OpenBSD Security Functionally paranoid!
If that board has mini pci-e gigabit adapter just take off the brace and hang it out the back. Not elegant but gives you a 3rd dedicated nic that can connect direct to AP. Thoughts?
Also, you could use the pci not pci-e slot that is in that board (if i recall my specs) and cut a hole to get that 3rd slot. Intel nics are cheap and good. Might not be a bad experiment.
What about using my mini pcie express slot for the extra port for vlanning off the wireless. I could run a ribbon as the last person suggested. I would like to use an intel nic though. I don't see any mini pci express cards. I also have a pci full size slot open, but since it's not express, my guess is throughput would suffer.
Confused and Frustrated. Thanks!
Last edited by jggimi; 10th March 2015 at 09:30 PM. Reason: typos
So I am confused.. clearly.
If I want to separate and keep both the wifi traffic and the wired lan traffic completely separated... does it matter (security/performance/etc) whether or not I use the same nic going to the unmanaged switch for the lan network, or should I try to use 2 different nics?
Given that the switch doesn't do vlans, I would split it across two separate nics. You might be able to figure out a way to get multiple IPs on a single nic that aren't vlan tagged, but the traffic won't be technically separate.
And, because the traffic will be on separate NICs, there is no need for vlans (why bother with virtual lans when you have physically separate lans? You *could* hang a vlan interface off of a physical interface, but the switch still doesn't support it and it would offer you no additional benefit (minus perhaps the idea that you could vlan-tag other subnets on the same NIC down the road...but that would require your switch to support vlans now rather than later)).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Ok so that is what I should do. I was saving the mini pci express port for flash storage if needed as I am using a usb stick now. But if worse comes to worst I will just use the onboard sata and hook up an ssd so the heat is still low and still silent/fanless.
So 3 interfaces:
em0 = connection to internet
em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices
Then I can set up 2 networks via pf and keep the wireless devices separate from the wired lan. Do I have this correct? Then I could still serve out dhcp and dns etc to the wireless clients as well. I am assuming I would have to have 2 dhcpd servers/configs running. Maybe subnet both as a /25 like azarian said.
Thanks
You're on the right path. Something like this:
em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices

NIC configs:

/etc/hostname.em1: Code:
inet 192.168.0.1 255.255.255.128

/etc/hostname.<addon_nic>: Code:
inet 192.168.0.129 255.255.255.128

dhcpd.conf: Code:
# wired LAN, served on em1
subnet 192.168.0.0 netmask 255.255.255.128 {
	option routers 192.168.0.1;
	option domain-name-servers 192.168.0.1;	# assuming you run unbound listening on multiple ips!
	range 192.168.0.2 192.168.0.126;
}
# wireless LAN, served on the add-on NIC
subnet 192.168.0.128 netmask 255.255.255.128 {
	option routers 192.168.0.129;
	option domain-name-servers 192.168.0.129;	# assuming you run unbound listening on multiple ips!
	range 192.168.0.130 192.168.0.254;
}

pf.conf: Code:
ext_if = em0
lan = "192.168.0.0/25"
wlan = "192.168.0.128/25"
table <nated> { $lan, $wlan }
# NAT both internal subnets out the external interface
pass out on $ext_if from <nated> nat-to ($ext_if)
# no forwarding between the wired and wireless subnets
block in quick from $wlan to $lan
block in quick from $lan to $wlan	# total separation, if desired
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 11th March 2015 at 12:25 AM. Reason: added pf.conf skeleton
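A consistency check for the two-/25 plan in the post above, written here as an added example rather than code from the thread: it parses dhcpd.conf-style subnet blocks and verifies that no two NICs sit in the same subnet, that each DHCP range and router address lies inside its subnet, and that the pool never hands out the router's own address. The interface names and addresses are the ones posted; the dhcpd text is a constructed sample.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's plan: one address per NIC (hostname.* files)
# and the dhcpd.conf subnet blocks, using the values rocket357 posted.
IFACES = {"em1": "192.168.0.1/25", "addon_nic": "192.168.0.129/25"}
DHCPD_CONF = """
subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.2 192.168.0.126;
}
subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.129;
    range 192.168.0.130 192.168.0.254;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_dhcpd(text):
    # Return (network, router, first, last) for each subnet block.
    out = []
    for net, mask, body in SUBNET_RE.findall(text):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        router = re.search(r"option routers\s+(\S+);", body).group(1)
        first, last = re.search(r"range\s+(\S+)\s+(\S+);", body).groups()
        out.append((network, *map(ipaddress.ip_address, (router, first, last))))
    return out

def check_plan(ifaces, dhcpd_text):
    # Return a list of problems; an empty list means the plan is consistent.
    problems = []
    nets = {name: ipaddress.ip_interface(a).network for name, a in ifaces.items()}
    names = list(nets)
    for i, a in enumerate(names):                 # jggimi's rule: no two NICs on one subnet
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} both sit in {nets[a]}")
    for network, router, first, last in parse_dhcpd(dhcpd_text):
        if network not in nets.values():
            problems.append(f"dhcpd subnet {network} has no interface")
        if router not in network:
            problems.append(f"router {router} is outside {network}")
        usable = set(network.hosts())             # excludes network and broadcast addresses
        if first not in usable or last not in usable or first > last:
            problems.append(f"range {first}-{last} is not inside {network}")
        if first <= router <= last:
            problems.append(f"range {first}-{last} hands out the router address {router}")
    return problems
```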
daemonbak, I don't know if you're still confused. But just in case:
Part of your confusion might have stemmed from not considering Ethernet LAN traffic as distinct from the TCP/IP traffic that travels over an Ethernet. It's easy to think of them as equivalent, because most of the time there's a one-to-one relationship between a TCP/IP subnet and an Ethernet LAN. (And your latest solution contemplates three LANs and three subnets.) But Ethernets and TCP/IP subnets aren't required to have a 1-to-1 relationship.

Above, we discussed the implications of having multiple TCP/IP subnets share the same Ethernet LAN. I'd mentioned that this can solve some addressing or administrative issues but the subnets are not isolated, so this doesn't add any security.

You might also be confused about VLANs, and that may be because some of your platforms -- such as OpenBSD, and perhaps your large-enterprise AP -- are VLAN-capable, and it appears that multiple virtual NICs can be created and used. Yes, virtual NICs are deployed, but the LANs each connect to are separate, unique Ethernet LANs.

VLAN technology is used to logically combine multiple physical Ethernets. A managed switch is the central, key device in a VLAN network and an absolute requirement. The admin configures the switch and allocates its physical ports to separate Ethernet LANs for end-use devices. The admin configures other ports where those LANs are combined. These combined LAN ports are used for connections to -- for lack of a better term -- "back-haul" systems that need to communicate with multiple, distinct Ethernet LANs directly. A VLAN-connected server uses multiple virtual NICs to communicate to those individual physical Ethernet LANs.

I hope that this information helped, and wasn't excessively a review of knowledge you already have. If it was, I hope that at least I didn't bore you.
Last edited by jggimi; 11th March 2015 at 04:34 PM. Reason: typos, clarity
I am kind of late for the party but it looks to me that this might be a good read for OP.
http://www.packetmischief.ca/2011/09...routing-table/
Last edited by daemonbak; 26th March 2015 at 09:57 PM.
My primary firewall at home is a dual onboard fxp box that has an re and rl. re and rl are both full size PCI (it's a 566 MHz i386). The re is a gigabit card and it handles 50-60 Mbps (my internet speed, haven't tested for max throughput, unfortunately) rather well. I'd prefer Intel over realtek, but I can't complain, FWIW.
To make it explicitly clear, I'm not recommending re or rl, I'm just commenting that they work for my use case.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Any suggestions for an intel nic that will work with a mini pci express or standard full size pci slot? Are there any advantages to using express over plain jane pci for a gigabit card?
It would have to hang outside the box as there is no room for expansion ports on the back. It would also not clear the ceiling of the case. I could drill a hole in the metal, run a cat cable in and then put the rj45 connector on after and then plug it in. But there is really no room inside. Would this be what I need? http://www.amazon.com/exec/obidos/ASIN/B006VCPB2S I would really like to keep it an intel nic for my third nic. Is there an intel nic version of this? I can't find one anywhere. What is everyone else using? Trying to get this implemented asap so all help appreciated. Thanks
You've asked this same question several times here, and I haven't seen it addressed. You might have better luck asking this sort of question on misc@; this is a very small community and you'll reach orders of magnitude more people there.
OpenBSD driver support is by chipset, not by hardware vendor, but Intel happens to be a chipset manufacturer.
I can't find any way to sandwich another nic in my case. Although I believe my case has more space than yours, it is still too tight. Here is my thread: http://daemonforums.org/showthread.php?p=54803 Did you ever get resolution to this or find something that might be a solution? Thanks. Also, throughput should not suffer on a gigabit card, even if it is a basic PCI connector and not -e.
SUBNET TRUSTED LAN: 192.168.0.2 192.168.0.126
SUBNET UNTRUSTED LAN/WIRELESS: 192.168.0.130 192.168.0.254

I know that if I had 192.168.0.2 and 192.168.0.45 on a normal computer, it would freak out on which interface to exit for connections. But I am usually 255.255.255.0 not 255.255.255.128. I am assuming with a firewall though this would be ok. Or should I switch one dhcp interface so instead I would have:

SUBNET TRUSTED LAN: 192.168.0.2 - 192.168.0.126
SUBNET UNTRUSTED LAN/WIRELESS: 192.168.1.2 - 192.168.1.126

or does having the subnet as 255.255.255.128 make it so there are no issues with them both being 192.168.0.x? Feel free to ask clarification, very sleepy now.
Do not configure two NICs on the same subnet. OpenBSD does not support this, except in special cases when trunk(4), bridge(4) or carp(4) interfaces are configured.
You can deploy similar addressing to meet your intentions, perhaps using two /25 subnets (netmask 255.255.255.128), which would not violate this provisioning rule. Instead of a single 256-address subnet, you would configure two 128-address subnets: 192.168.0.0/25 (range .0 through .127) and 192.168.0.128/25 (range .128 through .255). As with a /24, the low-order addresses (.0 and .128) would be reserved for routing, while the high-order addresses (.127 and .255) would be reserved for broadcast.
Last edited by jggimi; 23rd May 2015 at 01:20 PM. Reason: added trunk(4), fixed a typo, clarity
TL;DR: 192.168.0.0/25 and 192.168.0.128/25 are indeed separate subnets and will not cause any routing issues if a machine has one address from each subnet.
As jggimi has pointed out already, you'll run into issues with two nics on the same subnet, as it causes routing issues. You might be able to do a virtual route table configuration to accomplish that, but I have yet to take that plunge into what appears (to me, as of yet, since I haven't had a need for it yet) to be complete insanity.

As you stated, setting the subnet to 255.255.255.128 would make them separate subnets (again, as detailed by jggimi). In fact, you can drop the /25 down further as such:

192.168.0.0/24 = 256 addresses
192.168.0.0/25 = 128 addresses
192.168.0.0/26 = 64 addresses
192.168.0.0/27 = 32 addresses
192.168.0.0/28 = 16 addresses
192.168.0.0/29 = 8 addresses
192.168.0.0/30 = 4 addresses

In all of those above, you can actually use the number of addresses - 2 (network and broadcast each take a single address out of the pool for /30 and above). This means a /30 actually has two usable addresses (and is useful for a setup where you have a single isolated machine (addresses in the /30 would be network, gateway, host, broadcast, so you can only have one host)).

To figure out the next range up from your current one, you'd count the number of addresses up from where you are. For instance, if you are using 192.168.0.0/28, the next *network* address would be 16 addresses up, or subnet 192.168.0.16/28, and the next subnet after that would be 192.168.0.32/28, then 192.168.0.48/28, then 192.168.0.64/28, and so on.

As a separate example, just look at the routing table of a configuration like you're working on (10.2.0.0/24 in my network is dedicated to Windows machines, which I put in their own /30's for isolation purposes...the following output is separated for visibility): Code:
$ netstat -rnf inet | egrep '10.2|Iface'
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
--
10.2.0.0/30        link#15            UC         1        0     -     4 vlan2000
10.2.0.1           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.2           f0:1f:af:5c:27:eb  UHLc    4959 89251403     - L   4 vlan2000
--
10.2.0.4/30        link#16            UC         1        0     -     4 vlan2001
10.2.0.5           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.6           50:46:5d:50:5a:f4  UHLc       1 167633949    -     4 vlan2001
--
10.2.0.8/30        link#17            UC         1        0     -     4 vlan2002
10.2.0.9           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.10          00:1a:a0:5e:93:fe  UHLc    3518 31997246     -     4 vlan2002
--
10.2.0.12/30       link#18            UC         0        0     -     4 vlan2003
10.2.0.13          00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 23rd May 2015 at 08:01 PM.
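The subnet arithmetic from jggimi's and rocket357's posts, carried through with Python's ipaddress module as an added example (not code from the thread): carving a /24 into two /25s, the "addresses minus 2" usable-host rule, the next-network sequence for a /28, the four roles in a /30 as seen in the routing table above, and the same-subnet test daemonbak asked about.

```python
import ipaddress

def split_into(parent, new_prefix):
    # 192.168.0.0/24 -> the two /25s jggimi described.
    return [str(n) for n in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]

def usable_hosts(prefix):
    # rocket357's "addresses - 2" rule: network and broadcast are not assignable (/30 and larger).
    return ipaddress.ip_network(f"192.168.0.0/{prefix}").num_addresses - 2

def next_networks(first, count):
    # Walk sibling networks of the same size: a /28 gives .0, .16, .32, .48, ...
    net = ipaddress.ip_network(first)
    out = [net]
    while len(out) < count:
        # the next network starts one address past this one's broadcast address
        net = ipaddress.ip_network((int(net.broadcast_address) + 1, net.prefixlen))
        out.append(net)
    return [str(n) for n in out]

def p2p_layout(cidr):
    # rocket357's /30 roles: network, gateway, host, broadcast (e.g. 10.2.0.0/30 in his netstat output).
    net = ipaddress.ip_network(cidr)
    gw, host = net.hosts()
    return {"network": str(net.network_address), "gateway": str(gw),
            "host": str(host), "broadcast": str(net.broadcast_address)}

def same_subnet(addr_a, addr_b):
    # jggimi's "don't": two NIC addresses that fall in one subnet.
    return (ipaddress.ip_interface(addr_a).network
            == ipaddress.ip_interface(addr_b).network)
```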
I believe ARP issues also occur. It's an architectural "don't."
If this were my network, I'd use an addressing schema that is more readily understandable than two adjacent /25 subnets. Such as two distinct /24 subnets. RFC 1918 offers us room to configure 69,888 /24 subnets, and we should exploit that small freedom to make our administrative lives easier.