LAN internet access issues with new fibre connection

Forums › New Zealand Broadband › LAN internet access issues with new fibre connection

Contrary

5 posts

Wannabe Geek

#289921 9-Oct-2021 11:02

Hi, I have recently upgraded my DSL connection to UFB and now have trouble accessing the internet from my wired network. My expectation was the ONT and new router (NF18MESH) combination would be drop-in replacements for the DSL modem, but this hasn't been the case.

My wired network is a separate subnet connected to the router via a Linux gateway. The router subnet is 192.168.1.0/24 and the wired 10.10.10.0/24. The Linux gateway has a NIC on each network (192.168.1.10 and 10.10.10.10). Wireless devices connected to the router can access the internet, as can wired devices when I connect them directly to the router. The Linux gateway can access the internet itself, but other machines connected via the Linux gateway cannot.

With the DSL connection I only had to configure a static route on the modem to route 10.10.10.0/24 to the Linux gateway via 192.168.1.10. The same static route has been applied on the fibre router.

My ISP is Slingshot and fibre provider is Enable.

I'm unsure where to go looking. Is there something fundamentally different with a UFB setup? Any pointers appreciated.

Thanks,
Dave

Spyware

3761 posts

Uber Geek

Lifetime subscriber

#2792147 9-Oct-2021 11:26

Are you running NAT on linux box?? Otherwise add static route to router 10.10.10.0 255.255.255.0 gw 192.168.1.10

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.

aseni

52 posts

Master Geek

#2792151 9-Oct-2021 11:30

Can you ping the UFB router from the LAN to make sure the static route is working?

I suspect the router is not doing NAT for the 10.10.10.0/24 subnet. In this case you should see the traceroute stopping at the router internal interface.

It might be easier to connect the Linux box directly to the ONT and place the UFB router in the LAN side in bridge mode to use it just as an access point...

michaelmurfy

meow
13242 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2792157 9-Oct-2021 11:46

I don't understand why you've got the Linux box here. Is this running a normal firewall operating system? Any way you can connect via DHCP on VLAN 10 on it?

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2792162 9-Oct-2021 11:56

As mentioned most likely issue is a lack of a static route on the ISP's router.

And also as mentioned what's the requirement for the router on the Linux box.

Cyril

Edit, can you access devices in the 192 subnet on the ISP's router from the 10. Network

yitz

2075 posts

Uber Geek

#2792174 9-Oct-2021 12:46

+1 to the first two responses it doesn't sound like your Linux gateway is doing NAT (maybe you do not intend for double NAT).

Your previous DSL router was probably NATing all traffic from the LAN side whereas the new Netcomm NF18 is only doing NAT for 192.168.1.0/24 and not for 10.10.10.0/24.

I recall there are settings like "second IP Address and Subnet Mask for LAN interface" on Netcomms but they may only be preset configs for a specific purpose (may even be hard coded to 192.168.2.0/24) just like there are presets for guest Wi-Fi networks.

Contrary

5 posts

Wannabe Geek

#2792324 9-Oct-2021 16:37

Thanks everyone for your responses. I'll try to cover off all the questions at once.

I'm not doing NAT on the Linux box. I'm hoping to avoid double NAT as I understand this can have some disadvantages.

There is a static route for 10.10.10.0/24 via 192.168.1.10 on the ISP router. This appears to be working as I can ping the ISP router (192.168.1.1) from inside the LAN (i.e. from devices beyond the Linux box).

Traceroutes from inside the LAN stop at the ISP router (192.168.1.1), so lack of NAT for the 10.10.10.0/24 subnet is looking likely. I haven't found anything on the ISP router that provides control over NAT at this level.

The Linux box is my home server running Ubuntu server and providing various services for the LAN (DHCP, DNS, file server, media server, etc). It also acts as a wireless access point for the LAN (using hostapd). It has been convenient to funnel traffic though the Linux server in the past (was running netflow for example), although I'm open to other suggestions.

My thinking was that I would provide a DMZ using the ISP router's LAN (the 192.168.1.0/24 subnet), and then have a separate network (10.10.10.0/24) with the Linux box able to manage access in and out of this network. The DMZ would contain guest WIFI (via the ISP router) and any other devices I want to keep off the LAN. I'm also doing this to an extent just to tinker and learn.

@yitz - there is a "Configure the second IP Address and Subnet Mask for LAN interface" option on the NF18MESH. This allows an IP address and subnet mask to be entered. I'm unsure whether that offers anything in my current setup (with the Linux gateway/router at least)?

In terms of options, I also have a managed switch (Netgear GS724T) which is currently only used for basic switching. I believe this might allow for some VLAN based approaches to providing isolated networks?

I have attached a diagram (not updated for UFB). Is there a way to make this existing structure work with the NF18MESH? Are there better ways to structure this?

Thanks,
Dave

Mehrts

1063 posts

Uber Geek

Trusted

#2792332 9-Oct-2021 16:58

Sounds unnecessarily complicated to be honest.

I'd put your current computer set up directly downstream from the ONT, and only run pfsense on it (if you're not already?). This takes care of all your networking needs, including guest networks, VLANs, DHCP, DNS etc.

For file server duties, it would be best practice to have this located on separate hardware located anywhere in your LAN.

To access anything within your LAN remotely, simply set up a remote access VPN between pfsense and whatever devices you'd like to use while out and about.

Pfsense is very powerful & stable, and not terribly hard to learn & understand.

Sharesies kids

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).

Spyware

3761 posts

Uber Geek

Lifetime subscriber

#2792335 9-Oct-2021 17:01

As above or replace the NF18 with a Mikrotik.

Contrary

5 posts

Wannabe Geek

#2792359 9-Oct-2021 18:32

Thanks Mehrts & Spyware. I'm not running pfsense - everything is hand-rolled currently (although provisioned via Ansible). I'll do some reading on pfsense.

Regarding the Mikrotik, would that allow greater control over NAT than the NF18?

Thanks,
Dave

yitz

2075 posts

Uber Geek

#2792365 9-Oct-2021 18:42

If you're feeling like a bit of a masochist and potentially want to get the Netcomm working you could read the following thread... this is based on older hardware model not sure if the same options are there or even if it would work the same really...

https://www.geekzone.co.nz/forums.asp?forumid=81&topicid=145361&page_no=2#1299447

Or as above.. time for a refresh.

And, yes I would think so I've been able to set up Mikrotik with two LAN IP ranges behind NAT internet connection in the past.

Do you have a fibre landline with Slingshot running on the Netcomm?

Contrary

5 posts

Wannabe Geek

#2792393 9-Oct-2021 20:28

Thanks yitz. Never been one to take the easy option, so I'll take a look over that thread.

I'm using the copper for my landline still as it didn't work when I first tried plugging into the router. I expect to switch to fibre landline at some point, but for now the copper continues to work.

Dave

michaelmurfy

meow
13242 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2792404 9-Oct-2021 21:10

Your setup is very messy and actually rather insecure. I'd never have a single server doing both fileserver + routing duties.

Yes, there are far better ways of doing it. With a Mikrotik (I use a RB4011) you can have multiple VLAN's running on it having your Ubuntu box as just that, a server with your Mikrotik handling proper routing (no, you don't put your Ubuntu box in the way, you let your Mikrotik handle this). This will simplify things and also make things easier to manage.

The Mikrotik will replace your Netcomm and your Linux box for routing. You ideally want a smart switch to handle VLAN's and a wireless access point like a Grandstream GWN7630 - both wireless networks can be broadcast from that access point via VLAN tagging, you can have devices on either VLAN and your Ubuntu box is then not a router. Also you'll get far better performance doing it this way.

Lastly, considering your guest network as per the above diagram is WiFi only the Netcomm can actually broadcast a guest network meaning you can just use it for your main network too removing the need of having your Ubuntu box doing routing duties at all.

But seriously, remove your Ubuntu box from routing duties. This is absolutely not needed in either scenario.

Contrary

5 posts

Wannabe Geek

#2792517 9-Oct-2021 23:26

Thanks for the advice Michael. Seems I have some reading to do.

Dave