Differences
| inbox:firewall:fw3_configurations:fw3_ref_topo [2018/09/11 16:41] – dturvene | docs:guide-user:firewall:fw3_configurations:fw3_ref_topo [2022/10/27 20:35] (current) – optimize title vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== Reference |
| This is the network topology used as a common reference for most configurations for this section. | This is the network topology used as a common reference for most configurations for this section. | ||
| - | Starting from the top of the diagram is the public internet. | + | Starting from the top of the diagram is the public internet. |
| - | single public IPv4 address leased from Verizon ($5US/ | + | The network has a single public IPv4 address leased from Verizon ($5US/ |
| - | Verizon [[http:// | + | This router handles the telephones, video set top boxes and internet access (triple play). |
| - | router. | + | There is a single GigE 802.3 interface to the **MAIN** router |
| - | internet access (triple play). | + | |
| - | **MAIN** router | + | |
| - | The router switch in | + | :!: Interestingly, |
| - | **MAIN** is configured to bridge all LAN-side traffic as the default '' | + | jungo appears to have been purchased by cisco systems many years ago; cisco is now selling [[https:// |
| - | on the '' | + | It looks like Verizon has been limping along without developer support since then... |
| - | [[inbox:firewall:firewall3: | + | |
| - | **MAIN** handles all the internal stations using the | + | Now on to more recent technology... |
| - | '' | + | |
| - | stations for printing and NAS. | + | The router switch in **MAIN** is configured to bridge all LAN-side traffic as the default '' |
| - | In the firewall test network | + | See [[docs:guide-user:firewall: |
| - | * **STA1** is a linux laptop, | + | **MAIN** handles all the internal stations using the '' |
| - | * **DUT** is the OpenWrt '' | + | In the firewall test network: |
| + | * **MAIN** is the OpenWrt production router, | ||
| + | * **STA1** is a linux laptop | ||
| + | * **DUT** is the OpenWrt '' | ||
| * **STA2** is a linux laptop, | * **STA2** is a linux laptop, | ||
| - | * **STA-printer** is an HP printer | + | |
| - | * **STA-server** is a linux desktop wired to a DUT ethenet | + | |
| + | * **STA-server2** is a linux desktop wired to a DUT 802.3 Ethernet | ||
| + | |||
| + | Unless otherwise noted, an IPv4 address is assigned using DHCP. | ||
| - | **MAIN** is provisioned with a static lease added for **DUT** so the **DUT** | + | **MAIN** is provisioned with a static lease added for **DUT** so the **DUT** will always gets the same IP address: '' |
| - | will always gets the same IP address: '' | + | Static routes |
| - | **DUT** network must also be added to the **MAIN** routing table so **STA1** can | + | See [[docs: |
| - | communicate with **STA2**. See [[docs: | + | |
| - | for provisioning static routes. | + | |
| - | The **DUT** is configured with two VLANS: | + | The **DUT** is configured with two VLANs. |
| - | the '' | + | '' |
| - | uses a single wired ethernet | + | '' |
| - | [[inbox: | + | |
| - | The reference topology allows firewall rules to be modified on | + | The reference topology allows firewall rules to be modified on the **DUT** in a sandbox |
| - | the **DUT** in a sandbox | + | Of secondary importantce, |
| - | Of secondary importantce, | + | |
| - | causing complete comms loss from **STA1** to the **DUT** | + | |
| - | (but it can still happen if I really hose the firewall rule set!) | + | |
| - | :!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic | + | :!: Generally the policy is set to ACCEPT for LAN to WAN so all traffic initiated from the LAN-side is forwarded. |
| - | initiated from the LAN-side is forwarded. | + | In our topology, the policy is set to REJECT, so a firewall rule must be explicitly added for each service from LAN to WAN (e.g. ICMP, SSH, HTTP). |
| - | REJECT, so a firewall rule must be explicitly added for each service from LAN | + | This results in less confusion when a packet |
| - | to WAN (e.g. ICMP, SSH, HTTP). | + | |
| - | when is forwarded but expect it to be rejected or dropped. | + | |
| - | {{ : | + | {{ : |