On 28/11/2021 15:22, d...@d404.nl wrote:
On 28-11-2021 15:36, wirelessduck--- via Dng wrote:
On 29 Nov 2021, at 01:07, tito via Dng <dng@lists.dyne.org> wrote:
On Sun, 28 Nov 2021 07:20:14 -0600
o1bigtenor via Dng <dng@lists.dyne.org> wrote:
Greetings
In anticipation of a fiber optical connection (moving from a wireless) I have been planning out and purchasing some bits of hardware. Am finding that networking is, at least sure seems to be, another black hole for time and effort.
TL;DR (skip to last paragraphs for the question(s))
At present this is a soho office kind of installation but that will slowly be morphing into something that is at least somewhat larger. There are a number of input sensor locations being worked on, some of which would be generating, initially at least, up to 15 data streams sampled possibly every second (some maybe more often - - - decisions aren't all done as yet) so there will be a fair amount of data running around on my network which I'm trying to keep largely a wired affair.
At this point I'm working on the three entry bits of hardware (and their software) - - - the router, hardware firewall, and the managed switch. The initial hookup on the fiber system is going to be at 250 Mbps symmetric.
For the router I'm planning on using OpenWRT running on a Nanopi r4s which according to the folks over on openwrt is capable of even very close to full Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom for future increases although I don't see a need for the foreseeable future.
For the switch I have found myself a ZyXEL 1900-48 that I'm working on getting OpenWRT on. This ability to run a managed switch on OpenWRT is somewhat new but it's open source and I'm not tied (I don't think) to OpenWRT - - - - except I don't know any other real alternative - - - so that's not a difficult solution either. I don't 'need' 48 ports but I have 16 at present on a hub and it's almost full and that's for stuff only here in the orifice (sic!). I also want the capabilities of forcing streaming services and wireless communications to not collect any more data from any other part of the network (using VLANs) as is possible.
Then lastly to the hardware firewall.
I've been looking at pfsense and opnsense. Both are ipv6 possible although both are mostly focused on ipv4 at the present. IPfire seems to have gotten itself into a holding pattern and is not continuing work toward ipv6 functionality. Any one of these options is producing headaches when I'm trying to figure out how to configure them - - - nothing installed at present, just researching so far.
So - - - - questions - - - -
1. is my splitting the network system into the three parts a good idea or should I truncate parts 1 and 2 into the router? If you would please give reasons - - - please?
Hi,
If you want to have reliability splitting is good, if the router breaks you still have a working firewall and switch and so on.
If you want also some redundancy you should think of buying two of everything:
2 routers
2 firewalls
2 switches (2 x24 rather than 1x48 ports)
I personally prefer x86 hardware for this kind of thing; when I see little boxes like the Nanopi R4S they make me think about toys. In my case sadly I'm tied to adsl over pots so for the modem I still need to use these little plastic blackboxes.
In your case I would swap the nanopi for a nice mini-itx board with intel nics, a sfx/flex psu (or pico psu), 4-8 gb of ram and a well ventilated case (with low noise Noctua fans).
2. are there any good sources for information on and about networking?
debian has moved to nftables from iptables - - - is devuan doing similar?
I think so.
Where does one find information to enable a firewall that works yet isn't stupid?
I use arno-iptables-firewall. It is easy to create a basic setup for your network, reliable, comes with good defaults and can easily be tweaked (for port-forwarding, vpns, geoip filtering and so on; don't know about vlans as I don't use them yet).
(I've wondered about having some kind of easy 'switch' that when users left their systems that the system wouldn't be calling home in the overnight at least a la ms googly. Dunno if that's 'simple' or not - - - so much to learn and so little time to do it all in!)
TIA
Ciao,
Tito
I’ve just finished setting up a new router using PCEngines APU2
(apu4d4 model) with OpenWRT. Uses x64 AMD Embedded G series GX-412TC
and has 4x Intel i211AT Ethernet ports. It also runs a Coreboot bios
and I can see regular bios updates approximately monthly. The
coreboot bios and AMD CPU were the main reasons I picked this over a
Qotom box. It’s also fanless which is good for a quiet environment.
The only downside is having only serial console output so you need a
serial cable or serial-usb cable for the initial setup or bios
configuration changes. Thankfully subsequent bios updates can be done
with OpenWRT via flashrom.
https://pcengines.ch/apu2.htm
https://pcengines.github.io/
https://teklager.se/en/knowledge-base/openwrt-installation-instructions/
--
Tom
Interesting this PCEngines hardware! I did have Qotom hardware with
pfSense but it failed after a few years. Now I am using a fairly old
Fujitsu with an AMD G-T56N processor and two Realtek network interfaces
which is supposed to be low powered < 10W.
I prefer pfSense over OpenWRT but that is maybe more a habit. Although I do
have a wireless AP from Netgear with OpenWrt. But I too certainly
prefer X86 hardware with Intel Ethernet ports for a firewall.
One reason for my pfSense preference is the possibility to backup your
configuration and restore it on other hardware in minutes. The fork
OPNsense looks good to me too but I do not have real life experience
with it.
Grtz.
Nick
I prefer Devuan 4.0 running on Sophos XG 115 (Rev 3) hardware (under 10
watts) with my iptables firewall rulesets that I have developed over the
last 10 years tweaking and honing and which have survived several penetration
tests from well-known (in the UK at least) security companies.
Personally, I don't want to use OpenWRT, pfSense or whatever when I have
already had 10+ years involvement in developing and implementing 'rock
hard' solutions using native iptables ... YMMV ;-)
Mike
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
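The thread asks three practical things: how a Devuan box might express "a firewall that works yet isn't stupid" now that Debian has moved to nftables, how VLANs can keep streaming and wireless gear away from the rest of the network, and whether an easy overnight "switch" to stop machines calling home is feasible. The script below is an added example written for this page; it is not code from any poster, from arno-iptables-firewall, or from OpenWRT/pfSense. It generates a default-deny nftables ruleset for a router with a WAN port, a trusted LAN and an isolated VLAN, and keeps a named set (`curfew`) whose members are refused internet access, so a cron job can add and remove subnets at fixed hours. Interface names, VLAN id and subnets are assumptions; adjust them through the environment variables.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any project named in it.
# Generates an nftables ruleset for a small router/firewall:
#   WAN_IF  - upstream (fiber) interface
#   LAN_IF  - trusted wired LAN
#   IOT_IF  - tagged VLAN carrying streaming/wireless gear, isolated from the LAN
# All names and subnets below are illustrative defaults (assumptions).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IOT_IF="${IOT_IF:-eth1.20}"          # VLAN 20 on the LAN port (assumed)
LAN_NET="${LAN_NET:-192.168.10.0/24}"
IOT_NET="${IOT_NET:-192.168.20.0/24}"

# Print the ruleset to stdout. Load it with:  gen_ruleset | nft -f -
gen_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    # Prefixes in this set are denied internet access (overnight "switch").
    set curfew {
        type ipv4_addr
        flags interval
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # Services the router itself offers: ssh only from the trusted LAN,
        # DNS and DHCP from both the LAN and the isolated VLAN.
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
        iifname { "$LAN_IF", "$IOT_IF" } udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Curfew check comes before any accept rule so it cannot be bypassed.
        ip saddr @curfew oifname "$WAN_IF" drop
        # Trusted LAN may reach the internet.
        iifname "$LAN_IF" oifname "$WAN_IF" accept
        # Isolated VLAN reaches the internet but never the LAN (explicit drop
        # documents the intent even though the chain policy already drops).
        iifname "$IOT_IF" ip saddr $IOT_NET oifname "$WAN_IF" accept
        iifname "$IOT_IF" oifname "$LAN_IF" drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Sanity check before loading: every base chain hooked at input or forward
# must be default-deny. Returns 0 when the generated ruleset passes.
check_default_deny() {
    gen_ruleset | awk '/hook (input|forward)/ && !/policy drop/ { bad++ }
                       END { exit bad ? 1 : 0 }'
}

# Build the nft command that turns the curfew on or off for one prefix.
# Example cron lines (assumed schedule):
#   0 23 * * * $(curfew_cmd on  192.168.20.0/24)
#   0  6 * * * $(curfew_cmd off 192.168.20.0/24)
curfew_cmd() {
    case "$1" in
        on)  echo "nft add element inet filter curfew { $2 }" ;;
        off) echo "nft delete element inet filter curfew { $2 }" ;;
        *)   echo "usage: curfew_cmd on|off <prefix>" >&2; return 2 ;;
    esac
}

# Syntax-check with nft itself (only when the tool is installed), then load.
load_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    gen_ruleset | nft -c -f - && gen_ruleset | nft -f -
}
```

Run `check_default_deny && load_ruleset` as root on the firewall host; `nft -c -f -` parses the ruleset without applying it, so a typo is caught before the live tables are flushed. The curfew set is the part that answers the "easy switch" question: rules never change, only set membership does, which is a single atomic `nft add element` / `nft delete element` from cron or from a script bound to a button.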