Re: [DNG] networking thinking

2021-12-24 Thread Gabe Stanton via Dng
On Sun, 2021-11-28 at 07:20 -0600, o1bigtenor via Dng wrote:
> I've been looking at pfsense and opnsense.

Sorry for reviving a month old thread but I'm just catching up on
emails and thought it might be useful to share that Opnsense hasn't
supported x86 for about 2 years. 

I use Opnsense and have for quite a while. I switched over from pfsense
quite a while back though I can't recall why. I almost stopped using
Opnsense when they dropped x86 but I ended up switching hardware to
comply. It was probably x86 support that caused me to switch to
Opnsense in the first place.

Gabe
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] networking thinking

2021-12-02 Thread Rod Rodolico via Dng
We use OPNSense for almost everything that does not require untrained
users to manage things. For the latter, we use IPFire.

OPNSense works for small offices that just want VPN, up to our NOC where
we have two routers (active/failover), DMZ and multiple backend LANs.
But, it does require some networking knowledge (though not as much as
"roll your own"). Don't know what part of the world you're in, but we
use Protectli (https://protectli.com/) hardware from the US. Pricey, but
I've not had a hardware failure in the 5+ years I've been using their
stuff. They have an option for Coreboot, a video port and a serial port,
so I feel I'm covered.

OPNSense also sells hardware specific to the appliance.

We also purchase used enterprise grade network switches (mainly HP) and
have had good results with them since we can monitor and configure at
will. The smaller clients are running little 16 port, 15 year old
switches, and at the NOC we're using two 96 port switches in an HA
configuration. As mentioned, the webUI on the switches doesn't work most
of the time, but I'm mainly a CLI type of tech anyway, so it doesn't
bother me.

Reply to questions:

1. Less hardware is better from a maintenance point of view. OPNSense
has an excellent firewall, so I do not have a separate firewall device.
My reason is pure laziness; I go to one interface I'm comfortable with
and configure there. Most of my firewalling is just allowing traffic
from one VLAN to another anyway, which is more of a routing thing.

2. No good training on networking that I know of except going back to
school.

If you decide to go with OPNSense, they have some decent documentation,
and the pfSense site has more. Feel free to visit my notes site at
http://kb.unixservertech.com for some recipes on OPNSense, but be warned
these are my personal notes and I'm not a good writer. I mainly stick
things out there so I don't have to remember them next time, but
occasionally, the OPNSense people will do an upgrade that negates all or
part of my notes.

Rod

On 11/29/21 3:38 PM, Adrian Zaugg wrote:
> Hi TIA
> 
> In the message of Sunday, 28 November 2021 14:20:14 CET it says:
> 
>> 1. is my splitting the network system into the three parts a good idea or
>> should I truncate parts 1 and 2 into the router? If you would please give
>> reasons - - - please?
> Fewer devices, less to set up and maintain and less to break: I would go with 1
> Firewall and 1 Switch.
> 
> Get a box with an SFP port for your firewall and install OPNSense on it. Stick
> your fiber directly in your firewall, if your provider lets you choose and does
> not insist on some plastic box. If he does, then try to use it in bridge mode.
> Upon request, the providers over here tell what one has to do when using a
> media converter (e.g. VLAN tag or PPPoE).
> 
> OPNSense and pfSense are excellent firewall distributions and IPv6 is well
> integrated with both of them. They are almost identical, coming the same way.
> OPNSense is more community oriented, whereas pfSense drifted away to be more
> commercial now, but documentation is better.
> 
> PCEngines is stable, bullet-proof hardware; it's industrial grade, lasts for
> ever and has a Coreboot BIOS. There soon will be a version with an SFP port
> available. You won't get gigabit speed through an APU with OPNSense (around
> 800 Mbit/s); get something with a CPU on par with an Intel N4100 if you want to
> be ready for gigabit speed.
> 
> There are many nice boxes around without SFP ports (like the ones from AsRock
> Industrial, e.g.), but don't use the Zotac nano CI329 with pfSense, it doesn't
> run stable (Linux, on the contrary, runs like a charm on these).
> 
> Zyxel switches are basically OK, but you don't get security updates after some
> years, the interface doesn't work on all browsers and they have weird bugs
> (e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik
> using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and
> they are rather cheap. You get a desktop switch with 2x 10GbE and 8x 1GbE for
> <$100. If you want to play around with your Zyxel to install whatever on it,
> that's fine, but I wouldn't invest my time in that - better get your lab
> running.
> 
> Opinions on the topic will differ; you'll get tons of advice in any
> direction. To a certain extent it's about your personal liking. Mine you
> probably just read above...
> 
> Regards, Adrian.
> 

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465 US
https://dailydata.net
214.827.2170 ext 100


Re: [DNG] networking thinking

2021-11-30 Thread Mike Tubby




Re: [DNG] networking thinking

2021-11-29 Thread Adrian Zaugg
Hi TIA

In the message of Sunday, 28 November 2021 14:20:14 CET it says:

> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?
Fewer devices, less to set up and maintain and less to break: I would go with 1
Firewall and 1 Switch.

Get a box with an SFP port for your firewall and install OPNSense on it. Stick
your fiber directly in your firewall, if your provider lets you choose and does
not insist on some plastic box. If he does, then try to use it in bridge mode.
Upon request, the providers over here tell what one has to do when using a
media converter (e.g. VLAN tag or PPPoE).

OPNSense and pfSense are excellent firewall distributions and IPv6 is well
integrated with both of them. They are almost identical, coming the same way.
OPNSense is more community oriented, whereas pfSense drifted away to be more
commercial now, but documentation is better.

PCEngines is stable, bullet-proof hardware; it's industrial grade, lasts for
ever and has a Coreboot BIOS. There soon will be a version with an SFP port
available. You won't get gigabit speed through an APU with OPNSense (around
800 Mbit/s); get something with a CPU on par with an Intel N4100 if you want to
be ready for gigabit speed.

There are many nice boxes around without SFP ports (like the ones from AsRock
Industrial, e.g.), but don't use the Zotac nano CI329 with pfSense, it doesn't
run stable (Linux, on the contrary, runs like a charm on these).

Zyxel switches are basically OK, but you don't get security updates after some
years, the interface doesn't work on all browsers and they have weird bugs
(e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik
using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and
they are rather cheap. You get a desktop switch with 2x 10GbE and 8x 1GbE for
<$100. If you want to play around with your Zyxel to install whatever on it,
that's fine, but I wouldn't invest my time in that - better get your lab
running.

Opinions on the topic will differ; you'll get tons of advice in any
direction. To a certain extent it's about your personal liking. Mine you
probably just read above...

Regards, Adrian.






Re: [DNG] networking thinking

2021-11-29 Thread onefang
On 2021-11-29 18:23:25, Simon wrote:
> o1bigtenor via Dng  wrote:
> 

> > 1. is my splitting the network system into the three parts a good
> > idea or should I truncate parts 1 and 2 into the router? If you would
> > please give reasons - - - please?
> 
> Six of one, half a dozen of the other. Sometimes having separate boxes
> is good, other times it isn’t. For example, if you run a router doing NAT
> (on IPv4) behind a firewall, then the firewall doesn’t see details of
> where the traffic comes from - only the mangled version where it’s all
> coming from one address. On the other hand, sometimes it can be tricky
> making everything work on one box - e.g. doing traffic shaping both ways
> when there’s multiple internal networks can require an intermediate
> virtual port (an IFB, intermediate function block, in iptables
> terminology) to route traffic through and I never did get the hang of
> that.
> 
> > 2. are there any good sources for information on and about networking?
> > debian has moved to nftables from iptables  - - - is devuan doing
> > similar?
> 
> Everything has moved, or will be moving, to nftables - it’s a kernel
> thing. There’s a shim layer to provide an iptables interface to help
> people through the transition, but I suspect it might struggle with some
> of the more complex stuff due to differences in semantics between
> iptables and nftables.
> 
> >  Where does one find information to enable a firewall that works
> > yet isn't stupid?
> 
> I’m afraid that’s up there with the answer to life, the universe, and
> everything - and in this case it’s not 42 ;-)
> 
> 
> Back when it was part of the day job, I would “sort of absorb” bits and
> pieces until I knew enough about networking to be dangerous. After that,
> it’s a case of recognising when there’s a gap in the knowledge and
> filling it through reading/research.
> 
> Sometimes a good starting point is to have a specific thing you need a
> pointer to and asking others.
> 
> 
> In the past my preferred firewall was Shorewall - it’s quite a steep
> learning curve, but not as steep as native iptables, and not as limiting
> as most other firewalls. However, I’m not sure of its current status as
> it was always very tightly bound into the semantics of iptables and would
> probably need a bottom up re-write to work well with nftables.
> 
> But while the learning curve can be steep when past the basics, the
> examples will let you get common setups going very quickly.
> 
> But by far the biggest thing that I liked about Shorewall was the
> “everything is in a bunch of text files” approach - meaning that you can
> look at the files and see what’s going on - and, I know this will
> frighten many used to GUIs, you can put comments in the files to tell you
> what is going on! At the same job I mention below, some of the
> firewalling was done with Zyxel appliances - all through a “rubbish” GUI
> that makes finding anything difficult and documenting it impossible.
> Almost a write-only system.

I use Shorewall too, for my home systems, and for the servers I'm looking
after.  I hope they update to nftables, or I'll have to find a new
firewall.

-- 
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.


Re: [DNG] networking thinking

2021-11-29 Thread Simon
o1bigtenor via Dng  wrote:

> 1. is my splitting the network system into the three parts a good idea or 
> should I truncate parts 1 and 2 into the router? If you would please give 
> reasons - - - please?

Six of one, half a dozen of the other. Sometimes having separate boxes is good, 
other times it isn’t. For example, if you run a router doing NAT (on IPv4) 
behind a firewall, then the firewall doesn’t see details of where the traffic 
comes from - only the mangled version where it’s all coming from one address. 
On the other hand, sometimes it can be tricky making everything work on one box 
- e.g. doing traffic shaping both ways when there’s multiple internal networks 
can require an intermediate virtual port (an IFB, intermediate function block, 
in iptables terminology) to route traffic through and I never did get the hang 
of that.

> 2. are there any good sources for information on and about networking? 
>  debian has moved to nftables from iptables  - - - is devuan doing 
> similar?

Everything has moved, or will be moving, to nftables - it’s a kernel thing. 
There’s a shim layer to provide an iptables interface to help people through 
the transition, but I suspect it might struggle with some of the more complex 
stuff due to differences in semantics between iptables and nftables.

>  Where does one find information to enable a firewall that works yet 
> isn't stupid?

I’m afraid that’s up there with the answer to life, the universe, and 
everything - and in this case it’s not 42 ;-)


Back when it was part of the day job, I would “sort of absorb” bits and pieces 
until I knew enough about networking to be dangerous. After that, it’s a case 
of recognising when there’s a gap in the knowledge and filling it through 
reading/research.

Sometimes a good starting point is to have a specific thing you need a pointer 
to and asking others.


In the past my preferred firewall was Shorewall - it’s quite a steep learning
curve, but not as steep as native iptables, and not as limiting as most other
firewalls. However, I’m not sure of its current status as it was always very
tightly bound into the semantics of iptables and would probably need a bottom
up re-write to work well with nftables.
But while the learning curve can be steep when past the basics, the examples
will let you get common setups going very quickly.
But by far the biggest thing that I liked about Shorewall was the “everything
is in a bunch of text files” approach - meaning that you can look at the files
and see what’s going on - and, I know this will frighten many used to GUIs, you
can put comments in the files to tell you what is going on! At the same job I
mention below, some of the firewalling was done with Zyxel appliances - all
through a “rubbish” GUI that makes finding anything difficult and documenting it
impossible. Almost a write-only system.

For the ultimate in control, eschew packages and get down and dirty with the 
native commands - i.e. learn how to drive nftables directly.



tito via Dng  wrote:

> I personally prefer x86 hardware for this kind of things

Me too, though there’s some fairly decent small computers about these days. 
IIRC the rPi4 has a “real” network interface, and gigabit at that - so it would 
probably make a fairly decent “router on a stick”.

Router on a stick being a reference to something like a lollipop where there’s
a “blob” on the end of a single stick. You can use VLANs up this single
ethernet link to separate the different classes of traffic - e.g. a VLAN for
the connection to your ISP, another for a management subnet for the switches
etc, another for the main office LAN, another for a guest WiFi, …
At my last place I had a Debian VM (pre SystemD) with something like 3 DSL 
(PPPoE) connections, another via an ethernet provider, a backend for 
inter-server traffic, office LAN, guest LAN, management LAN, and possibly 
something else as well. Most run on separate VLANs over a single ethernet 
interface. And all configured with Shorewall.


Simon
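The router-on-a-stick with VLAN-separated zones and the "everything is in a bunch of text files, with comments" firewall style described in Simon's message, as an added example that is not code from the original post, from Shorewall or from the nftables project: a small Python generator that reads a plain-text zone table and policy table (both allowing `#` comments), validates them, emits the iproute2 commands for the tagged VLAN sub-interfaces and an nftables forward chain with a default-drop policy, and can answer "would a NEW flow from zone A to zone B be forwarded?" by replaying the chain's first-match semantics. The interface names, VLAN ids, zone names and the whole sample policy are constructed for the example and are assumptions, not anything from the thread.

```python
"""Router-on-a-stick policy generator (added example for this thread).

Zones map to tagged VLAN sub-interfaces on one physical NIC; the policy file
lists which zone may open NEW connections to which other zone. Everything
not listed is dropped; return traffic is allowed by conntrack state. Both
files allow '#' comments, in the spirit of Shorewall's text configuration.
"""

# Constructed sample input: interface names, VLAN ids and zones are assumptions.
ZONES_TXT = """
# zone    interface   (one VLAN per zone, all tagged on eth0)
wan       eth0.10     # tagged uplink to the ISP
mgmt      eth0.20     # management subnet for the switches
office    eth0.30     # main office LAN
guest     eth0.40     # guest WiFi
"""

POLICY_TXT = """
# source  dest    action     anything not listed here is dropped
office    wan     accept   # office may reach the internet
guest     wan     accept   # guests get the internet and nothing else
office    mgmt    accept   # admins on the office LAN manage the switches
"""

ACTIONS = {"accept", "drop"}


def parse_table(text):
    """Drop '#' comments and blank lines, split the rest into whitespace fields."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_zones(text):
    """zone name -> interface name."""
    return {zone: iface for zone, iface in parse_table(text)}


def parse_policy(text):
    """List of (source zone, destination zone, action) in file order."""
    return [(src, dst, action) for src, dst, action in parse_table(text)]


def validate_policy(zones, policy):
    """Return a list of error strings; an empty list means the policy is usable."""
    errors = []
    for src, dst, action in policy:
        for zone in (src, dst):
            if zone not in zones:
                errors.append(f'unknown zone "{zone}"')
        if action not in ACTIONS:
            errors.append(f'unknown action "{action}"')
        if src == dst:
            errors.append(f'rule "{src} -> {dst}" has the same zone on both sides')
    return errors


def vlan_link_commands(zones):
    """iproute2 commands that create the VLAN sub-interfaces (parent.vid)."""
    cmds = []
    for iface in sorted(set(zones.values())):
        parent, vid = iface.rsplit(".", 1)
        cmds.append(f"ip link add link {parent} name {iface} type vlan id {int(vid)}")
    return cmds


def build_ruleset(zones, policy):
    """nftables forward chain: default drop, conntrack first, then the policy rows."""
    errors = validate_policy(zones, policy)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst, action in policy:
        # The comment keeps the zone names visible in 'nft list ruleset'.
        lines.append(
            f'    iifname "{zones[src]}" oifname "{zones[dst]}" {action}'
            f' comment "{src} -> {dst}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def new_flow_verdict(policy, src, dst):
    """First-match evaluation of the generated chain for a NEW flow."""
    for s, d, action in policy:
        if s == src and d == dst:
            return action
    return "drop"  # nothing matched: the chain policy applies


if __name__ == "__main__":
    zones = parse_zones(ZONES_TXT)
    policy = parse_policy(POLICY_TXT)
    print("\n".join(vlan_link_commands(zones)))
    print(build_ruleset(zones, policy))
    print("guest -> office:", new_flow_verdict(policy, "guest", "office"))
```

The generated text is meant to be reviewed and then loaded with `nft -f`; the point of generating it from a commented policy file rather than hand-editing the ruleset is that the policy stays readable and diffable, and the default-drop chain policy means a zone that was forgotten in the file is isolated rather than open.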




Re: [DNG] networking thinking

2021-11-28 Thread d...@d404.nl

On 28-11-2021 15:36, wirelessduck--- via Dng wrote:

> On 29 Nov 2021, at 01:07, tito via Dng  wrote:
> 
>> On Sun, 28 Nov 2021 07:20:14 -0600
>> o1bigtenor via Dng  wrote:
>> 
>>> Greetings
>>> 
>>> In anticipation of a fiber optical connection (moving from a wireless) I
>>> have been planning out and purchasing some bits of hardware. Am finding
>>> that networking is, at least sure seems to be, another black hole for time
>>> and effort.
>>> 
>>> TL;DR (skip to last paragraphs for the question(s))
>>> 
>>> At present this is a soho office kind of installation but that will slowly
>>> be morphing into something that is at least somewhat larger. There are a
>>> number of input sensor locations being worked on some of which would be
>>> generating, initially at least, up to 15 data streams sampled possibly
>>> every second (some maybe more often - - - decisions aren't all done as yet)
>>> so there will be a fair amount of data running around on my network which
>>> I'm trying to keep largely a wired affair.
>>> 
>>> At this point I'm working on the three entry bits of hardware (and their
>>> software) - - - the router, hardware firewall, and the managed switch. The
>>> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
>>> 
>>> For the router I'm planning on using OpenWRT running on a Nanopi r4s which
>>> according to the folks over on openwrt capable of even very close to full
>>> Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
>>> for future increases although I don't see a need for the foreseeable
>>> future.
>>> 
>>> For the switch I have found myself a XyZel 1900-48 that I'm working on
>>> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
>>> somewhat new but its open source and I'm not tied (I don't think) to
>>> OpenWRT - - - - except I don't know any other real alternative - - - so
>>> that's not a difficult solution either. I don't 'need' 48 ports but I have
>>> 16 at present on a hub and its almost full and that's for stuff only here
>>> in the orifice (sic!). I also want the capabilities of forcing streaming
>>> services and wireless communications to not collect any more data from any
>>> other part of the network (using VLANs) as is possible.
>>> 
>>> Then lastly to the hardware firewall.
>>> I've been looking at pfsense and opnsense. Both are ipv6 possible although
>>> both are mostly focused on ipv4 at the present. IPfire seems to have gotten
>>> itself into a holding pattern and is not continuing work toward ipv6
>>> functionality. Any one of these options are producing headaches when I'm
>>> trying to figure out how to configure them - - - nothing installed at
>>> present, just researching so far.
>>> 
>>> So - - - - questions - - - -
>>> 1. is my splitting the network system into the three parts a good idea or
>>> should I truncate parts 1 and 2 into the router? If you would please give
>>> reasons - - - please?
>> 
>> Hi,
>> 
>> If you want to have reliability splitting is good, if the router breaks
>> you still have a working firewall and switch and so on.
>> If you want also some redundancy you should think of buying
>> two of everything:
>> 
>> 2 routers
>> 2 firewalls
>> 2 switches (2 x24 rather than 1x48 ports)
>> 
>> I personally prefer x86 hardware for this kind of things
>> when I see that little boxes like the Nanopi R4S they make me
>> think about toys. In my case sadly I'm tied to adsl over pots
>> so for the modem I still need to use this little plastic blackboxes.
>> In your case I would swap the nanopi for a nice mini-itx board
>> with intel nics, a sfx/flex psu (or pico psu), 4-8 gb of ram and a well
>> ventilated case (with low noise Noctua fans).
>> 
>>> 2. are there any good sources for information on and about networking?
>>> debian has moved to nftables from iptables  - - - is devuan doing
>>> similar?
>> 
>> I think so.
>> 
>>> Where does one find information to enable a firewall that works yet
>>> isn't stupid?
>> 
>> I use arno-iptables-firewall It is easy to create a basic setup for your
>> network, reliable, comes with good defaults and can easily be tweaked (for
>> port-forwarding, vpns, geoip filtering and so on, don't know about vlans as
>> don't use them yet).
>> 
>>> (I've wondered about having some kind of easy 'switch' that when users left
>>> their systems that the system wouldn't be calling home in the overnight at
>>> least a la ms googly. Dunno if that's 'simple' or not - - - so much to
>>> learn and so little time to do it all in!)
>>> 
>>> TIA
>> 
>> Ciao,
>> Tito
> 
> I’ve just finished setting up a new router using PCEngines APU2 (apu4d4 model)
> with OpenWRT. Uses x64 AMD Embedded G series GX-412TC and has 4x Intel i211AT
> Ethernet ports. It also runs a Coreboot bios and I can see regular bios updates
> approximately monthly. The coreboot bios and AMD CPU were the main reasons I
> picked this over a Qotom box. It’s also fanless which is good for a quiet
> environment.
> 
> The only downside is having only serial console output so you need a serial
> cable or serial-usb cable for the initial setup or bios configuration changes.
> Thankfully subsequent bios updates can be done with OpenWRT via flashrom.
> 
> https://pcengines.ch/apu2.htm

Re: [DNG] networking thinking

2021-11-28 Thread wirelessduck--- via Dng


> On 29 Nov 2021, at 01:07, tito via Dng  wrote:
> 
> On Sun, 28 Nov 2021 07:20:14 -0600
> o1bigtenor via Dng  wrote:
> 
>> Greetings
>> 
>> In anticipation of a fiber optical connection (moving from a wireless) I
>> have been planning out and purchasing some bits of hardware. Am finding
>> that networking is, at least sure seems to be, another black hole for time
>> and effort.
>> 
>> TL;DR (skip to last paragraphs for the question(s))
>> 
>> At present this is a soho office kind of installation but that will slowly
>> be morphing into something that is at least somewhat larger. There are a
>> number of input sensor locations being worked on some of which would be
>> generating, initially at least, up to 15 data streams sampled possibly
>> every second (some maybe more often - - - decisions aren't all done as yet)
>> so there will be a fair amount of data running around on my network which
>> I'm trying to keep largely a wired affair.
>> 
>> At this point I'm working on the three entry bits of hardware (and their
>> software) - - - the router, hardware firewall, and the managed switch. The
>> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
>> 
>> For the router I'm planning on using OpenWRT running on a Nanopi r4s which
>> according to the folks over on openwrt capable of even very close to full
>> Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
>> for future increases although I don't see a need for the foreseeable
>> future.
>> 
>> For the switch I have found myself a XyZel 1900-48 that I'm working on
>> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
>> somewhat new but its open source and I'm not tied (I don't think) to
>> OpenWRT - - - - except I don't know any other real alternative - - - so
>> that's not a difficult solution either. I don't 'need' 48 ports but I have
>> 16 at present on a hub and its almost full and that's for stuff only here
>> in the orifice (sic!). I also want the capabilities of forcing streaming
>> services and wireless communications to not collect any more data from any
>> other part of the network (using VLANs) as is possible.
>> 
>> Then lastly to the hardware firewall.
>> I've been looking at pfsense and opnsense. Both are ipv6 possible although
>> both are mostly focused on ipv4 at the present. IPfire seems to have gotten
>> itself into a holding pattern and is not continuing work toward ipv6
>> functionality. Any one of these options are producing headaches when I'm
>> trying to figure out how to configure them - - - nothing installed at
>> present, just researching so far.
>> 
>> So - - - - questions - - - -
>> 1. is my splitting the network system into the three parts a good idea or
>> should I truncate parts 1 and 2 into the router? If you would please give
>> reasons - - - please?
> 
> Hi,
> 
> If you want to have reliability splitting is good, if the router breaks
> you still have a working firewall and switch and so on.
> If you want also some redundancy you should think of buying 
> two of everything:
> 
> 2 routers 
> 2 firewalls
> 2 switches (2 x24 rather than 1x48 ports)
> 
> I personally prefer x86 hardware for this kind of things
> when I see that little boxes like the Nanopi R4S they make me
> think about toys. In my case sadly I'm tied to adsl over pots
> so for the modem I still need to use this little plastic blackboxes.
> In your case I would swap the nanopi for a nice mini-itx board
> with intel nics, a sfx/flex psu (or pico psu), 4-8 gb of ram and a well
> ventilated case (with low noise Noctua fans).
> 
>> 2. are there any good sources for information on and about networking?
>> debian has moved to nftables from iptables  - - - is devuan doing
>> similar?
> 
> I think so.
> 
>> Where does one find information to enable a firewall that works yet
>> isn't stupid?
> 
> I use arno-iptables-firewall It is easy to create a basic setup for your 
> network,
> reliable, comes with good defaults and can easily be tweaked (for 
> port-forwarding, 
> vpns, geoip filtering and so on, don't know about vlans as don't use them 
> yet).
> 
>> (I've wondered about having some kind of easy 'switch' that when users left
>> their systems that the system wouldn't be calling home in the overnight at
>> least a la ms googly. Dunno if that's 'simple' or not - - - so much to
>> learn and so little time to do it all in!)
>> 
>> TIA
> 
> Ciao,
> Tito

I’ve just finished setting up a new router using PCEngines APU2 (apu4d4 model) 
with OpenWRT. Uses x64 AMD Embedded G series GX-412TC and has 4x Intel i211AT 
Ethernet ports. It also runs a Coreboot bios and I can see regular bios updates 
approximately monthly. The coreboot bios and AMD CPU were the main reasons I 
picked this over a Qotom box. It’s also fanless which is good for a quiet 
environment.

The only downside is having only serial console output so you need a serial 
cable or serial-usb cable for the initial setup or bios 

Re: [DNG] networking thinking

2021-11-28 Thread tito via Dng
On Sun, 28 Nov 2021 07:20:14 -0600
o1bigtenor via Dng  wrote:

> Greetings
> 
> In anticipation of a fiber optical connection (moving from a wireless) I
> have been planning out and purchasing some bits of hardware. Am finding
> that networking is, at least sure seems to be, another black hole for time
> and effort.
> 
> TL;DR (skip to last paragraphs for the question(s))
> 
> At present this is a soho office kind of installation but that will slowly
> be morphing into something that is at least somewhat larger. There are a
> number of input sensor locations being worked on some of which would be
> generating, initially at least, up to 15 data streams sampled possibly
> every second (some maybe more often - - - decisions aren't all done as yet)
> so there will be a fair amount of data running around on my network which
> I'm trying to keep largely a wired affair.
> 
> At this point I'm working on the three entry bits of hardware (and their
> software) - - - the router, hardware firewall, and the managed switch. The
> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
> 
> For the router I'm planning on using OpenWRT running on a Nanopi r4s which,
> according to the folks over on openwrt, is capable of even very close to full
> Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
> for future increases although I don't see a need for the foreseeable
> future.
> 
> For the switch I have found myself a ZyXEL 1900-48 that I'm working on
> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
> somewhat new but it's open source and I'm not tied (I don't think) to
> OpenWRT - - - - except I don't know any other real alternative - - - so
> that's not a difficult solution either. I don't 'need' 48 ports but I have
> 16 at present on a hub and it's almost full and that's for stuff only here
> in the orifice (sic!). I also want the capabilities of forcing streaming
> services and wireless communications to not collect any more data from any
> other part of the network (using VLANs) as is possible.
> 
> Then lastly to the hardware firewall.
> I've been looking at pfsense and opnsense. Both are ipv6 possible although
> both are mostly focused on ipv4 at the present. IPfire seems to have gotten
> itself into a holding pattern and is not continuing work toward ipv6
> functionality. Any one of these options is producing headaches when I'm
> trying to figure out how to configure them - - - nothing installed at
> present, just researching so far.
> 
> So - - - - questions - - - -
> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?

Hi,

If you want to have reliability, splitting is good: if the router breaks
you still have a working firewall and switch and so on.
If you also want some redundancy you should think of buying
two of everything:

2 routers
2 firewalls
2 switches (2 x 24 rather than 1 x 48 ports)

I personally prefer x86 hardware for this kind of thing;
when I see little boxes like the Nanopi R4S they make me
think of toys. In my case sadly I'm tied to ADSL over POTS
so for the modem I still need to use these little plastic black boxes.
In your case I would swap the nanopi for a nice mini-ITX board
with Intel NICs, an SFX/Flex PSU (or pico PSU), 4-8 GB of RAM and a well
ventilated case (with low noise Noctua fans).

> 2. are there any good sources for information on and about networking?
>  debian has moved to nftables from iptables  - - - is devuan doing
> similar?

I think so.

>  Where does one find information to enable a firewall that works yet
> isn't stupid?

I use arno-iptables-firewall. It is easy to create a basic setup for your
network; it is reliable, comes with good defaults and can easily be tweaked (for
port-forwarding, VPNs, geoip filtering and so on; don't know about VLANs as I
don't use them yet).
 
> (I've wondered about having some kind of easy 'switch' that when users left
> their systems that the system wouldn't be calling home in the overnight at
> least a la ms googly. Dunno if that's 'simple' or not - - - so much to
> learn and so little time to do it all in!)
> 
> TIA

Ciao,
Tito
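As an added illustration of the "works yet isn't stupid" firewall and the VLAN isolation discussed above (this ruleset is not from the thread or from any of its participants), here is a minimal nftables ruleset for a Devuan-style router; the interface names wan0, lan0 and the VLAN 20 sub-interface lan0.20 for streaming and wireless gear are constructed assumptions.

```nft
# Added example ruleset (not from the thread): trusted LAN on lan0, streaming/
# wireless gear on 802.1Q VLAN 20 (lan0.20), Internet on wan0. Names assumed.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "lan0.20"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
        # Router management (SSH) from the trusted LAN only
        iifname $LAN tcp dport 22 accept
        # DNS and DHCP(v6) served to both LANs; nothing is offered on the WAN
        iifname { $LAN, $IOT } udp dport { 53, 67, 547 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept
        # Anything else is dropped by the chain policy; log a sample of it
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may reach the Internet and the IoT VLAN (to manage devices)
        iifname $LAN oifname { $WAN, $IOT } accept
        # Streaming/wireless VLAN gets the Internet only, and not during the
        # overnight window the question asked about (00:00-06:00 router local
        # time; meta hour needs nftables 0.9.6+ / Linux 5.4+)
        iifname $IOT oifname $WAN meta hour "00:00"-"06:00" drop
        iifname $IOT oifname $WAN accept
        # IoT devices can never initiate connections into the trusted LAN
        iifname $IOT oifname $LAN limit rate 5/minute log prefix "iot to lan blocked: "
    }
}

# IPv4 NAT towards the ISP; IPv6 is routed, not translated
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`; the two log rules give a cheap way to see, from the syslog, what the IoT VLAN is trying to reach.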


[DNG] networking thinking

2021-11-28 Thread o1bigtenor via Dng
Greetings

In anticipation of a fiber optical connection (moving from a wireless) I
have been planning out and purchasing some bits of hardware. Am finding
that networking is, at least sure seems to be, another black hole for time
and effort.

TL;DR (skip to last paragraphs for the question(s))

At present this is a soho office kind of installation but that will slowly
be morphing into something that is at least somewhat larger. There are a
number of input sensor locations being worked on some of which would be
generating, initially at least, up to 15 data streams sampled possibly
every second (some maybe more often - - - decisions aren't all done as yet)
so there will be a fair amount of data running around on my network which
I'm trying to keep largely a wired affair.

At this point I'm working on the three entry bits of hardware (and their
software) - - - the router, hardware firewall, and the managed switch. The
initial hookup on the fiber system is going to be at 250 Mbps symmetric.

For the router I'm planning on using OpenWRT running on a Nanopi r4s which,
according to the folks over on openwrt, is capable of even very close to full
Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
for future increases although I don't see a need for the foreseeable
future.

For the switch I have found myself a ZyXEL 1900-48 that I'm working on
getting OpenWRT on. This ability to run a managed switch on OpenWRT is
somewhat new but it's open source and I'm not tied (I don't think) to
OpenWRT - - - - except I don't know any other real alternative - - - so
that's not a difficult solution either. I don't 'need' 48 ports but I have
16 at present on a hub and it's almost full and that's for stuff only here
in the orifice (sic!). I also want the capabilities of forcing streaming
services and wireless communications to not collect any more data from any
other part of the network (using VLANs) as is possible.

Then lastly to the hardware firewall.
I've been looking at pfsense and opnsense. Both are ipv6 possible although
both are mostly focused on ipv4 at the present. IPfire seems to have gotten
itself into a holding pattern and is not continuing work toward ipv6
functionality. Any one of these options is producing headaches when I'm
trying to figure out how to configure them - - - nothing installed at
present, just researching so far.

So - - - - questions - - - -
1. is my splitting the network system into the three parts a good idea or
should I truncate parts 1 and 2 into the router? If you would please give
reasons - - - please?
2. are there any good sources for information on and about networking?
 debian has moved to nftables from iptables  - - - is devuan doing
similar?
 Where does one find information to enable a firewall that works yet
isn't stupid?

(I've wondered about having some kind of easy 'switch' that when users left
their systems that the system wouldn't be calling home in the overnight at
least a la ms googly. Dunno if that's 'simple' or not - - - so much to
learn and so little time to do it all in!)

TIA