Differences

This shows you the differences between two versions of the page.

inbox:firewall:fw3_configurations:fw3_ref_topo [2018/09/11 16:47] dturvene
docs:guide-user:firewall:fw3_configurations:fw3_ref_topo [2018/09/22 13:14] dturvene
Line 5: Line 5:
 single public IPv4 address leased from Verizon ($5US/month) terminating on a single public IPv4 address leased from Verizon ($5US/month) terminating on a
 Verizon [[http://www.mocalliance.org|Multimedia over Coax Alliance (MoCA)]] Verizon [[http://www.mocalliance.org|Multimedia over Coax Alliance (MoCA)]]
-router.  This router which handles the telephones, video set top boxes and +router.  This router handles the telephones, video set top boxes and 
-internet access (triple play).  There is a single GigE interface to the +internet access (triple play).  There is a single GigE 802.3 interface to the 
-**MAIN** router in the picture.+**MAIN** router for all internal wired and wireless internet access. 
 + 
 +:!: Interestingly, the Verizon MoCA router runs on an ARM926 using the jungo ''openrq''  
 +firmware, based on Linux 2.6.16.  jungo appears to have been purchased by cisco systems 
 +many years ago; cisco is now selling  
 +[[https://www.cisco.com/c/en/us/products/video/videoscape-openrg/index.html|openrq]]. 
 +It looks like Verizon has been limping along without developer support since then... 
 + 
 +Now on to more recent technology...
  
 The router switch in The router switch in
 **MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface **MAIN** is configured to bridge all LAN-side traffic as the default ''br-lan'' interface
 on the ''192.16.3.0/24'' network.  See on the ''192.16.3.0/24'' network.  See
-[[inbox:firewall:firewall3:fw3_network#lan-bridge|lan bridge]] for a description of this.+[[docs:guide-user:firewall:fw3_network#lan-bridge|lan bridge]] for a description of this.
 **MAIN** handles all the internal stations using the  **MAIN** handles all the internal stations using the 
 ''192.168.3.0/24'' network, mostly WLAN stations but several wired ethernet ''192.168.3.0/24'' network, mostly WLAN stations but several wired ethernet
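Review bot: the new note spells the firmware ''openrq'' twice while its own link target reads videoscape-openrg; the Jungo product is OpenRG, so the displayed text and the URL should agree (and "jungo"/"cisco systems" would normally be capitalised as proper names). The unchanged context line "on the ''192.16.3.0/24'' network" also disagrees with the ''192.168.3.0/24'' used two lines later and looks like a typo worth fixing in the same revision, since the bridge subnet is what the rest of the page's routes and leases refer to.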
Line 19: Line 27:
   * **MAIN** is the OpenWrt production router,   * **MAIN** is the OpenWrt production router,
   * **STA1** is a linux laptop from where most of testing is initiated,   * **STA1** is a linux laptop from where most of testing is initiated,
-  * **DUT** is the OpenWrt ''Device Under Test'' router wired to one of the **MAIN** ethernet ports,+  * **DUT** is the OpenWrt ''Device Under Test'' router wired to one of the **MAIN** 802.3 ethernet ports,
   * **STA2** is a linux laptop,   * **STA2** is a linux laptop,
-  * **STA-printer** is an HP printer wired to a DUT ethernet port, +  * **STA3** and **STA4** are 802.11 wifi devices (tablet, phone, etc.) 
-  * **STA-server** is a linux desktop wired to a DUT ethenet port.+  * **STA-server1** is a linux server wired to a DUT 802.3 ethernet port in vlan 102
 +  * **STA-server2** is a linux desktop wired to a DUT 802.3 ethernet port in vlan 103.
  
 Unless otherwise noted, an IPv4 address is assigned using DHCP. Unless otherwise noted, an IPv4 address is assigned using DHCP.
  
 **MAIN** is provisioned with a static lease added for **DUT** so the **DUT** **MAIN** is provisioned with a static lease added for **DUT** so the **DUT**
-will always gets the same IP address: ''192.168.3.11''.  A static route to the +will always gets the same IP address: ''192.168.3.11''.  Static routes to the 
-**DUT** network must also be added to the **MAIN** routing table so **STA1** can +**DUT** network(s) must also be added to the **MAIN** routing table so **STA1** can 
-communicate with **STA2**.  See [[docs:guide-user:network:ipv4:start|ipv4 configuration]]+communicate with devices in vlan 102 and vlan 103.   
 +See [[docs:guide-user:network:ipv4:start|ipv4 configuration]]
 for provisioning static routes. for provisioning static routes.
  
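Review bot: the grammar slip in the edited sentence survives the change: "will always gets the same IP address" should read "will always get the same IP address". The rewritten static-route sentence now names vlan 102 and vlan 103 instead of **STA2**, but the station list no longer says where **STA2** is attached; adding its network to the "**STA2** is a linux laptop" item would make the route requirement traceable. Minor style point: the new "**STA3** and **STA4**" item lacks the trailing comma the neighbouring items use.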
Line 35: Line 45:
 the ''192.168.10.0/24'' network for basic firewall testing. the ''192.168.10.0/24'' network for basic firewall testing.
 ''eth0.103'' has a single wired ethernet port using the ''192.168.30.0/24'' network for ''eth0.103'' has a single wired ethernet port using the ''192.168.30.0/24'' network for
-[[inbox:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.+[[docs:guide-user:firewall:fw3_configurations:fw3_dmz|DMZ]] testing.
  
 The reference topology allows firewall rules to be modified on The reference topology allows firewall rules to be modified on
Line 48: Line 58:
 REJECT, so a firewall rule must be explicitly added for each service from LAN REJECT, so a firewall rule must be explicitly added for each service from LAN
 to WAN (e.g. ICMP, SSH, HTTP).  This results in less confusion to WAN (e.g. ICMP, SSH, HTTP).  This results in less confusion
-when is forwarded but expect it to be rejected or dropped.+when a packet is forwarded but is expected to be rejected or dropped.
  
-{{ :media:firewall-test-topov3.png?direct&800 }}+{{ :media:firewall-test-topov4.png?direct&800 }}
  
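Review bot: the topology image is bumped from firewall-test-topov3.png to firewall-test-topov4.png, but nothing in the text says what changed in the drawing; a short caption naming the vlan 102 and vlan 103 servers introduced in the station list edit would let readers confirm the picture matches the prose. The rewritten closing sentence is still awkward; something like "This makes it obvious when a packet is forwarded that was expected to be rejected or dropped" keeps the point that the default REJECT policy makes unexpected forwards stand out.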
  • Last modified: 2022/10/27 20:35
  • by vgaetera