DaemonForums > OpenBSD > OpenBSD Security
24th February 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

Quote:
Originally Posted by daemonbak
Also, get some coffee rocket357 ;-)
Done =)

Quote:
Originally Posted by daemonbak
Can I really have 2 vlans on that single nic? Would that slow down the network/wan speed or are there any other gotchas that would say, don't do this! Instead just figure out how to sandwich another nic card in there. That would make 3 nics (1 to cable modem, one to lan side unmanaged switch and one to the AP direct).
I have hit an issue regarding vlans on a single nic, yes. I have aggregated two fxp interfaces on my home firewall with LACP and run all of the vlans off of the trunk, such that connections via the vlans are distributed across the LACP trunk. I do this because:

vlan2001 wants to xfer a file to vlan2002. This means the connection was going up vlan2001 via the physical nic, processed by the firewall, and sent back down the physical nic to vlan2002 (i.e. send/receive simultaneously). This was causing minor slowdowns of other traffic (mostly noticeable on stuff like VoIP) on the vlan pool for the physical nic. With LACP, the firewall can receive on one nic and send on the other as if they were a single nic, reducing noticeable slowdowns for other connections.

But really, unless you are doing cross-vlan large high speed transfers, you won't notice.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 24th February 2015 at 07:29 PM.
25th February 2015
azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

If that board has a mini PCI-e gigabit adapter, just take off the brace and hang it out the back. Not elegant, but it gives you a 3rd dedicated nic that can connect direct to the AP. Thoughts?

Also, you could use the PCI (not PCI-e) slot that is on that board (if I recall the specs) and cut a hole to get that 3rd slot. Intel nics are cheap and good. Might not be a bad experiment.
10th March 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

What about using my mini PCI Express slot for the extra port for vlanning off the wireless. I could run a ribbon as the last person suggested. I would like to use an Intel nic though. I don't see any mini PCI Express cards. I also have a PCI full-size slot open, but since it's not Express, my guess is throughput would suffer.

Confused and Frustrated.

Thanks!
10th March 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote:
Originally Posted by daemonbak
What about using my mini PCI Express slot for the extra port for vlanning off the wireless.
A separate NIC would not be "vlan," but would just be a separate Ethernet broadcast domain and a separate IP subnet.
Quote:
I also have a PCI full-size slot open, but since it's not Express, my guess is throughput would suffer.
Conventional PCI is 133 MB/s, which is 1064 Mb/s. Ubiquiti Networks' website states the UAP PRO runs at 450 Mb/s or 300 Mb/s, depending on the band in use. Based on that alone, I don't think PCI will be a bottleneck.

Last edited by jggimi; 10th March 2015 at 09:30 PM. Reason: typos
10th March 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

So I am confused... clearly.

If I want to separate and keep both the wifi traffic and the wired lan traffic completely separated, does it matter (security/performance/etc.) whether or not I use the same nic going to the unmanaged switch for the lan network, or should I try to use 2 different nics?
10th March 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

Given that the switch doesn't do vlans, I would split it across two separate nics. You might be able to figure out a way to get multiple IPs on a single nic that aren't vlan tagged, but the traffic won't be technically separate.

And, because the traffic will be on separate NICs, there is no need for vlans (why bother with virtual lans when you have physically separate lans? You *could* hang a vlan interface off of a physical interface, but the switch still doesn't support it and it would offer you no additional benefit (minus perhaps the idea that you could vlan-tag other subnets on the same NIC down the road... but that would require your switch to support vlans now rather than later)).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
10th March 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

OK, so that is what I should do. I was saving the mini PCI Express port for flash storage if needed, as I am using a USB stick now. But if worst comes to worst I will just use the onboard SATA and hook up an SSD so the heat is still low and it is still silent/fanless.

So 3 interfaces:
em0 = connection to internet
em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices

Then I can set up 2 networks via pf and keep the wireless devices separate from the wired lan.

Do I have this correct?

Then I could still serve out dhcp and dns etc. to the wireless clients as well. I am assuming I would have to have 2 dhcpd servers/configs running. Maybe subnet both as a /25 like azarian said:
Quote:
Wired lan clients get dhcp in the range of 192.168.0.1 - 192.168.0.126
Wireless clients get dhcp in the range of 192.168.0.129 - 192.168.0.254
Obviously 127 and 255 would be reserved for broadcast
Then keep the two completely separated via PF, or am I going down the wrong tangent?

Thanks
11th March 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

You're on the right path. Something like this:

em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices

NIC configs:
/etc/hostname.em1:
Code:
inet 192.168.0.1 255.255.255.128
/etc/hostname.${ADDONNIC}0
Code:
inet 192.168.0.129 255.255.255.128
/etc/dhcpd.conf (NOTE: You can serve multiple subnets with a single running dhcpd!)
Code:
  subnet 192.168.0.0 netmask 255.255.255.128 { 
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1; # assuming you run unbound listening on multiple ips!
    range 192.168.0.2 192.168.0.126; 
  } 
  subnet 192.168.0.128 netmask 255.255.255.128 { 
    option routers 192.168.0.129;
    option domain-name-servers 192.168.0.129; # assuming you run unbound listening on multiple ips!
    range 192.168.0.130 192.168.0.254; 
  }
/etc/pf.conf:
Code:
ext_if = em0
lan = "192.168.0.0/25"
wlan = "192.168.0.128/25"
table <nated> { $lan, $wlan }

pass out on $ext_if from <nated> nat-to ($ext_if)

block in quick from $wlan to $lan
block in quick from $lan to $wlan  # total separation, if desired
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 11th March 2015 at 12:25 AM. Reason: added pf.conf skeleton
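The skeleton above spreads one addressing plan across three files (hostname.if, dhcpd.conf and pf.conf), and a mismatch between them is the usual way such a setup fails quietly: a pool that leaks past its /25, a router address handed out inside the pool, or two NICs that end up on the same subnet after a mask typo. The following Python script is an added example written for this thread (not from rocket357's post or any OpenBSD tool): it takes the values from the skeleton and checks that the three pieces agree before anything is deployed. The interface name addon0 is a placeholder for the add-on NIC's real driver name.

```python
"""Consistency check for a two-subnet firewall addressing plan.

Added example, not from the forum post: the values below are copied from
rocket357's hostname.if, dhcpd.conf and pf.conf skeleton; the check
functions are this example's own. "addon0" is a placeholder for the
add-on NIC's real driver name.
"""
import ipaddress

# Interface addresses as written in /etc/hostname.em1 and the add-on NIC
INTERFACES = {
    "em1": "192.168.0.1/25",       # inet 192.168.0.1 255.255.255.128
    "addon0": "192.168.0.129/25",  # inet 192.168.0.129 255.255.255.128
}

# Subnet declarations as in the dhcpd.conf skeleton
DHCP_SUBNETS = [
    {"subnet": "192.168.0.0/25", "routers": "192.168.0.1",
     "range": ("192.168.0.2", "192.168.0.126")},
    {"subnet": "192.168.0.128/25", "routers": "192.168.0.129",
     "range": ("192.168.0.130", "192.168.0.254")},
]

# Macros from the pf.conf skeleton
PF_MACROS = {"lan": "192.168.0.0/25", "wlan": "192.168.0.128/25"}


def check_plan(interfaces, dhcp_subnets, pf_macros):
    """Return a list of human-readable problems; an empty list means the
    three pieces of configuration agree with each other."""
    problems = []
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}

    # 1. Two NICs must never sit on the same (or an overlapping) subnet.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(
                    f"{a} ({ifaces[a].network}) and {b} ({ifaces[b].network}) overlap")

    # 2. Every DHCP subnet must belong to an interface, its router must be
    #    that interface's address, and the pool must stay inside the subnet
    #    without touching the network, broadcast or router addresses.
    by_network = {ifc.network: name for name, ifc in ifaces.items()}
    for decl in dhcp_subnets:
        net = ipaddress.ip_network(decl["subnet"])
        if net not in by_network:
            problems.append(f"dhcp subnet {net} matches no interface")
            continue
        ifc = ifaces[by_network[net]]
        router = ipaddress.ip_address(decl["routers"])
        if router != ifc.ip:
            problems.append(f"{net}: router {router} is not {ifc.ip}")
        lo, hi = (ipaddress.ip_address(x) for x in decl["range"])
        if lo > hi:
            problems.append(f"{net}: range {lo}-{hi} is reversed")
        for edge in (lo, hi):
            if edge not in net:
                problems.append(f"{net}: {edge} is outside the subnet")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{net}: pool includes network or broadcast address")
        if lo <= router <= hi:
            problems.append(f"{net}: router {router} is inside the pool")

    # 3. Each interface network must be covered by a pf macro, or the
    #    block rules will not see it.
    pf_nets = {ipaddress.ip_network(v) for v in pf_macros.values()}
    for net in by_network:
        if net not in pf_nets:
            problems.append(f"no pf macro covers {net}")
    return problems


if __name__ == "__main__":
    for line in check_plan(INTERFACES, DHCP_SUBNETS, PF_MACROS) or ["plan is consistent"]:
        print(line)
```

Running it against the skeleton's values reports no problems; changing both interface masks to 255.255.255.0 (the /24 daemonbak is used to) makes the two NICs overlap and leaves both /25 DHCP subnets without an interface, which is exactly the case OpenBSD refuses to route for.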
11th March 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

daemonbak, I don't know if you're still confused. But just in case:

Part of your confusion might have stemmed from not considering Ethernet LAN traffic as distinct from the TCP/IP traffic that travels over an Ethernet. It's easy to think of them as equivalent, because most of the time there's a one-to-one relationship between a TCP/IP subnet and an Ethernet LAN. (And your latest solution contemplates three LANs and three subnets.)

But Ethernets and TCP/IP subnets aren't required to have a 1-to-1 relationship. Above, we discussed the implications of having multiple TCP/IP subnets share the same Ethernet LAN. I'd mentioned that this can solve some addressing or administrative issues but the subnets are not isolated, so this doesn't add any security.

You might also be confused about VLANs, and that may be because some of your platforms -- such as OpenBSD, and perhaps your large-enterprise AP -- are VLAN-capable, and it appears that multiple virtual NICs can be created and used. Yes, virtual NICs are deployed, but the LANs each connect to are separate, unique Ethernet LANs.

VLAN technology is used to logically combine multiple physical Ethernets. A managed switch is the central, key device in a VLAN network and an absolute requirement. The admin configures the switch and allocates its physical ports to separate Ethernet LANs for end-use devices. The admin configures other ports where those LANs are combined. These combined LAN ports are used for connections to -- for lack of a better term -- "back-haul" systems that need to communicate with multiple, distinct Ethernet LANs directly.

A VLAN-connected server uses multiple virtual NICs to communicate with those individual physical Ethernet LANs.

---

I hope that this information helped, and wasn't excessively a review of knowledge you already have. If it was, I hope that at least I didn't bore you.

Last edited by jggimi; 11th March 2015 at 04:34 PM. Reason: typos, clarity
11th March 2015
Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

I am kind of late for the party but it looks to me that this might be a good read for OP.

http://www.packetmischief.ca/2011/09...routing-table/
13th March 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

Quote:
Originally Posted by rocket357
You're on the right path. Something like this:

em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices

NIC configs:
/etc/hostname.em1:
Code:
inet 192.168.0.1 255.255.255.128
/etc/hostname.${ADDONNIC}0
Code:
inet 192.168.0.129 255.255.255.128
/etc/dhcpd.conf (NOTE: You can serve multiple subnets with a single running dhcpd!)
Code:
  subnet 192.168.0.0 netmask 255.255.255.128 { 
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1; # assuming you run unbound listening on multiple ips!
    range 192.168.0.2 192.168.0.126; 
  } 
  subnet 192.168.0.128 netmask 255.255.255.128 { 
    option routers 192.168.0.129;
    option domain-name-servers 192.168.0.129; # assuming you run unbound listening on multiple ips!
    range 192.168.0.130 192.168.0.254; 
  }
/etc/pf.conf:
Code:
ext_if = em0
lan = "192.168.0.0/25"
wlan = "192.168.0.128/25"
table <nated> { $lan, $wlan }

pass out on $ext_if from <nated> nat-to ($ext_if)

block in quick from $wlan to $lan
block in quick from $lan to $wlan  # total separation, if desired
That cleared a lot up. Thanks. Now i know where to start.

Last edited by daemonbak; 26th March 2015 at 09:57 PM.
13th March 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

My primary firewall at home is a dual onboard fxp box that has an re and rl. re and rl are both full size PCI (it's a 566 MHz i386). The re is a gigabit card and it handles 50-60 Mbps (my internet speed, haven't tested for max throughput, unfortunately) rather well. I'd prefer Intel over realtek, but I can't complain, FWIW.

To make it explicitly clear, I'm not recommending re or rl, I'm just commenting that they work for my use case.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
26th March 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

Any suggestions for an Intel nic that will work with a mini PCI Express or standard full-size PCI slot? Are there any advantages to using Express over plain-Jane PCI for a gigabit card?

It would have to hang outside the box as there is no room for expansion ports on the back.

It would also not clear the ceiling of the case.

I could drill a hole in the metal, run a cat cable in and then put the rj45 connector on after and then plug it in. But there is really no room inside.

Would this be what I need?
http://www.amazon.com/exec/obidos/ASIN/B006VCPB2S

I would really like to keep it an intel nic for my third nic.

Is there an intel nic version of this? I can't find one anywhere.

What is everyone else using? trying to get this implemented asap so all help appreciated.

Thanks
27th March 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

You've asked this same question several times here, and I haven't seen it addressed. You might have better luck asking this sort of question on misc@; this is a very small community and you'll reach orders of magnitude more people there.

OpenBSD driver support is by chipset, not by hardware vendor, but Intel happens to be a chipset manufacturer.
27th March 2015
ibara (OpenBSD language porter; Join Date: Jan 2014; Posts: 783)

I had no idea you would also take a standard PCI NIC.
http://www.ebay.com/itm/351244231349
Enjoy.
20th May 2015
azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

Quote:
Originally Posted by daemonbak
What about using my mini PCI Express slot for the extra port for vlanning off the wireless. I could run a ribbon as the last person suggested. I would like to use an Intel nic though. I don't see any mini PCI Express cards. I also have a PCI full-size slot open, but since it's not Express, my guess is throughput would suffer.

Confused and Frustrated.

Thanks!
We seem to be in the same boat. You have different hardware and purpose for more nics, but the issue seems similar.

I can't find any way to sandwich another nic in my case. Although I believe my case has more space than yours, it is still too tight.

Here is my thread: http://daemonforums.org/showthread.php?p=54803

Did you ever get resolution to this or find something that might be a solution? Thanks

Also, throughput should not suffer on a gigabit card, even if it is a basic PCI connector and not -e
23rd May 2015
daemonbak (Fdisk Soldier; Join Date: Feb 2015; Posts: 51)

Quote:
Originally Posted by rocket357
You're on the right path. Something like this:

em1 = connection to unmanaged switch/wired lan
addon_nic = connection to AP and all devices

NIC configs:
/etc/hostname.em1:
Code:
inet 192.168.0.1 255.255.255.128
/etc/hostname.${ADDONNIC}0
Code:
inet 192.168.0.129 255.255.255.128
/etc/dhcpd.conf (NOTE: You can serve multiple subnets with a single running dhcpd!)
Code:
  subnet 192.168.0.0 netmask 255.255.255.128 { 
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1; # assuming you run unbound listening on multiple ips!
    range 192.168.0.2 192.168.0.126; 
  } 
  subnet 192.168.0.128 netmask 255.255.255.128 { 
    option routers 192.168.0.129;
    option domain-name-servers 192.168.0.129; # assuming you run unbound listening on multiple ips!
    range 192.168.0.130 192.168.0.254; 
  }
/etc/pf.conf:
Code:
ext_if = em0
lan = "192.168.0.0/25"
wlan = "192.168.0.128/25"
table <nated> { $lan, $wlan }

pass out on $ext_if from <nated> nat-to ($ext_if)

block in quick from $wlan to $lan
block in quick from $lan to $wlan  # total separation, if desired
Follow up question. Would there be any issues with having 2 networks with the same 192.168.0.x on the firewall device? I think there would be no issues with:

SUBNET TRUSTED LAN:
192.168.0.2 192.168.0.126
SUBNET UNTRUSTED LAN/WIRELESS:
192.168.0.130 192.168.0.254

I know that if I had 192.168.0.2 and 192.168.0.45 on a normal computer, it would freak out on which interface to exit for connections. But I usually use 255.255.255.0, not 255.255.255.128.

I am assuming with a firewall though this would be ok.

Or should I switch one dhcp interface so instead I would have:

SUBNET TRUSTED LAN:
192.168.0.2 - 192.168.0.126
SUBNET UNTRUSTED LAN/WIRELESS:
192.168.1.2 - 192.168.1.126

or does having the subnet as 255.255.255.128 make it so there are no issues with them both being 192.168.0.x?

Feel free to ask clarification, very sleepy now.
23rd May 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Do not configure two NICs on the same subnet. OpenBSD does not support this, except in special cases when trunk(4), bridge(4) or carp(4) interfaces are configured.

You can deploy similar addressing to meet your intentions, perhaps using two /25 subnets (netmask 255.255.255.128), which would not violate this provisioning rule.

Instead of a single 256-address subnet, you would configure two 128-address subnets: 192.168.0.0/25 (range .0 through .127) and 192.168.0.128/25 (range .128 through .255).

As with a /24, the low-order addresses (.0 and .128) would be reserved for routing, while the high-order addresses (.127 and .255) would be reserved for broadcast.

Last edited by jggimi; 23rd May 2015 at 01:20 PM. Reason: added trunk(4), fixed a typo, clarity
23rd May 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

TL;DR: 192.168.0.0/25 and 192.168.0.128/25 are indeed separate subnets and will not cause any routing issues if a machine has one address from each subnet.

As jggimi has pointed out already, you'll run into issues with two nics on the same subnet, as it causes routing issues. You might be able to do a virtual route table configuration to accomplish that, but I have yet to take that plunge into what appears (to me, as of yet, since I haven't had a need for it) to be complete insanity.

As you stated, setting the subnet to 255.255.255.128 would make them separate subnets (again, as detailed by jggimi). In fact, you can drop the /25 down further as such:

192.168.0.0/24 = 256 addresses
192.168.0.0/25 = 128 addresses
192.168.0.0/26 = 64 addresses
192.168.0.0/27 = 32 addresses
192.168.0.0/28 = 16 addresses
192.168.0.0/29 = 8 addresses
192.168.0.0/30 = 4 addresses

In all of those above, you can actually use the number of addresses - 2 (network and broadcast each take a single address out of the pool for /30 and above). This means a /30 actually has two usable addresses (and is useful for a setup where you have a single isolated machine: addresses in the /30 would be network, gateway, host, broadcast, so you can only have one host).

To figure out the next range up from your current one, you'd count the number of addresses up from where you are. For instance, if you are using 192.168.0.0/28, the next *network* address would be 16 addresses up, or subnet 192.168.0.16/28, and the next subnet after that would be 192.168.0.32/28, then 192.168.0.48/28, then 192.168.0.64/28, and so on.

As a separate example, just look at the routing table of a configuration like you're working on (10.2.0.0/24 in my network is dedicated to Windows machines, which I put in their own /30's for isolation purposes...the following output is separated for visibility):

Code:
$ netstat -rnf inet | egrep '10.2|Iface'
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
--
10.2.0.0/30        link#15            UC         1        0     -     4 vlan2000
10.2.0.1           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.2           f0:1f:af:5c:27:eb  UHLc    4959 89251403     - L   4 vlan2000
--
10.2.0.4/30        link#16            UC         1        0     -     4 vlan2001
10.2.0.5           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.6           50:46:5d:50:5a:f4  UHLc       1 167633949     -     4 vlan2001
--
10.2.0.8/30        link#17            UC         1        0     -     4 vlan2002
10.2.0.9           00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
10.2.0.10          00:1a:a0:5e:93:fe  UHLc    3518 31997246     -     4 vlan2002
--
10.2.0.12/30       link#18            UC         0        0     -     4 vlan2003
10.2.0.13          00:01:29:0c:00:89  UHLl       0        0     -     1 lo0
You'll note that 10.2.0.12/30 does not yet have a host in it; it's simply there for the next Windows device that finds a home in my house.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 23rd May 2015 at 08:01 PM.
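To make the arithmetic in the two posts above concrete (jggimi's point that two /25s are distinct subnets, and rocket357's address table, "next network address" rule and the /30 layout visible in the netstat output), here is an added Python example written for this thread, not from either poster. It uses only the standard ipaddress module; the sample networks are the ones quoted in the thread, and the same_subnet helper answers daemonbak's question of whether 192.168.0.2 and 192.168.0.130 collide under a /24 versus a /25.

```python
"""Subnet arithmetic behind the /25 vs /24 discussion.

Added example, not from the forum posts: helpers that reproduce the
address-count table, the next-network rule, the /30 layout seen in the
netstat output (network, gateway, host, broadcast) and the question of
whether two addresses share a subnet under a given mask.
"""
import ipaddress


def _net(value):
    """Accept either a network object or a 'a.b.c.d/len' string."""
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return value
    return ipaddress.ip_network(value)


def usable_hosts(net):
    """Hosts left after reserving the network and broadcast addresses.
    The two-address reservation applies to /30 and shorter prefixes; a /31
    (RFC 3021 point-to-point link) and a /32 have no broadcast to reserve."""
    net = _net(net)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def address_table(base="192.168.0.0", prefixes=range(24, 31)):
    """Map prefix length -> (total addresses, usable host addresses),
    i.e. the /24 .. /30 table from the post plus the '- 2' rule."""
    table = {}
    for p in prefixes:
        net = ipaddress.ip_network(f"{base}/{p}")
        table[p] = (net.num_addresses, usable_hosts(net))
    return table


def next_subnet(net):
    """The subnet of the same size that starts right after `net`
    (192.168.0.16/28 -> 192.168.0.32/28). Raises at the end of the
    address space, since there is no next block there."""
    net = _net(net)
    first = net.broadcast_address + 1
    return str(ipaddress.ip_network(f"{first}/{net.prefixlen}"))


def carve(parent, new_prefix):
    """Split `parent` into equal-size blocks, e.g. 10.2.0.0/24 into 64 /30s,
    which is how the per-host Windows subnets in the netstat output arise."""
    return [str(n) for n in _net(parent).subnets(new_prefix=new_prefix)]


def p2p_layout(net):
    """Role of each address in a /30 that isolates one host, matching the
    netstat output: network, gateway on the firewall (lo0), host, broadcast."""
    net = _net(net)
    if net.prefixlen != 30:
        raise ValueError("layout is defined for /30 only")
    network, gateway, host, broadcast = list(net)  # all four addresses, in order
    return {"network": str(network), "gateway": str(gateway),
            "host": str(host), "broadcast": str(broadcast)}


def same_subnet(addr_a, addr_b, prefixlen):
    """True when both addresses fall into one subnet under the given mask."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{prefixlen}").network
    return net_a == net_b


if __name__ == "__main__":
    for p, (total, usable) in address_table().items():
        print(f"192.168.0.0/{p} = {total} addresses, {usable} usable")
    print("after 192.168.0.16/28 comes", next_subnet("192.168.0.16/28"))
    print("first /30s of 10.2.0.0/24:", carve("10.2.0.0/24", 30)[:4])
    print("10.2.0.4/30 layout:", p2p_layout("10.2.0.4/30"))
    for plen in (24, 25):
        print(f"/{plen}: 192.168.0.2 and 192.168.0.130 share a subnet?",
              same_subnet("192.168.0.2", "192.168.0.130", plen))
```

The last two lines of output are the answer to the follow-up question: under 255.255.255.0 both addresses land in 192.168.0.0/24 and two NICs would be on one subnet, while under 255.255.255.128 they fall into 192.168.0.0/25 and 192.168.0.128/25 and the firewall has an unambiguous route for each.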
24th May 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote:
Originally Posted by rocket357
...as it causes routing issues...
I believe ARP issues also occur. It's an architectural "don't."

If this were my network, I'd use an addressing schema that is more readily understandable than two adjacent /25 subnets. Such as two distinct /24 subnets.

RFC 1918 offers us room to configure 69,888 /24 subnets, and we should exploit that small freedom to make our administrative lives easier.