SOLVED

Hardware firewall for Swisscom Internetbox 3?

mpro
Level 3
3 of 10

Can anyone recommend a hardware firewall to connect to an Internetbox 3?
I am not sure the built-in firewall of the IB3 is secure enough.

ACCEPTED SOLUTION: post 4 of 10 by Black Mamba (below).

9 Comments
mpro
Level 3
1 of 10

I live outside of Lausanne and I have an Internet-Box 3 router connected to Swisscom by G.fast technology. Our building has fiber optics (FTTC) and a Huawei MicroCAN box, installed in the basement, that delivers the fiber optic signal over the older copper wires that previously carried VDSL2.
I am on an Internet L subscription at 500/100.
For about 1 year now (since just before the lockdown in March 2020), my router has been going down unexpectedly 2 or 3 times a day (the LED goes red and forces me to switch the box off and on).

Three Swisscom technicians came to my home one after the other to troubleshoot the issue. The router was replaced with a new Internet-Box 3. My copper line network was analyzed, in the apartment and in the building. No errors were detected. A Swisscom technician wanted to swap my connection port on the MicroCAN of the building temporarily, for troubleshooting purposes, but the last available port of the G.fast MicroCAN cabinet is defective (!).

They reduced the speed, implemented several profiles, changed the signal-to-noise ratio (6/6, 9/9, 15/15, etc.), to no avail.

Ultimately, a technician managed to stabilize the line at a signal-to-noise ratio of 6.3/6.4 for several months, from May 2020 to the end of January 2021.

I had no interruptions for several months and my router remained stable from May 2020 to the end of January 2021.

Since February 4, 2021, it has started to go down again: 2 or 3 interruptions per day (the router's LED turns red and I have to switch it off and on again or do a reset; to no avail).

The interruptions always take place at a time when internet traffic is fairly active, e.g. 11:30, 14:00, 14:30, 17:00, 19:20, 21:00. No interruptions in the evening after 22:30 or in the morning.

The problem is that the Swisscom technicians do not detect any errors on their side and my support case is stuck at level 2. They would need further data to be able to escalate to level 3 support.

Apparently, my neighbors have no problems! However, since the MicroCAN G.fast cabinet, installed in the basement, has no port available, we cannot test on another port.

If a Swisscom technician or a network-savvy person has any idea or suggestion, you are most welcome.


Black Mamba
Level 3
2 of 10

@mpro

> Apparently, my neighbors have no problems! However, since the MicroCAN G.fast cabinet, installed in the basement, has no port available, we cannot test on another port.

Perform a port swap test on the MicroCAN G.fast cabinet using the port of an understanding neighbor.

After a few days this will tell you whether the port on the MicroCAN G.fast cabinet is the source of the problem.

Another option would be to install the beta version of the router firmware (11.03.30).

It is very stable and available for the Internet-Box 3 via the link in German:

Aktualisierung der Internet-Box Firmware - Hilfe | Swisscom

If this does not change anything, it is always possible to revert to the current version:

Current firmware for Internet-Box 3 (November 2020): 11.01.30


Black Mamba
Level 3
4 of 10

@mpro

Thanks for the contribution.

If you need to add protective layers, look at Zyxel, Cisco, Ubiquiti, Netgear ...

Security Firewall // Zyxel

Cisco Secure Firewall - Cisco

Ubiquiti - UniFi® Security Gateway

NETGEAR: Networking Products Made For You


mpro
Level 3
5 of 10

Thanks to Black Mamba, I now have the choice of several hardware firewall solutions for my IB3.

Cf. thread https://community.swisscom.ch/t5/Router-Hardware/Hardware-firewall-for-Swisscom-Internetbox-3/m-p/67...

I am considering purchasing a Zyxel USG Flex. However, I am completely lost when it comes to physically connecting the 2 devices together, namely the Swisscom IB3 and the Zyxel firewall, and configuring the IB3's interface.

To my IB3, I have 3 physical ethernet connections: 1 to my Apple Mini, 1 to my Epson printer and 1 to my WAN Box 2 (connected to Swisscom TV and to a gigabit switch).

I also have multiple WiFi devices. All the NAT address translation is done by automatic DHCP in the IB3.

Cf. the photo below. Currently, the Internet port of the IB3 (purple) is the G.fast connection. In October, we will have 10 Gbit/s and the purple plug will be replaced with a fiber optic plug.

How do I connect the Zyxel USG (or other) to the IB3?

I have LAN1 and LAN2 ports available.

I would like the WAN (internet) traffic to be filtered by the Zyxel firewall, but I'd like to keep the NAT in the IB3.

How do you configure the IB3? Is it with a static route?

Thanks for detailing the steps, because I am really lost with this.

[Photo: IB3 with WAN and Ethernet ports]


Tchris
Level 3
6 of 10

Well, it's marked as "solved", but the "solution" seems to be for an earlier question.

Sorry …this is very looooooong.

My two (very old, now retired) Zyxel USG just about fire-walled 100 Mbps …turning on other Unified Threat Management (“UTM”) stuff dropped throughput down to ~20 Mbps.

My current firewall is specced for 1 Gbps WAN …but I only get ~300 Mbps from Swisscom so cannot verify this spec in practice.

Fire-walling 10 Gbps WAN needs serious hardware!

Check the specs: not a lot of “consumer” stuff can handle 10 Gbps throughput. The biggest Zyxel Flex I can find on the web (the 700) claims 5.4 Gbps firewall (only) throughput, dropping to 1.3 Gbps with the UTM stuff running.

Check out Zyxel annual licence costs for the UTM add-ons before you buy. Ask yourself if the UTM stuff is actually useful in a world moving to https, and whether you want to add complication with a proxy so the firewall can actually see what is in the encrypted traffic.

Back to connecting your firewall.

IB cannot be bridged: you will always “enjoy” its router function whether you want it or not.

The extreme option is to abandon the Swisscom IB in favour of a 3rd party device (keeping the IB available for when Swisscom support needs to intervene …they won’t accept any complaint from you if you are behind a 3rd party device).

The delicate option is to config the IB so that your firewall is DMZ.

If you choose either of the above options, your firewall will need careful configuration if you don’t want to get pwned.

The mystery option is to run your firewall as a “transparent” fire-wall (if it is capable): “mystery” for me because I have never bothered to look into “transparent” firewalls.

The lazy option is Double-NAT:

inelegant - possibly;
breaks online games - maybe;
breaks accessing local services from outside - probably;
easy as falling off a log - certainly!

I’ve run double-NAT for more than three decades and am perfectly happy …it just works.

If you are new to fire-walling and you don’t run externally available services and you are not a manic gamer, go for double-NAT as follows:

IB runs LAN (192.168.1.0/24 for example) as usual.
IB talks LAN to TV set-top-box (wired if possible).
IB wifi OFF if set-top-box is wired.°
IB talks DECT to phones (if you have Swisscom HD phones).
IB talks (wired) to your (client-isolation capable) Access Point for guest/IoT.
Set your firewall WAN port to e.g. 192.168.1.200 (reserve this address in the IB DHCP table).
Firewall gets NATted WAN (wired only, please!) from IB and then adds its own NAT (= double NAT).
Firewall serves DHCP to protected LAN/VLAN clients.
…your firewall connects exactly as your Mac Mini currently connects to one of the IB LAN ports.

DMZ setup is the same except you tell IB that your firewall is the DMZ ...essentially telling IB to forward all inbound (good & bad) to firewall.

You might want to think about your backbone — given a dozen clients expecting to enjoy the 10 Gbps connect, a 1 Gbps shared wire might get crowded.

My net’s pinch-point is firewall to structured-cabling patch-panel — I use 10 Gbps for that connection.

Consider adding (free) pfSense to your list of firewall candidates.

This link

https://drakeor.com/2021/04/14/setting-up-pfsense-as-a-router/

is the story of someone setting up pfSense on old hardware and achieving 6 Gbps throughput.

pfSense can do pretty much everything the commercial stuff does and there are zero licence costs.

If you have spare cash, Netgate will happily sell you a pre-configured 10 Gbps pfSense appliance (they have no presence in CH, I got mine shipped from a UK dealer).

If you do decide to try pfSense, I can strongly recommend adding the (free, of course) pfBlockerNG-devel package …it stomps on around half a million tracking/phone-home attempts a month on my little net. It also stomps on adverts.

Chris

° It’s just me - I have always hated ISP-provided WiFi gear, and my first configuration step is to turn it OFF.

IloveIB
Level 3
7 of 10

There is no need for an additional firewall. You think that it adds additional security? Definitely not. Just marketing. If you have security issues or concerns, then you should start with the devices in your home network AND teach the users how to behave.

From a firewall perspective the IB3 is more than enough.

It is so funny that people believe they can add security and control by adding more and more devices. Sorry to say.

Formerly work, now a hobby.
Tchris
Level 3
8 of 10

@IloveIB You are, of course, entitled to your opinion.

It should not surprise you that my opinion differs.

Swisscom IB “firewall” can block unsolicited INBOUND connections.

And?

For sure, blocking unsolicited inbound is a good and necessary thing.

Just about every modern ISP modem/router can do that.

My firewall adds a second layer of the same, plus some other stuff that I find useful.

Around 4 million scam/malware/tracker/phone-home/advertising sites are blocked OUTBOUND.

A few dozen military/government sites are blocked OUTBOUND (I don’t know if NSA, FSB, SVR or their Chinese equivalents have anything interesting on their sites in a language I can read, but I prefer not to have my public IP address showing up in their logs).

DNS, NTP, etc. are blocked OUTBOUND and redirected to the firewall’s DNS, NTP, etc. servers that use MY choice of external providers.

When my grandchildren are a little older, the firewall will be tweaked to block porn, violence, and other undesirable sites.

I could add geographic blocks (not 100% effective with TOR, VPN, botnets, IP addresses being bought & sold). I could add IDS/IDP (not effective for HTTPS without a proxy to shed the encryption) …and a whole slew of other stuff that I have not yet bothered with. ALL of it FREE.

NetAdmin & Private LANs are completely isolated from each other.

Guest & IoT LANs are outside the firewalled zone: these devices cannot talk to NetAdmin or Private devices, and cannot talk to each other (they use the IB unsolicited-inbound firewall, of course).

IB firewall does that?

One of the big-name supermarket chains in Switzerland has two ways to log in to online shopping: loyalty card or e-mail address. Does IB tell you that one of those two logins launches three 3rd-party trackers?

Is it a security issue that 3+1 companies record my purchase of a six-pack of beer and a bunch of bananas? No!

Obviously I must tell the supermarket what I’m purchasing, but have I agreed to provide this information to these three 3rd parties? No!

My firewall blocks over 500,000 unwanted OUTGOING connections every month without getting in the way of any legitimate activities. My modest 300/100 Mbps internet connection is marginally faster for all users when advert requests to the internet are redirected to a one-pixel web page on my firewall, and trackers drop dead.

Is my firewall a waste of money? NO — it’s FREE if you can repurpose an old PC, and only a few hundred frs for new hardware if you can’t!

Is my firewall a waste of time? NO — 5 minutes “admin” each month, unless it blocks something that I might be persuaded to allow …the allow fix is one-click quick …persuading me takes much longer.

I switch to polycarbonate-lens spectacles at the shooting range: they won’t stop a bullet, but they will stop an errant ejected case — some folk may judge this pointless or overcautious …it just happens to be my choice.

Adding a firewall is pretty similar — you can’t stop a determined state entity, you can’t protect a truly stupid user, but…

Shorts & t-shirt /or/ full leathers when riding a Harley?

Google /or/ DuckDuckGo searches?

Zuckerberg /or/ not?

…so many choices!

Chris
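As an added example (not from this thread, Swisscom, or any firewall vendor), the double-NAT plan Tchris laid out in post 6 plus the outbound DNS/NTP redirect he mentions above, written as an nftables ruleset for a Linux box used as the firewall. Interface names eth0/eth1 and the 192.168.10.0/24 protected subnet are assumptions; the IB3 side uses his 192.168.1.0/24 with the firewall WAN reserved at 192.168.1.200.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example, not taken from the thread):
#   eth0 = firewall WAN, plugged into an IB3 LAN port, static 192.168.1.200
#          (reserved in the IB3 DHCP table), default gateway = the IB3
#   eth1 = protected LAN 192.168.10.0/24; the firewall is 192.168.10.1 and
#          runs its own DHCP, DNS resolver and NTP server for those clients
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.10.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iif "lo" accept
        # protected-LAN clients may reach the firewall's own DHCP, DNS and NTP
        iifname $LAN udp dport { 67, 53, 123 } accept
        iifname $LAN tcp dport 53 accept
        # ICMP from the IB3 side (ping, path MTU) is fine; all other
        # unsolicited traffic arriving on the WAN side hits the drop policy
        iifname $WAN ip protocol icmp accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        # only the protected LAN may initiate flows toward the IB3/internet;
        # nothing on the IB3 side (TV box, guest/IoT AP) can initiate inward
        iifname $LAN oifname $WAN accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # DNS/NTP sent by LAN clients to any external server lands on the
        # firewall's own resolver/NTP instead (the "redirected" in the post)
        iifname $LAN udp dport { 53, 123 } redirect
        iifname $LAN tcp dport 53 redirect
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # second NAT layer: LAN sources leave as 192.168.1.200, then the IB3
        # NATs them again to the public address (= double NAT)
        ip saddr $LAN_NET oifname $WAN masquerade
    }
}
```

Load with `nft -f <file>` and enable forwarding (`sysctl -w net.ipv4.ip_forward=1`); the DMZ variant from post 6 needs no change here, since the same drop-by-default input and forward chains absorb whatever the IB3 forwards in.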

mpro
Level 3
9 of 10

@IloveIB

@Tchris

I didn't go for an additional hardware firewall. I kept the firewall rules of the IB3 on 'strict', and did the same for all my other macOS devices.

I went for a software VPN solution (multi-hop) combined with AdGuard and another ad-blocking scheme.

This is working well so far, and it reduces tracking and phishing attempts.

I agree that using your brainware and common sense is the best safeguard.

I have been on the web for well over 30 years, since we had to launch pppd scripts on Linux to connect to the web with Lynx, then Mosaic, using a modem that made a screeching noise that scared the hell out of my cat 😉

I have had the time to witness the course of deceit mechanisms contrived by the most savvy geeks.

However, new users or non-techies like my wife are not aware of all the tricks of the trade.

Indeed, teaching users is key, but it takes a long, long time to learn the proper mechanisms so that they become second nature.

Thanks for your input.


Black Mamba
Level 3
10 of 10

@mpro

Thanks for the feedback.

Very wise choices and decisions 👍