Small LAN, firewall and DHCP

firdeb · 07-13-2017, 06:26 PM

Hello, I'm trying to understand how to configure a small lan with a firewall.
I've an old unused machine and I would use it as a firewall for my home network, I don't really need it, but I'm curious to understand how it works

I read some docs and how to, but I still have some problems...

This is what I thought:

Code:

                 |some_wireless_devices|
                         |
                        |AP|
                         |
                         |
|ISP|----|modem|----|firewall| //DHCP here?
                         |
                         |
                    |eth switch|
                      |  |  |
                      |  |  |__|eth_dev_1|
                      |  |
                      |  |_____|eth_dev_2|
                      |  
                      |________|eth_dev_N|

Basically my idea was: firewall is the only one connected directly to the modem, all outgoing traffic is directed throught it and devices on LAN can communicate in a "secure area".

More: I would use firewall server to limit bandwith of each device and keep a log of outgoing traffic. My router has not advanced settings, I can just set QoS and other stuff, nothing about bandwidth limit (and I would not change it if possibile!).

I have some questions:

1. first of all: are there any huge mistakes in that network?

2. router: can I set up a DHCP service in firewall and let it to manage LAN address? If no, where should I put a router?

3. it's a small network (about 10 devices) and a desktop is absolutely oversized, but I'm wondering: how much "power" is needed to handle a small network like mine?

I hope it's clear, thanks!

jefro · 07-13-2017, 07:51 PM

The questions are clear. The answer not so.

Of course the wireless part bypasses firewall.

The age of the machine may be needed to tell if it can handle 10 clients. Running AV on it may drag the lan down.

DHCP isn't a big deal. I'd put it on firewall computer. Firewall's tend to have a red and green sort of nic status. While you can push dhcp across the firewall it may be easier to do it on green side.

The type of firewall you use and the add-on's that you enable will tell if this is going to work. Might look at what sites like Untangle linux would use for specs.

In a real situation you can easily use a firewall inside the lan or use a VM off a more powerful computer. Just have to watch to force lan to go to that device.

firdeb · 07-14-2017, 08:20 AM

Quote:

The age of the machine may be needed to tell if it can handle 10 clients. Running AV on it may drag the lan down.

I'll use an "old" desktop with a first gen i5 (I don't remember which model, I'll search for it if needed), 4GB ram, integrated gigabit ethernet and a second ethernet interface on pci. Somewhere I should have also a wireless card, if needed.
With AV I suppose you mean antivirus, I don't think I'll need one, keep it simple for now

Quote:

Of course the wireless part bypasses firewall.

Mmh... If I put an AP after firewall, how can wireless devices bypass the firewall?

Quote:

DHCP isn't a big deal. I'd put it on firewall computer. Firewall's tend to have a red and green sort of nic status. While you can push dhcp across the firewall it may be easier to do it on green side.

I didn't understand. What do you mean with "red and green sort of nic status" ?

Just to clearify: I have this desktop, a simple modem, a wireless modem/router, a 8-port ethernet switch and about 10 devices (both wireless and wired) that need to communicate to each other.
I need to limit bandwith of every device when needed, I'd like to keep a log of activities and, of course, setting some classic rules for packets filtering and similar.
No AV for now. It may be usefull in future, but I can always add it and keeping the same network structure, right?

Do you have an alternative solution?

Thanks!

edit: as I said, this is just for understand how firewall works, if you have any suggestions about others features I would happy to hear them!

jefro · 07-14-2017, 03:34 PM

There is no simple answer to firewall. The tools out there and the add-ons are many to secure your home.
I think I'd look at Untangle linux to start. It is a simple solution and has many free plug-ins. PFsense and a few others are very popular.
Generally linux users employ iptables and they build rules or use FWbuilder program to assist.

I didn't get where the internet was from. Thought you got it from some wireless device to an AP. I see now that you meant to use the computer as a lan to wi-fi.

Before we get too far, you really need to pick a firewall distro or decide on what to add to a common distro to make it into a firewall.

The I5 should be a very capable system I'd suspect unless you have a fiber wan.

Ztcoracat · 07-14-2017, 10:05 PM

Maybe give Clear OS a spin:-

Plenty to choose from on these pages.

http://www.techradar.com/news/6-best...ewalls-of-2017

http://www.techradar.com/news/6-best...ewalls-of-2017

IP Tables
https://help.ubuntu.com/community/IptablesHowTo
https://wiki.debian.org/iptables
https://www.tecmint.com/basic-guide-...tips-commands/

firdeb · 07-20-2017, 08:22 AM

Thanks for replies, I was looking for some reviews of most known firewall OS and they are really similar for my purposes, the main difference is in hardware support, I need to test some of them.

I'll start with PFsense, Clear OS and IPFire.
I'll try to set up my server as both firewall and (dhcp) router, don't know exactly how but I found some docs!

Just another quick question: I have also a raspberry pi (first gen), could I use it? It could be great for its low power consuming, but what about performance? Can it handle a small network like mine with about 10 devices?

Ztcoracat · 07-20-2017, 10:19 AM

Quote:

Originally Posted by firdeb

Thanks for replies, I was looking for some reviews of most known firewall OS and they are really similar for my purposes, the main difference is in hardware support, I need to test some of them.

I'll start with PFsense, Clear OS and IPFire.
I'll try to set up my server as both firewall and (dhcp) router, don't know exactly how but I found some docs!

Just another quick question: I have also a raspberry pi (first gen), could I use it? It could be great for its low power consuming, but what about performance? Can it handle a small network like mine with about 10 devices?

You're Welcome.

I don't know if it can handle a small network with 10 devices or not.
Wait for jefro to answer you on that:-

jefro · 07-21-2017, 04:34 PM

The term "firewall" is very basic. It doesn't fully tell us the entire amount of work that you will request it to do.

A Pi could handle 10 systems using very basic firewall features I'd suppose if you don't have fiber connection speeds.

Most folks set up a more robust firewall. The use many of the features these distro's offer to make the system more secure. Using such a unified threat management on anything smaller than maybe a celron N3XXX with 4-16G ram may not work.

The best thing to do it try stuff. Only that way will you get real world metrics on use. There are all sorts of web documentation on this subject but as with all minimum spec's they are really the very minimum.

Like backups, even a minimal firewall is better than none.