I currently use a 50 Mbit/s / 10 Mbit/s VDSL plan from O2 (Telefonica) to connect to the internet. The plan includes a FritzBox 7490 which might be okay for the average user but did not allow me to configure more sophisticated networks.
Freifunk circumvents this problem by connecting each node to a gateway outside of Germany through a VPN. I do trust the people who operate the Freifunk network in my city, but the device can still be compromised by a malicious attacker from within the Freifunk network. Therefore I wanted to separate my home network into virtual LANs using 802.1Q.
Also I do not trust devices that are configured, updated and rebooted remotely by any manufacturer, in this case AVM GmbH. How do I know they are not flashing a firmware that is able to do deep packet inspection? It’s all closed source!
So I bought a rather cheap hardware platform that features two Gigabit NICs: one will be used for the PPPoE uplink to an Allnet ALL126AS2 VDSL2 modem, and the other is a trunked link to a managed switch which serves as a “port expander”. The internal VLAN configuration may be explained in another article.
First I needed to configure the modem for my connection.
VDSL2->Profile Config section I selected
Also one should check that the device is in
OpenBSD PPPoE Config
As previously stated, the first NIC will be used for the PPPoE
connection. Since the chip is a Realtek 8168, the interface name
This file brings up
O2 (Telefonica) is in most parts of Germany only a reseller of VDSL2 products by Deutsche Telekom. I did not pay attention in school, is that capitalism or socialism? This is the reason why you need to experiment to find the correct VLAN for your connection.
I simply used my laptop running Arch Linux and
find the correct VLAN. You should try VLAN IDs 7, 8, 11, 12 and 13 for
Telefonica connections. If you end up with 7 or 8, you know that in
reality you are using a T-DSL (Deutsche Telekom) connection.
Once you know the VLAN you can create a file similar to this one:
Only the PPPoE config is now missing:
After a reboot or
sh /etc/netstart the PPPoE connection should
Secure your device before connecting to the internet:
- Enable pf (always use protection, kids!)
- Limit sshd to your internal network, disallow root login, disallow password authentication
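
One way to verify the sshd items on this list before the uplink goes live, added here as an example and not part of the original post. The function name `audit_sshd_config`, the sample config and the address 192.168.1.1 are constructed assumptions; only the global section (everything before the first `Match` line) is checked.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the global section of an
# sshd_config for the checklist items. sshd keeps the FIRST value it reads
# for a keyword, so a later "PermitRootLogin no" does not fix an earlier "yes".

audit_sshd_config() {
    # $1: path to an sshd_config. Prints one FAIL line per finding and
    # returns 1 if there is any finding, 0 otherwise.
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split fields
        /^#/ || NF == 0 { next }               # comments and blank lines
        { key = tolower($1); val = $2 }        # keywords are case-insensitive
        key == "match" { exit }                # stop at the first Match block
        key == "listenaddress" {
            listen++
            if (val ~ /^(0\.0\.0\.0|::|\[::\])(:[0-9]+)?$/) wild++
        }
        key == "permitrootlogin" || key == "passwordauthentication" {
            if (!(key in seen)) seen[key] = tolower(val)   # first value wins
        }
        END {
            bad = 0
            if (seen["permitrootlogin"] != "no") {
                print "FAIL: PermitRootLogin is not \"no\""; bad = 1 }
            if (seen["passwordauthentication"] != "no") {
                print "FAIL: PasswordAuthentication is not \"no\""; bad = 1 }
            if (listen == 0 || wild > 0) {
                print "FAIL: sshd listens on every address; set ListenAddress to the internal IP"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: root login left enabled, sshd bound to the LAN address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ListenAddress 192.168.1.1
PermitRootLogin yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` prints the effective configuration if you want to cross-check the result.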