On 5/4/22 09:07, john doe wrote:
> Here are some comments in addition to this thread:
> - Do not use the router capability provided by your ISP.
> This is mainly to avoid letting your ISP remotely control the thing and
> disable the firewall for example.
>
> If you can, use your own router.
>
> If your ISP requires to work with their router put the ISP thing in
> 'bridge'/modem only mode, this will allow to get your public IPv4
> address to your own gateway.
As per the OP, I also have AT&T residential service. I use a
router-behind-router configuration -- an AT&T residential gateway
between the Internet and what is effectively a DMZ, and a UniFi Security
Gateway 3P between the DMZ and the LAN. Advantages of this
configuration include:
1. The AT&T DMZ is available (wired and Wi-Fi) when the UniFi LAN is
down for maintenance or modification. My wife and children need
Internet connectivity 24x7, regardless of my "experiments".
2. I can connect a laptop to the DMZ and configure/ test/ verify/
trouble-shoot UniFi from the outside (notably laptop VPN connectivity).
On 5/5/22 07:34, Tom Browder wrote:
> ... given a properly passwordless ssh connection, is there anything
> extraordinarily dangerous versus a VPN, or is it the redundancy you
> favor?
> (I am the only superuser, and usually the only user of my network.)
AIUI SSH with passwords disabled and strong passphrase-protected keys is
secure.
AIUI VPN with strong pre-shared keys and strong passphrases is secure.
My primary use-case for SSH is CVS. This can be accomplished via port
forwarding on the gateway. (The router-behind-router topology means I
need to do this twice.) The challenge is when you want to access
multiple LAN hosts via SSH. Options include adding (and translating)
non-standard ports, and using an SSH jump host. (Lucas recommends the
latter.)
A VPN connection means that my laptop can see all hosts and services on
the LAN when I am remote. My primary use-case is accessing the file
server (Samba) using a GUI file manager application. I can also SSH
directly into any host. UniFi provides the network tools for the VPN,
and Windows and macOS provide the client tools for the VPN. I have
never succeeded configuring a VPN client on Debian.
> BTW, regarding pfsense, I forgot it runs on BSD, so I plan to get their
> small appliance to hang off the ISP router.
Prior to UniFi, I variously used PCs with general-purpose (Red Hat,
Debian) and purpose-built Linux (IPCop) and BSD (pfSense) distributions,
and commercial routers (Netgear) with stock and FOSS (OpenWRT) firmware
as Internet gateways/ routers. Raw Linux was configured via the
console. All the others had web control panels. Then I added a Wi-Fi
access point. Now I needed to keep two device settings in sync via two
web control panels. It was tedious. Then I added a remote site,
dynamic DNS, and connected the two sites with a VPN. Management became
a PITA.
I currently have one site with one UniFi security gateway (USG) and
three UniFi Wi-Fi access points. Management is via one UniFi web
control panel running on a purpose-built VPS. The UniFi controller
manages and synchronizes the settings on individual devices based upon
higher level abstractions ("Software Defined Networking"), such as
networks. I defined a network, followed the protocol to adopt hardware
devices, and it just works. Management is easy. UniFi provides many
additional features, including port-forwarding and VPNs.
Note that UniFi hardware products run embedded Linux. When I encounter
a difficult trouble-shooting problem, UniFi technical support guided me
to a console roll-up cable for the USG, and helped me configure system
logging to a network host.
David
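The two SSH points David raises above, reaching several LAN hosts through one forwarded port with a jump host, and running SSH "with passwords disabled", can be captured in a small script. This is an added example, not part of David's post or any UniFi configuration: the host names, the forwarded port 2222, the 192.0.2.10 LAN address and the user name are constructed placeholders, and the `check_sshd_hardening` function is a hypothetical helper written for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1 prints a client ~/.ssh/config in
# which only the jump host is reachable from outside; with a router-behind-router
# topology the ISP gateway and the inner router each forward one port to it, and
# every other LAN host is reached with ProxyJump, so no further forwards (or
# translated non-standard ports) are needed. Part 2 checks that a jump host's
# sshd_config really enforces key-only logins. All names/addresses are constructed.

print_ssh_config() {
    cat <<'EOF'
# constructed: dynamic-DNS name of the ISP gateway and the port forwarded
# (twice, once per router) to the jump host's sshd
Host jump
    HostName gateway.example.invalid
    Port 2222
    User david
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# constructed: a LAN-only address, reachable only via the jump host
Host fileserver
    HostName 192.0.2.10
    User david
    ProxyJump jump
EOF
}

# check_sshd_hardening FILE: prints each directive that is missing or wrong
# and returns non-zero if any is. sshd(8) uses the first matching directive
# and matches keywords case-insensitively, so the check does the same.
check_sshd_hardening() {
    cfg="$1"
    rc=0
    for want in "PasswordAuthentication no" \
                "KbdInteractiveAuthentication no" \
                "PubkeyAuthentication yes" \
                "PermitRootLogin no"; do
        key=${want%% *}
        val=${want#* }
        got=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$cfg: $key should be '$val' (found '${got:-unset}')"
            rc=1
        fi
    done
    return $rc
}

# Usage: print_ssh_config > ~/.ssh/config ; check_sshd_hardening /etc/ssh/sshd_config
```

`sshd -T` prints the effective configuration after includes and Match blocks; running the check against that output rather than the raw file avoids being fooled by a later `Include` that re-enables passwords.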