kuckucksmuehle:hackerspace:firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
kuckucksmuehle:hackerspace:firewall [2017/11/13 18:08] – [Configuration] kimparkerkuckucksmuehle:hackerspace:firewall [2018/03/22 18:20] (current) – add information how to handle network disturbance kimparker
Line 7: Line 7:
  
  
-We have at the moment Debain running on a Z-Box (will be changed in the future). And configured the rules with "ferm":http://ferm.foo-projects.org/.+The firewall is APU with 3 gigabit network ports and Opnfsense as operating system.
  
-There are several configurations in the ''/etc/ferm'' directory that can be loaded with ''ferm [filename]''+The network ports are named igb0, igb1, igb2
  
-''/etc/ferm/default.conf''+igb0 is the uplink to the DSL network and has a dynamic IP address. 
 +igb1 is the uplink to the SAT network and has a dynamic IP address. 
 +igb2 is the interface to the network used by all clients in the premises and has a fixed IP address (192.168.1.1).
  
-This file is loaded every time the VPN connection state changes with a udev rule. It ensures that traffic is only forwarded through the VPN and never leaves the box unless it is VPN traffic or DNS traffic to a limited set of servers.+==== DHCP Server ====
  
-''/etc/ferm/admin.conf''+The dhcp server is available on the igb2 network only and gives out dynamic addresses from 192.168.1.100 to 192.168.1.255 and fixed addresses from 192.168.1.10 to 192.168.1.99 .
  
-This file is used to unlock the restrictive firewall during administration. This allows the firewall to connect to the distribution repositories and download updates.+==== OpenVPN Client ====
  
-''/etc/cron.d/toggle_uplink.sh''+The OpenVPN client connects to a remote host tunnel all the trafficWhen the VPN connection is up, all traffic gets forwarded through the VPN, when it is down, no traffic gets forwarded.
  
-This script is used to switch between uplinks (satellite or DSL) using a cron job. It is configured to shut down the VPN, set a different configuration (TCP for satellite, UDP for DSL) and trigger the reconnect. The VPN provider is instructed to provide a fixed IP so running downloads should continue.+==== Firewall Rules ====
  
-''crontab -e as root''+Firewall Rules are set in Opnfsense. 
 +Outbound Nat Rules make sure that no traffic from the internal network is sent to the internet when the VPN is not up
  
-At the moment the router switches at night to the sateliteto use the flatrate of the satelite between 0:00-6:00  UTC + 1.+==== Handle Network Disturbances ==== 
 + 
 +Sometimes it is required to check which device is responsible for traffic. In rare circumstances it is also required to shut that device off. 
 + 
 +  - Login to https://192.168.1.1 
 +  - Open "Interfaces/Diagnostics/ARP Table" on a separate tab 
 +  - Open "Reporting/Insight" on a separate tab 
 +  - Open "Reporting/Traffic Graph", Select LAN 
 +  - Find the device causing trafficlook up the IP in the arp-table (gives more info like manufacturer) 
 +  - Open "Firewall/Traffic Shaper/Settings" -> Rules 
 +  - Duplicate the BAD GUI rule and enter the IP address, name the new rule and click apply
  
  • kuckucksmuehle/hackerspace/firewall.1510592881.txt.gz
  • Last modified: 2017/11/13 18:08
  • by kimparker