The document provides instructions for mastering a home network by replacing the ISP-provided router with professional networking hardware. It recommends throwing away the ISP "box" and using a modem and separate router instead. The router should be a professional SOHO brand like Mikrotik, Ubiquiti or Turris Omnia for features like VLANs, QoS, routing, VPN, and advanced protocols. Basic firewall rules are outlined to secure the WAN connection by accepting ICMP, dropping invalid packets, and accepting established connections.
How to Use GSM/3G/4G in Embedded Linux Systems (Toradex)
The number of embedded devices that are connected to the internet is growing each day. Nowadays, they are mostly installed using a wireless connection. They need mobile network coverage to be connected to the internet. Read our next blog which tells you about the various configurations to connect a device such as Colibri iMX6S with the Colibri Evaluation Board running Linux to the internet through the PPP (Point-to-Point Protocol) link. Read More: https://www.toradex.com/blog/how-to-use-gsm-3g-4g-in-embedded-linux-systems
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we achieved:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated)
- Single source of truth (the docs become the config)
An experience is a personal and emotional event we remember. Every experience is established based upon pre-determined expectations we conceive and create in our minds. It’s personal, and therefore, remains a moving and evolving target in every scenario. When our experience concludes and the moment has passed, the outcome remains in our memory. Think about what makes you happy when connecting with your own device and then think about what makes you really upset when things are hard, complicated, and slow. If the user has a bad experience in any one of these areas (simple, fast, and smart), they are likely to leave, share their negative experience, and potentially never return. Users might forget facts or details about their computing environment but they find it difficult to forget the feeling behind a bad network experience. When something goes wrong with the network or an application, do you always get the blame?
Update presented at LINX (the London Internet Exchange) in November 2013 regarding ExaBGP, the BGP Swiss army knife of networking.
It includes information about the latest developments and features, including RFC support, for ISPs and IXPs.
Users of BIRD and Quagga may find some information about features not yet present in other open source BGP implementations.
Next Generation Ethernet
Next Generation Ethernet is a platform that should deliver all of the previous function requirements under one hood. I have grouped the Generations in this way because Cisco has different purpose-built product lines for each of the 4 waves of technology. Counter to that, Extreme offers a platform solution for a customer to build his network on. Extreme does not require different switches to address different convergence requirements; this would be cost prohibitive for most customers, and complicated. Simply put, to disrupt the Cisco market, Extreme must deliver more with less.
The IEEE is pushing Ethernet to unimaginable speeds, with the 40/100 Gigabit Ethernet standard expected to be ratified in 2010 and Terabit Ethernet on the drawing board for 2015. Here's a timeline showing key milestones in the growth of Ethernet. Standards-compliant products are expected to ship in the second half of next year, not long after the expected June 2010 ratification of the 802.3ba standard.
Complexity - Complex systems are a special type of chaotic system. They display a very interesting type of emergent behavior called, logically enough, complex adaptive behavior. But we are getting ahead of ourselves. There’s a need to back up a bit and describe a fundamental behavior that occurs at the granular level and leads to complex adaptive behavior. It is self-organization. Complex Adaptive Behavior is the name given to this forming-falling apart-reforming-falling apart-… behavior. Specifically it is defined as many agents working in parallel to accomplish a goal. It is conflict ridden, very fluid, and very positive. The hallmark of emergent, complex adaptive behavior is it brings about a change from the starting point that is not just different in degree but in kind. In biology a good example of this is the emergence of consciousness. Another example is the Manhattan Project and the development of the atomic bomb. Below is a checklist that helps facilitate a qualitative assessment of the level of complexity. It is in everyday language to facilitate use by a broad range of stakeholders and team members. In other words, it stays away from jargon, which can be the kiss of death when requesting information from people.
The Checklist
Not sure how the project will get done;
Many stakeholders, teams and sub-teams;
Too many vendors;
New vendors;
New client;
Team members are geographically dispersed;
End-users are geographically dispersed;
Many organizations;
Many cultures (professional, organizational, sociological);
Many languages (professional, organizational, sociological);
High risk;
Lack of quality, best characterized by lack of acceptance criteria;
Lack of clear requirements and too many tasks;
Arbitrary budget or end date;
Inadequate resources;
Leading-edge technology;
New, unproven application of existing technology;
High degree of interconnectedness (professional, technological, political, sociological).
Arduino Meetup with Sonar and 433MHz Radios (roadster43)
These are slides from our meetup. We give a quick intro to Arduino and then work through a series of tasks. First we integrate the HC-SR04 sonar, then transmit JSON with the cheap 433MHz radios. And finally we add a receiver to hear what others are transmitting.
The example code is on github here:
https://github.com/fwin-dev/arduino_sonar_web_api
Internet Of Things: Hands on: YOW! night (Andy Gelme)
Introduction to the Internet Of Things ... using the MeshThing hardware running Contiki mesh-networking software for IPv6 / 6LoWPAN. Also, Daryl Wilding McBride (@darylwmcb) covers building a quadcopter for the Outback Joe competition.
My slides from Milan Codemotion 2015, a session called "An Adventure with ESP8266 and IOT" about using the esp8266 with NodeMCU, mosquitto, nodejs and an accelerometer. All the source code will be available at http://pestohacks.blogspot.com soon
An alternative to the core/aggregation/access layer network topology has emerged known as leaf-spine. In a leaf-spine architecture, a series of leaf switches form the access layer. These switches are fully meshed to a series of spine switches. One way is to create a Spine and Leaf architecture, also known as a Distributed Core. This architecture has two main components: Spine switches and Leaf switches. Intuition Systems can think of spine switches as the core, but instead of being a large, chassis-based switching platform, the spine is composed of many high-throughput Layer 3 switches with high port density. The mesh ensures that access-layer switches are no more than one hop away from one another, minimizing latency and the likelihood of bottlenecks between access-layer switches. When networking vendors speak of an Ethernet fabric, this is generally the sort of topology they have in mind.
Haven’t we spent the last few decades disaggregating datacenter architecture? And if so, what does disaggregation mean now, is it something different? Strictly speaking, to “disaggregate” means to divide
Making wearables with NodeMCU - FOSDEM 2017 (Etiene Dalcol)
NodeMCU is an open hardware IoT platform based on eLua for the ESP8266 microcontroller. It allows creating low-cost projects using Wi-Fi and easy scripting in Lua, which makes it great for making wearables, for example. In this talk I'll give an introduction to the platform, show how I built an audio reactive graduation dress and share the materials to get you started on your own wearable project. This talk is ideal for beginners to hardware hacking or Lua enthusiasts looking for project inspiration.
Learn the different things you can do when you learn home networking. I can do more detailed tutorials when requested. As this is my first Slideshare, don't expect perfection.
This tutorial gives a very good understanding of Computer Networks. After completing this tutorial, you will find yourself at a moderate level of expertise in Advanced Networking (CCNA), from where you can take yourself to the next levels.
Convergence of device and data at the Edge Cloud (Michelle Holley)
The ever growing need for Intelligent Systems evolves analytics and decision making into AI, with Machine Learning as the tool for knowledge assimilation. What is essential for ML is a form of data that has inherent information that can be translated to useful information (intelligence) for decision making. IoT is the key for intelligent systems as they collect data at every end point. They are like the ends of the neuron network in the human body. And the data collected has to be refined for decision making as it traverses up to the brain (AI Cloud); like lymph nodes, we have Edge Clouds. We will explore in this short talk two aspects of such IoT infrastructure: lossy networks for IoT devices, gateway options for device data, and how it can seamlessly integrate with Edge Cloud Networks. We will review such protocols as Wireless Mesh, programmable gateways and the extension of overlays into the Cloud.
Speaker: Murali Rangachari, Futurewei Technologies
Bridging the Digital Gap: Brad Spiegel Macon, GA Initiative (Brad Spiegel Macon GA)
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Understanding User Behavior with Google Analytics (SEO Article Boost)
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf (Florence Consulting)
Fourteenth Milan Meetup, held in Milan on 23 May 2024 from 17:00 to 18:30, in person and remotely.
We talked about how Axpo Italia S.p.A. reduced its technical debt by migrating its APIs from Mule 3.9 to Mule 4.4, also moving from on-premises to CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027 (harveenkaur52)
Agriculture and Animal Care
Ken Research has expertise in the Agriculture and Animal Care sector and offers a vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemicals, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in the agriculture sector provide better insights to companies dealing with related products and services, government and agriculture associations, researchers and students, to better understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
4. What, why?
Internet Service Providers (ISP) deliver "BOXes" as Customer Premises Equipment (CPE) of their network
They want their customers to plug-and-play
Those BOXes are very cheap and locked hardware
In a word, they are poor
Don't trust the marketing song of your ISP
They work for very basic usages
They are usually not very secure
https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les-modems-sfrnumericable
5. Why change?
To master things from A to Z
To support more devices (IoT, home automation, servers) in your house
If you have many devices, better get rid of your box
If you need inbound traffic (self-hosted infrastructure)
If you want to push security further (IoT?)
If you want to load-balance over several ISPs
If you want to peer with other trusted people (through VPN)
And create/manage your own Internet
If you need security (through IPsec, for example)
8. As a reminder
Protocols are open
You should be able to replace any hardware with another (from a different brand)
As long as it talks the same protocols, it must work
Some ISPs don't follow the RFCs for some protocols
That forces you to use DPA/DPI
That forces you to patch your stack
10. My experience, my knowledge, my shares
Actually at home...
I own several different Internet provider connections
IP failover, advanced routing scenarios, traffic shaping and QoS
Dual stack IPv4 and IPv6
Separation of input and output streams
I have several machines and wifi networks
I have no more "boxes"
I'm VPN linked with other guys doing the same stuff as me
I'm hosting some public Internet services (DNS, HTTP, etc.)
12. Getting rid of your box
To trash your box, you need a modem, depending on the technology provided.
ADSL
Then you can plug in an ADSL modem
Cable (DOCSIS)
You may use a DOCSIS modem
Fiber, ONT based
You can plug in using RJ45 or SFP
Fiber, raw mode
You may plug in using an SFP adapter
13. Notice
I talked about modems to manage the input ISP stream, not routers
Many modems actually can/do route
Do not use their router!
We must use the modem just to convert the signal into an RJ45 socket
Then, we'll plug our raw RJ45 Internet cable into our own router, of our taste
Buy the "simplest" modem, if possible with no router inside
Mind the chipset (Broadcom ones are good)
19. Keeping your box, at a minimum
You don't want to buy a modem?
There is a solution: keep your provider box
But only use it as a modem!
Disable everything else but the modem
Especially: disable their shitty slow/insecure poor router
This is called "bridge mode" (L2 bridge)
20. Box as a modem: bridge mode
2 scenarios (2018):
Your box can be bridged (L2)
SFR/Numéricable LaBox
Freebox
Everything is then all right
Your box can't be bridged (L2)
Others (Orange, Bouygues)
You'll need to buy a modem
Or suffer from a horrible network stack (DMZ, or double NAT)
With fiber technology, you should use an ONT or raw SFP
21. ISP Box Conclusion
Ask to run the box as a modem, not a router (bridge mode)
If possible: you can keep your box
Free - SFR
If not possible: you must replace it with custom hardware
Orange - Btel
Don't use the box router (router mode)
Other alternative ISP exist
22. I got my Internet plug!
Bridged box or custom modem, now your Internet connection is arriving through one cable
It is time to route it and start doing some network stuff
85.2.208.135*
2a01:ca:b5ee:ed::/56*
*: example provider IP
24. Router
Pay the price: the heart of your network
Too many references on the market
Do not choose a general-purpose low-end brand
Linksys, TP-Link, Netgear, etc.
Don't blindly trust marketing
Those are not really better than the ISP box
Poor hardware
Not much customization
No routing protocol management
No VPN possibilities, or weak ones
In a word: low-end entry-market products (even "advanced" ones)
25. Professional router brands
Turn to professional dedicated hardware brands
Datacenter hardware is not for your usage and cost
SOHO is what you need: Small Office Home Office hardware
SOHO gear is not that expensive (60€ to 1000€)
The smallest SOHO router starts at about 60-80€
2 kinds
Open, based on Linux or Unix stacks
Ubiquiti (Debian based); DD-WRT, Turris Omnia, others...
Closed, based on a custom OS (often Unix-derived)
Cisco's IOS, Mikrotik's RouterOS, Juniper's Junos, etc.
26. My experience
I run Mikrotik for my router and wifi spot
Professional hardware
"RouterOS" is the name of the OS
Not open source
Based on the Linux kernel
Full of features, stable, maintained
Licence pricing is really good
Perfect for advanced networking at home or for small businesses (SOHO), with clearly reasonable pricing
I run Ubiquiti for my switch
Perfect balance of price / usage for SOHO
29. Mikrotik
https://mikrotik.com/
https://routerboard.com/
Size your needs
Prices go from 60$ to 4000$ per unit (L3 routers)
Basically, CPU and RAM drive the price
If you need VPN, QoS or high-traffic firewalling, mind the CPU and RAM
Mind the hardware dimensions
Some are small devices, some are 1U rack sized
34. Wifi?
Don't fear the wifi.
Wifi support will be added to our stack thanks to Access Points (AP)
Usually better than embedded router wifi
35. Router quick tour
Every port can be wired independently
Some devices provide switch chips
Some devices provide Wifi
It's better to use dedicated hardware for such tasks (switching, wifi)
You basically tell each port what you want it to do
1/ You create L2 and L3 links
2/ You arrange routes
3/ You secure everything with the integrated firewall
4/ You control traffic bandwidth with queues and QOS
39. Dedicated switches
The problem with routers is that they are not good switches
They may do the job, but take care not to go through the CPU for switching purposes
Tip: bridge traffic often goes through the CPU
Buy the right hardware for the right purpose
For full L2 switching, nothing beats switch ASICs
40. Using a dedicated switch
[Diagram: router with WAN 93.235.6.18 and LANs 192.168.0.0/28 and 192.168.1.0/29, carried to a dedicated switch over a VLAN trunk]
41. Even better with 802.1ad LACP
[Diagram: same topology (WAN 93.235.6.18, LANs 192.168.0.0/28 and 192.168.1.0/29), with the VLAN trunk to the switch bundled with LACP]
42. More complex setup
[Diagram: provider #1 and provider #2 uplinks, a provider #1 TV stream, a provider #2 SIP stream, and separate LANs for IP cameras, computers, NAS and IoT devices]
44. RouterOS
A full Network OS
You must familiarize yourself with it
You must have strong general networking knowledge (master OSI, master TCP/IP and common protocols at several layers)
RouterOS supports
Firewalling - IPsec - Routing - Switching - MPLS - VPN - Wireless - DHCP - Hotspot - Bonding - QoS (HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS - TFTP - PPP, ISDN - Bridging (STP/RSTP) - Telnet/SSH - Packet Sniffer - Ping flood - traceroute - Scripting - File fetch - Traffic generator - SOCKS - ...
In short: many advanced technologies in one box
Have a look at the licensing details
45. RouterOS details
You may access RouterOS using:
Web HTTP/HTTPS access
SSH / Telnet, using the command line
WinBox (Windows GUI tool)
Console port (special cable needed)
FTP/TFTP for internal storage access
An HTTP interface demo exists online at http://demo.mt.lv
Documentation
https://wiki.mikrotik.com/wiki/Manual:TOC
49. Let's go for our first simple example
Distributing Internet at home
50. Very simple Internet sharing setup
[Diagram: WAN modem plugged into a port of Ethernet switch 2 (rest unused); PC1 and PC2 on Gigabit switch 1]
51. What we need
Isolate port 10 (eth10) from switch 2: this is the WAN
Use the whole switch 1 by bridging its ports together
Attach a DHCP client to eth10 (WAN) if the ISP doesn't provide a fixed IP
Create an IP address and network for the whole switch 1 (LAN)
Let's choose 192.168.0.0/28
Let's add a DHCP server to it
Create a source NAT on eth10 so LAN traffic is NATed over the WAN
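The checklist above as RouterOS commands, added here as a worked example (it is not taken from the deck); it assumes the router's switch 1 is ether1 to ether5, the deck's eth10 is ether10, and ether9 is left unbridged for later use.

```routeros
# Assumptions (not from the deck): switch 1 = ether1..ether5, WAN = ether10,
# ether9 kept outside the bridge as a spare management port.

# 1. Bridge all switch 1 ports into one L2 segment: the LAN
/interface bridge
add name=bridge-lan comment="switch 1: every port bridged together"
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

# 2. eth10 stays isolated (not a bridge member) and becomes the WAN
/interface ethernet
set ether10 comment="WAN: raw Internet from the bridged box or modem"
/ip dhcp-client
add interface=ether10 disabled=no add-default-route=yes use-peer-dns=yes \
    comment="skip this and add a static /ip address if the ISP gives a fixed IP"

# 3. LAN addressing: 192.168.0.0/28, router at .1, clients .2 to .14
/ip address
add address=192.168.0.1/28 interface=bridge-lan comment="LAN gateway"
/ip pool
add name=lan-pool ranges=192.168.0.2-192.168.0.14

# 4. DHCP server on the bridge, handing out the router as gateway and DNS
/ip dhcp-server
add name=lan-dhcp interface=bridge-lan address-pool=lan-pool lease-time=1h disabled=no
/ip dhcp-server network
add address=192.168.0.0/28 gateway=192.168.0.1 dns-server=192.168.0.1
# The router resolves DNS for the LAN. Until the input chain drops WAN
# traffic (slides 57 to 71) this also answers queries from the Internet,
# so the firewall below is not optional.
/ip dns
set allow-remote-requests=yes

# 5. Source NAT: LAN traffic leaves eth10 with the provider's address
/ip firewall nat
add chain=srcnat out-interface=ether10 action=masquerade \
    comment="NAT 192.168.0.0/28 behind the WAN address"
```

Paste it into the terminal (SSH or WinBox) from a machine on switch 1; the `/ip dhcp-client print` and `/ip firewall nat print stats` commands then show the WAN lease and the NAT counters climbing once a PC browses.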
56. Security foreword
If you want to design your own network from scratch, you are responsible for your own security
Bad firewall configuration will lead to security breaches in your home, from outside, through the wires.
Take care
Secure your network like you secure your home
Lock doors
Take care of the basement, windows and other ways to reach you
Think about everything
57. WAN security
Your WAN side is directly connected to the Internet
You'll then start experiencing attacks on your external IP
You must now protect yourself
From WAN input traffic, that's the basics (IN)
From your own untrusted output traffic, that's optional (OUT)
Welcome FIREWALL
58. Firewall filter chains
Input
Traffic whose dst-addr is one of your router's own addresses
Forward
Traffic flowing through your router (whose dst-addr is routable and not one of your router's)
Output
Traffic generated by the router's own OS, whose src-addr will be one of your router's
"FooBar"
You can create as many custom chains as you want
59. Firewall: main rules
One rule targets one chain (not zero, not several: one)
Input
Forward
Output
Xyzbaz: custom chain (you can add unlimited custom chains)
For every chain, rules are ordered
If rule 3 terminates the chain (by DROPing, for example), then rule 4 and the following ones won't be evaluated
Rules can jump
You can say "rule 3: match packets XXXX and jump to chain ZZZZ"
You have to carefully follow the packet path in your head
Don't get lost!
60. Firewall perf
We use a connection-tracking firewall here
Activated by default. Can be tuned (connection lifetimes)
A raw firewall is available too
If you don't organize flows the right way
You'll burn your CPU as traffic increases
Organize rules (they are ordered lists) cleverly
The most likely to match should come first
At some point, you'll need better hardware (CPU and RAM)
Time to upgrade then
At 1Gbps per link, that can increase very fast according to needs
62. Accept ICMP
Don't blindly block ICMP
Internet Control Message Protocol
A good engineer does not blindly block all ICMP traffic
ICMP is used to debug your router and networks
Mainly using "ping" or "traceroute"
ICMP is used to debug IP
"network unreachable", "admin prohibited", "fragmentation needed"
Thus ICMP helps routers and OSI layer 4 protocols (TCP)
ICMP is mandatory for IPv6 (it can't work without it)
63. Or at least, control ICMP
You may suffer from ICMP attacks
Then you may rate-limit ICMP traffic
Or you may classify ICMP traffic
http://www.nthelp.com/icmp.html
64. Drop Invalid
Invalid packets are packets that present themselves as part of a non-existent connection
Not seen before by the conntrack firewall
Basically: traffic injection attempts / attacks or replays
Or networking problems
(Advanced routing protocols could suffer from that; we don't care at our level)
65. Accept established
Established packets are packets belonging to a connection the router already knows about
Basically: this is the return traffic on its way back
This rule is very useful to match the return traffic and not block it
You can safely assume that you accept packets coming from connections you did create or accept, right?
This rule will also reduce firewall CPU pressure
66. Accept forwarding
As a router, your role is to forward packets from one interface to another
Using routing tables
Let's accept default forwarding
This is the default behaviour
But adding an explicit rule will allow you to remember that
And to collect statistics about it
68. Firewall jail
Simple: you program the firewall so that you lock yourself out of the box.
Like when you close your front door with the keys left in the lock on the other side
WARNING
It is easy to lock yourself out of your box
Always keep that in mind while firewalling
69. Firewall jail example
"For every INPUT, DROP it"
You just locked yourself out!
Your connection will immediately be lost
4 solutions:
Reset your router (pay the price!)
Access using the console port (you'll need a special console cable)
Prevent it yourself by opening a hidden door (a special port)
Use an embedded anti-lock system
Vendors usually provide anti-lock systems
Mikrotik provides two of them
70. Open a "hidden" door by yourself
Here, eth9 can be used to connect to any router IP and access your router
This assumes you have physical access to it
This assumes you open the firewall in input using an "in-interface" match
71. Let's protect ourselves
Accept input from the trusted 192.168.0.0 network
Accept input from your fail-over interface
And deny input from everywhere else
Reminder: input means your router itself, not any other machine
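The input and forward chains described from slide 58 up to here, written out as an added RouterOS v6 configuration (example code, not from the slides). It assumes ether1 is the ISP port, ether2 the trusted LAN port carrying 192.168.0.0/28, and ether5 the fail-over "hidden door" (the slides' eth9, renamed here so it does not clash with the ISP ports of the multi-homing slides).

```routeros
# Added example (not from the slides): an input chain that cannot lock
# us out, plus a minimal forward chain, in RouterOS v6 syntax.
# Assumptions: ether1 = ISP/WAN port, ether2 = trusted LAN port
# (192.168.0.0/28), ether5 = fail-over "hidden door" port, reachable
# only with physical access. Rules run top to bottom; the first
# accept/drop ends the chain for that packet.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2

/ip firewall filter
# --- INPUT: packets addressed to the router itself ---
# 1. Hidden door first, so no later mistake can lock us out
add chain=input in-interface=ether5 action=accept comment="anti-lockout door"
# 2. Most frequent matches next: return traffic, then junk
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input connection-state=invalid action=drop comment="unknown to conntrack"
# 3. Keep ICMP, but cap it at 10 packets/s with a burst of 5
add chain=input protocol=icmp limit=10/1s,5:packet action=accept comment="ICMP, rate limited"
add chain=input protocol=icmp action=drop comment="ICMP over the limit"
# 4. Management only from the trusted LAN
add chain=input src-address=192.168.0.0/28 in-interface-list=LAN action=accept comment="trusted LAN"
# 5. WAN traffic takes a detour through a custom chain, then is dropped
add chain=input in-interface-list=WAN action=jump jump-target=wan-in
add chain=input action=drop comment="default deny for the router itself"

# --- custom chain wan-in: spot TCP port scans and list their sources ---
add chain=wan-in protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port-scanners address-list-timeout=1d comment="scan detector"
add chain=wan-in src-address-list=port-scanners action=drop comment="banned scanners"
add chain=wan-in action=return comment="back to input, where the final drop applies"

# --- FORWARD: packets routed through the box ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="LAN to Internet"
add chain=forward action=drop comment="anything else, incl. WAN-initiated"
```

While testing rules like these, the RouterOS terminal Safe Mode (Ctrl+X) undoes the changes if the session is lost, which is a second net on top of the hidden door.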
72. Reject private IP ranges ("bogons") on ISP outputs
Also, you may blackhole/reject routes to private IP ranges (called "bogons")
RFC 1918 ranges and others
This may mitigate some DoS attacks and prevent private ranges from leaking to your ISP gateway
This is a well-known good practice for routers
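One way to do this on RouterOS v6, as an added example that is not part of the slides: an address list of bogon ranges used both as blackhole routes and as forward-chain drops. It assumes the ISP port is in an interface list named "WAN"; the router's own connected /28 subnets are more specific than 192.168.0.0/16, so longest-prefix matching keeps the LAN reachable while the blackholes catch everything else.

```routeros
# Added example (not from the slides): keep private ("bogon") ranges
# from being routed towards the ISP. RouterOS v6 syntax; assumes the
# ISP port is a member of the "WAN" interface list.
/ip firewall address-list
add list=bogons address=10.0.0.0/8      comment="RFC 1918"
add list=bogons address=172.16.0.0/12   comment="RFC 1918"
add list=bogons address=192.168.0.0/16  comment="RFC 1918"
add list=bogons address=100.64.0.0/10   comment="RFC 6598 shared address space"
add list=bogons address=169.254.0.0/16  comment="RFC 3927 link-local"

/ip route
# Blackholes: anything for a private range with no more specific
# (connected or static) route is discarded instead of sent to the ISP
add dst-address=10.0.0.0/8     type=blackhole comment="bogon"
add dst-address=172.16.0.0/12  type=blackhole comment="bogon"
add dst-address=192.168.0.0/16 type=blackhole comment="bogon"
add dst-address=100.64.0.0/10  type=blackhole comment="bogon"

/ip firewall filter
# Belt and braces in the forward chain (place before its catch-all rules):
# nothing addressed to a bogon may leave via the ISP, and nothing
# claiming a bogon source may come in from it
add chain=forward out-interface-list=WAN dst-address-list=bogons action=drop comment="bogon leak"
add chain=forward in-interface-list=WAN src-address-list=bogons action=drop comment="bogon spoof"
```

If the ISP modem hands the router a private WAN address, its connected subnet is still more specific than the blackhole, so the default gateway keeps working.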
75. What we got
We got a customized router that:
Gets its WAN IP using DHCP on a port connected to the ISP modem
Has an IP on a LAN segment (192.168.0.14/28)
Provides a DHCP server on the LAN segment (192.168.0.0/28)
Has a src-nat masquerading rule to allow the LAN to access the Internet
We got a customized firewall that:
Allows traffic from the LAN segment and a fail-over interface
Denies traffic from everywhere else (including WAN)
Detects scan attempts on the WAN interface, and bans them
Isn't it cool so far? ;-)
78. VLANs
Virtual LANs, 802.1Q
Allow several LANs to pass through
The same switch segment (L2), same switch ports
Very useful to isolate traffic
But still keep it in the same physical cables
High security and performance
VLAN A cannot communicate with VLAN B (not at L2; only through L3 routing)
Each VLAN has its own broadcast domain
QoS possible (802.1p)
Class of Service possible / traffic prioritisation
79. VLAN example
Each VLAN shares the same physical switch/ports
But two VLANs can't communicate with each other at L2
[Figure: VLAN100 and VLAN200 on the same switch]
80. VLAN use case example
Let's isolate our 192.168.0.0/28 network for ourselves: private network (untagged)
Any unknown soul connecting will be assigned a special VLAN100
Let's connect a wifi AP, distributing those 2 VLANs:
SSID "my-private-network": untagged
SSID "my-public-network": tagged in VLAN100
82. AP on LAN
If you bridge your AP on the LAN, it will be given an IP by your DHCP server
And it will serve clients on the LAN segment
Just all right
[Figure: AP bridged on the 192.168.0.0/28 LAN, router connected to WAN]
83. AP with VLAN
[Figure: AP serving public wifi (VLAN100) and private wifi (untagged private LAN), router connected to WAN]
85. Adding the IP
Add an IP to the router on this VLAN
Let's choose 192.168.1.14
Let's choose a network of 192.168.1.0/28
86. Adding the DHCP server
Let's add a new DHCP server so that clients connected to this VLAN will be given some network configuration
192.168.1.1 to 192.168.1.13 (/28 network)
87. Allow VLAN to access WAN
Let's NAT it to give it Internet (WAN) access
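Slides 80 to 87 as one added RouterOS v6 configuration (example code, not from the slides): the guest VLAN100 with its IP, DHCP server and NAT, plus the L3 isolation that slide 78 promises. It assumes ether2 is the LAN port carrying the untagged private 192.168.0.0/28 (router at 192.168.0.14) and that the ISP port is in an interface list named "WAN".

```routeros
# Added example (not from the slides): guest VLAN 100 with its own IP,
# DHCP server and NAT, isolated from the private LAN at L3. RouterOS v6
# syntax; assumes ether2 = LAN port (untagged private 192.168.0.0/28)
# and "WAN" = interface list holding the ISP port.
/interface vlan
add name=vlan100-public interface=ether2 vlan-id=100
/ip address
add address=192.168.1.14/28 interface=vlan100-public
/ip pool
add name=pool-public ranges=192.168.1.1-192.168.1.13
/ip dhcp-server network
add address=192.168.1.0/28 gateway=192.168.1.14 dns-server=192.168.1.14
/ip dhcp-server
add name=dhcp-public interface=vlan100-public address-pool=pool-public disabled=no
/ip dns
# the router answers DNS for its clients
set allow-remote-requests=yes
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/28 out-interface-list=WAN action=masquerade comment="guests to Internet"

/ip firewall filter
# Place these before the catch-all drops of the input and forward chains.
# Guests may use the router's DHCP and DNS, nothing else on it...
add chain=input in-interface=vlan100-public protocol=udp dst-port=53,67 action=accept comment="guest DHCP+DNS"
add chain=input in-interface=vlan100-public action=drop comment="no other router service for guests"
# ...and may reach the Internet but never the private 192.168.0.0/28
add chain=forward in-interface=vlan100-public dst-address=192.168.0.0/28 action=drop comment="guest -> private LAN denied"
add chain=forward in-interface=vlan100-public out-interface-list=WAN action=accept comment="guest -> Internet"
```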
89. Connecting to a second ISP (multi-homing)
Advanced usage and techniques
90. Connecting to a second ISP
If our ISP goes down, we won't have Internet access any more :-(
Why not subscribe to a second ISP?
Prices are cheap nowadays, we really can afford it
Or even more? 3 ISPs?
92. A second default route?
ISP == Internet access, so let's add a second default route
The route "distance" metric tells which one to use when several routes exist for the same target
The smallest distance will be preferred
With such a setup, if one ISP goes down, the router will automatically and transparently route traffic to the other one
We got a fail-over setup :-)
93. Security with several ISPs
Now, pirates have a second door they can fire at
A nice solution to that is to group both ISP interfaces (eth9 and eth10) into an interface group
And use this group in the firewall
[Figure: WAN1 and WAN2 interfaces grouped together]
95. Asymmetric routing and connection stickiness
If one incoming connection (to one of our servers, for example) comes in from ISP #1
We must be sure the answer will leave our router back through ISP #1
If it leaves through ISP #2, as we NAT the output, the packet will get dropped by the destination
And that will leak our ISP #2 IP to our destination
We need sticky connections
We'll use the firewall mangle to perform that step
96. Setting up sticky connections
Mark for the internal network (forward)
Mark also for router traffic (input / output)
97. Balancing traffic through ISPs
Instead of fail-over, you can also balance the output traffic
If you want to balance with no specific rule, use an ECMP route type
You add one route, but several gateways for it
ROS will balance using an L3 balance policy
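Slides 92 to 97 as one added RouterOS v6 configuration (example code, not from the slides): the two default routes with distances, the WAN interface list, the mangle marks that keep connections sticky to the ISP they arrived on, and the ECMP variant. Interface names and gateway addresses are assumptions: ether1 = ISP1 with gateway 203.0.113.1, ether9 = ISP2 with gateway 198.51.100.1 (documentation-range placeholders), "LAN" = interface list of the inside ports.

```routeros
# Added example (not from the slides): fail-over, sticky connections
# and an ECMP alternative for two ISPs, RouterOS v6 syntax.
# Assumptions: ether1 = ISP1 (gw 203.0.113.1), ether9 = ISP2
# (gw 198.51.100.1), both placeholders; "LAN" lists the inside ports.
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether9

/ip route
# Main table: both defaults; the smaller distance wins while its gateway answers pings
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="ISP1 preferred"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment="ISP2 fail-over"
# One extra table per ISP, selected by routing mark
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-isp2

/ip firewall mangle
# Remember on which ISP a connection arrived (first packet only)
add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=isp1-conn passthrough=no
add chain=prerouting in-interface=ether9 connection-state=new action=mark-connection new-connection-mark=isp2-conn passthrough=no
# Replies from servers behind NAT (forward path) follow the connection mark...
add chain=prerouting in-interface-list=LAN connection-mark=isp1-conn action=mark-routing new-routing-mark=via-isp1
add chain=prerouting in-interface-list=LAN connection-mark=isp2-conn action=mark-routing new-routing-mark=via-isp2
# ...and so do the router's own replies (output path)
add chain=output connection-mark=isp1-conn action=mark-routing new-routing-mark=via-isp1
add chain=output connection-mark=isp2-conn action=mark-routing new-routing-mark=via-isp2

/ip firewall nat
# One masquerade rule covers both ISPs thanks to the interface list
add chain=srcnat out-interface-list=WAN action=masquerade

# Balancing instead of fail-over: one ECMP route with two gateways,
# flows are hashed at L3. Replace the two distance routes above with:
# /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1,198.51.100.1
```

Connections opened from the LAN carry no mark and use the main table, so fail-over by distance still applies to them; only replies to inbound connections are pinned to the ISP they came from.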
99. Children VLAN
Children at home connect to their own VLAN
Manual config, fixed MAC config or 802.1X advanced authentication
Only allow forwarding to the Internet at fixed hours
Time for bed? The Internet "disconnects itself"
Easy to ban an IP or a MAC for some time
"Do your homework first"
L7 filter (high CPU needed)
Deny L7 keywords: "facebook", "war", "sex"
Deny protocols: p2p, torrent, etc.
Traffic limit (only 3 Mbps down and 1 Mbps up [, from 11am to 5pm])
L7 HTTP interception (transparent proxy) and filtering
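The time-based, ban and bandwidth items above as an added RouterOS v6 configuration (example code, not from the slides). It assumes the children's VLAN is 192.168.2.0/28, that the ISP port is in an interface list named "WAN", and uses a placeholder MAC address.

```routeros
# Added example (not from the slides): bedtime cut-off, temporary bans
# and a daytime bandwidth cap for a kids VLAN. RouterOS v6 syntax;
# assumes 192.168.2.0/28 is the kids VLAN and "WAN" the ISP list.
/ip firewall address-list
# Temporary ban: the entry, and with it the drop below, expires after 2 hours
add list=kids-banned address=192.168.2.5 timeout=2h comment="homework first"

/ip firewall filter
# Place these before the forward chain's catch-all rules
add chain=forward src-address-list=kids-banned action=drop comment="temporary ban"
# Bedtime: no Internet from 21:00 to 07:00 on school nights (two rules,
# since a time match cannot cross midnight)
add chain=forward src-address=192.168.2.0/28 out-interface-list=WAN \
    time=21h-23h59m59s,sun,mon,tue,wed,thu action=drop comment="bedtime (evening)"
add chain=forward src-address=192.168.2.0/28 out-interface-list=WAN \
    time=0s-7h,mon,tue,wed,thu,fri action=drop comment="bedtime (morning)"
# Ban one device by MAC whatever IP it obtains (placeholder MAC, enable when needed)
add chain=forward src-mac-address=00:11:22:33:44:55 action=drop disabled=yes comment="banned device"

/queue simple
# 1 Mbps up / 3 Mbps down for the whole VLAN, weekdays 11:00-17:00 only
add name=kids-daytime target=192.168.2.0/28 max-limit=1M/3M time=11h-17h,mon,tue,wed,thu,fri
```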
100. QoS
Route the TV VLAN and the VoIP (phone) VLAN independently
QoS traffic at L2 or L3
Allocate bandwidth dynamically
Prevent multicast flooding with IGMP snooping
101. Automation
Add IP cameras or any home automation system
Isolate at L2 using VLANs
Secure with 802.1X (RADIUS auth, automatic VLAN assignment)
Route at L3
Implement aggressive security for your IoT
Control everything easily, remotely
102. Ideas
For this connection, drop one packet out of XXX
Script X to be dynamic
Randomly drop packets
Blackhole an IP or even an AS
Deny access to whole networks at the routing level
Useful anti-DDoS techniques
Give network access only during specific time spans
Detect attacks, block attackers, limit bandwidth with queues