著者: Simon 日付: To: Devuan ML 題目: Re: [DNG] What are you using for a firewall/router
onefang <onefang_devuan@???> wrote:
>> In the past, I’ve run a Debian box (pre-systemd) and Shorewall.
>> However, Shorewall is fundamentally linked to iptables which has been replaced by nftables. AIUI there are no plans to rewrite it for nftables, so for now it carries on using the iptables compatibility layer to take iptables commands.
>>
>> At some point I’ll be needing to consider alternatives ...
>
> I'm in the same position, using Shorewall and soon to be considering
> nftables based alternatives. "Just use plain nftables" is on the table.
Indeed, with a bit of thought and learning it’s possible to do it at that level. But, for the benefit of those who haven’t worked with Shorewall, that abstracts things in such a way that you can do complicated things in a much nicer way - without abstracting to the point where features start becoming impossible to use.
altoid via Dng <dng@???> wrote:
>> ... using a basic (ISP supplied) router which "has it´s issues".
>
> I am/will soon be be more or less in the same situation ie: ISP
> supplied fibre link router which, as far as I know, cannot be
> replaced by another one.
>
> Without going off topic, I'd appreciate your briefly commenting on
> what your options are.
That depends a lot on your ISP.
Here in the UK, many ISPs are fairly relaxed - you can use their router (preferred option) in which case things will mostly “just work”, or you can bring your own and put the details in (typically CHAP & PPP for xDSL connections). Some though don’t allow that and won’t supply the connection details. But if you are allowed to use your own router, once you have the connection details (CHAP username & password), you can either use a router with built in modem, or a standalone modem and a router with ethernet connection - the latter can easily be a generic Linux/FreeBSD/${other_favourite} with suitable network & firewall config (done a few of those with Debian & Shorewall).
Those using cable connections typically have to use the ISP provided equipment because it’s not a P-P link, it’s a shared medium and it needs all the equipment to behave properly for things to work smoothly. To an extent that’s still the case with fibre as they share a single fibre between multiple end users using frequency and/or time multiplexing (i.e. different colours of light and/or breaking things up into multiple time slots for the different end users) - and again, if the end equipment doesn’t behave then it can take out the service for multiple users.
Here in the UK we’re in the middle of a massive rollout of fibre with the incumbent physical service provider for most people, BT OpenReach (BTOR). Their service uses TDM to put up to 32 users on one fibre - so it’s mandatory to use their NTE (network terminating equipment) which is just a fibre-copper ethernet converter with a bit of “smarts” to play nicely in the shared network. So as with xDSL above, you can plug whatever router you want into it and configure it as you want - subject to your ISP letting you have the credentials.
As a slight detour ... Here in the UK, the majority of us are served by BTOR who have the ducts, poles, cables, etc between the exchange buildings and end users. They don’t provide any services, those are provided by others who rent the infrastructure from BTOR on a line by line basis - e.g. I’m currently (until my contract expires) with Plusnet, Plusnet provide the internet part up to some interchange with BTOR, BTOR provide the cable to my house, the analogue phone service, the VDSL service, the backhaul for the data as far as the interconnect with Plusnet.
There are other providers, and some of those (especially the smaller ones) tend to provide a fibre per end user.
And of course, in some areas there’s a cable service - the biggest being Virgin Media (or Vermin as some call them as they have a mixed reputation for customer service).
So for many of us, it’s simply a case of hooking up a modem (for xDSL) and running PPPoE on your Linux box, or using the physical provider’s fibre-copper converter and hooking up an ethernet connection to that (I don’t know yet what protocol layers they use).
If you are in a position where you have to use the provider’s equipment, there are several sub options.
I believe Virgin cable routers can be put into modem mode. This means they do no processing/filtering/mangling on your IP packets, and you plug your own router into that and configure as required. Other providers may have something similar.
If modem mode isn’t an option, then there is still hope.
You can just plug another router into the ISP one - but then you have two levels of NAT, and IPv6 could be interesting. The ISP router is still doing NAT, and still controlling traffic - you may be able to tell it to just forward all inbound traffic to one IP (that of your own router) and open up the firewall - that makes things a bit easier but there’s still two levels of NAT.
Or, you could configure your router to not do NAT. That relies on being able to tell the ISP router to route all traffic for (say) 192.168.123.0/24 via your router and use 192.168.123.0/24 internally (still (say) 192.168.1.0/24) on the ISP’s router), the ISP router still does NAT, but you don’t add your own layer.
Hmm, I didn’t plan on that being so long, but I hope it covers what you wanted to know !
Martin Steigerwald <martin@???> wrote:
> Actually I think VoIP is a huge big complex mess.
Yes and no - a lot of the mess is down to “not so good” implementations !
> My ISDN phone with
> answering machine just worked out of the box. And I wonder why it appears
> to be a good idea to anyone to provide phone services through the same
> network as the Internet. Before I at least had a chance to have working
> phone on internet breakages.
You are not alone in questioning that. But it is the way we are going.
During the early days of FTTP trials with BT in the UK, they actually split the voice side out at the NTE - so you had a fibre coming into a box, and on the side of the box was an ethernet port for your internet and a phone port for your phone. Behind the scenes, they did something like VLAN to keep them separate - and with them controlling both ends it made it reliable (and the early units also had space for some batteries to keep the phone working for an hour or two if the power was off).
Now it’s just a plain ethernet IP service, and you provision your own voice (if you want it). Many ISPs will provide their own routers and hide all the complexity from customers - so you buy your service from ${ISP}, plug your computers into the ethernet ports (or WiFi) and your phone into the phone port, and it “just works”.
Fibre should be more reliable. One of the reasons for us ditching the copper and going (notionally) all fibre is that it’s cheaper to maintain and more reliable. But as you say, there’s an element of “all eggs in one basket”.