Exotic setups general

Yes, I know this is ridiculous, overkill and borderline insane, but so am I and my paranoia won't let me sleep at night if I don't build something like this. I will also let you know I am no network guy, so if you hear something ridiculous there is that.

The situation:
Obviously this excludes (((CISCO))) shit
Any hardware or software suggestions, or tips I should take into account in my most retarded summer venture yet?

Also, stupid overengineered setups general.

Attached: DMZ_network_diagram_2_firewall.svg.png (1280x820, 172.68K)


What?

Yeah, I accidentally the sentence there. I meant "3 wireless shits and 4 wired ones".

That doesn't sound overengineered to me. Looks like you'd like stuff like soekris (expensive) or pcengines. Install OpenBSD on it. I'm not sure how easily available it is outside Europe and what the alternatives are.

install gentoo

When I mentioned the setup to a network engineer friend of mine, he told me I was insane. Certainly not a conventional home network setup, but oh well.

I have heard of PC Engines. Pretty cool machines overall, but it seems they don't go below 100 euros. I probably won't find anything else in that price range that isn't complicated as all fuck to install something on, has 3 (!!!) RJ45 connectors and is basically a fully featured PC, but I was still hoping for something cheaper, like an Orange Pi R1 (maybe too cheap) or a Pine A64 with a USB network adapter; it wouldn't be half as cool and powerful as an APU 2c2. Do you happen to know any trustworthy website where I can order one of those? 2C2s seem to cost around 130 euros (and who knows how much shipping to my third world European country costs), but then there is this place where they sell the 2C2 for 100 euros, and they also sell a 3C2 which doesn't even exist on PC Engines' website.
landashop.com/cmp-apu-3c2.html

The 3c2 is an actual model, it's just not listed on the official website for some reason.
pcengines.ch/apu3c2.htm

Also, according to pcengines.ch/newshop.php?c=2 , 2c2s are shipping in a week, and that distributor is charging pretty much what it costs them. It's the other distributors that charge almost half as much as it costs them. relly maeks u think

He sounds like a filthy casual.

The PC Engines units look interesting, but you need to seriously question if you're going to be using it long enough to offset $100 or whatever of electricity, which is a lot. My fileserver is an ancient Core 2 system with a lot of spinning platters, and I've estimated it only eats $10/month of electricity, which makes replacing it not really worth it.

I'd recommend finding an old low-end desktop and using that to start, then upgrade to some dedicated hardware after you're satisfied with how it turns out. If electricity is really that expensive, or you don't have access to free hardware, consider the rock64 (pine64.org/?page_id=7147), since it has gigabit + 100Mb/s, and should do the trick.

My advice is to use pfsense, since it makes it easy to get started, and is just freebsd underneath, so you can do more advanced things as you need.

You should be using vlans.
Wireless on one, wired on another, server on both.
Let the upstream devices deal with firewalling and segmentation.
From there, the server can act as a secure mediator of wlan and lan, as well as host whatever the fuck you want.

VLANs aren't really pointful here, because if you can't trust the device on the other end, you have to stick it on a dedicated tagged port, which means either you have to have a switch that supports VLANs, which is more expensive than a bunch of random $5 NICs, or you need dedicated NICs on the firewall/router, at which point you might as well just use isolated LANs and skip the virtual.

2006 called to tell you you're a faggot.
DDWRT, OpenWRT, and Tomato support VLANs.
Consumer switches don't give a shit about VLAN tagged frames.
Linux and BSD can do software vlan tagging, and everyone under the sun supports vlan tagged frames, even relshit.
Because you're not doing any layer 3 routing, nearly anything can handle a network that size.

You only tag the frames on whatever port your server occupies, which you already trust; everything else gets untagged traffic.
As for security, just block infrastructure access from whatever VLANs you don't want.
If you want a service on your botnet VLAN, spin it up in a VM and set up a firewall on the infrastructure and server to lock it down.

vlans are step #1 in securing a lan.

Attached: vlan.png (800x600, 32.1K)

I once lived in a dorm for a few months. The shitty administrator there kept fucking up the wifi, so I ran a network cable from the modem to one of my laptops. But I also wanted to use my other laptop and I didn't have another network cable with me. So I made a hotspot on my android phone and connected both laptops to it. Then I SSHed into the one which was connected to internet and made a socks proxy (-D ), and then socksified my system with tsocks.

For some reason I still stick with this system even when I have a proper working wireless router. I guess I'm too lazy to remove all the shit I set up for it to all go through the SSH connection. Whenever I take my computer elsewhere, I replace the internal IP of the internet-connected laptop with its external IP and everything still works (it functions like a VPN then). It would work great with tor I think.

lrn2read. What's to stop the botnet in blue to decide to tag themselves into green's VLAN? VS for no real extra expense, stick a $5 broadcom NIC into the server, and you have a router.

2 problems with that statement. First, if you're not doing layer 3, the VLANs aren't going to be able to communicate. Second, nearly everything can do a gigabit of routing. You can do ~4Gb/s per thread on any decent hardware from this decade.

Lol. Step 1 is starting from the bottom and understanding what you're doing, not jumping straight to some cargo-cult security of "VLANs will fix everything". Start with the basics, like setting up a meaningful firewall, organizing your network and getting control of DHCP, and locking down your server. VLANs come much later.

There's plenty of purposes for VLANs, but for security, a config error doesn't accidentally bridge 2 separate ethernet cables, but it will knock out your VLANs, so for the beginner, buy a $5 NIC and skip the pitfalls.

t. my job title is senior systems administrator

Attached: dr kekyll.png (946x657 21.69 KB, 273.14K)

if that's true then you need to relearn some networking dude.
Layer 2 can still talk between each other, you just need a router to do so.
I don't even get this, do you set up VLANs where all ports are tagged with all VLANs?

An elcheapo computer running 2 NICs plus a L2 switch will do what you want WITH more control.

Routers are Layer 3 by definition. Fuck, there are Layer 3 switches and most network guys will tell you that's just a fancy name for a stripped down router.

What does this have to do with the core network concept that anything on the same VLAN can communicate with each other without a piece of Layer 3 hardware?
was saying:
Educate us on the difference between 192.168.1.33/24 and 393.129.2.69, then apply that same concept to VLANs.

I'll save you some time and post the answer:
A transmission crossing networks requires an intermediary, like a server connected to both networks, or a route between the networks.
Data can't cross a VLAN unless there's an intermediary in the form of a server connected to both networks, or a route between the networks.

Thus defeating the entire point of having the VLANs in the first place. Put the server between the networks, and you have the exact same logical layout, but it is much simpler for a beginner, which is what I've been saying from the beginning.


So for OP's situation, I'd suggest the following:

Split the secure and insecure sides of the network and have each on a separate port on the server.
If your internet is DSL, you can have it come into the secure side and set the modem/router combo into bridged mode and pass the PPP traffic to the server and run pppd there.
If not, you just have the ISP supplied modem on a third port of your server.
Now all you need to do is to set the server as the gateway for both subnets, set up NAT and a firewall on the server, and lock it down.

You can get all this started with an old desktop and a couple of cheap NICs. Power consumption will be a bit high, but that's offset by the low capital cost (would be $10 in my country's monopoly money). From there, once you're satisfied with how it works, find yourself a nice cheap low powered miniITX board and a couple SSDs and you should be able to do this in < 20W

Nope

>/g/
>>>/4chan/
>>>/india/
>>>/designated/

Attached: 1462064515253.jpg (553x559 247 KB, 69.75K)

Care to back that with something that doesn't smell like your down syndrome ass? Most consumer switching hardware can barely handle a gigabit of throughput, and now you're saying that a router-on-a-stick arrangement + passing half the frames to the processor for tagging is going to have no performance impact? Try the fuck again.

Yeah you fucking do, unless you plan on either trusting the untrusted devices to do their own VLANs (or even support VLANs for that matter), so you're stuck tagging everything in one of the 2 nets to the appropriate VLAN.
This is supposed to be a secure network setup, not a kafkaesque autism simulator. What I said was not that it's impossible to do this with VLANs, but that it's needlessly complicated to do so, and here you are proving me right.

I almost had to take your post seriously, but then I saw that you recycled a reaction image. Better luck next time kiddo.


What century are you from? You can max out gigE on 4 year old netgear or dlink unmanaged switches.
5 year old asus and linksys routers can do the tagging just fine with plenty of room to do actual routing.
Your shit-talking of software tagging reeks of "industry" retards attempting to shut down software RAID.

Correct.
Just a few lines later:
>Yeah you fucking do tag all frames on wire to use vlans
More self contradiction.

No you don't.
Search: VLAN access port
Search: VLAN trunk port
You only tag trunks.
You put a switch on your access port, or add in more access ports.
Furthermore, if you do what suggested, you don't have to tag anything on wire.

VLANs make it so you don't have to be stuck.

Attached: poo.jpg (1000x667, 132.16K)
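To make the access-port versus trunk-port argument from the posts above concrete, here is an added toy model of a VLAN-aware switch (example code, not from anyone in this thread; port names, VLAN ids and MAC addresses are made up). It shows that only the trunk to the trusted server carries tags, that an access port drops any tagged frame a host on the wire sends, so a device cannot tag itself into another VLAN, and that frames from one VLAN never egress on another VLAN's access ports.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None      # 802.1Q tag on the wire, None = untagged

@dataclass
class Port:
    name: str
    mode: str                       # "access" or "trunk"
    pvid: int = 1                   # VLAN assigned to untagged ingress frames
    allowed: set = field(default_factory=set)  # trunk only: VLANs carried tagged

class Switch:
    """Floods within a VLAN (no MAC learning); enough to show the isolation."""
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.log = []

    def classify(self, port_name, frame):
        """Return the internal VLAN of an ingress frame, or None if dropped."""
        port = self.ports[port_name]
        if port.mode == "access":
            if frame.vlan is not None:      # host tried to pick its own VLAN
                self.log.append(f"drop tagged frame on access port {port.name}")
                return None
            return port.pvid
        if frame.vlan is None:              # untagged on trunk -> native VLAN
            return port.pvid
        if frame.vlan not in port.allowed:
            self.log.append(f"drop VLAN {frame.vlan} on trunk {port.name}")
            return None
        return frame.vlan

    def forward(self, in_port, frame):
        """Return [(egress port, frame as sent)] for one ingress frame."""
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return []
        out = []
        for p in self.ports.values():
            if p.name == in_port:
                continue
            if p.mode == "access" and p.pvid == vlan:
                out.append((p.name, Frame(frame.src, frame.dst, None)))   # untagged
            elif p.mode == "trunk" and vlan in p.allowed:
                out.append((p.name, Frame(frame.src, frame.dst, vlan)))   # tagged
        return out

def build_switch():
    """Constructed layout: wireless on VLAN 10, wired on VLAN 20, server on the trunk."""
    return Switch([Port("wifi1", "access", 10), Port("wifi2", "access", 10),
                   Port("wired1", "access", 20), Port("wired2", "access", 20),
                   Port("trunk", "trunk", 1, {10, 20})])
```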

Why not do it like pic related?

Attached: APU pajeetnet.png (816x1056, 158.9K)

Ok, since you clearly don't understand how VLANs/switching/routing/English works, here's a breakdown of what you're proposing: (assumption is that this is all consumer hardware)

A frame comes in on the access port from one of the isolated segments, and is destined for the router (this is probably 90% of traffic)
It needs a VLAN tag added so it can go out the trunk to the router, so it makes one trip through the switch to go to the management plane, gets a tag added
It then goes through the switch again to go from the management plane to the trunk port and is sent to the router
So it has to make twice as many trips through the switching hardware.
Additionally, if the internet connection comes into the switch in question, it has to make 2 more trips through the switch to get the VLAN tag removed

Yes, that's what a gigabit of throughput means. The problems start when you have 2 or more streams trying to use that gigabit of throughput; you're not going to get a gigabit on each port. Hell, mid-range commercial switches will only have ~5Gb/s of throughput for a 12 port gigabit switch. Or less if you're enough of a sucker to buy HP.
So once you get the amplification effect of having to pass frames to the management plane and/or making a round trip out to the router, you start to eat up the throughput rather quickly.
