Router ROUTER and again RoUtEr :D

First of all, thank you @POGO 1104 for the quick feedback.
Considering that I have an IB3, I am grateful for all the reports of experiences with the new IB4.
If the IB4 really runs better than the 3 series then it would be worth an upgrade, because I know the MikroTik routers well.
Operating it via console is also no problem and the Mikrotik routers really offer everything I need to tinker with. Something like a MikroTik RB5009 would be great.

Thanks also to you @r00t for the quick feedback.
I first thought of something along the lines of an integrated service router with an SFP module on XGS-PON but apparently that doesn’t work at all or did I misunderstand something?

With the IB3, the throughput is actually enough for my big tower.
My Aorus Z590 Pro AX board has exactly one 2.5Gbit port and so I’m currently making full use of the IB3 (at least the RJ45 ports of the IB3).
The only difference is that I can’t fully utilize the NAS’s network card. Theoretically, it can handle 12 GB with 3 network adapters, each 2×1GB and 1×10Gb, although that only works with NVME read/write cache and enough RAM (I already have cache. 512GB Samsung Drive should be enough, RAM is on the way). Your idea would then come into play with the IB4 or with a bridge.

I’ve wanted to create a DMZ for a long time but I haven’t quite figured out why the IB3 then opens all the ports. Then I would have to set up the firewall on the NAS again even though it’s already running on the IB3 and actually I urgently need the DMZ. because my NAS can be accessed openly on the network via DDNS and port forwarding.
If only the necessary ports are activated, I aim for the comfortable protection of a DMZ 🙂)))
Of course I changed all the ports and didn’t use standard ports, but the dynamic ones in the range from 49K. Nevertheless, there is always an uncomfortable feeling.
Especially when Polish IP addresses try to access the NAS via SSH protocol…

You mentioned that some use a: Nokia XS-010X-Q.
After extensive research, I have now read that the Zyxel PM7300 is also on the BBCS equipment list. So that would also be a possibility.
But there’s no such thing as a router with a direct SFP+ module connected to the Swisscom Fiber network?
I would have imagined something like the MikroTik RB5009UPr+S+IN (mikrotik-store.eu) and then directly to the glass socket But if Swisscom says it’s not supported, it would still be worth the risk to me.
But if that’s not compatible anyway, then I’ll just connect the MikroTik to an IB4, then I can slowly save myself having to research the SFP modules 🙂) The thing with the router and switch is actually a requirement, so I don’t want to just do that Use a “router bridge”, but actually connect a switch-capable router directly to the Swisscom line.

Hi @r00t.

You already know the list 😉. And so far I haven’t seen an SFP+ module that is approved on XGS-PON without the note “currently supported only <insert swisscomkiste>”. @user109 please shout out if I just said crap.

---

Yes, unfortunately the list does not offer such an option, so I would really have to get the IB4 if I wanted the 10GBit WAN port.

Uh - so you have a WAN workload that would do more? If you’re just interested in increasing the LAN speed, then you’re looking for a 10G switch to connect the clients to. Then the traffic from the NAS to the PC goes directly via the switch, without a router (nothing needs to be routed)

---

That’s right, now I’m just realizing that I don’t have any device that is actually capable of a workload of 10 Gbit/s externally. My Lenovo laptop usually runs via WiFi and I always need that for vocational school. This is currently the device that generates the most workload from the outside of the NAS.
If the WLAN allows it, I can shovel my system image backups onto the NAS at around 500 MBit/s and that is light years away from 10 GBit/s.
And the rest of my family only uses the NAS as a storage box anyway, so 1GBit would be enough.
At most a couple of smartphones access it from outside…

Thanks @r00t for the valuable input, I probably wouldn’t have thought of it myself. 😄

Internally the whole thing looks different again.
A switch is definitely needed, would it be possible to manage VLANs with just one switch or does the router also have to be able to do this so that it also works externally.

So maybe a 10GBit switch is really enough for me.

ATTENTION: the “DMZ” mode does not isolate your device. The only thing it does is forward any incoming traffic that does not hit its NAT table to the defined device. I would rather call it an “Exposed Host” or “Bastion Host on the LAN”. This (unfortunately) has nothing to do with DMZ in the sense of “isolation from the LAN”.

This “bridge mode for the poor” is suitable for a firewall behind the IB so that you only have to do port forwarding etc. once - but completely unsuitable for a NAS. For the NAS, please only open the ports that you absolutely need. Personally, I only use port forwarding - namely the one to my WireGuard server. This way you can greatly limit the potential attack surface.

---

Thank God I never activated this but always do individual port forwarding. 😎

Do you mean the Wireguard VPN? I’m on the open network with the NAS because of the extremely low data throughput with the IB4’s VPN.

Well, technically speaking, every IB and Fritzbox is a router - so yes 😉. But you can’t just slide an SFP+ module into any router, that’s the way it is.

---

Yes, I was hoping that there would be a way to connect such a fancy Mikrotik directly, but well maybe that will happen at some point. 🙏

---

@andiroid wrote:

Great discussion. Valuable information. No unnecessary dogmas. 🥇

@Yoda420 Be sure to tell us about your experiences with your specific implementation. 👍

-Andiroid

👽

---

Absolutely great feedback and great input. I will definitely test my setup and share the results and experiences here in the thread.

---

@POGO 1104 wrote:

---

@Yoda420 wrote:

First of all, thank you @POGO 1104 for the quick feedback.
Considering that I have an IB3, I am grateful for all reports of experiences with the new IB4.

---

The IB4 is actually a drilled out IB3, except that it has a built-in XGS-PON SFP and that it has a 10GB LAN port. In terms of software, there are no differences between IB3 and IB4.

But as I read between the lines above, the 2.5GB port on the IB3 is enough for you, then you can stay with the IB3.

Only if you want to “push” more than 2.5GBit on the WAN side do you need the IB4 and of course the Internet L subscription (and of course a server outside on the WWW that has a transfer rate of more than 2.5GB/s.. ..)

---

So far I only need half a gigabit from the outside… It’s just my laptop backed up to the NAS and the network adapter on my Lenovo L13 is light years away from 10GBits. I’m noticing more and more that I don’t need a 10Gbit WAN port because no more than 1Gbit comes into the internal network from the outside.

---

@Yoda420 I think Mikrotik has an SFP with XGS-Pon, but it is not supported by the OLT (Huawei) in the Swisscom headquarters.

Since the data is shared by all participants on the OLT, the SHA 256 encryption must work, otherwise you will have problems with all connection participants on the OLT.

Every participant session is SHA 256 encrypted.

That’s why it’s important that the parts are certified by the BBBCS.

---

Brilliant, but how does the addressing work? How does the ISP know which router to address if we also share the IPs? Does this happen with the MAC address? Theoretically, you’re in a network from the ISP with the external IP? Questions after questions… 😅

I would recommend using a Nokia Bridge.

Pure access without any fuss.

I have a CRS326-24S+2Q+RM home with Synology RS1619xs+ with 2x glass 10 Gbit/s connection.

I am very satisfied with the switch, which can be used very flexibly either as Cooper 10Gbit/s or 10Gbit/s Fiber or as a router. Dual boot capable.

---

That’s exactly what I was thinking of: CRS326-24S+2Q+RM but first in the direction of the router.
But I have now realized that I really only need the switch to achieve full speed in the internal network. From the outside, I only secure my laptop via WLAN, so 10GBits is a bit oversized.

---

With AWS nodes in Zurich I can achieve a maximum of 1 Gbit/s with the NAS.

If I were to set up direct access to AWS for a few tons, the data throughput would also be 10 Gbit/s.

---

Man nooo, mannnnn, I don’t even need a 10Gbit fiber optic subscription.
I would really like to use the full speed in the internal network with my Windows test server and my workstation tower.

@user109 @POGO 1104 @andiroid @r00t

Thanks guys for the valuable feedback.

I’ll probably get a MikroTik router/switch for now and then see if I even need the 10Gbit port of the IB4. However, based on the facts, I assume that I will definitely not need the IB4/third-party router.

LG
Yoda

Hi @user109

@Yoda420 if you want to know how XGS-PON works, there is a 200 page document from the ITU, but I can’t remember where in this forum.

I found it, see link below:

[https://community.swisscom.ch/t5/Internet-general/XGS-PON-Glasfibro-Wie-funktioniert-die-Rationierung/td-p/772106](https://community.swisscom.ch/t5 /Internet-general/XGS-PON-fiber-optic-how-does-rationing-work/td-p/772106)

---

Thank you for picking out the paper.
I’ll look at it gratefully, I’m really amazed at how it works.

---

Just this much:

IP’s are not shared, I believe that the ONT (XGS-PON clients) have an ID on the splitter (wavelength multiplex) and the session is assigned to each other on the OLT (server (internet machine)) using ID and SHA 256 encryption can be. No session has priority, but rather they are processed according to the backbone bandwidth using the session time slot procedure. The OLT are connected with a maximum of 2× 10 Gbit/s.

A maximum of 64 participants are connected per port.

A port card has 16 ports.

As you can see, XGS-PON is a very complex technology, so everything has to fit together.

Yes, I’m probably completely wrong in my assumption, I didn’t even know that there was such a complexity behind it.
Well, it’s no wonder when you consider the amount of data that has to be moved back and forth, given the number of participants in the network…

---

Even if the Freddy (Fiber7 (Nerd ISP)) offers 40 Gbit/s, you will hardly find a connection on the web that supports it.

The speed test server always shows you the booked speed nicely, but what can I do with it???

It’s just like you’re driving a Lambo in a 30-zone and everyone is admiring you, what a great car you have and you’re happy that you have it. But you don’t have any practical use.

That is exactly my goal, to expand my network so that it is optimized, the example with the Lambo absolutely corresponds to my situation.
I have my 10GB Fiber subscription.
The subscription is great, feels good and the speed test shows exactly the expected throughput, but there is no question of practical use of the subscribed capacity.

Unless you do the sciatic grip for a few tons per month.

A typical chicken egg problem.

When 1 Gbit/s fiber was introduced, there were hardly any connections that were faster than 200 Mbit/s.

---

The sciatic grip is too large for my home use scenario… 😉
But the idea is very tempting. By the sciatic grip you probably mean the fixed Anschluss right? ^^

With that in mind, thank you very much for your input and have a very pleasant week. 😊

LG
Yoda

@user109

What the heck is Direct Connect from AWS?
It sounds as if all the traffic is then routed directly to the customer by the ISP… Holy chestnuts going through documentation again🙌