OPNsense - Xs4all with separate VLAN
 - on bare metal

Configuration of an OPNsense router / firewall for ISP Xs4all (former KPN subsidiary).
This document is based on various sources on the internet (see appendix).

i. Introduction

Starting point

Before we begin setting up our own router, it is good to get our ideas aligned and then check that all the necessary equipment and tools are at hand. So first, let's start with the layout of the network we want to create.

In this document, the network is a simple home network with a router at the base. We intend to replace the current Fritzbox 7590 router, supplied by our ISP Xs4all. Although the FB7590 does what it is supposed to do, we are replacing it because we want more control over our network.

Router OS

After some experiments, we have decided to go for OPNsense as the router OS for this series. There are of course other router packages that can be used, pfSense for instance, which is where OPNsense originates from.

Hardware

We have also chosen a bare metal PC installation rather than a VM. Both methods have their pros and cons; we will not discuss them here, see the internet for more information. In our mind, a bare metal PC solution makes most sense when you're not into running your own home lab.

We selected an X-brand compact mini PC from AliExpress. It has a Celeron N5105 processor, 8 GB RAM, a 128 GB SSD and comes with four 2.5 Gb interfaces. For most homes, the network speed available from the ISP will be 1 Gbit/s or less, and these specifications should be enough to handle the load.

Picture: the bare metal mini PC. The actual arrangement of the sockets on the N5105 version is different from the N100 version in the picture.

If you want to run higher LAN speeds in your home network, that is certainly possible, but it won't increase the speed of your ISP's internet connection. Nowadays 2.5 and even 10 Gbit/s network switches are reasonably available, so you could opt for those.

Typically, this is a scenario for when you want to run a home lab, with for instance a Proxmox or other hypervisor server. But that is outside the scope of this document, and we won't address it here.

When in doubt, visit the OPNsense site for the minimum requirements:
https://docs.opnsense.org/manual/hardware

Network topology

Obviously, since the bare metal PC will be a router, at least one port will connect to the WAN and one port will be our LAN connection. This leaves us with two "spare" ports, which we can use in our home network.

We decided to use one of these ports for a dedicated connection for IPTV, to which we connect our set top box for the TV. For this purpose a bridge will be set up. The following diagram shows the router setup.

        Internet
            :
           WAN
            |
          port 0
            |
     OPNsense router
       |           |
     port 1      port 2
       |           |
      LAN         IPTV
       :           :
      PC          STB

Xs4all internet setup

Connection

Xs4all uses PPPoE to set up the connection to our router. Normally, this would require a username and password to establish the connection.

Please note that the username and password for the PPPoE connection have no real meaning because, to put it simply, the PPPoE information is enhanced by the ISP with extra information about the physical connection (PADI or PPPoE Discovery Tagging).

This is what the ISP uses to identify your connection: the physical endpoint. Some explanation can be found here: https://community.freedom.nl/t/methode-van-toegang-pppoe/1485/11 (Dutch, near the end of the page).

"It does not really matter what is entered there. You should just leave it as you have found it in your Fritzbox. For the password, you can use any code", at least that is what was told to me by an Xs4all know-it-all on the KPN community.

Username and password

If you did not write the credentials down, just log in to your Fritzbox and go to Internet -> Account information, tab Internet access. There you can find the username as provided by the ISP. The password is obfuscated of course, but you can use any you like, e.g. "7590".

Common services

Xs4all has two VLANs defined for their services: Internet and IPTV. In the past there was also a VLAN for VoIP, but this is no longer the case. These VLANs must be defined for the WAN port and routed to the corresponding LAN and IPTV port.

Internet

The Internet service uses VLAN with tag 6.
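
What the PPPoE discovery described under Connection looks like on the wire on VLAN 6, as an added example that is not part of the original document. It assumes the access network appends the line identifier as a Broadband Forum (TR-101) vendor-specific tag, which the page does not confirm; the MAC address, Host-Uniq value and circuit ID string are constructed.

```python
import struct

# PPPoE discovery tag types from RFC 2516.
TAG_NAMES = {0x0101: "Service-Name", 0x0103: "Host-Uniq", 0x0105: "Vendor-Specific"}
BBF_VENDOR_ID = 0x00000DE9   # Broadband Forum enterprise number (assumed tag format)
BBF_SUBTAGS = {0x01: "Agent-Circuit-ID", 0x02: "Agent-Remote-ID"}

def tlv(tag, value):         # one PPPoE tag: 2-byte type, 2-byte length, value
    return struct.pack("!HH", tag, len(value)) + value

def build_padi(vlan_id, tags):
    """Constructed sample: broadcast PADI in an 802.1Q-tagged Ethernet frame."""
    payload = b"".join(tags)
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    dot1q = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)   # TPID, then PCP 0 + VLAN ID
    pppoe = struct.pack("!HBBHH", 0x8863, 0x11, 0x09, 0, len(payload))  # code 0x09 = PADI
    return eth + dot1q + pppoe + payload

def parse_discovery(frame):
    """Return (vlan_id, code, {tag name: value}) for a tagged PPPoE discovery frame."""
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100 or ethertype != 0x8863:
        raise ValueError("not an 802.1Q-tagged PPPoE discovery frame")
    ver_type, code, _sid, length = struct.unpack_from("!BBHH", frame, 18)
    if ver_type != 0x11 or 24 + length > len(frame):
        raise ValueError("bad PPPoE header or truncated payload")
    tags, pos, end = {}, 24, 24 + length
    while pos + 4 <= end:
        tag, tlen = struct.unpack_from("!HH", frame, pos)
        if pos + 4 + tlen > end:
            raise ValueError("tag runs past the PPPoE payload")
        value = frame[pos + 4:pos + 4 + tlen]
        pos += 4 + tlen
        if tag == 0x0105 and tlen >= 4 and int.from_bytes(value[:4], "big") == BBF_VENDOR_ID:
            sub = 4
            while sub + 2 <= tlen:   # sub-tags: 1-byte type, 1-byte length, value
                stype, slen = value[sub], value[sub + 1]
                tags[BBF_SUBTAGS.get(stype, hex(stype))] = value[sub + 2:sub + 2 + slen]
                sub += 2 + slen
        else:
            tags[TAG_NAMES.get(tag, hex(tag))] = value
    return tci & 0x0FFF, code, tags

# Constructed samples: the PADI the router sends, and the same PADI as the ISP
# sees it after the access node has appended a (made-up) line identifier.
CIRCUIT = b"constructed-node eth 1/1/1:6"
BASE = [tlv(0x0101, b""), tlv(0x0103, b"\x12\x34")]
SENT = build_padi(6, BASE)
LINE_ID = tlv(0x0105, BBF_VENDOR_ID.to_bytes(4, "big") + bytes([0x01, len(CIRCUIT)]) + CIRCUIT)
SEEN_BY_ISP = build_padi(6, BASE + [LINE_ID])
```

The frame the router sends carries no username or password at all; the line identifier exists only in the copy the ISP sees, which is why the credentials entered on the router do not determine which connection is recognised.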

IPTV

The IPTV service uses VLAN with tag 4.

DNS servers

Normally, the DNS servers are assigned by the ISP. If, however, you have set your own DNS servers on the FB7590, you may want to write them down as well. They can be found under Internet -> Account information, tab DNS Server on the FB7590.

Other services

WiFi

The hardware we chose comes without WiFi installed. Most likely a new access point will be installed, but for now we will use the FB7590 for this purpose. The manual for the FB7590 has enough information to set this up correctly.

VoIP telephone

Unlike the FB7590, our hardware has no VoIP support, so we have to solve this in another way. We have chosen to use a Gigaset N510 IP Pro DECT base station, since we already have DECT phones in use with the FB7590. We will cover this topic in a separate document later.

Additional information

On the FB7590 internet monitor page, we can find some additional information about our router's WAN connection. We can see our public IPv4 and IPv6 addresses listed and also the assigned IPv4 and IPv6 DNS server addresses, two servers each.

Even more information can be obtained by visiting an internet site that offers a so-called "WhoAmI" service. There are also sites that provide port scanning services and more tools to check the security of your router.

Implementation

We will implement the connection for Xs4all in a step-by-step fashion. First, we will set up the Internet connection. Once this is working, we will continue with the IPTV configuration. There are two reasons for this approach.

First, in order to configure IPTV, we need to have a working Internet connection in the first place.

Second, if you have an Internet-only service with Xs4all, you can skip the IPTV configuration steps.

20250217-01
