Differences

inbox:firewall:fw3_configurations:fw3_ref_topo [2018/09/11 16:41] dturvenedocs:guide-user:firewall:fw3_configurations:fw3_ref_topo [2022/10/27 20:35] (current) – optimize title vgaetera
Line 1: Line 1:
-====== fw3 Reference Network Topology ======+====== Reference network topology ======
 This is the network topology used as a common reference for most configurations for this section. This is the network topology used as a common reference for most configurations for this section.
  
-Starting from the top of the diagram is the public internet.  The network has a +Starting from the top of the diagram is the public internet. 
-single public IPv4 address leased from Verizon ($5US/month) terminating on a +The network has a single public IPv4 address leased from Verizon ($5US/month) terminating on a Verizon [[http://www.mocalliance.org/|Multimedia over Coax Alliance (MoCA)]] router. 
-Verizon [[http://www.mocalliance.org|Multimedia over Coax Alliance (MoCA)]] +This router handles the telephones, video set top boxes and internet access (triple play). 
-router.  This router which handles the telephones, video set top boxes and +There is a single GigE 802.3 interface to the **MAIN** router for all internal wired and wireless internet access.
-internet access (triple play).  There is a single GigE interface to the +
-**MAIN** router in the picture.+
  
-The router switch in +:!: Interestingly, the Verizon MoCA router runs on an ARM926 using the jungo ''openrq'' firmware, based on Linux 2.6.16. 
-**MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface +jungo appears to have been purchased by cisco systems many years ago; cisco is now selling [[https://www.cisco.com/c/en/us/products/video/videoscape-openrg/index.html|openrq]]. 
-on the ''192.16.3.0/24'' network.  See +It looks like Verizon has been limping along without developer support since then... 
-[[inbox:firewall:firewall3:fw3_network#lan-bridge|lan bridge]] for a description of this. + 
-**MAIN** handles all the internal stations using the  +Now on to more recent technology... 
-''192.168.3.0/24'' network, mostly WLAN stations but several wired ethernet + 
-stations for printing and NAS. +The router switch in **MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface on the ''192.16.3.0/24'' network. 
-In the firewall test network +See [[docs:guide-user:firewall:fw3_network#lan-bridge|lan bridge]] for a description of this. 
-  * **STA1** is a linux laptop, +**MAIN** handles all the internal stations using the ''192.168.3.0/24'' network, mostly WLAN stations but several wired Ethernet stations for printing and NAS. 
-  * **DUT** is the OpenWrt ''Device Under Test'' wired to one of the **MAIN** ethernet ports,+In the firewall test network
 +  * **MAIN** is the OpenWrt production router, 
 +  * **STA1** is a linux laptop from where most of testing is initiated
 +  * **DUT** is the OpenWrt ''Device Under Test'' router wired to one of the **MAIN** 802.3 Ethernet ports,
   * **STA2** is a linux laptop,   * **STA2** is a linux laptop,
-  * **STA-printer** is an HP printer wired to a DUT ethernet port, +  * **STA3** and **STA4** are 802.11 wifi devices (tablet, phone, etc.) 
-  * **STA-server** is a linux desktop wired to a DUT ethenet port.+  * **STA-server1** is a linux server wired to a DUT 802.3 Ethernet port in vlan 102
 +  * **STA-server2** is a linux desktop wired to a DUT 802.3 Ethernet port in vlan 103. 
 + 
 +Unless otherwise noted, an IPv4 address is assigned using DHCP.
  
-**MAIN** is provisioned with a static lease added for **DUT** so the **DUT** +**MAIN** is provisioned with a static lease added for **DUT** so the **DUT** will always gets the same IP address: ''192.168.3.11''. 
-will always gets the same IP address: ''192.168.3.11'' A static route to the +Static routes to the **DUT** network(s) must also be added to the **MAIN** routing table so **STA1** can communicate with devices in vlan 102 and vlan 103. 
-**DUT** network must also be added to the **MAIN** routing table so **STA1** can +See [[docs:guide-user:network:ipv4:start|ipv4 configuration]] for provisioning static routes.
-communicate with **STA2** See [[docs:guide-user:network:ipv4:start|ipv4 configuration]] +
-for provisioning static routes.+
  
-The **DUT** is configured with two VLANS: ''eth0.102'' is a lan bridge using +The **DUT** is configured with two VLANs. 
-the ''192.168.10.0/24'' network for basic firewall testing. ''eth0.103'' +''eth0.102'' is a lan bridge using the ''192.168.10.0/24'' network for basic firewall testing. 
-uses a single wired ethernet port for +''eth0.103'' has a single wired Ethernet port using the ''192.168.30.0/24'' network for [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.
-[[inbox:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.+
  
-The reference topology allows firewall rules to be modified on +The reference topology allows firewall rules to be modified on the **DUT** in a sandbox without exposing it to the Internet; only **MAIN** LAN-side stations can access the **DUT**. 
-the **DUT** in a sandbox so only **MAIN** LAN-side stations can access the **DUT**. +Of secondary importantce, firewall rule testing has little probability of causing complete comms loss from **STA1** to the **DUT** (but it can still happen if I really hose the firewall rule set!)
-Of secondary importantce, firewall rule testing has little probability of +
-causing complete comms loss from **STA1** to the **DUT** +
-(but it can still happen if I really hose the firewall rule set!)+
  
-:!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic +:!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic initiated from the LAN-side is forwarded. 
-initiated from the LAN-side is forwarded.  In our topology, the policy is set to +In our topology, the policy is set to REJECT, so a firewall rule must be explicitly added for each service from LAN to WAN (e.g. ICMP, SSH, HTTP). 
-REJECT, so a firewall rule must be explicitly added for each service from LAN +This results in less confusion when a packet is forwarded but is expected to be rejected or dropped.
-to WAN (e.g. ICMP, SSH, HTTP).  This results in less confusion +
-when is forwarded but expect it to be rejected or dropped.+
  
-{{ :media:firewall-test-topov3.png?direct&800 }}+{{ :media:firewall-test-topov4.png?direct&800 }}
  
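Review bot: the revised text still contains a subnet inconsistency: the sentence starting "The router switch in **MAIN**" gives the ''br-lan'' bridge as ''192.16.3.0/24'', while the very next sentence and the static-lease paragraph use ''192.168.3.0/24'' and ''192.168.3.11''; since the **DUT** lease is in ''192.168.3.0/24'', the bridge line should read ''192.168.3.0/24''. Two grammar slips survive the revision as well ("will always gets the same IP address" and "Of secondary importantce"). The station list now places **STA-server1** in vlan 102 and **STA-server2** in vlan 103, but only the later paragraph ties ''eth0.102'' to ''192.168.10.0/24'' and ''eth0.103'' to ''192.168.30.0/24''; stating the subnet next to each server in the list would let a reader map stations to the static routes **MAIN** needs. Finally, the link text for the cisco product reads ''openrq'' while the linked URL spells it ''openrg''; one of the two should be corrected.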
  • Last modified: 2022/10/27 20:35
  • by vgaetera