Welcome Back Fiber7!

After nearly 10 years, I’m finally back on fiber and with my favorite internet provider Init7!

At the end of 2022, a company in service of Swisscom installed fiber connections in the cellar of the building I’m living in. Getting any information on the timeline of the availability was however quite a frustrating journey. I tried to get information from the company that installed the fiber connections, from my landlord, from Swisscom, from Init7, from the EWZ, from the EKZ, and from the city. None of them could give me any information and everyone just pointed to a different company that should know about it. Then, early September, I saw a van from another fiber installation company around the area and after running the internet checkers again, it finally showed that starting October I could order fiber.

Lo and behold, here we are and I have Fiber7 in my home again, but this time not “just” symmetrical 1Gbps, but symmetrical 10Gbps! No, I don’t need that speed, but there’s no price difference between 1Gbps and 10Gbps, so…

Why Init7?

This isn’t sponsored or anything, I just really like the company’s values. They stand for net neutrality, have fair peering policies (even if some seem to heavily disagree), and don’t shy away from pointing out and reporting malpractices of the biggest (and monopolistic) ISP in Switzerland, and winning the case. And finally, they have an awesome backbone, where I don’t have to leave their network when communicating with something across the great lake.

Free Router Choice

Init7 also gives people free choice on the router side. Given the 10Gbps, I wanted something that gets kind of close, while still being consumer friendly – I don’t have a server room to put large and noisy equipment. As such I went with the MikroTik RB5009UG+S+IN, which offers 10Gbps switching, a 2.5Gbps port – which is the fastest speed any of my devices currently support – and seven 1Gbps ports, and since I didn’t want another power supply for my Ubiquiti Wifi access point, I got the version with PoE (Power over Ethernet).

Picture of the MikroTik RB5009UG+S+IN router

Configuration

It runs RouterOS, which still feels slightly familiar, but has changed a lot since 2014. As such it took me a few minutes to find my way around the web panel again.

Unfortunately, there’s no configuration provided by Init7 for this router model, but we can have a peek at the configuration provided for a different MikroTik router running RouterOS. Additionally, we can use Michael Stapelberg’s blog post for some more insights and of course the excellent MikroTik wiki.

Making It Work

Note: If you feel uncertain of your changes and fear misconfiguring everything, remember two things:

  • You can do a factory reset at any point in time. The configuration is lost, but you should be able to start from a non-broken configuration.
  • You can enable Safe Mode, which will revert the configuration changes if the router becomes inaccessible. Be aware, though, that a configuration change which itself makes your router inaccessible (e.g. changing the device’s IP) will also be reverted. So do make sure to save other changes beforehand and disable Safe Mode for such changes.

By default the MikroTik router runs a DHCP server and hands out leases for 192.168.88.1/24. Port 1 is configured for WAN, and the remaining ports are configured for LAN and joined in a bridge. Plugging into any of ports 2-8 will give you an IP, and you can then connect to 192.168.88.1 in your browser. The default password is provided with the device and you’re prompted to change it after the first login.

The first step is to update the router firmware, to ensure that we’re running the latest version. For that I could just plug my existing network into port 1, which gives the router access to the internet. Then a quick update check under System > Update. After that, I isolate the router from the other network again, ready for reconfiguration.

Next we want to use the SFP port for the WAN and use port 1 on the LAN side:

  • Remove the SFP port from the bridge
  • In the interface lists
    • Change the SFP port to the WAN list
    • Change port 1 to the LAN list
  • Add port 1 to the bridge
  • Change the DHCP client to the SFP port

RouterOS Interface List showing the two lists LAN with the interface bridge and WAN with the interface SFP

Now, you should be able to insert the fiber cable into the SFP port, get a public IP and browse the internet via Init7!

Making It Right

It’s recommended to replace the default admin user by adding a new user with full access and then deleting the default user. You’re required to log in again after that change.

I want my network to live on 192.168.1.1/24, as such I change the IP pool (IP > Pools) to 192.168.1.50-254. Then we also need to change the DHCP server network to 192.168.1.0/24 with the gateway set to 192.168.1.1 and whatever DNS server you prefer – I’m using my local Pi-hole instance.

Next, the router, i.e. our gateway, should also have the IP that we’ve just set. Change it to 192.168.1.1/24 with the network 192.168.1.0.

Wait for the network change to take effect or force an update by plugging into a different port. Then reconnect to the router on the new IP.

Finally, we want to disable services that we aren’t using, such as telnet, ftp, etc. Make sure to keep at least one of the ssh, winbox or www services, so you continue to have access to the router’s configuration.

The MikroTik wiki also lists a bunch of additional changes that you may want to consider to secure your router further.

Make It Fast Route

Depending on what services you’re running in your network, you may want to ensure that traffic is getting to the right place.

Port Forwarding

If you run a webhost or other services which need to be reachable from the vast internet, you can configure a so-called port forwarding. If you’re used to other routing software, you might try to set up a forward firewall rule, but as port forwarding is part of the NAT, it is listed in a separate tab next to the other firewall rules in RouterOS.

Over the past 10 years, there seem to have been some changes to the recommended approach here: one no longer needs to specify the public IP address, but can use the WAN interface list as the input interface instead.

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=80
add chain=dstnat protocol=tcp dst-port=443 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=443

In plain English this means that all TCP traffic arriving on the WAN input interface list with the destination port 80/443 should have its destination “NAT-ed” to 192.168.1.10 on port 80/443.

NAT Hairpin / Loopback

When you try to access your own public IP address or call a domain that points to your public address from within the same network, you run into an interesting situation with your router, as the source traffic isn’t coming from the WAN interface, so your configured dst-nat rules don’t apply, but you’re also not going anywhere external, as the IP is assigned to your own router.

That’s where we need some special rules, which are referred to as NAT Hairpin or NAT Loopback. We essentially allow the internal traffic hitting the public IP to be rerouted to another host within the network.

First we create a new IP/address list, so we have the public IP address in one place in case it needs to be updated. You can of course replace PUBLIC with any other term.

/ip firewall address-list add list=PUBLIC address=<IP>

Next we add two rules to redirect the traffic from the router to the destination host via a masquerade action.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 out-interface-list=LAN action=masquerade
add chain=dstnat dst-address-list=PUBLIC action=dst-nat to-address=192.168.1.10

In plain English this means:

  • Any traffic from within the network (src-address) should have their IP addresses rewritten (masquerade) and be forwarded to the destination address on all the LAN output interfaces.
  • Any traffic destined for the PUBLIC address list should have the destination changed to 192.168.1.10.
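
The hairpin dst-nat rule above has no protocol, port or in-interface matcher, so it also matches packets that arrive on the WAN for any port. The following Python model of first-match dstnat evaluation is an added example, not code from the original post or from MikroTik; the address 203.0.113.7 is a constructed placeholder for the PUBLIC list entry, and NARROWED_RULES is an assumed tightening that is not in the post.

```python
# Minimal first-match model of the RouterOS dstnat chain (added example).
# PUBLIC_IP is a constructed placeholder from the documentation range.
PUBLIC_IP = "203.0.113.7"
ADDRESS_LISTS = {"PUBLIC": {PUBLIC_IP}}

# The three dst-nat rules from the post, in the order they were added.
ARTICLE_RULES = [
    {"protocol": "tcp", "dst-port": (80,), "in-interface-list": "WAN",
     "to-address": "192.168.1.10", "to-ports": 80},
    {"protocol": "tcp", "dst-port": (443,), "in-interface-list": "WAN",
     "to-address": "192.168.1.10", "to-ports": 443},
    {"dst-address-list": "PUBLIC", "to-address": "192.168.1.10"},
]

# Assumed tightening (not in the post): the hairpin rule only matches
# web traffic that enters from the LAN interface list.
NARROWED_RULES = ARTICLE_RULES[:2] + [
    {**ARTICLE_RULES[2], "protocol": "tcp", "dst-port": (80, 443),
     "in-interface-list": "LAN"},
]


def matches(rule, pkt):
    """A matcher that is absent from a rule matches every packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and pkt["dst_port"] not in rule["dst-port"]:
        return False
    if "in-interface-list" in rule and rule["in-interface-list"] != pkt["in_list"]:
        return False
    lst = rule.get("dst-address-list")
    return lst is None or pkt["dst"] in ADDRESS_LISTS[lst]


def dstnat(rules, pkt):
    """Return (new_dst, new_port) of the first matching rule, else None."""
    for rule in rules:
        if matches(rule, pkt):
            # Without to-ports, dst-nat keeps the original destination port.
            return rule["to-address"], rule.get("to-ports", pkt["dst_port"])
    return None


def packet(in_list, dst_port, protocol="tcp", dst=PUBLIC_IP):
    return {"in_list": in_list, "protocol": protocol, "dst": dst, "dst_port": dst_port}


if __name__ == "__main__":
    for name, rules in (("post", ARTICLE_RULES), ("narrowed", NARROWED_RULES)):
        for pkt in (packet("LAN", 443), packet("WAN", 443), packet("WAN", 22)):
            print(name, pkt["in_list"], pkt["dst_port"], "->", dstnat(rules, pkt))
```

With the post's rules, a WAN packet to port 22 is rewritten to 192.168.1.10:22; with the narrowed rule the model returns None for it, so the packet is not forwarded to the internal host.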

Speeeeeed

There’s just something about hitting those 100+MiB/s download speeds. 🤩

Speed Test: Download 2312.57 Mbps, Upload 2373.22 Mbps, Ping 1 ms

Steam Download Speed: Current 179.8 MB/s, Peak 185 MB/s, Total 5.9 GB, Disk Usage 240.3 MB/s

Riot Games Download Speed: 111.8 MB/s (Updating)
