As we already described in the previous blog post, our company is now connected to the UPC fiber-optic network.
Initially, putting this Internet router into operation is very easy: connect it, switch it on, join its WLAN from a notebook, run through the wizard, done. Most households are very well served by that. But we want more.
First, you have to know that UPC configures the Connect Box with IPv6. This standard has its advantages but also its pitfalls. To operate and address services such as a web server, a VPN or anything else behind the Connect Box in the classic sense, you have to contact the hotline and ask them to configure the Connect Box for IPv4. Only the hotline can do this; we end users have no access to that setting. It takes about 10 minutes including the router restart. Of course, the wizard has to be run again afterwards, since the Connect Box has to be reconfigured just like the first time.
From now on we would be ready to run web servers behind the Connect Box, but there are still a few points to consider:
1: Even if the Connect Box has its own firewall protection on board, we wanted to operate our own firewall behind it. We chose the ZyWall 110 so that we can also use the full bandwidth. In this configuration the ZyWall's WAN interface is simply connected to one of the four LAN ports on the Connect Box; in the ZyWall configuration only the WAN connection has to be set to DHCP. All devices in our network now sit behind the firewall's LAN port (P4), on a 48-port 1 GBit switch with an additional 4x 10 GBit ports. We configured this LAN port (P4) of the ZyWall to 192.168.100.1, which unfortunately led to problems. Why?
Our intention was to put an Internet router behind it with a separate firewall. This configuration is not ideal for performance reasons. Instead of running the Connect Box in normal mode, you could put it into bridge mode. The manual contains a small note that in bridge mode the Connect Box takes the IP address 192.168.100.1. In bridge mode, however, you have to do without the integrated telephone function. Wait a minute: the router has the same IP address as our firewall? This is not good. So we left bridge mode again and configured the Connect Box as a standard Internet router with IPv4 again. Nevertheless, our internet remained flaky: the connection dropped at sporadic intervals.
So the phone was picked up again; luckily we were put through to UPC second-level support with our problem. This nice gentleman explained to us that the Connect Box automatically activates the bridge-mode IP address at regular intervals even in normal mode, when the Connect Box is not in bridge mode at all. Oh, that's why we had internet failures at short intervals: two devices with the same IP address in the same network simply does not work. The solution was to give the firewall an unused IP address, in our case 192.168.100.2. Disadvantage: the gateway had to be changed to 192.168.100.2 on all network devices (PCs, printers, etc.). But the effort was worth it, since our network configuration is now implemented according to plan.
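The address collision above is easy to catch on paper before any cable is plugged in. The following is an added example, not code from the original post: a small Python check of a planned LAN addressing scheme that flags a firewall or host address colliding with an address another device may claim (here the Connect Box bridge-mode address from the post), duplicate addresses, and hosts whose gateway was not updated after the firewall moved. The host names and addresses 192.168.100.50/.60 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    gateway: str


@dataclass
class LanPlan:
    subnet: str            # subnet on the firewall's LAN port
    firewall_lan_ip: str   # address of the firewall's LAN port (P4 in the post)
    reserved: dict         # address -> why another device may claim it
    hosts: list = field(default_factory=list)


# Addresses other gear may take on its own. Reason taken from the post: the Connect Box
# periodically activates its bridge-mode address even while running as a router.
RESERVED = {"192.168.100.1": "Connect Box bridge-mode address, re-activated periodically"}


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan is clean."""
    findings = []
    net = ipaddress.ip_network(plan.subnet)
    fw = ipaddress.ip_address(plan.firewall_lan_ip)
    if fw not in net:
        findings.append(f"firewall LAN address {fw} is outside {net}")
    if str(fw) in plan.reserved:
        findings.append(f"firewall LAN address {fw} collides with {plan.reserved[str(fw)]}")
    seen = {str(fw): "firewall"}
    for h in plan.hosts:
        ip = ipaddress.ip_address(h.ip)
        if ip not in net:
            findings.append(f"{h.name}: {ip} is outside {net}")
        if h.ip in plan.reserved:
            findings.append(f"{h.name}: {ip} collides with {plan.reserved[h.ip]}")
        if h.ip in seen:
            findings.append(f"{h.name}: {ip} duplicates {seen[h.ip]}")
        seen[h.ip] = h.name
        # every device must point at the firewall, otherwise it has no way out
        if ipaddress.ip_address(h.gateway) != fw:
            findings.append(f"{h.name}: gateway {h.gateway} is not the firewall LAN address {fw}")
    return findings


def make_plan(firewall_ip, printer_gateway):
    # constructed sample hosts (assumption, not from the post)
    return LanPlan("192.168.100.0/24", firewall_ip, RESERVED, [
        Host("pc-01", "192.168.100.50", firewall_ip),
        Host("printer", "192.168.100.60", printer_gateway),
    ])


ORIGINAL_PLAN = make_plan("192.168.100.1", "192.168.100.1")   # what the post tried first
HALF_MIGRATED = make_plan("192.168.100.2", "192.168.100.1")   # firewall moved, printer not yet
CORRECTED_PLAN = make_plan("192.168.100.2", "192.168.100.2")  # the working configuration

if __name__ == "__main__":
    for label, plan in [("original", ORIGINAL_PLAN), ("half migrated", HALF_MIGRATED),
                        ("corrected", CORRECTED_PLAN)]:
        print(label, check_plan(plan) or ["ok"])
```

The reserved-address table is the important part: the Connect Box address is not visible in any DHCP lease or switch config, so it only ends up in the plan if someone writes it down, which is exactly what second-level support did for us over the phone.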
The next step was to test the promised internet performance. We opted for the 600 MBit package for 39.- per month (2 years) without frills.
So UPC keeps its promises.
Nice side effect:
Note: the Basic TV offer might not be enough at home, but it is enough to start with in a company. This means that sporting events can be followed live in the shop.
With these steps done, we are now able to commission web services behind the firewall. We tested a VPN server on a Synology. For a VPN server to work in this constellation, three UDP ports have to be forwarded to the corresponding device: a NAT rule for UDP ports 500 (IKE), 1701 (L2TP) and 4500 (IKE NAT traversal) must be set up in the firewall. For the VPN server behind the firewall to be reachable at all, these three ports must also be entered in the UPC Connect Box under "Advanced settings - Security - Port forwarding". It is important to note that the IP address entered there is not that of the actual VPN server or other service but the IP address of the WAN interface of your firewall.
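Because there are two NAT hops (Connect Box, then ZyWall), an inbound VPN packet only arrives if both hops agree. The following is an added example, not code from the original post or from any vendor: a Python model that traces an inbound UDP datagram through both forwarding tables and reports where it would be dropped, including the mistake of entering the Synology's address in the Connect Box instead of the firewall's WAN address. The addresses 192.168.0.10 (firewall WAN lease), 192.168.100.0/24 and 192.168.100.20 (the Synology) are constructed assumptions; the three ports are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Forward:
    """One port-forwarding / NAT rule: inbound proto/port -> target_ip[:target_port]."""
    proto: str
    port: int
    target_ip: str
    target_port: Optional[int] = None   # None means "same port as inbound"


# UDP ports an L2TP/IPsec server needs, as listed in the post.
VPN_PORTS = {500: "IKE", 1701: "L2TP", 4500: "IKE NAT traversal"}

# Constructed sample addresses (assumptions, not from the post):
FIREWALL_WAN_IP = "192.168.0.10"        # DHCP lease the Connect Box gave the ZyWall WAN port
FIREWALL_LAN_SUBNET = "192.168.100.0/24"
VPN_SERVER_IP = "192.168.100.20"        # the Synology behind the firewall


def find_rule(rules, proto, port):
    for r in rules:
        if r.proto.lower() == proto.lower() and r.port == port:
            return r
    return None


def resolve_inbound(proto, port, connect_box_rules, firewall_rules,
                    firewall_wan_ip=FIREWALL_WAN_IP, firewall_lan_subnet=FIREWALL_LAN_SUBNET):
    """Trace one inbound datagram through both NAT hops.
    Returns ((final_ip, final_port), None) on success or (None, reason) when it is dropped."""
    lan = ipaddress.ip_network(firewall_lan_subnet)
    hop1 = find_rule(connect_box_rules, proto, port)
    if hop1 is None:
        return None, f"Connect Box has no {proto}/{port} forward; packet dropped at the box"
    if hop1.target_ip != firewall_wan_ip:
        # the Connect Box only sees its own LAN segment; the firewall's LAN is invisible to it
        if ipaddress.ip_address(hop1.target_ip) in lan:
            why = "is behind the firewall, which the Connect Box cannot reach directly"
        else:
            why = "is not the firewall's WAN address"
        return None, f"Connect Box forward {proto}/{port} -> {hop1.target_ip} {why}"
    port2 = port if hop1.target_port is None else hop1.target_port
    hop2 = find_rule(firewall_rules, proto, port2)
    if hop2 is None:
        return None, f"firewall has no NAT rule for {proto}/{port2}; packet dropped at the firewall"
    port3 = port2 if hop2.target_port is None else hop2.target_port
    return (hop2.target_ip, port3), None


def check_vpn_path(connect_box_rules, firewall_rules, expected_server=VPN_SERVER_IP):
    """Return {port: problem-or-None} for each VPN port; all None means the chain is complete."""
    result = {}
    for port, name in VPN_PORTS.items():
        dest, err = resolve_inbound("udp", port, connect_box_rules, firewall_rules)
        if err:
            result[port] = f"{name}: {err}"
        elif dest != (expected_server, port):
            result[port] = f"{name}: ends at {dest}, expected {(expected_server, port)}"
        else:
            result[port] = None
    return result


# The working setup from the post: both hops forward the same three ports,
# the Connect Box to the firewall's WAN address, the firewall to the Synology.
CONNECT_BOX_OK = [Forward("udp", p, FIREWALL_WAN_IP) for p in VPN_PORTS]
FIREWALL_OK = [Forward("udp", p, VPN_SERVER_IP) for p in VPN_PORTS]

# The tempting mistake: pointing the Connect Box rule straight at the Synology.
CONNECT_BOX_WRONG = [Forward("udp", p, VPN_SERVER_IP) for p in VPN_PORTS]

# A partial firewall config that forgot NAT traversal on 4500.
FIREWALL_MISSING_4500 = [Forward("udp", p, VPN_SERVER_IP) for p in (500, 1701)]

if __name__ == "__main__":
    for label, cb, fw in [("correct", CONNECT_BOX_OK, FIREWALL_OK),
                          ("box points at server", CONNECT_BOX_WRONG, FIREWALL_OK),
                          ("firewall lacks 4500", CONNECT_BOX_OK, FIREWALL_MISSING_4500)]:
        print(label)
        for port, problem in check_vpn_path(cb, fw).items():
            print(f"  udp/{port}: {'ok' if problem is None else problem}")
```

The model assumes the ZyWall's WAN lease stays at the same address; in practice that lease should be fixed (a DHCP reservation on the Connect Box or a static WAN address), because a changed lease silently breaks the first hop while both rule tables still look correct.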
Of course, other web services can now also be added.
After a few stumbling blocks, it is worth taking the step of reconfiguring the Connect Box to IPv4 and operating a separate firewall behind it. Performance does not suffer, and security is massively increased.