> On 29 Nov 2021, at 01:07, tito via Dng <dng@???> wrote:
>
> On Sun, 28 Nov 2021 07:20:14 -0600
> o1bigtenor via Dng <dng@???> wrote:
>
>> Greetings
>>
>> In anticipation of a fiber optical connection (moving from a wireless) I
>> have been planning out and purchasing some bits of hardware. Am finding
>> that networking is, at least sure seems to be, another black hole for time
>> and effort.
>>
>> TL;DR (skip to last paragraphs for the question(s))
>>
>> At present this is a soho office kind of installation but that will slowly
>> be morphing into something that is at least somewhat larger. There are a
>> number of input sensor locations being worked on some of which would be
>> generating, initially at least, up to 15 data streams sampled possibly
>> every second (some maybe more often - - - decisions aren't all done as yet)
>> so there will be a fair amount of data running around on my network which
>> I'm trying to keep largely a wired affair.
>>
>> At this point I'm working on the three entry bits of hardware (and their
>> software) - - - the router, hardware firewall, and the managed switch. The
>> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
>>
>> For the router I'm planning on using OpenWRT running on a Nanopi r4s which
>> according to the folks over on openwrt is capable of even very close to full
>> Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
>> for future increases although I don't see a need for the foreseeable
>> future.
>>
>> For the switch I have found myself a Zyxel 1900-48 that I'm working on
>> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
>> somewhat new but it's open source and I'm not tied (I don't think) to
>> OpenWRT - - - - except I don't know any other real alternative - - - so
>> that's not a difficult solution either. I don't 'need' 48 ports but I have
>> 16 at present on a hub and it's almost full and that's for stuff only here
>> in the orifice (sic!). I also want the capabilities of forcing streaming
>> services and wireless communications to not collect any more data from any
>> other part of the network (using VLANs) as is possible.
>>
>> Then lastly to the hardware firewall.
>> I've been looking at pfsense and opnsense. Both are ipv6 possible although
>> both are mostly focused on ipv4 at the present. IPfire seems to have gotten
>> itself into a holding pattern and is not continuing work toward ipv6
>> functionality. Any one of these options is producing headaches when I'm
>> trying to figure out how to configure them - - - nothing installed at
>> present, just researching so far.
>>
>> So - - - - questions - - - -
>> 1. is my splitting the network system into the three parts a good idea or
>> should I truncate parts 1 and 2 into the router? If you would please give
>> reasons - - - please?
>
> Hi,
>
> If you want to have reliability splitting is good, if the router breaks
> you still have a working firewall and switch and so on.
> If you want also some redundancy you should think of buying
> two of everything:
>
> 2 routers
> 2 firewalls
> 2 switches (2 x24 rather than 1x48 ports)
>
> I personally prefer x86 hardware for this kind of thing;
> when I see little boxes like the Nanopi R4S they make me
> think of toys. In my case sadly I'm tied to adsl over pots
> so for the modem I still need to use these little plastic black boxes.
> In your case I would swap the nanopi for a nice mini-itx board
> with intel nics, a sfx/flex psu (or pico psu), 4-8 gb of ram and a well
> ventilated case (with low noise Noctua fans).
>
>> 2. are there any good sources for information on and about networking?
>> debian has moved to nftables from iptables - - - is devuan doing
>> similar?
>
> I think so.
>
>> Where does one find information to enable a firewall that works yet
>> isn't stupid?
>
> I use arno-iptables-firewall. It is easy to create a basic setup for your network,
> reliable, comes with good defaults and can easily be tweaked (for port-forwarding,
> vpns, geoip filtering and so on, don't know about vlans as I don't use them yet).
>
>> (I've wondered about having some kind of easy 'switch' that when users left
>> their systems that the system wouldn't be calling home in the overnight at
>> least a la ms googly. Dunno if that's 'simple' or not - - - so much to
>> learn and so little time to do it all in!)
>>
>> TIA
>
> Ciao,
> Tito
I've just finished setting up a new router using PCEngines APU2 (apu4d4 model) with OpenWRT. It uses an x64 AMD Embedded G-series GX-412TC and has 4x Intel i211AT Ethernet ports. It also runs a Coreboot BIOS and I can see regular BIOS updates approximately monthly. The Coreboot BIOS and AMD CPU were the main reasons I picked this over a Qotom box. It's also fanless, which is good for a quiet environment.
The only downside is having only serial console output, so you need a serial cable or serial-to-USB cable for the initial setup or BIOS configuration changes. Thankfully subsequent BIOS updates can be done with OpenWRT via flashrom.
https://pcengines.ch/apu2.htm
https://pcengines.github.io/
https://teklager.se/en/knowledge-base/openwrt-installation-instructions/
--
Tom
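The questions raised earlier in the thread (isolating streaming and wireless devices on their own VLAN, what a sane nftables firewall looks like now that Debian has moved from iptables, and stopping devices from "calling home" overnight) can all be answered in one ruleset. The following is an added example, not code from any message above nor from OpenWRT or arno-iptables-firewall: a stand-alone nftables ruleset for a Debian/Devuan-style x86 router. The interface names (wan0, lan0.10, lan0.20), the two subnets and the 06:00 to 23:00 window are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumed layout:
#   wan0      - fibre uplink
#   lan0.10   - trusted office VLAN, 192.168.10.0/24
#   lan0.20   - untrusted VLAN for streaming boxes / wireless, 192.168.20.0/24

flush ruleset

define WAN     = "wan0"
define LAN     = "lan0.10"
define IOT     = "lan0.20"
define LAN_NET = 192.168.10.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and replies to our own connections; drop anything conntrack cannot place.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is required for path-MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Router management (SSH) only from the trusted VLAN.
        iifname $LAN tcp dport 22 accept

        # DNS and DHCP (v4 and v6) served to both VLANs.
        iifname { $LAN, $IOT } udp dport { 53, 67, 547 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept

        # Everything else arriving on the WAN is dropped; the counter makes probing visible.
        iifname $WAN counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN may reach the Internet and may talk to the untrusted VLAN.
        iifname $LAN oifname { $WAN, $IOT } accept

        # Untrusted VLAN may reach the Internet only between 06:00 and 23:00 (router local time)
        # and never the office VLAN. Out-of-hours "call home" attempts are logged and counted.
        iifname $IOT oifname $WAN meta hour "06:00"-"23:00" accept
        iifname $IOT oifname $WAN log prefix "iot-out-of-hours: " counter drop
        iifname $IOT oifname $LAN log prefix "iot-to-lan: " counter drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # IPv4 from both VLANs leaves behind the WAN address; IPv6 is routed without NAT.
        ip saddr { $LAN_NET, $IOT_NET } oifname $WAN masquerade
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it with `nft -f /etc/nftables.conf`; `-c` parses and validates without touching the live ruleset, which matters on a box you only reach over the network. The `meta hour` match needs nftables 0.9.7 or newer and compares against the router's local clock, so the overnight window is only as good as the router's timezone and NTP. On OpenWRT the firewall is driven from /etc/config/firewall rather than a raw ruleset like this one, but the same zone and time-based logic can be expressed there.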