:: Re: [DNG] networking thinking
Author: Mike Tubby
Date:
To: dng
Subject: Re: [DNG] networking thinking


On 28/11/2021 15:22, dng@??? wrote:
> On 28-11-2021 15:36, wirelessduck--- via Dng wrote:
>>
>>
>>> On 29 Nov 2021, at 01:07, tito via Dng <dng@???> wrote:
>>>
>>> On Sun, 28 Nov 2021 07:20:14 -0600
>>> o1bigtenor via Dng <dng@???> wrote:
>>>
>>>> Greetings
>>>>
>>>> In anticipation of a fiber optical connection (moving from a wireless)
>>>> I have been planning out and purchasing some bits of hardware. Am
>>>> finding that networking is, at least sure seems to be, another black
>>>> hole for time and effort.
>>>>
>>>> TL;DR (skip to last paragraphs for the question(s))
>>>>
>>>> At present this is a SOHO office kind of installation but that will
>>>> slowly be morphing into something that is at least somewhat larger.
>>>> There are a number of input sensor locations being worked on, some of
>>>> which would be generating, initially at least, up to 15 data streams
>>>> sampled possibly every second (some maybe more often - - - decisions
>>>> aren't all done as yet) so there will be a fair amount of data running
>>>> around on my network which I'm trying to keep largely a wired affair.
>>>>
>>>> At this point I'm working on the three entry bits of hardware (and
>>>> their software) - - - the router, hardware firewall, and the managed
>>>> switch. The initial hookup on the fiber system is going to be at
>>>> 250 Mbps symmetric.
>>>>
>>>> For the router I'm planning on using OpenWRT running on a NanoPi R4S
>>>> which according to the folks over on OpenWRT is capable of even very
>>>> close to full Gbps speeds (IIRC tested to some 918 Mbps), which would
>>>> give some headroom for future increases although I don't see a need
>>>> for the foreseeable future.
>>>>
>>>> For the switch I have found myself a ZyXEL 1900-48 that I'm working on
>>>> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
>>>> somewhat new but it's open source and I'm not tied (I don't think) to
>>>> OpenWRT - - - - except I don't know any other real alternative - - - so
>>>> that's not a difficult solution either. I don't 'need' 48 ports but I
>>>> have 16 at present on a hub and it's almost full, and that's for stuff
>>>> only here in the orifice (sic!). I also want the capability of forcing
>>>> streaming services and wireless communications to not collect any more
>>>> data from any other part of the network (using VLANs) as is possible.
>>>>
>>>> Then lastly to the hardware firewall.
>>>> I've been looking at pfSense and OPNsense. Both are IPv6 possible
>>>> although both are mostly focused on IPv4 at present. IPFire seems to
>>>> have gotten itself into a holding pattern and is not continuing work
>>>> toward IPv6 functionality. Any one of these options is producing
>>>> headaches when I'm trying to figure out how to configure them - - -
>>>> nothing installed at present, just researching so far.
>>>>
>>>> So - - - - questions - - - -
>>>> 1. Is my splitting the network system into the three parts a good
>>>> idea or should I truncate parts 1 and 2 into the router? If you would
>>>> please give reasons - - - please?
>>>
>>> Hi,
>>>
>>> If you want reliability, splitting is good: if the router breaks
>>> you still have a working firewall and switch and so on.
>>> If you also want some redundancy you should think of buying
>>> two of everything:
>>>
>>> 2 routers
>>> 2 firewalls
>>> 2 switches (2 x24 rather than 1x48 ports)
>>>
>>> I personally prefer x86 hardware for this kind of thing; when I see
>>> little boxes like the NanoPi R4S they make me think of toys. In my
>>> case, sadly, I'm tied to ADSL over POTS, so for the modem I still need
>>> to use these little plastic black boxes. In your case I would swap the
>>> NanoPi for a nice mini-ITX board with Intel NICs, an SFX/Flex PSU (or
>>> Pico PSU), 4-8 GB of RAM and a well-ventilated case (with low-noise
>>> Noctua fans).
>>>
>>>> 2. Are there any good sources for information on and about networking?
>>>>     Debian has moved to nftables from iptables - - - is Devuan doing
>>>>     similar?
>>>
>>> I think so.
>>>
>>>>     Where does one find information to enable a firewall that works
>>>>     yet isn't stupid?
>>>
>>> I use arno-iptables-firewall. It is easy to create a basic setup for
>>> your network, it's reliable, comes with good defaults and can easily
>>> be tweaked (for port forwarding, VPNs, GeoIP filtering and so on; I
>>> don't know about VLANs as I don't use them yet).
>>>
>>>> (I've wondered about having some kind of easy 'switch' so that when
>>>> users left their systems, the system wouldn't be calling home
>>>> overnight, at least a la MS googly. Dunno if that's 'simple' or not
>>>> - - - so much to learn and so little time to do it all in!)
>>>>
>>>> TIA
>>>
>>> Ciao,
>>> Tito
>>
>> I’ve just finished setting up a new router using PCEngines APU2
>> (apu4d4 model) with OpenWRT. It uses an x64 AMD Embedded G series
>> GX-412TC and has 4x Intel i211AT Ethernet ports. It also runs a
>> coreboot BIOS and I can see regular BIOS updates approximately
>> monthly. The coreboot BIOS and AMD CPU were the main reasons I picked
>> this over a Qotom box. It’s also fanless, which is good for a quiet
>> environment.
>>
>> The only downside is having only serial console output, so you need a
>> serial cable or serial-USB cable for the initial setup or BIOS
>> configuration changes. Thankfully subsequent BIOS updates can be done
>> from OpenWRT via flashrom.
>>
>> https://pcengines.ch/apu2.htm
>> https://pcengines.github.io/
>> https://teklager.se/en/knowledge-base/openwrt-installation-instructions/
>>
>> --
>> Tom
>
> Interesting, this PCEngines hardware! I did have Qotom hardware with
> pfSense but it failed after a few years. Now I am using a fairly old
> Fujitsu with an AMD G-T56N processor and two Realtek network interfaces
> which is supposed to be low powered, < 10W.
>
> I prefer pfSense over OpenWRT but it is maybe more a habit. Although I
> do have a wireless AP from Netgear with OpenWrt. But I too certainly
> prefer x86 hardware with Intel Ethernet ports for a firewall.
>
> One reason for my pfSense preference is the possibility to back up
> your configuration and restore it on other hardware in minutes. The
> fork OPNsense looks good to me too but I do not have real life
> experience with it.
>
> Grtz.
>
> Nick
>
>


I prefer Devuan 4.0 running on Sophos XG 115 (Rev 3) hardware (under 10
watts) with my iptables firewall rulesets that I have developed over the
last 10 years, tweaking and honing, and which have survived several
penetration tests from well-known (in the UK at least) security companies.

Personally, I don't want to use OpenWRT, pfSense or whatever when I have
already had 10+ years' involvement in developing and implementing 'rock
hard' solutions using native iptables ... YMMV ;-)


Mike
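As an added illustration, not from any poster in this thread: a minimal nftables ruleset for the three-part layout discussed above (fiber uplink, trusted office LAN, and a VLAN for streaming and wireless gear that must not reach the rest of the network), with the overnight "don't call home" window the original poster wondered about. Interface names wan0, lan0 and vlan20 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from any poster in this thread. Assumed interfaces:
#   wan0   - fiber uplink (250 Mbps symmetric in the thread)
#   lan0   - trusted wired office LAN / sensor network
#   vlan20 - untrusted VLAN for streaming boxes and wireless clients
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP/ICMPv6 kept so path-MTU discovery and IPv6 neighbour discovery work
        meta l4proto { icmp, icmpv6 } accept
        # The untrusted VLAN may only talk to the router itself for DHCP and DNS
        iifname "vlan20" udp dport { 53, 67 } accept
        iifname "vlan20" tcp dport 53 accept
        # The office LAN additionally gets SSH management of the router
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" tcp dport { 22, 53 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Overnight "don't call home" window for the untrusted VLAN: new
        # outbound connections are dropped (meta hour needs nftables 0.9.3+
        # and kernel 5.4+; it uses the router's local time zone)
        iifname "vlan20" oifname "wan0" meta hour "01:00"-"06:00" drop
        # Otherwise the untrusted VLAN gets Internet only; there is no rule
        # forwarding vlan20 -> lan0, so the drop policy isolates it
        iifname "vlan20" oifname "wan0" accept
        # The office LAN may reach the Internet and initiate to the VLAN
        iifname "lan0" oifname { "wan0", "vlan20" } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` after substituting the real interface names. Because the established,related rule sits at the top of forward, the overnight rule only stops new connections; long-lived flows already open at 01:00 continue until they close.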





> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng