LinuxQuestions.org

Linux - Networking: home network configuration with DMZ and VLAN (https://www.linuxquestions.org/questions/linux-networking-3/home-network-configuration-with-dmz-and-vlan-918026/)

bruce.wayne 12-10-2011 06:37 AM

home network configuration with DMZ and VLAN
 
Hi everyone,

Since I want to structure my home network for security reasons, I would like to hear some thoughts from you. I have read in forums and articles about VLAN tagging and DMZs, but I am not very confident at all.

The following is my desired plan:
1) one server in the DMZ for my web page and torrent downloading (preferring an ethernet connection)
2) three MacBooks for internet surfing and other things (most of the time connected via WLAN)
3) one PC for development (desktop) - connected via ethernet
4) one NAS with private data (some sensitive and confidential enterprise data)
5) one smartphone connected via WLAN when at home (for accessing data on other devices)
6) one TV (ethernet) and a PlayStation 3 (WLAN) for video streaming and watching

Network management devices available:
1) ISP router (3G, 4 ethernet ports and WLAN) - some proprietary software on it
2) TP-Link TL-WR1043ND with OpenWrt installed (5 ethernet ports and WLAN)
3) an old non-manageable (layer 2) D-Link network switch

Special things to mention:
1) the two routers are split between different rooms and are only connected via WLAN (living room, working room) - I have no space for cables. I know that's not the best case, but I have to live with it.
2) the TV (living room) is connected to router 1 for streaming reasons
3) the NAS can be placed in either of the rooms
4) the development PC is connected in the working room
5) the WLAN printer is also in the working room

All PCs except the server should be able to access the NAS. The NAS should only be accessible from the LAN, and not from the internet/WAN (wide area network). The PCs should be able to access the server.

Since I am stuck at the moment, what's the most secure way to connect the devices (by VLAN tagging and a DMZ with the server)? I would appreciate some answers from you.

thanks in advance,
bruce wayne

devwatchdog 12-11-2011 12:03 PM

I imagine the first thing that should be done is assess which devices you own would support VLANs. Not knowing what model the ISP router is, we'll have to assume it does not support VLANs.

Another question: does the ISP router have a firewall?

I'm thinking your OpenWRT TP-Link should support VLANs. I have installed OpenWRT on Belkin F5D8230 access points over the last several years and although I don't use the VLAN functionality, I know the firmware I compiled had it.

VLAN tagging will only come into play if you are setting up a trunk to carry more than one VLAN, which at this point I don't see happening. The VLANs you will set up will be what are known as access ports, which more or less are just regular ethernet connections with the difference being the device will recognize the devices plugged into the ports assigned to each VLAN as being assigned to a broadcast domain. For instance, you could assign two ports on the TP-Link to VLAN10, then two as VLAN20, and then you'd be able to send traffic between the devices in those VLANs without that traffic being sent out the ports not assigned to that VLAN. VLAN10 traffic is only sent out on ports in VLAN10.

I suppose what I would do is assign VLANs on the TP-Link to the ports, with the NAS isolated into one VLAN and everything else in another for the non-WIFI traffic. Getting traffic from the ISP router to the TP-Link will involve adding a route to the ISP router directing traffic destined for the various networks connected to the TP-Link. For instance, say you had a network of 172.20.18.0/24 set up on VLAN10 on the TP-Link. The ISP router is not going to know it is there, as any of the networks you assigned to the VLANs won't be directly connected to the ISP router. Seeing you're using WIFI to communicate between the ISP router and the TP-Link, say it was connected using 10.34.28.0/24, with 10.34.28.10 being assigned to the TP-Link. When using Linux, you would use the command:

Code:

route add -net 172.20.18.0/24 gw 10.34.28.10

but you'd probably be using a GUI on the ISP router to add it.

Which leads me to ask: how do you have your TP-Link set up presently? Is the wireless interface bridged with the switch side of the access point? I know that the default configs do this (or at least the ones I have seen are that way). I set my access points up where the WIFI, switch/LAN, and WAN interfaces are all independent interfaces where nothing is bridged. If you have the TP-Link set up where the WIFI is bridged with the switch, the WIFI can be assigned to a VLAN. Here's an explanation:

https://forum.openwrt.org/viewtopic.php?id=17096

When you start mucking around with the TP-Link, you're going to risk losing access to it, as a misconfiguration could render it 'bricked', where you'll have to reflash it, if that is possible. Some of these access points can be rendered totally useless unless you use JTAG to resurrect them. The Belkins I use had a serial connector onboard so I can pretty much do as I please and not have to worry about that happening, but without a serial connection a simple mistake can leave you starting from scratch.

Seeing your whole LAN will have access to the NAS, but nothing from public address space (WAN), it appears we're getting back to the ISP router. If it doesn't have a firewall, I'd recommend getting one to put between it and the LAN. That's the most important component in your network regarding security. Block all inbound and allow outbound as needed, or all of it, or whatever you deem necessary.

If I were to set up your network, of course there would be a firewall in place to isolate the LAN from internet traffic. I'd then take the TP-Link and use the wired ethernet port for WAN on it as the port connecting the NAS. That port is not part of the switch, and can have its own network assigned. Considering it will be on a different network, you can then use firewall rules to drop everything inbound on it, and then create specific rules to allow inbound traffic from specific devices. If you don't isolate your DMZ with firewall rules, it's not really any different than any other part of the LAN.

With that setup, you'll not need VLANs, achieve your goal and leave the rest of your LAN pretty much the way it is -- no matter how your WIFI is set up.

Food for thought. Feel free to ask away. Got some time over the next few days.
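The isolation devwatchdog describes for the NAS port (drop everything inbound, then allow specific devices) and his remark that an un-firewalled DMZ is no different from the rest of the LAN can be made concrete with a small stateful filter. The following is an added example and not code from the thread or from OpenWrt: it evaluates the same constructed packets under an open policy and under a default-deny policy. The NAS address, the web server address, the service ports and the update-server address are assumptions; 192.168.1.250 and 192.168.2.151 are the host addresses bruce.wayne mentions later in the thread.

```python
from ipaddress import ip_address

# Constructed addresses for the example; only the two client addresses come from the thread.
NAS = ip_address("192.168.1.20")                 # assumed NAS address on its own interface
NAS_SERVICES = {445, 548}                        # assumed share protocols: SMB and AFP
TRUSTED = {ip_address("192.168.1.250"),          # development PC (thread)
           ip_address("192.168.2.151")}          # computer behind the ISP router (thread)
WEB_SERVER = ip_address("192.168.2.200")         # assumed address of the DMZ web/torrent box
UPDATE_SERVER = ip_address("203.0.113.5")        # documentation-range address, constructed


class NasFilter:
    """Stateful filter on the interface that carries the NAS (added example)."""

    def __init__(self, default_deny):
        self.default_deny = default_deny
        self.flows = set()   # (remote, remote port, NAS port) of connections the NAS opened itself

    def nas_outbound(self, dst, dport, sport):
        """The NAS initiates a connection (e.g. an update check): remember the flow."""
        self.flows.add((dst, dport, sport))
        return "accept"

    def inbound(self, src, sport, dport):
        """Verdict for a packet arriving for the NAS, first match wins."""
        if (src, sport, dport) in self.flows:
            return "accept", "reply to a connection the NAS initiated"
        if not self.default_deny:
            return "accept", "open policy: the NAS port is just another LAN port"
        if src in TRUSTED and dport in NAS_SERVICES:
            return "accept", "explicitly allowed client and service"
        return "drop", "default deny on the NAS interface"


def evaluate(default_deny):
    """Run constructed sample traffic through the filter; returns label -> verdict."""
    fw = NasFilter(default_deny)
    fw.nas_outbound(UPDATE_SERVER, 443, 51000)   # NAS checks for updates over HTTPS
    traffic = [  # constructed packets: (label, source, source port, destination port)
        ("dev PC -> NAS SMB", ip_address("192.168.1.250"), 50001, 445),
        ("MacBook -> NAS AFP", ip_address("192.168.2.151"), 50002, 548),
        ("web server -> NAS SMB", WEB_SERVER, 50003, 445),
        ("dev PC -> NAS SSH", ip_address("192.168.1.250"), 50004, 22),
        ("update server reply", UPDATE_SERVER, 443, 51000),
    ]
    return {label: fw.inbound(src, sport, dport)[0] for label, src, sport, dport in traffic}


if __name__ == "__main__":
    for policy in (False, True):
        print("default deny" if policy else "open policy")
        for label, verdict in evaluate(policy).items():
            print(f"  {label}: {verdict}")
```

Under the open policy the DMZ box reaches the NAS shares exactly like the development PC does; under default deny only the listed clients reach the listed services, while the NAS's own outbound connections still get their replies.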

bruce.wayne 12-12-2011 12:11 PM

hi devwatchdog,

thanks for the good explanation and impressions. First I want to answer your question to clear up the blurriness ;).
You are right (I knew that I forgot to mention some things): the ISP router is not capable of VLANs, the TP-Link of course is. The ISP router has a built-in firewall, so that should do the job, I think.

The best case would be to have a wired connection from the TP-Link WAN port to the ISP router. To do so, I would have to run a Cat cable through my whole flat - not in a nice way. Connecting the bedroom with the living room would be the only worse case ;).
At the moment I am using some spare time to configure the TP-Link as a client bridge in order to use the WLAN as my uplink interface to the ISP router. It's more tricky than I thought - I see the WLAN with the correct MAC of the ISP router, but I cannot ping. I don't know much about that at the moment. Maybe I'll be more familiar with it soon (if you have suggestions, feel free).

Configuring the firewall of the ISP router to let only the necessary port/IP-protocol combinations inbound and outbound will be a necessary task, there I am with you. That was also my first thought: to put the NAS in its own VLAN and the rest in another. Further differentiating between the wired network and the wireless network is also very good.

TP-Link bricked? Done already ;). And got it working again (failsafe mode and deleting the modifications). A serial interface would be good for telnet in emergency situations - but sadly it's not present.

The thing where I am a little bit stuck at the moment is the WLAN bridge between the TP-Link router and the ISP router (not only the configuration part). I have read about different ways to connect and also some configuration possibilities on the router ("client", AP (WDS), Client (WDS)), but I am a little bit confused about what will be the best choice. Or are there some that are impossible? Here I would also be thankful for some input.

My highest priority in the configuration is the security of the NAS. That one should be isolated as well as possible. That's why I want the web server to be connected to the ISP router, and not to the TP-Link. If you have some more details on what to keep in mind during the firewall configuration/routing tables, ... feel free. The more I know, the better it is. The possibilities during configuration would also be helpful.

Thanks in advance. If I have missed something, don't hesitate to ask.

devwatchdog 12-18-2011 12:38 AM

I'll be responding sometime within the next few days. Sorry 'bout the delay. I've got a spare Belkin set up that I can test to see what it takes to connect it to an AP as a client. Shouldn't be too challenging.

As for the rest, I'll address that soon.

bruce.wayne 12-18-2011 02:55 AM

Yesterday evening I managed to get the client mode working. The cause was that the MAC of the TP was entered in the ISP router for bridging. By deleting this line it worked. So you do not need to invest your time in this. But many thanks for your help.

TP-address range: 192.168.1.x
ISP router range: 192.168.2.x

But another thing at the moment. Maybe you have some suggestions. Yesterday I tried to get DLNA/UPnP working - was not lucky with that. The server is in the TP IP range and the TV is in the ISP IP range. I have to invest more time here in how to configure the port forwardings right, but at the moment I have read some posts that this might not work. Do you have any experience with it?
Thanks.

devwatchdog 12-19-2011 11:16 AM

Can devices communicate between the two networks properly? Say you ping from a device connected to the ISP router (192.168.1/24) LAN to a device connected to the TP (192.168.2/24): does it work? (and vice versa)

I'm a little confused as to what you might have done with the TP. It doesn't sound like it is still in bridged mode -- I'm guessing you are getting a DHCP lease on the WIFI interface (or static, doesn't matter -- I'd go static), and then have the switch interface set up with 192.168.2/24 and acting as a DHCP server. Effectively you've taken what is normally labeled as the WAN interface and a RJ45 connection, and moved that responsibility to the WIFI interface. It doesn't really matter, as networking is networking, and what we actually call these interfaces is irrelevant. The only issue that might come into play is how the firewall is set up on OpenWRT.

Something I'm wondering is if the traffic that is destined for the ISP router, be it internet-destined traffic or a device in the 192.168.1/24 network, is being NAT'ed when sent through the TP. If it were, then you'd not see problems when sending traffic from the TP-based devices toward the ISP router and devices in 192.168.1/24. However, devices in the 192.168.1/24 network do not know where 192.168.2/24 is.

I'm just speculating presently. Let me know how you have that TP set up. It might just be as simple as adding the route I mentioned earlier to the ISP router.

bruce.wayne 12-23-2011 01:35 AM

Hey, thanks for your answer and sorry for the late response. I'm currently (since a week) on a business trip and do not have the possibility at the moment to test pinging, but I'll try it in the next few days.

You are completely right that I'm using the WiFi interface as the WAN interface for connecting to the ISP router. As you would've done, I've configured a static address in the 192.168.2.x subnetwork. The TP-Link router is also acting as a DHCP server, but the connected hosts are all connected with a static address. I'll need DHCP only when temporarily connecting a new laptop...

The downside of the solution is (unluckily) that the TP WiFi is exclusively for the uplink. So I cannot extend the WLAN range of my ISP router, unluckily - but I think that I'll have to live with that. The internet connection works for the clients connected to the TP. The only thing I have to investigate is a desktop machine that is knocking down my traffic on the TP - but that's another story ;).
To get that all working, I have set the TP as the gateway and the ISP as the DNS server for the computers connected to the TP.

The OpenWrt firewall is currently set to default; I only tried to put in some route on a port, let me think... 5002/3/4? (one of those), that I've found in a forum. I've read that this is the port the PS3 media server (which I'm using for streaming) is using.

If you have some more concrete questions to let me explain my situation more clearly, feel free :).

Thanks for the time you've spent and your help so far.

bruce.wayne 12-24-2011 02:58 AM

Hello,
as promised I have tested the connections. From a computer connected to the ISP router with the address 192.168.2.151 I cannot ping the subnetwork. I can only ping the WAN interface of the TP router (which is, of course, a 192.168.2.x address). The subnetwork interface (192.168.1.1 - the other side of the TP) cannot be reached (ICMP message timeout). The other way round is no problem. A computer with the address 192.168.1.250 (connected to the TP) can ping all computers in the network, also those in the ISP subnetwork (for example 192.168.2.151).
Any suggestions?
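The asymmetric result reported above (TP-side hosts reach everything, ISP-side hosts reach only the TP's WAN address) is what devwatchdog's earlier posts predict: the TP masquerades outbound traffic, so ISP-side devices answer the TP's WAN address and never need to know 192.168.1.0/24, while a request from the ISP side to 192.168.1.x dies at the ISP router for lack of a route. The following is an added example, not code from the thread or from OpenWrt: a small routing and NAT model that reproduces the four ping results and then shows the effect of the `route add -net ... gw ...` entry devwatchdog suggested. Host addresses 192.168.2.151 and 192.168.1.250 and the TP LAN address 192.168.1.1 come from the thread; the ISP router address 192.168.2.1, the TP WAN address 192.168.2.10, and masquerading on the TP's WAN interface are assumptions.

```python
import itertools
from ipaddress import ip_address, ip_interface, ip_network

_flow_ids = itertools.count(1)   # stands in for the ICMP id that connection tracking keys on


class Router:
    """Connected + static routes, longest-prefix match, optional masquerading (added model)."""

    def __init__(self, name, interfaces, masquerade_on=None):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(i.network, None, n) for n, i in self.ifaces.items()]
        self.masquerade_on = masquerade_on   # interface whose new outbound flows are SNATed
        self.conntrack = set()               # (src, dst, flow id) seen in the original direction
        self.nat_table = {}                  # (remote, translated src, flow id) -> real src

    def add_route(self, net, gw):
        """Same effect as 'route add -net NET gw GW' on this box."""
        gw = ip_address(gw)
        for name, iface in self.ifaces.items():
            if gw in iface.network:
                self.routes.append((ip_network(net), gw, name))
                return
        raise ValueError(f"{gw} is not on a directly connected network")

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def addresses(self):
        return {i.ip for i in self.ifaces.values()}


def deliver(src, dst, fid, routers, hosts, first_hop, max_hops=8):
    """Forward one packet hop by hop. Returns (arrived, source address as seen at dst)."""
    router = first_hop                       # a host's gateway stands in for its L2 segment
    for _ in range(max_hops):
        is_reply = False
        if router.masquerade_on and dst == router.ifaces[router.masquerade_on].ip:
            real = router.nat_table.get((src, dst, fid))   # reverse-NAT a returning packet
            if real is not None:
                dst, is_reply = real, True
        if (dst, src, fid) in router.conntrack:            # reply to a flow seen here before
            is_reply = True
        if dst in router.addresses():                      # addressed to the router itself
            router.conntrack.add((src, dst, fid))
            return True, src
        route = router.lookup(dst)
        if route is None:                                  # no route: dropped (the ICMP timeout)
            return False, src
        _net, gw, out_iface = route
        if not is_reply:
            router.conntrack.add((src, dst, fid))
            if router.masquerade_on == out_iface:          # new outbound flow: rewrite the source
                new_src = router.ifaces[out_iface].ip
                router.nat_table[(dst, new_src, fid)] = src
                src = new_src
        if gw is None and str(dst) in hosts:               # directly connected host: delivered
            return True, src
        next_hop = gw if gw is not None else dst
        router = next((r for r in routers if next_hop in r.addresses()), None)
        if router is None:
            return False, src
    return False, src


def ping(src_host, dst, routers, hosts):
    """Echo request then echo reply. Returns (request_arrived, reply_arrived, src_seen_by_dst)."""
    src, dst, fid = ip_address(src_host), ip_address(dst), next(_flow_ids)
    arrived, seen = deliver(src, dst, fid, routers, hosts, hosts[src_host])
    if not arrived:
        return False, False, None
    # the responder answers whatever source address it saw (the NATed one, if any)
    origin = hosts.get(str(dst)) or next(r for r in routers if dst in r.addresses())
    back, _ = deliver(dst, seen, fid, routers, hosts, origin)
    return True, back, str(seen)


def build_topology():
    isp = Router("ISP", {"lan": "192.168.2.1/24"})                       # assumed address
    tp = Router("TP-Link", {"wlan": "192.168.2.10/24", "lan": "192.168.1.1/24"},
                masquerade_on="wlan")                                    # WLAN client used as WAN
    hosts = {"192.168.2.151": isp, "192.168.1.250": tp}                  # host -> default gateway
    return [isp, tp], hosts


def scenario(with_route):
    """The thread's ping tests, optionally after adding the static route on the ISP router."""
    routers, hosts = build_topology()
    if with_route:
        routers[0].add_route("192.168.1.0/24", "192.168.2.10")
    tests = [("192.168.2.151", "192.168.2.10"),    # ISP-side host -> TP WAN address
             ("192.168.2.151", "192.168.1.1"),     # ISP-side host -> TP LAN address
             ("192.168.2.151", "192.168.1.250"),   # ISP-side host -> TP-side host
             ("192.168.1.250", "192.168.2.151")]   # TP-side host -> ISP-side host
    return {f"{s}->{d}": ping(s, d, routers, hosts) for s, d in tests}


if __name__ == "__main__":
    for label, results in (("no route", scenario(False)), ("with route", scenario(True))):
        print(label)
        for key, (req, rep, seen) in results.items():
            print(f"  {key}: request={req} reply={rep} seen_src={seen}")
```

Without the route, pings from 192.168.2.151 to 192.168.1.1 or 192.168.1.250 are dropped at the ISP router, while 192.168.1.250 reaches 192.168.2.151 and that host sees the request coming from 192.168.2.10. With the route in place the ISP-side pings succeed; the TP-side ping still appears to come from the TP's WAN address because its WAN zone masquerades new outbound flows.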
