<div dir="ltr">I'm still in the midst of a network rebuild here. I originally tried to use ddwrt on an old linksys to provide vlans, used a MikroTik RouterBoard 260GS that someone gave me for a while, and finally broke down and bought a Ubiquiti EdgeSwitch.<div><br></div><div>The edgeswitch is great - does all the things you'd expect from a managed switch, but it's vyatta under the hood. Bought it looking for a switch that I can manage with ssh and keys, and eventually puppet or ansible... that doesn't cost $$ like cisco. </div><div><br></div><div>The spanport feeds a Zotac running security onion with bro-ids, snort and criticalstack feeds. I briefly had pfSense up on the Zotac running between the inside and outside vlans on the switch, but moved it to a SmartOS VM running on a NUC and haven't had time to get the trunk port set up right on the SmartOS side. There are also zones set up for Splunk and ELK for playing with logs and data.</div><div><br></div><div>The Ubiquiti Unifi gear is a bit more gui-driven and 'integrated' if you connect their APs to their Unifi switch, but the EdgeSwitch and EdgeRouter are vyatta linux on both, pretty straightforward and a great step up from wrt if you're not going to do the networking from scratch in normal linux.</div><div><br></div><div>Has anyone set up squid with ssl-peek/slice or ssl-bump? 
Squid was the one thing I couldn't get working right in pfsense - but it may have been underpowered on the Zotac.</div><div><br></div><div>-George</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 2, 2017 at 9:40 PM, Chuck Payne <span dir="ltr"><<a href="mailto:terrorpup@gmail.com" target="_blank">terrorpup@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Mon, Jan 2, 2017 at 8:13 PM, Alex Carver <span dir="ltr"><<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2017-01-02 16:55, DJ-Pfulio wrote:<br>
</span><span>> On 01/02/2017 06:55 PM, Robert L. Harris wrote:<br>
>> Linux firewall<br>
><br>
> That can mean almost anything.<br>
><br>
> VLANs are "suggestions", not security, unless there is physical separation at<br>
> some point.<br>
><br>
> Better to segment the network using a different router port for each subnet and<br>
> separate "dumb" switches for each, as needed.<br>
><br>
> This is actually how I do it, but with pfsense for the router. A normal linux<br>
> distro can do it, just tie the firewall rules to the specific interface. Don't<br>
> know about typical $20 home routers.<br>
<br>
</span>If you have a router with something like OpenWRT installed then it can<br>
handle tagging, too. Otherwise it's probably easiest to get something<br>
like a Ubiquiti EdgeRouter if an appliance is desired instead of rolling<br>
one from scratch.<br>
<div class="m_-6938649065684846158HOEnZb"><div class="m_-6938649065684846158h5"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><div class="gmail_extra"><br></div></div></div>Like JD, I use pfsense, but I also have a Netgear GT748 switch that does vlans. I have four that my pfsense manages: </div><div class="gmail_extra"><br></div><div class="gmail_extra">vlan1 <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> things that can be open </div><div class="gmail_extra">vlan2 <a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a> things that are blocked (my kids' network; they have their own wireless network)</div><div class="gmail_extra">vlan3 <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> things that I need for work; they can be accessed via my openvpn </div><div class="gmail_extra">vlan4 <a href="http://192.168.253.0/24" target="_blank">192.168.253.0/24</a> openvpn </div><div class="gmail_extra"><br></div><div class="gmail_extra">I know it's a bit much, but after catching someone spying on me this summer, I had to bring things out. With kids under 18, I feel much better that I am monitoring and blocking things. Like, my 5 year old finds YouTube videos of things I'm not ready to talk about so easily; they are blocked now. The firewall logs are great. You can click on an IP and set up rules right there, in a matter of seconds. </div><div class="gmail_extra"><br></div><div class="gmail_extra">I tried to do this with openSUSE; they have a great firewall that is built in, but iptables rules can be hard to write. One thing that won me over more with pfsense was the fact that I had a hard fail on Saturday. I fired up a virt, took a backup that I had made and restored it, and it installed all my add-ons (nmap, openvpnclient, darkstat, and more) without me asking. It read it from the config; I only lost two VPN accounts because they were made after my last backup. But I was only down for 15 mins. I have since replaced the drive and it is backed up with the updated config. Doing a fresh install of openSUSE or Debian usually takes much longer. 
<br><br clear="all"><div><br></div>-- <br><div class="m_-6938649065684846158gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Terror PUP a.k.a<br>Chuck "PUP" Payne<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- Terrorpup<br>openSUSE Ambassador/openSUSE Member<br>skype,twitter,identica,friendfeed -- terrorpup<br>freenode(irc) --terrorpup/lupinstein<br>Register Linux Userid: 155363<br> <br>Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own linux distro? Give SUSE Studio a try.</div></div>
</div></div>
<br></blockquote></div><br></div>
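<div dir="ltr">Added example, not from any of the posters: the four-VLAN layout Chuck describes, done the way DJ-Pfulio suggests on a plain Linux router, with forward rules tied to each 802.1Q subinterface rather than to addresses. Interface names (eth0/eth1), VLAN IDs and the router's .1 addresses are assumptions; the subnets are the ones quoted in the thread.</div>

```shell
#!/bin/sh
# Constructed example: per-interface segmentation of four VLANs on a Linux
# router. TRUNK/WAN names, VLAN IDs and router addresses are assumptions.
TRUNK=eth1   # assumed: 802.1Q trunk toward the managed switch
WAN=eth0     # assumed: upstream interface

# vlan_setup_cmds ID ROUTER_CIDR: emit the ip(8) commands that create the
# tagged subinterface TRUNK.ID and address the router on it. Emitted rather
# than executed so the plan can be reviewed (and tested) without root.
vlan_setup_cmds() {
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$1" "$1"
    printf 'ip addr add %s dev %s.%s\n' "$2" "$TRUNK" "$1"
    printf 'ip link set %s.%s up\n' "$TRUNK" "$1"
}

# nft_ruleset: forward policy keyed on ingress/egress interface, so a host
# that changes its address still hits the same rule. Default is drop.
#   VLAN 1 192.168.1.0/24    open: WAN only
#   VLAN 2 192.168.5.0/24    kids: WAN only, isolated from every other VLAN
#   VLAN 3 192.168.10.0/24   work: reachable only from the VPN VLAN
#   VLAN 4 192.168.253.0/24  openvpn: WAN plus VLAN 3
nft_ruleset() {
    vlans="{ \"$TRUNK.1\", \"$TRUNK.2\", \"$TRUNK.3\", \"$TRUNK.4\" }"
    cat <<EOF
table inet vlanfw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $vlans oifname "$WAN" accept
        iifname "$TRUNK.4" oifname "$TRUNK.3" accept
        iifname $vlans oifname $vlans log prefix "vlan-cross-drop: " counter drop
    }
}
EOF
}

# apply_all: the only part that needs root on the router; not run here.
apply_all() {
    vlan_setup_cmds 1 192.168.1.1/24   | sh   # .1 router addresses assumed
    vlan_setup_cmds 2 192.168.5.1/24   | sh
    vlan_setup_cmds 3 192.168.10.1/24  | sh
    vlan_setup_cmds 4 192.168.253.1/24 | sh
    sysctl -w net.ipv4.ip_forward=1
    nft_ruleset | nft -f -
}

nft_ruleset   # print the generated ruleset for review
```

The logged cross-VLAN drops are what make a tag-hopping or misaddressed host visible in the router's log, which is the check DJ's "VLANs are suggestions" point asks for.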