Configuring your OPNsense router for Internode NBN HFC

I have just upgraded (finally) from TPG ADSL2 internet to NBN using HFC infrastructure. My ISP is Internode.

Installation went pretty smoothly. A technician visited today, drilled a few holes to install a new HFC outlet in our house, and pulled the (slightly odd) HFC coax cable through the wall. He also handed me an NBN ‘modem’.

I use OPNsense (a FreeBSD-based firewall) as my router and intended to use it for my NBN connection as well. Key things to note:

  • Internode use PPPoE for their NBN HFC connections
  • You need to configure your PPPoE connection on VLAN ID 2. This is critical, otherwise the connection will not work

I took the following steps in OPNsense to set it up. Note my interface is bge1 — you need to use the correct network interface which is connected to the LAN port of the NBN HFC modem.

  • Interfaces – Other Types – VLAN = [ interface: bge1, tag: 2, PCP: 0 ]. Creates new interface bge1_vlanX.
  • Interfaces – Point-to-Point – Devices = [ Iface: re0, Iface(s): bge1_vlanX ]. Fill in login/password here. Creates new interface pppoe0
  • Interfaces – Assignments – WAN = pppoe0
  • Interfaces – WAN – IPv4 Configuration Type = PPPoE
  • Reboot. Check in Interfaces – WAN that the login/password have been populated from pppoe0.
  • Check Dashboard WAN and Gateway/WAN_PPPOE for populated IP addresses.
  • Check Interfaces – Point-to-Point – Log file if you experience any errors.
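
If the log shows no reply to PPPoE discovery, the usual suspect is the VLAN tag. The following is an added example, not part of the original instructions: it classifies raw Ethernet frames and reports whether PPPoE discovery frames carry 802.1Q VLAN ID 2 (with the PCP value) as configured above. The sample frames and the MAC address are constructed for illustration.

```python
import struct

DOT1Q = 0x8100            # 802.1Q tag protocol identifier
PPPOE_DISCOVERY = 0x8863  # EtherType of the PPPoE discovery stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def classify(frame, expected_vid=2):
    """Return (vid, pcp, pppoe_code, verdict) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF  # 3-bit priority, 12-bit VLAN ID
        offset = 18
    if ethertype != PPPOE_DISCOVERY:
        return vid, pcp, None, "not PPPoE discovery"
    if len(frame) < offset + 6:
        raise ValueError("truncated PPPoE header")
    _ver_type, code, _session, _length = struct.unpack("!BBHH", frame[offset:offset + 6])
    name = CODES.get(code, hex(code))
    if vid is None:
        return vid, pcp, name, "untagged"
    if vid != expected_vid:
        return vid, pcp, name, "wrong VLAN"
    return vid, pcp, name, "ok"

def build_padi(vid=None, pcp=0):
    """Constructed sample: broadcast PADI with no PPPoE tags, optionally 802.1Q-tagged."""
    src = bytes.fromhex("020000000001")  # locally administered MAC, made up
    head = b"\xff" * 6 + src
    if vid is not None:
        head += struct.pack("!HH", DOT1Q, (pcp << 13) | vid)
    return head + struct.pack("!HBBHH", PPPOE_DISCOVERY, 0x11, 0x09, 0, 0)

if __name__ == "__main__":
    for label, frame in [("tagged vid 2", build_padi(2)),
                         ("untagged", build_padi()),
                         ("tagged vid 10", build_padi(10))]:
        print(label, classify(frame))
```

To use it on real traffic, feed `classify` the raw frames from a packet capture taken on the parent interface (bge1 in this setup), where the VLAN tag is still visible.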

Update: Thanks to ICBM on Whirlpool for inspiration and initial instructions.

Thoughts on the new Assistance & Access bill

A few people have asked me about my views on the recent Assistance & Access (A&A) bill passed by the Australian parliament. A&A, an amendment to the Telecommunications Act of 1997, gives new powers to ASIO and other law enforcement and intelligence agencies to circumvent end-to-end encryption in technology (such as WhatsApp) and wiretap suspected criminals, e.g. terrorists.

In short, intelligence agencies can now compel companies such as Facebook, Apple, and Google to secretly install backdoors in their software in order to enable wiretapping. It is allegedly the first of its kind in any democratic country, providing powers greater than those of the UK Investigatory Powers Act, which was considered incompatible with EU civil liberties and privacy laws.

Whilst I wholeheartedly agree with the need to fight terrorism, giving government authorities the ability to install trojans and other backdoors in hardware and software is not the solution. There are 5 key reasons for this: 

  • It derails the trust in one of our greatest sources of future prosperity in Australia: our technology industry. Australian technology start-ups are booming, as evidenced through Xero, Atlassian, and Canva. Prospects of government-funded backdoors could severely hurt their reputation. In addition, we run the risk of large technology companies such as Google and Facebook, significant employers of Australian talent, pulling the pin on local presence in order to avoid the new legislation. 
  • It undermines our democratic rights to privacy. In an open, democratic society, people have the right to privacy and free speech without fear of government surveillance. If we keep chipping away at our democratic rights, we end up being no better than the totalitarian regimes we set out to fight in the first place.
  • It is insecure by design, opening the door for criminals to leverage the same backdoor. Security holes, backdoors, and mathematics in general do not discriminate who the user is, because they can’t. The backdoors imposed by government officials are secretive, until they are not. Yes, there are legal provisions that make it illegal for anyone to leak information about an introduced backdoor, but every time a new update is pushed unexpectedly by a software vendor, we can expect malicious attackers to start scanning applications for security holes.
  • It is ineffective, only addressing a subset of use cases. Yes, criminals can no longer use / trust WhatsApp and similar proprietary services with operations on Australian soil. However, the legislation doesn’t consider how copylefted and open source software such as Linux, OpenSSH, or critical infrastructure libraries such as OpenSSL will work. Theoretically, if a backdoor is introduced in open source, it will be visible to everyone immediately, rendering it useless. Will the Government fly officials to Canada to tell Theo de Raadt to install government backdoors in order to avoid criminals communicating secretly via an SSH tunnel?
  • It is a non-technical solution to an inherently technical problem – square peg, round hole. The debate and public commentary suggest that the majority of politicians did not understand the context and ramifications of what they were voting on. It’s great that they agree on the broad outcome required (we need better access to wiretaps), but it doesn’t make the underlying technical problem go away (the law of mathematics). Adding to this, the law was rushed through without due debate and broad consultation.

I will end this post with a quote from ProtonMail’s write-up on A&A:

“On Thursday, the Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.”