Network configuration: Difference between revisions

From Wildsong
Brian Wilson (talk | contribs)
Line 23: Line 23:
=== Wireless via Unifi ===
=== Wireless via Unifi ===


I think everything but the Squeezebox should work on 5 GHz.
I think everything but the Squeezebox should work on 5 GHz but 2.4 works better in the living room sometimes.


In the eLab,  
In the eLab,  
Line 36: Line 36:
Squeezebox, 2.4 GHz ONLY
Squeezebox, 2.4 GHz ONLY


== Edgerouter ==
== EdgeRouter-X ==
 
2018-11-05 Current firmware is 1.9.7; 1.10.7 is available and a few fixes might be relevant.
   
   
Use bwilson account to get access
Use bwilson account to get access


You can SSH into it or go to its [http://192.168.1.1 web interface].
You can SSH into it or go to its [https://192.168.123.1 web interface].


I have a basic firewall set up here.
I have a basic firewall set up here.
Port forwarding to [[Bellman]]
* SSH
* Asterisk (UDP for RTP, 5060-5061 for SIP)
* HTTPS (not HTTP!)
Masquerade for outbound traffic
=== Getting hammered from the Internet on my Asterisk server ===
Set up a [https://www.twilio.com/console/sip-trunking/your-network whitelist for Twilio] and block all other outside SIP traffic.
"Simply create an address group, name it "whitelist" and add the allowed IP addresses.
Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab - depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule gets even checked..."


=== Getting syn flooded from 23.225.141.70 ===
=== Getting syn flooded from 23.225.141.70 ===


ssh into bellman
ssh 192.168.123.1
then ssh into edgerouter
 
  configure
  configure
   
   
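Review bot: the quoted whitelist instructions added in this hunk ("Simply create an address group, name it "whitelist"...") never say which ruleset, direction or ports the allow/drop pair applies to; since the page forwards 5060-5061 to Bellman, state that both the allow for the "whitelist" group and the catch-all SIP drop go in the inbound ruleset on the WAN side, matched on destination port 5060-5061, with the allow given the lower rule number so it is evaluated first. Also, "ssh 192.168.123.1" replaces the two-step "ssh into bellman" / "then ssh into edgerouter" text; if the router is only reachable through Bellman, keep that hop in the instructions.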
Line 91: Line 107:


Use vastra account to get access to [https://bellman.wildsong.biz:8443/ UniFi server in Docker.]
Use vastra account to get access to [https://bellman.wildsong.biz:8443/ UniFi server in Docker.]
2018-11-05 Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.


[[Category: Network]]
[[Category: Network]]
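Review bot: "3.9.54.9373 is available but not worth installing" gives no reason and no date to revisit; since this controller is reachable at bellman.wildsong.biz:8443, note what the release changes (or at least that the release notes were checked for security fixes) so the next reader can tell whether the decision still holds.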

Revision as of 04:00, 6 November 2018

Overview

  • Arris DOCSIS modem in bridge mode provided by Spectrum (no WiFi thank you very much!)
  • Ubiquiti EdgeRouter as firewall and 4 ports (one is used up by the DLINK)
  • 8 port DLINK 1G switch
  • Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman

Bellman provides DNS and DHCP

  • WLAN wildsong2 2.4 GHz
  • WLAN wildsong5 5 GHz

Someday I might put up SSID=wildsong for guest access and create a separate VLAN but at the moment I have more interesting things to do.

Wired

  • Bellman server
  • Murre Windows 10 Desktop
  • Other random gadgets come and go including a Raspberry Pi
  • 1 Grandstream Android phone

Wireless via Unifi

I think everything but the Squeezebox should work on 5 GHz but 2.4 works better in the living room sometimes.

In the eLab,

  • Desktop Tern in the eLab.
  • 1 Grandstream Android phone

Laptops

Squeezebox, 2.4 GHz ONLY

EdgeRouter-X

2018-11-05 Current firmware is 1.9.7; 1.10.7 is available and a few fixes might be relevant.

Use bwilson account to get access

You can SSH into it or go to its web interface (https://192.168.123.1).

I have a basic firewall set up here.

Port forwarding to Bellman

  • SSH
  • Asterisk (UDP for RTP, 5060-5061 for SIP)
  • HTTPS (not HTTP!)

Masquerade for outbound traffic

Getting hammered from the Internet on my Asterisk server

Set up a whitelist for Twilio (https://www.twilio.com/console/sip-trunking/your-network) and block all other outside SIP traffic.

"Simply create an address group, name it "whitelist" and add the allowed IP addresses.

Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab, depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule even gets checked..."


Getting SYN flooded from 23.225.141.70

ssh 192.168.123.1
configure

# Find a good rule number to use
show firewall name WAN_IN

# Add the rule to blacklist the attacker
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 source address 23.225.141.70
set firewall name WAN_IN rule 40 protocol tcp
commit; save

# Did not work!
delete firewall name WAN_IN rule 40
commit; save
# Heavy handed, but we're running all services on HTTP anyway
# Just drop port forwarding for port 80!
show port-forward
rule 4 {
    description HTTP
    forward-to {
        address 192.168.123.2
        port 80
    }
    original-port 80
    protocol tcp
}
...
delete port-forward rule 4
commit; save

This worked. For now anyway.
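Added example (not from the original page): the Twilio whitelist procedure above and the rule-40 blacklist attempt, written out as EdgeOS configure-mode commands for the WAN_IN ruleset the SYN flood section already uses. It goes beyond the page by putting blocked sources in a reusable address group, logging on the drop rules, and checking the counters afterwards. The "blacklist" group name, the rule numbers and the 192.0.2.x/198.51.100.x addresses are assumptions (documentation ranges standing in for Twilio's real IPs), and it assumes the SIP port forwards are not already accepted by the port-forward auto-firewall ahead of the WAN_IN user rules, which is the likely reason the rule 40 drop above had no effect.

```edgeos
configure

# Allowed SIP peers: put Twilio's published SIP trunking addresses here.
# The addresses below are documentation-range placeholders, not Twilio's.
set firewall group address-group whitelist description "Twilio SIP trunking"
set firewall group address-group whitelist address 192.0.2.10
set firewall group address-group whitelist address 198.51.100.1-198.51.100.20

# Known-bad sources: the host from the SYN flood section goes in here
# instead of getting its own firewall rule each time (assumed group name).
set firewall group address-group blacklist description "Blocked sources"
set firewall group address-group blacklist address 23.225.141.70

# Rule 10: drop (and log) anything from the blacklist, whatever the port.
set firewall name WAN_IN rule 10 description "Drop blacklisted sources"
set firewall name WAN_IN rule 10 action drop
set firewall name WAN_IN rule 10 source group address-group blacklist
set firewall name WAN_IN rule 10 log enable

# Rule 30: accept SIP signalling only from the whitelist.
# Lower rule number than the drop in rule 35, so it is evaluated first.
set firewall name WAN_IN rule 30 description "SIP from whitelist"
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol tcp_udp
set firewall name WAN_IN rule 30 source group address-group whitelist
set firewall name WAN_IN rule 30 destination port 5060-5061

# Rule 35: drop and log every other SIP attempt from the Internet.
set firewall name WAN_IN rule 35 description "Drop other SIP"
set firewall name WAN_IN rule 35 action drop
set firewall name WAN_IN rule 35 protocol tcp_udp
set firewall name WAN_IN rule 35 destination port 5060-5061
set firewall name WAN_IN rule 35 log enable

commit
save
exit

# Back in operational mode: the listing shows the rule order, and the packet
# counters should show rule 35 climbing while rule 30 only counts Twilio traffic.
show firewall name WAN_IN statistics
```

The same two address groups can be edited later with a single `set`/`delete` on the group instead of touching the rules, which keeps the allow-before-drop order from drifting.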

Unifi

Use vastra account to get access to UniFi server in Docker.

2018-11-05 Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.