:: Re: [DNG] networking thinking
Author: dng@d404.nl
Date:
To: dng
Subject: Re: [DNG] networking thinking
On 28-11-2021 15:36, wirelessduck--- via Dng wrote:
>
>
>> On 29 Nov 2021, at 01:07, tito via Dng <dng@???> wrote:
>>
>> On Sun, 28 Nov 2021 07:20:14 -0600
>> o1bigtenor via Dng <dng@???> wrote:
>>
>>> Greetings
>>>
>>> In anticipation of a fiber optical connection (moving from a wireless) I
>>> have been planning out and purchasing some bits of hardware. I am finding
>>> that networking is, or at least sure seems to be, another black hole
>>> for time
>>> and effort.
>>>
>>> TL;DR (skip to last paragraphs for the question(s))
>>>
>>> At present this is a soho office kind of installation but that will
>>> slowly
>>> be morphing into something that is at least somewhat larger. There are a
>>> number of input sensor locations being worked on some of which would be
>>> generating, initially at least, up to 15 data streams sampled possibly
>>> every second (some maybe more often - - - decisions aren't all done
>>> as yet)
>>> so there will be a fair amount of data running around on my network
>>> which
>>> I'm trying to keep largely a wired affair.
>>>
>>> At this point I'm working on the three entry bits of hardware (and their
>>> software) - - - the router, hardware firewall, and the managed
>>> switch. The
>>> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
>>>
>>> For the router I'm planning on using OpenWRT running on a Nanopi R4S
>>> which
>>> according to the folks over on OpenWRT is capable of even very close to
>>> full
>>> Gbps speeds (IIRC tested to some 918 Mbps) which would give some
>>> headroom
>>> for future increases although I don't see a need for the foreseeable
>>> future.
>>>
>>> For the switch I have found myself a Zyxel 1900-48 that I'm working on
>>> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
>>> somewhat new but it's open source and I'm not tied (I don't think) to
>>> OpenWRT - - - - except I don't know any other real alternative - - - so
>>> that's not a difficult solution either. I don't 'need' 48 ports but
>>> I have
>>> 16 at present on a hub and it's almost full and that's for stuff only
>>> here
>>> in the orifice (sic!). I also want the capabilities of forcing streaming
>>> services and wireless communications to not collect any more data
>>> from any
>>> other part of the network (using VLANs) as is possible.
>>>
>>> Then lastly to the hardware firewall.
>>> I've been looking at pfSense and OPNsense. Both are IPv6 capable
>>> although
>>> both are mostly focused on IPv4 at present. IPFire seems to have
>>> gotten
>>> itself into a holding pattern and is not continuing work toward IPv6
>>> functionality. Any one of these options is producing headaches when I'm
>>> trying to figure out how to configure them - - - nothing installed at
>>> present, just researching so far.
>>>
>>> So - - - - questions - - - -
>>> 1. is my splitting the network system into the three parts a good
>>> idea or
>>> should I truncate parts 1 and 2 into the router? If you would please
>>> give
>>> reasons - - - please?
>>
>> Hi,
>>
>> If you want to have reliability, splitting is good: if the router breaks
>> you still have a working firewall and switch and so on.
>> If you want also some redundancy you should think of buying
>> two of everything:
>>
>> 2 routers
>> 2 firewalls
>> 2 switches (2 x24 rather than 1x48 ports)
>>
>> I personally prefer x86 hardware for this kind of thing;
>> when I see little boxes like the Nanopi R4S they make me
>> think of toys. In my case, sadly, I'm tied to ADSL over POTS,
>> so for the modem I still need to use these little plastic black boxes.
>> In your case I would swap the Nanopi for a nice Mini-ITX board
>> with Intel NICs, an SFX/Flex PSU (or Pico PSU), 4-8 GB of RAM and a well
>> ventilated case (with low-noise Noctua fans).
>>
>>> 2. are there any good sources for information on and about networking?
>>>     debian has moved to nftables from iptables  - - - is devuan doing
>>> similar?
>>
>> I think so.
>>
>>>     Where does one find information to enable a firewall that works yet
>>> isn't stupid?
>>
>> I use arno-iptables-firewall. It is easy to create a basic setup for
>> your network;
>> it is reliable, comes with good defaults and can easily be tweaked (for
>> port-forwarding,
>> VPNs, GeoIP filtering and so on; I don't know about VLANs as I don't use
>> them yet).
>>
>>> (I've wondered about having some kind of easy 'switch' so that when
>>> users left
>>> their systems, the systems wouldn't be calling home
>>> overnight, at
>>> least a la MS and Google. Dunno if that's 'simple' or not - - - so much to
>>> learn and so little time to do it all in!)
>>>
>>> TIA
>>
>> Ciao,
>> Tito
>
> I've just finished setting up a new router using a PCEngines APU2
> (apu4d4 model) with OpenWRT. It uses an x64 AMD Embedded G series GX-412TC
> and has 4x Intel i211AT Ethernet ports. It also runs a Coreboot BIOS
> and I can see regular BIOS updates approximately monthly. The Coreboot
> BIOS and AMD CPU were the main reasons I picked this over a Qotom box.
> It's also fanless, which is good for a quiet environment.
>
> The only downside is having only serial console output, so you need a
> serial cable or serial-USB cable for the initial setup or BIOS
> configuration changes. Thankfully subsequent BIOS updates can be done
> from OpenWRT via flashrom.
>
> https://pcengines.ch/apu2.htm
> https://pcengines.github.io/
> https://teklager.se/en/knowledge-base/openwrt-installation-instructions/
>
> --
> Tom


Interesting, this PCEngines hardware! I did have Qotom hardware with
pfSense but it failed after a few years. Now I am using a fairly old
Fujitsu with an AMD G-T56N processor and two Realtek network interfaces
which is supposed to be low-powered (< 10 W).

I prefer pfSense over OpenWRT but that is maybe more a habit. Although I do
have a wireless AP from Netgear with OpenWrt. But I too certainly prefer
x86 hardware with Intel Ethernet ports for a firewall.

One reason for my pfSense preference is the possibility to backup your
configuration and restore it on other hardware in minutes. The fork
OPNsense looks good to me too but I do not have real life experience
with it.

Grtz.

Nick
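
The thread raises three things without showing any configuration: a firewall that "works yet isn't stupid" now that Debian has moved to nftables, VLANs that keep streaming and wireless gear from reaching the rest of the network, and a switch that stops machines calling home overnight. The script below is an added example written for this page; it is not code from any poster in the thread, from OpenWrt, pfSense or arno-iptables-firewall. It generates a default-deny nftables ruleset for a Linux router with one uplink and three VLAN sub-interfaces. The interface names (wan0, lan.10, lan.20, lan.30), the collector address 10.0.10.5 and port 8086, the admin ports, and the night-time window are all assumptions to be replaced with the real ones; the `meta hour` match is assumed to be available (it needs a recent nft and kernel, and a range crossing midnight needs a recent nft to split it correctly), so run the `check` mode before `apply`.

```shell
#!/bin/sh
# Added example for the thread above, not code from any poster or project.
# Generates an nftables ruleset for a router with one WAN port and three
# VLAN sub-interfaces. Every name and address below is an assumption.
WAN="${WAN:-wan0}"                       # assumed uplink interface
VLAN_OFFICE="${VLAN_OFFICE:-lan.10}"     # office: may initiate anywhere
VLAN_SENSORS="${VLAN_SENSORS:-lan.20}"   # sensors: collector only
VLAN_GUEST="${VLAN_GUEST:-lan.30}"       # streaming/wireless: internet only
COLLECTOR="${COLLECTOR:-10.0.10.5}"      # assumed data-collector host in the office VLAN
COLLECTOR_PORT="${COLLECTOR_PORT:-8086}" # assumed collector listening port

gen_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iif "lo" accept
    # ICMP/ICMPv6 are needed for IPv6 neighbour discovery and path MTU discovery
    meta l4proto { icmp, icmpv6 } accept
    # DNS and DHCP/DHCPv6 for every VLAN the router serves
    iifname { "$VLAN_OFFICE", "$VLAN_SENSORS", "$VLAN_GUEST" } udp dport { 53, 67, 547 } accept
    iifname { "$VLAN_OFFICE", "$VLAN_SENSORS", "$VLAN_GUEST" } tcp dport 53 accept
    # Router administration (SSH, web UI) only from the office VLAN
    iifname "$VLAN_OFFICE" tcp dport { 22, 80, 443 } accept
    log prefix "input-drop: " counter drop
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    # Overnight "no calling home" for the office VLAN. Only new connections are
    # stopped: the established,related rule above keeps open sessions alive.
    # Assumes an nft/kernel with meta hour support and midnight-spanning ranges.
    iifname "$VLAN_OFFICE" oifname "$WAN" meta hour "23:00"-"06:00" counter drop
    # Office may reach the internet and every other VLAN
    iifname "$VLAN_OFFICE" accept
    # Sensors may only push to the collector: no internet, no other hosts
    iifname "$VLAN_SENSORS" oifname "$VLAN_OFFICE" ip daddr $COLLECTOR tcp dport $COLLECTOR_PORT accept
    # Streaming/wireless gear gets the internet and nothing else
    iifname "$VLAN_GUEST" oifname "$WAN" accept
    log prefix "forward-drop: " counter drop
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN" masquerade
  }
}
EOF
}

# Dry run: parse and validate against the running kernel, load nothing.
check_ruleset() { gen_ruleset | nft -c -f -; }
# Atomic load: the whole ruleset replaces the old one in one transaction or not at all.
apply_ruleset() { gen_ruleset | nft -f -; }

case "${1:-print}" in
  check) check_ruleset ;;
  apply) apply_ruleset ;;
  *)     gen_ruleset ;;
esac
```

Run it with no argument to print the ruleset, with `check` to have nft validate it without loading, and with `apply` to swap it in atomically. Because both chains end in drop, anything not listed stops working, and the two `log` rules make that visible in the kernel log instead of leaving you guessing. On OpenWrt 22.03 and later the firewall is already nftables-based (fw4) and is normally driven from /etc/config/firewall rather than by loading a raw ruleset like this; the rules above show what that configuration has to express.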