Network Topology Question - Firewall, etc.

rpiatt

Member
I have been planning my wiring for some time (see Planning my Panel and Wiring), and have been delayed due to the birth of my second child and several other events. However, I am now back on it and have a question relating to network topology...

My current plan is to have my cable modem in the panel with the main feed into that modem for providing broadband access. I have been trying to figure out what to put after that and in what order. Specifically, I am thinking about a dedicated firewall. I do plan to get a WHS up later in the year and want to be able to access it via the broadband connection, but want to protect the rest of my network from intrusion.

My original plan was to just utilize the firewall applications running on the various machines on my home network, but I now think the distributed approach can lead to failures. What I am considering is this:

I have a no-longer-used Linksys WRT54GS that I would flash with DD-WRT (which currently works beautifully on my WRT-350N), turn off its wireless capabilities since it will be in the panel, and activate the firewall capabilities using iptables (NetFilter iptables) and Firewall Builder (fwbuilder.org). This device would then be placed immediately behind my cable modem in the topology, and my gigabit Ethernet switch would follow that. I would continue to use my WRT-350N for wireless access in my home office, but with gigabit Ethernet throughout the house, wireless becomes less necessary.

From what I have been able to read on the Internet, this seems like a plausible option... However, I was curious what other cocooners are doing in this regard. I am not married to this approach and would like some feedback.

Your thoughts are appreciated... -_-

-Randy
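Randy's plan above, as an added example (not from the thread and not DD-WRT's own firewall script): an iptables ruleset for a two-interface gateway sitting between the cable modem and the switch, with default-deny inbound, NAT for the LAN, and a single TCP port forwarded to the WHS. The interface names (DD-WRT's vlan1 and br0 on the WRT54G series), the 192.168.1.0/24 range, the WHS address 192.168.1.10 and the forwarded port 443 are assumptions to adjust for your panel.

```shell
#!/bin/sh
# Added example, not from the thread: a self-contained iptables ruleset for a
# two-interface Linux gateway such as a WRT54GS running DD-WRT. Interface names,
# the LAN range and the WHS address are assumptions; adjust them to your panel.

IPT=${IPT:-iptables}            # set IPT=echo to print the rules instead of applying them
WAN=${WAN:-vlan1}               # DD-WRT's WAN interface on the WRT54G series (assumed)
LAN=${LAN:-br0}                 # DD-WRT's bridged LAN interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}
WHS=${WHS:-192.168.1.10}        # hypothetical static address of the Windows Home Server
WHS_PORTS=${WHS_PORTS:-443}     # expose only HTTPS; add whatever else WHS Remote Access needs

flush() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
}

base_policy() {
    # Default deny for traffic to the router and through it; the router may originate traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

lan_rules() {
    # LAN hosts may reach the router (DNS, admin UI) and the WAN. DHCP DISCOVER arrives
    # from 0.0.0.0, so it needs its own rule. Nothing accepts the admin UI on $WAN.
    $IPT -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

whs_forward() {
    # Forward only the WHS ports, only to the WHS, only for new TCP connections.
    for p in $WHS_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" -j DNAT --to-destination "$WHS:$p"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WHS" --dport "$p" -m state --state NEW -j ACCEPT
    done
}

wan_rules() {
    # Everything else from the WAN to the router is dropped; log a rate-limited sample.
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -i "$WAN" -j DROP
}

apply_rules() {
    flush
    base_policy
    lan_rules
    whs_forward
    wan_rules
}

case "${1:-}" in
    apply) apply_rules ;;              # run as root on the router
    show)  IPT=echo; apply_rules ;;    # dry run: print the iptables commands
esac
```

On DD-WRT this goes under Administration, Commands, "Save Firewall", so it is re-applied whenever the WAN comes up. Because it flushes first, it replaces DD-WRT's own rules rather than adding to them; that is intentional here (one place owns the policy), but it means any forwarding you configured in the web UI must be repeated in the script. After applying, check the result with `iptables -L -n -v` and `iptables -t nat -L -n -v` on the router, and from outside the network confirm that only the forwarded port answers.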
 
It sounds like a good setup. If you have a low power PC sitting around, I would recommend something like m0n0wall instead of the Linksys router, which turns any low end machine into an enterprise grade firewall (doesn't require a HD, it's BSD based). It supports cool features such as captive portal, allowing you to lock down your wireless even more. I use an old Pentium 2 machine (no moving parts) at home, and run this setup in an enterprise environment as well (10+ interfaces, 665 days uptime as of today).

I have used FWbuilder in the past, but prefer m0n0's web-based interface.
 
I built my server (dated 2007) and put Ubuntu Server on it a couple of months ago. I've set up my server as a router with two NIC interfaces: one internal for the Internet, and one PCI card for the internal network (LAN).

To do that, I've installed a DHCP server and the BIND9 DNS server. IPTables is already installed in Ubuntu by default. I configured the DNS server with my forward and reverse lookup zones and set up forwarders to forward requests to the Internet. An internal DNS server is useful if you want to set up DNS poisoning, such as forwarding doubleclick.net to 127.0.0.1, etc., but I think it's important to use DansGuardian (web filter) and Squid (as a transparent proxy) to configure the web filtering. I then have the DHCP server up with the default gateway set to my internal NIC, along with my DNS server. I have it set to 10.x.x.x to get out of the same old 192.168.x.x, just for my preference and ease of typing, although 10.x.x.x is for enterprises/businesses. -_-

Anyway, you can use Webmin to configure the DHCP/DNS server.

I also have set up my IPv6 tunnel with go6.net! For that, I use tspc for the IPv6 tunnel and radvd for advertising IPv6 addresses (it's stateless, so I don't need an IPv6 DHCP server). Once I got it set up, I went to ipv6.google.com to make sure it works!

With that, you have a lot of flexibility to customize your server as a router and make it more advanced! You can even set up an IPv6 tunnel on your router, too!
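The DNS sinkhole, resolver and transparent-proxy pieces of the setup above, as an added example (not the poster's configuration): shell functions that write the BIND zone and named.conf stanzas for the "DNS poisoning" trick, print the resolver options that keep BIND from answering recursive queries for the whole Internet, and emit the iptables rule that redirects LAN port-80 traffic into Squid. The LAN interface eth1, the 10.0.0.0/24 range, the router address 10.0.0.1, the directory /etc/bind/sinkhole and the forwarder addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generates the pieces of an Ubuntu router
# that are easy to get wrong: a BIND sinkhole zone, resolver options that stop
# BIND from being an open resolver, and the iptables rule that sends LAN web
# traffic through Squid transparently. Names, addresses and paths are assumptions.

IPT=${IPT:-iptables}                    # IPT=echo prints the rules instead of applying them
LAN=${LAN:-eth1}                        # the PCI NIC facing the LAN (assumed)
LAN_NET=${LAN_NET:-10.0.0.0/24}
SINK=${SINK:-10.0.0.1}                  # blocked names resolve here: the router itself
ZONEDIR=${ZONEDIR:-/etc/bind/sinkhole}
FORWARDERS=${FORWARDERS:-"192.0.2.53; 192.0.2.54;"}   # placeholders: use your ISP's resolvers
SQUID_PORT=${SQUID_PORT:-3128}

# Zone file in which the apex and every name under it resolve to $SINK. Answering
# with the router (which can serve an empty page) fails faster and more predictably
# than 127.0.0.1, which points each client at itself. One file serves every zone.
sinkhole_zone() {
    cat <<EOF
\$TTL 300
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 300 )
@   IN NS  localhost.
@   IN A   $SINK
*   IN A   $SINK
EOF
}

# One named.conf "zone" stanza per blocked domain, all pointing at the shared file.
sinkhole_conf() {
    for d in "$@"; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$ZONEDIR/sinkhole.db"
    done
}

# Write the zone file and the stanzas; include zones.conf from named.conf.local.
install_sinkhole() {
    mkdir -p "$ZONEDIR"
    sinkhole_zone > "$ZONEDIR/sinkhole.db"
    sinkhole_conf "$@" > "$ZONEDIR/zones.conf"
}

# options {} for named.conf.options: listen only on the inside, recurse only for the
# LAN. Without allow-recursion the box is an open resolver usable for amplification.
resolver_options() {
    cat <<EOF
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; $SINK; };
    allow-query { 127.0.0.1; $LAN_NET; };
    allow-recursion { 127.0.0.1; $LAN_NET; };
    forwarders { $FORWARDERS };
    forward only;
};
EOF
}

# Transparent proxy: LAN clients' port-80 connections are redirected to Squid on this
# host (Squid needs "http_port 3128 transparent", called "intercept" in 3.1 and later).
# Matching in PREROUTING on the LAN interface, not in OUTPUT, keeps Squid's own
# upstream fetches from being looped back into Squid.
proxy_redirect_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

case "${1:-}" in
    install) install_sinkhole doubleclick.net ;;
    show)    resolver_options; sinkhole_conf doubleclick.net; IPT=echo; proxy_redirect_rules ;;
esac
```

Two checks are worth running after `named` reloads: from a LAN host, `dig @10.0.0.1 ads.doubleclick.net` should answer 10.0.0.1, and from outside the network a query to the router's WAN address should be refused rather than answered. Note that the sinkhole zone answers for every name under the blocked domain, so a domain that also hosts something you need (a CDN, a login page) has to be handled more selectively.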
 

Well, I have the Linksys sitting around (well, technically I let someone borrow it, but I should have it back in a few weeks), and I don't have any old PCs lying around. However, I bet I might be able to scratch one up and build it cheap, and throw it in a 1U chassis. I'll have to read up on m0n0wall.

Something else I have been considering, after reading this, is an Astaro Security Gateway. It seems like a lot of work, but it is free for home use, and sure seems to do a good job according to reviews I have read...

But this m0n0wall stuff has me intrigued.
 
The Astaro software isn't a bad package, but you would still require that dedicated (and probably more powerful PC). The reason I prefer m0n0wall, is that from a security/performance/uptime point of view, Astaro has too many 'toys'. My 665 days uptime shows how solid the m0n0 platform is. I also believe that Astaro requires a subscription fee for some of the features, and requires a hard drive, but it has been a few years since I looked at it.

If you do want all those 'extra' features, take a look at pfSense, which is a fork of m0n0wall, but adding features such as clustering, plugins, and more.
 

Out of curiosity, what are the specs on that PII box you are running it on? And what is the power supply rated at?
 
P2 266, 64 MB of RAM I believe, 4 network interfaces. I was using the CD-ROM/floppy combo (the OS boots from CD, config stored on floppy), but I am now using a 256 MB flash disk. The system doesn't have any moving parts (the fans broke a long time ago; never repaired them). I don't know what the power supply is; the system is so old I don't remember.

I also have a 1U-based system with 4 ports in another location, and a 2U SuperMicro server with a low-end P4 CPU, which has the 10+ interfaces (it's overkill, though).
 
Oof. Those 1U systems are expensive...

Hmmmm. I was looking at maybe some used 1U / 2U server chassis on eBay, and you can get a dual-Xeon for under $100. I could probably add a flash disk and the necessary NIC interfaces and be good to go...

Good info Dan.
 
I like having my router, gigabit switch, and wireless AP all on different devices. I use a WRT54GS flashed to Tomato as the router and firewall. The switch is a 24 port gigabit switch, and the AP is a Lafon router flashed to DD-WRT. The results are MUCH more stable than using an OEM router/switch/AP all on one device.

You could also look at the HP t5720 or t5700 thin clients if you are looking for a hardware-based firewall. No moving parts and a 1 GHz processor. RAM can be up to 1 GB for the t5720 or 512 MB for the t5700. They run XPe, and you can load programs/drivers onto the device. Prices range from about $50 to $125 on eBay. Low power consumption (something like 7-10 watts for the t5700) is really nice too.
 
Highest security is provided by a configuration known as a choke and gate. The idea is that all external traffic goes to/from the choke, which can only talk to the gate. The gate checks every packet and ensures any transit traffic obeys the rules. The choke rejects any packets that are addressed to any internal machine other than the gate, and any packets from any internal machine other than the gate. The gate is configured with appropriate ipfw/netfilter settings, including any port knocking. Both the choke and gate should run a high-security operating system: I prefer one of the BSDs: FreeBSD, NetBSD, or OpenBSD. More recently, antivirus and spyware scanners can run on the gate to make sure nothing malicious gets in (despite best efforts on the part of the silly humans). I've supported a company for 14 years without a single exploit getting into our high-speed network or (more recently) colocation network. It takes 2 extra machines, but we reused old 386 machines (before turning on the scanning in 2002) and now we use 2 GHz Pentiums; the cost is negligible.

For a (dated) reference, look at Cheswick and Bellovin's book.
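The choke-and-gate policy and the port knock mentioned above, as an added example (not the poster's configuration, and written for netfilter/iptables rather than ipfw): the choke forwards only packets whose inside endpoint is the gate, and the gate does the stateful filtering for the LAN and opens ssh from outside only to a source that has knocked two ports in order. The interface names, the gate address 192.0.2.10, the LAN range 10.0.0.0/24 and the knock ports 7412 and 2319 are assumptions.

```shell
#!/bin/sh
# Added example, not from the post above: iptables rules for a choke-and-gate
# layout, plus a two-port knock on the gate using the "recent" match. Interface
# names, addresses and knock ports are assumptions; a BSD choke or gate would
# express the same policy in ipfw or pf.

IPT=${IPT:-iptables}               # IPT=echo prints the rules instead of applying them

# ---- choke: two interfaces, no services, forwards only to and from the gate ----
C_EXT=${C_EXT:-eth0}               # towards the modem
C_INT=${C_INT:-eth1}               # the link to the gate
GATE=${GATE:-192.0.2.10}           # the gate's address on that link (assumed)

choke_rules() {
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Transit is accepted only when the gate is the source or the destination;
    # a packet from or to any other inside address never matches and is dropped.
    $IPT -A FORWARD -i "$C_INT" -o "$C_EXT" -s "$GATE" -j ACCEPT
    $IPT -A FORWARD -i "$C_EXT" -o "$C_INT" -d "$GATE" -j ACCEPT
    # If the gate has a private address the choke NATs it; drop this if the gate holds the public one.
    $IPT -t nat -A POSTROUTING -o "$C_EXT" -s "$GATE" -j MASQUERADE
    # The choke itself is reachable only from the gate, only for ssh.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$C_INT" -s "$GATE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# ---- gate: stateful filter for the LAN; ssh from outside opens only after a knock ----
G_EXT=${G_EXT:-eth0}               # the link to the choke
G_INT=${G_INT:-eth1}               # the LAN
LAN_NET=${LAN_NET:-10.0.0.0/24}
KNOCK1=${KNOCK1:-7412}             # closed, otherwise unused ports, in descending order so
KNOCK2=${KNOCK2:-2319}             # a sequential port scan cannot complete the sequence

gate_knock_rules() {
    $IPT -N KNOCK_STAGE1; $IPT -N KNOCK_STAGE2; $IPT -N KNOCK_PASSED
    # Dispatch on how far this source address has got, latest stage first.
    $IPT -A INPUT -i "$G_EXT" -p tcp -m recent --rcheck --seconds 30 --name KNOCK2 -j KNOCK_PASSED
    $IPT -A INPUT -i "$G_EXT" -p tcp -m recent --rcheck --seconds 10 --name KNOCK1 -j KNOCK_STAGE2
    $IPT -A INPUT -i "$G_EXT" -p tcp -j KNOCK_STAGE1
    # Stage 1: the first knock records the source; everything else is silently dropped.
    $IPT -A KNOCK_STAGE1 -p tcp --dport "$KNOCK1" -m recent --set --name KNOCK1 -j DROP
    $IPT -A KNOCK_STAGE1 -j DROP
    # Stage 2: a repeated first knock is ignored rather than treated as a wrong port
    # (TCP retransmits the SYN because the knock port drops it); any other port resets.
    $IPT -A KNOCK_STAGE2 -p tcp --dport "$KNOCK1" -j DROP
    $IPT -A KNOCK_STAGE2 -m recent --remove --name KNOCK1
    $IPT -A KNOCK_STAGE2 -p tcp --dport "$KNOCK2" -m recent --set --name KNOCK2 -j DROP
    $IPT -A KNOCK_STAGE2 -j DROP
    # Passed: the next new connection may be ssh; the pass is then consumed.
    $IPT -A KNOCK_PASSED -p tcp --dport "$KNOCK2" -j DROP
    $IPT -A KNOCK_PASSED -m recent --remove --name KNOCK2
    $IPT -A KNOCK_PASSED -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A KNOCK_PASSED -j DROP
}

gate_rules() {
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Established flows (including an ssh session opened through the knock) must be
    # accepted before the knock dispatcher, or their packets would be dropped as stage 1.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i "$G_INT" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$G_INT" -o "$G_EXT" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$G_EXT" -s "$LAN_NET" -j MASQUERADE
    gate_knock_rules
}

case "${1:-}" in
    choke) choke_rules ;;
    gate)  gate_rules ;;
esac
```

To use the knock, send one connection attempt to each port in order, then ssh, within the windows the rules allow (10 s between knocks, 30 s to connect), for example `nc -z -w1 GATE 7412; nc -z -w1 GATE 2319; ssh GATE`. The "recent" list is keyed by source address, so anyone behind the same NAT as you gets the open port too; treat the knock as a way to keep sshd out of scanners' view, not as authentication, and keep key-only logins behind it.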
 

Now that is a good idea... I wonder if I could flash any of that 5700 series with m0n0wall. I see the t5735 runs Debian already...

And the nice thing is, it looks like it is small enough to fit in the panel as well... Although I may run it in my office next to my WHS when I get that set up...

More stuff to look at... I love this site...
 

I forgot to mention that the stock HPs only have 1 NIC. But they do have a PCI slot that you could add another NIC to. They sell a PCI kit that includes a PCI riser card as well as a new face for the case that allows for the extra room a PCI card would take. So that would be another expense required to make the thin client work as a firewall device. I think you can buy the PCI kits on eBay for about $30.
 
I have a buddy who works for HP (you make some good connections in grad school), and I am going to see if he has any access to any of them. Backup plan is ebay. We'll see what happens.
 