How to configure an NZ Fibre UFB Connection on a Fortinet Firewall Appliance
**This is a legacy article which does not meet some of our quality standards. While it may contain useful information, it is retained here for legacy reasons only.**
There have been quite a few misleading pieces of info floating around the various ISPs in NZ about what you can or can’t do when connecting your own ‘modem’ to the New Zealand Chorus Fibre Broadband network, sometimes referred to as UFB.
This article aims to clear some of these up by way of example, but there are a few basics to clear up first.
- Chorus install and provide the physical NZ fibre UFB (in 99% of cases this will be the only way you’ll get it) NOT your ISP. Your ISP connects to the fibre via the internet, and can request the provisioning of that fibre (if you’re like most people and didn’t have it already). That is why this article is about connecting to Chorus Fibre not to e.g. Slingshot, Xtra or some other ISP.
- Chorus provide the modem (called an ONT), your ISP provides a router. You cannot change the ONT, but you CAN change the router. Please don’t call the router a modem – this is why there has been so much confusion as you absolutely cannot change the modem, but you CAN change the router.
- ONT stands for ‘Optical Network Terminal’, I know that because it’s written on it, so don’t tell me it isn’t. Basically it’s what’s known as a transceiver that translates optical data traffic to your typical copper data traffic with some added smarts in it, namely a PPPoE dialer, which is why it is a modem.
- Just because you’ve got e.g. a 30Mb down and 10Mb up fibre connection does not mean you would actually get these speeds, this just outlines the maximum performance capability of your particular NZ fibre UFB Plan, the rest is up to your ISP and what particular international and national speeds they have paid for. You will need to raise performance issues with your ISP if your speeds are slow.
- You don’t have to use the built-in telephone port in your supplied modem (Slingshot tried to tell me that I did, they also tried to tell me that I couldn’t put my own router on – both not true). I’m using their already supplied Linksys ATA adapter for this connected to my Fortinet router – so yes it’s the same iTalk account with a couple of new settings – simply replace your old akl.italk.co.nz setting with 220.127.116.11 and you’re all done!
Right, now let’s get started. I’m using this example on a Fortinet, because it’s a relatively common ‘upper end’ device that is super awesome and I wanted to promote it ;). In reality anyone that didn’t already know points 1-5 above probably wouldn’t want to be installing a Fortinet, but I felt like it and somehow hope that it will help someone somewhere even if they don’t understand the next bit.
The below instructions are started from a freshly installed firmware and a completely out of the box default setup.
Log into the Fortinet with the username admin and a blank password.
- Go to network / interface
- Choose create new / interface
- Name: Chorus UFB
- Type: VLAN
- Interface: wan1
- VLAN ID: 10
- Addressing mode: PPPoE
- username: your isp login
- password: your isp password
- Any other settings you require such as FMG-Access or HTTPS etc.
- Apply / OK
You should now have a physically working login to your NZ Fibre UFB.
There are a few more steps though – they are:
- Ensure your LAN IP address is in the correct range
- Ensure your DHCP server is set up with the correct LAN IP address
- Ensure you have a new firewall rule added
How to change the LAN IP address
- Go to Network / interface
- Check internal then click edit
- Under the addressing mode section, ensure manual is selected and replace with your desired IP address.
- Note that if you’re changing the subnet range and using DHCP, this will not automatically change the DHCP scope; you will need to connect with a manual IP address and reconfigure the DHCP server separately.
- Click Apply / OK.
How to update the DHCP server scope
- Click Network / DHCP Server
- Check the internal network and choose edit
- Under the IP section, update to your appropriate subnet / range.
- Add any IP reservations you need by using the ‘Add from DHCP client list’ option or by entering them manually with Create New.
Create a matching firewall rule for NZ Fibre UFB
In its most basic form (I won’t go into the complex parts) you need an outgoing allow rule for the new NZ Fibre UFB interface.
- Go to the Policy tab, then choose policy / policy
- Click Create New
- Source Interface/Zone: NZ Fibre UFB (or whatever you named your Chorus UFB PPPoE connection)
- Source Address: All
- Destination Interface/Zone: Internal
- Destination Address: All
- Schedule: always
- Service: ANY
- Action: Accept
- Ensure Enable NAT is ticked and Use Destination Interface Address is selected.
There are other options in there that we won’t worry about at the moment. This will get your basic NZ Fibre UFB up and running.
You will also need to create one for any other interfaces, e.g. Wireless – NZ Fibre UFB.
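The text calls for an outgoing allow rule with NAT on the destination interface address. As an added example (not part of the original article), this Python check reads a FortiOS `show firewall policy` style export and reports accept policies whose source is the UFB interface, which admit inbound rather than outgoing traffic, and outgoing policies without NAT. The sample export is constructed, and the interface names `internal`, `wifi` and `Chorus UFB` are assumptions.

```python
import re

WAN = "Chorus UFB"  # assumed name of the VLAN 10 PPPoE interface

# Constructed sample in `show firewall policy` style; not from a real device.
SAMPLE = '''config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "Chorus UFB"
        set action accept
        set nat enable
    next
    edit 2
        set srcintf "Chorus UFB"
        set dstintf "internal"
        set action accept
        set nat enable
    next
    edit 3
        set srcintf "wifi"
        set dstintf "Chorus UFB"
        set action accept
    next
end'''

def parse_policies(text):
    """Parse policy blocks into {policy_id: {setting: [values]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)  # keep quoted names as one token
        if len(tok) == 2 and tok[0] == "edit":
            current = policies.setdefault(tok[1], {})
        elif len(tok) >= 3 and tok[0] == "set" and current is not None:
            current[tok[1]] = [t.strip('"') for t in tok[2:]]
    return policies

def audit(text, wan=WAN):
    """Return (policy_id, finding) for accept rules that are not outgoing + NAT."""
    findings = []
    for pid, p in parse_policies(text).items():
        if p.get("action") != ["accept"]:
            continue
        if wan in p.get("srcintf", []):
            findings.append((pid, "inbound: source is the WAN interface"))
        elif wan in p.get("dstintf", []) and p.get("nat") != ["enable"]:
            findings.append((pid, "outgoing without NAT"))
    return findings

print(audit(SAMPLE))
```

A deliberate inbound rule, such as a port forward, will also be reported as inbound, so treat each finding as a prompt to confirm the rule's direction.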
Change your admin password
- System tab, admin, administrators
- Check the tickbox next to admin
- Click edit
- Click change password, follow the onscreen prompts.