Firewall
The firewall is a router called firewall in the internal network. It makes sure all connections are routed through the VPN and switches (and later balances) traffic between our different Internet connections (satellite, DSL, [planned fiber, maybe LTE, Wifi]).
Configuration
The firewall is an APU with 3 gigabit network ports and OPNsense as operating system.
The network ports are named igb0, igb1 and igb2.
igb0 is the uplink to the DSL network and has a dynamic IP address. igb1 is the uplink to the SAT network and has a dynamic IP address. igb2 is the interface to the network used by all clients in the premises and has a fixed IP address (192.168.1.1).
DHCP Server
The DHCP server is available on the igb2 network only and gives out dynamic addresses from 192.168.1.100 to 192.168.1.255 and fixed addresses from 192.168.1.10 to 192.168.1.99.
OpenVPN Client
The OpenVPN client connects to a remote host and tunnels all the traffic. When the VPN connection is up, all traffic gets forwarded through the VPN; when it is down, no traffic gets forwarded.
Firewall Rules
Firewall rules are set in OPNsense. Outbound NAT rules make sure that no traffic from the internal network is sent to the Internet when the VPN is not up.
At the moment we have a Debian system running on a Z-Box (this will be changed in the future), with the rules configured using ferm (http://ferm.foo-projects.org/).
There are several configurations in the /etc/ferm directory that can be loaded with ferm [filename].
/etc/ferm/default.conf
This file is loaded every time the VPN connection state changes with a udev rule. It ensures that traffic is only forwarded through the VPN and never leaves the box unless it is VPN traffic or DNS traffic to a limited set of servers.
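The following ferm configuration is an added example of the kill-switch behaviour described above; it is not the site's actual default.conf. The Linux interface names, the VPN endpoint, its port and the resolver addresses are assumptions or placeholders and must be replaced with the real values.

```ferm
# Constructed example: interface names, addresses and ports are assumptions,
# not the values used on the site's box.
@def $DEV_DSL  = eth0;   # uplink to DSL (dynamic IP)
@def $DEV_SAT  = eth1;   # uplink to satellite (dynamic IP)
@def $DEV_LAN  = eth2;   # internal clients, 192.168.1.0/24
@def $DEV_VPN  = tun0;   # OpenVPN tunnel device
@def $NET_LAN  = 192.168.1.0/24;
@def $VPN_HOST = 203.0.113.10;              # placeholder VPN endpoint
@def $DNS_OK   = (192.0.2.53 192.0.2.54);   # placeholder resolvers the box may query

domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;
            # DHCP requests from the LAN (source is 0.0.0.0 during discovery)
            interface $DEV_LAN proto udp dport bootps ACCEPT;
            # admin SSH from the LAN only
            interface $DEV_LAN saddr $NET_LAN proto tcp dport ssh ACCEPT;
        }
        chain FORWARD {
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # client traffic leaves only through the tunnel: there is
            # deliberately no rule towards $DEV_DSL or $DEV_SAT
            interface $DEV_LAN outerface $DEV_VPN saddr $NET_LAN ACCEPT;
        }
        chain OUTPUT {
            policy DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            outerface lo ACCEPT;
            outerface $DEV_LAN ACCEPT;   # DHCP offers and local replies
            # the box itself may only build the tunnel (TCP for SAT, UDP for DSL)
            outerface ($DEV_DSL $DEV_SAT) daddr $VPN_HOST proto (tcp udp) dport 1194 ACCEPT;
            # and resolve names against the listed resolvers
            outerface ($DEV_DSL $DEV_SAT) daddr $DNS_OK proto (tcp udp) dport domain ACCEPT;
            # everything inside the tunnel is allowed
            outerface $DEV_VPN ACCEPT;
        }
    }
    table nat {
        chain POSTROUTING {
            # masquerade LAN clients behind the tunnel address only
            outerface $DEV_VPN saddr $NET_LAN MASQUERADE;
        }
    }
}
```

Because FORWARD and OUTPUT default to DROP and only tun0 is ever an allowed outgoing interface for client traffic, a dropped tunnel leaves the clients without connectivity instead of leaking through an uplink.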
/etc/ferm/admin.conf
This file is used to unlock the restrictive firewall during administration. This allows the firewall to connect to the distribution repositories and download updates.
/etc/cron.d/toggle_uplink.sh
This script is used to switch between uplinks (satellite or DSL) using a cron job. It is configured to shut down the VPN, set a different configuration (TCP for satellite, UDP for DSL) and trigger the reconnect. The VPN provider is instructed to provide a fixed IP so running downloads should continue.
crontab -e as root
At the moment the router switches at night to the satellite, to use the flat rate of the satellite between 0:00-6:00 UTC+1.