Technical Discussion
  >> Home Networking, Internet Connection Sharing, etc.




Standard User Woolwich
(committed) Wed 01-Jul-20 09:57:02

Securing a LAN & server


 
Following on from an earlier discussion about VPN speeds, I want to understand how and why to best use a hardware firewall and or VPN.

At the minute I have a FritzBox router which is a FTTC modem/router and everything works from that. It has a firewall (I guess) and I open ports to allow access from the interwebs to my server. The router does (slow) VPN.

So how does a hardware device like an Edgerouter X (ER-X) mentioned by caffn8me fit in? I need my router to act as the modem so is it

modem --> firewall device --> router --> server & other LAN devices

in which case I need another router or the Edgerouter does that?

This setup puts the VPN on the Edgerouter and I assume all the settings I made on my router have to be made there instead.

So how does this prevent my server logs filling up with failed attempts to access via SSH and email? Are authorised users going to have to be added to the Edgerouter as well as the server? Or do I need an LDAP server in the mix as well?

The other thing the FritzBox does now is VoIP, so however things work I want to keep that. And the WiFi!
Standard User prlzx
(experienced) Wed 01-Jul-20 14:43:20

Re: Securing a LAN & server


[re: Woolwich]
 
Let's break it down.

Router, Firewall and VPN appliances tend to share some overlapping functions.
So it's often possible to buy an appliance which combines 2 or 3 of the functions.

In a home setup it may do these combinations of functions acceptably for capacity of connection and number of users being served.

A potential advantage in separating out the functions is modularity - you can swap out the VPN part, or be reconfiguring or testing changes to it, without affecting your main router / Internet connection directly.

A dedicated device may also be more optimised for that function than being a compromise for multi-functions.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User prlzx
(experienced) Wed 01-Jul-20 14:49:50

Re: Securing a LAN & server


[re: prlzx]
 
For home or SOHO your main router's primary function is to route between your local network and the Internet (or more precisely the ISP's network).

Because you don't control the ISP's network or its firewalls, you will also want a firewall on the first device between the outside world and your local network (so probably on the main router).

Because you want your local addresses to be private (at least for IPv4) you will want that firewall to also have NAT functions.

Because the ISP uses some form of DSL (unless you are on a leased line or true ethernet or fibre connection) there will be a modem in the mix. This can be part of the main router or a dedicated modem (whose only job is to convert DSL to ethernet - the main router will still do the PPPoE login).



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)



Standard User prlzx
(experienced) Wed 01-Jul-20 14:53:57

Re: Securing a LAN & server


[re: prlzx]
 
If you choose to have a dedicated VPN endpoint device, your main router is still the default gateway for all your local network devices, and so any settings relating to the ISP connection will remain there.

The firewall on the main router will need to allow encrypted VPN traffic to reach the VPN endpoint, whether via some type of port forwarding (destination NAT) or by having a small public IP subnet associated with your service instead of just a single public IP.

In the latter case one of the interfaces on the main router is often modified to no longer be LAN but dedicated to servicing the public network. Or it might call it a DMZ network.

Whether or not NAT is involved the firewall will also need to have related rules to allow this traffic (not just translate the IPs).



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 14:55:17)

Standard User Woolwich
(committed) Wed 01-Jul-20 14:58:55

Re: Securing a LAN & server


[re: prlzx]
 
In reply to a post by prlzx:
In a home setup it may do these combinations of functions acceptably for capacity of connection and number of users being served.


Yes, that's where I am now with a FritzBox 7490. It works well and the reason for buying it in the first place was to get four devices in one box (modem & router - which were separate - VoIP box and DECT plus gigabit Ethernet). My main reason for asking now is that the VPN in the 7490 is - I've recently discovered - total pants with a very low throughput. (It's a relatively well known problem, nothing to do with my settings or setup. AVM say there's new firmware in the summer which should help.)

I'm running a small server and the idea of filtering the bots before they hit the actual server appeals. So that's why I have a couple of specific questions. For example, does it ask for credentials before allowing anyone through to Port 22? Otherwise I might just wait and see if the VPN on the FritzBox is improved and then I can close some ports.
Standard User prlzx
(experienced) Wed 01-Jul-20 15:02:31

Re: Securing a LAN & server


[re: prlzx]
 
Because a dedicated VPN endpoint is no longer the default gateway for your local network, while VPN traffic after decryption will reach your local network, when your local devices reply they won't automatically know to send it back through the VPN endpoint.

Likewise if local devices are trying to initiate connections to another VPN site they won't know to send it to the dedicated VPN endpoint.

However in most cases all this needs is one or more additional routes (static routes) on the main router so that traffic matching VPN addresses is sent through the VPN endpoint.

Depending on how you number the networks used for VPN, you may be able to summarise multiple sites under fewer static routes or even a single one.

For example if your remote sites all use 192.168.8x.yy addresses, this could be summarised as
192.168.80.0/28 - fail - how embarrassing
192.168.80.0/20
(actually aggregates the range 192.168.80.0 to 192.168.95.255 as it is 16x a single /24 network)



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Wed 01-Jul-20 17:50:53)
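To make the summarisation and the static-route point concrete, here is an added example (not from the thread): it widens a prefix until it covers all the remote site networks, then does a longest-prefix-match lookup on a constructed main-router routing table. The VPN endpoint address 192.168.1.2 and the default gateway are assumed, not taken from the posts.

```python
import ipaddress


def summarise(networks):
    """Return the smallest single prefix that covers every given network.

    Starts from the first network and widens the mask one bit at a time
    until all the others fall inside it (a plain supernet aggregation).
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def covers(prefix, addresses):
    """True only if every address is inside prefix (sanity check for a summary)."""
    net = ipaddress.ip_network(prefix)
    return all(ipaddress.ip_address(a) in net for a in addresses)


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route wins, like a real router."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# Constructed example: remote sites numbered 192.168.80.0/24 .. 192.168.95.0/24
REMOTE_SITES = [f"192.168.{n}.0/24" for n in range(80, 96)]
VPN_SUMMARY = summarise(REMOTE_SITES)  # 192.168.80.0/20

# Constructed main-router routing table (assumed addresses):
# one static route for the VPN summary via the dedicated endpoint on the LAN,
# and the default route via the ISP connection for everything else.
VPN_ENDPOINT = "192.168.1.2"
ISP_GATEWAY = "198.51.100.1"
ROUTES = [(str(VPN_SUMMARY), VPN_ENDPOINT), ("0.0.0.0/0", ISP_GATEWAY)]

if __name__ == "__main__":
    print("summary:", VPN_SUMMARY, "range", VPN_SUMMARY[0], "-", VPN_SUMMARY[-1])
    print("/28 covers a remote host?", covers("192.168.80.0/28", ["192.168.85.7"]))
    print("192.168.85.7 via", next_hop(ROUTES, "192.168.85.7"))
    print("8.8.8.8 via", next_hop(ROUTES, "8.8.8.8"))
```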

Standard User Woolwich
(committed) Wed 01-Jul-20 15:06:10

Re: Securing a LAN & server


[re: prlzx]
 
In reply to a post by prlzx:
The firewall on the main router will need to allow encrypted VPN traffic to reach the VPN endpoint, whether via some type of port forwarding (destination NAT) or by having a small public IP subnet associated with your service instead of just a single public IP.


Sorry, I should be more specific. I have and want a couple of LAN to LAN VPN connections. Permanent connections across three, maybe four, locations. The FritzBox does that now, but it's too slow for moving large files or off-site backups.

I do also make use of the VPN when down the cafe for safer browsing and banking.
Standard User prlzx
(experienced) Wed 01-Jul-20 15:11:09

Re: Securing a LAN & server


[re: Woolwich]
 
If you are trying to provide additional protection for an SSH server on port 22, you could require that anyone connecting to this first establishes a VPN connection.

In that case only remote networks on site-to-site links and remote clients on client remote access VPN could connect to the server.

That being the case port 22 on the main router firewall does not need to be open at all, nor does it require the port forward, because only private networks (not the Internet) are accessing the server.

You can and should still require authentication on the SSH server whether by user/password or user/SSH public key, but only if the corresponding private key is safe on the remote computer (i.e. the other discussion around whether the private key has a passphrase).
You also want a process in place for revoking access from compromised accounts.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User prlzx
(experienced) Wed 01-Jul-20 15:12:57

Re: Securing a LAN & server


[re: Woolwich]
 
Yes I'm breaking it into parts because I think it's an interesting topic and others might need to pick out just the parts that apply to their own use case.

Also because otherwise it becomes a single post essay!

Will come back to edit this reply later.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User Woolwich
(committed) Wed 01-Jul-20 15:15:52

Re: Securing a LAN & server


[re: prlzx]
 
What I have now:

FritzBox modem/router/VPN -> Server

What happens now is the Server has to deal with everyone who wants to visit Port 22, use my SMTP service, etc etc.

What I think I want:

Modem -> Edgerouter for VPN and Firewall -> Server

What happens then is the Edgerouter blocks the bots and runs the VPN to the other LANs, so the Server logs are shorter.
