Networking Question
Hello,
I may have opportunity to obtain a Intel EXPI9404PTLBLK PRO/1000 PT Quad Port ethernet adapter at a significantly reduced price.
What I would like to do with it, I want to make sure it is possible and sane before I buy it.
-=-
Device sits in CentOS box that connects directly to Internet via onboard network adapter.
It pretty much only acts as a NAT router + dhcp server + unbound recursive DNS for the private networks.
The four ethernet interfaces on the Intel adapter then :
Private Network A: 192.168.10.0/24
Private Network B: 192.168.20.0/24
Private Network C: 192.168.30.0/24
Private Network D: 192.168.40.0/24
A will have a NAS. I can reach it from Internet (via port forwarding)
and B and C (routing table) but from it, I can not connect to Internet or B, C, D. That network which likely will only have a few devices can not initiate connection to Internet or the other networks.
B is my trusted home network. It can connect to Internet (NAT) and to A
(port forwarding) but can not reach C or D
C is untrusted home network. Things like my TV and Bluray player that need Internet access but that I don’t want to have the ability to reach anything on B, but I do want them to be able to talk to NAS on A via port forwarding. I’m always paranoid about those devices on my network, I don’t trust what they are doing. Call it tin foil but I don’t trust them. Yet they don’t work right without access to Internet (updates /
netflix)
D when used is network for guests (will have cheap wifi attached), it only talks to Internet via straight NAT and can not talk to private networks A, B, C
-=-
Is this sane ?
12 thoughts on - Networking Question
B->A should use routing, with whatever port restrictions/packet filters you feel are appropriate. NAS file sharing protocols don’t much like NAT/port forwarding.
again, routing + packet filters for C->NAS.
not sure why D needs to be seperate from C, I’d probably treat the TV
stuff as Guest too, and have them on the same subnet.
you don’t use any wifi devices yourself, laptops or tablets or phones or whatever? A potentially better solution would be wifi with a ‘nocat splash’ portal page that you need to log into for unrestricted network access, otherwise you’re on the guest network. this can be done various ways.
I do use wifi myself but I was going to attach a WAP to B as well my home wired network.
I could combine D and C but the idea was to not have an open wifi router that can be used to access A
the C to A filters could explicitly allow the TV and such devices to access the NAS protocols while disallowing anything else.
No. Use VLANs instead of physical cables and physical switches. https://en.m.wikipedia.org/wiki/VLAN
How do they deal with guaranteeing there is not IP address and MAC address spoofing?
and you should also use bonding to aggregate link bandwith.
to run VLANs, you need a vlan capable switch.
you only run the vlan trunk to your ‘router’. all other switch ports are configured to be on one or another vlan, so there’s no opportunity for spoofing.
VLANs simply provide the same thing you are doing in the physical world (creating distinct broadcast domains), but does so logically/virtually. IP/MAC spoofing can only occur within a given broadcast domain.
Am 26.11.2015 um 22:01 schrieb Steven Tardy:
spoofing would not work without to be able to get the response i.e. massive compromised infrastructure …
In general, it’s possible. It’s sane if you want to study networking, but otherwise it’s a little over the top.
Most of the time you just need three zones: untrusted, DMZ, and trusted. Each zone has full access to a zone of lower trust metric, but limited or none to more trusted networks. The internet is part of the untrusted zone, and guest WiFi networks typically are, too. The untrusted zone has limited access (in your case, via port forwards) to the DMZ. The DMZ can access the internet, but not the trusted zone. The trusted zone has mostly unlimited access to everything. All zones should have egress filtering to prevent sending malicious traffic, or at least traffic with a bad source address.
I’d agree with Steven that for study’s sake, VLANs might be a better choice than multiple NICs for a few reasons: If you’re studying networking for professional reasons, you *will* need some experience with VLANs. Managed switches can be fairly reasonable. I like the HP
1810-8G (or 16G, or 24G, depending on how many ports you need). If you use multiple interfaces on your firewall, you’ll typically need switches for each one. If you use VLANs instead, you can dynamically assign ports to different broadcast domains.
As far as security goes, typically managed switches allow you to assign access to each VLAN per port. Because access to a virtual LAN is assigned to the port, and not to an IP address or MAC address, spoofing isn’t generally a concern.
You’re proposing that you set up hosts which are accessible by the internet (the least trusted zone) but don’t have internet access to retrieve and apply security updates. That’s not a good idea at all.
That’s possible, but iI can’t think of a good reason to use port forwarding, there. NAT is a crutch to compensate for a lack of addresses in the IPv4 network. You should only use it when there’s no other choice.
I wouldn’t argue that you should trust those devices. You definitely shouldn’t. But consider what you’re protecting. If you put them on the same network as the NAS, are you making it more exposed to attack? It’s already connected to the internet. Are you protecting those devices from the NAS, if it gets compromised? If so, what would an attacker gain by targeting those devices? Or maybe the guest WiFi network would be a good fit for those devices.
I’d encourage you to think about that carefully, because if you start segmenting your network without a specific need to do so, you’ll end up isolating each device individually.
It doesn’t need access to Internet to retrieve updates, I mirror CentOS
and EPEL via rsync locally on my network because it makes building packages in mock much faster.
I build LibreSSL for CentOS 7 and custom LAMP stack against it for CentOS 7. And I maintain my own media repository for ffmpeg and modern GStreamer packages, so that CentOS 7 for me has modern multimedia capabilities. So LAN mirrors are needed and exist, and updates don’t have to come from remote server.
I probably should have mentioned that.
Part of the issue I’m currently having on my local network, the router I
have seems to die if I try anything DNSSEC enforcing behind it, the caching nameserver in it just stops working.
So I have to run a recursive nameserver of my own on anything I want to validate with DNSSEC.
I know several consumer routers have had issues with security recently, and figured I’d just build a micro ATX to make my own, with DNSSEC
enforcing recursive resolver and a mirror for CentOS + EPEL built in for my CentOS hosts on my network.
I can get a WAP for my home wireless needs (small, two laptops and my phone, but I have some range issues with consumer wifi router) and turn my existing wifi router into the wifi for guests, powering it off when I
don’t have guests.
I don’t want to buy an expensive switch, this Intel card I potentially have an opportunity to get one for under $100 which is why I’m considering doing this.
-=- snip -=-
Port forwarding from B/C to A seems like it isn’t the right way. Thanks.
From Internet it’s the only way, but that will probably just be an SSH
port that is forwarded – my only purpose really is a place to put files I need to access when not at home (I don’t like cloud storage for personal files, I understand why servers use it but for personal files, I don’t like it, even encrypted I don’t want snoops to have access to them.)
Sure, but you can get a refurb HP 1810 8G for around $100, as well, and you’ll have more ports.