@Roger G Thank you! I sent you a PM with the wiring diagram so we can talk about the same thing. I’ll get back to you as soon as I get further… but it’ll take a while… it’s not exactly around the corner 😉
Neandertaler
@Roger G, thank you very much for the quick and competent information :-), despite the somewhat many questions [sorry]
Of course it’s cool that you immediately found out the two addresses and apparently looked at them. Really a great service, I would like that from the “normal” SC support - thank you! I learned (at least) two things:
1. that there is apparently also a speed check in KuZe, which indicates the configured speed under “At your address” and the maximum possible download under “Faster Internet” and this shows a much more real value than the “availability check”.
2. that I now have to take care of the last few meters (from UP to IB2) again. I would like to find the 0.4mm cable and replace it cleanly. I will do this at both locations, but I have to ask for your patience for 2-3 weeks until I have it. @Werner Your tip was obviously good, thank you too!
I’ll get in touch as soon as I’m at both locations.
But I still have one (hopefully) final question, how can I have the “Pflästerli” removed again and go to g.fast so that a higher speed is automatically stabilized again (i.e. not always less speed, but also more when it is technically possible again)? Many greetings and have a nice evening
Many thanks for your response. The in-house installation (AK to RJ45) is already carried out with U72 without any further branch and is only approx. 5-6m long anyway. The approximately 265 m long, 50-year-old underground cable between the DSLAM and the house AK is probably much worse. (Total attenuation approx. 18 dB / SRA: approx. 5.7 - 7.5 dB).
Internet speed – two connections / two problems
Hello
I have two connections in two locations. Both have unexplained variations in the available speed (throughput). Both locations are connected with (FTTS) Fiber to the Street.
Connection 1 in Sa…
Cu cable length between mCAN/DSLAM and house connection approx. 40m
The Swisscom availability check indicates a maximum of 200/50 Mb/s at this address. The synchronization speed (according to Internet-Box 2 – diagnosis) is effectively 418/94 Mb/s with G.Fast, which is many times higher. With the Internet M subscription at this location I can easily and reliably achieve a measured 213/92 Mb/s. So so far everything is fine. I just don’t understand why Swisscom’s availability check shows a much lower performance, especially since it has only been displayed this low for about 3 months. Previously, around 380/100 was displayed, which would be about correct.
Question 1 therefore, why has the availability check been showing an obviously completely wrong speed for months?
Connection 2 in Vb…
Cu cable length between mCAN/DSLAM and house connection approx. 265m (!)
The availability check shows 100/32 here. In March 2020 I received a letter from Swisscom “Personal information about the performance of your connection”, “Surf faster now! Up to 200 Mbit/s possible”.
Effectively it’s much worse. The synchronization speed is displayed in the Internet-Box 2 with G.Fast 65/15 Mb/s or with VDSL2 94/43 Mb/s. However, the values are quite fluctuating. Since the performance here is so low, I only have an Internet S subscription, where I achieve a measured 50/42.
Question 2, here too the values from the availability check or the SC letter do not correspond to reality at all, why?
Question 3, setting the protocol used to VDSL2 instead of G.Fast results in higher speed, probably because the Cu cable is simply too long for G.Fast. Why does Swisscom switch back to G.Fast every few weeks and I have to laboriously ask Level 1 and Level 2 support to switch the protocol back to VDSL2 in order to at least achieve 50/43?
Question 4, why is it that after rebooting the Internet Box 2 with VDSL2, a synchronization speed of approx. 120/50 Mb/s is achieved, which then drops to 94/43 Mb/s over several days, even though practically no CRC errors (0-2) occur?
Question 5, how can I get a fundamentally higher speed here so that I can at least take advantage of an M subscription?
It would be really cool if the SC moderators, for example @Roger G, could take a look at this. I would be happy to provide the exact information via PM.
Yes, exactly, my DDNS settings say “Auto” and it works. This means that the USG “publishes” the actual public IP to dyndns, or rather the USG notices when this changes and then sends the information to dyndns.org, of course with the outgoing public IP address, so dyndns registers the new address.
But since I use the “old” USG 20 and 50, L2TP no longer works for me. Apparently this would work with the new USG40 or 60. However, I’m now debating whether I should get this or the Fortinet FG-60E. Does anyone have experience with this? The application is stateful firewall, IDP and VPN (site-to-site with IPsec and client-to-site with L2TP over IPsec), as well as segmentation (LAN, DMZ, guest,…) incl. DNS and DHCP servers.
Greetings and good news to everyone
Neandertaler
I don’t want to tell you how things are going with my VPN solutions now that both locations are equipped with the new Internetbox2.
Site to Site VPN with IPsec (Zyxel USG 20 and USG 50)
Runs stably with the previous configuration!
Client to Site VPN with L2TP over IPsec (Zyxel USG 20 / 50)
Doesn’t run! I suspect a NAT traversal problem.
With the old Centro routers, the IP forwarding function worked without any problems. I haven’t changed anything in the config of the USG and the clients (so far). Does anyone have an idea how to get this working again?
For information again. The Zyxel USG are behind the Internetbox2. On the Internetbox2 I have the so-called DMZ function direct all ports to the USG (which also gets a fixed IP address from the Internet box). Swisscom TV and guest WLAN are accessed directly on or from the Internet box. Behind the Zyxel USG is the private (protected) LAN and a DMZ. The VPNs should all terminate in the private LAN behind the USG. The IP addresses are of course different, the Internet box on the 192.168.1.1 and behind the USG are 10.0.0.1 - 10.0.50.1 and 10.2.0.1 - 10.2.50.1 networks respectively.
The public IP is published via Dyndns from the USG. The IPv6 firewall is switched off on the Internet box as a precaution. CGNAT is not activated by Swisscom, so I have a normal IPv4 address. The VPN function provided by the Internetbox2 is of no use to me, as it then terminates in front of my private network and I therefore cannot access the applications, drives, NAS,… that are in the private LAN.
Would be glad for help with L2TP issue. @Anonymous
Greetings
Neanderthals
@Dodooo Sorry, I only saw your question now, but I can assure you that P2P VPN (IPsec) still runs smoothly and stably over the old Centro Grande.
Unfortunately, the time is getting closer and closer when I will have to switch to an Internet box due to the discontinuation of ISDN. I now have two questions about this:
1. Is there any news about the timing and functions of the new Internet-Box plus? Especially of course functions like P2P VPN or IP forwarding?
2. Useful solutions for Internet Box and P2P VPN with e.g. Zyxel USG? or experience whether something like this works with the DMZ function, for example?
I am grateful for your help.
Greetings
Neanderthals
Thanks for the clear answers.
What alternatives do I have as a private customer to do site-to-site VPN (network-network not client-network)?
Specifically, I currently have this in operation between my home and my holiday apartment. This has been working smoothly for years. But if I finally have to switch to VoIP in 2017 (ISDN and POTS will be switched off) I should have an alternative. The Internet box is ideal because it has the DECT base station integrated. But how do I then solve the VPN issue?
Greetings
Neanderthals
Hello
…and when will IP forwarding (IP passthrough / 1:1 NAT) come so that a site-to-site VPN (IPsec) can be done again via Zyxel USG? I’m still waiting for this function so that I can finally switch from the ISDN VDSL router (Motorola7347-84) and CentroPiccolo (Motorola 7640-47) to the internal box with DECT (VoIP).
Greetings
Neanderthals
Thank you, I think we are now in agreement, the Internet box still does not offer a bridge/IP passthrough/1:1 NAT mode.
So now the question arises, are there users who still have IPsec and/or L2TP and/or SSL VPN connections with Zyxel USGs running stably for days and weeks without the USG knowing the public IP address on the WAN port? And if so, how these users configured it. I’m happy to hear your advice on this - thank you!
Thanks,
I don’t want to make calls over the VPN connection, so performance and QoS shouldn’t be an issue.
I just want to know whether the VPN tunnel can be established and maintained or not. So far I have received different answers. Some write that it’s working for them and others (like you) say that it’s not working. What should I believe now? There has to be a clear answer.
@GianniBern wrote:
Do you want to use the IB on both sides? Or just one? What is the intended goal design?
Hello GianniBern
Thanks for your answer.
Target design:
Replacing ISDN telephony (at home) or analog telephony (holiday apartment) with VoIP with Swisscom InternetBoxes at both locations, as I would like to have the functions of HD telephones such as the “Arosa” type. As I understand it, this requires the InternetBox as a DECT base station.
Swisscom TV should continue to work at the “holiday apartment” location.
However, the existing site-to-site VPN (IPsec) via Zyxel USG-50 or USG-20 should still be possible. Temporary VPNs with L2TP or SSL that terminate on the Zyxel USG should also work.
This currently works without any problems via the Swisscom ISDN VDSL router (Motorola7347-84) and CentroPiccolo (Motorola 7640-47), each with IP forwarding switched on (IP passthrough / 1:1 NAT). My concern or question now is whether I can get it working again with the InternetBoxes, or do I have to stick with the “old” Swisscom “modems”?
Greetings
Neanderthals
Hello
Thank you very much for your answers.
I would like to use the DECT function (DECT base station) of the InternetBox, e.g. for using the current HD-IP telephones, e.g. the Arosa type, which only works together with the InternetBox. In any case, Swisscom writes: “The HD-Phone Arosa only works on a landline connection (IP) with the Swisscom Internet-Box.”
As a business customer I don’t get an InternetBox, apart from that I’m a private customer. My site-to-site VPN (IPsec) is about the connection between the house and the holiday apartment.
@VTX
Are you sure that IP forwarding (1:1 NAT) is no longer needed for a permanent site-to-site VPN based on IPsec with Zyxel USG 20 and 50? Then it should work with the InternetBox, right?
Greetings
Neanderthals
Hello Gianni
Thanks for the quick reply. Of course I have the current FW 3.30 (7) on it. The external IP is displayed on the WAN interface (logical, because I forward it). Are you absolutely sure that this is no longer necessary? I previously had problems with a CentroGrande, which also couldn’t do this function. So I want to be sure before I order something new.
The DMZ will hardly help because, as far as I know, only ports (not even all) can be forwarded to a specific internal IP address, but not the external IP address.
Greetings
Neanderthals
Hello
Question: Is there anything new on this question? I’m also waiting for the IP forwarding function on the InternetBox. I need this for the P-P VPN which terminates on firewalls.
Background: Currently P-P VPN with Zyxel USG, VDSL router and Centro Piccolo as well as ISDN. If ISDN is no longer available, I will probably have to switch to VoIP, then I need the InternetBox if I want to use all the functions of IP telephony, but how do I then do P-P VPN to permanently connect my two locations?
I’m looking forward to the solution.
Greetings
Neanderthals
Hello
I would like to go back to the original question “Is it possible to connect two Internet boxes (1x house A, 1x house B) directly via VPN?”
I currently also have a VPN connection between two locations with Zyxel USG50 and USG20. This works wonderfully, but I don’t have InternetBoxes for VDSL termination but rather the “old” VDSL routers or Centro Piccolo.
As far as I know, you need the IP forwarding functions for the VPN. With this function, the external, public IP address is passed on from the modem to the Zyxel USG. As far as I know, this function is not available on the new InternetBox, so I’m wondering how you got it to work without this function?
NB: I don’t have any licenses for the UTM functions either, AV runs on all clients anyway, in private environments the anti-spam and content filter are not necessary, if only IDP.
Greetings
@SamuelD wrote:
Hello everyone,
towards the end of March we expect a firmware upgrade that will fix some of your problems. As already mentioned, a firmware downgrade is possible as a short-term and not ideal solution.
Kind regards,
SamuelD
Hello Samuel
Of course it would be exciting to know whether the problems that make IPsec tunnels impossible or hindered will be solved in the FW. By the way, the tunnel is sometimes built and “holds”. But once it is closed, it can no longer be rebuilt. Sometimes traffic through the tunnel works, sometimes not. Therefore not usable!
What would be the disadvantages of a downgrade (“non-ideal solution”)?
Why does a FAULTY firmware only take months to improve, but that should happen within days? We just want the previous functions back.
Greetings
neo
Hello
I’m currently having a problem with an IPsec P2P VPN between a Centro Grande (6.02.02) and Motorola Netopia 7357-84 (7.8.5r5).
Both VDSL routers run in IP passthrough configuration. Behind each is a ZyWall USG 50 or 20 which creates the IPsec VPN P2P tunnel. Both ZyWalls also have L2TP configured and both report their IP via DynDns.
Sometimes the IPsec P2P VPN tunnel is established but no host behind it can be reached (not even with ping).
L2TP works perfectly on the ZyWall with the Motorola Netopia, but never with the ZyWall behind the Centro Grande.
I have already checked the VPN IPsec configurations numerous times and cannot find any errors.
I can’t shake the feeling that with the IP forward (IP passthrough) on the Centro Grande with 6.02.02 something is wrong. Does anyone have similar experience or even an idea for a solution?
Greetings neo