IPFire as a main router instead of ISP router

I intend to change my Internet provider. So far the firewall has been working behind the ISP router. The ISP router was not in BRIDGE mode and the Internet access was working as a double NAT. I will note that everything works fine without any problems. My question right now is whether it is worth using the router from the new Internet provider and configuring it in bridge mode or should I set the firewall as the main and only router and without the ISP router?
Can IPFire even work as a main router?

Yes it can and it should. That is how I am using it.

My ISP has a fibre connection to the building and has installed a RJ45 Ethernet port in which I just plug in my IPFire Mini Appliance. No extra stuff, no cheap hardware and broken software in between.

I can reach 1.1.1.1 in around 0.9ms.

4 Likes

Is PPPoE vLAN enabled supported? Some ISPs require this setup for WAN/Red.

This is where IPFire works best.

I suggest having IPFire as close to the edge as possible, but on the edge is best.

Double NATs or ISPs which use CG-NAT add additional hops out to where the internet is.

As @ms said it’s pretty common to get <1ms pings to Cloudflare’s DNS with IPFire. Even with the additional security and features that IPFire brings.

And it’s free. But you should donate.

Thanks,
A G

4 Likes
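
One way to check for the double NAT or CG-NAT situation mentioned in the post above, as an added example that is not part of the thread: it classifies the RED address and the hops of a `traceroute -n` run on the IPFire box itself. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 6598 shared address space (used by carriers for CG-NAT) and RFC 1918 private ranges.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches a numeric hop line of `traceroute -n`; "* * *" lines and the header do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def parse_hops(trace_text):
    return [(int(m.group(1)), m.group(2))
            for m in map(HOP_RE.match, trace_text.splitlines()) if m]

def assess(red_ip, trace_text):
    """Report NAT layers between the firewall's RED interface and the internet."""
    findings = []
    red = classify(red_ip)
    if red == "private":
        findings.append("double-nat")  # an upstream router translates again
    upstream = []
    for _, addr in parse_hops(trace_text):
        kind = classify(addr)
        if kind == "public":
            break                      # first routable hop: stop counting
        upstream.append(kind)
    if red == "cgnat" or "cgnat" in upstream:
        findings.append("cg-nat")
    return {"red": red, "findings": findings, "hops_before_public": len(upstream)}

# Constructed sample: IPFire behind an ISP router that itself sits behind CG-NAT.
SAMPLE_TRACE = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.41 ms  0.39 ms  0.38 ms
 2  100.64.0.1  2.10 ms  2.05 ms  2.20 ms
 3  * * *
 4  203.0.113.9  3.30 ms  3.10 ms  3.20 ms
 5  1.1.1.1  3.90 ms  3.80 ms  3.85 ms
"""

if __name__ == "__main__":
    print(assess("192.168.1.2", SAMPLE_TRACE))
```
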

Once upon a time I purchased my own xDSL modem and replaced the one provided by the ISP so I guess this is the same approach?

Thing is my ISP owns the box via which I receive the signal. It is a CPE (Customer Premises Equipment) Optical Network Terminal which is owned by the network provider, which in my case is not the same as the ISP.

Looks something like this:

and has the Fibre slot on the rear:

So connecting that Fibre cable directly to my IPFire box- bypassing the above mentioned equipment - is actually recommended?

The ISP box is 10 years old and I did ask about an upgrade/replacement but my ISP told me it would be same-same since they are very basic.

Also I lack a Fibre jack in my IPFire server, so I guess I need some kind of adapter from Fibre to RJ45.

But, again, totally doable and also recommended.. ?

The two fibre based ISP’s that I have used have both provided a mode converter box which converts the optical signals into Ethernet signals. I then just plug in my IPFire into that mode converter’s rj45 socket and am able to directly connect with my Public IP.

I have the ISP’s provided white box stored in my attic in its cardboard box.

In The Netherlands the ISP’s are not allowed to prevent you from using your own firewall/router but they only have to provide you with the barest minimum of information for how to connect.

Your picture looks like your ISP has combined a mode converter with a white box router/firewall.
Check if you can put that into bridge mode.

You can buy those. I have had one from Optcore and I believe TP-Link also have them.
You just need to find out if you need a single mode or multi mode fibre connection on the converter but I think the colour of the connector tells you which you have. They come in Green or Blue but I can’t, off the top of my head, remember which is which.

EDIT:
Sorry, it is not the connector colour, it is the cable colour.
Yellow is single mode, blue, green and orange are three slightly different types of multi mode cable.
So just look at the colour of the fibre pigtail going into your box.

Mine are yellow, so single mode.

3 Likes

Internet access can have many techniques. The ISP or network provider should support you with a device that converts its transport medium to plain Ethernet.
This device should be in property of this provider, IMO. The provider sells you internet access with a given speed. He is responsible to supply this and therefore is interested in a functioning HW.

This HW depends on transmission technique. Mostly it is a modem, many routers emulate this with ‘bridge mode’.

With the medium access device belonging to the provider, it is important to locate the router/firewall function in client-owned device. The owner of a device can configure it and I don’t want that my ISP shapes my firewall, possibly by blocking some sites.

I know this is theory. But the practical solution should be oriented by this.

BR,
Bernhard

1 Like

Had an opportunity to talk to my ISP about this. Very good talk, interested guy, tech savvy and also interested in “custom” home solutions. It is wonderful when you hit it up with the right personality in a customer support call…

In any case, while understanding me wanting to put the fiber directly into my IPFire box, he was reluctant. There should be nothing to actually stop me from doing it, but from his point of view he could not really give a concrete opinion, since he and Telenor, the provider, only supply data access and for the infra as such, the boxes, one has to get in touch with another provider, the ones responsible for the fiber and connectivity, which in my case would be Telia, similar to Deutsche Telekom providing the fiber and copper for ISP’s in Germany.

So, looking for approval is not that easy, just doing it and later apologize seems a quicker way. :grimacing:

How is your contract exactly defined? What delivers your ISP where?
May be an additional way of argumentation.

My ISP, for example, delivers a certain bandwidth at the ethernet interface. To accomplish they usually supply you with a DOCSIS router. But you can switch it in bridge mode, which is nearly identical to a dumb DOCSIS modem.

This solution has its advantages and disadvantages.
The IpFire is behind an additional filtering device. In the event of a connection malfunction, the ISP is responsible for the entire connection.
You don’t need to run a PPPoE session on the IpFire if one is required. If the IpFire is connected directly without an ISP device, you use less power.

Generally, I think it’s possible to connect the IpFire without the ISP device. The only requirement is the appropriate physical interface.

I had to look up things.

A DOCSIS seems to be short for Data Over Cable Service Interface Specification, which is used for coaxial connections via Cable TV providers.
(Yes there are those in Sweden as well, but I never used any, went from xDSL to Fiber)

So it does not seem relevant to the matter.

Up to that device, yes. It is not responsible for any connections after that device.

And it is exactly that I am - slowly - figuring out, namely skipping the ISP device and connecting the provided Fiber directly to my IPFire Router. Having said that I also looked up what I might need in order to do so, and considering I have no SFP port in that server I would need an additional SFP NIC or a converter.

Oh, and no PPPoE.