Messages - meyergru

#1
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 19, 2026, 10:14:40 PM
XGS-PON ONT prices are a lot higher than GPON ONTs. They often draw a lot more power, as well. As long as you do not have a rate > 1 Gbps, you can use a GPON ONT, because XGS-PON is mostly downwards-compatible. In Germany, there are only a few ISPs who already offer XGS-PON - we sometimes call it "digital diaspora".

In theory, one could have up to 2.5 Gbps downstream over plain GPON, BTW.
#3
We have to discriminate some things here. When you look at my NAT rules here (which of course address NTP, not DNS), you will notice three vital parts:

1. The interfaces to which the NAT rule should apply. This determines for which of your networks this rule applies. You are free to choose here and that also works for me when I only specify some interfaces.

2. The range of destination IPs and ports that will match. This will be ! (i.e. NOT) "This Firewall", which means: every OTHER DNS server than the firewall itself (regardless of which subnet IP you are referring to) - so it matches any request that does not directly use your firewall, so any external DNS server. Here, it is O.K. to use the set of IPs "This Firewall" to indicate an exclusion. The port would be 53 (DNS) instead of 123 (NTP).

3. The destination IP and port that the request will be redirected to. This must be a single IP, so the set "This Firewall" is plain wrong. You must give a specific target here and you want these requests handled by your firewall, thus, you use 127.0.0.1 to indicate it. The port for DNS also is 53.
#4
What does a redirect IP of "This Firewall" even mean? "This firewall" is the set of all addresses the firewall has.

Use an explicit IP like 127.0.0.1 and it will work.
#5
German - Deutsch / Re: Mini PC
February 19, 2026, 05:22:35 PM
Quote from: k0ns0l3 on February 19, 2026, 05:01:26 PM
It won't get any cheaper

Yes, it will: https://www.amazon.de/HSIPC-Firewall-Appliance-Router-i226-V/dp/B0CP1VZRG7 - there it costs as much with RAM and disk as it does at ipu-system without.
#6
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 19, 2026, 05:04:04 PM
You should talk to them directly, but I would think they want it covered, because when that breaks outside your house for whatever reason (e.g. vandalism), it is their obligation to fix it.

The ballpark for such things is 30-50€, as I already wrote. The Leox LXT-010H-D should work for Telekom, because they use VLANs (I still was unable to get it to work for DG). It costs ~31€. The Telekom Glasfaser Modem 2b is ~40€ and that should work with Telekom for sure...
#7
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 19, 2026, 04:52:46 PM
Really? Interesting. Both M-Net and Deutsche Glasfaser give you one. Either way, they are dirt cheap (30-50€). I just bought an LXT-010H-D from wisp.pl and that also has 2.5 Gbps.
#8
26.1 Series / Re: [SOLVED] NTP Redirect via DNAT
February 19, 2026, 04:48:56 PM
I would doubt that - unless you mix tagged and untagged traffic on the same physical interface and the rule somehow applies to your camera VLAN as well. You can look at /tmp/rules.debug to convince yourself of what gets thrown at pf.

P.S.: If you did the same as here, namely to redirect to "This Firewall": try 127.0.0.1 instead. Details matter.
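
Added example, not part of the original posts and not OPNsense code: a Python check for the three parts of the redirect rule described in post #3, run over text in the style of /tmp/rules.debug as suggested in post #8. It assumes the "This Firewall" alias is written as (self) in pf syntax; the sample lines and interface names are constructed.

```python
import ipaddress
import re

# Constructed sample in pf syntax (not copied from a real /tmp/rules.debug).
# Interface names are placeholders; "(self)" is assumed to be how the
# "This Firewall" alias is rendered.
SAMPLE_RULES = """\
rdr on vlan10 inet proto udp from any to !(self) port 53 -> 127.0.0.1 port 53
rdr on vlan20 inet proto udp from any to !(self) port 53 -> (self) port 53
rdr on vlan30 inet proto udp from any to (self) port 53 -> 127.0.0.1 port 53
rdr on vlan10 inet proto udp from any to !(self) port 123 -> 127.0.0.1 port 123
"""

# Simplified matcher for single-interface, single-port rdr rules only.
RDR = re.compile(
    r"^rdr\s+(?:pass\s+)?(?:log\s+)?on\s+(?P<iface>\S+)\s+.*?\bto\s+(?P<dst>\S+)"
    r"\s+port\s+(?P<dport>\d+)\s+->\s+(?P<target>\S+)"
)


def audit_redirects(rules_text, port):
    """Return [(interface, [problems])] for every rdr rule matching `port`."""
    findings = []
    for line in rules_text.splitlines():
        m = RDR.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue
        problems = []
        # Part 2: destination must be negated so external servers are matched.
        if not m["dst"].startswith("!"):
            problems.append("destination is not negated")
        # Part 3: the redirect target must be one literal IP, not an address set.
        try:
            ipaddress.ip_address(m["target"])
        except ValueError:
            problems.append("redirect target is not a single IP")
        findings.append((m["iface"], problems))
    return findings


if __name__ == "__main__":
    for iface, problems in audit_redirects(SAMPLE_RULES, 53):
        print(iface, "OK" if not problems else "; ".join(problems))
```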
#9
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 19, 2026, 03:14:39 PM
No. Not at all.

1. The ONT is normally provided at no cost from the provider. Unlike with DSL modems, ISPs actually want you to use their equipment, because they say that it makes their infrastructure more stable. Know that you still share an OLT port with other customers.

2. The fibre cabling ends at the ONT. So it is your choice on where you locate it (provided that you actually get FTTH, not FTTB, where this is a whole different story). From there, you need ethernet cabling to the WAN port of your router. The provider does not care about the in-house cabling with FTTH, that is your problem. Usually, the fibre ends somewhere in your basement with the ONT directly connected via a short fiber stretch near it. Thus, it is your choice: If you have existing ethernet cabling that leads to the ONT, then you use it. If not, you can either install ethernet cabling or install a longer fibre cable (which is really cheap) from the box to your ONT (which you place with your router).

There are multiple options available, for GPON and XGS-PON, this will always be single-mode fibre, usually with SC/APC or LC/APC ends, depending on sockets. Huawei has an interesting option for single-mode cables that you can glue to the wall and that are practically invisible (you can actually put paint on those):

https://www.youtube.com/watch?v=ls26PPutDMc

Those were developed for FTTR, but can also be used for this purpose.
#10
26.1 Series / Re: Odd defaults for RA and DHCPv6 ISC?
February 19, 2026, 02:04:23 PM
"Track Interface" is legacy now - what you probably want is now called "Identity Association". See: https://docs.opnsense.org/manual/interfaces.html

AFAIR the IPv6 changes were referenced in the 26.1 release notes, also.
#11
In that case, you should create a bug report on github for the plugin: https://github.com/opnsense/plugins/issues
#12
Use the "native" DynDNS backend - there are two Hetzner DNS variants - the old "legacy" and the new one.
#13
German - Deutsch / Re: Frage zur DHCP-Konfiguration
February 19, 2026, 11:03:42 AM
Quote from: Patrick M. Hausen on February 17, 2026, 06:33:13 PM
You wrote "the one IP". In my setup, the NTP server has a different one in every VLAN.

Of course I do it that way, too (likewise for the NTP server) - with that remark I only wanted to address the copy&paste problem - a single IP works as well.
#14
German - Deutsch / Re: Mini PC
February 19, 2026, 11:00:30 AM
The days when a passively cooled mini PC with an N1x0, 16 GByte RAM, 256 GByte NVME and 4x I226-V could be had for <300€ are probably over.
#15
If that is two different IPs from different subnets on WiFi and ethernet, then I guess your claim that there is no active DHCP server on the wired network is false. Setting DNS to port 0 may disable the actual DNS service for DNSmasq, but that does not say anything about what IP any DHCP server announces for the DNS service.