OTish: Best free network manager- replace ClearOS? Maybe pfSense?

Your typical broadband router is really a bunch of things in the same box - a modem, a router, and a network switch.

Some can be like that, but it's more common to have the "modem" bit (i.e. the Optical Network Terminal (ONT)) as a separate box that presents its main interface on Ethernet. That expects you to establish a connection to the ISP using PPPoE (Point to Point Protocol over Ethernet).

Many (most, probably) customers will use the supplied router and find the user experience much the same as that on ADSL/FTTC etc. (except faster and more reliable).

You may have difficulty getting that setup depending on how flexible the new router is when it comes to configuring how its WAN interface works.

The Ethernet on the ONT is probably presenting a PPPoE connection. So the router that connects to it needs to be configured to feed your login credentials for the ISP to that to start the connection. Once that is done, you basically have what is in effect a very fast single "dial up" style connection to the internet.

To make that useful for a network you then need a router (with all the usual firewall, and NAT capabilities).

So if you want to slip another router in between the ONT and the supplied router, you will need to either configure it to fit the expectations of the other bits of kit, or alter the configuration of the other bits of kit to allow for it being there.

What facilities of the clearOS box do you actually need/use that are not provided by the supplied router?

It's not dissimilar from the way cable modem (DOCSIS) setups are usually configured.

Reply to
John Rumm

No. The new router will expect to be the primary gateway and will need to pick up its IP address using DHCP from the ISP.

Now you might be able to replace it with something home brewed, but don't expect any support from the ISP if you do.

What you need to do is create a network on your side of the supplied router and then use that as a sort of no man's land, and put your home brew router between that and the machines you are serving.

So: OpenReach thing -> New Router -> ClearOS NIC 1 -> ClearOS NIC 2 -> internal switch.

That will give you a vanilla interface that the ISP expects and can support, and allow you to do what you like behind the ClearOS.

Reply to
The Natural Philosopher

No need to run NAT on the second router.

Let the main one take care of all that.

Reply to
The Natural Philosopher

It would simply *never arrive* as there are no public routes for private networks.

< it would come in on your

If it did come in, but it can't.

And it all has to be routed through the public internet, which only knows one public address of your router - the '22.33.44.55' in your example.

The way to set this up is to have the immediate local side of the router at 192.168.0.x and e.g. set a default route on that router to tell it that the way to 192.168.100.x is via the ClearOS NIC1, i.e. 192.168.0.10 for example.

Clearos doesn't need NAT - it is simply routing between 192.168.0.0 and e.g. 192.168.1.0 networks.

Provided the main router recognises that source addresses on the 192.168.1.0 network are something it can reach via the NIC interface 192.168.0.10 on the ClearOS, it will happily set up proxy NAT ports for them.

That is, any number of machines on different networks can be NATTED by the main router as long as it knows that they exist on valid networks connected directly or indirectly to its LAN interface.

You merely need to set up STATIC routes in it, pointing to the NIC IP address of whatever router connects the main router to that network.

All the subsidiary router needs to do is DHCP, since that doesn't propagate across networks. It uses Ethernet broadcast, not IP as such. And it also needs to ROUTE via the router LAN address, so port forwarding needs to be on, and a static default route pointing to the main router needs to be set up.

So on the main router:

Disable DHCP server.
Retain DHCP client for WAN IP address from ISP.
Enable NAT.
Add static route to private network via ClearOS machine.

On the ClearOS machine:

Set up static addresses on the 192.168.0.0 network and 192.168.1.0 network.
Set up a static default route to the router LAN address.
Set up DHCP server to deal with the 192.168.1.0 network.
Use the ClearOS 192.168.1.x interface as the default route to be handed out via DHCP.
Set up DNS to be whatever - ISP's DNS server, maybe the router LAN address, or even the ClearOS box itself if it's running a DNS server.
Enable port forwarding so it can route, if this is not on by default.

Reply to
The Natural Philosopher
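To see why the static route on the main router matters, here is a small Python model, added as an example and not from the thread or any router's code, of the two routing tables the post describes. 192.168.0.10 (ClearOS NIC1), the 192.168.1.0 network and the public 22.33.44.55 come from the thread; the main router's LAN address 192.168.0.1, NIC2 at 192.168.1.1 and a PC at 192.168.1.50 are assumptions.

```python
import ipaddress

# Constructed topology. Addresses marked "assumed" are not from the thread.
MAIN_ROUTER = "192.168.0.1"     # main router LAN side (assumed)
CLEAROS_NIC1 = "192.168.0.10"   # from the thread
PC = "192.168.1.50"             # a machine behind ClearOS NIC2 (assumed)

ROUTERS = {
    "main": [("0.0.0.0/0", "wan"),            # default route towards the ISP
             ("192.168.0.0/24", "lan")],      # directly attached LAN
    "clearos": [("0.0.0.0/0", MAIN_ROUTER),   # static default route
                ("192.168.0.0/24", "nic1"),
                ("192.168.1.0/24", "nic2")],
}
ADDR_TO_ROUTER = {MAIN_ROUTER: "main", CLEAROS_NIC1: "clearos"}

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(start, dst, routers=ROUTERS):
    """Follow a packet from router `start` towards `dst` until it is
    delivered on a directly attached interface or handed to the ISP ('wan')."""
    path, here = [start], start
    for _ in range(8):                      # guard against routing loops
        hop = lookup(routers[here], dst)
        if hop is None:
            return path + ["no route"]
        if hop not in ADDR_TO_ROUTER:       # an interface, not another router
            return path + [hop]
        here = ADDR_TO_ROUTER[hop]
        path.append(here)
    return path + ["loop"]

def with_static_route(routers=ROUTERS):
    """Copy of the tables with the static route the post recommends on the
    main router: 192.168.1.0/24 via ClearOS NIC1."""
    fixed = {name: list(table) for name, table in routers.items()}
    fixed["main"].append(("192.168.1.0/24", CLEAROS_NIC1))
    return fixed
```

Without the static route, a reply the main router has de-NATted for the PC follows its default route out of the WAN, which is exactly the "it would never arrive" case; with it, the reply is handed to ClearOS and delivered on NIC2.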

Yes it is FTTP via OR

So my thinking (largely more to understand how it works) was that if I connect ClearOS NIC 1 directly to this ONT Ethernet port and set it to use DHCP, would that NIC then get an Internet IP address from the ISP (e.g. your 22.33.44.xx)? ClearOS would then act as the router with NIC 2 then connected to my 192.168.0.xxx, acting as the internal DHCP server etc. In this setup I wouldn't need the ISP's router - except for the VoIP stuff of course.

I don't really use the landline other than my alarm system. I was told that since the ISP router permits a normal phone to be connected to the router and "converted to VoIP" this may still work.

This is the setup I currently have. Not sure how NAT works in my setup. I assume ClearOS just leaves this to the ISP router when in Bridge mode but not sure TBH nor how to find out.

Yes, understand that bit. My "logic" was more about if the router / its firewall was compromised then it would allow hackers in, but my ClearOS setup with dual NIC had a hardware barrier (because of the dual NIC) stopping it. I think from the various comments above, my logic was not correct as the router has a "dual NIC" anyway (WAN and LAN) and the ClearOS software is akin to the router software, so in essence the 2 setups are the same. It then just boils down to how sophisticated the software is for my needs.

Reply to
leen...
<snip>

Mmmm if it does log in like the ADSL one does then I guess that probably scuppers my theory about not needing the ISP router and using ClearOS instead as not sure it supports that.

That is the million dollar question :) All I use at the moment is really DHCP and DNS. I tie devices to static IP addresses and also give them sensible names (e.g. LoungeTV) etc. In the current setup, the backup running takes a huge chunk of my small upload speed and tends to impact other devices so in theory being able to limit that would be good but.... I never did it and the new FTTP would be ample I suspect so maybe not needed.

Reply to
leen...

Fair point but assume that would be the case if I used any router other than the one they provided? When I get support from EE (current provider) they are able to "log in" to my router to get info etc.

Yes this is exactly my current setup (not sure how the potential double NAT situation works in this setup though as per comments above). In my mind I need the router currently to do all the ADSL stuff but if the ONT exposed an Ethernet interface was thinking maybe I don't *need* it hence my questions above.

Reply to
leen...

Sorry not quite sure what you mean by this. Using your subnets, the current setup I have is...

ISP Router (192.168.0.0) -> ClearOS NIC 1 (192.168.0.1) -> ClearOS NIC 2 (192.168.100.0) [DHCP server serves 192.168.100.xxx addresses to all devices] -> switch (192.168.100.1)

There is nothing else on the 192.168.0.xx subnet.

Looking at this PC, the ClearOS server has given it 2 DNS servers, 192.168.100.0 (so assume ClearOS then routes anything on 192.168.0.xxx to the other NIC) and 8.8.8.8 (Google DNS - which is the primary DNS set up on the ISP router so assume ClearOS has passed this on)

Not sure what ClearOS does re: NAT

If I understand your point correctly, I believe I have achieved this by setting the DNS server on downstream routers (i.e. the various ones around the house I use as Wifi hotspots) by setting their DNS server to be 192.168.100.0

Yep this is same as current setup

Assume this is done by default in the EE router as can't see it has the ability to switch it on/off.

Not sure what you mean by this. Is this to enable port routing from internet to internal (192.168.100.xx) IP addresses? I haven't got this set up in the current setup (at least that I know of)

yep that's how it is currently

Again, not sure what this does. As I recall (couldn't find it in the ClearOS UI for some reason) on ClearOS NIC 1, I have set up the DNS server to be the ISP router, i.e. if it knows nothing about it, forward to the ISP router to deal with.

yep although ClearOS also seems to send out the primary DNS from the ISP router

I think I have the latter?

Reply to
leen...

Well to be honest most ISPs will support a fair number of well known routers.

Look there is nothing to stop you stepping off the 'well supported, like everyone else does it' platform provided you understand the consequences.

You can roll your own twin NIC router and do everything you need on it and simply sell the EE router on Ebay.

What you will have to do on it, is set the WAN up using login credentials with PPPOE - just as you would with ADSL - and with DHCP to get the IP address and nameserver and default route for that interface from your ISP.

Then you need to set up static IP address for the router LAN interface, and a DHCP server attached to that interface, and a NAT setup to allow internal machines internet access.

Then, because you will now have a VOIP client *inside* the network, you need to set up VOIP and STUN servers and stuff like that, which I simply can't advise on, because I let my router do all that.

And you will need to buy some form of VOIP phone or server, and get EE to release their VOIP login credentials, or use a different VOIP service.

Now I *could* probably do all that, I have the technical background, but it would probably take me several days. When I used a draytek router I phoned tech support at IDnet and they told me the very few things I needed to do to connect via fibre. Took 30 minutes.

It's a sort of 'do you feel lucky today, punk' sort of scenario. I didn't feel lucky. I have a box designed to do all that and make it easy for support, and it's perfectly capable, as it happens, of doing probably everything you want.

In short you probably don't need a home brew solution at all. Or if you do, stick it behind the supplied router where the problems are less.

That's why I recommend you keep the supplied router and monkey around behind it to create your internal networks.

Duplicating all its functionality is quite a lot of work.

But if you want to do it, you can of course.

I think you can even get PC cards with telephone interfaces and run your own VOIP.

Reply to
The Natural Philosopher

I would simply replace/reprogram the ADSL router and leave everything as it is then.

Trying to put ClearOS UPstream of the ISP router is opening a large can of worms, not to say Pandora's box.

You then need to handle NAT, PPPoE, VOIP, DHCP client and probably DNS proxy on the ClearOS.

If you need to ask, you probably can't.

Reply to
The Natural Philosopher

He can use ClearOS for PPPOE but there are a couple of snags. I did the same with CentOS, probably unwisely. He will need to alter the config to use a kernel module for pppoe processing as the user-space code is too slow for FTTP. And if ClearOS uses an old version of rp-pppoe he will probably need to change the whole network to an MTU of 1492 or recompile rp-pppoe with some editing.

Reply to
Roger Hayter

Yeah, when I heard above it was an Ethernet connection from the ONT I hadn't realised it was still PPPoE and needed authenticating etc. So all in all definitely not worth getting rid of the new Vodafone router. Question is now whether it is worth keeping ClearOS (or replacement) or just use the router.

Reply to
leen...

You certainly don't need the ISP's router (I did not request one with my FTTP, and just connected the ONT directly to the WAN2 socket on my Draytek, with that WAN configured as a PPPoE connection).

The more doubtful bit is why use your own router (ClearOS) *and* the ISPs router?

It sounds rather like the ISPs basic router will do all you need then.

DHCP and some IP address reservations are supported on most.

Reply to
John Rumm

I have an ONT and a Vodafone router. The latter also has a POTS ATA socket on it.

I set up a Pi-hole and a PiVPN and a Ubiquiti wifi network.

I disabled DHCP, DNS and IPv6 in the VF router.

So the Pi-hole now handles DNS + DHCP.

The PiVPN handles WireGuard connections to all my mobile devices when they are using public wifi.

The Ubiquitis have a custom IP whitelist.

My next step is to add an EdgeRouter X so then I can set up a DMZ, a wifi net for the iPads/iPhones, a wired net and one for IoT / media streamers attached to TV sets.

Reply to
SH

Well, I didn't expect it to be THAT bad. But it does reinforce my point. It won't be an easy ride, but using a supplied router will be.

Reply to
The Natural Philosopher

Depends on whether you want to play with lots of networks and firewalls and so on.

For educational purposes do it.

For simply arriving at a solid secure network that 'just works' and has some ISP support, don't touch it.

I've got a NATTED network with public SSH and HTTPS connections to a server on it.

I haven't checked to see if it's being attacked by ratware, but it's never been compromised. Despite having several holes in its firewall - but then I am on a fixed public IP address so can set simple firewall rules.

The thing that causes most unwanted network traffic is Skype :-)

Reply to
The Natural Philosopher

I couldn't find the ability to reserve IP addresses nor add names but will take a closer look as it may be hidden somewhere in the menus - or I was not looking properly :)

Reply to
leen...

It's generally under 'DHCP configuration'

You should have the ability to:

(a) Restrict DHCP to a limited range of addresses so you can set static addresses in the unused range, and/or
(b) Issue DHCP addresses based on the client's MAC address.

Normally names are pushed to the server from the *client*. So in cartoon form the client does an *Ethernet* broadcast saying "I am called 'fred' and my MAC address is xx:yy:aa:bb:cc" and the DHCP server responds with a message to 'xx:yy:aa:bb:cc' saying "here's an IP address, netmask, default route, and DNS you can use for the following period". If it has an entry for 'xx:yy:aa:bb:cc' it will issue that IP address, otherwise it's round robin from the pool of allowable IP addresses.

The router will store the client's name, IP address, MAC address and lease time, so has the *potential*, if it's doing DNS proxying, to also be able to tell you on what IP address 'fred' resides.

Reply to
The Natural Philosopher
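The mechanism described in that post, as an added Python example (constructed here, not from the thread, ClearOS or any router firmware): a toy DHCP allocator with a restricted pool, per-MAC reservations, lease expiry, and the lease table a DNS-proxying router can answer "where is fred" from. The pool range, MAC addresses and the 192.168.0.1 router/DNS address are constructed sample values; reservations are assumed to sit outside the pool range.

```python
import ipaddress

class DhcpServer:
    """Toy DHCP allocator: a limited pool plus fixed addresses by MAC,
    with a lease table that doubles as a hostname -> IP lookup."""

    def __init__(self, pool_start, pool_end, reservations=None,
                 router="192.168.0.1", dns="192.168.0.1", lease_secs=86400):
        lo = int(ipaddress.ip_address(pool_start))
        hi = int(ipaddress.ip_address(pool_end))
        # Only this range is ever handed out; everything else stays free
        # for static addresses set on the devices themselves.
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.reservations = {m.lower(): ip
                             for m, ip in (reservations or {}).items()}
        self.leases = {}          # MAC -> {"ip", "name", "expires"}
        self.router, self.dns, self.lease_secs = router, dns, lease_secs

    def request(self, mac, hostname, now=0):
        """Client broadcast "I am <hostname>, MAC <mac>"; returns the reply
        sent back to that MAC, or None when the pool is exhausted."""
        mac = mac.lower()
        old = self.leases.get(mac)
        if mac in self.reservations:                # entry for this MAC
            ip = self.reservations[mac]
        elif old and old["expires"] > now:          # renew a live lease
            ip = old["ip"]
        else:
            if old:                                 # expired: back to the pool
                self.free.append(old["ip"])
            if not self.free:
                return None
            ip = self.free.pop(0)                   # next unused pool address
        self.leases[mac] = {"ip": ip, "name": hostname,
                            "expires": now + self.lease_secs}
        return {"ip": ip, "netmask": "255.255.255.0", "router": self.router,
                "dns": self.dns, "lease": self.lease_secs}

    def resolve(self, name):
        """Name -> IP from the lease table, as a DNS-proxying router could."""
        for lease in self.leases.values():
            if lease["name"].lower() == name.lower():
                return lease["ip"]
        return None
```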

Thanks..... On ClearOS you can also map name to IP address so can then give the device a different name. E.g. those where you can't specify a hostname (e.g. FireTV stick or the TV etc.). Not really a massive issue if I can't do it TBH as only really use it to easily see what devices are connected in ClearOS.

Reply to
leen...
