Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
OTish: Best free network manager- replace ClearOS? Maybe pfSense?
101 views
Skip to first unread message
leen...@yahoo.co.uk
Sep 26, 2021, 4:12:47 AM9/26/21
to
Hi All,
I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on it's own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.
I am getting FTTP installed next week so thought I would take the opportunity to re-look at the network setup whilst I am at it. My version of ClearOS requires a full rebuild to upgrade anyway so thought I would look at what the best is these days.
After a bit of Googling, pfSense seems to be the most popular but was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install so maybe these days the routers are good enough and should scrap the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/ physical separation (maybe a security expert might say this makes no real difference?).
Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?
Thanks again
Lee.
I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on it's own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.
I am getting FTTP installed next week so thought I would take the opportunity to re-look at the network setup whilst I am at it. My version of ClearOS requires a full rebuild to upgrade anyway so thought I would look at what the best is these days.
After a bit of Googling, pfSense seems to be the most popular but was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install so maybe these days the routers are good enough and should scrap the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/ physical separation (maybe a security expert might say this makes no real difference?).
Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?
Thanks again
Lee.
The Natural Philosopher
Sep 26, 2021, 6:05:57 AM9/26/21
to
On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
> Hi All,
>
> I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on it's own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.
>
> Hi All,
>
> I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on it's own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.
>
> Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?
certanly not this one.
Possibly one with 'networking' in its name
But why not simply get a router that manages all that?
--
Renewable energy: Expensive solutions that don't work to a problem that
doesn't exist instituted by self legalising protection rackets that
don't protect, masquerading as public servants who don't serve the public.
Theo
Sep 26, 2021, 6:51:12 AM9/26/21
to
crosspost...
I suppose the real question is: what do you want your 'network manager' to
do?
Any router will handle DHCP, DNS, NAT. How do you handle wifi - is that a
separate AP/mesh setup? Do you have requirements on top of what a consumer
router would provide?
IMX a good reason for a DIY router is because the one you have can't handle
the internet bandwidth, which is more common with cable and FTTP setups.
The issue tends to be that the router CPU is too poor to handle routing
tasks like lots of connections being made at once.
https://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/
gives some of the motivation behind using a mini PC for this which has
'PC' class hardware rather than the single-core 400MHz MIPS you got in
consumer routers. Jim Salter has a number of 'DIY router' articles on Ars
that benchmark his DIY build over consumer alternatives, which are worth
reading.
Your old PC is almost certainly going to take a lot more power than one of
those, so your running costs will be a lot higher than even a mini PC
solution. On the other hand, internet bandwidth has been rising slower than
router performance - these days routers can be more like a cheap smartphone
- eg quad 1.5GHz ARM cores which is a lot more horsepower than the single
400MHz MIPS. So the window in which using a 'PC' rather than a 'router'
seems to be closing.
On the other hand, if you want full control a proper OS is attractive,
especially if your ISP or a Netgear/etc router is too restrictive. A middle
ground would be to look at OpenWRT or dd-wrt or some of the other router
distros - you get to run these on a traditional low power router platform (a
reflashed Netgear or TP-Link or even an old ISP router if it has suitable
specs, although you can run them on PCs too) while giving you more control.
A suggestion: a cheap and simple entry point to this world is the BT Homehub
5 reflashed with OpenWRT. These can be bought preconfigured for about £20
on ebay (search 'homehub 5 openwrt'). The wifi on these is mediocre
(although good for its time) but otherwise it's a solid OpenWRT router, if
not the newest. That gives you a chance to play with OpenWRT on such a
platform, and if you don't like it you've only wasted £20. You'd probably
burn that in a few months of power of your old PC router.
Theo
leen...@yahoo.co.uk
Sep 26, 2021, 7:29:00 AM9/26/21
to
My house is all wired with cat6 so either have the end devices connected via Ethernet or via a series of other wifi routers dotted around the house to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?
thanks
Lee.
Pancho
Sep 26, 2021, 8:17:15 AM9/26/21
to
On 26/09/2021 11:51, Theo wrote:
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network. I have my broadband router on it's own subnet on one
>> NIC of my ClearOS PC and then the internal network on a separate subnet on
>> the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory
>> virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it. My version
>> of ClearOS requires a full rebuild to upgrade anyway so thought I would
>> look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or indeed any
>> alternative suggestions? I don't know what router I am getting with the
>> install so maybe these days the routers are good enough and should scrap
>> the external network manager - although I do like the idea of the internal
>> and external networks being on separate subnets with a hardware/ physical
>> separation (maybe a security expert might say this makes no real
>> difference?).
>>
>> Also, any suggestions on good newsgroups I should post to instead who
>> focus on these sorts of things?
>
> uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a
> crosspost...
>
pfSense is OK. I've been using it for many years. If you have a PC with
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network. I have my broadband router on it's own subnet on one
>> NIC of my ClearOS PC and then the internal network on a separate subnet on
>> the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory
>> virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it. My version
>> of ClearOS requires a full rebuild to upgrade anyway so thought I would
>> look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or indeed any
>> alternative suggestions? I don't know what router I am getting with the
>> install so maybe these days the routers are good enough and should scrap
>> the external network manager - although I do like the idea of the internal
>> and external networks being on separate subnets with a hardware/ physical
>> separation (maybe a security expert might say this makes no real
>> difference?).
>>
>> Also, any suggestions on good newsgroups I should post to instead who
>> focus on these sorts of things?
>
> uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a
> crosspost...
>
a dual NIC you can test it in a Virtual Machine.
People say OpenWRT is good. I would try it, but I have a working pfSense
set up and it is too much effort to change. i.e. pfSense doesn't annoy
me enough for the effort of a change.
leen...@yahoo.co.uk
Sep 26, 2021, 8:24:03 AM9/26/21
to
Thanks
Lee.
John Rumm
Sep 26, 2021, 9:03:58 AM9/26/21
to
On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
> Hi All,
>
> I have been using ClearOS on an old PC for many years to manage my
> internal network. I have my broadband router on it's own subnet on
> one NIC of my ClearOS PC and then the internal network on a separate
> subnet on the other NIC. ClearOS then manages all the network, DHCP,
> DNS, in theory virus scan/ malware protection etc. etc.
>
> I am getting FTTP installed next week so thought I would take the
> opportunity to re-look at the network setup whilst I am at it. My
> version of ClearOS requires a full rebuild to upgrade anyway so
> thought I would look at what the best is these days.
>
> After a bit of Googling, pfSense seems to be the most popular but was
> wondering if anyone here had any views on pfSense vs ClearOS or
> indeed any alternative suggestions?
Not with respect to oClearOS Vs pfSense, but I would normally go for a
>
> I have been using ClearOS on an old PC for many years to manage my
> internal network. I have my broadband router on it's own subnet on
> one NIC of my ClearOS PC and then the internal network on a separate
> subnet on the other NIC. ClearOS then manages all the network, DHCP,
> DNS, in theory virus scan/ malware protection etc. etc.
>
> I am getting FTTP installed next week so thought I would take the
> opportunity to re-look at the network setup whilst I am at it. My
> version of ClearOS requires a full rebuild to upgrade anyway so
> thought I would look at what the best is these days.
>
> After a bit of Googling, pfSense seems to be the most popular but was
> wondering if anyone here had any views on pfSense vs ClearOS or
> indeed any alternative suggestions?
business class COTS router rather than running a whole PC just as a
router for even a fairly sophisticated home network. The difference in
cost of electricity alone will be significant.
> I don't know what router I am
> getting with the install
However in most cases the feature set will usually be fairly basic.
> so maybe these days the routers are good
> enough and should scrap the external network manager - although I do
> like the idea of the internal and external networks being on separate
> subnets with a hardware/ physical separation (maybe a security expert
> might say this makes no real difference?).
firewall anyway. The two "sides" of it are on separate networks.
Disabling access to any configuration and management from the WAN side
is also a good idea in most cases.
Ultimately much depends on what facilities you need. For example do you
need external VPN access to your home network? The ability to run
multiple subnets internally? VLAN support? Failover to a backup WAN
connection? Load balancing? etc.
Also how much are you prepared to spend? (routers etc are more pricey at
the moment than usual sue to the current semiconductor shortages and
other constraints). So things that were £200 last year are £300+ this year!
--
Cheers,
John.
/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
Pancho
Sep 26, 2021, 9:40:46 AM9/26/21
to
subnet. I don't understand what a network manager is?
My pfSense has the WAN interface on its own NIC and a LAN interface on
another NIC. I have a LAN subnet, 192.168.0.xxx. But the WAN is just the
IP my ISP gives me
pfSense routes between the two, and a few VPN tunnels. That is the
separation of the WAN and LAN. You will always need something to route
between the two networks, WAN/LAN. I have always thought of two NIC's as
hardware separation, it means everything has to go through pfSense.
leen...@yahoo.co.uk
Sep 26, 2021, 10:43:29 AM9/26/21
to
So essentially a device on my internal network has the following route to the internet...
device -> local Wifi router -> house switch -> ClearOS all of this on 192.168.B.xxx
and then....
ClearOS -> ISP Router -> internet all this on 192.168.A.xxx
If by "But the WAN is just the IP address my ISP gives me" you mean that the NIC gets it's IP address from your ISP router (assuming it has DHCP switched on) as opposed to your internet facing IP address then I think the macro level setup is the same just that I have further restricted access.
Thanks
Lee.
Theo
Sep 26, 2021, 11:56:58 AM9/26/21
to
leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> Thanks both. The main appeal for me with the PC route is that there is
> hardware separation between my internal and external networks which seems
> more secure to me than a pure software firewall if I went down the router
> space. ClearOS also gives a lot better logging/ metrics that my routers -
> unsure what OpenWRT provides.
I'm not sure what you mean about a 'pure software firewall'. The PC with
> Thanks both. The main appeal for me with the PC route is that there is
> hardware separation between my internal and external networks which seems
> more secure to me than a pure software firewall if I went down the router
> space. ClearOS also gives a lot better logging/ metrics that my routers -
> unsure what OpenWRT provides.
two NICs is using software to route from one NIC to the other. It doesn't
have a hardware firewall.
A typical wifi router has a single NIC but its five ports (4xLAN, 1xWAN)
are all connected to a VLAN-enabled switch. The OS sets up the VLAN tags on
the ports to be, for example, 1-4=VLAN #1, 5=VLAN #2, and designates VLAN#1
as LAN and VLAN#2 as WAN.
Then it sees a packet coming in on VLAN#2 and decides whether or not to
route it to VLAN#1. Depending on the SoC there may be a bit of NAT
acceleration in there, but it's mostly all software, just like the dual-NIC
case.
As far as the OS is concerned it has two network ports, which are enforced
by the VLAN tagging in the switch (ie hardware). An attacker coming in on
VLAN#2 can't forge the VLAN tag to make their traffic look like it came from
VLAN#1, because the tags are all internal and not sent over the wire.
So unless the OS sets up the VLANs in a broken way (in which case it
wouldn't work) it's effectively two NICs.
With a replacement router OS you can control the port<->VLAN mappings, so
you can decide to have 5 different isolated networks if you want. To do
that on a PC would require a 5 port NIC or an external VLAN tagged switch.
OpenWRT has some packages for logging etc. They aren't installed by default
(due to having to fit on routers with small amounts of flash) - I haven't
tried them.
> My house is all wired with cat6 so either have the end devices connected
> via Ethernet or via a series of other wifi routers dotted around the house
> to give coverage. For these routers, whilst I was at it, I was thinking
> about whether it is worth flashing these with OpenWRT (if the routers are
> supported)?
for wifi, both flashed with OpenWRT. Both have a port configured to export
VLAN-tagged traffic (ie not strip the VLAN tags inside the switch), and I
have multiple wifi networks configured, one for each VLAN. That means I
have a 'IoT junk never going near the internet' wifi network which routes
back to the firewall config on the main OpenWRT router. It's a bit more
fiddly setting this up than if it was integrated into the main router, but
then I can place the AP in a better location.
Theo
SH
Sep 26, 2021, 2:30:43 PM9/26/21
to
On 26/09/2021 14:03, John Rumm wrote:
> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network. I have my broadband router on it's own subnet on
>> one NIC of my ClearOS PC and then the internal network on a separate
>> subnet on the other NIC. ClearOS then manages all the network, DHCP,
>> DNS, in theory virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it. My
>> version of ClearOS requires a full rebuild to upgrade anyway so
>> thought I would look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or
>> indeed any alternative suggestions?
>
> Not with respect to oClearOS Vs pfSense, but I would normally go for a
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.
+1
> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>> Hi All,
>>
>> I have been using ClearOS on an old PC for many years to manage my
>> internal network. I have my broadband router on it's own subnet on
>> one NIC of my ClearOS PC and then the internal network on a separate
>> subnet on the other NIC. ClearOS then manages all the network, DHCP,
>> DNS, in theory virus scan/ malware protection etc. etc.
>>
>> I am getting FTTP installed next week so thought I would take the
>> opportunity to re-look at the network setup whilst I am at it. My
>> version of ClearOS requires a full rebuild to upgrade anyway so
>> thought I would look at what the best is these days.
>>
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or
>> indeed any alternative suggestions?
>
> Not with respect to oClearOS Vs pfSense, but I would normally go for a
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.
Have a look at Edgemax or Ubiquiti
e.g:
https://www.4gon.co.uk/ubiquiti-edgemax-edgerouter-x-erx-p-6433.html
or
https://www.4gon.co.uk/ubiquiti-unifi-security-gateway-router-usg-p-6271.html
>> I don't know what router I am
>> getting with the install
>
> Depends a bit on what you ordered, and who is supplying the FTTP.
> However in most cases the feature set will usually be fairly basic.
throw away the ISP supplied router. However, you will need to get the
vlan number, username and PWD from the ISP to put into your router.
>> so maybe these days the routers are good
>> enough and should scrap the external network manager - although I do
>> like the idea of the internal and external networks being on separate
>> subnets with a hardware/ physical separation (maybe a security expert
>> might say this makes no real difference?).
>
> Typically if running IP V4, then the router will be running NAT and a
> firewall anyway. The two "sides" of it are on separate networks.
> Disabling access to any configuration and management from the WAN side
> is also a good idea in most cases.
> Ultimately much depends on what facilities you need. For example do you
> need external VPN access to your home network? The ability to run
> multiple subnets internally? VLAN support? Failover to a backup WAN
> connection? Load balancing? etc.
public wifi.
I also have a Pi Hole to filter out the unwanted trackers and ads.
I also have a Ubiquiti Network manager for teh Ubiquiti access points I
use for Wi Fi.
> Also how much are you prepared to spend? (routers etc are more pricey at
> the moment than usual sue to the current semiconductor shortages and
> other constraints). So things that were £200 last year are £300+ this year!
The Ubiquiti and Edgemax have not risen much in price.
Another brand to look at is Meraki.
John Rumm
Sep 26, 2021, 2:37:41 PM9/26/21
to
On 26/09/2021 19:30, SH wrote:
> On 26/09/2021 14:03, John Rumm wrote:
>> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>>> Hi All,
>>>
>>> I have been using ClearOS on an old PC for many years to manage my
>>> internal network. I have my broadband router on it's own subnet on
>>> one NIC of my ClearOS PC and then the internal network on a separate
>>> subnet on the other NIC. ClearOS then manages all the network, DHCP,
>>> DNS, in theory virus scan/ malware protection etc. etc.
>>>
>>> I am getting FTTP installed next week so thought I would take the
>>> opportunity to re-look at the network setup whilst I am at it. My
>>> version of ClearOS requires a full rebuild to upgrade anyway so
>>> thought I would look at what the best is these days.
>>>
>>> After a bit of Googling, pfSense seems to be the most popular but was
>>> wondering if anyone here had any views on pfSense vs ClearOS or
>>> indeed any alternative suggestions?
>>
>> Not with respect to oClearOS Vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>
>
> +1
>
> Have a look at Edgemax or Ubiquiti
Yup, they make decent enough kit (Ubiquity especially). I tend to go for
> On 26/09/2021 14:03, John Rumm wrote:
>> On 26/09/2021 09:12, leen...@yahoo.co.uk wrote:
>>> Hi All,
>>>
>>> I have been using ClearOS on an old PC for many years to manage my
>>> internal network. I have my broadband router on it's own subnet on
>>> one NIC of my ClearOS PC and then the internal network on a separate
>>> subnet on the other NIC. ClearOS then manages all the network, DHCP,
>>> DNS, in theory virus scan/ malware protection etc. etc.
>>>
>>> I am getting FTTP installed next week so thought I would take the
>>> opportunity to re-look at the network setup whilst I am at it. My
>>> version of ClearOS requires a full rebuild to upgrade anyway so
>>> thought I would look at what the best is these days.
>>>
>>> After a bit of Googling, pfSense seems to be the most popular but was
>>> wondering if anyone here had any views on pfSense vs ClearOS or
>>> indeed any alternative suggestions?
>>
>> Not with respect to oClearOS Vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>
>
> +1
>
> Have a look at Edgemax or Ubiquiti
Draytek, but mostly because I have loads of it already installed.
Pancho
Sep 26, 2021, 5:53:32 PM9/26/21
to
On 26/09/2021 14:03, John Rumm wrote:
>
>
> Not with respect to oClearOS Vs pfSense, but I would normally go for a
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.
>
Why pay for a business class router? Even 10 years ago the open source
> business class COTS router rather than running a whole PC just as a
> router for even a fairly sophisticated home network. The difference in
> cost of electricity alone will be significant.
>
router firmware (e.g. Tomato) was very good, with all the features of
"business class" routers. Install it on a cheap router and you have
something to compete with a business router for a fraction the price.
I only run pfSense, because 6 or 7 years ago, I couldn't get a standard
router (arm based) to drive OpenVPN tunnels at 100+ Mb/s.
The PC I run pfSense on is only 6 watts, Intel Celeron based.
John Rumm
Sep 26, 2021, 9:20:18 PM9/26/21
to
On 26/09/2021 22:53, Pancho wrote:
> On 26/09/2021 14:03, John Rumm wrote:
>
>>
>> Not with respect to oClearOS Vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>>
>
> Why pay for a business class router?
In my case because I want something that will work "out of the box", and
> On 26/09/2021 14:03, John Rumm wrote:
>
>>
>> Not with respect to oClearOS Vs pfSense, but I would normally go for a
>> business class COTS router rather than running a whole PC just as a
>> router for even a fairly sophisticated home network. The difference in
>> cost of electricity alone will be significant.
>>
>
> Why pay for a business class router?
I can swap out in a hurry if required.
Also most SOHO routers lack things like VPN encryption acceleration
hardware, and I need lots of LAN to LAN nailed up VPNs.
> Even 10 years ago the open source
> router firmware (e.g. Tomato) was very good, with all the features of
> "business class" routers. Install it on a cheap router and you have
> something to compete with a business router for a fraction the price.
the router is not really significant in the grand scheme of things
(especially when they will typically spend the same on a couple of
months of dual redundant broadband service as they will for the router)
> I only run pfSense, because 6 or 7 years ago, I couldn't get a standard
> router (arm based) to drive OpenVPN tunnels at 100+ Mb/s.
>
> The PC I run pfSense on is only 6 watts, Intel Celeron based.
that you need to spec and buy specifically for the task - they are not
usually the cast off desktop that no one in the office wants because it
takes 90 seconds to load Excel! So that does add to the cost of using
one as a router.
leen...@yahoo.co.uk
Sep 28, 2021, 2:40:23 AM9/28/21
to
leen...@yahoo.co.uk
Sep 28, 2021, 2:55:05 AM9/28/21
to
Having said that, the router has a couple of phone ports which it says will enable me to connect my normal phones to it and it will "convert" then to the Voip line Vodafone are providing. So irrespective of the above, I will need the phone bit but does maybe ask the question as to whether I could/ should put the new router after the ClearOS box. i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router -> internal switch.
As you can probably tell, I don't know how this whole FTTP stuff works under the covers and suspect I am still missing something in my network knowledge :)
thanks in advance for you help.
Lee.
P.S. still not sure how to get my replies to appear on the other NG this was cross posted to so will cut and paste it :)
Theo
Sep 28, 2021, 4:55:30 AM9/28/21
to
leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> would be equivalent to an ADSL router where you connect the ADSL one side
> and the LAN connects to the other. So I assumed the fibre would connect
> to it somewhere and it would expose Ethernet ports for the LAN. With this
> one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> for an ADSL connection and a different one labelled "WAN" which seems to
> be like an Ethernet port but connects to whatever OpenReach installs
> (which I assume converts the optical fibre to Ethernet?). So wonder now
> whether in my setup in theory whether I need to even have the new router?
Let's unpick this a bit.
> Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> would be equivalent to an ADSL router where you connect the ADSL one side
> and the LAN connects to the other. So I assumed the fibre would connect
> to it somewhere and it would expose Ethernet ports for the LAN. With this
> one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> for an ADSL connection and a different one labelled "WAN" which seems to
> be like an Ethernet port but connects to whatever OpenReach installs
> (which I assume converts the optical fibre to Ethernet?). So wonder now
> whether in my setup in theory whether I need to even have the new router?
Vodafone offer two products:
FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes
- it comes in via your normal telephone line. That's what the 'INTERNET'
port is for.
FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box
with the fibre going in and an ethernet port to attach to your router.
That goes into the WAN port on your router.
It is likely you'll be doing the second. But what comes over the ethernet
port is the 'WAN' - you don't have a firewall and you get a single IPv4
address. You could plug in a single PC but it would be unprotected from
attackers.
> Having said that, the router has a couple of phone ports which it says
> will enable me to connect my normal phones to it and it will "convert"
> then to the Voip line Vodafone are providing. So irrespective of the
> above, I will need the phone bit but does maybe ask the question as to
> whether I could/ should put the new router after the ClearOS box. i.e.
> OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router ->
> internal switch.
a) use their router
or
b) extract the SIP credentials out of them to use with a your own VOIP
adapter.
Good luck with b). People have tried that with BT and got nowhere.
That means if you want to use their VOIP service you have to use their
router. If you want to use your own router I'd recommend porting your phone
number to a third party VOIP provider so you're free of this lockin.
You can put your own router *after* the Vodafone box but then you'll have
double NAT. Which is bad, but I've been running it for a while (out of
laziness) and it's been fine as long as you don't want to run outward-facing
services. However you'd only do this if you wanted something their
router didn't offer.
In answer to your other post, internet and local traffic aren't mixed on
interfaces. Your local traffic might be 192.168.0.x, which is assigned to
the router's 'LAN' interface. Your public IP might be assigned by your ISP
to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
assigned to your 'WAN' interface. The interfaces aren't connected, ie if
the internet tried to send a packet to 192.168.0.x it would come in on your
WAN port but there would be no means for it to reach your LAN port and so it
would get thrown away. It is not a 'party line' arrangement where anyone
apart from the router can pick up internet traffic: it all has to be relayed
through the router, which is subject to your firewall rules.
> P.S. still not sure how to get my replies to appear on the other NG this
> was cross posted to so will cut and paste it :)
Theo
Pancho
Sep 28, 2021, 5:36:34 AM9/28/21
to
On 28/09/2021 07:40, leen...@yahoo.co.uk wrote:
> Thanks Theo. The router arrived yesterday it is a "Vodafone" THG3000 I had a quick scoot through the menus and couldn't see a way to set up vlans on different ports. I take your points re: Router may be the same conceptually as my setup in that it is all controlled by software. I may have misunderstood how these things work but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the vlan thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xx) then I was assuming ClearOS will stop that but maybe it just routes it?
>
The problem with VLAN's is that all the switches in your LAN need to be
> Thanks Theo. The router arrived yesterday it is a "Vodafone" THG3000 I had a quick scoot through the menus and couldn't see a way to set up vlans on different ports. I take your points re: Router may be the same conceptually as my setup in that it is all controlled by software. I may have misunderstood how these things work but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the vlan thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xx) then I was assuming ClearOS will stop that but maybe it just routes it?
>
able to handle them. I can't think of many home LAN questions where VLAN
is the answer.
Pancho
Sep 28, 2021, 5:43:13 AM9/28/21
to
On 28/09/2021 09:55, Theo wrote:
> If you want to use your own router I'd recommend porting your phone
> number to a third party VOIP provider so you're free of this lockin.
>
+1. Port landline phone number to third party VOIP provider. I've
> If you want to use your own router I'd recommend porting your phone
> number to a third party VOIP provider so you're free of this lockin.
>
happily used Sipgate basic for many years. A wireless DECT VOIP base
station costs about £50. I was happy to get £90 off the cost of
broadband when they introduce SOGEA, i.e. dropped telephone line rental
from my broadband landline change.
When Open-Reach fitted FTTP at a friend's house they asked if she needed
a phone, I think they were offering to keep the existing copper phone
line. I very clearly said she didn't want the telephone. They seemed
keen on providing it. I didn't look to see what they actually did.
> You can put your own router *after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.
understand what the rules mean.
John Rumm
Sep 28, 2021, 6:35:20 AM9/28/21
to
On 28/09/2021 07:40, leen...@yahoo.co.uk wrote:
although can share some characteristics. Some routers support multiple
subnets but not necessarily VLANs. So having things split onto different
subnets makes it more difficult for someone on a PC to reach other bits
of the network, but not impossible - since you can have multiple IP
addresses attached to one NIC and it can be on more than one subnet at a
time, or you can issue an explicit routing instruction to allow it to
access another subnet. VLANs give a much more robust segregation, that
can't be routed around in the same way.
> In my setup I have the usual router firewall and the
> ClearOS firewall to breach. Having said that, if someone got into my
> external subnet (i.e. 192.168.A.xxx - the one with just my router and
> the ClearOS NIC) and tried to get to devices on my internal subnet
> (192.168.B.xx) then I was assuming ClearOS will stop that but maybe
> it just routes it?
"inside" unless you have setup a default routing instruction, or created
port forwarding rules.
John Rumm
Sep 28, 2021, 7:01:08 AM9/28/21
to
box - a modem, a router, and a network switch.
> So I assumed
> the fibre would connect to it somewhere and it would expose Ethernet
> ports for the LAN.
Optical Network Terminal (ONT)) as a separate box, that presents its
main interface on ethernet. That expects you establish a connection to
the ISP using PPPoE (Point to Point Protocol over Ethernet)
> With this one (Vodafone THG3000) it has a port
> labelled "INTERNET" which seems to be for an ADSL connection and a
> different one labelled "WAN" which seems to be like an Ethernet port
> but connects to whatever OpenReach installs (which I assume converts
> the optical fibre to Ethernet?). So wonder now whether in my setup
> in theory whether I need to even have the new router?
the user experience much the same as that on ADSL/FTTC etc (except
faster and more reliable).
> Having said that, the router has a couple of phone ports which it
> says will enable me to connect my normal phones to it and it will
> "convert" then to the Voip line Vodafone are providing. So
> irrespective of the above, I will need the phone bit but does maybe
> ask the question as to whether I could/ should put the new router
> after the ClearOS box. i.e. OpenReach thing -> ClearOS Nic 1 ->
> Clear OS Nic 2 -> New Router -> internal switch.
new router is when it comes to configuring how its WAN interface works.
The ethernet on the ONT is probably presenting a PPPOE connection. So
the router that connects to it needs to be configured to feed you login
credentials for the ISP to that to start the connection. Once that is
done, you basically have what is in effect a very fast single "dial up"
style connection to the internet.
To make that useful for a network you then need a router (with all the
usual firewall, and NAT capabilities).
So if you want to slip another router in between the ONT and the
supplied router, you will need to either configure it to fit the
expectations of the other bits of kit, or alter the configuration of the
other bits of kit to allow for it being there.
What facilities of the clearOS box do you actually need/use that are not
provided by the supplied router?
> As you can probably tell, I don't know how this whole FTTP stuff
> works under the covers and suspect I am still missing something in my
> network knowledge :)
configured.
> P.S. still not sure how to get my replies to appear on the other NG
> this was cross posted to so will cut and paste it :)
http://wiki.diyfaq.org.uk/index.php/Newsgroup_access_tips
The Natural Philosopher
Sep 28, 2021, 9:40:10 AM9/28/21
to
On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
> whether I could/ should put the new router after the ClearOS box.
> i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> -> internal switch.
No. The new router will expect to be the primary gateway and will need
> i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> -> internal switch.
to pick up its IP address using DHCP from the ISP.
Now you might be able to replace it with something home brewed, but dont
expect any support from the ISP if you do.
What you need to do is create a network on your side of the supplied
router and then use that as a sort of no mans land, and put your home
brew router between that and the machines you are serving
so OpenReach thing ->New Router -> ClearOS Nic 1 -> Clear OS Nic 2-->
internal switch.
That will give you a vanilla interface that the ISP expects and can
support, and allow you to do what you like behind the clearOS
--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."
The Natural Philosopher
Sep 28, 2021, 9:41:30 AM9/28/21
to
On 28/09/2021 09:55, Theo wrote:
> You can put your own router*after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.
No need to run NAT on the second router.
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.
Let the main one take care of all that.
--
“People believe certain stories because everyone important tells them,
and people tell those stories because everyone important believes them.
Indeed, when a conventional wisdom is at its fullest strength, one’s
agreement with that conventional wisdom becomes almost a litmus test of
one’s suitability to be taken seriously.”
Paul Krugman
The Natural Philosopher
Sep 28, 2021, 10:03:05 AM9/28/21
to
On 28/09/2021 09:55, Theo wrote:
> In answer to your other post, internet and local traffic aren't mixed on
> interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> the router's 'LAN' interface. Your public IP might be assigned by your ISP
> to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> the internet tried to send a packet to 192.168.0.x
It would simply *never arrive* as there are no public routes for private
> interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> the router's 'LAN' interface. Your public IP might be assigned by your ISP
> to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> the internet tried to send a packet to 192.168.0.x
networks
< it would come in on your
> WAN port but there would be no means for it to reach your LAN port and so it
> would get thrown away.
> It is not a 'party line' arrangement where anyone
> apart from the router can pick up internet traffic: it all has to be relayed
> through the router, which is subject to your firewall rules.
knows one public address of your router - the '22.33.44.55' in your
example,
The way to set this up is to have the immediate local side of the router
at 192.168.0.x and e.g set a default route un that router to tell it
that the way to 192.168.100.x is via the clearos NIC1 i.e.192.168.0.10
for example
Clearos doesn't need NAT - it is simply routing between 192.168.0.0 and
e.g. 192.168.1.0 networks.
Provided the main router recognises that source addresses on te
192.168.1.0 network are something it can reach via the NIC interface
192.168.0.10 on the clearos, it will happily set up proxy NAT ports for
them.
That is, any number of machines on different networks can be NATTED by
the main router as long as it knows that they exist on valid networks
connected directly or indirectly to its LAN interface.
You merely need to set up STATIC routes in it, pointing to the NIC IP
address of whatever router connects the main router to that network
All the subsidiary router needs to do is DHCP, since that doesn't
propagate across networks. It uses Ethernet broadcast, not IP as such.
And it also needs to ROUTE via the router LAN address, so port
forwarding needs to be on an a static default route pointing to the main
router be set up
So on the main router
Disable DHCP server
Retain DHCP client for WAN IP address from ISP.
Enable NAT.
Add static route to private network via clearos machine
On clearos machine,
set up static addresses to the 192.168.0.0 network and 192.168.1.0 network
set up static default route to the Router LAN address
set up DHCP server to deal with the 192.168.1.0 network. use the clearos
192.186.1.x interface as the default route to be handed out via dhcp
set up DNS to be whatever - ISPs DNS server, maybe the router LAN
address, or even the clearos box itself if its running a DNS server
enable port forwarding so it can route, if this is not on by default
leen...@yahoo.co.uk
Sep 29, 2021, 2:19:56 AM9/29/21
to
On Tuesday, 28 September 2021 at 09:55:30 UTC+1, Theo wrote:
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> > Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> > would be equivalent to an ADSL router where you connect the ADSL one side
> > and the LAN connects to the other. So I assumed the fibre would connect
> > to it somewhere and it would expose Ethernet ports for the LAN. With this
> > one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> > for an ADSL connection and a different one labelled "WAN" which seems to
> > be like an Ethernet port but connects to whatever OpenReach installs
> > (which I assume converts the optical fibre to Ethernet?). So wonder now
> > whether in my setup in theory whether I need to even have the new router?
> Let's unpick this a bit.
>
> Vodafone offer two products:
> FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes
> - it comes in via your normal telephone line. That's what the 'INTERNET'
> port is for.
>
> FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box
> with the fibre going in and an ethernet port to attach to your router.
> That goes into the WAN port on your router.
>
Yes it is FTTP via OR
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> > Now I have the FTTP router, it wasn't what I was expecting. I assumed it
> > would be equivalent to an ADSL router where you connect the ADSL one side
> > and the LAN connects to the other. So I assumed the fibre would connect
> > to it somewhere and it would expose Ethernet ports for the LAN. With this
> > one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be
> > for an ADSL connection and a different one labelled "WAN" which seems to
> > be like an Ethernet port but connects to whatever OpenReach installs
> > (which I assume converts the optical fibre to Ethernet?). So wonder now
> > whether in my setup in theory whether I need to even have the new router?
> Let's unpick this a bit.
>
> Vodafone offer two products:
> FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes
> - it comes in via your normal telephone line. That's what the 'INTERNET'
> port is for.
>
> FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box
> with the fibre going in and an ethernet port to attach to your router.
> That goes into the WAN port on your router.
>
> It is likely you'll be doing the second. But what comes over the ethernet
> port is the 'WAN' - you don't have a firewall and you get a single IPv4
> address. You could plug in a single PC but it would be unprotected from
> attackers.
> > Having said that, the router has a couple of phone ports which it says
> > will enable me to connect my normal phones to it and it will "convert"
> > then to the Voip line Vodafone are providing. So irrespective of the
> > above, I will need the phone bit but does maybe ask the question as to
> > whether I could/ should put the new router after the ClearOS box. i.e.
> > OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router ->
> > internal switch.
> If you need the phone bit you either:
> a) use their router
> or
> b) extract the SIP credentials out of them to use with a your own VOIP
> adapter.
>
> Good luck with b). People have tried that with BT and got nowhere.
> That means if you want to use their VOIP service you have to use their
> router. If you want to use your own router I'd recommend porting your phone
> number to a third party VOIP provider so you're free of this lockin.
>
> You can put your own router *after* the Vodafone box but then you'll have
> double NAT. Which is bad, but I've been running it for a while (out of
> laziness) and it's been fine as long as you don't want to run outward-facing
> services. However you'd only do this if you wanted something their
> router didn't offer.
>
> In answer to your other post, internet and local traffic aren't mixed on
> interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> the router's 'LAN' interface. Your public IP might be assigned by your ISP
> to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> the internet tried to send a packet to 192.168.0.x it would come in on your
> WAN port but there would be no means for it to reach your LAN port and so it
> would get thrown away. It is not a 'party line' arrangement where anyone
> apart from the router can pick up internet traffic: it all has to be relayed
> through the router, which is subject to your firewall rules.
leen...@yahoo.co.uk
Sep 29, 2021, 2:28:53 AM9/29/21
to
<snip>
>
> The ethernet on the ONT is probably presenting a PPPOE connection. So
> the router that connects to it needs to be configured to feed you login
> credentials for the ISP to that to start the connection. Once that is
> done, you basically have what is in effect a very fast single "dial up"
> style connection to the internet.
Mmmm if it does log in like the ADSL one does then I guess that probably scuppers my theory about not needing the ISP router and using ClearOS instead as not sure it supports that.
>
> To make that useful for a network you then need a router (with all the
> usual firewall, and NAT capabilities).
>
> So if you want to slip another router in between the ONT and the
> supplied router, you will need to either configure it to fit the
> expectations of the other bits of kit, or alter the configuration of the
> other bits of kit to allow for it being there.
>
> What facilities of the clearOS box do you actually need/use that are not
> provided by the supplied router?
That is the million dollar question :) All I use at the moment is really DHCP and DNS. I tie devices to static IP addresses and also give them sensible names (e.g. LoungeTV) etc. In the current setup, the backup running takes a huge chunk of my small upload speed and tends to impact other devices so in theory being able to limit that would be good but.... I never did it and the new FTTP would be ample I suspect so maybe not needed.
>
> The ethernet on the ONT is probably presenting a PPPOE connection. So
> the router that connects to it needs to be configured to feed you login
> credentials for the ISP to that to start the connection. Once that is
> done, you basically have what is in effect a very fast single "dial up"
> style connection to the internet.
>
> To make that useful for a network you then need a router (with all the
> usual firewall, and NAT capabilities).
>
> So if you want to slip another router in between the ONT and the
> supplied router, you will need to either configure it to fit the
> expectations of the other bits of kit, or alter the configuration of the
> other bits of kit to allow for it being there.
>
> What facilities of the clearOS box do you actually need/use that are not
> provided by the supplied router?
leen...@yahoo.co.uk
Sep 29, 2021, 2:32:49 AM9/29/21
to
On Tuesday, 28 September 2021 at 14:40:10 UTC+1, The Natural Philosopher wrote:
> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
> > whether I could/ should put the new router after the ClearOS box.
> > i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> > -> internal switch.
> No. The new router will expect to be the primary gateway and will need
> to pick up its IP address using DHCP from the ISP.
>
> Now you might be able to replace it with something home brewed, but dont
> expect any support from the ISP if you do.
Fair point but assume that would be the case if I used any router other than the one they provided? When I get support from EE (current provider) they are able to "log in" to my router to get info etc.
> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
> > whether I could/ should put the new router after the ClearOS box.
> > i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 -> New Router
> > -> internal switch.
> No. The new router will expect to be the primary gateway and will need
> to pick up its IP address using DHCP from the ISP.
>
> Now you might be able to replace it with something home brewed, but dont
> expect any support from the ISP if you do.
>
> What you need to do is create a network on your side of the supplied
> router and then use that as a sort of no mans land, and put your home
> brew router between that and the machines you are serving
>
> so OpenReach thing ->New Router -> ClearOS Nic 1 -> Clear OS Nic 2-->
> internal switch.
Yes this is exactly my current setup (not sure how the potential double NAT situation works in this setup though as per comments above). In my mind I need the router currently to do all the ADSL stuff but if the ONT exposed an Ethernet interface was thinking maybe I don't *need* it hence my questions above.
> What you need to do is create a network on your side of the supplied
> router and then use that as a sort of no mans land, and put your home
> brew router between that and the machines you are serving
>
> so OpenReach thing ->New Router -> ClearOS Nic 1 -> Clear OS Nic 2-->
> internal switch.
leen...@yahoo.co.uk
Sep 29, 2021, 3:02:22 AM9/29/21
to
On Tuesday, 28 September 2021 at 15:03:05 UTC+1, The Natural Philosopher wrote:
> On 28/09/2021 09:55, Theo wrote:
> > In answer to your other post, internet and local traffic aren't mixed on
> > interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> > the router's 'LAN' interface. Your public IP might be assigned by your ISP
> > to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> > assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> > the internet tried to send a packet to 192.168.0.x
> It would simply *never arrive* as there are no public routes for private
> networks
> < it would come in on your
> > WAN port but there would be no means for it to reach your LAN port and so it
> > would get thrown away.
> If it did come in, but it cant.
> > It is not a 'party line' arrangement where anyone
> > apart from the router can pick up internet traffic: it all has to be relayed
> > through the router, which is subject to your firewall rules.
> And it all has to be routed through the public internet, which only
> knows one public address of your router - the '22.33.44.55' in your
> example,
>
> The way to set this up is to have the immediate local side of the router
> at 192.168.0.x and e.g set a default route un that router to tell it
> that the way to 192.168.100.x is via the clearos NIC1 i.e.192.168.0.10
> for example
Sorry not quite sure what you mean by this. Using your subnets, the current setup I have is...
> On 28/09/2021 09:55, Theo wrote:
> > In answer to your other post, internet and local traffic aren't mixed on
> > interfaces. Your local traffic might be 192.168.0.x, which is assigned to
> > the router's 'LAN' interface. Your public IP might be assigned by your ISP
> > to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's
> > assigned to your 'WAN' interface. The interfaces aren't connected, ie if
> > the internet tried to send a packet to 192.168.0.x
> It would simply *never arrive* as there are no public routes for private
> networks
> < it would come in on your
> > WAN port but there would be no means for it to reach your LAN port and so it
> > would get thrown away.
> If it did come in, but it cant.
> > It is not a 'party line' arrangement where anyone
> > apart from the router can pick up internet traffic: it all has to be relayed
> > through the router, which is subject to your firewall rules.
> And it all has to be routed through the public internet, which only
> knows one public address of your router - the '22.33.44.55' in your
> example,
>
> The way to set this up is to have the immediate local side of the router
> at 192.168.0.x and e.g set a default route un that router to tell it
> that the way to 192.168.100.x is via the clearos NIC1 i.e.192.168.0.10
> for example
ISP Router (192.168.0.0) -> Clear OS NIC 1 (192.168.0.1) -> Clear OS NIC 2 (192.168.100.0) [DHCP server serves 192.168.100.xxx addresses to all devices] -> switch (192.168.100.1)
There is nothing else on the 192.168.0.xx subnet.
Looking at this PC, the ClearOS server has given it 2 DNS servers, 192.168.100.0 (so assume ClearOS then routes anything on 192.168.0.xxx to the other NIC) and 8.8.8.8 (Google DNS - which is the primary DNS set up on the ISP router so assume ClearOS has passed this on)
>
> Clearos doesn't need NAT - it is simply routing between 192.168.0.0 and
> e.g. 192.168.1.0 networks.
>
> Provided the main router recognises that source addresses on te
> 192.168.1.0 network are something it can reach via the NIC interface
> 192.168.0.10 on the clearos, it will happily set up proxy NAT ports for
> them.
>
> That is, any number of machines on different networks can be NATTED by
> the main router as long as it knows that they exist on valid networks
> connected directly or indirectly to its LAN interface.
>
> You merely need to set up STATIC routes in it, pointing to the NIC IP
> address of whatever router connects the main router to that network
If I understand your point correctly, I believe I have achieved this by setting the DNS server on downstream routers (i.e. the various ones around the house I use as Wifi hotspots) by setting their DNS server to be 192.168.100.0
> Provided the main router recognises that source addresses on te
> 192.168.1.0 network are something it can reach via the NIC interface
> 192.168.0.10 on the clearos, it will happily set up proxy NAT ports for
> them.
>
> That is, any number of machines on different networks can be NATTED by
> the main router as long as it knows that they exist on valid networks
> connected directly or indirectly to its LAN interface.
>
> You merely need to set up STATIC routes in it, pointing to the NIC IP
> address of whatever router connects the main router to that network
>
> All the subsidiary router needs to do is DHCP, since that doesn't
> propagate across networks. It uses Ethernet broadcast, not IP as such.
> And it also needs to ROUTE via the router LAN address, so port
> forwarding needs to be on an a static default route pointing to the main
> router be set up
>
> So on the main router
>
> Disable DHCP server
> Retain DHCP client for WAN IP address from ISP.
Yep this is same as current setup
> All the subsidiary router needs to do is DHCP, since that doesn't
> propagate across networks. It uses Ethernet broadcast, not IP as such.
> And it also needs to ROUTE via the router LAN address, so port
> forwarding needs to be on an a static default route pointing to the main
> router be set up
>
> So on the main router
>
> Disable DHCP server
> Retain DHCP client for WAN IP address from ISP.
> Enable NAT.
Assume this is done by default in the EE router as can;t see it has the ability to switch it on/ off
> Add static route to private network via clearos machine
>
> On clearos machine,
>
> set up static addresses to the 192.168.0.0 network and 192.168.1.0 network
> set up static default route to the Router LAN address
again not sure what this does. As I recall (couldn't find it in the ClearOS UI for some reason) on ClearOS NIC 1, I have set up the DNS server to be the ISP router. i.e. if it knows nothing about it forward to the ISP router to deal with
> set up DHCP server to deal with the 192.168.1.0 network. use the clearos
> 192.186.1.x interface as the default route to be handed out via dhcp
> set up DNS to be whatever - ISPs DNS server, maybe the router LAN
> address, or even the clearos box itself if its running a DNS server
> enable port forwarding so it can route, if this is not on by default
The Natural Philosopher
Sep 29, 2021, 6:16:42 AM9/29/21
to
On 29/09/2021 07:32, leen...@yahoo.co.uk wrote:
> On Tuesday, 28 September 2021 at 14:40:10 UTC+1, The Natural
> Philosopher wrote:
>> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
>>> whether I could/ should put the new router after the ClearOS
>>> box. i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 ->
>>> New Router -> internal switch.
>> No. The new router will expect to be the primary gateway and will
>> need to pick up its IP address using DHCP from the ISP.
>>
>> Now you might be able to replace it with something home brewed, but
>> dont expect any support from the ISP if you do.
>
> Fair point but assume that would be the case if I used any router
> other than the one they provided? When I get support from EE
> (current provider) they are able to "log in" to my router to get info
> etc.
Well to be honest most ISPs will support a fair number of well known
> On Tuesday, 28 September 2021 at 14:40:10 UTC+1, The Natural
> Philosopher wrote:
>> On 28/09/2021 07:55, leen...@yahoo.co.uk wrote:
>>> whether I could/ should put the new router after the ClearOS
>>> box. i.e. OpenReach thing -> ClearOS Nic 1 -> Clear OS Nic 2 ->
>>> New Router -> internal switch.
>> No. The new router will expect to be the primary gateway and will
>> need to pick up its IP address using DHCP from the ISP.
>>
>> Now you might be able to replace it with something home brewed, but
>> dont expect any support from the ISP if you do.
>
> Fair point but assume that would be the case if I used any router
> other than the one they provided? When I get support from EE
> (current provider) they are able to "log in" to my router to get info
> etc.
routers.
Look there is nothing to stop you stepping off the 'well supported, like
everyone else does it' platform provided you understand the consequences.
You can roll your own twin NIC router and do everything you need on it
and simply sell the EE router on Ebay.
What you will have to do on it, is set the WAN up using login
credentials with PPPOE - just as you would with ADSL - and with DHCP to
get the IP address and nameserver and default route for that interface
from your ISP.
Then you need to set up static IP address for the router LAN interface,
and a DHCP server attached to that interface, and a NAT setup to allow
internal machines internet access.
Then because you will now have VOIP client *inside* the network, you
need to set up VOIP and STUN servers and stuff like that which I simply
cant advise on, because I let my router do all that.
And you will need to buy some form of VOIP phone or server, and get EE
to release their VOIP login credentials, or use a different VOIP service.
Now I *could* probably do all that, I have the technical background, but
it would probably take me several days. When I used a draytek router I
phoned tech support at IDnet and they told me the very few things I
needed to do to connect via fibre. Took 30 minutes.
It's a sort of 'do you feel lucky today, punk' sort of scenario.
I didnt feel lucky. I have a box designed to do all that and make it
easy for support and its perfectly capable as it happens of doing
probably everything you want.
In short you probably dont need a home brew solution at all. Or if you
do, stick it behind the supplied router where the problems are less.
That's why I recommend you keep the supplied router and monkey around
behind it to create your internal networks.
Duplicating all its functionality is quite a lot of work
But if you want to do it, you can of course.
I think you can even get PC cards with telephone interfaces and run your
own VOIP
--
Microsoft : the best reason to go to Linux that ever existed.
The Natural Philosopher
Sep 29, 2021, 6:21:53 AM9/29/21
to
as it is then.
Trying to put clearos UPstream of the ISP router is opening a large can
of worms, not to say pandoras box.
You then need to handle NAT, PPPoe, VOIP, DHCP client and probably DNS
proxy on the ClearOs
If you need to ask, you probably can't.
--
“The ultimate result of shielding men from the effects of folly is to
fill the world with fools.”
Herbert Spencer
Roger Hayter
Sep 29, 2021, 8:37:16 AM9/29/21
to
On 29 Sep 2021 at 11:16:37 BST, "The Natural Philosopher"
He can use ClearOS for PPPOE but there are a couple of snags. I did the same
with CentOS, probably unwisely. He will need to alter the config to use a
kernel module for pppoe processing as the user-space code is too slow for
FTTP. And if ClearOS uses an old version of rp-pppoe he will probably need to
change the whole network to an MTU of 1492 or recompile rp-pppoe with some
editing.
--
Roger Hayter
with CentOS, probably unwisely. He will need to alter the config to use a
kernel module for pppoe processing as the user-space code is too slow for
FTTP. And if ClearOS uses an old version of rp-pppoe he will probably need to
change the whole network to an MTU of 1492 or recompile rp-pppoe with some
editing.
--
Roger Hayter
leen...@yahoo.co.uk
Sep 29, 2021, 8:44:06 AM9/29/21
to
John Rumm
Sep 29, 2021, 9:08:00 AM9/29/21
to
On 29/09/2021 07:28, leen...@yahoo.co.uk wrote:
> <snip>
>
>>
>> The ethernet on the ONT is probably presenting a PPPOE connection.
>> So the router that connects to it needs to be configured to feed
>> you login credentials for the ISP to that to start the connection.
>> Once that is done, you basically have what is in effect a very fast
>> single "dial up" style connection to the internet.
>
> Mmmm if it does log in like the ADSL one does then I guess that
> probably scuppers my theory about not needing the ISP router and
> using ClearOS instead as not sure it supports that.
You certainly don't need the ISPs router (I did not request one with my
> <snip>
>
>>
>> The ethernet on the ONT is probably presenting a PPPOE connection.
>> So the router that connects to it needs to be configured to feed
>> you login credentials for the ISP to that to start the connection.
>> Once that is done, you basically have what is in effect a very fast
>> single "dial up" style connection to the internet.
>
> Mmmm if it does log in like the ADSL one does then I guess that
> probably scuppers my theory about not needing the ISP router and
> using ClearOS instead as not sure it supports that.
FTTP, and just connected the ONT directly to the WAN2 socket on my
Draytek, with that WAN configured as a PPPoE connection.
The more doubtful bit is why use your own router (ClearOS) *and* the
ISPs router?
>> To make that useful for a network you then need a router (with all
>> the usual firewall, and NAT capabilities).
>>
>> So if you want to slip another router in between the ONT and the
>> supplied router, you will need to either configure it to fit the
>> expectations of the other bits of kit, or alter the configuration
>> of the other bits of kit to allow for it being there.
>>
>> What facilities of the clearOS box do you actually need/use that
>> are not provided by the supplied router?
>
> That is the million dollar question :) All I use at the moment is
> really DHCP and DNS. I tie devices to static IP addresses and also
> give them sensible names (e.g. LoungeTV) etc. In the current setup,
> the backup running takes a huge chunk of my small upload speed and
> tends to impact other devices so in theory being able to limit that
> would be good but.... I never did it and the new FTTP would be ample
> I suspect so maybe not needed.
DHCP and some IP address reservations are supported on most.
SH
Sep 29, 2021, 9:47:16 AM9/29/21
to
socket on it.
I set up a Pi Hole and a Pi VPN and a Ubiquiti wifi network
I disabled DCHP, DNS and IP v6 in the VF router.
So the Pi hole now handles DNS + DHCP
The Pi VPN handles wireguard connections to all my mobile devices when
they are using public wifi.
The Ubiquitis have a custom IP whitelist.
My next step is to add a Edge Edgerouter X so then I can set up a DMZ, a
Wifi net for the ipads/iphones, a wired net and one for IoT / media
streamers attached to TV sets.
The Natural Philosopher
Sep 29, 2021, 9:48:51 AM9/29/21
to
But it does reinforce my point. It wont be an easy ride, but using a
supplied router will be.
--
“Some people like to travel by train because it combines the slowness of
a car with the cramped public exposure of an airplane.”
Dennis Miller
The Natural Philosopher
Sep 29, 2021, 9:56:06 AM9/29/21
to
On 29/09/2021 13:44, leen...@yahoo.co.uk wrote:
> On Wednesday, 29 September 2021 at 11:21:53 UTC+1, The Natural
> Philosopher wrote:
>> I would simply replace/reprogram the ADSL router and leave
>> everything as it is then.
>>
>> Trying to put clearos UPstream of the ISP router is opening a large
>> can of worms, not to say pandoras box.
>>
>> You then need to handle NAT, PPPoe, VOIP, DHCP client and probably
>> DNS proxy on the ClearOs
>>
>> If you need to ask, you probably can't.
>>
> Philosopher wrote:
>> I would simply replace/reprogram the ADSL router and leave
>> everything as it is then.
>>
>> Trying to put clearos UPstream of the ISP router is opening a large
>> can of worms, not to say pandoras box.
>>
>> You then need to handle NAT, PPPoe, VOIP, DHCP client and probably
>> DNS proxy on the ClearOs
>>
>> If you need to ask, you probably can't.
>>
> Yeah when I heard above it was an ethernet connection from the ONT I
> hadn't realised it was still PPPoe and needed authenticating etc. So
> all in all definitely not worth getting rid of the new Vodafone
> router. Question is now whether it is worth keeping ClearOS (or
> replacement) or just use the router.
>
Depends on whether you want to play with lots of networks and firewalls
> hadn't realised it was still PPPoe and needed authenticating etc. So
> all in all definitely not worth getting rid of the new Vodafone
> router. Question is now whether it is worth keeping ClearOS (or
> replacement) or just use the router.
>
and so on.
For educational purposes do it.
For simply arriving at a solid secure network that 'just works' and has
some ISP support, don't touch it
I've got a NATTED network with public SSH and HTTPS connections to a
server on it.
I haven't checked to see if its being attacked by ratware, but its never
been compromised. Despite having several holes in its firewall - but
then I am on a fixed public IP address so can set simple firewall rules.
The thing that cases most unwanted network traffic is Skype :-)
leen...@yahoo.co.uk
Sep 29, 2021, 1:16:07 PM9/29/21
to
The Natural Philosopher
Sep 29, 2021, 1:58:33 PM9/29/21
to
On 29/09/2021 18:16, leen...@yahoo.co.uk wrote:
> I couldn't find the ability to reserve IP addresses nor add names but
> will take a closer look as it may be hidden somewhere in the menus -
> or I was not looking properly:)
It's generally under 'DHCP configuration'
> I couldn't find the ability to reserve IP addresses nor add names but
> will take a closer look as it may be hidden somewhere in the menus -
> or I was not looking properly:)
You should have the ability to:
(a) Restrict DHCP to a limited range of addressed so you can set static
addresses in the unused range and/or
(b) Issue DHCP addresses based on the clients MAC address.
Normally names are pushed to the server from the *client*.
So in cartoon form the client does an *Ethernet* broadcast saying I am
called 'fred' and my MAC addess is xx:yy:aa:bb:cc and the DHCP server
responds with a message to 'xx:yy:aa:bb:cc' saying
here's an IP address, netmask, default route, and DNS you can use for
the following period. If it has an entry for 'xx:yy:aa:bb:cc' it will
issue that IP address, otherwise it's round robin from the pool of
allowable IP addresses
The router will store the clients name IP address and Mac address and
lease time, so has the *potential* if its doing DNS proxying, to also be
able to tell you on what IP address 'fred' resides.,
--
It’s easier to fool people than to convince them that they have been fooled.
Mark Twain
leen...@yahoo.co.uk
Sep 29, 2021, 5:04:29 PM9/29/21
to
0 new messages