33 posts

Geek


# 175876 14-Jul-2015 16:31

My Snap Fibre is being installed as we speak and is expected to be running at the start of next week. I have the FritzBox 7490 router.

My setup consists of a server cabinet with all the house's CAT 6 lines running out of it, with a 24 port gigabit switch. I also have a couple of HP ProLiant servers in there hosting various bandwidth intensive applications.

For my Fibre setup I wanted to have a more robust and secure setup, so I thought about running a pfSense firewall on an old HP DC7800 SFF, which has 4GB of RAM and a Core 2 Duo processor and should not draw too much power.

The plan was to run an ethernet cable from the Chorus ONT into the pfSense box and then the LAN out of the pfSense box into my 24 port switch. From there I would run cables to the multiple access points around the house etc. This is where my issue is: I require a phone line and want to use the included Snap Plus VOIP, for which you are required to use the FritzBox as the ATA. My idea was to turn off DHCP and run it as a dumb access point and VOIP modem connected to my switch.

I am wondering if someone has done something similar and what settings are required so I can use the FritzBox as a WiFi access point and VOIP modem only.

811 posts

Ultimate Geek
+1 received by user: 282

Trusted

  # 1343246 14-Jul-2015 19:04

Can't remember exactly what the option is called, however I can confirm that this is possible.

IIRC it's something along the lines of "connect through an existing internet connection" under the internet connection setup.



33 posts

Geek


  # 1343254 14-Jul-2015 19:12

Lorenceo: Can't remember exactly what the option is called, however I can confirm that this is possible.

IIRC it's something along the lines of "connect through an existing internet connection" under the internet connection setup.


That's what I thought; however, when I click that button the option to enter the "Required" username and password disappears. I figured I'd need that to log in to the Snap VOIP server.




3800 posts

Uber Geek
+1 received by user: 1703

Subscriber

  # 1343293 14-Jul-2015 20:34

The username and password are just for the PPP interface. The FritzBox just needs to be reachable by Snap via TR-069 and they will then auto-configure the VOIP.





1013 posts

Uber Geek
+1 received by user: 218

Subscriber

  # 1343336 14-Jul-2015 21:02

I'm a big fan of reducing points of failure when looking for 'more robust',
i.e. just using the Fritz, or I'm considering switching to a Ubiquiti EdgeRouter Lite (for no other reason than I'm interested to play).
My Fritz has been online for 141 days, and that would have been much higher if I had it plugged into a UPS.

Then again if you've got a bigger UPS nothing wrong with pfSense



33 posts

Geek


  # 1343416 14-Jul-2015 23:19

jnimmo: I'm a big fan of reducing points of failure when looking for 'more robust',
i.e. just using the Fritz, or I'm considering switching to a Ubiquiti EdgeRouter Lite (for no other reason than I'm interested to play).
My Fritz has been online for 141 days, and that would have been much higher if I had it plugged into a UPS.

Then again if you've got a bigger UPS nothing wrong with pfSense


I agree with you. I have two large APC UPSs, so backup power isn't an issue. I've been wanting to give pfSense a try on a larger home network such as mine, and I wouldn't mind ditching the FritzBox even though I hear it's a very robust router. But I have to use it for the VOIP phone line.



33 posts

Geek


  # 1343417 14-Jul-2015 23:21

Aredwood: The username and password are just for the PPP interface. The FritzBox just needs to be reachable by Snap via TR-069 and they will then auto-configure the VOIP.


What is the PPP interface used for in relation to the FritzBox, and are there any issues caused by disabling it?

440 posts

Ultimate Geek
+1 received by user: 95


  # 1343420 15-Jul-2015 01:12
One person supports this post

VOIP SIP is tricky to run behind a firewall, as the content of SIP packets (not just the headers) contains IP addresses, and SIP does not work if they are your internal IP addresses.  So putting your FritzBox behind your NAT firewall does not work, unless you do a very tricky setup.  I have managed to get it working - Snap and the FritzBox both seem to not know that the FritzBox is not directly connected to Snap.  VOIP works just as it does when the FritzBox is directly connected to the ONT, and Snap does its TR-069 auto configuration update every day - I can see it happening in the FritzBox log.  I can plug my FritzBox into the ONT and run it without changing its config and then plug it in again behind my routers and it is just as happy there.  But this setup currently takes two routers to do it - I am using two Ubiquiti EdgeRouter Lite (ERL) boxes.  It also requires a static external IPv4 address.  The key thing is that the FritzBox (mine is a 7390) needs its WAN interface to have the static IP address that Snap has assigned me (203.86.202.190) - that makes it create the correct data in the VOIP packets and the TR-069 config data.  So here is how I am doing it.

My main ERL is connected to the ONT via PPPoE on VLAN 10 on its eth0 port and runs my network on its eth1 and eth2 ports.  On eth2, I have my "Inner" subnet (10.0.2.0/24) where most of my devices are, and on eth1 I have my "Outer" subnet (10.0.1.0/24), a DMZ where I have my Internet servers.  On its eth0 PPPoE VLAN 10 connection to Snap, the main ERL gets the 203.86.202.190 address, and as that address is a direct connection, any packets with that address as a destination address will be routed to that interface, so it is not possible to send packets with that address through that ERL to the 7390.  So I have DNAT rules transforming the packets for the 7390 to use the address 10.0.1.247.  The SIP port for the 7390 is UDP port 5060; its RTP ports (for the actual VOIP packets carrying the phone traffic) are UDP ports 7080-7109.  The 7390 also needs to be able to talk to Snap on port 8089 for the TR-069 protocol so they can configure it, so that port also needs to be treated the same way as the VOIP ports.  So there are DNAT rules and firewall rules for all those ports.  Here are the relevant bits of my main ERL config.boot file (I hope I have not missed anything):

firewall {
    group {
        port-group Fritz-external-TCP {
            port 5060
            port 8089
            port 471
        }
        port-group Fritz-external-UDP {
            port 5060
        }
        port-group RTP-ports-UDP {
            description "VOIP RTP ports"
            port 7078-7109
        }
        port-group VOIP-ports-UDP {
            description "UDP ports for VOIP: sip and RTP"
            port 5060
            port 7078-7109
        }
    }
    name RB-Outside-Outer {
        rule 1000 {
            action accept
            description "Accept UDP VOIP ports"
            destination {
                group {
                    port-group VOIP-ports-UDP
                }
            }
            log enable
            protocol udp
        }
        rule 1200 {
            action accept
            description "Accept TCP for the Fritz!Box external ports"
            destination {
                address 10.0.1.247
                group {
                    port-group Fritz-external-TCP
                }
            }
            protocol tcp
        }
        rule 1300 {
            action accept
            description "Accept UDP for the Fritz!Box external ports"
            destination {
                address 10.0.1.247
                group {
                    port-group Fritz-external-UDP
                }
            }
            protocol udp
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat disable
    lan-interface eth1
    lan-interface eth2
    rule 15 {
        description "FritzBox sip"
        forward-to {
            address 10.0.1.247
        }
        original-port 5060
        protocol udp
    }
    rule 18 {
        description "FritzBox TR-069 (for Snap management)"
        forward-to {
            address 10.0.1.247
        }
        original-port 8089
        protocol tcp
    }
}
protocols {
    static {
        route 10.0.1.247/32 {
            next-hop 10.0.1.248 {
            }
        }
    }
}
service {
    nat {
        rule 1 {
            description "VOIP RTP ports"
            inbound-interface pppoe0
            inside-address {
                address 10.0.1.247
            }
            log enable
            protocol udp
            source {
                group {
                    port-group RTP-ports-UDP
                }
            }
            type destination
        }
        rule 9000 {
            description "Masquerade outbound traffic"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
}
zone-policy {
    zone Z-Outer {
        default-action drop
        from Z-Outside {
            firewall {
                name RB-Outside-Outer
            }
        }
        interface eth1
    }
}

Note that I am using a zone type firewall, not the standard sort of firewall.  There may be some redundant bits in that config - I have not gone over it properly to check for that since I got it working.

My second ERL is connected to the Outer network with its eth0 port as 10.0.1.248 and a secondary address of 10.0.1.247.  It is not doing NAT, just plain routing.  It runs a PPPoE server on eth2 VLAN 10, which the 7390 is connected to.  The PPPoE server is set up to emulate what Snap's PPPoE server does for my main ERL's connection to them.  It gives the 7390 the same static external IP address as Snap gives my main ERL: 203.86.202.190, so the 7390 thinks it is directly connected to Snap and sets up the VOIP as though that was the case.  The second router's 10.0.1.247 address is used to represent the 203.86.202.190 address when the packets the 7390 needs are going through the rest of the network to it.  Normal packets for this router are received on its eth0 10.0.1.248 address, and all the packets it receives on its eth0 10.0.1.247 address are the ones that need to be sent to the 7390.  Packets with the 10.0.1.247 address get translated using DNAT rules so that they once again have their original 203.86.202.190 destination address.  That means the packets are now identical to the same packet as received by the main ERL.  Since that address is present in this router as the address for the 7390, they get sent to the 7390.  Packets from the 7390 with the source address 203.86.202.190 are sent out to the main ERL, which sends them on to the Internet.  Here is the full config.boot file from the second ERL, with my login details obscured:

interfaces {
    ethernet eth0 {
        address 10.0.1.248/24
        address 10.0.1.247/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
        vif 10 {
            description "PPPoE VLAN for FritzBox"
            mtu 1500
        }
    }
    loopback lo {
    }
}
protocols {
    rip {
        interface eth0
        interface pppoes0
        interface eth2.10
        redistribute {
            static {
            }
        }
    }
    ripng {
        interface eth0
        interface pppoes0
        redistribute {
            static {
            }
        }
    }
}
service {
    dns {
    }
    gui {
        https-port 443
    }
    nat {
        rule 100 {
            description "Incoming packets with address 10.0.1.247 are for fritz"
            destination {
                address 10.0.1.247
            }
            inbound-interface eth0
            inside-address {
                address 203.86.202.190
            }
            type destination
        }
        rule 5100 {
            description "Outgoing packets from fritz on 203.86.202.190 are to be sent with address 10.0.1.247"
            outbound-interface eth0
            outside-address {
                address 10.0.1.247
            }
            source {
                address 203.86.202.190
            }
            type source
        }
    }
    pppoe-server {
        access-concentrator SNAPDSL-AKL
        authentication {
            local-users {
                username ***********@snap.net.nz {
                    password ****************
                    static-ip 203.86.202.190
                }
            }
            mode local
        }
        client-ip-pool {
            start 203.86.202.190
            stop 203.86.202.191
        }
        dns-servers {
            server-1 10.0.1.2
            server-2 10.0.2.4
        }
        interface eth2.10
        service-name Fritz-PPPoE
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    domain-name jsw.gen.nz
    gateway-address 10.0.1.251
    host-name erlt
    login {
        user ubnt {
            authentication {
                encrypted-password ********
            }
            level admin
        }
    }
    name-server 10.0.1.2
    name-server 10.0.2.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec disable
        ipv4 {
            forwarding disable
            pppoe disable
            vlan disable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://ftp.nz.debian.org/debian/
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Pacific/Auckland
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.0.4783374.150622.1534 */

I have the eth2 port of my 7390 connected to my switch on my Inner network on the address 10.0.2.250 - the 7390 is configured for that as a static IP address and to not do DHCP.  That allows the Fritz apps on my Android phone and VOIP software running on the Inner subnet to connect to the 7390 and use it for VOIP.

All of that config is the sort of thing any modern Linux box can do using its firewall software (the ERLs are Debian Wheezy based).  If you want to use this setup, you need two routers, which I fortunately had, as I had bought a second ERL as a backup device.  But you could just have that second router be another Linux system running in a virtual machine (e.g. using VirtualBox) that is able to talk on two ethernet ports of the same Linux box that runs the main router.

What I really would like to be able to do is condense the setup to all run in the one main ERL, but I am not sure if that is possible without writing some software to keep the 203.86.202.190 address isolated somehow.  I intend to experiment with that when I find the time.  I am open to suggestions.





33 posts

Geek


  # 1345562 16-Jul-2015 15:51

Thanks for your help. I'll post a reply on Tuesday when my Fibre install is completed.
