Network configuration: Difference between revisions

From Wildsong
Jump to navigationJump to search
← Older editNewer edit →
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Line 1: Line 1:
== Overview ==
== Overview ==


* DOCSIS modem in bridge mode provided by Spectrum (no WiFi)
* DOCSIS modem provided by Spectrum (no WiFi)
* Ubiquiti Edgerouter as firewall and 4 ports (one is used up by the DLINK)
* Ubiquiti Edgerouter as firewall and 4 ports (one is used up by the DLINK)
* 8 port DLINK 1G switch
* 8 port DLINK 1G switch
* Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman
* Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman
* WLAN wildsong2 2.4 GHz
* WLAN wildsong5 5 GHz


Bellman provides inside DNS and DHCP. [https://cloudflare.com/ Cloudflare] does public DNS for me.
Bellman provides inside DNS and DHCP. [https://cloudflare.com/ Cloudflare] does public DNS for me.
* WLAN wildsong2 2.4 GHz
* WLAN wildsong5 5 GHz


Someday I might put up SSID=wildsong for guest access
Someday I might put up SSID=wildsong for guest access
and create a separate VLAN but at the moment I have more interesting things to do.
and create a separate VLAN but at the moment I have more interesting things to do.
=== Pi-hole experiment ===
2019-03-27 I tried [http://pi-hole.net/ Pi-hole] for a few hours yesterday but it meant more complexity for little return so I turned it back off.
I installed it on Bellman in Docker, which created conflicts with port 80
and due to DHCP, potentially lots more complexity. I think the best approach to implement it would be either to stick it on a spare Pi
or to move DHCP back onto the Edgerouter, it should not be too hard to do that. Then I could turn off DHCP in the Pi-hole docker.
But really, it did not buy me much over blocking ads in the browser with UBlock Origin. So for now, it's dormant. Bellman runs dnsmasq. Done.


=== Wired ===
=== Wired ===

Revision as of 16:25, 27 March 2019

Overview

  • DOCSIS modem provided by Spectrum (no WiFi)
  • Ubiquiti Edgerouter as firewall and 4 ports (one is used up by the DLINK)
  • 8 port DLINK 1G switch
  • Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman
  • WLAN wildsong2 2.4 GHz
  • WLAN wildsong5 5 GHz

Bellman provides inside DNS and DHCP. Cloudflare does public DNS for me.

Someday I might put up SSID=wildsong for guest access and create a separate VLAN but at the moment I have more interesting things to do.

Pi-hole experiment

2019-03-27 I tried Pi-hole for a few hours yesterday but it meant more complexity for little return so I turned it back off.

I installed it on Bellman in Docker, which created conflicts with port 80 and due to DHCP, potentially lots more complexity. I think the best approach to implement it would be either to stick it on a spare Pi or to move DHCP back onto the Edgerouter, it should not be too hard to do that. Then I could turn off DHCP in the Pi-hole docker.

But really, it did not buy me much over blocking ads in the browser with UBlock Origin. So for now, it's dormant. Bellman runs dnsmasq. Done.

Wired

  • Bellman server
  • Murre Windows 10 Desktop
  • Other random gadgets come and go including a few Raspberry Pi's
  • 1 Grandstream Android phone

Wireless via Unifi

I think everything but the Squeezebox should work on 5 GHz.

In the eLab,

  • Desktop Tern in the eLab.
  • 1 Grandstream Android phone

Laptops

Squeezebox, 2.4 GHz ONLY

EdgeRouter-X

2018-12-19 installed 1.10.8

Use bwilson account to get access

You can SSH into it or go to its web interface.

I have a basic firewall set up here; there are additional rules on Bellman.

Port forwarding to Bellman

  • SSH
  • Asterisk (UDP for RTP, 5060-5061 for SIP)
  • HTTP,HTTPS
  • 8080-9300 for testing sundry Tomcat services

Masquerade for outbound traffic

DDNS set up

This router does DDNS to Cloudflare. For internal web access use https://gw/#Services/DNS -- but I set it up with CLI. When debugging keep in mind it's using ddclient and you can open up the executable if you want because it's just perl source code.

Another tip - grab the ddclient source from github and look at the sample files.

Command line: ssh bwilson@gw (from Bellman typically) 

configure
set service dns dynamic interface eth0 service custom-cloudflare protocol cloudflare
set service dns dynamic interface eth0 service custom-cloudflare server www.cloudflare.com

set service dns dynamic interface eth0 service custom-cloudflare host-name bellman.wildsong.biz
set service dns dynamic interface eth0 service custom-cloudflare login "[email protected]"
set service dns dynamic interface eth0 service custom-cloudflare password "API KEY GOES HERE"

set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz ssl=yes"
set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz use=web ssl=yes"
commit
save
exit

To see current settings: 

show service dns
dynamic {
    interface eth0 {
        service custom-cloudflare {
            host-name bellman.wildsong.biz
            login [email protected]
            options zone=wildsong.biz
            password xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            protocol cloudflare
            server www.cloudflare.com
        }
    }
}
forwarding {
    cache-size 400
    listen-on switch0
    name-server 8.8.8.8
    name-server 8.8.4.4
    options expand-hosts
}

Use this command to get status: 

show dns dynamic status

Force update: 

update dns dynamic interface eth0

Test 

ddclient -daemon=0 -debug -verbose -noquiet -file=/etc/ddclient/ddclient_eth0.conf

This makes me nervous but it's saying it is a WARNING. 

Dec 21 02:51:10 ubnt ddclient[28406]: WARNING:  file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = 
Dec 21 02:51:11 ubnt ddclient[28406]: WARNING:  skipping update of bellman.wildsong.biz from <nothing> to 71.8.165.46.

Firewall ruleset

In the Port Forwarding tab, turn off the feature that automatically allows port forwarded traffic.

In the WAN_IN ruleset, I have 6 rules now

  1. Allow established/related
  2. Drop invalid state
  3. Accept media traffic - ports 10000-20000 both TCP and UDP
  4. Accept all Twilio traffic for North America (using a group)
  5. Accept SSH destination bellman port 22
  6. Accept HTTPS destination bellman port 443
  7. Accept destination bellman port 8080-9300 - Docker Tomcat (including ElasticSearch)

Tuning a firewall rule remotely

I like using vi to make small changes to the existing config, I only have to use a few unfamiliar commands that way.

  1. Log in via ssh (goto bellman first and then ssh bwilson@gw).
  2. Assume rootly powers, sudo -s
  3. Make a copy of the config file, for example, cd /; cp config.boot config.boot.geoserver
  4. Edit the copy, vi config.boot.geoserver
  5. Use these commands
configure
load config.boot.geoserver
compare saved

If the changes look like what you actually want, go for it, the worst thing that you can do is lock yourself out of your network! 

commit

The new config is now operational. Test it, edit and commit again if you want, until it works. If you want at this point you could reload the old config and you are back where you were: 

# Fall back to old config
load config.boot
commit

OR move forward 

save
exit

and that's it.

Getting hammered from the Internet on my Asterisk server

Set up a whitelist for Twilio and block all other outside SIP traffic.

"Simply create an address group, name it "whitelist" and add the allowed IP addresses.

Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab - depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule gets even checked..."

It appears to be working; I can still see attempts in the "STATS" tab for WAN-IN but nothing on the Asterisk console. This should reduce the work that Bellman has to do, checking ACL lists.

Getting syn flooded from 23.225.141.70

ssh 192.168.123.1
configure

# Find a good rule number to use
show firewall name WAN_IN

# Add the rule to blacklist the attacker

set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 source address 23.225.141.70
set firewall name WAN_IN rule 40 protocol tcp

commit; save

# Did not work!

delete firewall name WAN_IN rule 40
commit; save

# Heavy handed, but we're running all services on HTTP anyway
# Just drop port forwarding for port 80!

show port-forward

rule 4 {
    description HTTP
    forward-to {
        address 192.168.123.2
        port 80
    }
    original-port 80
    protocol tcp
}
...

delete port-forward rule 4
commit; save

This worked. For now anyway.

Unifi

Use vastra account to get access to UniFi server in Docker.

2018-11-05 Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.

Retrieved from "https://wiki.wildsong.biz//index.php?title=Network_configuration&oldid=11743"