHCP,
>> DNS, in theory virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it.  My
>> version of ClearOS requires a full rebuild to upgrade anyway so
>> thought I would look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or
>> indeed any alternative suggestions?
>
> Not with respect to ClearOS vs pfSense, but I would normally go for a
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.


+1

Have a look at Edgemax or Ubiquiti

e.g:

https://www.4gon.co.uk/ubiquiti-edgemax-edgerouter-x-erx-p-6433.html

or

https://www.4gon.co.uk/ubiquiti-unifi-security-gateway-router-usg-p-6271.html




>> I don't know what router I am
>> getting with the install
>
> Depends a bit on what you ordered, and who is supplying the FTTP.
> However in most cases the feature set will usually be fairly basic.

Some routers will allow direct connection to the ONT allowing you to
throw away the ISP supplied router. However, you will need to get the
vlan number, username and PWD from the ISP to put into your router.


>> so maybe these days the routers are good
>> enough and should scrap the external network manager - although I do
>> like the idea of the internal and external networks being on separate
>> subnets with a hardware/ physical separation (maybe a security expert
>> might say this makes no real difference?).
>
> Typically if running IPv4, then the router will be running NAT and a
> firewall anyway. The two "sides" of it are on separate networks.
> Disabling access to any configuration and management from the WAN side
> is also a good idea in most cases.

+1

> Ultimately much depends on what facilities you need. For example do you
> need external VPN access to your home network? The ability to run
> multiple subnets internally? VLAN support? Failover to a backup WAN
> connection? Load balancing? etc.

I have WireGuard running here for all mobiles connecting back home via
public wifi.

I also have a Pi-hole to filter out the unwanted trackers and ads.

I also have a Ubiquiti network manager for the Ubiquiti access points I
use for Wi-Fi.


> Also how much are you prepared to spend? (routers etc are more pricey at
> the moment than usual due to the current semiconductor shortages and
> other constraints). So things that were £200 last year are £300+ this year!

+1

The Ubiquiti and Edgemax have not risen much in price.

Another brand to look at is Meraki.


John Rumm

Sep 26, 2021, 2:37:41 PM
On 26/09/2021 19:30, SH wrote:
> On 26/09/2021 14:03, John Rumm wrote:
>> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>>> Hi All,
>>>
>>> I have been using ClearOS on an old PC for many years to manage my
>>> internal network.  I have my broadband router on its own subnet on
>>> one NIC of my ClearOS PC and then the internal network on a separate
>>> subnet on the other NIC.  ClearOS then manages all the network, DHCP,
>>> DNS, in theory virus scan/ malware protection etc. etc.
>>>
>>> I am getting FTTP installed next week so thought I would take the
>>> opportunity to re-look at the network setup whilst I am at it.  My
>>> version of ClearOS requires a full rebuild to upgrade anyway so
>>> thought I would look at what the best is these days.
>>>
>>> After a bit of Googling, pfSense seems to be the most popular but was
>>> wondering if anyone here had any views on pfSense vs ClearOS or
>>> indeed any alternative suggestions?
>>
>> Not with respect to ClearOS vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>
>
> +1
>
> Have a look at Edgemax or Ubiquiti

Yup, they make decent enough kit (Ubiquiti especially). I tend to go for
Draytek, but mostly because I have loads of it already installed.

Pancho

Sep 26, 2021, 5:53:32 PM
On 26/09/2021 14:03, John Rumm wrote:

>
> Not with respect to ClearOS vs pfSense, but I would normally go for a
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.
>

Why pay for a business class router? Even 10 years ago the open source
router firmware (e.g. Tomato) was very good, with all the features of
"business class" routers. Install it on a cheap router and you have
something to compete with a business router for a fraction the price.

I only run pfSense, because 6 or 7 years ago, I couldn't get a standard
router (arm based) to drive OpenVPN tunnels at 100+ Mb/s.

The PC I run pfSense on is only 6 watts, Intel Celeron based.

John Rumm

Sep 26, 2021, 9:20:18 PM
On 26/09/2021 22:53, Pancho wrote:
> On 26/09/2021 14:03, John Rumm wrote:
>
>>
>> Not with respect to ClearOS vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>>
>
> Why pay for a business class router?

In my case because I want something that will work "out of the box", and
I can swap out in a hurry if required.

Also most SOHO routers lack things like VPN encryption acceleration
hardware, and I need lots of LAN to LAN nailed up VPNs.

> Even 10 years ago the open source
> router firmware (e.g. Tomato) was very good, with all the features of
> "business class" routers. Install it on a cheap router and you have
> something to compete with a business router for a fraction the price.

I am supplying business customers, and they appreciate that the cost of
the router is not really significant in the grand scheme of things
(especially when they will typically spend the same on a couple of
months of dual redundant broadband service as they will for the router)

> I only run pfSense, because 6 or 7 years ago, I couldn't get a standard
> router (arm based) to drive OpenVPN tunnels at 100+ Mb/s.
>
> The PC I run pfSense on is only 6 watts, Intel Celeron based.

Yup there are some low power PCs about, but typically they are things
that you need to spec and buy specifically for the task - they are not
usually the cast off desktop that no one in the office wants because it
takes 90 seconds to load Excel! So that does add to the cost of using
one as a router.

leen...@yahoo.co.uk

Sep 28, 2021, 2:40:23 AM
Thanks Theo. The router arrived yesterday; it is a "Vodafone" THG3000. I had a quick scoot through the menus and couldn't see a way to set up VLANs on different ports. I take your points re: the router may be the same conceptually as my setup in that it is all controlled by software. I may have misunderstood how these things work, but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the VLAN thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xx) then I was assuming ClearOS will stop that, but maybe it just routes it?

leen...@yahoo.co.uk

Sep 28, 2021, 2:55:05 AM
Now I have the FTTP router, and it wasn't what I was expecting. I assumed it would be equivalent to an ADSL router where you connect the ADSL on one side and the LAN connects to the other. So I assumed the fibre would connect to it somewhere and it would expose Ethernet ports for the LAN. With this one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be for an ADSL connection and a different one labelled "WAN" which seems to be like an Ethernet port but connects to whatever Openreach installs (which I assume converts the optical fibre to Ethernet?). So I wonder now whether, in my setup, in theory I need to even have the new router?

Having said that, the router has a couple of phone ports which it says will enable me to connect my normal phones to it and it will "convert" them to the VoIP line Vodafone are providing. So irrespective of the above, I will need the phone bit, but it does maybe raise the question as to whether I could/ should put the new router after the ClearOS box, i.e. Openreach thing -> ClearOS NIC 1 -> ClearOS NIC 2 -> New Router -> internal switch.

As you can probably tell, I don't know how this whole FTTP stuff works under the covers and suspect I am still missing something in my network knowledge :)

Thanks in advance for your help.

Lee.

P.S. still not sure how to get my replies to appear on the other NG this was cross posted to so will cut and paste it :)

Theo

Sep 28, 2021, 4:55:30 AM
leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> would be equivalent to an ADSL router where you connect the ADSL one side
> and the LAN connects to the other. So I assumed the fibre would connect
> to it somewhere and it would expose Ethernet ports for the LAN. With this
> one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> for an ADSL connection and a different one labelled "WAN" which seems to
> be like an Ethernet port but connects to whatever OpenReach installs
> (which I assume converts the optical fibre to Ethernet?). So wonder now
> whether in my setup in theory whether I need to even have the new router?

Let's unpick this a bit.

Vodafone offer two products:
FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes
- it comes in via your normal telephone line. That's what the 'INTERNET'
port is for.

FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box
with the fibre going in and an ethernet port to attach to your router.
That goes into the WAN port on your router.

It is likely you'll be doing the second. But what comes over the ethernet
port is the 'WAN' - you don't have a firewall and you get a single IPv4
address. You could plug in a single PC but it would be unprotected from
attackers.

> Having said that, the router has a couple of phone ports which it says
> will enable me to connect my normal phones to it and it will "convert"
> then to the Voip line Vodafone are providing. So irrespective of the
> above, I will need the phone bit but does maybe ask the question as to
> whether I could/ should put the new router after the ClearOS box. i.e.
> OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router ->
> internal switch.

If you need the phone bit you either:
a) use their router
or
b) extract the SIP credentials out of them to use with your own VOIP
adapter.

Good luck with b). People have tried that with BT and got nowhere.
That means if you want to use their VOIP service you have to use their
router. If you want to use your own router I'd recommend porting your phone
number to a third party VOIP provider so you're free of this lockin.

You can put your own router *after* the Vodafone box but then you'll have
double NAT. Which is bad, but I've been running it for a while (out of
laziness) and it's been fine as long as you don't want to run outward-facing
services. However you'd only do this if you wanted something their
router didn't offer.

In answer to your other post, internet and local traffic aren't mixed on
interfaces. Your local traffic might be 192.168.0.x, which is assigned to
the router's 'LAN' interface. Your public IP might be assigned by your ISP
to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
assigned to your 'WAN' interface. The interfaces aren't connected, ie if
the internet tried to send a packet to 192.168.0.x it would come in on your
WAN port but there would be no means for it to reach your LAN port and so it
would get thrown away. It is not a 'party line' arrangement where anyone
apart from the router can pick up internet traffic: it all has to be relayed
through the router, which is subject to your firewall rules.

> P.S. still not sure how to get my replies to appear on the other NG this
> was cross posted to so will cut and paste it :)

Sigh, Google Groups :(

Theo

Pancho

Sep 28, 2021, 5:36:34 AM
On 28/09/2021 07:40, leen...@yahoo.co.uk wrote:

> Thanks Theo. The router arrived yesterday it is a "Vodafone" THG3000 I had a quick scoot through the menus and couldn't see a way to set up vlans on different ports. I take your points re: Router may be the same conceptually as my setup in that it is all controlled by software. I may have misunderstood how these things work but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the vlan thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xx) then I was assuming ClearOS will stop that but maybe it just routes it?
>

The problem with VLANs is that all the switches in your LAN need to be
able to handle them. I can't think of many home LAN questions where VLAN
is the answer.


Pancho

Sep 28, 2021, 5:43:13 AM
On 28/09/2021 09:55, Theo wrote:
> If you want to use your own router I'd recommend porting your phone
> number to a third party VOIP provider so you're free of this lockin.
>

+1. Port landline phone number to third party VOIP provider. I've
happily used Sipgate basic for many years. A wireless DECT VOIP base
station costs about £50. I was happy to get £90 off the cost of
broadband when they introduced SOGEA, i.e. dropped telephone line rental
from my broadband landline charge.

When Openreach fitted FTTP at a friend's house they asked if she needed
a phone; I think they were offering to keep the existing copper phone
line. I very clearly said she didn't want the telephone. They seemed
keen on providing it. I didn't look to see what they actually did.

> You can put your own router *after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.

I think in general it is safer to have one WAN/LAN firewall and
understand what the rules mean.

John Rumm

Sep 28, 2021, 6:35:20 AM
On 28/09/2021 07:40, leen...@yahoo.co.uk wrote:
It's worth noting that multiple subnets and VLANs are not the same thing,
although can share some characteristics. Some routers support multiple
subnets but not necessarily VLANs. So having things split onto different
subnets makes it more difficult for someone on a PC to reach other bits
of the network, but not impossible - since you can have multiple IP
addresses attached to one NIC and it can be on more than one subnet at a
time, or you can issue an explicit routing instruction to allow it to
access another subnet. VLANs give a much more robust segregation, that
can't be routed around in the same way.

> In my setup I have the usual router firewall and the
> ClearOS firewall to breach. Having said that, if someone got into my
> external subnet (i.e. 192.168.A.xxx - the one with just my router and
> the ClearOS NIC) and tried to get to devices on my internal subnet
> (192.168.B.xx) then I was assuming ClearOS will stop that but maybe
> it just routes it?

It would not know how to route something originating from "outside" to
"inside" unless you have setup a default routing instruction, or created
port forwarding rules.
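The forwarding behaviour John and Theo describe above (a packet arriving on the outside interface is not routed inward unless a rule says so, while replies to connections the inside opened are), as an added example. This is a toy Python model written for this thread, not ClearOS or pfSense code, and the two subnets and hosts are assumed placeholders for the 192.168.A.x and 192.168.B.x networks in Lee's setup. NAT is left out: a real firewall rewrites the source of outbound packets and matches replies on the translated tuple, which does not change the verdicts shown.

```python
# Added example, not code from the thread or from ClearOS/pfSense: a toy model
# of the default forwarding decision of a two-interface NAT firewall.  Subnets
# and hosts below are assumed placeholders for the thread's 192.168.A.x
# (outside) and 192.168.B.x (inside) networks.
import ipaddress
from dataclasses import dataclass

OUTSIDE_NET = ipaddress.ip_network("192.168.10.0/24")  # "192.168.A.x": ISP router + NIC 1
INSIDE_NET = ipaddress.ip_network("192.168.20.0/24")   # "192.168.B.x": the house LAN
FIREWALL_OUTSIDE_IP = "192.168.10.2"                   # assumed address of NIC 1


@dataclass(frozen=True)
class Packet:
    iface: str    # interface it arrived on: "outside" (NIC 1) or "inside" (NIC 2)
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, port_forwards=None):
        # Explicit exceptions to the default deny, keyed by outside-facing port.
        self.port_forwards = dict(port_forwards or {})
        # Connections opened from the inside, as (src, sport, dst, dport).
        # Real NAT rewrites the source to FIREWALL_OUTSIDE_IP and matches the
        # reply on the translated tuple; that translation is omitted here.
        self.conntrack = set()

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface == "inside":
            if src not in INSIDE_NET:
                return "drop"        # anti-spoofing: inside NIC only accepts inside sources
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"         # inside -> outside is allowed by default
        # arrived on the outside NIC
        if src in INSIDE_NET:
            return "drop"            # an inside address arriving from outside is spoofed
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "forward"         # reply to a connection the inside opened
        if pkt.dst == FIREWALL_OUTSIDE_IP and pkt.dport in self.port_forwards:
            return "dnat:" + self.port_forwards[pkt.dport]   # deliberately published service
        return "drop"                # default: new traffic from outside is not routed in


def scenarios():
    """Constructed sample traffic; 203.0.113.5 is a documentation address."""
    fw = Firewall(port_forwards={443: "192.168.20.10"})
    return {
        # someone on the outside subnet probing SSH on an inside host
        "outside host -> inside ssh":
            fw.decide(Packet("outside", "192.168.10.77", 40000, "192.168.20.10", 22)),
        # an inside host browsing the internet
        "inside host -> internet https":
            fw.decide(Packet("inside", "192.168.20.10", 50000, "203.0.113.5", 443)),
        # the reply to that connection coming back in
        "reply to that connection":
            fw.decide(Packet("outside", "203.0.113.5", 443, "192.168.20.10", 50000)),
        # a new connection to a service you chose to publish
        "new connection to forwarded 443":
            fw.decide(Packet("outside", "203.0.113.5", 51000, FIREWALL_OUTSIDE_IP, 443)),
        # an outside packet claiming an inside source address
        "spoofed inside source":
            fw.decide(Packet("outside", "192.168.20.5", 40000, "192.168.20.10", 22)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:34s} -> {verdict}")
```

The first scenario is Lee's question: a host that has got onto the 192.168.A.x side and aims at a 192.168.B.x address is dropped, because nothing in the table says a fresh outside-to-inside connection may be forwarded. Only the explicit port forward and replies to inside-initiated connections get through.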

John Rumm

Sep 28, 2021, 7:01:08 AM
Your typical broadband router is really a bunch of things in the same
box - a modem, a router, and a network switch.

> So I assumed
> the fibre would connect to it somewhere and it would expose Ethernet
> ports for the LAN.

Some can be like that, but it's more common to have the "modem" bit (i.e.
Optical Network Terminal (ONT)) as a separate box, that presents its
main interface on ethernet. That expects you to establish a connection to
the ISP using PPPoE (Point to Point Protocol over Ethernet).

> With this one (Vodafone THG3000) it has a port
> labelled "INTERNET" which seems to be for an ADSL connection and a
> different one labelled "WAN" which seems to be like an Ethernet port
> but connects to whatever OpenReach installs (which I assume converts
> the optical fibre to Ethernet?). So wonder now whether in my setup
> in theory whether I need to even have the new router?

Many (most probably) customers will use the supplied router and find
the user experience much the same as that on ADSL/FTTC etc. (except
faster and more reliable).

> Having said that, the router has a couple of phone ports which it
> says will enable me to connect my normal phones to it and it will
> "convert" then to the Voip line Vodafone are providing. So
> irrespective of the above, I will need the phone bit but does maybe
> ask the question as to whether I could/ should put the new router
> after the ClearOS box. i.e. OpenReach thing -> ClearOS Nic 1 ->
> Clear OS Nic 2 -> New Router -> internal switch.

You may have difficulty getting that setup depending on how flexible the
new router is when it comes to configuring how its WAN interface works.

The ethernet on the ONT is probably presenting a PPPoE connection. So
the router that connects to it needs to be configured to feed your login
credentials for the ISP to that to start the connection. Once that is
done, you basically have what is in effect a very fast single "dial up"
style connection to the internet.

To make that useful for a network you then need a router (with all the
usual firewall, and NAT capabilities).

So if you want to slip another router in between the ONT and the
supplied router, you will need to either configure it to fit the
expectations of the other bits of kit, or alter the configuration of the
other bits of kit to allow for it being there.

What facilities of the clearOS box do you actually need/use that are not
provided by the supplied router?

> As you can probably tell, I don't know how this whole FTTP stuff
> works under the covers and suspect I am still missing something in my
> network knowledge :)

It's not dissimilar from the way cable modem (DOCSIS) setups are usually
configured.

> P.S. still not sure how to get my replies to appear on the other NG
> this was cross posted to so will cut and paste it :)

With a decent newsreader:

http://wiki.diyfaq.org.uk/index.php/Newsgroup_access_tips

The Natural Philosopher

unread,
Sep 28, 2021, 9:40:10 AMSep 28
to
On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
> whether I could/ should put the new router after the ClearOS box.
> i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> -> internal switch.

No. The new router will expect to be the primary gateway and will need
to pick up its IP address using DHCP from the ISP.

Now you might be able to replace it with something home brewed, but don't
expect any support from the ISP if you do.

What you need to do is create a network on your side of the supplied
router and then use that as a sort of no man's land, and put your home
brew router between that and the machines you are serving.

So OpenReach thing -> New Router -> ClearOS Nic 1 -> Clear OS Nic 2 ->
internal switch.

That will give you a vanilla interface that the ISP expects and can
support, and allow you to do what you like behind the ClearOS.


--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."

The Natural Philosopher

unread,
Sep 28, 2021, 9:41:30 AMSep 28
to
On 28/09/2021 09:55, Theo wrote:
> You can put your own router *after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.

No need to run NAT on the second router.

Let the main one take care of all that.

--
“People believe certain stories because everyone important tells them,
and people tell those stories because everyone important believes them.
Indeed, when a conventional wisdom is at its fullest strength, one’s
agreement with that conventional wisdom becomes almost a litmus test of
one’s suitability to be taken seriously.”

Paul Krugman

The Natural Philosopher

unread,
Sep 28, 2021, 10:03:05 AMSep 28
to
On 28/09/2021 09:55, Theo wrote:
> In answer to your other post, internet and local traffic aren't mixed on
> interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> the router's 'LAN' interface. Your public IP might be assigned by your ISP
> to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> the internet tried to send a packet to 192.168.0.x

It would simply *never arrive* as there are no public routes for private
networks.

> it would come in on your
> WAN port but there would be no means for it to reach your LAN port and so it
> would get thrown away.

If it did come in, but it can't.

> It is not a 'party line' arrangement where anyone
> apart from the router can pick up internet traffic: it all has to be relayed
> through the router, which is subject to your firewall rules.

And it all has to be routed through the public internet, which only
knows one public address of your router - the '22.33.44.55' in your
example.

The way to set this up is to have the immediate local side of the router
at 192.168.0.x and e.g. set a default route on that router to tell it
that the way to 192.168.100.x is via the ClearOS NIC1, i.e. 192.168.0.10
for example.

ClearOS doesn't need NAT - it is simply routing between 192.168.0.0 and
e.g. 192.168.1.0 networks.

Provided the main router recognises that source addresses on the
192.168.1.0 network are something it can reach via the NIC interface
192.168.0.10 on the ClearOS, it will happily set up proxy NAT ports for
them.

That is, any number of machines on different networks can be NATTED by
the main router as long as it knows that they exist on valid networks
connected directly or indirectly to its LAN interface.

You merely need to set up STATIC routes in it, pointing to the NIC IP
address of whatever router connects the main router to that network.

All the subsidiary router needs to do is DHCP, since that doesn't
propagate across networks. It uses Ethernet broadcast, not IP as such.
And it also needs to ROUTE via the router LAN address, so port
forwarding needs to be on and a static default route pointing to the main
router needs to be set up.

So on the main router:

Disable DHCP server.
Retain DHCP client for WAN IP address from ISP.
Enable NAT.
Add static route to private network via ClearOS machine.

On ClearOS machine:

set up static addresses to the 192.168.0.0 network and 192.168.1.0 network
set up static default route to the Router LAN address
set up DHCP server to deal with the 192.168.1.0 network. use the ClearOS
192.186.1.x interface as the default route to be handed out via DHCP
set up DNS to be whatever - ISP's DNS server, maybe the router LAN
address, or even the ClearOS box itself if it's running a DNS server
enable port forwarding so it can route, if this is not on by default
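
The static-route step above is the one people most often miss, so here is a small longest-prefix-match model of the two routing tables it describes. This is an added example, not code from the thread or from ClearOS: the addresses follow the posts (192.168.0.0/24 between the main router and ClearOS NIC 1 at 192.168.0.10, 192.168.1.0/24 behind NIC 2), while the ISP next hop 22.33.32.1 and the interface names "lan", "wan", "nic1" and "nic2" are assumptions made for the example.

```python
import ipaddress

# Added example: a toy forwarding table with longest-prefix match, used to
# show why the main router needs a static route for 192.168.1.0/24 pointing
# at ClearOS NIC 1. Interface names and the ISP next hop are constructed.


def lookup(table, dst):
    """Return (network, via, dev) for the most specific route containing dst,
    or None. This is longest-prefix match, as a kernel forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


# Main (ISP) router: 192.168.0.0/24 on its LAN side, default route to the ISP.
MAIN_NO_STATIC = [
    ("192.168.0.0/24", None, "lan"),        # directly connected
    ("0.0.0.0/0", "22.33.32.1", "wan"),     # default route (assumed ISP gateway)
]
# The same router after "Add static route to private network via ClearOS".
MAIN_WITH_STATIC = MAIN_NO_STATIC + [
    ("192.168.1.0/24", "192.168.0.10", "lan"),  # via ClearOS NIC 1
]
# ClearOS: NIC 1 on 192.168.0.0/24, NIC 2 on 192.168.1.0/24, default to the
# main router's LAN address (192.168.0.1 assumed).
CLEAROS = [
    ("192.168.0.0/24", None, "nic1"),
    ("192.168.1.0/24", None, "nic2"),
    ("0.0.0.0/0", "192.168.0.1", "nic1"),
]
# Which router owns each next-hop address inside the house.
ADDR_TO_ROUTER = {"192.168.0.10": "clearos", "192.168.0.1": "main"}


def trace(routers, start, dst, max_hops=8):
    """Forward a packet addressed to dst, starting at router `start`.
    Returns a list of (router, dev) hops followed by a final verdict string."""
    hops = []
    here = start
    for _ in range(max_hops):
        match = lookup(routers[here], dst)
        if match is None:
            return hops + ["no route"]
        _, via, dev = match
        hops.append((here, dev))
        if via is None:
            return hops + ["delivered on %s" % dev]   # directly connected
        if via in ADDR_TO_ROUTER:
            here = ADDR_TO_ROUTER[via]                 # hand to the next router
        else:
            return hops + ["sent to WAN next hop %s" % via]
    return hops + ["loop"]


def reply_path(main_table, dst="192.168.1.20"):
    """Path of a reply packet arriving at the main router for an inside host
    (after the main router has undone its NAT translation)."""
    return trace({"main": main_table, "clearos": CLEAROS}, "main", dst)


def outbound_path(dst="8.8.8.8"):
    """Path of a packet leaving a host behind ClearOS NIC 2."""
    return trace({"main": MAIN_WITH_STATIC, "clearos": CLEAROS}, "clearos", dst)


if __name__ == "__main__":
    print("without static route:", reply_path(MAIN_NO_STATIC))
    print("with static route:   ", reply_path(MAIN_WITH_STATIC))
    print("outbound:            ", outbound_path())
```

Without the static route the reply for 192.168.1.20 matches only the default route and is pushed back out of the WAN interface, where, as noted above, a private destination has nowhere to go; with it, the reply is handed to ClearOS and delivered on NIC 2. The alternative that avoids the static route is letting ClearOS NAT its own clients to 192.168.0.10, which is the double-NAT arrangement discussed earlier in the thread.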

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 2:19:56 AMSep 29
to
On Tuesday, 28 September 2021 at 09:55:30 UTC+1, Theo wrote:
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> > Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> > would be equivalent to an ADSL router where you connect the ADSL one side
> > and the LAN connects to the other. So I assumed the fibre would connect
> > to it somewhere and it would expose Ethernet ports for the LAN. With this
> > one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> > for an ADSL connection and a different one labelled "WAN" which seems to
> > be like an Ethernet port but connects to whatever OpenReach installs
> > (which I assume converts the optical fibre to Ethernet?). So wonder now
> > whether in my setup in theory whether I need to even have the new router?
> Let's unpick this a bit.
>
> Vodafone offer two products:
> FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes
> - it comes in via your normal telephone line. That's what the 'INTERNET'
> port is for.
>
> FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box
> with the fibre going in and an ethernet port to attach to your router.
> That goes into the WAN port on your router.
>

Yes it is FTTP via OR

> It is likely you'll be doing the second. But what comes over the ethernet
> port is the 'WAN' - you don't have a firewall and you get a single IPv4
> address. You could plug in a single PC but it would be unprotected from
> attackers.

So my thinking (largely more to understand how it works) was that if I connect ClearOS Nic 1 directly to this ONT Ethernet port and set it to use DHCP would that NIC then get an Internet IP address from the ISP (e.g. your 22.33.44.xx). ClearOS would then act as the router with the NIC 2 then connected to my 192.168.0.xxx, acting as the internal DHCP server etc. In this setup I wouldn't need the ISP's router - except for the VoIP stuff of course.

> > Having said that, the router has a couple of phone ports which it says
> > will enable me to connect my normal phones to it and it will "convert"
> > then to the Voip line Vodafone are providing. So irrespective of the
> > above, I will need the phone bit but does maybe ask the question as to
> > whether I could/ should put the new router after the ClearOS box. i.e.
> > OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router ->
> > internal switch.
> If you need the phone bit you either:
> a) use their router
> or
> b) extract the SIP credentials out of them to use with a your own VOIP
> adapter.
>
> Good luck with b). People have tried that with BT and got nowhere.
> That means if you want to use their VOIP service you have to use their
> router. If you want to use your own router I'd recommend porting your phone
> number to a third party VOIP provider so you're free of this lockin.
>

I don't really use the landline other than my alarm system. I was told that since the ISP router permits a normal phone to be connected to the router and "converted to VoIP" this may still work.

> You can put your own router *after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.

This is the setup I currently have. Not sure how NAT works in my setup. I assume ClearOS just leaves this to the ISP router when in Bridge mode but not sure TBH nor how to find out.

>
> In answer to your other post, internet and local traffic aren't mixed on
> interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> the router's 'LAN' interface. Your public IP might be assigned by your ISP
> to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> the internet tried to send a packet to 192.168.0.x it would come in on your
> WAN port but there would be no means for it to reach your LAN port and so it
> would get thrown away. It is not a 'party line' arrangement where anyone
> apart from the router can pick up internet traffic: it all has to be relayed
> through the router, which is subject to your firewall rules.

Yes understand that bit. My "logic" was more about if the router/ its firewall was compromised then it would allow hackers in but my ClearOS setup with dual NIC had a hardware barrier (because of the dual NIC) stopping it. I think from the various comments above, my logic was not correct as the router has a "dual NIC" anyway (WAN and LAN) and the ClearOS software is akin to the Router software so in essence the 2 setups are the same. It then just boils down to how sophisticated the software is for my needs.

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 2:28:53 AMSep 29
to
<snip>

>
> The ethernet on the ONT is probably presenting a PPPOE connection. So
> the router that connects to it needs to be configured to feed you login
> credentials for the ISP to that to start the connection. Once that is
> done, you basically have what is in effect a very fast single "dial up"
> style connection to the internet.

Mmmm if it does log in like the ADSL one does then I guess that probably scuppers my theory about not needing the ISP router and using ClearOS instead as not sure it supports that.

>
> To make that useful for a network you then need a router (with all the
> usual firewall, and NAT capabilities).
>
> So if you want to slip another router in between the ONT and the
> supplied router, you will need to either configure it to fit the
> expectations of the other bits of kit, or alter the configuration of the
> other bits of kit to allow for it being there.
>
> What facilities of the clearOS box do you actually need/use that are not
> provided by the supplied router?

That is the million dollar question :) All I use at the moment is really DHCP and DNS. I tie devices to static IP addresses and also give them sensible names (e.g. LoungeTV) etc. In the current setup, the backup running takes a huge chunk of my small upload speed and tends to impact other devices so in theory being able to limit that would be good but.... I never did it and the new FTTP would be ample I suspect so maybe not needed.

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 2:32:49 AMSep 29
to
On Tuesday, 28 September 2021 at 14:40:10 UTC+1, The Natural Philosopher wrote:
> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
> > whether I could/ should put the new router after the ClearOS box.
> > i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> > -> internal switch.
> No. The new router will expect to be the primary gateway and will need
> to pick up its IP address using DHCP from the ISP.
>
> Now you might be able to replace it with something home brewed, but dont
> expect any support from the ISP if you do.

Fair point but assume that would be the case if I used any router other than the one they provided? When I get support from EE (current provider) they are able to "log in" to my router to get info etc.
>
> What you need to do is create a network on your side of the supplied
> router and then use that as a sort of no mans land, and put your home
> brew router between that and the machines you are serving
>
> so OpenReach thing ->New Router -> ClearOS Nic 1 -> Clear OS Nic 2-->
> internal switch.

Yes this is exactly my current setup (not sure how the potential double NAT situation works in this setup though as per comments above). In my mind I need the router currently to do all the ADSL stuff but if the ONT exposed an Ethernet interface was thinking maybe I don't *need* it hence my questions above.

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 3:02:22 AMSep 29
to
On Tuesday, 28 September 2021 at 15:03:05 UTC+1, The Natural Philosopher wrote:
> On 28/09/2021 09:55, Theo wrote:
> > In answer to your other post, internet and local traffic aren't mixed on
> > interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> > the router's 'LAN' interface. Your public IP might be assigned by your ISP
> > to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> > assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> > the internet tried to send a packet to 192.168.0.x
> It would simply *never arrive* as there are no public routes for private
> networks
> < it would come in on your
> > WAN port but there would be no means for it to reach your LAN port and so it
> > would get thrown away.
> If it did come in, but it cant.
> > It is not a 'party line' arrangement where anyone
> > apart from the router can pick up internet traffic: it all has to be relayed
> > through the router, which is subject to your firewall rules.
> And it all has to be routed through the public internet, which only
> knows one public address of your router - the '22.33.44.55' in your
> example,
>
> The way to set this up is to have the immediate local side of the router
> at 192.168.0.x and e.g set a default route un that router to tell it
> that the way to 192.168.100.x is via the clearos NIC1 i.e.192.168.0.10
> for example

Sorry not quite sure what you mean by this. Using your subnets, the current setup I have is...

ISP Router (192.168.0.0) -> Clear OS NIC 1 (192.168.0.1) -> Clear OS NIC 2 (192.168.100.0) [DHCP server serves 192.168.100.xxx addresses to all devices] -> switch (192.168.100.1)

There is nothing else on the 192.168.0.xx subnet.

Looking at this PC, the ClearOS server has given it 2 DNS servers, 192.168.100.0 (so assume ClearOS then routes anything on 192.168.0.xxx to the other NIC) and 8.8.8.8 (Google DNS - which is the primary DNS set up on the ISP router so assume ClearOS has passed this on)

>
> Clearos doesn't need NAT - it is simply routing between 192.168.0.0 and
> e.g. 192.168.1.0 networks.

Not sure what ClearOS does re: NAT
>
> Provided the main router recognises that source addresses on te
> 192.168.1.0 network are something it can reach via the NIC interface
> 192.168.0.10 on the clearos, it will happily set up proxy NAT ports for
> them.
>


> That is, any number of machines on different networks can be NATTED by
> the main router as long as it knows that they exist on valid networks
> connected directly or indirectly to its LAN interface.
>
> You merely need to set up STATIC routes in it, pointing to the NIC IP
> address of whatever router connects the main router to that network

If I understand your point correctly, I believe I have achieved this by setting the DNS server on downstream routers (i.e. the various ones around the house I use as Wifi hotspots) by setting their DNS server to be 192.168.100.0
>
> All the subsidiary router needs to do is DHCP, since that doesn't
> propagate across networks. It uses Ethernet broadcast, not IP as such.
> And it also needs to ROUTE via the router LAN address, so port
> forwarding needs to be on an a static default route pointing to the main
> router be set up
>
> So on the main router
>
> Disable DHCP server
> Retain DHCP client for WAN IP address from ISP.

Yep this is same as current setup

> Enable NAT.
Assume this is done by default in the EE router as can't see it has the ability to switch it on/ off

> Add static route to private network via clearos machine
Not sure what you mean by this. Is this to enable port routing from internet to internal (192.168.100.xx) IP addresses? I haven't got this set up in the current setup (at least that I know of)


>
> On clearos machine,
>
> set up static addresses to the 192.168.0.0 network and 192.168.1.0 network
yep that's how it is currently
> set up static default route to the Router LAN address
again not sure what this does. As I recall (couldn't find it in the ClearOS UI for some reason) on ClearOS NIC 1, I have set up the DNS server to be the ISP router. i.e. if it knows nothing about it forward to the ISP router to deal with

> set up DHCP server to deal with the 192.168.1.0 network. use the clearos
> 192.186.1.x interface as the default route to be handed out via dhcp
yep although ClearOS also seems to send out the primary DNS from the ISP router

> set up DNS to be whatever - ISPs DNS server, maybe the router LAN
> address, or even the clearos box itself if its running a DNS server
> enable port forwarding so it can route, if this is not on by default

I think I have the latter?

The Natural Philosopher

unread,
Sep 29, 2021, 6:16:42 AMSep 29
to
On 29/09/2021 07:32, leen...@yahoo.co.uk wrote:
> On Tuesday, 28 September 2021 at 14:40:10 UTC+1, The Natural
> Philosopher wrote:
>> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
>>> whether I could/ should put the new router after the ClearOS
>>> box. i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 ->
>>> New Router -> internal switch.
>> No. The new router will expect to be the primary gateway and will
>> need to pick up its IP address using DHCP from the ISP.
>>
>> Now you might be able to replace it with something home brewed, but
>> dont expect any support from the ISP if you do.
>
> Fair point but assume that would be the case if I used any router
> other than the one they provided? When I get support from EE
> (current provider) they are able to "log in" to my router to get info
> etc.

Well to be honest most ISPs will support a fair number of well known
routers.

Look there is nothing to stop you stepping off the 'well supported, like
everyone else does it' platform provided you understand the consequences.

You can roll your own twin NIC router and do everything you need on it
and simply sell the EE router on Ebay.

What you will have to do on it, is set the WAN up using login
credentials with PPPOE - just as you would with ADSL - and with DHCP to
get the IP address and nameserver and default route for that interface
from your ISP.

Then you need to set up a static IP address for the router LAN interface,
and a DHCP server attached to that interface, and a NAT setup to allow
internal machines internet access.

Then because you will now have a VOIP client *inside* the network, you
need to set up VOIP and STUN servers and stuff like that which I simply
can't advise on, because I let my router do all that.


And you will need to buy some form of VOIP phone or server, and get EE
to release their VOIP login credentials, or use a different VOIP service.

Now I *could* probably do all that, I have the technical background, but
it would probably take me several days. When I used a draytek router I
phoned tech support at IDnet and they told me the very few things I
needed to do to connect via fibre. Took 30 minutes.

It's a sort of 'do you feel lucky today, punk' sort of scenario.
I didn't feel lucky. I have a box designed to do all that and make it
easy for support and it's perfectly capable as it happens of doing
probably everything you want.

In short you probably don't need a home brew solution at all. Or if you
do, stick it behind the supplied router where the problems are less.

That's why I recommend you keep the supplied router and monkey around
behind it to create your internal networks.

Duplicating all its functionality is quite a lot of work.

But if you want to do it, you can of course.

I think you can even get PC cards with telephone interfaces and run your
own VOIP.

--
Microsoft : the best reason to go to Linux that ever existed.

The Natural Philosopher

unread,
Sep 29, 2021, 6:21:53 AMSep 29
to
I would simply replace/reprogram the ADSL router and leave everything
as it is then.

Trying to put ClearOS UPstream of the ISP router is opening a large can
of worms, not to say Pandora's box.

You then need to handle NAT, PPPoE, VOIP, DHCP client and probably DNS
proxy on the ClearOS.

If you need to ask, you probably can't.




--
“The ultimate result of shielding men from the effects of folly is to
fill the world with fools.”

Herbert Spencer

Roger Hayter

unread,
Sep 29, 2021, 8:37:16 AMSep 29
to
On 29 Sep 2021 at 11:16:37 BST, "The Natural Philosopher"
He can use ClearOS for PPPOE but there are a couple of snags. I did the same
with CentOS, probably unwisely. He will need to alter the config to use a
kernel module for pppoe processing as the user-space code is too slow for
FTTP. And if ClearOS uses an old version of rp-pppoe he will probably need to
change the whole network to an MTU of 1492 or recompile rp-pppoe with some
editing.

--
Roger Hayter

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 8:44:06 AMSep 29
to
Yeah when I heard above it was an ethernet connection from the ONT I hadn't realised it was still PPPoe and needed authenticating etc. So all in all definitely not worth getting rid of the new Vodafone router. Question is now whether it is worth keeping ClearOS (or replacement) or just use the router.

John Rumm

unread,
Sep 29, 2021, 9:08:00 AMSep 29
to
On 29/09/2021 07:28, leen...@yahoo.co.uk wrote:
> <snip>
>
>>
>> The ethernet on the ONT is probably presenting a PPPOE connection.
>> So the router that connects to it needs to be configured to feed
>> you login credentials for the ISP to that to start the connection.
>> Once that is done, you basically have what is in effect a very fast
>> single "dial up" style connection to the internet.
>
> Mmmm if it does log in like the ADSL one does then I guess that
> probably scuppers my theory about not needing the ISP router and
> using ClearOS instead as not sure it supports that.


You certainly don't need the ISP's router (I did not request one with my
FTTP, and just connected the ONT directly to the WAN2 socket on my
Draytek, with that WAN configured as a PPPoE connection.)

The more doubtful bit is why use your own router (ClearOS) *and* the
ISP's router?

>> To make that useful for a network you then need a router (with all
>> the usual firewall, and NAT capabilities).
>>
>> So if you want to slip another router in between the ONT and the
>> supplied router, you will need to either configure it to fit the
>> expectations of the other bits of kit, or alter the configuration
>> of the other bits of kit to allow for it being there.
>>
>> What facilities of the clearOS box do you actually need/use that
>> are not provided by the supplied router?
>
> That is the million dollar question :) All I use at the moment is
> really DHCP and DNS. I tie devices to static IP addresses and also
> give them sensible names (e.g. LoungeTV) etc. In the current setup,
> the backup running takes a huge chunk of my small upload speed and
> tends to impact other devices so in theory being able to limit that
> would be good but.... I never did it and the new FTTP would be ample
> I suspect so maybe not needed.

It sounds rather like the ISP's basic router will do all you need then.

DHCP and some IP address reservations are supported on most.

SH

unread,
Sep 29, 2021, 9:47:16 AMSep 29
to
I have an ONT and a Vodafone Router. The latter also has a POTS ATA
socket on it.

I set up a Pi Hole and a Pi VPN and a Ubiquiti wifi network.

I disabled DHCP, DNS and IPv6 in the VF router.

So the Pi hole now handles DNS + DHCP.

The Pi VPN handles wireguard connections to all my mobile devices when
they are using public wifi.

The Ubiquitis have a custom IP whitelist.

My next step is to add an EdgeRouter X so then I can set up a DMZ, a
Wifi net for the ipads/iphones, a wired net and one for IoT / media
streamers attached to TV sets.


The Natural Philosopher

unread,
Sep 29, 2021, 9:48:51 AMSep 29
to
Well I didn't expect it to be THAT bad.
But it does reinforce my point. It won't be an easy ride, but using a
supplied router will be.


--
“Some people like to travel by train because it combines the slowness of
a car with the cramped public exposure of an airplane.”

Dennis Miller

The Natural Philosopher

unread,
Sep 29, 2021, 9:56:06 AMSep 29
to
On 29/09/2021 13:44, leen...@yahoo.co.uk wrote:
> On Wednesday, 29 September 2021 at 11:21:53 UTC+1, The Natural
> Philosopher wrote:

>> I would simply replace/reprogram the ADSL router and leave
>> everything as it is then.
>>
>> Trying to put clearos UPstream of the ISP router is opening a large
>> can of worms, not to say pandoras box.
>>
>> You then need to handle NAT, PPPoe, VOIP, DHCP client and probably
>> DNS proxy on the ClearOs
>>
>> If you need to ask, you probably can't.
>>
> Yeah when I heard above it was an ethernet connection from the ONT I
> hadn't realised it was still PPPoe and needed authenticating etc. So
> all in all definitely not worth getting rid of the new Vodafone
> router. Question is now whether it is worth keeping ClearOS (or
> replacement) or just use the router.
>

Depends on whether you want to play with lots of networks and firewalls
and so on.

For educational purposes do it.

For simply arriving at a solid secure network that 'just works' and has
some ISP support, don't touch it

I've got a NATTED network with public SSH and HTTPS connections to a
server on it.

I haven't checked to see if it's being attacked by ratware, but it's never
been compromised. Despite having several holes in its firewall - but
then I am on a fixed public IP address so can set simple firewall rules.

The thing that causes most unwanted network traffic is Skype :-)

leen...@yahoo.co.uk

unread,
Sep 29, 2021, 1:16:07 PMSep 29
to
I couldn't find the ability to reserve IP addresses nor add names but will take a closer look as it may be hidden somewhere in the menus - or I was not looking properly :)

The Natural Philosopher

unread,
Sep 29, 2021, 1:58:33 PMSep 29
to
On 29/09/2021 18:16, leen...@yahoo.co.uk wrote:
> I couldn't find the ability to reserve IP addresses nor add names but
> will take a closer look as it may be hidden somewhere in the menus -
> or I was not looking properly:)

It's generally under 'DHCP configuration'.

You should have the ability to:

(a) Restrict DHCP to a limited range of addresses so you can set static
addresses in the unused range and/or
(b) Issue DHCP addresses based on the client's MAC address.

Normally names are pushed to the server from the *client*.
So in cartoon form the client does an *Ethernet* broadcast saying I am
called 'fred' and my MAC address is xx:yy:aa:bb:cc and the DHCP server
responds with a message to 'xx:yy:aa:bb:cc' saying
here's an IP address, netmask, default route, and DNS you can use for
the following period. If it has an entry for 'xx:yy:aa:bb:cc' it will
issue that IP address, otherwise it's round robin from the pool of
allowable IP addresses.


The router will store the client's name, IP address, MAC address and
lease time, so has the *potential*, if it's doing DNS proxying, to also be
able to tell you on what IP address 'fred' resides.



--
It’s easier to fool people than to convince them that they have been fooled.
Mark Twain
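
The reservation and pool behaviour described in the post above, as an added example that is not part of the thread or of any router's firmware: a small lease allocator that honours a MAC-based reservation first, re-issues an existing lease on renewal, otherwise hands out the next free address from a restricted pool, and keeps the client-supplied hostname so names can be answered the way a DNS proxy on the router would. The MAC addresses, hostnames and address ranges are constructed sample values.

```python
import ipaddress

# Added example: a toy DHCP-style allocator modelling (a) a restricted pool
# with a separate static range and (b) MAC-based reservations, plus the
# name-to-address record that a router's DNS proxy can answer from.
# All MACs, hostnames and ranges below are constructed sample values.


class LeaseServer:
    def __init__(self, pool_start, pool_end, reservations):
        start = int(ipaddress.ip_address(pool_start))
        end = int(ipaddress.ip_address(pool_end))
        if end < start:
            raise ValueError("pool end precedes pool start")
        # The pool is the only range dynamic clients can receive; addresses
        # outside it are left free for statically configured devices.
        self.pool = [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]
        # MAC -> fixed address. Reserved addresses may sit outside the pool.
        self.reservations = {m.lower(): ip for m, ip in reservations.items()}
        self.leases = {}   # MAC -> (ip, hostname)
        self._cursor = 0   # round-robin position in the pool

    def offer(self, mac, hostname):
        """Answer a DISCOVER/REQUEST from `mac` that announced `hostname`."""
        mac = mac.lower()
        if mac in self.reservations:
            ip = self.reservations[mac]        # fixed entry wins
        elif mac in self.leases:
            ip = self.leases[mac][0]           # renewal keeps the same address
        else:
            ip = self._next_free()
        self.leases[mac] = (ip, hostname)
        return ip

    def _next_free(self):
        in_use = {ip for ip, _ in self.leases.values()}
        in_use |= set(self.reservations.values())   # never hand out a reserved address
        for _ in range(len(self.pool)):
            ip = self.pool[self._cursor % len(self.pool)]
            self._cursor += 1
            if ip not in in_use:
                return ip
        raise RuntimeError("DHCP pool exhausted")

    def resolve(self, hostname):
        """What a DNS proxy on the router can answer purely from DHCP state:
        the address last leased to a client that called itself `hostname`."""
        for ip, name in self.leases.values():
            if name.lower() == hostname.lower():
                return ip
        return None

    def lease_table(self):
        """(hostname, mac, ip) rows, like the router's DHCP status page."""
        return sorted((name, mac, ip) for mac, (ip, name) in self.leases.items())


def demo():
    srv = LeaseServer("192.168.0.100", "192.168.0.102",
                      {"aa:bb:cc:dd:ee:01": "192.168.0.10"})
    srv.offer("AA:BB:CC:DD:EE:01", "fred")        # reserved -> 192.168.0.10
    srv.offer("aa:bb:cc:dd:ee:02", "LoungeTV")    # pool -> 192.168.0.100
    srv.offer("aa:bb:cc:dd:ee:03", "laptop")      # pool -> 192.168.0.101
    srv.offer("aa:bb:cc:dd:ee:02", "LoungeTV")    # renewal -> 192.168.0.100 again
    return srv


if __name__ == "__main__":
    for row in demo().lease_table():
        print(*row)
```

Two points worth keeping in mind when relying on this: the hostname is whatever the client chose to announce, so two devices can claim the same name and the proxy will simply answer with the most recent lease; and a reservation is keyed only by MAC address, which makes it an addressing convenience rather than any kind of authentication of the device.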


leen...@yahoo.co.uk

unread,
Sep 29, 2021, 5:04:29 PMSep 29
to
Thanks..... On ClearOS you can also map name to IP address so can then give the device a different name. E.g. those where you can't specify a hostname (e.g. FireTV stick or the TV etc.). Not really a massive issue if I can't do it TBH as only really use it to easily see what devices are connected in ClearOS.