Comment on Let's talk about free/FOSS routing platforms for the homelab
MigratingtoLemmy@lemmy.world 9 months ago
Most home setups will likely work fine with just one firewall, but I am planning for 2 at the very least for my network. Also, sometimes it might be better to run a separate router in a VM and have a distinct network behind it if you want to segment said network more thoroughly/want to emulate an enterprise environment etc. I personally see good use for running 2 or more routers (software/hardware) in a lab, but YMMV
h3ndrik@feddit.de 9 months ago
Thanks. I was going a bit more for the “what do you need that for” aspect. Emulating an enterprise environment sounds more like tinkering or learning? I mean I get network segmenting if you want to separate for example a home office from the entertainment devices in the living room from the cheap unpatched IoT devices… And also have a separate network to experiment in the basement lab… Doing firewalling to keep the TV from transmitting behaviour tracking data to the manufacturer… Stop the kids from accessing the network share…
But are those hypothetical use-cases? Or what do people actually use the 2 consecutive firewalls and different network segments for?
MigratingtoLemmy@lemmy.world 9 months ago
Thanks for explaining your rationale for the question. I’m in the US and whilst power isn’t the least expensive in the world, it’s not as bad, as say, Germany.
If you look at my history, in my previous post I was talking about hosting AD. Alongside that, I will also be hosting (sometime in the near future) an IOT controller, messaging, many IOT devices etc. Instead of just creating VLANs (which is certainly a valid approach), I’d like to create a separate network (and bind the VMs behind the router to only be able to pass traffic through that router with ACLs and defining it as the gateway).
I do not have a massive consumer base at home (the nod towards “12 laptops, bunch of PCs and a home datacenter” isn’t really for me), but I will have a lot of service VMs, containers etc. Some of them, I’d like for them to stay contained and not have to write additional firewall rules/ACLs on my main router - I can write those in the config of the secondary router and have a clean separation between a testing network (which is the purpose for the secondary router as a VM, for me) and my actual gateway.
Now, in terms of hardware, I’d like to run 2 different firewalls too. Part of this is a paranoia on my part about Intel ME - the plan was to run an OpenWRT router which would be connected to the internet, with a second router on x86 (which is why I made this post and was looking forward to this discussion) behind it, whilst intentionally double-NATting myself. I will also be setting up ACLs on the OpenWRT router/firewall to attempt to prevent Intel ME from ever accessing the internet - I believe that even if ME can utilise the same MAC of the NIC to send packets, it cannot use the same IP address. I’m also in the phase of researching other parameters on which I can filter out such traffic and only allow traffic from my trusted node (i.e. router/firewall OS) to access the internet. This argument probably won’t hold up very well against real-world scenarios and I might face hitches along the way, but I want to try it.
Also, I’ll feel safer experimenting on my “main” firewall/router (the x86 box - like I mentioned to another commenter, I might run a DIY OpenBSD router on it) if I have a firewall/NAT setup in front of it to take care of my network.
Thanks for the question, and I’m sure my words don’t make much sense (technically speaking), but this is simply what I cobbled together thinking about what I can realistically do.
h3ndrik@feddit.de 9 months ago
Ah. Thanks for explaining :-)
Yeah, the …keeping the mess somewhere else and not doing it on the important firewall… makes sense.
I also like to keep it clean so everything is a bit more modular and better to maintain.
I think the double-NAT is a bad idea. Such things just cause pain and break in unexpected ways. I’d rather focus on getting the firewall right. And the NAT doesn’t add anything here. A firewall is the correct tool to filter packets between two network segments. A NAT is a crude thing that happens to drop incoming connections from the other side. But you could as well instruct your firewall to drop those packets.
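As an added illustration (not code from either commenter), the small stateful filter below models the point made in this reply and the egress idea from the earlier comment: a firewall sitting between an outer segment and an inner segment can drop every unsolicited inbound connection and still let replies to inner-initiated flows through, with no address translation anywhere; and it can restrict which inner source addresses are allowed to open connections outward. The segment `10.10.0.0/24`, the trusted router address `10.10.0.1`, the outer host `192.0.2.10` and the packets are all constructed for the example.

```python
"""Stateful segment filter without NAT: added example, not code from the thread.

Models two ideas from the discussion:
  1. A stateful firewall between an outer and an inner segment drops
     unsolicited inbound connection openers on its own; NAT is not needed.
  2. Egress from the inner segment can be limited to an allowlist of
     trusted source addresses (here, only the inner router itself).
All addresses and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a connection-opening packet (TCP SYN without ACK)


INNER = ip_network("10.10.0.0/24")  # constructed: lab segment behind the inner router
TRUSTED_EGRESS = {"10.10.0.1"}      # constructed: only the inner router may open outbound flows


class StatefulFilter:
    """Tracks approved flows by 5-tuple; replies to inner-opened flows are accepted."""

    def __init__(self, inner, trusted_sources):
        self.inner = inner
        self.trusted = {ip_address(s) for s in trusted_sources}
        self.flows = set()

    @staticmethod
    def _key(src, dst, sport, dport):
        return (ip_address(src), ip_address(dst), sport, dport)

    def decide(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        forward = self._key(pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = self._key(pkt.dst, pkt.src, pkt.dport, pkt.sport)

        # Part of a flow the inner side already opened (either direction): accept.
        if forward in self.flows or reverse in self.flows:
            return "ACCEPT"
        # Not a flow opener and not part of a known flow: stray packet, drop.
        if not pkt.syn:
            return "DROP"
        # Egress opener inner -> outer: allowed only from trusted source addresses.
        if src in self.inner and dst not in self.inner:
            if src in self.trusted:
                self.flows.add(forward)
                return "ACCEPT"
            return "DROP"
        # Ingress opener from the outer segment: dropped by policy, no NAT involved.
        return "DROP"


def run_demo() -> List[str]:
    """Constructed traffic exercising each branch; returns the decisions in order."""
    fw = StatefulFilter(INNER, TRUSTED_EGRESS)
    traffic = [
        Packet("10.10.0.1", "192.0.2.10", 51000, 443, True),   # trusted egress opener
        Packet("192.0.2.10", "10.10.0.1", 443, 51000, False),  # reply to that flow
        Packet("192.0.2.10", "10.10.0.1", 4000, 22, True),     # unsolicited inbound opener
        Packet("10.10.0.77", "192.0.2.10", 40000, 443, True),  # untrusted inner host going out
        Packet("192.0.2.10", "10.10.0.5", 443, 8080, False),   # stray non-opener from outside
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The filter never rewrites an address, which is the reply's point: the drop of inbound openers is a policy decision, not a side effect of translation. It also shows why the earlier remark about port forwarding holds: exposing one inner service would mean adding a single explicit ingress accept rule here, whereas with two NAT layers the same service needs a forward on each box.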
MigratingtoLemmy@lemmy.world 9 months ago
You’re right, I should have thought a bit more before I answered. Thinking about it, double NAT doesn’t achieve anything. With that said, the main way in which this is a problem is if one were to forward ports, in which case they’d need to forward ports from both firewalls.
Yes, I will be dealing with firewalls on both appliances.
I too will be investing more into Zigbee in the future, but having a central controller with MQTT can help. I haven’t decided if I want to go completely without WiFi. There are certainly security considerations to going to Zigbee. Like you, I do not plan to utilise many proprietary IOT solutions and buy into the massive appliances being controlled with outdated software. I’ll stick to dumb appliances as much as I can.
I don’t think it’s particularly malicious either, but the problem I have is that it is essentially at ring 0. As such, my OS can’t do anything about it, which means I’m going to have to find alternatives to deal with it. I would have loved to have every device have a FOSS bootloader but I suppose that’s a long way away.
Thanks for your comment.