Router/Firewall home lab build for my dumb ISP very picky rules

Playing about with “the good stuff” is fun though!

Was just an idea, turns out you would need a rackmount appliance to handle 10Gbit on a single interface (at least from Sophos).


YOLO all the way I guess. I love it.

Well. I already have some of “the good stuff” on the server side, kinda old (E5 v2; v3 and up is double the price on the SH market), but I don’t run all of them 24/7 because I’m away from home (reason why I like VPN functionality). And about rackmount… I wanna DIY a super sketchy “rack” (rails move around $120 a set, and racks, boy oh boy).

The point I was trying to make (which I didn’t do an excellent job on) is that not every router can run bridge mode (it depends on whether the firmware of the router has that option). A few months ago, @Shadowbane and I tried to help a fellow forum member avoid a double NAT situation. The result was that he would need to reflash his router’s firmware to get the ability to enable bridge mode; he couldn’t figure out how he could attach the pfSense device to the ONT, and his ISP refused to do whatever was needed on their end. The only success we had in trying to help this fellow forum member was putting the WAN interface of the pfSense computer directly on the internet. Still, he wanted to replace his ISP-provided device with the pfSense server, which couldn’t be done for some reason. Unfortunately, we don’t have any way of validating his statements.

Oh, I got it. His situation is really grim, if it is as he said. In my case, for under 1GbE, if you want to go with your own hardware, they install a box that converts fiber to RJ45, and for 2.5 and 10GbE it comes with a “wifi router”. For example this at 10GbE, and the technician would assist you if you don’t know how to put it in bridge mode. The only limitation is the fact that you need the ONT, as they call it, because the conversion from SFP+ to RJ45 needs to do the software handshake with the ISP distribution equipment. Word on the street is that some will try to sniff the packets sent and use a custom GPON transceiver, but that, for now at least, is a far dream.

Anyway, I don’t want to throw shade on the person you’ve tried to help, but his story is a bit… off, from my point of view.


If it allows static routes, I think in theory you can set your ISP’s IP to something like 10.10.0.0/16 and set your own to 10.10.1.0/24, then just have a static route
(for the record I could be totally 100% wrong, still super rusty network-wise, so a confirmation or a denial would be appreciated) so you don’t need to double NAT.

I figured it was; I told his story to explain what I meant by my statement about bridge mode. I am finding this thread very interesting, and I want to encourage you to let us know how it goes. I would be very interested in learning more, especially about the installation. That is, if you are willing to share.


Well, I’ve done some research about that. In my corner of the world, due to the fact that any plan offered by any ISP is cheap, right now they are making it so that it runs over fiber, no more coaxial (MoCA I think it is called), and some say that they might run out of IPs (?).

Anyway, they use PPPoE, which dynamically assigns IPs. For static IPs you need to pay a premium, so they were kind enough to offer Dynamic DNS for free.

Oh, I’m definitely down for sharing and I’ll try to do that. But right now, I need to sort some things out and let things settle, so it might take a while until I can do a follow-up. I hope no more than 2 months.

That’s unrelated. 10.10.1.0/24 is a private subnet, not a public one. You’re pretty much always going to have 1 NAT; this would be the one at the ISP modem, for your private network, not theirs. Dynamic IP isn’t a problem for this, since your public IP is dynamic, not your private one (unless you want your network to be spicy).

Oh, yeah. I was so focused on the PPPoE stuff that I read between the lines, and now it makes more sense (I’m more used to 172.16.x.x and 192.1.x.x and forgot about 10.10.x.x). For sure I’m gonna “banish” it to a different subnet. I want to be able to forget its IP (as in not messing with it after final configuration) :rofl:.

What is probably happening is your ISP is running out of public (internet-facing) IP version 4 addresses. Each ISP is assigned a specific block of public IP version 4 addresses; when that runs out, they have two choices: either switch to CNAT or only offer IP version 6 addresses to their new customers.

I don’t know for sure, but it sounds like your ISP is already using CNAT or something similar because I have heard that a company can’t give you one public-facing static IP for free and offer Dynamic DNS for free; they are using CNAT or something like it. My current ISP is using CNAT; I probably could get one static IP address, but when Shadowbane and I switched from Cincinnati Bell to Spectrum, we were trying to lower our telephone bill.

That’s exactly what they are doing.

They are offering free DDNS based on your PPPoE credentials for sure. The reason I know that is because they have PDF instructions on how to configure it to be able to access your wifi camera.

But anyway. That is a headache for another time, after I make the bloody thing work :grimacing:


Oh I wasn’t thinking of putting a router in a VM on 3600, …but you could do that too, I guess.

I’d do a bare metal router, and maybe put some stuff in VMs or containers on it, like pihole or adguard, or caddy, or nginx.

@risk if @CronosMade decided to virtualize his router, couldn’t he install Proxmox on bare metal and then virtualize whatever router software he chooses to use?

He/She/They can do what he/she/they wants :slight_smile: … router in a VM would definitely work, but I think you get more opportunities for things to go wrong on a box that does a lot of things, than on a box that does fewer.

So, if all you need is a router, maybe some basic DHCP and DNS on a VLAN or two, some iptables/nftables/pftables… I wouldn’t really bother with any of the VM stuff.

Best bet is to find a way around the ISP provided router, if it’s a standard ethernet connection (SFP connector) it’s highly likely you can, it may just require some detective work to get the right vlan / PPPoE details (Wireshark is your friend)

If you can provide some photos of the router (blur out any serial numbers or MAC addresses) I’m sure someone here can advise you on a good network card to work with the connection you have.

If the media from the ISP is fiber, most likely it will require an SFP port that can handle PON standards, and that may not be easy.
Which ISP/country are we talking about anyway ?
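Decoding the "VLAN / PPPoE details" mentioned above from a capture, as an added example (not code from anyone in this thread): a small parser for an 802.1Q-tagged PPPoE Discovery frame that extracts the VLAN ID and the PPPoE tags (Service-Name, AC-Name) a replacement router would need to be configured with. The sample PADO frame, its MAC addresses, VLAN 35 and the AC name "example-bras" are all constructed for this example, not taken from a real capture.

```python
"""Added example: decode an 802.1Q-tagged PPPoE Discovery (PADx) frame.

Assumptions: the sample frame built below is constructed test data; the
MAC addresses, VLAN 35 and AC name "example-bras" are made-up values.
"""
import struct

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag
ETHERTYPE_PPPOE_DISC = 0x8863  # PPPoE Discovery stage (RFC 2516)

PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPPOE_TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name",
              0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}


def build_sample_pado() -> bytes:
    """Construct a tagged PADO frame (constructed test data, not a capture)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    ac_name = b"example-bras"
    tags = (struct.pack("!HH", 0x0101, 0)                      # empty Service-Name
            + struct.pack("!HH", 0x0102, len(ac_name)) + ac_name)
    pppoe = struct.pack("!BBHH", 0x11, 0x07, 0, len(tags)) + tags  # ver/type, code, session, len
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, 35, ETHERTYPE_PPPOE_DISC) + pppoe


def parse_pppoe_discovery(frame: bytes) -> dict:
    """Return the VLAN ID (None if untagged), PPPoE code name, session id and tags."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip dst/src MAC
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    if ethertype != ETHERTYPE_PPPOE_DISC:
        raise ValueError(f"not a PPPoE Discovery frame (ethertype 0x{ethertype:04x})")
    if len(frame) < offset + 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    offset += 6
    payload = frame[offset:offset + length]
    if len(payload) < length:
        raise ValueError("truncated PPPoE payload")
    tags = {}
    pos = 0
    while pos + 4 <= len(payload):
        tag_type, tag_len = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if tag_type == 0x0000:  # End-Of-List
            break
        value = payload[pos:pos + tag_len]
        if len(value) < tag_len:
            raise ValueError("truncated PPPoE tag")
        pos += tag_len
        name = PPPOE_TAGS.get(tag_type, f"tag-0x{tag_type:04x}")
        tags[name] = value.decode("utf-8", errors="replace")
    return {"vlan_id": vlan_id,
            "code": PPPOE_CODES.get(code, f"0x{code:02x}"),
            "session_id": session_id,
            "tags": tags}


if __name__ == "__main__":
    print(parse_pppoe_discovery(build_sample_pado()))
```

In practice the bytes come from a capture taken on the ISP-facing interface; the VLAN ID and AC-Name from a PADO are the values to carry over into the replacement router's WAN settings, while Host-Uniq and AC-Cookie are per-session and not worth recording.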

It is SFP+. And I don’t need those. Especially if it is for bridge mode. They have given away the credentials since 2004, when wifi wasn’t a thing yet, in case you wanted to change the PC that it was connected to.

It’s an XGPON module. But that is the easy part. The word on the street is that they use a special handshake when the connection is made with some device on their side, that allows connection to ethernet, and it is made from the modem box. Now, I don’t know how much of that is true, because it is a slow process to get this service ATM. Some folks said that they are going to try some funny things after they get their equipment :rofl:

not from Spain tho =)))