I’m not a big fan of the free-ish routers you get from your internet provider in Switzerland. Most devices are just cheap “crap devices” and they lack even slightly advanced features. Therefore I always go with a Ubiquiti Edge Router!

I like Ubiquiti a lot, as I’ve found their devices to be rock solid (more or less at least) and their software is quite nice. If you’re an Ansible user, you can also automate the whole configuration with it!

Internet providers in Switzerland

As mentioned before, internet providers in Switzerland often provide free routers or the like. And even if you decide to go with your own hardware, they often give you an ONT (Optical Network Terminal) for your fibre internet. Thus, you usually have to connect the provider’s ONT to the fibre port and your lovely router via Ethernet to the ONT.

This works as expected, but there’s a drawback. You have just one more device, one more layer of complexity, one more thing that can fail or malfunction from time to time. Trust me, I’ve been there and you don’t want to troubleshoot a FritzBox or the like!

So, if your router has an SFP interface, then you might want to connect it via fibre SFP directly to the fibre network of your internet provider. In Switzerland, there are a couple of them who allow you to do that.

iWay

I’m a bit biased and I always go with iWay, because:

  • They officially allow me to attach my fibre router directly (just mention “direct attached” on your registration)
  • Their customer service is friendly & responsive: they answer the phone immediately and reply to support tickets very fast
  • Their support is remarkably good, never seen that on another Swiss internet provider so far

My hardware

This is the hardware I’m using to direct attach my router to the fibre network:

I think this hardware should work for most of the Swiss internet providers / OTO fibre connectors.

My configuration

Here’s what I had to configure to get the directly attached fibre router up & running with iWay.

Firmware update

Update the router firmware to version 1.10.8 or later. There are two reasons to update the firmware:

  • Security enhancements (of course)
  • Proper speed selection on the SFP port

Unfortunately, leaving the SFP port on auto negotiation didn’t work for me, as the remote site (iWay or SAK) didn’t respond very well to it. The link didn’t want to come up. The old firmware only allowed me to set the port to 100/full. After the firmware update, I was able to select 1000/full and I immediately got a link up!

Interface configuration

On the Dashboard, configure the eth5 port as follows:

  • Enable: Check
  • Address: Use DHCP
  • MTU: 1500
  • Speed/Duplex: 1000/full (important, Auto negotiation won’t work)

The corresponding CLI commands are:

set interfaces ethernet eth5 address dhcp
set interfaces ethernet eth5 description WAN
set interfaces ethernet eth5 duplex full
set interfaces ethernet eth5 speed 1000

NAT

In the Firewall/NAT tab under Port Forwarding, configure the following settings to set up the correct routing:

  • WAN interface: eth5
  • LAN interface: (whatever your LAN interfaces are)

Also in the Firewall/NAT tab but under NAT, add a new Source NAT Rule to masquerade your outgoing traffic:

  • Description: WAN masquerading
  • Enable: Check
  • Outbound Interface: eth5
  • Translation: Use Masquerade
  • Protocol: All Protocols

The corresponding CLI commands are:

set port-forward lan-interface switch0
set port-forward wan-interface eth5

set service nat rule 5000 description 'WAN masquerading'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth5
set service nat rule 5000 type masquerade
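
To verify that a router still carries the settings above (for example after a firmware upgrade or a restore), the following added example, which is not part of the original post, checks the text printed by `show configuration commands`. The interface name eth5 and rule number 5000 come from this post; the function names and the sample input are constructed for illustration.

```shell
# Added example: check exported EdgeOS "set" commands against this post's WAN/NAT setup.
# Print the value of the first "set <path> <value>" line ($1 = config text, $2 = path).
cfg_get() {
    printf '%s\n' "$1" | sed -n "s|^set $2 \(.*\)\$|\1|p" | head -n 1 | tr -d "'"
}

# Return 0 if the config matches the post's setup, 1 otherwise ($2 = WAN port, default eth5).
check_wan_config() {
    cfg=$1; wan=${2:-eth5}; rc=0
    speed=$(cfg_get "$cfg" "interfaces ethernet $wan speed")
    duplex=$(cfg_get "$cfg" "interfaces ethernet $wan duplex")
    [ "$speed" = "1000" ] || { echo "FAIL: $wan speed is '${speed:-unset}', expected 1000"; rc=1; }
    [ "$duplex" = "full" ] || { echo "FAIL: $wan duplex is '${duplex:-unset}', expected full"; rc=1; }
    pf_wan=$(cfg_get "$cfg" "port-forward wan-interface")
    [ "$pf_wan" = "$wan" ] || { echo "FAIL: port-forward wan-interface is '${pf_wan:-unset}'"; rc=1; }
    # Find a masquerade rule and make sure it is bound to the WAN interface.
    rule=$(printf '%s\n' "$cfg" | sed -n 's|^set service nat rule \([0-9]*\) type masquerade$|\1|p' | head -n 1)
    if [ -z "$rule" ]; then
        echo "FAIL: no masquerade rule found"; rc=1
    else
        out=$(cfg_get "$cfg" "service nat rule $rule outbound-interface")
        [ "$out" = "$wan" ] || { echo "FAIL: NAT rule $rule masquerades on '${out:-unset}', not $wan"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $wan pinned to 1000/full, NAT rule $rule masquerades on $wan"
    return "$rc"
}

# Constructed sample input: the commands from this post in "set" form.
SAMPLE_CFG="set interfaces ethernet eth5 address dhcp
set interfaces ethernet eth5 description WAN
set interfaces ethernet eth5 duplex full
set interfaces ethernet eth5 speed 1000
set port-forward lan-interface switch0
set port-forward wan-interface eth5
set service nat rule 5000 description 'WAN masquerading'
set service nat rule 5000 outbound-interface eth5
set service nat rule 5000 type masquerade"
check_wan_config "$SAMPLE_CFG"
```

To check a real router, save the output of `show configuration commands` to a file and pass its contents as the first argument instead of the sample.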

Test connectivity

You should now see a public IP address on the eth5 interface. To test the connectivity, work through the following steps:

  • Run ping example.net from your shell
    • If that works, you’re ready to go
    • If that doesn’t work, continue to the next step
  • Run ping 1.1.1.1 from your shell
    • If that works but not the above, then you might want to check your DNS configuration
    • If that doesn’t work, continue to the next step
  • Ping 1.1.1.1 from the Edge Router (via WebUI on top right corner or via SSH)
    • If that works but not the above, then you might want to check your NAT rules
    • If that doesn’t work, check the WAN port configuration, your firewall or check with your internet provider

I’d recommend using your own DNS or Cloudflare’s DNS servers (1.1.1.1 & 1.0.0.1). You can also use Google’s DNS servers, but I’m not a big fan of Google collecting and correlating all your data!

