Leonid Eremin posted on Sun, 15 Mar 2015 22:08:16 +0300 as excerpted:

> Why don't you look for something [like the 2-port mobo I have, LAN/WAN
> with a gigabit switch on the LAN side]? Of course, if you don't have
> some sophisticated routing rules which require >=4 NICs.

I explained this in the original post, but it was long and admittedly
people might have skimmed, so here it is again.

A big part of the whole /point/ of going amd64-based router, despite the
expense and hassle over an old generic off-the-shelf, is that:

(a) I want to put gentoo on it, in part so I can easily play with per-
port firewalling/routing/traffic-shaping rules. My current old Linksys
WRT54GL running OpenWRT actually has the ability to configure each of the
five ethernet ports (plus the wifi) separately, but I've not played with
it much, in part because it's sufficiently different from my gentoo
comfort zone that working with its config is like reading and writing a
different language I don't really know, such that I'm constantly having
to look up stuff.

Which I'd be willing to do were I doing a bunch of openwrt, but for just
the one router, it seems like a waste, and I have to look stuff up again
every time I want to make a change because I never actually bothered
learning it properly.

(b) From experience with the netbook, I know that even if it's gentoo, I
won't keep up with it if I'm building everything separately for it.
Thus, amd64 gentoo, so for many packages I can build once and binpkg
install three times, to the new router, the main machine, and my new
netbook, if/when I get one (that side of the thread hasn't gotten any
hits, yet).

So, while I don't have specific rules for all the ports /yet/, for me at
least, a good part of the whole point of bothering with an amd64 router
instead of just doing off-the-shelf, is that I /can/ do specific rules
for each port, and I want at least five ports (six would be better, two
builtin and the quad-port, but five should do for now), plus a USB-
connected wifi expansion option should I choose to exercise it.

Things I already have in mind:

* I'd very much like to specifically route only VoIP stuff to the VoIP
phone adapter, and keep it from accessing the rest of the LAN. It's
actually a proprietary adapter, though I suspect it's running standard SIP-
based VoIP, set up such that it keeps an open connection to the VoIP
server and thus can be contacted across the NAPT-based router/firewall,
and I'd also very much like to log to what it's actually connecting, and
eventually block pretty much everything but the main VoIP server it's
connecting to. (Sometimes it rings once but doesn't complete an inbound
call. I strongly suspect that's unfriendly VoIP probes from
telemarketers, etc, that can't complete the call since they can't bridge
the NAPT. Getting more information and potentially blocking those would
be nice.)

Of course as I said, my current router can do it, but working with its
configuration is like trying to read/write a foreign language, so I've
not bothered.

* The current firewalling is pretty simple NAPT based, with a bit of
stateful for stuff like FTP. That means pretty much all outgoing is
allowed, only incoming really controlled in any way. I want to be much
stricter with outgoing.

* I'd like to be able to run simple outside-accessible servers, probably
on the router itself since it's about the only thing on all the time,
listening on some high port. Nothing fancy, just enough to host
individual files I can link to, etc. Limiting access to particular IP
ranges, on high-range ports I specify, etc, is planned. That's why I
said outside accessible, NOT publicly accessible.

* I have/had my current netbook set up such that I could run an ssh server
on it when I wanted, allowing connections only from the main machine (via
local-routed-only IP-address), on the LAN. Since I deliberately didn't
have anything particularly private on the netbook, I figured running the
server on it was least-risk. Of course it was private key authorization
only, no password, as well, and not listening on the usual ssh port. But
I didn't have any specific rules on the router. With the new router and
new chromebook reimaged to gentoo, I plan on allowing only specific port
to port ssh connections and blocking any others. Accepting/routing only
ssh connections to the main machine port from the netbook port, as well
as by netbook LAN IP only, should give me enough additional security to
feel comfortable running an ssh server on the main machine as well, so I
can connect to it from the netbook. Obviously I'd still only start it
manually, when I expected to be using it, in order to avoid having it
running all the time, for efficiency and security reasons both.

* That's four ports (wan, main, netbook, VoIP). The fifth is guest,
which I'll probably leave more open to the net, while strictly
controlling what it can access on the LAN. After all, I can add new
permissions for port-to-port access to my main machine or netbook
dynamically, if needed.

* The router itself should be reasonably capable of serving as a LAN
print or storage server, should I decide to set it up as such, as long as
I don't expect it to do everything at once. And being constantly on will
make it convenient for that. Thus the chances of needing more ports for
that go down dramatically.

* Of course that's not including the possible USB-connected wifi, which
could of course have its own separate rules enforced, potentially even
with multiple virtual wifi networks. But I'm old enough to appreciate
the security and constancy of physically wired connections, so while I
want to keep the wifi option open (which is easy to do with usb-connected
wifi, even if I don't have an open PCIE slot), it's not one I plan to
exercise immediately. But if/when I do, I imagine I'll be pretty strict
with the wired-lan connection rules for it, since I don't particularly
trust wireless as I don't have the physical control of it that I do of
wired connections. I might set up a publicly accessible no-login,
bandwidth-limited and possibly censorware limited internet connection,
however, just because...

* Should I expand beyond that, or should I find real life changing such
that I have a family's connections to secure and route as well, this
experience will guide me as I expand. Chances are they'll be way less
concerned about security, and will be happy with general wifi internet
access. If I need more ethernet ports, I'll have to evaluate at that
point whether I need a bigger router, or can simply hang a switch off one
of the existing ports and shift roles and rules around to accommodate.
What I'll be learning with this more limited setup will help.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
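As an added example that is not part of Duncan's post or of the thread: one way to write the five-port plan above (VoIP port isolated and logged, outgoing restricted for the main machine and netbook, ssh only from the netbook port and address to the main machine port, guest port kept off the LAN, one outside-accessible high port limited to a source range) as an nftables ruleset. This uses nftables rather than the iptables a 2015 Gentoo box would more likely have run, so it is a later-style equivalent, not the poster's own configuration. The interface names, LAN addresses, ssh port, VoIP server address, SIP/RTP port numbers and the allowed outside range are all assumptions and are marked as such in the comments; the VoIP server address is whatever the "VOIP-NEW" log lines show once the adapter has registered.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Every interface name,
# address and port below is an assumption standing in for the real layout.

define wan     = eth0   # assumed: WAN port
define main    = eth1   # assumed: main machine
define netbook = eth2   # assumed: netbook
define voip    = eth3   # assumed: VoIP phone adapter
define guest   = eth4   # assumed: guest port

define main_ip     = 10.0.1.2        # assumed LAN address of the main machine
define netbook_ip  = 10.0.2.2        # assumed LAN address of the netbook
define ssh_port    = 2222            # assumed non-standard ssh port on the main machine
define voip_server = 203.0.113.10    # placeholder: fill in from the VOIP-NEW log lines
define outside_ok  = 198.51.100.0/24 # placeholder: the one range allowed to reach the file server

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        # LAN-side ports may talk to the router itself (DHCP, DNS, later print/storage)
        iifname { $main, $netbook, $voip, $guest } accept
        # "outside accessible, NOT publicly accessible": one high port, one source range
        iifname $wan ip saddr $outside_ok tcp dport 40443 accept
        iifname $wan icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Main machine and netbook: outgoing is allowed only for what is listed here,
        # everything else is logged and dropped (stricter than plain NAPT)
        iifname { $main, $netbook } oifname $wan tcp dport { 22, 80, 443, 993 } accept
        iifname { $main, $netbook } oifname $wan udp dport { 53, 123 } accept
        iifname { $main, $netbook } oifname $wan log prefix "OUT-DROP " drop

        # ssh only from the netbook port AND the netbook address, only to the main
        # machine port AND address, only on the assumed ssh port; replies ride on
        # the established rule above
        iifname $netbook oifname $main ip saddr $netbook_ip ip daddr $main_ip tcp dport $ssh_port accept

        # VoIP adapter: log every new outbound flow while learning what it talks to,
        # then allow only the VoIP server on the assumed SIP and RTP ports; the log
        # rule has no verdict, so evaluation continues to the allow/drop rules
        iifname $voip oifname $wan ct state new log prefix "VOIP-NEW "
        iifname $voip oifname $wan ip daddr $voip_server udp dport { 5060, 10000-20000 } accept
        iifname $voip oifname $wan ip daddr $voip_server tcp dport 5060 accept
        iifname $voip oifname $wan log prefix "VOIP-DROP " drop
        # nothing from the VoIP port ever reaches the LAN ports (explicit, policy also drops)
        iifname $voip oifname { $main, $netbook, $guest } drop

        # Guest: out to the internet freely, never into the LAN
        iifname $guest oifname $wan accept
        iifname $guest oifname { $main, $netbook, $voip } drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the `log` rules write to the kernel log, so `dmesg` or the journal filtered on the "VOIP-NEW ", "VOIP-DROP " and "OUT-DROP " prefixes shows which addresses and ports each port is actually trying to reach. The intended workflow is to run with only the VOIP-NEW log rule and a temporary `iifname $voip oifname $wan accept` for a few days, read off the server address the adapter registers with, put it in `voip_server`, and then remove the temporary accept so the VOIP-DROP rule takes over. Because the forward policy is drop and the adapter's inbound traffic is only admitted as established/related to flows it opened itself, the same ruleset also enforces the "VoIP adapter never talks to the rest of the LAN" requirement without a separate VLAN.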