Introduction
I’ve been through many network designs over the years and pretty much every UK ISP. A great design I settled on for business-grade VDSL connections uses a separate router on the front end with a firewall behind it. How do you do that over PPPoE without an ugly double-NAT situation, I hear you ask? Well, read on, as this is exactly what this post is about.
Solution
The trick that can be used here is that the same IPv4 address can exist on multiple router interfaces, provided each interface carries a different mask. One of the best UK ISPs out there is Zen. They offer a static IPv4 address by default and a /48 IPv6 prefix. You can, however, take them up on their offer of a /29 IPv4 prefix, which is what allows this design to be implemented. The PPPoE interface will be assigned a static address from your /29 block; however, it will actually be a /32 assignment. The first physical Ethernet interface is used to run the PPPoE session to the VDSL modem. A secondary physical Ethernet interface can then be used for the untrust prefix. I also added a third interface on my router as an IoT WLAN; this can be achieved using VLAN interfaces if your router only has two physical Ethernet interfaces, but I won’t go into details here.
So how does this look in practice?
The WAN (PPPoE) interface therefore carries a /32, whilst the untrust interface uses the same address with a /29 mask. You can then utilise all of the remaining IP addresses in your /29 prefix on your firewall, or even implement failover firewalls, which is a topic for another blog post. IPv6 is considerably easier, as there is no shortage of address space. Zen will assign a dedicated /64 prefix on the WAN side and will route your /48 to you. The obvious configuration is to use the first available /64 from your /48 prefix as your untrust, but of course technically you may use whichever prefix you’d like.
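As an added example (not code from the original post), here is a small Python script that derives this addressing plan from the ISP-assigned prefixes and rejects inputs that break the design, such as a block that is not a /29 or a WAN /64 carved out of the routed /48. The prefixes used are constructed documentation-range values, not a real Zen allocation.

```python
import itertools
import ipaddress


def build_plan(ipv4_block, router_index, ipv6_block, wan_v6, untrust_index=0):
    """Derive router/firewall addressing from the ISP-assigned prefixes.

    ipv4_block: the /29 routed to you; router_index: which usable host the
    router takes (0 = first).  ipv6_block: the routed /48; wan_v6: the /64 the
    ISP places on the PPPoE link; untrust_index: which /64 of the /48 (0 = first).
    """
    v4 = ipaddress.ip_network(ipv4_block, strict=True)
    v6 = ipaddress.ip_network(ipv6_block, strict=True)
    wan64 = ipaddress.ip_network(wan_v6, strict=True)
    if v4.version != 4 or v4.prefixlen != 29:
        raise ValueError("design expects a /29 IPv4 block")
    if v6.version != 6 or wan64.version != 6 or v6.prefixlen != 48 or wan64.prefixlen != 64:
        raise ValueError("design expects a routed /48 and a /64 on the WAN")
    if wan64.subnet_of(v6):
        raise ValueError("the WAN /64 must not be carved from the routed /48")
    hosts = list(v4.hosts())  # a /29 yields six usable addresses
    if not 0 <= router_index < len(hosts):
        raise ValueError("router_index is outside the /29's usable range")
    router_v4 = hosts[router_index]
    # Walk only as far as needed: a /48 contains 65536 /64s.
    untrust64 = next(itertools.islice(v6.subnets(new_prefix=64), untrust_index, None))
    return {
        # PPPoE side: IPCP hands the router a /32 host address; the ISP link /64 sits here too.
        "pppoe": {"ipv4": f"{router_v4}/32", "ipv6": str(wan64)},
        # Untrust side: the same IPv4 address with the /29 mask, on-link gateway for the firewall(s).
        "untrust": {"ipv4": f"{router_v4}/{v4.prefixlen}",
                    "ipv6": f"{untrust64.network_address + 1}/64"},
        # The rest of the /29 is free for the firewall (or a failover pair).
        "firewall_ipv4": [str(h) for h in hosts if h != router_v4],
        "firewall_ipv6_prefix": str(untrust64),
    }


def plan_is_valid(*args, **kwargs):
    """True when build_plan accepts the inputs, False on a design violation."""
    try:
        build_plan(*args, **kwargs)
    except ValueError:
        return False
    return True


# Constructed sample (documentation ranges, not a real allocation): 203.0.113.8/29 and
# 2001:db8:1::/48 routed to us, 2001:db8:ffff:1::/64 on the PPPoE link.
SAMPLE_PLAN = build_plan("203.0.113.8/29", 0, "2001:db8:1::/48", "2001:db8:ffff:1::/64")
```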
This gives you a more leased-line-style internet service while using a pretty common VDSL connection. Ideally I’d like to see the UK move to FTTP on a larger scale to increase bandwidth; however, considering the UK is lagging behind with internet infrastructure, this is a solid setup that will last until better circuits are readily available.