alaska65

  • Joined
  • Level 1
  • Points 31
  • Posts 12
  • Solutions 1
  • Just for the sake of completeness, if anyone else has this requirement of blocking the LAN for the Synology VPN and comes across this post:

    When using OpenVPN in the Synology VPN Server, you can specify whether the clients are allowed to have access to the server LAN segment or not. ‘Allow clients to access server LAN’ is disabled by default (DSM 5.2).

    This would mean that all the ‘tinkering’ wouldn’t have been necessary - but the implemented solution also has some new great advantages 🙂

    For home applications, Sophos has a bootable ISO ‘Sophos UTM Home Edition’ which creates a nice UTM solution with a lot of possibilities from a PC with 2 network cards. If you don’t want to/can’t use a PC or don’t have a PC virtualized, you can also use an entry-level version of Sophos, the UTM 110/120, with a free home license, and install it on the box. This means you have web access, spam/phishing email filters, VPN, but also 10 licenses for Endpoint included - these licenses include the complete virus scanner for the PC/Mac/Android. The license allows networks with up to 50 IP addresses. That should usually be enough.

  • Due to the lack of ALLIP here in the village, I don’t yet have access to an IB (with or without +). I use a Fritzbox myself and am happy with it so far. But I want a TriplePlay provider and now I have to work out the various solutions.

    My question goes along the same lines as asked above:

    Does the IB have no way of defining a port as a DMZ, which means I can essentially put my UTM box completely out there and thus put the WAN port of the internal LAN ‘directly’ on the Internet -> so the UTM would offer all security-relevant and VPN options and serve my home network behind it?

    Above we talked about VLAN10:

    Does all Swisscom traffic come in separate VLANs? So telephony, TV and Internet in 3 separate VLANs? That would be important for understanding from time to time and if that is the case, you would have to set the packet size to 1492 in the home network gateway in order to do the repacking on the high-performance devices. If the data streams were separated, I would not be able to use a DMZ solution, for example, without establishing a separate VLAN - only for S-TV - on the internal LAN. This wouldn’t really be a problem with centrally routed cables.

    It would be nice to get some background information.

  • @user109 Logically, Mikrotik is something other than a ’people’s router’ from Swisscom.

    How many already know what VRRP is - and even fewer need it.

    I’m assuming that in this case you have attached the router behind the IB (as a DSL modem) as a DMZ and are just looping everything through? I don’t have an IB yet because I’ve been more than happy with the Fritz.Box so far (yes, except for the extremely late int. FirmWare versions).

    However, the decision for me is cable or DSL because our village saint thinks we have fiber optic - but only keep it open for the cable provider. I’m currently gathering information to find out what the better way is for the household. Hence the question as to whether you have put everything in the DMZ.

    The functionality with the new firmware of the IB goes quite far for private users - especially since my son can now happily attach his internal SIP telephones directly to it. Personally it would be more helpful to me if I could bind the SIP credentials directly to my Asterisk. But that is another topic.

  • @Anonymous Correct! This is what builders and e-planners are discussing.

    It makes no sense that a central area in apartments is still so rarely planned for an access point. The fact that the Swisscom glass connections end in the fuse box is also impractical, especially since all of the boxes so far haven’t even had space for clean patching and a central switch/firewall.

    I’ve already rewired several apartments and it’s not always easy. The glass extensions simply shouldn’t have the plug on them yet, otherwise you won’t be able to get them through the channels.

    But as I said, that’s something other people should discuss. It’s a bit like SmartHome - everyone wants it and no one wants to pay.

  • Stupid question but why shouldn’t this work with IB? It has DynDNS, a DMZ and what is missing?

    Apart from the fact that I personally use and prefer Synology with its cloud options.

  • Completely different question - from experience:

    Is your wiring cabinet covered with a metal door, as is usually the case?

    My colleague also had this and we replaced it with a plastic door for around 30 CHF and there were no more problems. Most of the time they are metal doors that are stable and cheap - but they massively shield the WiFi signal from spreading.

    Just knock on the door - or better yet, use a magnet. Leave the door open as a test and you will quickly notice what changes that makes. There are also great apps for smartphones to make the signal strength of the WiFi in the apartment a little more visible.

    PS: Keep the metal door and store it in a dry place. Not every apartment owner likes the exchange - all apartments are the same.

  • Hello Stephen

    That is correct.

    It’s about where a device should send its data - the gateway to the wide world, so to speak. The DNS server is the one that turns a ‘[www.swisscom.ch](http://www.swisscom.ch)’ into an IP address - a kind of phone book for networks. The device must also be able to send these requests to someone. In small (house) networks this is also the gateway. When it boots up, it receives one or more DNS servers from its counterpart on the website to which it then forwards the queries.

    It is therefore correct that the gateway and DNS servers in the network point to the Internet box.
