Differences
| inbox:firewall:fw3_configurations:fw3_ref_topo [2018/09/11 16:41] – dturvene | docs:guide-user:firewall:fw3_configurations:fw3_ref_topo [2018/09/22 13:14] – dturvene | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| single public IPv4 address leased from Verizon ($5US/ | single public IPv4 address leased from Verizon ($5US/ | ||
| Verizon [[http:// | Verizon [[http:// | ||
| - | router. | + | router. |
| - | internet access (triple play). | + | internet access (triple play). |
| - | **MAIN** router | + | **MAIN** router |
| + | |||
| + | :!: Interestingly, | ||
| + | firmware, based on Linux 2.6.16. | ||
| + | many years ago; cisco is now selling | ||
| + | [[https:// | ||
| + | It looks like Verizon has been limping along without developer support since then... | ||
| + | |||
| + | Now on to more recent technology... | ||
| The router switch in | The router switch in | ||
| **MAIN** is configured to bridge all LAN-side traffic as the default '' | **MAIN** is configured to bridge all LAN-side traffic as the default '' | ||
| on the '' | on the '' | ||
| - | [[inbox:firewall:firewall3: | + | [[docs:guide-user:firewall: |
| **MAIN** handles all the internal stations using the | **MAIN** handles all the internal stations using the | ||
| '' | '' | ||
| stations for printing and NAS. | stations for printing and NAS. | ||
| - | In the firewall test network | + | In the firewall test network: |
| - | * **STA1** is a linux laptop, | + | * **MAIN** is the OpenWrt production router, |
| - | * **DUT** is the OpenWrt '' | + | * **STA1** is a linux laptop |
| + | * **DUT** is the OpenWrt '' | ||
| * **STA2** is a linux laptop, | * **STA2** is a linux laptop, | ||
| - | * **STA-printer** is an HP printer | + | |
| - | * **STA-server** is a linux desktop wired to a DUT ethenet | + | |
| + | * **STA-server2** is a linux desktop wired to a DUT 802.3 ethernet | ||
| + | |||
| + | Unless otherwise noted, an IPv4 address is assigned using DHCP. | ||
| **MAIN** is provisioned with a static lease added for **DUT** so the **DUT** | **MAIN** is provisioned with a static lease added for **DUT** so the **DUT** | ||
| - | will always gets the same IP address: '' | + | will always gets the same IP address: '' |
| - | **DUT** network must also be added to the **MAIN** routing table so **STA1** can | + | **DUT** network(s) must also be added to the **MAIN** routing table so **STA1** can |
| - | communicate with **STA2**. See [[docs: | + | communicate with devices in vlan 102 and vlan 103. |
| + | See [[docs: | ||
| for provisioning static routes. | for provisioning static routes. | ||
| - | The **DUT** is configured with two VLANS: | + | The **DUT** is configured with two VLANs. |
| - | the '' | + | the '' |
| - | uses a single wired ethernet port for | + | '' |
| - | [[inbox: | + | [[docs: |
| The reference topology allows firewall rules to be modified on | The reference topology allows firewall rules to be modified on | ||
| - | the **DUT** in a sandbox | + | the **DUT** in a sandbox |
| + | only **MAIN** LAN-side stations can access the **DUT**. | ||
| Of secondary importantce, | Of secondary importantce, | ||
| causing complete comms loss from **STA1** to the **DUT** | causing complete comms loss from **STA1** to the **DUT** | ||
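Review bot: the sandbox claim at the end of this hunk ("only **MAIN** LAN-side stations can access the **DUT**") should say what enforces it; the hunk adds a static lease and static routes on **MAIN** for the **DUT** networks, which make vlan 102 and vlan 103 reachable from **STA1** but do not by themselves keep anything else out, so a sentence naming the **MAIN**-side firewall rule or zone forwarding that blocks WAN-side traffic to those networks would make the isolation claim checkable. Two smaller points: the paragraph introducing the **DUT**'s "two VLANs" should name them as vlan 102 and vlan 103 (the IDs first appear in the routing paragraph just above it, so the reader has to connect the two), and "will always gets the same IP address" and "Of secondary importantce" are carried over unchanged and should read "will always get" and "importance".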
| Line 44: | Line 58: | ||
| REJECT, so a firewall rule must be explicitly added for each service from LAN | REJECT, so a firewall rule must be explicitly added for each service from LAN | ||
| to WAN (e.g. ICMP, SSH, HTTP). | to WAN (e.g. ICMP, SSH, HTTP). | ||
| - | when is forwarded but expect it to be rejected or dropped. | + | when a packet |
| - | {{ : | + | {{ : |