Q: Not state of the art LAN setup

Gordon Haverland
 

If a person allows wifi content to enter a LAN, it could be from
authorized sources or non-authorized sources. But the intention is
that it is authorized. And to my simple thinking, the only way to do
this is to allow almost no content via unencrypted IP and force all
traffic to use a VPN to do anything, which supposedly forces some
undesirable person accessing the LAN via wifi to break a much harder
certificate used for the VPN.

I only have 1 niece, and one weekend when I wasn't here, she
disconnected some of my network to plug her stupid Apple shit into my
LAN so that she could get access to the Internet for something or
another. I could ask her to not do this, but at some point in the
future someone else could do something similar; and so a better
solution is needed.

DHCP hands out IP addresses. If the "same" computer connects to a DHCP
server (on a router) to get an IP, it gets the same IP address. Things
can change on that particular computer, which causes a DHCP server to
give a different IP address.

Let's say that all DHCP looks at is the MAC address. So, if someone
wants to get connected to the LAN, and they have problems, they might
think that "all" that is required is to look for the MAC addresses on
the LAN now, DOS a machine with one of those MAC addresses, and then
attempt to connect to the network using a changed MAC address to be the
same as the machine knocked off.

I don't know very much about DHCP servers (such as are in routers), but
I think they use more than MAC addresses. But, I suspect if they
knocked an existing MAC address off, and connected using that MAC
address, they would get an IP from the DHCP server. And I suspect it
would be a different IP (but I could be wrong).

If all machines (legitimately) on my farm (LAN) know that a simple
login is NOT enough, that they need to log in to a VPN served by a
"server" on the LAN (better yet, more than one, but I don't know if
this is possible); that might accomplish what I want. But maybe there
are other solutions that I don't know about?

We set up QOS on this simple router, and it allows almost no bandwidth
to traffic that is unencrypted on the LAN, and nearly 100% to traffic
that is encrypted (and on a VPN).

To snoop MAC addresses and knock one of those off probably isn't too
difficult. To then break a VPN certificate to get "real" access to the
LAN is a considerably harder issue, and maybe they will go away.

Is that the only solution? Is there something better?

Thanks.

--

Gord

Andrew Stott
 

You could set up something like 802.1X authentication on your network. You need to meet certain criteria before a device is allowed to connect. It could be a bit of a nightmare to get set up, but it will prevent unauthorized devices. You will likely need a managed switch though, depending on the implementation. You will likely need to set up your own certificate authority to issue certificates too.

We're in the middle of rolling out Cisco's version of this at work - it's caused a few bumps along the road, however it works as intended. If you don't meet the criteria specified for authentication you aren't getting any traffic onto the network.

Andrew

-----Original Message-----
From: elug@groups.io <elug@groups.io> On Behalf Of Gordon Haverland via Groups.Io
Sent: Sunday, December 8, 2019 8:24 PM
To: elug@groups.io
Subject: [elug] Q: Not state of the art LAN setup


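Andrew's 802.1X suggestion rests on the "your own certificate authority" part: with EAP-TLS the RADIUS server and every device each present a certificate, and a device without one never gets a port or an SSID association. The script below is an added example, not code from this thread, from Cisco or from any other vendor, showing the minimum such a private CA needs with plain openssl. The CA name, the `radius.farm.lan` hostname, the `desktop-1` device name and the output directory are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal private CA for EAP-TLS
# (802.1X with certificates), built with openssl. It produces:
#   ca.crt / ca.key       the root that every device and the RADIUS server trust
#   radius.crt / .key     the RADIUS (authentication server) certificate
#   <device>.crt / .key   one certificate per device, so a single lost device
#                         can be revoked without reissuing everything
# All names, CNs and the farm.lan domain are placeholders.
set -eu

make_eap_tls_pki() {            # usage: make_eap_tls_pki DIR RADIUS_FQDN
  dir=$1; radius_fqdn=$2
  mkdir -p "$dir"
  # Extension profiles. The split matters: a device certificate must not be
  # usable as a RADIUS server certificate (serverAuth) and vice versa, or one
  # stolen laptop certificate lets its holder impersonate the network to
  # every other device.
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-when-subj-is-given
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[radius_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$radius_fqdn
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed root. Keep ca.key off the network once issuance is done.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ext.cnf" -extensions ca_ext \
    -subj "/CN=Farm LAN 802.1X CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt"
  chmod 600 "$dir/ca.key"
  issue_cert "$dir" radius "/CN=$radius_fqdn" radius_ext
}

issue_client_cert() {           # usage: issue_client_cert DIR DEVICE_NAME
  issue_cert "$1" "$2" "/CN=$2" client_ext
}

issue_cert() {                  # DIR NAME SUBJECT EXT_SECTION
  dir=$1; name=$2; subj=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/ext.cnf" -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr"
  # Extensions are taken from our file, never from the CSR, so a requester
  # cannot ask for CA:TRUE or serverAuth.
  openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.crt"
  rm -f "$dir/$name.csr"
  chmod 600 "$dir/$name.key"
}

# verify_cert DIR NAME sslserver|sslclient : exit 0 only if NAME.crt chains to
# our CA *and* carries the key usage / EKU for that role.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone run: build a CA, a RADIUS certificate and one device certificate.
if [ "${1:-}" = "demo" ]; then
  make_eap_tls_pki ./eap-pki radius.farm.lan
  issue_client_cert ./eap-pki desktop-1
  verify_cert ./eap-pki radius sslserver && echo "radius certificate OK"
  verify_cert ./eap-pki desktop-1 sslclient && echo "desktop-1 certificate OK"
fi
```

Run it as `sh eap-pki.sh demo`. The files then go where you would expect: FreeRADIUS's `eap` module takes `ca_file`, `certificate_file` and `private_key_file` (ca.crt, radius.crt, radius.key); hostapd on the access point needs `ieee8021x=1` plus `auth_server_addr` and `auth_server_shared_secret`; and each device's wpa_supplicant network block uses `key_mgmt=WPA-EAP`, `eap=TLS`, `ca_cert`, `client_cert`, `private_key` and, importantly, `domain_match=radius.farm.lan`, so a rogue access point presenting any other certificate is refused rather than silently accepted. Revocation is the piece this script leaves out: to revoke one device you need a CRL, which means running the issuance through `openssl ca` with its index database instead of bare `openssl x509 -req`.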
Andrew Stott
 

It may be simpler to just set up a VLAN for guest access - that way you can have a guest SSID on your wifi that is isolated from your devices. Toss your unused ports on your devices into that VLAN as well (or just turn them off). Again, will require a managed switch if you have one. Not sure what you are running for a router - I think you were running OpenWRT at one point - I think that will do VLANs on the ports on the device itself, but it would require some research.

Andrew


o1bigtenor
 

On Sun, Dec 8, 2019 at 10:10 PM Andrew Stott <andrew@...> wrote:

> It may be simpler to just setup a VLAN for Guest access - that way you can have a guest SSID on your wifi that is isolated from your devices. Toss your unused ports on your devices into that VLAN as well (or just turn them off). Again will require a managed switch if you have one. Not sure what you are running for a router - I think you were running OpenWRT at one point - I think that will do vlans on the ports on the device itself but it would require some research.

Greetings

Would it be possible to limit access using something like either
iptables or nftables?

I'm thinking that commonly the DHCP server has somewhat consistent IP
addresses for machines commonly on the LAN. Even when an existing
machine on the LAN is unplugged, if a 'different' machine is attached
the IP address issued is usually not one of the previous. So if the
firewall is set up so that only packets from 'known' systems are
accepted onto the LAN (I'm talking about things from the point of view
of the LAN, not the WAN), it might be a relatively simple solution.

Regards
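The "only packets from known systems" idea above, written out as an nftables ruleset, as an added example that is not part of the thread. The allowlist format, the hosts in it and the interface names (`br-lan`, `eth0`) are made up for the example; a real list would be the static DHCP leases on the router. The ruleset keys on the (MAC, IPv4) pair rather than on either alone, so a forged MAC also has to carry the matching address. Gord's own objection still holds: both are attacker-controlled, so this is defence in depth behind 802.1X or a guest VLAN, not a substitute for them.

```sh
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# accepts LAN traffic only from known (MAC, IPv4) pairs. Interface names,
# the allowlist format and every host in it are constructed placeholders.
set -eu

# Constructed allowlist: one line per device, MAC then the address the DHCP
# server always hands it (a static lease). Blank lines and # comments allowed.
KNOWN_HOSTS='
# mac                 ipv4            who
00:11:22:33:44:55     192.168.1.10    # desktop-1
00:11:22:33:44:66     192.168.1.11    # rockpi
00:11:22:33:44:77     192.168.1.12    # pihole
'

# parse_host_line LINE -> prints "mac ip"; returns 1 for blank/comment lines,
# 2 for anything that is not a MAC followed by a dotted-quad IPv4 address.
parse_host_line() {
  line=${1%%#*}                        # drop trailing comment
  set -- $line                         # split on whitespace
  [ $# -eq 0 ] && return 1
  [ $# -ge 2 ] || return 2
  mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 2
  printf '%s\n' "$2"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'  || return 2
  printf '%s %s\n' "$mac" "$2"
}

# build_ruleset HOSTS_TEXT -> prints the ruleset; fails on a malformed line or
# an empty list (a ruleset with an empty set would lock every host out).
build_ruleset() {
  hosts=$1
  elems=''; n=0
  while IFS= read -r line; do
    pair=$(parse_host_line "$line") && rc=0 || rc=$?
    case $rc in
      0) set -- $pair
         elems="$elems${elems:+, }$1 . $2"
         n=$((n + 1)) ;;
      1) ;;
      *) echo "build_ruleset: malformed line: $line" >&2; return 1 ;;
    esac
  done <<EOF
$hosts
EOF
  [ "$n" -gt 0 ] || { echo "build_ruleset: empty allowlist" >&2; return 1; }
  cat <<EOF
# nftables ruleset generated from $n known host(s).
# Assumes: LAN bridge br-lan, WAN interface eth0, IPv4 only
# (IPv6 from the LAN falls through to the drop policy on purpose).
flush ruleset
table inet lan_allow {
    set known {
        type ether_addr . ipv4_addr
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Anyone may ask for a lease; an unknown MAC still cannot send
        # anything else, it just ties up one lease.
        iifname "br-lan" udp dport 67 accept
        iifname "br-lan" ether saddr . ip saddr @known accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "br-lan" oifname "eth0" ether saddr . ip saddr @known accept
    }
}
EOF
}

# Stand-alone run: print the ruleset for the constructed allowlist.
if [ "${1:-}" = "print" ]; then
  build_ruleset "$KNOWN_HOSTS"
fi
```

Check it before loading with `sh known-hosts.sh print > lan_allow.nft && nft -c -f lan_allow.nft`, then `nft -f lan_allow.nft`. Two limits to keep in mind: the router's `forward` hook only sees traffic that crosses the router, so two hosts on the same switch still talk to each other regardless of this ruleset; and OpenWrt 19.07 (the release current when this thread was written) uses iptables, where the equivalent match is `-m mac --mac-source` combined with `-s`.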

Gordon Haverland
 

On Mon, 9 Dec 2019 04:10:00 +0000
"Andrew Stott" <andrew@...> wrote:

> managed switch

The only switches I have worked with are unmanaged.


I got annoyed with the changes some advertisers are inflicting on DNS,
and so I decided to set up a pi-hole for my LAN.

And then I realized that a whole bunch of intended updates probably
need to be finished before I start adding a pi-hole. By and large I
think the switches have 8 ports and routers I am using have 5 ports.

My connection to the Internet on my side is a Ubiquiti PTP link (5
GHz?) that is either up to date, or close. The next thing downline is
currently an OpenWRT router that probably should have been updated long
ago.

My thinking is that I spend the time to update a newer router, to serve
as the new connection between the PTP and my LAN.

If my LAN server had an empty slot for another ethernet card, I might
do something different; but I don't think it has an empty slot. It may
have a slot I can make empty.

In any event, my initial thought was to plug two unmanaged switches
into the router; one for amd64 class machines, and one for RPi class
machines. Which would leave it with 3 unused ports.

What I think you are suggesting is that I obtain a managed switch, and
I plug the managed switch into the "new" router which is downstream of
the Ubiquiti PTP. I have 2 "new" routers here (they were new 1.x years
ago): a TP-Link WR1043N v5.0 and a TP-Link Archer C7 AC1750 v2.0. The
1043 has a slightly faster CPU and only does 2.4 GHz wifi, and the C7
has twice as much RAM with a slightly slower CPU and does both 2.4 and
5 GHz wifi.

I have 4 "permanent" amd64 type desktop and/or server type machines,
and I have a mini-ITX with an amd64 type CPU, which will eventually be
able to be put in my truck, or brought into the house (it isn't
permanent, it is mobile). Two of the permanent machines are close to
where the router for the LAN will be, as is the mobile machine. The
other two permanent are in another room on a different circuit.

I have some RPi:
1. Rock Pi 4b (Rockchip 3399)
2. PinePro 64 laptop (coming also Rockchip 3399)
3. Odroid-C2
4. RPi 3b+
5. probably others (older)

The 3b+ is going to become the Pi-hole (for now). At some point, I am
going to set up a GPS base station, and the Odroid-C2 is going to be
associated with that GPS chip. The RockPi 4b is probably going to do a
couple of things, serve NTP (if the Odroid is maxed out dealing with
the GPS chip) and serve as the computer sending GPS corrections to the
rovers on the farm (hopefully RTK).

From a wiring point of view, the ethernet line from the Ubiquiti comes
into my bedroom, which is where the POE to run the Ubiquiti is served
from. There are 3 computers and 3 UPS in my bedroom. In the next room
(on a different circuit) are 2 more computers and 2 more UPS.

The garage is attached to the house, and it will (probably) be where
the Archer C7 is located. Possibly in the "attic", or if need be on
top (in a "box"). I can see a need for sensors (and Arduino and/or RPi
in the garage, I don't know that I need a desktop in there) in the
garage. I think off the NE corner of the garage, I would like to mount
a directional antenna for wifi pointing roughly NE, which is where I
would like to build a "garage" for my tractor and also set up my 10m
pole to mount my weather station on. The point is to get that weather
data back to the house.

Because of terrain and trees, I think I need to set "routers" on the
perimeter of the farm (1/8 mile wide by 1/2 mile long) with directional
antennae "pointing inwards". Or rather, on half (or so) of the
perimeter; it might end up being 3/4 of the perimeter. That 1/8 mile
width is 660 feet, which is nominally twice the range of the "n"
protocol? These routers would be configured for mesh networking.

For the long direction, the bottom fenceline of the farm has line of
sight (ignoring the presence of trees) to about 2/3 or 3/4 of the way
up. The top fenceline only sees down about 1/4 of the way. The SE
corner of the farm has an east slope and is much steeper than the rest
of the farm which is a north slope.

If I have to set up a RPi with a directional antenna to be a mesh
networking router, I might as well put rudimentary weather
instrumentation in that unit, as well as cameras (visible and NIR). I
have a deer problem, so learning more about the deer is important.
Some neighbour's cat also comes to visit, but I don't know which
neighbour.

I live within the 5(?)km exclusion zone around airports, or rather all
of the farm is within that exclusion zone. So, finding something other
than a quadcopter to try and image the ground from the sky is much
preferred. My plan is to make a heavy ground robot and tether a
balloon to it. Hanging below the balloon on a stabilised platform,
will be visible, NIR and LWIR cameras. And GPS, and I will want to get
the best that RTK can provide in finding the positions of those cameras.


Storing water is best done at as high an elevation as one can arrange.
I have a single dugout that is at about 80% of the farm. It has had
essentially no protection from winds since we bought the farm in 1975.
Other neighbours are actively cutting trees (lower than the dugout) or
have horses killing trees (lower than the dugout). A neighbour about
level with the dugout, doesn't seem to be changing his trees (at the
moment - he is older than me and the "new owners" could decide to start
cutting trees too). My limited water resource would do better, if I
would keep the wind off it. And whatever is growing on my land would
probably do better if there was less wind. Growing trees to shield the
wind, when deer like to eat trees creates a conflict; which is why I
need to learn more about these deer (all of them: white tail, mule,
moose, ...).


If you had pointers about documentation on how to work with VLANs, that
would be nice. I am trying to wade through wikipedia, parts make sense
and other parts don't.

Thanks.

--

Gord
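For Andrew's guest-VLAN suggestion and Gord's request for something more concrete than Wikipedia on VLANs: the following is an added example, not from the thread and not from the OpenWrt project, that prints the `uci` commands a guest VLAN plus an isolated guest SSID come down to on OpenWrt 19.07 with a swconfig switch, which is what the WR1043N and Archer C7 mentioned above have. Assumptions, all labelled in the script: the switch is `switch0` with the CPU on port 0, the guest subnet is 192.168.3.0/24, the guest SSID goes on `radio0`, and the interface is written in 19.07's `ifname` style (21.02 and later moved to `device` sections).

```sh
#!/bin/sh
# Added example (not from the thread): print a `uci batch` script that adds an
# isolated guest VLAN and guest SSID to an OpenWrt 19.07 router with a
# swconfig switch (TP-Link WR1043N / Archer C7 class hardware).
# Assumed: switch section 'switch0', CPU attached on switch port 0 (tagged),
# guest subnet 192.168.3.0/24, wifi radio 'radio0'. Check each against
# `uci show network` and `uci show wireless` before applying.
set -eu

# usage: guest_vlan_uci_batch CPU_IF GUEST_PORT VLAN_ID
#   CPU_IF      the interface the switch CPU port hangs off (eth0 or eth1;
#               `uci show network.lan.ifname` prints e.g. eth1.1, so eth1)
#   GUEST_PORT  the switch port to dedicate to wired guests (untagged)
#   VLAN_ID     a VLAN id not already used by any switch_vlan section;
#               small ids such as 3 are safe on swconfig boards
guest_vlan_uci_batch() {
  cpu_if=$1; guest_port=$2; vlan=$3
  case $vlan in ''|*[!0-9]*) echo "VLAN_ID must be numeric" >&2; return 1 ;; esac
  case $guest_port in ''|*[!0-9]*) echo "GUEST_PORT must be numeric" >&2; return 1 ;; esac
  cat <<EOF
set network.guest_vlan=switch_vlan
set network.guest_vlan.device='switch0'
set network.guest_vlan.vlan='$vlan'
set network.guest_vlan.ports='0t $guest_port'
set network.guest=interface
set network.guest.type='bridge'
set network.guest.ifname='$cpu_if.$vlan'
set network.guest.proto='static'
set network.guest.ipaddr='192.168.3.1'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='100'
set dhcp.guest.leasetime='1h'
set wireless.guest_ap=wifi-iface
set wireless.guest_ap.device='radio0'
set wireless.guest_ap.mode='ap'
set wireless.guest_ap.network='guest'
set wireless.guest_ap.ssid='Farm-Guest'
set wireless.guest_ap.encryption='psk2'
set wireless.guest_ap.key='CHANGE-ME-long-random-passphrase'
set wireless.guest_ap.isolate='1'
set firewall.guest_zone=zone
set firewall.guest_zone.name='guest'
set firewall.guest_zone.network='guest'
set firewall.guest_zone.input='REJECT'
set firewall.guest_zone.output='ACCEPT'
set firewall.guest_zone.forward='REJECT'
set firewall.guest_fwd=forwarding
set firewall.guest_fwd.src='guest'
set firewall.guest_fwd.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='guest-dhcp'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='guest-dns'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
commit network
commit dhcp
commit wireless
commit firewall
EOF
}

# Stand-alone run: `sh guest-vlan.sh print eth1 4 3` prints the batch; apply
# it on the router with
#   guest_vlan_uci_batch eth1 4 3 | uci batch && /etc/init.d/network restart && wifi reload
if [ "${1:-}" = "print" ]; then
  guest_vlan_uci_batch "${2:-eth1}" "${3:-4}" "${4:-3}"
fi
```

Two things the batch deliberately does not do for you. First, the guest port must also be removed from the lan VLAN, or it sits in both: look at `uci show network | grep switch_vlan` and drop the port number from the existing lan entry (something like `uci set network.@switch_vlan[0].ports='0t 1 2 3'`), doing this from a console or with a second path in, since a wrong port list on the switch cuts your own ssh session. Second, `isolate='1'` only stops wifi guests from seeing each other; the wired guest port is on the same bridge and is not isolated from them. What makes guests unable to reach the real LAN is the firewall zone: `input` and `forward` both REJECT, the only forwarding is to `wan`, and the only services the router offers that zone are DHCP and DNS, so pointing guests at the pi-hole later is one more rule, not a redesign.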

William Henderson aka Slackrat
 

"Gordon Haverland" <ghaverla@...> writes:

> stupid Apple shit

+1

--
William Henderson
aka Slackrat
http://billh.sdf.org/slackware.jpg