[ale] VLANs for home with a Linux Router

George Allen glallen01 at gmail.com
Wed Jan 4 20:57:46 EST 2017


I'm still in the midst of a network rebuild here. I originally tried to use
ddwrt on an old linksys to provide vlans, used a MikroTik RouterBoard 260GS
that someone gave me for a while, and finally broke down and bought a
Ubiquiti EdgeSwitch.

The edgeswitch is great - does all the things you'd expect from a managed
switch, but it's vyatta under the hood. Bought it looking for a switch that
I can manage with ssh and keys, and eventually puppet or ansible... that
doesn't cost $$ like cisco.

The spanport feeds a Zotac running security onion with bro-ids, snort and
criticalstack feeds. I briefly had pfSense up on the Zotac running between
the inside and outside vlans on the switch, but moved it to a SmartOS VM
running on a NUC and haven't had time to get the trunk port setup right on
the SmartOS side. There are also zones set up for Splunk and ELK for playing
with logs and data.

The Ubiquiti Unifi gear is a bit more gui-driven and 'integrated' if you
connect their APs to their Unifi switch, but the EdgeSwitch and EdgeRouter
are vyatta linux on both, pretty straightforward and a great step up from
wrt if you're not going to do the networking from scratch in normal linux.

Has anyone set up squid with ssl-peek/splice or ssl-bump? Squid was the one
thing I couldn't get working right in pfsense - but it may have been
underpowered on the Zotac.

-George

On Mon, Jan 2, 2017 at 9:40 PM, Chuck Payne <terrorpup at gmail.com> wrote:

>
> On Mon, Jan 2, 2017 at 8:13 PM, Alex Carver <agcarver+ale at acarver.net>
> wrote:
>
>> On 2017-01-02 16:55, DJ-Pfulio wrote:
>> > On 01/02/2017 06:55 PM, Robert L. Harris wrote:
>> >> Linux firewall
>> >
>> > That can mean almost anything.
>> >
>> > VLANs are "suggestions", not security, unless there is physical
>> separation at
>> > some point.
>> >
>> > Better to segment the network using a different router port for each
>> subnet and
>> > separate "dumb" switches for each, as needed.
>> >
>> > This is actually how I do it, but with pfsense for the router. A normal
>> linux
>> > distro can do it, just tie the firewall rules to the specific
>> interface. Don't
>> > know about typical $20 home routers.
>>
>> If you have a router with something like OpenWRT installed then it can
>> handle tagging, too.  Otherwise it's probably easiest to get something
>> like a Ubiquiti EdgeRouter if an appliance is desired instead of rolling
>> one from scratch.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
> Like JD, I use pfsense, but I also have a Netgear GT748 switch that does
> vlans. I have four that my pfsense manages
>
> vlan1 192.168.1.0/24 things that can be open
> vlan2 192.168.5.0/24 things that are blocked ( my kids network, they have
> their only wireless network )
> vlan3  192.168.10.0/24 things that I need for work, they can be accessed
> via my openvpn
> vlan4  192.168.253.0/24 openvpn
>
> I know it's a bit much, but after catching someone spying on me this summer,
> I had to bring things out. With kids under 18, I feel much better that I am
> monitoring and blocking things. Like, my 5 year old finds youtube videos of
> things I'm not ready to talk about so easily; those are blocked now. The firewall
> logs are great. You can click on an ip and set up rules right there, in a matter
> of seconds.
>
> I tried to do this with openSUSE; they have a great firewall that is built
> in, but iptables rules can be hard to write. One thing that won me over more
> with pfsense was the fact that I had a hard fail on Saturday. I fired
> up a virt, took a backup that I had made and restored it; it installed all
> my add-ons (nmap, openvpnclient, darkstat, and more) without me asking. It
> read it from the config. I only lost two vpn accounts because they were made
> after my last backup. But I was only down for 15mins, and I have since
> replaced the drive and it's backed up with the updated config. Doing a fresh
> install of openSUSE or Debian usually takes much longer.
>
>
> --
> Terror PUP a.k.a
> Chuck "PUP" Payne
> -----------------------------------------
> Discover it! Enjoy it! Share it! openSUSE Linux.
> -----------------------------------------
> openSUSE -- Terrorpup
> openSUSE Ambassador/openSUSE Member
> skype,twitter,identica,friendfeed -- terrorpup
> freenode(irc) --terrorpup/lupinstein
> Register Linux Userid: 155363
>
> Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
> package and distribute , or create your own linux distro. Give SUSE Studio
> a try.
>
>
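A worked version of the Linux-router approach the thread circles around (create the VLAN subinterfaces, then tie the firewall rules to each interface rather than to addresses). This is an added example, not anything from the posters' own setups; it uses Chuck's four-VLAN layout as constructed sample data and assumes `eth1` is the tagged trunk port toward the switch and `eth0` is the WAN.

```shell
#!/bin/sh
# Added example (not from the thread): turn a four-VLAN layout into Linux 802.1Q
# subinterfaces plus an nftables forward policy that is keyed on each interface.
# TRUNK and WAN are assumed names; the VLAN table below is constructed sample data.
TRUNK="${TRUNK:-eth1}"
WAN="${WAN:-eth0}"

# id  subnet              role   (one VLAN per line; subnets assumed to be /24)
VLANS='1 192.168.1.0/24 open
2 192.168.5.0/24 blocked
3 192.168.10.0/24 work
4 192.168.253.0/24 vpn'

# Subinterface that carries a given role, e.g. "ifc work" -> eth1.3
ifc() { echo "$VLANS" | awk -v r="$1" -v t="$TRUNK" '$3 == r { print t "." $1 }'; }

# iproute2 commands: one tagged subinterface per VLAN, router owns .1 of each /24
vlan_links() {
  echo "$VLANS" | while read -r id net _; do
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$id" "$id"
    printf 'ip addr add %s.1/24 dev %s.%s\n' "${net%.0/24}" "$TRUNK" "$id"
    printf 'ip link set %s.%s up\n' "$TRUNK" "$id"
  done
}

# nftables forward chain: default drop, so a VLAN only reaches what is listed for
# its interface. Every VLAN gets the WAN, the work VLAN is reachable from the VPN
# VLAN only, and cross-VLAN attempts from the kids' VLAN are logged before dropping.
nft_ruleset() {
  printf 'table inet filter {\n  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  for role in open blocked work vpn; do
    printf '    iifname "%s" oifname "%s" accept\n' "$(ifc "$role")" "$WAN"
  done
  printf '    iifname "%s" oifname "%s" accept\n' "$(ifc vpn)" "$(ifc work)"
  printf '    iifname "%s" oifname "%s.*" log prefix "kids-crossvlan " drop\n' \
    "$(ifc blocked)" "$TRUNK"
  printf '  }\n}\n'
}
```

Run `vlan_links | sh` and `nft_ruleset | nft -f -` as root on the router; because the policy keys on `iifname`/`oifname`, a host that spoofs an address from another subnet still only gets the rights of the VLAN port it is actually on.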