Subnetting is something else: dividing one network into several sub-networks (subnets).
What you want are two networks connected by a router. So your approach is already correct.
One thing to keep in mind: if you want to access the WG (shared flat) network from your private network and use host names, your router has to use the "WG router" as its DNS server. If you don't want that, e.g. because you want to use your own DNS entries, then you have to enter the records for the WG network yourself on your private router.
DHCP in both networks is not a problem, since DHCP servers normally only operate within one network and are not routed without special configuration. You just have to make sure that you configure different address ranges, i.e. the router in the WG network hands out IP addresses in, say, the range 192.168.1.0/24 and your private router in the range 192.168.2.0/24.
A cheap plastic Wi-Fi router is enough for that. But if at some point you decide that at least one person should get access to the NAS, then you need a firewall for your private network. For example IPFire on an ALIX board; with that you can control exactly who (which IP) from the WG network is allowed to access resources in your private network. This option is somewhat expensive, around 200€ depending on the hardware. But you can also learn a lot about networks that way. The internet speed itself is not affected. The WG router has to forward the packets to/from your private network in principle just like the packets from your flatmates' network devices.
IPFire: OK, more of a distribution, but it's reduced 99% of the headaches I had with shitty modems and self-hosting.
Not to mention it's allowed me to do more tricky things like:
Details: In the process of converting all Cat5 runs to Cat6a.
Just upgraded to a much higher speed cable internet connection.
Top to bottom:
Future (near): have all Cat6a runs enter this room, bundle them neatly and manage them into a Cat6a patch panel.
Most of the messy wires going into the Linksys will be replaced with 1 foot Cat6a patch cables from the patch panel to the Linksys.
Add a Blue network (WiFi subnet) to the existing Red, Green and Orange (DMZ) networks.
I don't own any R-Pi's yet actually. :D It's a Core2 Duo T7200 on a Kontron 986LCD-M board with an extra Intel PCI NIC. Running IPfire with UpdateAccelerator and a few other things enabled. It runs my gigabit fibre connection just fine. I've actually had more issues with the FlexATX PSUs I've bought dying after a couple of years.
I still like the atom processor because many are free of Spectre problems. Unfortunately, the Linux folks are hell bent on burying the 32 bit platforms.
Used atoms are being ripped out of industrial installations right now. They aren't expensive.
Here's a good distro with a GUI Tor install: https://www.ipfire.org/
It continues to amaze just how many people will walk around that nail on the parking lot instead of picking it up so someone doesn't get a flat.
If you want Tor benefits, you should run a relay. Here's an easy build with automatic installation and a GUI: https://www.ipfire.org/
You should know that network configuration and monitoring is somewhat complex just by nature. There are some Linux distributions or custom firmware packages that add some features to make management easier, but in general you still have to have some level of knowledge about what's going on and how to ask the right questions.
Here's a firewall distribution that is somewhat user-friendly: https://www.ipfire.org/features
Also, I'm not sure what you mean by "remotely change network name".
Off the top of my head I'd suggest a RasPi. DHCP hardly consumes anything. But from the description it's apparently not supposed to be 'just' a DHCP server after all. NAT is a whole different ballgame.
How about IPFire for the job instead of cobbling something together yourself on a Debian base?
I just finished wiring the whole house to connect all the devices to gigabit ethernet. The wireless connectivity is minimal, only for cell phones and a few IoT devices in close range of the wireless router (ISP-1) through the Guest-Wifi functionality that it provides, which is in fact a vlan. So for now, expanding the wireless range is not a concern for me.
I am very interested in learning pfSense; in fact the modest server in my diagram has a virtualized IPFire, but until I have the appropriate knowledge, I need a safe environment where I can practice without compromising the availability of the network for my family.
My goal is to achieve, through proper segmentation, the isolation of the subnets between the three firewalls. I still don't know exactly how to do it, but I'm looking for opinions that confirm or deny this possibility.
Like any enthusiast I feel the constant urge to buy more and more equipment, but if I don't start with something, with what I have, I do nothing but buy and procrastinate. I hope someone can confirm that this doesn't only happen to me (lol).
Zeronet is an honest effort, and it will get better over time.
It's time for the freedom loving to crack open their wallet and build seeders. Walk the walk. Requires only an old laptop and time.
Extra points for those who build Tor relays like this one: https://www.ipfire.org/
And once LOKI gets released - time to build for it too.
It would be wonderful if Cloudflare just died.
Hello echtIrre,
excellent! Which Linux distribution do you use, and which virtualization software?
However, I want to keep using Windows stand-alone and am considering experimenting with IPFire in the new year. That should be doable with a Raspberry Pi too.
Since there's only silly stuff on the Windows machine, the occasional manual backup to a USB stick is enough for me.
Veeam Agent is supposed to be good.
I wouldn't back up anything important in a cloud either.
Regards!
Depending on the provider, they can or will install an RJ45 plug (regular network port) instead of a coax run. I have had them do this for me at every install I've had. From there I use an older PC to run IPFire (https://www.ipfire.org/); it's a pretty easy-to-use and easy-to-set-up firewall/router that is also pretty powerful.
There are tons of nice little programs that do just that, and more. Most of them also act as a pretty good firewall and have other features, like a caching proxy and tons of other nice features out of the box. I can recommend IPFire in that case. The best thing is, this kind of software mostly runs on cheap low-power hardware. Just check it out here: https://www.ipfire.org/
IPFire: https://www.ipfire.org/
Update accelerator: https://wiki.ipfire.org/configuration/network/update-booster
Judging by the wiki, this add-on is now part of the base install of IPFire, and just needs to be configured on the admin web page after install.
Doesn't get easier. You build this firewall, then use Pakfire to install your relay. If I remember correctly, it even opens the ports you need.
Grsec and PaX hardened. No bloated code, as this is purpose-built to be a router.
I think you're on to something here. Suppose you're looking for a carefully built and tested prototype or "reference design" you can cookie cutter anywhere with the assurance no dangerous mistakes found their way into it?
A nice standardized safe design...
Have been looking for that too. Never found one. Appears you are truly on your own here :( And I can't figure out how this happened.
DID find a nice hardened relay design tho: https://www.ipfire.org/
Punch a single button - it becomes a Tor relay.
Thanks, it's always important to set appropriate expectations… Otherwise the hate mail rolls in.
If you use a popular/common distro, squid is available from most repositories as-is. On an rpm & systemd based system, you can have a test bed up and running very quickly (less than five minutes) with the above config changes and the following two commands…
# dnf -y install squid
# systemctl start squid
Macintosh probably has squid directly available too, or if not, via Homebrew. As for Windows? It might be easiest just to run a virtual machine with a minimal install of a popular Linux distro, or a ready-made router appliance like IPFire, which makes squid available with a web-based UI to manage it.
Take a look at this: https://www.ipfire.org/
A grsec-hardened router with a checkbox to install your Tor relay. Shove it into a DMZ and you're done (or use it as your primary router).
Easiest way: https://www.ipfire.org/
You click on the Pakfire feature installer, and your box becomes a grsec-hardened relay. Just put it inside a demilitarized zone on your router and you are done.
Save yourself some hassle. A complete hardened Tor relay with automatic setup: https://www.ipfire.org/
I would suspect that an older 64-bit Atom is ideal, though 32-bit runs also.
Some of those older Atoms are immune to the Spectre processor bug. May not be an issue with more powerful motherboards... but the Atom takes all possibilities for that flaw off the table.
Virtually every processor manufactured over the last 30 years has that Spectre flaw.
Thank you for the response.
> Makes it easy on you. GRC hardened: https://www.ipfire.org/
Sorry what does this mean?
> you will need to purchase a SMARTDNS subscription
I searched for SMARTDNS and found several websites offering this, are you referring to a specific one?
> Armies of lizardpeople descend on businesses every day peddling "Baracuda box snake oil"
Wait, what is this???? Sorry I don't understand.
> I hope you read this and just get mad enough to setup your relay.
To be honest you've made setting up a non-exit relay sound really scary. Did you mean that I should get mad because streaming providers and business websites will block me, and set up a relay as a response???
Makes it easy on you. GRC hardened: https://www.ipfire.org/
Your home IP address will be blocked by many streaming providers (all of them are morons), so you will need to purchase a SmartDNS subscription. SmartDNS reroutes your streamer to a different residential IP address. A conventional VPN will not work.
Armies of lizardpeople descend on businesses every day peddling "Barracuda box snake oil". And the blocking lists they provide subscribers include all Tor middle relays. So some businesses may block you too.
Not a real problem; you should be using a VPN for clearnet access anyway. But it can be annoying when you forget this fact :)
I hope you read this and just get mad enough to set up your relay.
I run a combination of IPFire (https://www.ipfire.org/) as my edge router and transparent proxy. Also use CleanBrowsing DNS (https://cleanbrowsing.org/ip-address). They have multiple levels of filtering:
* Family Filter (really strict, blocks reddit)
* Adult Filter
* Security Filter
This still isn't a replacement for talking to your kids though. Nor does it fully protect them. If I could find porn in the 80s without the internet, so can kids today.
> A cheap plastic Wi-Fi router is enough for that. But if at some point you decide that at least one person should get access to the NAS, then you need a firewall for your private network. For example IPFire on an ALIX board; with that you can control exactly who (which IP) from the WG network is allowed to access resources in your private network. This option is somewhat expensive, around 200€ depending on the hardware. But you can also learn a lot about networks that way.
Wouldn't I also have such a firewall if I, for example, put dd-wrt on a TP-Link TL-WR841N?
This is another alternative. Be aware, both pfSense and IPFire are the type of firewalls that need a bit of time/knowledge to set up. This does not mean that you must be familiar with the OSI model or anything of that nature.
What it does mean is that you get out of it what you put into it.
If you want content filtering it's probably better to go with something like IPfire on a separate computer. It has many features and greatly eases administration.
Consider the computer headless. If you don't plan on using it for anything else I'd recommend something like a NanoPI NEO over a raspberry pi any day. It's cheaper, smaller, and will do the job just as well.
What you want is a gateway. Granted the gateway can be running a proxy server.
It can be done with a raspberry pi, but I would not recommend it. If it's your first time doing something like this, or even working with Linux, you'd probably be better off simply installing something like IPFire on an old computer and seeing if you like it first. It will simplify a lot of the more complex settings and eliminate the need for terminal usage, aside from initial setup. It supports all the features you're looking for basically out of the box. If you decide you like that, then you can go ahead and switch to manually doing everything with a pi if you really want.
I'm with you -- I'm likely going to dig out one of my old SBCs and just set up a simple DHCP server on the guest wireless for now. Not elegant, but it'll get the job done.
I'm actually using IPfire for my gateway / firewall currently. I administer a massive Checkpoint appliance at my day job, so for me IPfire hits that sweet spot between simplicity and customizability. Right now I'm logging the traffic from the cams, and later this week I'm going to drop everything that isn't normal Wyze traffic. Might as well make the guest network as useless as possible to any potential intruders!
For your notes.
Very easy to set up grsec and PaX hardened Linux firewall. Clicking the checkbox downloads and installs a Tor relay. From there, you just put it inside your router's DMZ.
Probably not as heavy duty as your machine, but very easy to set up.
https://smile.amazon.com/ Adds up
Easiest and perhaps hardest relay you can build:
https://www.ipfire.org/ Click the box, and the relay is downloaded and installed automatically. Grsec and PaX hardened distro.
Take your new Tor relay, assign it a fixed address from your router, and put that address in the router's demilitarized zone (DMZ). There is literally nothing else you must do.