Go Back   DaemonForums > Miscellaneous > General Hardware

General Hardware General hardware related questions.

Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th May 2021
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,065
Default My Alix router is not directly connected to the Internet anymore.

Several years ago, our village got glass/optical fiber cable for Internet and TV.
One company laid he optical fiber cable, and we were free to choose between five Internet Service Providers.
At that time you could choose to have digital television through a set-up box, or select an option to keep your old coax cable television.

Because we don't watch television that much and because 40 channels was more than enough, we opted for the non-digital television. The TV signal arrived digitally to our house through IIRC a second optic fiber cable.
An adapter converted this digital TV signal to analog, that using a coax splitter, went to living room TV and a TV upstairs.
The Internet optical fiber cable through an Ethernet converter went to my Alix router. It used DHCP to get an IP address.

That worked well for several years. Our original ISP, Lijbrandt, was bought over by another Dutch ISP called Telfort and nothing changed for another couple of years.

Then Telfort decided to stop offering the analog TV signal and we had to switch to digital TV with a set-up box. And that meant renting two of these boxes.

What they did not tell us, that we could not have our OpenBSD PF router, the Alix, directly connected to the Internet anymore.
There is now one single appliance. an Experia 10, that provides WiFi, TV signal and Internet.

My solution was to turn off the WiFi, and connect the external NIC of the Alix to the Experia box.
That way I could keep my local ethernet LAN setup, a network as it is.

The external Alix NIC gets an IP from the Experia box, and continues doing Network Address Translation. Not to or from a 'real' IP anymore, but with a address that it receives from the Experia box as a dhclient.

My stand-alone WiFi access point is still connected to the second NIC of the Alix. My wired network still is on the third NIC.

Although I am now forced to do "Double NAT", I still can protect my wireless and wired network with OpenBSD's pf on the Alix.

How is the situation in your country? Can you still connect your router to the Internet, or are you, just like me, forced into doing "Double NAT"?
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 5th May 2021 at 03:08 AM. Reason: Clarify the Alix <-> Experia connection
Reply With Quote
  #2   (View Single Post)  
Old 5th May 2021
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027

We now have a fiber optic cable into the building where I live; it was installed a few years ago. Once it was all set up I thought they were offering service over it, but that was false. It took probably more than a year before one could purchase ISP service on it. However, I don't use it.

It was only about 3 years ago that I switched from dial-up, when that became totally untenable for various reasons. So I went to DSL, 6 Mbps, which is serving well so far at a reasonable cost. My router is connected directly to the internet. Hopefully I can stick with this setup for a long time, as I dread the day when the ISP has to install some kind of WiFi/modem/router thing in the home.

Regarding the general situation in Canada, well, it is complex, but to over-simplify, the oligopoly of large internet providers (telecom and cable companies) are required by law to sell their service wholesale to smaller ISPs at regulated prices, who then re-sell it to compete with them.

One question: Have you noticed any trouble with double NAT? I remember reading somewhere that it can cause problems in some cases, but I forget the details.

Last edited by IdOp; 5th May 2021 at 03:25 AM.
Reply With Quote
  #3   (View Single Post)  
Old 5th May 2021
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,065

Here in the Netherlands the situation is similar.

The companies that own the physical infrastructure have to allow other parties access to their network. BTW here this also applies to the electrical grid, and the natural gas pipeline infrastructure.
But it is also strange, although the fiber optical cable network is run by an "infrastructure administrating company", part of this company is owned by the mother company of a major ISP.

Re: double NAT

Up to now have not experienced any issue with it. Several weeks ago I attended a couple of Zoom teleconferences / get togethers. I used my Lenovo tablet that connects with WiFi and experienced no problems. I don't use IPsec that usually is problematic with NAT traversal.
The following shows that FTP works

$ ftp -a ftp.nluug.nl

Connected to ftp.nluug.nl.
220-Welcome to the FTP archive of 
220-The Netherlands Unix Users Group (NLUUG).
220-This server is located in The Netherlands, Europe.
220-If you are abroad, please find an ftp site near you.
220-Most information on this site is mirrored.


331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.


ftp> get SHA256
local: SHA256 remote: SHA256
150 Opening BINARY mode data connection for SHA256 (709 bytes).
100% |*****************************************************************|   709       00:00    
226 Transfer complete.
709 bytes received in 0.19 seconds (3.56 KB/s)
ftp> quit
A quote from NAT - Issues and Limitations states that FTP can be problematic:

Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-level gateway (see below), but fail when both systems are separated from the Internet by NAT. Use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.
As you can see it is not a problem here. But my Alix is using the OpenBSD built-in ftp proxy, that probably helps.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 5th May 2021
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,915

I still use a pair of carp(4)ed Alix machines as a high-availability home router.

I have switched back and forth between two large US ISPs (Comcast, AT&T) over the last 10-15 years; most often due to moving my home. For residential service, both of them provide a single "dynamic" IPv4 address that almost never changes. And both allow this Internet address to be used without double-NAT. However, there are limitations for the one I'm using at the moment, AT&T: while it doesn't require double-NAT it does require provisioning their gateway to assign the local router to its own DMZ.

IPv6 is different between the two ISPs also. Comcast offered a /64 delegation and that worked well for me. AT&T offers SLAAC services, but I have not been able to delegate any addresses from that /64 for use by my internal networks.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Using OpenBSD directly without a router bsd007 OpenBSD Security 21 2nd December 2017 03:19 PM
Routing/NAT problem setting up home wireless router on Alix board ritter_k OpenBSD General 11 17th November 2013 08:36 PM
PC Engines Alix 2d13 board J65nko General Hardware 3 20th January 2013 12:43 AM
Start only connected Nic at boot tolstoi NetBSD General 4 19th January 2012 01:49 AM
Connecting to internet via adsl router michaelrmgreen FreeBSD General 3 9th August 2009 12:29 PM

All times are GMT. The time now is 10:33 PM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick