Differences

This shows you the differences between two versions of the page.

inbox:firewall:fw3_configurations:fw3_ref_topo [2018/09/11 16:41] dturvene
docs:guide-user:firewall:fw3_configurations:fw3_ref_topo [2022/10/27 20:34] – optimize title vgaetera
Line 1: Line 1:
-====== fw3 Reference Network Topology ======+====== Reference Network Topology ======
 This is the network topology used as a common reference for most configurations for this section. This is the network topology used as a common reference for most configurations for this section.
  
-Starting from the top of the diagram is the public internet.  The network has a +Starting from the top of the diagram is the public internet. 
-single public IPv4 address leased from Verizon ($5US/month) terminating on a +The network has a single public IPv4 address leased from Verizon ($5US/month) terminating on a Verizon [[http://www.mocalliance.org/|Multimedia over Coax Alliance (MoCA)]] router. 
-Verizon [[http://www.mocalliance.org|Multimedia over Coax Alliance (MoCA)]] +This router handles the telephones, video set top boxes and internet access (triple play). 
-router.  This router which handles the telephones, video set top boxes and +There is a single GigE 802.3 interface to the **MAIN** router for all internal wired and wireless internet access.
-internet access (triple play).  There is a single GigE interface to the +
-**MAIN** router in the picture.+
  
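Review bot: the LAN bridge prefix in the first MAIN sentence is written as ''192.16.3.0/24'' while the next sentence and the DUT lease below use ''192.168.3.0/24''; the typo survives from the 2018 revision and should be fixed, since a reader copying that prefix into a route or firewall rule gets a network that matches nothing in the topology. Two smaller points in the same region: the Jungo firmware is spelled ''openrq'' twice although the Cisco URL it links to says openrg, and the station list needs consistent trailing punctuation plus "from which most testing is initiated" for STA1. The aside on the unsupported Linux 2.6.16 upstream router is worth keeping, but it would serve the firewall pages better if it also drew the conclusion the rest of the page relies on: MAIN's wan zone treats that router as untrusted, and nothing on it is assumed to filter traffic toward MAIN or the DUT.
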
-The router switch in +:!: Interestingly, the Verizon MoCA router runs on an ARM926 using the jungo ''openrq'' firmware, based on Linux 2.6.16. 
-**MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface +jungo appears to have been purchased by cisco systems many years ago; cisco is now selling [[https://www.cisco.com/c/en/us/products/video/videoscape-openrg/index.html|openrq]]. 
-on the ''192.16.3.0/24'' network.  See +It looks like Verizon has been limping along without developer support since then... 
-[[inbox:firewall:firewall3:fw3_network#lan-bridge|lan bridge]] for a description of this. + 
-**MAIN** handles all the internal stations using the  +Now on to more recent technology... 
-''192.168.3.0/24'' network, mostly WLAN stations but several wired ethernet + 
-stations for printing and NAS. +The router switch in **MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface on the ''192.16.3.0/24'' network. 
-In the firewall test network +See [[docs:guide-user:firewall:fw3_network#lan-bridge|lan bridge]] for a description of this. 
-  * **STA1** is a linux laptop, +**MAIN** handles all the internal stations using the ''192.168.3.0/24'' network, mostly WLAN stations but several wired Ethernet stations for printing and NAS. 
-  * **DUT** is the OpenWrt ''Device Under Test'' wired to one of the **MAIN** ethernet ports,+In the firewall test network
 +  * **MAIN** is the OpenWrt production router, 
 +  * **STA1** is a linux laptop from where most of testing is initiated
 +  * **DUT** is the OpenWrt ''Device Under Test'' router wired to one of the **MAIN** 802.3 Ethernet ports,
   * **STA2** is a linux laptop,   * **STA2** is a linux laptop,
-  * **STA-printer** is an HP printer wired to a DUT ethernet port, +  * **STA3** and **STA4** are 802.11 wifi devices (tablet, phone, etc.) 
-  * **STA-server** is a linux desktop wired to a DUT ethenet port.+  * **STA-server1** is a linux server wired to a DUT 802.3 Ethernet port in vlan 102
 +  * **STA-server2** is a linux desktop wired to a DUT 802.3 Ethernet port in vlan 103. 
 + 
 +Unless otherwise noted, an IPv4 address is assigned using DHCP.
  
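Review bot: "will always gets the same IP address" should read "will always get"; more importantly, the paragraph should tie the static lease to the routes it enables, because the lease exists precisely so that ''192.168.3.11'' can be used as the fixed next hop for the ''192.168.10.0/24'' and ''192.168.30.0/24'' routes on MAIN. Spelling that out (a route on MAIN's lan interface with target ''192.168.10.0/24'' and gateway ''192.168.3.11'', and a second one for ''192.168.30.0/24'') lets the reader check the provisioning on the linked ipv4 page against the reference subnets instead of the vague "DUT network(s)", and makes clear that the routes must be updated if the lease address ever changes.
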
-**MAIN** is provisioned with a static lease added for **DUT** so the **DUT** +**MAIN** is provisioned with a static lease added for **DUT** so the **DUT** will always gets the same IP address: ''192.168.3.11''. 
-will always gets the same IP address: ''192.168.3.11'' A static route to the +Static routes to the **DUT** network(s) must also be added to the **MAIN** routing table so **STA1** can communicate with devices in vlan 102 and vlan 103. 
-**DUT** network must also be added to the **MAIN** routing table so **STA1** can +See [[docs:guide-user:network:ipv4:start|ipv4 configuration]] for provisioning static routes.
-communicate with **STA2** See [[docs:guide-user:network:ipv4:start|ipv4 configuration]] +
-for provisioning static routes.+
  
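Review bot: the VLAN paragraph should state which DUT firewall zone each VLAN interface belongs to, since the DMZ page it links to depends on that mapping: ''eth0.102'' is described as the lan bridge on ''192.168.10.0/24'' and ''eth0.103'' as a single port on ''192.168.30.0/24'', but nothing says whether ''eth0.103'' is its own zone (as a DMZ normally is) or a second network inside lan. A short table of VLAN id, interface, subnet, zone and attached station (vlan 102 / ''eth0.102'' / ''192.168.10.0/24'' / STA-server1; vlan 103 / ''eth0.103'' / ''192.168.30.0/24'' / STA-server2) would also remove the mismatch the reader currently has to hold in their head between the VLAN tags (102, 103) and the third octets of the subnets (10, 30).
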
-The **DUT** is configured with two VLANS: ''eth0.102'' is a lan bridge using +The **DUT** is configured with two VLANs. 
-the ''192.168.10.0/24'' network for basic firewall testing. ''eth0.103'' +''eth0.102'' is a lan bridge using the ''192.168.10.0/24'' network for basic firewall testing. 
-uses a single wired ethernet port for +''eth0.103'' has a single wired Ethernet port using the ''192.168.30.0/24'' network for [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.
-[[inbox:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.+
  
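Review bot: "importantce" is a typo for "importance". The isolation claim ("only MAIN LAN-side stations can access the DUT") holds only because MAIN does no port forwarding to ''192.168.3.11'' and keeps its default wan-zone input and forward policy of REJECT; that assumption should be stated, since adding a forward on MAIN for convenience would silently expose the DUT. The paragraph should also say how STA1 manages the DUT: STA1 reaches the DUT on the DUT's wan-side address ''192.168.3.11'', and OpenWrt's default wan zone rejects input, so an explicit rule accepting SSH (and HTTP, if LuCI is used) on the DUT's wan zone from ''192.168.3.0/24'' is what keeps management working while lan-side rules are being broken; the "little probability of complete comms loss" depends on that rule being left alone.
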
-The reference topology allows firewall rules to be modified on +The reference topology allows firewall rules to be modified on the **DUT** in a sandbox without exposing it to the Internet; only **MAIN** LAN-side stations can access the **DUT**. 
-the **DUT** in a sandbox so only **MAIN** LAN-side stations can access the **DUT**. +Of secondary importantce, firewall rule testing has little probability of causing complete comms loss from **STA1** to the **DUT** (but it can still happen if I really hose the firewall rule set!)
-Of secondary importantce, firewall rule testing has little probability of +
-causing complete comms loss from **STA1** to the **DUT** +
-(but it can still happen if I really hose the firewall rule set!)+
  
-:!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic +:!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic initiated from the LAN-side is forwarded. 
-initiated from the LAN-side is forwarded.  In our topology, the policy is set to +In our topology, the policy is set to REJECT, so a firewall rule must be explicitly added for each service from LAN to WAN (e.g. ICMP, SSH, HTTP). 
-REJECT, so a firewall rule must be explicitly added for each service from LAN +This results in less confusion when a packet is forwarded but is expected to be rejected or dropped.
-to WAN (e.g. ICMP, SSH, HTTP).  This results in less confusion +
-when is forwarded but expect it to be rejected or dropped.+
  
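Review bot: "the policy is set to REJECT" should name the knob, because in OpenWrt lan-to-wan forwarding is not a single policy: the default configuration has ''option forward 'ACCEPT''' on the lan zone together with a ''config forwarding'' section carrying ''option src 'lan''' and ''option dest 'wan'''. The zone's own ''option forward'' governs traffic between networks inside that zone, while lan-to-wan traffic with no matching forwarding section falls through to the ''config defaults'' forward policy (REJECT by default), so removing the forwarding section is what produces the behaviour described here. The text should say which of these was changed so the companion configuration pages can be reproduced, and it would help to restate that "WAN" in this section is the DUT's wan zone, whose upstream is MAIN's ''192.168.3.0/24'' LAN rather than the Internet.
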
-{{ :media:firewall-test-topov3.png?direct&800 }}+{{ :media:firewall-test-topov4.png?direct&800 }}
  
  • Last modified: 2022/10/27 20:35
  • by vgaetera