Geekzone: technology news, blogs, forums
cyril7
9058 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #2625443 22-Dec-2020 12:34

Hi, what IP address is your USG getting? If it's in 100.64.0.0/10 then it's on CG-NAT. Note this is the IP on the DHCP or PPPoE interface of the USG, not the reported IP address as seen outside.

 

Cyril




michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2625444 22-Dec-2020 12:34

@ruch33 Protip - even if SSH is on another port it'll still get brute forced (check your auth log and I bet you'll find thousands of brute-force attempts) - enforcing SSH keys and disabling password auth as well as enabling fail2ban is the only way to go if you want to expose this to the internet. I ultimately recommend setting up WireGuard VPN for this - check out PiVPN: https://www.pivpn.io/

 

But yes, the "gamer" plan is the only way to go if you want to expose services to the internet.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
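
An added example, not part of the thread: one way to do the auth-log check suggested in the post above, counting failed SSH password attempts per source and flagging any accepted password login (a sign that password auth is still enabled). The log lines are constructed samples in OpenSSH's syslog format, and the `threshold` value is an assumption.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 22 12:01:14 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 22 12:01:16 pi sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Dec 22 12:01:19 pi sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 22 12:01:23 pi sshd[1205]: Failed password for pi from 203.0.113.7 port 51244 ssh2
Dec 22 12:02:00 pi sshd[1210]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Dec 22 12:05:00 pi sshd[1300]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED
Dec 22 12:09:41 pi sshd[1344]: Accepted password for pi from 192.0.2.44 port 50111 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text, threshold=3):
    """Return (offenders, users_tried, password_logins) for an sshd auth log.

    threshold is an assumed cut-off for calling a source a brute-forcer.
    """
    failures = Counter()
    users_tried = {}
    password_logins = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried.setdefault(src, set()).add(user)
            continue
        m = ACCEPTED.search(line)
        # A successful *password* login means password auth is still enabled.
        if m and m.group(1) == "password":
            password_logins.append((m.group(2), m.group(3)))
    offenders = {src: n for src, n in failures.items() if n >= threshold}
    return offenders, users_tried, password_logins


if __name__ == "__main__":
    offenders, users_tried, password_logins = summarize(SAMPLE_LOG)
    for src, n in offenders.items():
        print(f"{src}: {n} failed logins, users tried: {sorted(users_tried[src])}")
    for user, src in password_logins:
        print(f"password login accepted for {user} from {src}: PasswordAuthentication is on")
```

With password authentication disabled, the accepted-password list should stay empty; sources above the threshold are the ones a tool such as fail2ban would be banning.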


ruch33
21 posts

Geek


  #2625446 22-Dec-2020 12:41

cyril7:

 

Hi, what IP address is your USG getting? If it's in 100.64.0.0/10 then it's on CG-NAT. Note this is the IP on the DHCP or PPPoE interface of the USG, not the reported IP address as seen outside.

 

Cyril

 

 

I get 10.10.*.* address on WAN interface of the USG. 




ruch33
21 posts

Geek


  #2625448 22-Dec-2020 12:42

michaelmurfy:

 

@ruch33 Protip - even if SSH is on another port it'll still get brute forced (check your auth log and I bet you'll find thousands of brute-force attempts) - enforcing SSH keys and disabling password auth as well as enabling fail2ban is the only way to go if you want to expose this to the internet. I ultimately recommend setting up WireGuard VPN for this - check out PiVPN: https://www.pivpn.io/

 

But yes, the "gamer" plan is the only way to go if you want to expose services to the internet.

 

 

 

 

Thanks, and understood. I already have username/password disabled. The SSH daemon only runs when I'm testing something, it's stopped most of the time. 


noroad
949 posts

Ultimate Geek

Trusted

  #2625451 22-Dec-2020 12:50

ruch33:

 

Just got connected in Lower Hutt via MyRepublic, Nokia ONT came in Bridged mode by default, which doesn't allow logging in or use of 1G ports. Had to connect to 10G port and set USG to get dynamic IP. Works. Successfully reached speed up to 1G which is the highest line speed with USG. Can't wait for UDM Pro. 

 

Some sort of firewall must be built in to Nokia ONT as all my custom ports are blocked, can still access the security cameras, but no applications. Anyone come across that before? 

 

 

In bridge mode the ONT is a layer 2 device; it is not in any way aware of layer 3 protocols on the customer transport side. All firewalling is the responsibility of the customer router in bridge mode. So, no, in bridge mode the Nokia ONT is not blocking anything at all.


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2625453 22-Dec-2020 12:51

michaelmurfy:

@ruch33 MyRepublic use CG-NAT by default - the exception to this rule is on their "Gamer" plans which simply include a Static IP. This means that any services you're port-forwarded to won't work.


Also, if you're port forwarding to security cameras or other IoT devices this is a massive security risk and without a doubt these devices will likely be compromised by now.



This. Check you are not behind the CGNAT.






cyril7
9058 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #2625462 22-Dec-2020 13:18

freitasm:
michaelmurfy:

 

@ruch33 MyRepublic use CG-NAT by default - the exception to this rule is on their "Gamer" plans which simply include a Static IP. This means that any services you're port-forwarded to won't work.

 

 

 

Also, if you're port forwarding to security cameras or other IoT devices this is a massive security risk and without a doubt these devices will likely be compromised by now.

 



This. Check you are not behind the CGNAT.

 

Hi, I asked that and he says he has a private address, not a CG-NAT private, so it will definitely be behind NAT, but it seems MR use private for CG-NAT [rolls eyes]

 

Cyril
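
An added example, not part of the thread: the WAN-address check discussed in the posts above, classifying the address on the router's WAN (DHCP or PPPoE) interface as RFC 6598 shared space (100.64.0.0/10), RFC 1918 private space (an upstream NAT that does not use the CG-NAT block), or public. The function name, the result labels and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, the block reserved for carrier-grade NAT.
SHARED_CGN = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; an ISP handing these out on the WAN side is also NATing.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, external_ip=None):
    """Classify the address on the router's WAN (DHCP/PPPoE) interface.

    external_ip is the address an outside service reports, if known. It is
    only a secondary signal: the WAN interface address decides first.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in SHARED_CGN:
        return "cgnat-rfc6598"
    if any(wan in net for net in RFC1918):
        return "upstream-nat-rfc1918"
    if external_ip is not None and ipaddress.ip_address(external_ip) != wan:
        return "upstream-nat-address-mismatch"
    return "public"


def port_forward_can_work(wan_ip, external_ip=None):
    """Inbound port forwards on the router only work with a public WAN address."""
    return classify_wan(wan_ip, external_ip) == "public"


if __name__ == "__main__":
    # Constructed sample addresses (10.10.0.5 stands in for a 10.10.*.* WAN address).
    samples = [("100.64.12.9", None), ("10.10.0.5", None), ("10.64.0.1", None),
               ("203.0.113.9", "203.0.113.9"), ("203.0.113.9", "198.51.100.1")]
    for wan, ext in samples:
        print(f"WAN {wan:<14} external {ext}: {classify_wan(wan, ext)}")
```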


 
 
 

hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #2625463 22-Dec-2020 13:22

cyril7:

 

freitasm: This. Check you are not behind the CGNAT.

 

Hi, I asked that and he says he has a private address, not a CG-NAT private, so it will definitely be behind NAT, but it seems MR use private for CG-NAT [rolls eyes]

 

Cyril

 

 

Why follow standards... that takes effort!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


ruch33
21 posts

Geek


  #2625520 22-Dec-2020 15:39

Just switched to the gamer plan with MyRepublic and everything appears to be working as expected. Here's a screenshot from my PC, obviously restricted by the 1G link for now.

 

 

 


redhoodie
10 posts

Wannabe Geek


  #2625558 22-Dec-2020 16:23

Hmmm, I've just tried plugging in directly to the 10G RJ45 port on the ONT, and I'm not getting 4000/4000 like some.
I tried switching out the Ethernet cable and SFP+ RJ45 module to see if they were the culprit, with no joy.

 

Fast.com is giving me better numbers than speedtest.net.
I'll hit up Orcon and see if it's something on their/Chorus' end.

 

 

 

fast.com


Tel1nz
6 posts

Wannabe Geek


  #2626599 24-Dec-2020 23:38

Hi folks, 
I switched from Vodafone cable to Orcon Hyperfibre, install completed and tested ok for internet connection on the 22nd Dec. Not seeing the 4GB speeds others have reported, but still nearly 2GB/s down and over 2GB/s up - queried with Orcon on 22nd and still waiting for a reply (not holding my breath, obviously). It's way faster than the 600MB/s I was getting from the cable modem though, so I was happy with that. 

 

BUT: Now that the family's all come home, it's rather turned to custard. I run my main PC as a media server (video, music, photos) and it's on the 10G port of the Nokia ONT. Gets great internet speed, but I'm having major issues accessing it from my plex server and the kids / wife's laptops. Symptoms:

 

1. nslookup fails for all local devices - "ontdevice.lan can't find redactedpc: non-existent domain." The ONT is serving as dhcp and dns server, but I can't find any settings for dns in the pathetic console under the "userAdmin" login. It seems to be running dns ok, but it looks like it's not recording reverse lookups for the devices it's handed out addresses for. 

 

I could map smb via IP address as a holiday workaround, but:

 

2. the DHCP settings are all display-only. I can't change the internal address range (not a fatal issue, but annoying,) and I can't set static addresses - the fields are there but you can't enter anything into them.

 

I'm going to hope everything renews to the same addresses over the holiday period and still use mapping by IP address, but does anyone know how to set IP ranges and set reservations on the Nokia ONT?

 

 

 

cheers,

 

Terry

 

 


redhoodie
10 posts

Wannabe Geek


  #2626606 25-Dec-2020 00:50

Tel1nz:

2. the DHCP settings are all display-only. I can't change the internal address range (not a fatal issue, but annoying,) and I can't set static addresses - the fields are there but you can't enter anything into them.


I'm going to hope everything renews to the same addresses over the holiday period and still use mapping by IP address, but does anyone know how to set IP ranges and set reservations on the Nokia ONT?



Apparently this stuff is getting unlocked in a firmware release/update early next year (in the replies a few pages back); I’m holding out for it too.

You could always just run everything through another router. (Though double NAT can be annoying.)

noroad
949 posts

Ultimate Geek

Trusted

  #2626623 25-Dec-2020 07:53

cyril7:

 

Hi, what IP address is your USG getting? If it's in 100.64.0.0/10 then it's on CG-NAT. Note this is the IP on the DHCP or PPPoE interface of the USG, not the reported IP address as seen outside.

 

Cyril

 

 

Except, MR's CGN is not set up correctly using the 10.64 block...


cyril7
9058 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #2626629 25-Dec-2020 08:15

Ahhh you mean 100.64.. Yes it would seem they have their own standards 🤔

noroad
949 posts

Ultimate Geek

Trusted

  #2626631 25-Dec-2020 08:23

cyril7: Ahhh you mean 100.64.. Yes it would seem they have their own standards 🤔

 

Yea, 100.64, I clearly should not be posting on Christmas morning!

