guybrush82

546 would be the local port, not the sender port.

Has no address been configured as a gateway on the LAN?

Then you just have to do a bit of trial and error.

You can also try a config like this. Simply with prefix 56 and not 52!

You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?


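The post above turns on how a delegated prefix (/56 versus /52) is carved into per-LAN /64s and on what the RA then hands to clients. The following is an added worked example, not code from the thread or from pfSense: it reproduces the arithmetic of pfSense's "Track Interface" mode (delegated prefix plus a hex "IPv6 Prefix ID" per LAN) and the classic EUI-64 SLAAC address a client derives from the advertised /64. The prefix 2001:db8:ab00::/56, the interface names and the MAC address are constructed documentation values, not anything from the original post.

```python
"""Added example (not from the thread): how a DHCPv6-PD delegated prefix maps
onto per-LAN /64 subnets the way pfSense's "Track Interface" mode with an
"IPv6 Prefix ID" does, plus the SLAAC (EUI-64) address a client would derive
from the router advertisement for that /64.  The prefix 2001:db8:ab00::/56,
the interface names and the MAC address are constructed documentation values."""
import ipaddress


def lan_subnets(delegated: str, prefix_ids: dict) -> dict:
    """Split a delegated prefix into /64s, one per interface.

    prefix_ids maps interface name -> prefix ID (the hex value pfSense asks
    for).  The ID occupies the bits between the delegated length and /64, so a
    /56 offers 256 IDs (0x00..0xff) and a /52 offers 4096 (0x000..0xfff).
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated}: cannot carve /64 subnets from a /{pd.prefixlen}")
    id_count = 1 << (64 - pd.prefixlen)
    subnets = {}
    for name, pid in prefix_ids.items():
        if not 0 <= pid < id_count:
            raise ValueError(
                f"{name}: prefix ID {pid:#x} does not fit a /{pd.prefixlen} "
                f"(valid range 0x0..{id_count - 1:#x})")
        # The subnet ID sits directly above the 64-bit interface identifier.
        subnets[name] = ipaddress.IPv6Network((int(pd.network_address) + (pid << 64), 64))
    return subnets


def router_address(subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Conventional router address on the LAN /64: the ::1 of the subnet."""
    return subnet[1]


def slaac_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """EUI-64 address a client forms from the RA prefix and its MAC (RFC 4291).

    Modern hosts usually prefer privacy (RFC 4941) or stable-opaque (RFC 7217)
    interface IDs instead, so treat this as the classic, predictable variant.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(subnet.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    nets = lan_subnets("2001:db8:ab00::/56", {"LAN": 0x0, "GUEST": 0x10, "IOT": 0xff})
    for name, net in nets.items():
        print(f"{name:5} {net}  router {router_address(net)}")
    print("SLAAC for 00:11:22:33:44:55 on GUEST:",
          slaac_address(nets["GUEST"], "00:11:22:33:44:55"))
```

The same function shows why the prefix length matters: with a /56 a prefix ID of 0x100 is rejected, while a /52 accepts IDs up to 0xfff. The router address and the EUI-64 value are what you would expect to see on the LAN interface and on a client's `ifconfig`/`ip -6 addr` once the RA is sent; a client showing only an fe80:: address on the LAN means no usable RA arrived.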

    @Tux0ne

    > You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?

    No, that’s not clear to me, just to out myself as an IPv6 noob. 🙈😄

    And I imagined it would be somehow easier with the IPv6 thing.

    Actually, I would only want to use IPv6 out of interest anyway, but I have no problem switching it off if (from what I read here) many providers (including Swisscom) still make it more complicated than necessary.

    Because I’m still a little bit ambitious, I’d like to make a few more attempts.

    And to get closer to the diagnosis: No, no IPv6 address has been configured on the internal (LAN) interface.

    The DHCP server doesn’t run on the firewall either; it’s outsourced to internal servers behind it and isn’t configured for IPv6 (if that were even necessary), or rather, I see here that RAs seem to be part of the DHCPv6 server.

    However, before I approach the IPv6 configuration of local clients, I would like to have the part on the router working correctly.


    Tux0ne Even with all the additional options, the WAN interface only has a fe80:: address, which probably corresponds to the link-local and indicates that a “real” IPv6 address is not even obtained. 😞


    Thank you for your answers from various sides. I still have to do a little bit of my homework. But this becomes more than just complicated with IPv6, as many things as you have to / should / can take into account. A real jumble of possibilities. This also means that 90% of current home network supervisors will lose the complete overview with IPv6 😄 unless you have a lot of time.

    But I still have to read up on certain services. I’m familiar with the electronics compendium but I haven’t finished it yet.

    “Anyone who manually assigns a global IPv6 address to every network participant in the home network or company network is doing something wrong:”

    I will certainly look into this statement in more detail and test it out and read it. That’s exactly the crux of the whole thing.

    The rest relating to performance and security are different topics and are negligible in the first step, because the basic principle must be clear first. This is followed by security and finally performance.

    I’ll find out what SLAAC and autoconfiguration mean. Thank you for the information.

    Of course I’m still interested in the settings for the Pfsense. But I haven’t decided yet which Internet will accompany me in the future. But that will still take 2 months until all the cables are in and everything is connected. So I still have time and I still have to order the hardware and evaluate it. But you can see that I’m not the only one and I’m glad 🙂.

    a month later

    Silvia Hagen’s books are very good, but unfortunately no longer completely up to date. Sure, the basics of IPv6 are still valid, but a lot has happened in the last few years in terms of practical implementation/concepts.

    6 days later

    XGS-PON 10/10 Giga has been available since yesterday. Now I thought the following:

    Ordering Hybrid7 P2MP, the Zyxel AX7501-B0 is also included, which I set to bridge mode. After that comes my pfSense, and there I have my dynamic WAN IPv4? Meaning not an internal address of the Zyxel modem.

    Simple question, so I would like a simple answer: works or doesn’t work!

    We’re leaving out IPv6 for now. I can configure that later. I just want to have my WAN IP directly on the PFsense, if that’s not possible then I’ll have problems.

    I’m a bit confused because of statements like this that I’ve already received:
    10G via PPPoE is extremely CPU intensive. Where we actually have direct dark fiber/FTTH, 10G is just routed; PPPoE requires a lot more CPU, and then I only get complaints because it peaks at 2, 3, 4 Gbit/s depending on the situation. We currently do not give a 10G guarantee on BBCS.

    My next question:

    Hybrid7 P2MP runs via PPPoE; the Zyxel modem does the registration and then simply forwards everything to the pfSense? Is there really still that kind of performance? Calculation problems?

    @Tux0ne + @Werner


    Yes, if the Zyxel router is in bridge mode, the downstream device receives the public IP.

    If the Zyxel is in bridge mode, the downstream router does the registration. If the Zyxel is in router mode, it logs in and with IPv4 you can only do NAT on the downstream router.

    Yes, PPPoE is a bit more computationally intensive.
    Even 10GE requires strong hardware for pfsense. Whether DHCP or PPPoE doesn’t matter now. Depending on whether you only do NAT and FW. IDS is another story again.

    You can look up approaches to what is needed and what is possible from the Netgate Appliances. There are some that reach almost 10GE.

    Does init7 now also offer the “10GE” via XGS PON? That was still limited to 1GE. Have you adjusted the connections and contracts?


    @Tux0ne wrote:

    Already 10GE requires strong hardware for pfsense. Whether DHCP or PPPoE doesn’t matter now. Depending on whether you only do NAT and FW. IDS is another story again.

    You can look up approaches to what is needed and what is possible at Netgate Appliances. There are some that reach almost 10GE.


    If you want to use your own, self-selected hardware for the firewall with 10 Gbit/s or faster Internet connections, you should take a look at the website

    [https://michael.stapelberg.ch/posts/2021-07-10-linux-25gbit-internet-router-pc-build/](https://michael.stapelberg.ch/posts/2021-07-10-linux-25gbit-internet-router-pc-build/)

    and be inspired. This self-selected hardware is ideally operated with a self-installed Linux or vanilla FreeBSD without web interface bells and whistles like pfSense, OPNsense, IPFire. If you are interested in Linux or vanilla FreeBSD as an operating system for your own hardware firewall, you should continue reading here:

    [https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/vpn-mit-16-kleinen-ausenstellen-t18781.html#p106335](https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/vpn-mit-16-kleinen-ausenstellen-t18781.html#p106335)

    [https://www.lancom-forum.de/aktuelle-lancom-router-serie-f41/vdsl-umzug-glasfarben-neuer-router-t17926.html#p101750](https://www.lancom-forum.de/aktuelle-lancom-router-serie-f41/vdsl-umzug-glasfarben-neuer-router-t17926.html#p101750)

    Be careful when using iperf3 for data throughput measurements in the range > 1 Gbit/s. The CPU very quickly becomes a bottleneck at data transfer rates > 1 Gbit/s:

    https://github.com/esnet/iperf/issues/289

    [https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf3/](https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf3/)

    In the range > 1 Gbit/s, the information and tuning tips at

    https://fasterdata.es.net/

    should generally be taken into account.

    And always keep TuxOne’s statement in mind:

    You know what. 10 Gbps is currently for the bin. My 95th percentile is 18 Mbps on a 1 Gbps connection, and that’s probably very high! Peering, low latency, availability and reliability, those are what matter, not showing off a speed that does nothing.

    Source: [https://www.tuxone.ch/2021/01/4-nullen-und-die-reisschussel.html](https://www.tuxone.ch/2021/01/4-nullen-und-die-reisschussel.html)

    Therefore, the choice of connection technology for the Internet connection should follow the order listed at

    [https://community.swisscom.ch/t5/Mobile/Wifi-Calling-scheint-nicht-zu-funktionieren/m-p/662138#M8881](https://community.swisscom.ch/t5/Mobile/Wifi-Calling-scheint-nicht-zu-funktionieren/m-p/662138#M8881)

    => AON before PON!

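The post above warns that above 1 Gbit/s the measuring host's CPU, not the link, is often what caps an iperf3 result, and points at multi-stream runs as the remedy. As an added example (not code from the thread, from iperf3 or from fasterdata.es.net), the script below reads the JSON that `iperf3 -J` emits, pulls the achieved rate and the CPU utilisation iperf3 reports for both ends, and says whether the run was CPU-bound; if it was, it builds the command line for a re-run with parallel streams (`-P`). The two reports are constructed samples trimmed to the fields the check uses, and the server name is a placeholder.

```python
"""Added example (not from the thread): read an iperf3 JSON report (iperf3 -J)
and decide whether a >1 Gbit/s measurement was limited by the CPU rather than
by the link.  The two reports below are constructed samples, reduced to the
fields this check uses; "iperf.example" is a placeholder server name."""
import json

# Constructed sample: a single-stream run where the sending host is pegged.
SINGLE_STREAM_JSON = json.dumps({
    "start": {"test_start": {"num_streams": 1, "duration": 10}},
    "end": {
        "streams": [{"sender": {"bits_per_second": 2.91e9},
                     "receiver": {"bits_per_second": 2.90e9}}],
        "sum_received": {"seconds": 10.0, "bytes": 3625000000, "bits_per_second": 2.90e9},
        "cpu_utilization_percent": {"host_total": 97.3, "remote_total": 41.0},
    },
})

# Constructed sample: the same path re-run with four parallel streams (-P 4).
MULTI_STREAM_JSON = json.dumps({
    "start": {"test_start": {"num_streams": 4, "duration": 10}},
    "end": {
        "streams": [{"sender": {"bits_per_second": 2.36e9},
                     "receiver": {"bits_per_second": 2.35e9}}] * 4,
        "sum_received": {"seconds": 10.0, "bytes": 11762500000, "bits_per_second": 9.41e9},
        "cpu_utilization_percent": {"host_total": 63.8, "remote_total": 58.2},
    },
})


def summarize(report_json: str, cpu_limit: float = 85.0) -> dict:
    """Condense an iperf3 JSON report into the numbers that matter for >1G tests.

    cpu_limit is the utilisation (percent of one core as iperf3 reports it)
    above which we treat the result as a CPU ceiling rather than a link figure.
    """
    report = json.loads(report_json)
    end = report["end"]
    streams = len(end.get("streams", [])) or report["start"]["test_start"]["num_streams"]
    cpu = end["cpu_utilization_percent"]
    host, remote = cpu["host_total"], cpu["remote_total"]
    gbps = end["sum_received"]["bits_per_second"] / 1e9
    cpu_bound = max(host, remote) >= cpu_limit
    if cpu_bound:
        advice = "CPU-bound: repeat with more parallel streams (-P) before trusting the rate"
    else:
        advice = "not CPU-bound: the rate reflects the path"
    return {"streams": streams, "gbps": round(gbps, 2), "host_cpu": host,
            "remote_cpu": remote, "cpu_bound": cpu_bound, "advice": advice}


def next_run(server: str, streams: int, seconds: int = 30) -> list:
    """Command line for the follow-up multi-stream run (real iperf3 flags)."""
    return ["iperf3", "-c", server, "-P", str(streams), "-t", str(seconds), "-J"]


if __name__ == "__main__":
    first = summarize(SINGLE_STREAM_JSON)
    print(first)
    if first["cpu_bound"]:
        print("re-run:", " ".join(next_run("iperf.example", 4)))
    print(summarize(MULTI_STREAM_JSON))
```

Run against real output, pipe `iperf3 -c <server> -J` into a file and pass its contents to `summarize`. The point of looking at `cpu_utilization_percent` is that a 2.9 Gbit/s result with the sender at 97 % is a statement about the test box, not about a 10G line; only when both ends sit comfortably below the limit does the rate say anything about the path.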

    I recommend using standardized and very common open source products such as pfSense or OPNsense that have been specifically developed for use as a firewall, router, next gen firewall, IDS/IPS, VPN gateway, etc. Just pay attention to the instructions and manuals from Netgate (https://docs.netgate.com/pfsense/en/latest/) and OPNsense (https://docs.opnsense.org/) respectively. The OPNsense and pfSense communities are in no way inferior to any tinkering solutions with iptables. If every user configures a router on their favorite Linux, this won’t work out well. Too many configuration errors can lead to security problems. The FreeBSD or HardenedBSD base of OPNsense and pfSense has also been specially hardened for use as a firewall appliance. They are standardized, commercially supported and very common products that I can recommend to every “advanced user”. The web interface in particular makes the configuration intuitive and reduces possible pitfalls and errors.

    OPNsense and pfSense can also be virtualized. I have been running both solutions in a Proxmox VE cluster for years. The suggested optimization measures in the documentation ([https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html](https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html)) should be noted. I also achieve a virtualized routing performance of 10 Gbit/s between the various VLANs. The 1 Gbit/s data rate of my UPC Business Internet 1000 DOCSIS 3.1 WAN uplink is reached.

    For CLI lovers: if you are looking for a high-performance software router on “off the shelf” hardware, you will also find it at Netgate with TNSR ([https://www.tnsr.com/](https://www.tnsr.com/)). TNSR does not have a WebUI, but can only be configured via the CLI. The barriers to entry are greater, but the performance on the same hardware is better than with pfSense. TNSR is also free for home users.

    If you are looking for dedicated hardware, you will find it at Netgate (https://www.netgate.com/appliances). The devices can be ordered via Contria GmbH (https://www.contria.ch/) in Langenthal. The company also has very competent support and good sales advice.


    Thank you very much for the answers. Of course, I realize that I hardly need the entire line. Yes, I already have a virtualized pfSense running on an ESXi, but that is a bit risky because if the ESXi no longer runs etc., I am offline.

    I will therefore take official hardware from Netgate (https://shop.netgate.com/products/7100-max-pfsense). As already described, I will not run a firewall, whether that is ultimately good or the opposite, on a self-built box without a GUI, for the simple reason: I still want to live 😉.

    @Tux0ne-> Yes Init 7 offers XGS-PON with 10 Giga.


    @Anonymous wrote:

    Thank you very much for the answers. Of course, I realize that I hardly need the entire line. Yes, I already have a virtualized pfSense running on an ESXi, but that is a bit risky because if the ESXi no longer runs etc., I am offline.

    I will therefore take official hardware from Netgate (https://shop.netgate.com/products/7100-max-pfsense). As already described, I will not run a firewall, whether that is ultimately good or the opposite, on a self-built box without a GUI, for the simple reason: I still want to live 😉.

    @Tux0ne-> Yes Init 7 offers XGS-PON with 10 Giga.


    Well, during the last (unsuccessful) hypervisor upgrade from Proxmox 6.4 to 7.0, the WAF was briefly in the “basement” for 3 hours. I have now ordered a Netgate 6100 from Contria GmbH. This means I can approach the next upgrade with “a little” more peace of mind. Oh no... the DNS and DHCP server from Univention still runs on the Proxmox cluster 😆, luckily redundant with my Synology DS.


    I still find the 6600 attractive for up to 10GE. I’m still thinking about ordering these. But init7 is behind schedule with the expansion of their POPs. So don’t rush. I’m unlikely to build 25GE for now. I still think that’s too uneconomical vs. useful. Or with tnsr you can also do this with x86. However, there are still a lot of features missing as a pfSense replacement.

    The advantage of pfSense is that you can run everything on one machine.

    VPN in all flavors again with Wireguard (experimental).

    Adblock including relatively good DoH block with pfblocking

    DNS resolver, routing, fw, etc. it’s all there one way or another.

    I do see the purpose of VMs. You can also virtualize pfSense.

    But letting all instances such as VPN, resolver, blocking, etc. run separately, well, that’s many PoF. You can do it. But it’s more of a craft.

    22 days later

    Things are slowly moving forward and the decision is getting closer. There should be another offer from Swisscom but via the SME department. Apparently you really want to keep me as a customer then I can lower the price at the end “haha”.

    Now for the technical:

    Centro Business 2.0

    • Activate PPPoE, then tap port 1, behind which comes the pfSense
    • TV can be attached to ports 2-4

    As far as I know, that would work and would be the only way at Swisscom. Of course, the prerequisite is that you become an SME customer. A decision will be made in the next few weeks as to whether this is the way forward, otherwise there will be Fiber 7 with P2MP via XGS-PON.

    Have I misunderstood something about the possible Swisscom solution?


    I think your option @Anonymous is great, what could be nicer than having PPPoE; then please build PPPoE with MTU 1500 bytes, or set the interface of the pfSense (where the PPP traverses) to 1508 bytes so that the PPP header goes through without problems.
    If this solution will be yours, then with the static /48 v6…..

    So my choice would be… @Tux0ne would certainly agree with me, wouldn’t you 🙂


    Swisscom Network Engineer IP+ AS3303,

    and I personally also find the HW from [https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/](https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/) great, for example [https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/ANR-DNV3N3-8C](https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/ANR-DNV3N3-8C), my personal favorite, which is also in the rack at home….


    Swisscom Network Engineer IP+ AS3303,

    So I “know” both Chris. So Hybrid7 not directly. But that’s also PPPoE.
    Both work too. And I use both. One in business, the other private.

    People like to have a nice time at home. I won’t say anything more 😉

    But PPPoE with inOne KMU or SBCON can be done like this: [https://www.tuxone.ch/2016/10/pppoe-passthrough-mit-swisscom-my-kmu.html](https://www.tuxone.ch/2016/10/pppoe-passthrough-mit-swisscom-my-kmu.html)


    @ChristianEb

    I didn’t know the hardware from https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/ yet. But I think I’ll go with official Netgate hardware. I’m just not sure how much power I need to get as close as possible to 10 Giga. Netgate told me that there won’t be any new hardware for the next 2 months, but I suspect so, so I’ll just wait and see.

    I would have the option of internet backup via cable network, so I’m also wondering whether that’s necessary or how many outages there are at Swisscom😃.
