Home ISPs that provide /29 subnet (with or without a fee)

Hi,

I was wondering if people could suggest residential ISPs that offer a /29 subnet (FTTP)

Unfortunately it seems it's a dying option.

Zen:
No longer offer it at all for home users. You have to switch to a business package. The equivalent package to the top home FTTP is £15 more a month (with VAT), and then it's £6 more a month for the IP block, making the cost a whopping £21 a month more (and presumably having to sign a new contract too)

Aquiss:
Stopped offering it in April. They hope to offer it in Q4 again, but at a whopping £25 a month. Not affordable I'm afraid.

A&A:
(I haven't spoken to them but based on the website) do offer it, on request, no mention of fee on the website, but the equivilant package to the others (1gbps down unlimited data) is £85, a £30 increase over Zen and Aquiss prices. Also not affordable.

I'm very disappointed, does anyone know of other ISPs?

Edited by tidycosty (Thu 15-Aug-24 10:54:15)

Understandable given the monetary value and rarity of IPv4 these days, /29 deffo doesnt fall into typical consumer use either.

You trying to mix budget and enthusiast together which will be hard to do I think.

If your budget is only £50 month, is there not a way you can handle this with NAT?

Otherwise an option might be the business L2TP from AAISP on top of another ISP. £15 month so saving of a tenner over other options.

Speed capped at 600Mb/s. Single static IPv4, IPv6 block, plus additional /29 block of IPv4 available on request.

AAISP tells you about the IPv4 blocks and that there is no charge at the top of the page for their home broadband services.

"An additional block of four or eight IPv4 address is available upon request at no extra cost, contact our sales team"

https://www.aa.net.uk/broadband/home1/

Do be prepared to justify why you need a block though...

Back when there were more IPv4 addresses left it was just an area on their control panel to add your optional /29 or /30 block (you just had to tick a box confirming you'd read the rules and fill in for each IP what you were using it for).

Use the A&A L2TP service or start reverse proxying/using Tailscale/Cloudflare Tunnel etc. The requirement for a /29 can be worked around in a lot of situations.

I expect Cerberus do. I used to have a /30 included as part of my FTTPoD service from them, but I've since migrated to Aquiss and now only have a single IPv4 address.

The solution I have adopted is to use IPv6, and share my single static public IPv4 address between all servers. On the router I forward a bunch of IPv4 ports to a container which is running sniproxy to handle all inbound TLS services.

sniproxy reads the Server Name Indication (SNI) at the start of a TLS negotiation, and forwards the traffic to the IPv6 address of the server with the same name. In the DNS for each server I list an AAAA record pointing directly at the server, and an A record pointing at my single public IPv4 address.

The net result is: if I connect inbound to my network from an IPv6-enabled network it just goes end-to-end. If I connect from an IPv4-only network then it goes via the proxy. This all happens transparently. The proxy doesn't decrypt any traffic and doesn't need any certificates. I think haproxy can do this too, by the way.

Setting this up is a one-time job, saves you money, and gives you a lot wider choice of ISP. But it does require some networking and container know-how.

Also, you don't *need* to deploy any IPv6 for this - you can have the proxy forward to private IPv4 addresses inside your network. It's just I like the idea of bypassing the proxy when it's not needed.

What's the difference between all these subnets? Is lower better?

I do this actually for incoming services (as in I use ipv4 with looking at the SNI name to route traffic) - the issue was that I wanted to create a high availability pfsense cluster, and the only official supported way to do this is for each pfsense instance to have it's own ipv4 address, and then a shared ipv4 address for the actual WAN traffic.

I've resorted to setting this up an unofficial way that only one pfsense instance has internet connectivity (as they have to use the one ip), it's not ideal but it does work.

Edited by tidycosty (Tue 03-Sep-24 15:16:47)

The reasoning for this was to set up a pfsense ha cluster which needs 3 ipv4 addresses, otherwise, like you said, NAT works fine

Hmm, that depends then on exactly how the upstream connectivity is provided (PPPoE or IPoE)

If it's PPPoE then Googling turns up this:
https://forum.netgate.com/topic/135904/configure-an-...

If it's IPoE, you might get away with configuring private IPs for the pfSense WAN interfaces, and use the public IP address for the CARP VIP only. But I've not tried that.

Note that even if your ISP gives you a /29 subnet, you'd still need a router to route that subnet, so you've moved your SPOF from the firewalls to the upstream router (and ultimately if the service is coming over a single cable, that's the SPOF). But it is nice to be able to failover between pfSense boxes for seamless upgrades.

Edited by candlerb (Tue 03-Sep-24 15:59:47)