Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Iam_TJ]

I've been concerned for some time at how difficult it is to securely manage the authentication, remote access, and firewall aspects of combined CPE modem/router devices, and the Zyxel devices in particular since I have several.

I'd prefer to have the VDSL modem separate from the rest of the functionality as was the case with the original Openreach HG612 modem. Unfortunately these combined devices usually have better performing xDSL chipsets.

As I'm currently planning a new installation with multiple incoming VDSL links I decided to spend some time thinking about how it might be possible to create the required isolation on an existing combined modem/router.

Essentially the PPP authentication, firewall, RA/PD/DHCP, and DNS would be done on another (fully open-source) Linux device (RasPi?) as if the modem/router were in bridged mode but on the LAN side the Ethernet ports and WiFi would be used as normal (rather than being redundant as is typical in bridge mode).

This would also allow easy implementation of a VPN server on the 'edge' to prevent ISPs snooping on/mangling/blocking traffic.

My experience with configuring local VLANs on the VMG8{9,3}24 devices made me realise there might be a way to do this by isolating the ATM/PTM interface on a VLAN connected to another device for PPP authentication, etc., and the LAN/WiFi side connected via another VLAN.

So, two questions:

• Has anyone attempted this on any combined modem/router device?
• Is anyone interested in this functionality if I developed a custom firmware?

[smf22]

Not entirely sure I follow, but I think what you're asking can be done based upon what's shown in ZyXEL VMG8324-B10A - Bridge Mode for FTTC.

I followed this recently and have a setup with a ZyXel VMG8924 in bridge mode connected to a Ubiquiti EdgeRouter-X. The ERX establishes the PPPoE session, is the firewall, DHCP server etc., with a number of VLANs for the private LAN, private WiFi, Guest WiFi etc. I connect a second port of the ZyXel to a spare port on the ERX so I can access the ZyXel via telnet, SSH etc., but also use its WiFi if so desired.

[Chunkers]

Would it be easier to just bridge your VMG* to pfSense / OPNsense or other router?  You can't use your VMG ethernet pojnts but lots of people have done this and software wise they offer pretty good security (from what I have seen)

You could also maybe try a router with an open-source firmware with better security and options like OpenWRT?

Sorry if I have completely missed the point.....

Chunks

[j0hn]

I use both my vmg8924/vmg1312 in bridge mode, only handling the vdsl connection.
My router does the PPP/DHCP/firewall/VLANS.
I'm sure that's how most Kitz users use their ZyXELs

[Chrysalis]

when the device is bridged it is on a different ip subnet, so not accessible from the lan/wifi unless a specific configuration allows it to be.

[Iam_TJ]

Not entirely sure I follow, but I think what you're asking can be done based upon what's shown in ZyXEL VMG8324-B10A - Bridge Mode for FTTC.

I followed this recently and have a setup with a ZyXel VMG8924 in bridge mode connected to a Ubiquiti EdgeRouter-X. The ERX establishes the PPPoE session, is the firewall, DHCP server etc., with a number of VLANs for the private LAN, private WiFi, Guest WiFi etc. I connect a second port of the ZyXel to a spare port on the ERX so I can access the ZyXel via telnet, SSH etc., but also use its WiFi if so desired.

This is interesting. The guide you link to describes the scenario I'm aiming for exactly! Thank-you.

My main aim is not to lose the router/WiFi, USB file/print server, USB 3G backup functionality.

I guess I couldn't see the wood for the trees; because I've always focused on the combined functionality and never messed about with it in Bridge mode, coupled with my experience of the bugs around configuring isolated VLANs that get saved across reboots, I assumed the configuration couldn't be saved and would need recreating manually after a reboot.

You've saved me many hours and days of re-inventing the solution