What is the Problem?

Fixed Line communication has changed.

History

In Germany (I am talking exclusively about the situation in Germany, all of this might apply elsewhere) we had POTS, before the 90s. Then ISDN came up with some technical advantages, during the very late 80s and early 90s. However, ISDN never fully replaced POTS; both coexisted. POTS and ISDN were mighty slow for data communication (POTS maxed out at 0.056 Mbps and ISDN maxed out at 0.128 Mbps for most users). The problem to be solved were the low quality cables reaching to the end users. Those cables (until today) usually are twisted pair unshielded copper wires. And when I say 'twisted pair' I do not mean '4 twisted pairs as in ethernet CAT7 cables', but 'you get a single pair of copper wires', i.e. 2 thin copper wires are your communications line. Those wires usually run a few hundred meters to some device concentrating the lines, I have no clue what happens there in detail. The problem of sending useful amounts of data per second over these anemic wires was solved by DSL in the 90s. In the beginning it gave you a downstream of 0.768 Mbps and an upstream of 0.128 Mbps.

Today, these rates vary by quality and length of your copper wires and by local telco infrastructure, mostly between 2 Mbps and 100 Mbps downstream and between 0.192 Mbps and 40 Mbps upstream. DSL is some high frequency technology, I have no idea how it really works, but it sure is jolly good. With the advent of 0.5 - 1 Mbps upstream rates, unlimited data transfer plans, and (in many respects) useful application layer protocols for telephony services over the internet (summed up as 'VoIP'), came the telcos' idea to phase out POTS and ISDN and from now on only provide (a) a data line, and (b) servers for internet telephony.

Present/Future

These lines are known as 'Annex J' lines in Germany. There is no POTS or ISDN signal on Annex J lines, these lines are solely used for DSL signals. Cutting out the POTS/ISDN signal allows to speed things up a bit. This eliminates two technologies: ISDN and POTS. Elimination of those technologies will reduce the telcos' costs. On the other hand, it increases the technological burden on the user: plugging a telephone into a POTS line was sufficient to make a phone call. With pure data lines you need (a) to establish the DSL-connection, (b) establish an internet connection over the DSL line, (c) connect a phone to your internet connection, (d) register your phone with the VoIP services. Following (a) through (d) leaves you with a functioning phone and little security. For some added security, you will need a step between (b) and (c), setting up a firewall.

Problem at Hands

Let us put all of this into a picture:

This seems like one hell of a mighty complicated set up just to make a phone call. Compare it to making a phone call over POTS.

Much simpler, one could argue. Of course, this is comparing apples and bananas. The set up in the last picture allows to make a phone call, but does not allow to browse this website. So we get something in return for the higher technological burden. Telcos try to hide (not in a malign way) the increased complexity from the users by offering all-in-one devices. These usually comprise the DSL bridge, a router/firewall and an ATA (analog telephone adapter). All in one devices are plugged into the wall on one side and (your old analog) telephones and your computers are plugged into the device. After proper configuration of the device, the user does not need to know about the complex diagram above. The crux here are (a) after proper configuration, and (b) troubleshooting, and (c) modularity.

ad (a): If you want something out of the ordinary (e.g. increases security), you have to know everything again.

ad (b): Say, something does not work. Is it the DSL line? Is it the routing part? Is it the ATA/phone? Who knows, when you cannot check the individual devices' communication with each other. Try calling your telco's helpline, and have fun getting the runaround.

ab (c): You want some extra functionality (usually in your firewall/router) not available in your current device? If you went for an all in one device, you will now (i) have to exchange all devices, (ii) relearn your new device(s), and (iii) properly configure your new device(s).

Solution

Here is my solution for you: Buy different devices. DSL modems and ATAs will not pose much of a problem, there is not much to them. For the usual 16 Mbps Annex J line in Germany an Allnet ALL0333CJ will do the trick (more information on Annex J modems). If you want to continue using your analog phones or ISDN phones you will need an ATA device. I have not much experience with those, this bundle of an ATA and a DECT phone works just fine (the black box with the blue light is an ATA with an integrated answering machine).

The real problem is the router/firewall. This is where you need to know lots of stuff. Hence, I will guide you through getting a sweet little system up and running, with a lot of extra functionality over your telco-provided all-in-one box. Let us see what I want in this device (: these parts of the guide are done; : these parts of the guide are to be done):

  1. IPv4
  2. IPv6
  3. (internal) DHCP server for IPv4 and IPv6
  4. DNS relay for IPv4 and IPv6
  5. PPPoE
  6. QoS capability
  7. ssh accessibility
  8. Full log capability
  9. https based configuration capability for basic settings
  10. wlan access point
  11. Dynamic DNS updater
  12. Fully customizable netfilter based firewall / (it is there, I just have not written anything about it yet)
  13. strongSwan based IPSec with X.509 certificates (allows connecting multiple sites, like office<==>home or home<==>hotel, not limited to one connection)
  14. TOR/Privoxy proxy
  15. Isolated guest network to provide restricted access to guests with wifi phones etc.

Emphasized functionalities usually are not or only weakly available in consumer grade all in one devices. Commercial appliances are available and could be used, however they usually come at a (mostly reasonable) price, but worse, especially for IPSec, they lock you in to some vendor. Commercially, you will not get your every IPSec wish granted, unless you fork over a lot of cash. Full netfilter, IPSec and ssh accessibility are the unique selling points for me. IPv4, IPv6, DHCP, DNS relay, PPPoE, QoS, logs, https configuration, wlan, and DDNS are pretty much standard on those devices, albeit much less customizable than in my solution. TOR/Privoxy, well, is a nice add on but definitely not necessary, given the existence of their excellent TOR Browser Bundle.

I am using the IPSec functionality to have access to my home network and my families network when I am away from home. With IPSec there is no need to be afraid of untrusted networks at your current location.

What you are going to end up with when you follow my steps, will be a TP-Link WR1043ND, with OpenWRT 14.07 (Barrier Breaker) installed, pivot-overlay to a USB drive for extended storage, and strongSwan installed.

 
 

© 2013-2015 Christian Westphal
Template design by Andreas Viklund