Securing a LAN & server :: Home Networking, Internet Connection Sharing, etc.

Technical Discussion
>> Home Networking, Internet Connection Sharing, etc.

Pages in this thread: 1 | [2] | (show all)

Print Thread

Woolwich
(committed) Wed 01-Jul-20 15:21:05

Re: Securing a LAN & server

[re: prlzx] [link to this post]

In reply to a post by prlzx:
If you are trying to provide additional protection for an SSH server on port 22, you could require that anyone connecting to this first establishes a VPN connection.

In that case only remote networks on site-to-site links and remote clients on client remote access VPN could connect to the server.

Yes, absolutely. I got here because the VPN on the FritzBox is too slow. My workaround is to use rsync running on Port 22. That's the only reason its open. I'd rather it shut, run the backups in the VPN and when needed only open Port 22 for local access within the LAN (keeping the port closed on the firewall).

That's the plan if something like the Edgerouter is what I need.

prlzx
(experienced) Wed 01-Jul-20 15:52:07

Re: Securing a LAN & server

[re: prlzx] [link to this post]

Text

Internet
  ||--||---------+
  ||         | ISP Network |
  |          |--|---ISP----+
  |  | DSL circuit
  |--|---Customer-------------
  | Modem
  |  |--- Main Router ----------------+
  |                                | WAN PPP session (inc. public IP)  |
  |                                | ### (firewall on WAN)             |
  |                                |Routing----------+                 |
  |              |                 | ### (firewall) ###                |
  |              |                 | LAN            DMZ                | 
  |--------------|-----------------+  |              |
  +--PC(s)  +--Server(s)
  +--others

prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

prlzx
(experienced) Wed 01-Jul-20 16:05:14

Re: Securing a LAN & server

[re: Woolwich] [link to this post]

In reply to a post by Woolwich:
What I have now:

FritzBox modem/router/VPN -> Server

what happens now is the Server has to deal with everyone who want to visit Port 22, use my SMTP service etc etc.

What I think I want:

Modem - > Edgerouter for VPN and Firewall -> Server

what happens then is the Edgerouter blocks the bots and runs the VPN to the other LANs so the Server logs are shorter.

While an EdgeRouter or a pfSense appliance are both capable of routing, firewalling and VPN they don't have a built in DSL modem, nor W-Fi access point nor DECT.
So this is generally a disadvantage if wanting to keep the number of boxes low.

It's not a problem for offices with comms room(s)
as you will deploy separate Wi-Fi access points rather than hoping a bit of signal leaks out into the office space,
and even a small cab can have rack/shelf for a modem alongside router and switch(es).

That said it is still possible to do

Text
1 23	WAN---Fritz!---LAN--+--EdgeRouter VPN Endpoint \| {local network devices, wired and W-Fi from Fritz!, VPN sites links from EdgeRouter}

(in this diagram, the VPN endpoint is plugged into one of your Fritz!box LAN ports, or equivalently into a LAN switch,
other topologies are possible depending on what your main router is)

But requires:
(a) some static routing* on the Fritz
(b) VPN site-to-site settings migrated off Fritz! and onto VPN endpoint
(c) Fritz! Port forwarding of traffic matching VPN-encrypted ports/protocols to the EdgeRouter

It's also an option to put the server on the "other side" of the EdgeRouter (i.e. on another interface)
if you want to use it to police access between local devices and server.

Don't do this if you want the server to participate fully in the LAN for media sharing / storage / casting etc.
But it is one (of many) ways to create a type of DMZ, such as if you can't fully trust the server if it serves the public.

(*) What is a static route?
A static route is a bit like a diversion. If the desired destination matches a rule, traffic is re-routed to a different next hop.
Traffic not matching a static route is compared against the rest of the routing table until it reaches the default route, which on a home or SOHO setup, is the the route out of the WAN interface towards the ISP.

prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 17:06:02)

Woolwich
(committed) Wed 01-Jul-20 16:14:04

Re: Securing a LAN & server

[re: prlzx] [link to this post]

In reply to a post by prlzx:
While an EdgeRouter or a pfSense appliance are both capable of routing, firewalling and VPN they don't have a built in DSL modem, nor W-Fi access point nor DECT.

So I need a modem. I have an old Openreach one, or another FritzBox I've never used which can be used in modem only mode? Then the Edgerouter or whatever which will do VPN and firewall. Then I could add the FritzBox back in to do WiFi, VoIP and DECT and routing for the LAN.

Still don't know how the firewall decides who/what gets through. Is it password based? If not I might as well carry on with the FritzBox.

prlzx
(experienced) Wed 01-Jul-20 16:20:20

Re: Securing a LAN & server

[re: Woolwich] [link to this post]

Firewalls decide what type of traffic is allowed through based on protocols, source / destination IP addresses, and ports (if TCP/UDP).

VPN servers decide what device or person who has access based on authentication and authorisation
Authentication can be in the form of a PSK, or asymmetric PKI, or username/password or some combination.

If the firewall is only allowing VPN traffic in from outside, and only to a nominated VPN endpoint, it doesn't need to know who it is.

The VPN endpoint knows who it is, with the VPN being either a service on your main router (as describes what you currently have), or on another appliance.

prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 16:42:48)

Woolwich
(committed) Wed 01-Jul-20 16:24:33

Re: Securing a LAN & server

[re: prlzx] [link to this post]

In reply to a post by prlzx:
Firewalls decide what type of traffic is allowed through based on protocols, source / destination IP addresses, and ports (if TCP/UDP).

So that's how the FritzBox works, if I had a separate firewall I'm not gaining anything. The only reason for having a separate box now would be for the VPN to run at a reasonable speed.

(Yea, I know, a dedicated firewall can do more fancy stuff with clever blocklists and the like. But I'm not a data centre!)

prlzx
(experienced) Wed 01-Jul-20 16:26:44

Re: Securing a LAN & server

[re: Woolwich] [link to this post]

In reply to a post by Woolwich:
In reply to a post by prlzx:
Firewalls decide what type of traffic is allowed through based on protocols, source / destination IP addresses, and ports (if TCP/UDP).

So that's how the FritzBox works, if I had a separate firewall I'm not gaining anything. The only reason for having a separate box now would be for the VPN to run at a reasonable speed.

(Yea, I know, a dedicated firewall can do more fancy stuff with clever blocklists and the like. But I'm not a data centre!)

OK so getting to the difference, the Fritz! firewall would not need to encrypt, inspect or decrypt the VPN, it merely port forwards (because it matches a rule) to the endpoint, so you are offloading the slow crypto task to another device.

Also it follows that your site-to-site VPNs won't run any faster unless sites at both ends can run the crypto faster.

It sounds like it would be useful to wait for @caffn8me's feedback too as I'm not sure how much your scenario would benefit either.

prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 17:11:26)

Woolwich
(committed) Wed 01-Jul-20 16:44:32

Re: Securing a LAN & server

[re: prlzx] [link to this post]

In reply to a post by prlzx:
OK so getting to the difference, the Fritz! firewall would not need to encrypt, inspect or decrypt the VPN, it merely port forwards (because it matches a rule) to the endpoint, so you are offloading the slow crypto task to another device.

Also it follows that your site-to-site VPNs won't run any faster unless sites at both ends can run the crypto faster.

Yes, I'm assuming I'd need Edgerouters at all ends of the locations I want to LAN to LAN with.

As I see your plan, the Edgerouter connects physically to the FritzBox. The FB port forwards VPN requests to the ER. Clearly there's currently something clever going on in the FB I don't know about or understand. I can sit here on WiFi chatting with the interwebs and at the same time access files on a LAN in another city. If the VPN is taken out of the FB - placed after the FB - how do I access it over WiFi?

prlzx
(experienced) Wed 01-Jul-20 16:53:24

Re: Securing a LAN & server

[re: Woolwich] [link to this post]

In reply to a post by Woolwich:
As I see your plan, the Edgerouter connects physically to the FritzBox. The FB port forwards VPN requests to the ER. Clearly there's currently something clever going on in the FB I don't know about or understand. I can sit here on WiFi chatting with the interwebs and at the same time access files on a LAN in another city. If the VPN is taken out of the FB - placed after the FB - how do I access it over WiFi?

Fritz! is your default gateway (because DHCP supplies that info along with your LAN IP and DNS settings).
LAN - wired and Wi-Fi - both receive same set of network settings from DHCP
- the only difference is whether it happened to arrive on an air interface or a wire interface, the network is otherwise the same.

You send some traffic to a private IP in the remote VPN range.
One or more static routes* (see notes a-c) added to Fritz! match that destination IP
Fritz! says "hey so that is not in the direction of the ISP, the next hop needs to be the local VPN endpoint instead"
Local VPN endpoint receives traffic routed from Fritz destined for a private IP address matching a remote site
Local VPN endpoint encrypts the traffic and sends it back out via its default gateway (the Fritz!) towards the remote site.
As far as Fritz! is concerned, this is just any old traffic with the destination now being the public IP of the remote site.

(*) @caffn8me also mentioned this in the related thread.

prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 17:25:41)

Pages in this thread: 1 | [2] | (show all)

Print Thread

Jump to