Hi,
I was wondering if people could suggest residential ISPs that offer a /29 subnet (FTTP)
Unfortunately it seems it's a dying option.
Zen:
No longer offer it at all for home users. You have to switch to a business package. The equivalent package to the top home FTTP is £15 more a month (with VAT), and then it's £6 more a month for the IP block, making the cost a whopping £21 a month more (and presumably having to sign a new contract too)
Aquiss:
Stopped offering it in April. They hope to offer it in Q4 again, but at a whopping £25 a month. Not affordable I'm afraid.
A&A:
(I haven't spoken to them but based on the website) do offer it, on request, no mention of fee on the website, but the equivalent package to the others (1gbps down unlimited data) is £85, a £30 increase over Zen and Aquiss prices. Also not affordable.
I'm very disappointed, does anyone know of other ISPs?
Edited by tidycosty (Thu 15-Aug-24 10:54:15)
Understandable given the monetary value and rarity of IPv4 these days, /29 deffo doesn't fall into typical consumer use either.
You're trying to mix budget and enthusiast together which will be hard to do I think.
If your budget is only £50 a month, is there not a way you can handle this with NAT?
Otherwise an option might be the business L2TP from AAISP on top of another ISP. £15 a month so saving of a tenner over other options.
Speed capped at 600Mb/s. Single static IPv4, IPv6 block, plus additional /29 block of IPv4 available on request.
AAISP tells you about the IPv4 blocks and that there is no charge at the top of the page for their home broadband services.
"An additional block of four or eight IPv4 address is available upon request at no extra cost, contact our sales team"
https://www.aa.net.uk/broadband/home1/
Do be prepared to justify why you need a block though...
Back when there were more IPv4 addresses left it was just an area on their control panel to add your optional /29 or /30 block (you just had to tick a box confirming you'd read the rules and fill in for each IP what you were using it for).
Use the A&A L2TP service or start reverse proxying/using Tailscale/Cloudflare Tunnel etc. The requirement for a /29 can be worked around in a lot of situations.
I expect Cerberus do. I used to have a /30 included as part of my FTTPoD service from them, but I've since migrated to Aquiss and now only have a single IPv4 address.
The solution I have adopted is to use IPv6, and share my single static public IPv4 address between all servers. On the router I forward a bunch of IPv4 ports to a container which is running sniproxy to handle all inbound TLS services.
sniproxy reads the Server Name Indication (SNI) at the start of a TLS negotiation, and forwards the traffic to the IPv6 address of the server with the same name. In the DNS for each server I list an AAAA record pointing directly at the server, and an A record pointing at my single public IPv4 address.
The net result is: if I connect inbound to my network from an IPv6-enabled network it just goes end-to-end. If I connect from an IPv4-only network then it goes via the proxy. This all happens transparently. The proxy doesn't decrypt any traffic and doesn't need any certificates. I think haproxy can do this too, by the way.
Setting this up is a one-time job, saves you money, and gives you a much wider choice of ISP. But it does require some networking and container know-how.
Also, you don't *need* to deploy any IPv6 for this - you can have the proxy forward to private IPv4 addresses inside your network. It's just I like the idea of bypassing the proxy when it's not needed.
What's the difference between all these subnets? Is lower better?
I do this actually for incoming services (as in I use ipv4 with looking at the SNI name to route traffic) - the issue was that I wanted to create a high availability pfsense cluster, and the only official supported way to do this is for each pfsense instance to have its own ipv4 address, and then a shared ipv4 address for the actual WAN traffic.
I've resorted to setting this up an unofficial way that only one pfsense instance has internet connectivity (as they have to use the one ip), it's not ideal but it does work.
Edited by tidycosty (Tue 03-Sep-24 15:16:47)
The reasoning for this was to set up a pfsense ha cluster which needs 3 ipv4 addresses, otherwise, like you said, NAT works fine
Hmm, that depends then on exactly how the upstream connectivity is provided (PPPoE or IPoE)
If it's PPPoE then Googling turns up this:
https://forum.netgate.com/topic/135904/configure-an-...
If it's IPoE, you might get away with configuring private IPs for the pfSense WAN interfaces, and use the public IP address for the CARP VIP only. But I've not tried that.
Note that even if your ISP gives you a /29 subnet, you'd still need a router to route that subnet, so you've moved your SPOF from the firewalls to the upstream router (and ultimately if the service is coming over a single cable, that's the SPOF). But it is nice to be able to failover between pfSense boxes for seamless upgrades.
Edited by candlerb (Tue 03-Sep-24 15:59:47)
What's the difference between all these subnets? Is lower better?
Lower number = more IP addresses.
IPv4 addresses are 32 bits long. If you get a "/32" address that means that all 32 bits are set by the provider, so you only have a single address available.
A "/29" means a prefix of 29 bits from the provider, and the remaining 3 bits are for you to set. This gives 8 combinations from 000 to 111, so it's a range of 8 IP addresses.
In practice, if you use this directly on an ethernet LAN, the first and last addresses are reserved for network address and broadcast address, and one will be needed by your router, so you can connect up to 5 end devices (e.g. servers or firewalls) with unique IP addresses.
All the registries which assign IPv4 addresses have run out, so IPv4 addresses are a scarce commodity and traded at high cost on the open market.
The supposed "solution" was to replace IPv4 with IPv6, which has 128-bit addresses.
There are lots of IPv6 addresses available, and the IPv6 Internet runs in parallel with the IPv4 Internet. Unfortunately you need an IPv4 address if you want to communicate with any other device on the Internet which has only an IPv4 address - and that's almost everything.
Use private addresses on the 'WAN' side of your pfSense box and then have the device you sit in front of it that is doing the PPPoE route a single /30 towards your pfSense VIP giving you 4 public IPs that you can use in NAT rules.
Challenge then is to find an ISP that will do this, but I know that Gamma when you ask for a routed public IP route a /30 towards whatever static IP you're already assigned by PPPoE. The intention is that you configure this on your router but if you use a device that can do its own routes then you don't have to do this. BT Business I think also operates in this way.
Challenge then is to find an ISP that will do this, but I know that Gamma when you ask for a routed public IP route a /30 towards whatever static IP you're already assigned by PPPoE.
Cerberus did this with my /30. It was something.232/30, so I had .233 for the router, and .232 .234 .235 available that I static-routed to loopback interfaces on VMs.
How are you finding Aquiss?
Do you have any smokeping graphs or anything showing the latency consistency of them? I assume you're on OR not CF fibre.