Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Mastering your home network - Do It Yourself

871 vues

Publié le

Mastering your home network - Do It Yourself

Publié dans : Internet
  • Soyez le premier à commenter

Mastering your home network - Do It Yourself

  1. 1. Mastering your home network stack with SOHO pro hardware
  2. 2. Main Course  1°) Throw away your ISP "box", use a basic modem/ONT  2°) Buy a real hardware router  3°) Buy your other network hardware (Wifi AP, switch, wires, adapters, etc...)  4°) Plug-in and master everything  VLANs (802.1q)  QOS, traffic shaping, load balancing, 802.1p prio  Custom routing rules and routing tables, VRF, MPLS  VPN to external sites  BGP / OSPF advanced dynamic routing  ...
  3. 3. ISP CPE (Box)
  4. 4. What, why ?  Internet Service Provider (ISP) deliver "BOXes" as Customer Premises Equipment (CPE) of their network  They want their customer to plug-and-play  Those BOXes, are very cheap and locked hardware  In a word, they are poor  Don't trust the marketing song of your ISP  They work for very basic usages  They are usually not very secured  https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les- modems-sfrnumericable
  5. 5. Why change ?  To master things from A to Z  To support more devices (IOT, domotic, servers) in your house  If you have many devices, better get rid of your box  If you need input traffic (self hosted infrastructure)  If you want to push security further (IOT ?)  If you want to load-balance with several ISP  If you want to peer with other trusted people (through VPN)  And create/manage your own Internet  If you need security (through IPSEC f.e)
  6. 6. In a picture
  7. 7. In a picture
  8. 8. As a reminder  Protocols are open  You should be able to change any hardware, by another (from different brand)  As soon as it talks the same protocols, it must work  Some ISP don't follow RFCs for some protocols  That makes you have to use DPA/DPI  That makes you have to patch your stack
  9. 9. My own experience
  10. 10. My experience, my knowledge, my shares  Actually at home...  I own several different Internet provider connections  IP failover, advanced routing scenarios, traffic shapping and QOS  Dual stack IPV4 and IPV6  Separation of input and output streams  I have several machines and wifi networks  I have no more "boxes"  I'm VPN linked with other guys doing same stuff as me  I'm hosting some public Internet services (DNS, HTTP, etc...)
  11. 11. Using a modem in place of your box
  12. 12. Getting rid of your box  To trash your box, you need a modem, depending on the technology provided.  ADSL  Then you can plug-in an ADSL modem  Cable (DOCSIS)  You may use a DOCSIS modem  Fiber ONT based  You can plug-in using RJ45 or SFP  Fiber Raw mode  You may plug-in using an SFP adapter
  13. 13. Notice  I talked about modems to manage input ISP stream, not routers  Many modem actually can/do route  Do not use their router ! !  We must use the modem just to convert the signal, into an RJ45 socket  Then, we'll plug our RJ45 RAW Internet cable, into our own router, of our taste  Buy the "simplest" modem, if possible, with no router inside  Mind the chipset (Broadcom are good)
  14. 14. ADSL modem IN OUT
  15. 15. DOCSIS modem IN OUT
  16. 16. Fiber external ONT IN OUT
  17. 17. Fiber, RAW SFP socket Fiber IN
  18. 18. Bridging the box
  19. 19. Keeping your box, at a minimum  You dont want to buy a modem ?  There is a solution of keeping your provider box  But only use it as a modem !  Disable anything else, but the modem  Especially : disable their shitty slow/unsecure poor router  This is called the "bridge mode" (L2 bridge)
  20. 20. Box as a modem : bridge mode  2 scenarios (2018) :  Your box can be bridged (L2)  SFR/Numéricable LaBox  Freebox  Everything is then all right  Your box cant be bridged (L2)  Others (Orange, Bouygues)  You'll need to buy a modem  Or suffer from horrible network stack (DMZ, or Double-NAT)  If fiber technology, you should use ONT or Raw SFP
  21. 21. ISP Box Conclusion  Ask to run the box as a modem, not a router (bridge mode)  If possible : you can keep your box  Free - SFR  If not possible : you must replace it by custom hardware  Orange - Btel  Dont use the box router (router mode)  Other alternative ISP exist
  22. 22. I got my Internet plug !  Bridged-box or custom modem , now , your Internet connexion is arriving through one cable  It is time to route it and start doing some network stuff 85.2.208.135* 2a01:ca:b5ee:ed::/56* * : example provider IP
  23. 23. Router
  24. 24. Router  Pay the price : the heart of your network  Too many references on the market  Do not choose a general purpose low level brand  Linksys, tp-link, netgear, etc...  Don't blindly trust marketing  Those are not really better than ISP box  Poor hardware  Not many customization  No routing protocol management  No VPN possibilities, or weak ones  In a word : low-level entry market products (even "advanced" ones)
  25. 25. Professional router brands  Turn to professional dedicated hardware brands  Datacenter hardware is not for your usage and cost  SOHO is what you need : Small Office Home Office hardware  SOHO are not that much expensive (60€ to 1000€)  The smallest SOHO router starts by about 60-80€  2 kinds  Open , based on Linux or Unix stacks  Ubiquiti (Debian based) ; DDWRT, Turris Omnia, others ...  Closed, based on custom OS (Unix derivated often)  Cisco's IOS , Mikrotik's RouterOS , Juniper's Junos, etc...
  26. 26. My experience  I run Mikrotik for router and wifi spot  Professional hardware  "RouterOS" is the name of the OS  Not open source  Based on Linux Kernel  Full of features, stable, maintained  Licence pricing is really good  Perfect for advanced networking at home or for small businesses (SOHO), with a clearly reasonnable pricing  I run Ubiquiti for switch  Perfect balance in price / usage for SOHO
  27. 27. Ubiquiti routers  Ubiquiti is another trade providing Debian based hardwares
  28. 28. Turris Omnia router  Again, Linux based  OpenWRT
  29. 29. Mikrotik  https://mikrotik.com/  https://routerboard.com/  Size your needs  Prices go from 60$ to 4000$ per unit (L3 routers)  Basically, the CPU and RAM will increase the price  If you need VPN, QOS or high traffic firewalling, take care of CPU and RAM  Mind the hardware dimensions  Some are small devices, some are 1U rack sized
  30. 30. Mikrotik example routers  https://routerboard.com/RB2011iL-IN  ~ 100€
  31. 31. Mikrotik best starter product
  32. 32. Mikrotik example routers  https://routerboard.com/RB1100AHx2  ~250€
  33. 33. Mikrotik example routers  https://routerboard.com/CCR1009-7G-1C-1SplusPC  ~450€
  34. 34. Wifi ?  Don't fear the wifi.  Wifi support will be added to our stack thanks to Access Points (AP)  Usually better than embeded router wifi
  35. 35. Router quick tour  Every port can be wired independently  Some devices provide switch chips  Some devices provide Wifi  It's better to use dedicated hardware for such tasks  You basically tell each port what you want it to do  1/ You create L2 and L3 links  2/ You arrange routes  3/ You secure everything with the integrated firewall  4/ You control traffic bandwidth with queues and QOS
  36. 36. Quick example WAN Servers LANHome LANHome LAN
  37. 37. Quick example 192.168.1.0/29 192.168.0.0/28192.168.0.0/28 93.235.6.18
  38. 38. Quick example 192.168.1.0/29 192.168.0.0/28192.168.0.0/28 93.235.6.18 VPN 192.168.1.100/32
  39. 39. Dedicated switches  The problem with routers is that they are not good switches  They may do the job, but take care of not going through the CPU for switching purposes  Tip : bridges trafic often go through CPU  Buy the right hardware for the right purpose  For full L2 switching, nothing beats switch ASICS
  40. 40. Using a dedicated switch 192.168.1.0/29 192.168.0.0/28192.168.0.0/28 93.235.6.18 VLAN trunk
  41. 41. Even better with 802.1ad LACP 192.168.1.0/29 192.168.0.0/28192.168.0.0/28 93.235.6.18 VLAN trunk LACP
  42. 42. More complex setup provider #1 provider #2 provider #1 TV stream provider #2 SIP stream IP cameras computers NAS Iots
  43. 43. RouterOS
  44. 44. RouterOS  A full Network OS  You must familiarize with it  You must have strong general networking knowledge (master OSI, master TCP/IP and common protocols at several layers)  RouterOS supports  Firewalling - IPSEC - Routing - Switching - MPLS - VPN - Wireless - DHCP - Hotspot - Bonding - QOS(HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS - TFTP - PPP,ISDN - Bridging(STP/RSTP) - Telnet/SSH - Packet Sniffer - Ping flood - traceroute - Scripting - File fetch - Trafic generator - SOCKS - ...  In short : many advanced technologies in one box  Have a look at the licencing details
  45. 45. RouterOS details  You may access RouterOS using :  Web HTTP-HTTPS access  SSH / Telnet, using command line  WinBox (Windows GUI tool)  Console port (special cable needed)  FTP-TFTP for internal storage access  An HTTP interface demo exists online  At http://demo.mt.lv  Documentation  https://wiki.mikrotik.com/wiki/Manual:TOC
  46. 46. RouterOS book
  47. 47. WinBox GUI
  48. 48. Let's go for our first simple example
  49. 49. Let's go for our first simple example Distributing Internet at home
  50. 50. Very simple Internet sharing setup Gigabit switch 1 WAN modem PC1 PC2 Ethernet switch 2 (unused)
  51. 51. What we need  Isolate port 10 (eth10) from switch 2 : this is WAN  Use full switch 1 by bridging ports together  Associate a dhcp-client to eth10 (Wan) if ISP doesn't provide fixed IP  Create an IP and network for the full switch 1 (LAN)  Let's choose 192.168.0.0/28  Let's add it a DHCP-server  Create a source NAT on eth10 for LAN traffic to be NATed over WAN
  52. 52. GO
  53. 53. We have a simple setup :-) DHCP client 98.2.245.78 192.168.0.14 network 192.168.0.0/28 DHCP server 192.168.0.1192.168.0.2 NAT masquerade Routing table : 0.0.0.0/0 -> 98.2.245.1 98.2.245.0/24 -> eth10 192.168.0.0/28 -> switch1
  54. 54. Linux utilities and network debugging tools  mtr  ipcalc  iperf  nmap  ethtool  And of course :  tcpdump / wireshark  switch port mirroring  TZSP
  55. 55. SECURITY
  56. 56. Security foreword  If you want to design your own network from scratch , you are responsible of your own security  Bad firewall configuration will lead into security breaches in your home, from external , through the wires.  Take care  Secure your network like your secure your home  Lock doors  Take care of basement, windows and other ways to reach you  Think about everything
  57. 57. WAN security  Your WAN part is directly connected to Internet  You'll then start experiencing attacks to your external IP  You must now protect yourself  From WAN input traffic , that's the basics (IN)  From your own untrusted output traffic, that's optional (OUT)  Welcome FIREWALL
  58. 58. Firewall filter chains  Input  Traffic which dest-addr is one of your router's  Forward  Traffic flowing through your router (which dst-addr is routable and not one of your router's)  Output  Traffic generated by the router internal OS, which src-addr will be one of your router's  "FooBar"  You can create as many custom chains as you want
  59. 59. Firewall : main rules  One rule targets one chain (not zero, not several : one)  Input  Forward  Output  Xyzbaz : custom chain (you can add infinite custom chains)  For every chain, rules are ordered  If rule 3 breaks the chain (by DROPing for example), then rule 4 and others won't be triggered  Rules can jump  You can say "rule 3, match packets XXXX and jump to chain ZZZZ"  You have to carefully follow the packet path into your head  Don't get lost !
  60. 60. Firewall perf  We use connection tracking firewall here  Activated by default. Can be setup (connection lifetimes)  Raw firewall is available too  If you don't organize flows the right way  You'll burn your CPU as traffic increases  Organize rules (they are ordered in lists) cleverly  The most likely to happen should come first  To some point, you'll need better hardware (CPU and RAM)  Time to upgrade then  At 1Gbps per link, that can increase very fast according to needs
  61. 61. Let's add our firewall rules
  62. 62. Accept ICMP  Don't blindly block ICMP  Internet Control Message Protocol  A good engineer does not blindly block all ICMP traffic  ICMP is used to debug your router and networks  Mainly using "ping" or "traceroute"  ICMP is used to debug IP  "network unreachable", "admin prohibited", "frag. needed"  Thus ICMP helps router and OSI 4 protocols (TCP)  ICMP is mandatory to IPV6 (cant work without it)
  63. 63. Or at least, control ICMP  You may suffer from ICMP attacks  Then you may limit ICMP traffic to some rate  Or you may classify ICMP traffic  http://www.nthelp.com/icmp.html
  64. 64. Drop Invalid  Invalid packets are packets which present themselves as being part of a non existant connection  Not seen before by con-track firewall  Basically : traffic injection attempts / attacks or replays  Or networking problems  (Advanced routing protocol could suffer from that  We don't care at our level )
  65. 65. Accept established  Established are packets from whom router knows something  Basically : this is the way-back return traffic  This rule is very useful to match the return traffic and not block it  You can blindly assume that you accept packets comming from connections you did create or accept, right ?  This rule will as well reduce firewall CPU pressure
  66. 66. Accept forwarding  As a router, your role is to forward packets from one interface to another  Using routing tables  Let's accept default forwarding  This is by default  But adding a rule will allow you to remember that  And to collect statistics about it
  67. 67. Firewall jail
  68. 68. Firewall jail  Simple : you program the firewall so that you lock yourself out of the box.  Like when you close your front door, with keys in the lock on the other side  WARNING  It is easy to lock yourself out of your box  Always, keep that in mind while firewalling
  69. 69. Firewall jail example  "For every INPUT , DROP it"  You just locked yourself out !  Connection will immediately get lost  4 solutions :  Reset your router ( pay the price ! )  Access using console port (you'll need a special console wire)  Prevent it by yourself opening a hidden door (a special port)  Use an embeded anti-lock system  Vendors usually provide anti-lock systems  Mikrotik provides two of them
  70. 70. Open a "hidden" door by yourself  Here, eth9 can be used to connect to any router IP and access your router  This assumes you have a physical access to it  This assumes you open firewall in input using "in-interface" match
  71. 71. Let's protect ourselves  Accept Input from trusted 192.168.0.0 network  Accept input from your fail-over interface  And deny Input from everywhere else  Reminder : Input means your router itself, not any else machine
  72. 72. Reject Ip private ranges ("bogons") on ISP outputs  Also, you may blackhole/reject private IP routes (called "bogons")  RFC 1918 ranges and others  This may mitigate some DOS attacks and prevent private ranges from leaking to your ISP gateway  This is a well known network good practice for routers
  73. 73. We are done :-)
  74. 74. Break, zoom out
  75. 75. What we got  We got a customized router that  Gets its WAN IP using DHCP on a port connected to ISP modem  Has an IP on a LAN segment (192.168.0.14/28)  Provides a DHCP server on the LAN segment (192.168.0.0/28)  Has an src-nat masquerading rule to allow LAN to access Internet  We got a customized firewall  Allows traffic from the LAN segment and a fail-over interface  Denies traffic from everywhere else (including WAN)  Detects scan attempts on WAN interface, and ban them  Isn't it cool so far ? ;-)
  76. 76. Advanced usage and techniques
  77. 77. Wifi and VLANs Advanced usage and techniques
  78. 78. VLANs  Virtual LANs , 802.1Q  Allow several LAN to pass through  The same switch segment (L2), same switch ports  Very useful to isolate traffics  But still keep them in the same physical cables  High security and performance  VLAN A cannot communicate with VLAN B (in L2 , but L3)  Each VLAN has its own broadcast domain  QOS possible (802.1P)  Class Of Service possible / Traffic Priorisation
  79. 79. VLAN example  Each VLAN shares the same physical switch/ports  But two VLAN cant communicate with each other at L2 VLAN200 VLAN100
  80. 80. VLAN use case example  Let's isolate our 192.168.0.0/28 network for us : private network (untaggued)  Any unknown soul connecting will be assigned special VLAN100  Let's connect a wifi AP , distributing those 2 VLANs :  SSID "my-private-network" : untaggued  SSID "my-public-network" : taggued in VLAN100
  81. 81. Wifi with VLAN VPN LAN WAN Untrusted input NAT VLAN 100
  82. 82. AP on LAN  If you bridge your AP on LAN, it will be given an IP by your DHCP-server  And it will serve clients on the LAN segments  Just all right 192.168.0.0/28192.168.0.0/28 WAN
  83. 83. AP with VLAN public wifi private wifiprivate wifi private LANprivate LAN WAN
  84. 84. Adding the VLAN  Add a new VLAN on our bridge  VLAN ID = 100
  85. 85. Adding the IP  Add an IP to the router on this VLAN  Let's choose 192.168.1.14  Let's choose a network of 192.168.1.0/28
  86. 86. Adding the DHCP server  Let's add a new DHCP server so that clients connected to this VLAN will be given some network conf  192.168.1.1 to 192.168.1.13 (/28 network)
  87. 87. Allow VLAN to access WAN  Let's NAT it to give it Internet (WAN) access
  88. 88. Et voilà
  89. 89. Connecting to a second ISP (multi-homing) Advanced usage and techniques
  90. 90. Connecting to a second ISP  If our ISP goes down, we won't have Internet access any more :- (  Why not apply to a second ISP ?  Prices are cheap nowadays, we really can afford it  Or even more ? 3 ISPs ?
  91. 91. A second ISP LAN WAN1 NAT VLAN 100 LAN WAN2
  92. 92. A second default route ?  ISP == Internet access , let's add then a second default route  The route "distance" metric tells which one to use when several routes exist for the same target  The smallest distance will be prefered  With such a setup, if one ISP goes down, the router will automatically, and transparently route traffic to the other one  We got a fail-over setup :-)
  93. 93. Security with several ISP  Now, pirates have a second door they can fire in  A nice solution to that, is to group both ISP interfaces (eth9 and eth10) into an interface group  And use this group into the firewall WAN1 WAN2
  94. 94. Wait ....  Our setup actually has a big problem ...
  95. 95. Asymetric routing and connection stickyness  If one incoming connection (to one of our server f.e) comes from ISP #1  We must be sure answer will leave our router back to ISP #1  If it leaves through ISP #2 , as we NAT the output, the packet will get dropped by the destination  And that will leak our ISP #2 IP to our destination  We need sticky connections  We'll use the firewall mangle to perform that step
  96. 96. Setting up sticky connections  Mark for internal network (forward)  Mark also for router traffic (input / output)
  97. 97. Balancing traffic through ISPs  Instead of fail-over, you can also balance the output traffic  If you want to balance with no specific rule, use an ECMP route type  You add one route, but several gateways for them  ROS will balance using an L3 balance policy
  98. 98. RouterOS Other ideas and scenarios
  99. 99. Children VLAN  Children at home connect to their own VLAN  Manual config, MAC fixed config or 802.1x advanced authentication  Only activate forward to Internet at fixed hours  Time for bed ? Internet "disconnects itself"  Easy to ban an IP or a MAC for some time  "Do your homework first"  L7 filter (high CPU needed)  Deny L7 keywords : "facebook" , "war", "sex"  Deny protocols : p2p, torrent, etc...  Traffic limit (Only 3Mbps down and 1 up [, from 11am to 5pm] )  L7 HTTP interception (transparent proxy) and filtering
  100. 100. QOS  Route TV VLAN and VOIP (phone) VLANs independently  QOS traffic at L2 or L3  Allocate bandwidth dynamically  Prevent IGMP Snooping broadcasts
  101. 101. Automation  Add IP Cameras or any full automation system  Isolate L2 using VLANS  Secure with 802.1X (Radius auth, auto VLAN assignment)  Route L3  Implement aggressive security for your IOT  Control everything easily , remotely
  102. 102. Ideas  For this connection, drop one packet out of XXX  Script X to be dynamic  Randomly drop packets  Blackhole IP or even AS  Deny access to whole networks at routing level  Anti DDOS useful technics  Give network access only through specific time spans  Detect attacks, block attakers, limit bandwidth with queues
  103. 103. Thank you for listening

×