4. What, why ?
ī§ Internet Service Provider (ISP) deliver "BOXes" as Customer
Premises Equipment (CPE) of their network
ī§ They want their customer to plug-and-play
ī§ Those BOXes, are very cheap and locked hardware
ī§ In a word, they are poor
ī§ Don't trust the marketing song of your ISP
ī§ They work for very basic usages
ī§ They are usually not very secured
ī§ https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les-
modems-sfrnumericable
5. Why change ?
ī§ To master things from A to Z
ī§ To support more devices (IOT, domotic, servers) in your house
ī§ If you have many devices, better get rid of your box
ī§ If you need input traffic (self hosted infrastructure)
ī§ If you want to push security further (IOT ?)
ī§ If you want to load-balance with several ISP
ī§ If you want to peer with other trusted people (through VPN)
ī§ And create/manage your own Internet
ī§ If you need security (through IPSEC f.e)
8. As a reminder
ī§ Protocols are open
ī§ You should be able to change any hardware, by another (from
different brand)
ī§ As soon as it talks the same protocols, it must work
ī§ Some ISP don't follow RFCs for some protocols
ī§ That makes you have to use DPA/DPI
ī§ That makes you have to patch your stack
10. My experience, my knowledge, my shares
ī§ Actually at home...
ī§ I own several different Internet provider connections
ī§ IP failover, advanced routing scenarios, traffic shapping and QOS
ī§ Dual stack IPV4 and IPV6
ī§ Separation of input and output streams
ī§ I have several machines and wifi networks
ī§ I have no more "boxes"
ī§ I'm VPN linked with other guys doing same stuff as me
ī§ I'm hosting some public Internet services (DNS, HTTP, etc...)
12. Getting rid of your box
ī§ To trash your box, you need a modem, depending on the
technology provided.
ī§ ADSL
ī§ Then you can plug-in an ADSL modem
ī§ Cable (DOCSIS)
ī§ You may use a DOCSIS modem
ī§ Fiber ONT based
ī§ You can plug-in using RJ45 or SFP
ī§ Fiber Raw mode
ī§ You may plug-in using an SFP adapter
13. Notice
ī§ I talked about modems to manage input ISP stream, not routers
ī§ Many modem actually can/do route
ī§ Do not use their router ! !
ī§ We must use the modem just to convert the signal, into an RJ45
socket
ī§ Then, we'll plug our RJ45 RAW Internet cable, into our own
router, of our taste
ī§ Buy the "simplest" modem, if possible, with no router inside
ī§ Mind the chipset (Broadcom are good)
19. Keeping your box, at a minimum
ī§ You dont want to buy a modem ?
ī§ There is a solution of keeping your provider box
ī§ But only use it as a modem !
ī§ Disable anything else, but the modem
ī§ Especially : disable their shitty slow/unsecure poor router
ī§ This is called the "bridge mode" (L2 bridge)
20. Box as a modem : bridge mode
ī§ 2 scenarios (2018) :
ī§ Your box can be bridged (L2)
ī§ SFR/NumÊricable LaBox
ī§ Freebox
ī§ Everything is then all right
ī§ Your box cant be bridged (L2)
ī§ Others (Orange, Bouygues)
ī§ You'll need to buy a modem
ī§ Or suffer from horrible network stack (DMZ, or Double-NAT)
ī§ If fiber technology, you should use ONT or Raw SFP
21. ISP Box Conclusion
ī§ Ask to run the box as a modem, not a router (bridge mode)
ī§ If possible : you can keep your box
ī§ Free - SFR
ī§ If not possible : you must replace it by custom hardware
ī§ Orange - Btel
ī§ Dont use the box router (router mode)
ī§ Other alternative ISP exist
22. I got my Internet plug !
ī§ Bridged-box or custom modem , now , your Internet connexion
is arriving through one cable
ī§ It is time to route it and start doing some network stuff
85.2.208.135*
2a01:ca:b5ee:ed::/56*
* : example provider IP
24. Router
ī§ Pay the price : the heart of your network
ī§ Too many references on the market
ī§ Do not choose a general purpose low level brand
ī§ Linksys, tp-link, netgear, etc...
ī§ Don't blindly trust marketing
ī§ Those are not really better than ISP box
ī§ Poor hardware
ī§ Not many customization
ī§ No routing protocol management
ī§ No VPN possibilities, or weak ones
ī§ In a word : low-level entry market products (even "advanced" ones)
25. Professional router brands
ī§ Turn to professional dedicated hardware brands
ī§ Datacenter hardware is not for your usage and cost
ī§ SOHO is what you need : Small Office Home Office hardware
ī§ SOHO are not that much expensive (60âŦ to 1000âŦ)
ī§ The smallest SOHO router starts by about 60-80âŦ
ī§ 2 kinds
ī§ Open , based on Linux or Unix stacks
ī§ Ubiquiti (Debian based) ; DDWRT, Turris Omnia, others ...
ī§ Closed, based on custom OS (Unix derivated often)
ī§ Cisco's IOS , Mikrotik's RouterOS , Juniper's Junos, etc...
26. My experience
ī§ I run Mikrotik for router and wifi spot
ī§ Professional hardware
ī§ "RouterOS" is the name of the OS
ī§ Not open source
ī§ Based on Linux Kernel
ī§ Full of features, stable, maintained
ī§ Licence pricing is really good
ī§ Perfect for advanced networking at home or for small businesses
(SOHO), with a clearly reasonnable pricing
ī§ I run Ubiquiti for switch
ī§ Perfect balance in price / usage for SOHO
29. Mikrotik
ī§ https://mikrotik.com/
ī§ https://routerboard.com/
ī§ Size your needs
ī§ Prices go from 60$ to 4000$ per unit (L3 routers)
ī§ Basically, the CPU and RAM will increase the price
ī§ If you need VPN, QOS or high traffic firewalling, take care of CPU and RAM
ī§ Mind the hardware dimensions
ī§ Some are small devices, some are 1U rack sized
34. Wifi ?
ī§ Don't fear the wifi.
ī§ Wifi support will be added to our stack thanks to Access Points
(AP)
ī§ Usually better than embeded router wifi
35. Router quick tour
ī§ Every port can be wired independently
ī§ Some devices provide switch chips
ī§ Some devices provide Wifi
ī§ It's better to use dedicated hardware for such tasks
ī§ You basically tell each port what you want it to do
ī§ 1/ You create L2 and L3 links
ī§ 2/ You arrange routes
ī§ 3/ You secure everything with the integrated firewall
ī§ 4/ You control traffic bandwidth with queues and QOS
39. Dedicated switches
ī§ The problem with routers is that they are not good switches
ī§ They may do the job, but take care of not going through the
CPU for switching purposes
ī§ Tip : bridges trafic often go through CPU
ī§ Buy the right hardware for the right purpose
ī§ For full L2 switching, nothing beats switch ASICS
40. Using a dedicated switch
192.168.1.0/29
192.168.0.0/28192.168.0.0/28
93.235.6.18
VLAN
trunk
41. Even better with 802.1ad LACP
192.168.1.0/29
192.168.0.0/28192.168.0.0/28
93.235.6.18
VLAN
trunk
LACP
42. More complex setup
provider #1
provider #2
provider #1 TV stream
provider #2
SIP stream
IP cameras
computers NAS
Iots
44. RouterOS
ī§ A full Network OS
ī§ You must familiarize with it
ī§ You must have strong general networking knowledge (master OSI,
master TCP/IP and common protocols at several layers)
ī§ RouterOS supports
ī§ Firewalling - IPSEC - Routing - Switching - MPLS - VPN - Wireless - DHCP -
Hotspot - Bonding - QOS(HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS
- TFTP - PPP,ISDN - Bridging(STP/RSTP) - Telnet/SSH - Packet Sniffer - Ping
flood - traceroute - Scripting - File fetch - Trafic generator - SOCKS - ...
ī§ In short : many advanced technologies in one box
ī§ Have a look at the licencing details
45. RouterOS details
ī§ You may access RouterOS using :
ī§ Web HTTP-HTTPS access
ī§ SSH / Telnet, using command line
ī§ WinBox (Windows GUI tool)
ī§ Console port (special cable needed)
ī§ FTP-TFTP for internal storage access
ī§ An HTTP interface demo exists online
ī§ At http://demo.mt.lv
ī§ Documentation
ī§ https://wiki.mikrotik.com/wiki/Manual:TOC
49. Let's go for our first simple example
Distributing Internet at home
50. Very simple Internet sharing setup
Gigabit switch 1
WAN modem
PC1 PC2
Ethernet switch 2
(unused)
51. What we need
ī§ Isolate port 10 (eth10) from switch 2 : this is WAN
ī§ Use full switch 1 by bridging ports together
ī§ Associate a dhcp-client to eth10 (Wan) if ISP doesn't provide
fixed IP
ī§ Create an IP and network for the full switch 1 (LAN)
ī§ Let's choose 192.168.0.0/28
ī§ Let's add it a DHCP-server
ī§ Create a source NAT on eth10 for LAN traffic to be NATed over
WAN
56. Security foreword
ī§ If you want to design your own network from scratch , you are
responsible of your own security
ī§ Bad firewall configuration will lead into security breaches in
your home, from external , through the wires.
ī§ Take care
ī§ Secure your network like your secure your home
ī§ Lock doors
ī§ Take care of basement, windows and other ways to reach you
ī§ Think about everything
57. WAN security
ī§ Your WAN part is directly connected to Internet
ī§ You'll then start experiencing attacks to your external IP
ī§ You must now protect yourself
ī§ From WAN input traffic , that's the basics (IN)
ī§ From your own untrusted output traffic, that's optional (OUT)
ī§ Welcome FIREWALL
58. Firewall filter chains
ī§ Input
ī§ Traffic which dest-addr is one of your router's
ī§ Forward
ī§ Traffic flowing through your router (which dst-addr is routable and
not one of your router's)
ī§ Output
ī§ Traffic generated by the router internal OS, which src-addr will be
one of your router's
ī§ "FooBar"
ī§ You can create as many custom chains as you want
59. Firewall : main rules
ī§ One rule targets one chain (not zero, not several : one)
ī§ Input
ī§ Forward
ī§ Output
ī§ Xyzbaz : custom chain (you can add infinite custom chains)
ī§ For every chain, rules are ordered
ī§ If rule 3 breaks the chain (by DROPing for example), then rule 4 and
others won't be triggered
ī§ Rules can jump
ī§ You can say "rule 3, match packets XXXX and jump to chain ZZZZ"
ī§ You have to carefully follow the packet path into your head
ī§ Don't get lost !
60. Firewall perf
ī§ We use connection tracking firewall here
ī§ Activated by default. Can be setup (connection lifetimes)
ī§ Raw firewall is available too
ī§ If you don't organize flows the right way
ī§ You'll burn your CPU as traffic increases
ī§ Organize rules (they are ordered in lists) cleverly
ī§ The most likely to happen should come first
ī§ To some point, you'll need better hardware (CPU and RAM)
ī§ Time to upgrade then
ī§ At 1Gbps per link, that can increase very fast according to needs
62. Accept ICMP
ī§ Don't blindly block ICMP
ī§ Internet Control Message Protocol
ī§ A good engineer does not blindly block all ICMP traffic
ī§ ICMP is used to debug your router and networks
ī§ Mainly using "ping" or "traceroute"
ī§ ICMP is used to debug IP
ī§ "network unreachable", "admin prohibited", "frag. needed"
ī§ Thus ICMP helps router and OSI 4 protocols (TCP)
ī§ ICMP is mandatory to IPV6 (cant work without it)
63. Or at least, control ICMP
ī§ You may suffer from ICMP attacks
ī§ Then you may limit ICMP traffic to some rate
ī§ Or you may classify ICMP traffic
ī§ http://www.nthelp.com/icmp.html
64. Drop Invalid
ī§ Invalid packets are packets which present themselves as being
part of a non existant connection
ī§ Not seen before by con-track firewall
ī§ Basically : traffic injection attempts / attacks or replays
ī§ Or networking problems
ī§ (Advanced routing protocol could suffer from that
ī§ We don't care at our level )
65. Accept established
ī§ Established are packets from whom router knows something
ī§ Basically : this is the way-back return traffic
ī§ This rule is very useful to match the return traffic and not block it
ī§ You can blindly assume that you accept packets comming from
connections you did create or accept, right ?
ī§ This rule will as well reduce firewall CPU pressure
66. Accept forwarding
ī§ As a router, your role is to forward packets from one interface to
another
ī§ Using routing tables
ī§ Let's accept default forwarding
ī§ This is by default
ī§ But adding a rule will allow you to remember that
ī§ And to collect statistics about it
68. Firewall jail
ī§ Simple : you program the firewall so that you lock yourself out
of the box.
ī§ Like when you close your front door, with keys in the lock on the
other side
ī§ WARNING
ī§ It is easy to lock yourself out of your box
ī§ Always, keep that in mind while firewalling
69. Firewall jail example
ī§ "For every INPUT , DROP it"
ī§ You just locked yourself out !
ī§ Connection will immediately get lost
ī§ 4 solutions :
ī§ Reset your router ( pay the price ! )
ī§ Access using console port (you'll need a special console wire)
ī§ Prevent it by yourself opening a hidden door (a special port)
ī§ Use an embeded anti-lock system
ī§ Vendors usually provide anti-lock systems
ī§ Mikrotik provides two of them
70. Open a "hidden" door by yourself
ī§ Here, eth9 can be used to connect to any router IP and access
your router
ī§ This assumes you have a physical access to it
ī§ This assumes you open firewall in input using "in-interface"
match
71. Let's protect ourselves
ī§ Accept Input from trusted 192.168.0.0 network
ī§ Accept input from your fail-over interface
ī§ And deny Input from everywhere else
ī§ Reminder : Input means your router itself, not any else machine
72. Reject Ip private ranges ("bogons") on ISP outputs
ī§ Also, you may blackhole/reject private IP
routes (called "bogons")
ī§ RFC 1918 ranges and others
ī§ This may mitigate some DOS attacks and
prevent private ranges from leaking to
your ISP gateway
ī§ This is a well known network good
practice for routers
75. What we got
ī§ We got a customized router that
ī§ Gets its WAN IP using DHCP on a port connected to ISP modem
ī§ Has an IP on a LAN segment (192.168.0.14/28)
ī§ Provides a DHCP server on the LAN segment (192.168.0.0/28)
ī§ Has an src-nat masquerading rule to allow LAN to access Internet
ī§ We got a customized firewall
ī§ Allows traffic from the LAN segment and a fail-over interface
ī§ Denies traffic from everywhere else (including WAN)
ī§ Detects scan attempts on WAN interface, and ban them
ī§ Isn't it cool so far ? ;-)
78. VLANs
ī§ Virtual LANs , 802.1Q
ī§ Allow several LAN to pass through
ī§ The same switch segment (L2), same switch ports
ī§ Very useful to isolate traffics
ī§ But still keep them in the same physical cables
ī§ High security and performance
ī§ VLAN A cannot communicate with VLAN B (in L2 , but L3)
ī§ Each VLAN has its own broadcast domain
ī§ QOS possible (802.1P)
ī§ Class Of Service possible / Traffic Priorisation
79. VLAN example
ī§ Each VLAN shares the same physical switch/ports
ī§ But two VLAN cant communicate with each other at L2
VLAN200
VLAN100
80. VLAN use case example
ī§ Let's isolate our 192.168.0.0/28 network for us : private
network (untaggued)
ī§ Any unknown soul connecting will be assigned special VLAN100
ī§ Let's connect a wifi AP , distributing those 2 VLANs :
ī§ SSID "my-private-network" : untaggued
ī§ SSID "my-public-network" : taggued in VLAN100
82. AP on LAN
ī§ If you bridge your AP on LAN, it will be given an IP by your
DHCP-server
ī§ And it will serve clients on the LAN segments
ī§ Just all right
192.168.0.0/28192.168.0.0/28
WAN
83. AP with VLAN
public wifi
private wifiprivate wifi
private LANprivate LAN
WAN
85. Adding the IP
ī§ Add an IP to the router on this VLAN
ī§ Let's choose 192.168.1.14
ī§ Let's choose a network of 192.168.1.0/28
86. Adding the DHCP server
ī§ Let's add a new DHCP server so that clients connected to this
VLAN will be given some network conf
ī§ 192.168.1.1 to 192.168.1.13 (/28 network)
87. Allow VLAN to access WAN
ī§ Let's NAT it to give it Internet (WAN) access
89. Connecting to a second ISP
(multi-homing)
Advanced usage and techniques
90. Connecting to a second ISP
ī§ If our ISP goes down, we won't have Internet access any more :-
(
ī§ Why not apply to a second ISP ?
ī§ Prices are cheap nowadays, we really can afford it
ī§ Or even more ? 3 ISPs ?
92. A second default route ?
ī§ ISP == Internet access , let's add then a second default route
ī§ The route "distance" metric tells which one to use when several
routes exist for the same target
ī§ The smallest distance will be prefered
ī§ With such a setup, if one ISP goes down, the router will
automatically, and transparently route traffic to the other one
ī§ We got a fail-over setup :-)
93. Security with several ISP
ī§ Now, pirates have a second door they can fire in
ī§ A nice solution to that, is to group both ISP interfaces (eth9 and
eth10) into an interface group
ī§ And use this group into the firewall
WAN1
WAN2
95. Asymetric routing and connection stickyness
ī§ If one incoming connection (to one of our server f.e) comes
from ISP #1
ī§ We must be sure answer will leave our router back to ISP #1
ī§ If it leaves through ISP #2 , as we NAT the output, the packet will
get dropped by the destination
ī§ And that will leak our ISP #2 IP to our destination
ī§ We need sticky connections
ī§ We'll use the firewall mangle to perform that step
96. Setting up sticky connections
ī§ Mark for internal network (forward)
ī§ Mark also for router traffic (input / output)
97. Balancing traffic through ISPs
ī§ Instead of fail-over, you can also balance the output traffic
ī§ If you want to balance with no specific rule, use an ECMP route
type
ī§ You add one route, but several gateways for them
ī§ ROS will balance using an L3 balance policy
99. Children VLAN
ī§ Children at home connect to their own VLAN
ī§ Manual config, MAC fixed config or 802.1x advanced authentication
ī§ Only activate forward to Internet at fixed hours
ī§ Time for bed ? Internet "disconnects itself"
ī§ Easy to ban an IP or a MAC for some time
ī§ "Do your homework first"
ī§ L7 filter (high CPU needed)
ī§ Deny L7 keywords : "facebook" , "war", "sex"
ī§ Deny protocols : p2p, torrent, etc...
ī§ Traffic limit (Only 3Mbps down and 1 up [, from 11am to 5pm] )
ī§ L7 HTTP interception (transparent proxy) and filtering
100. QOS
ī§ Route TV VLAN and VOIP (phone) VLANs independently
ī§ QOS traffic at L2 or L3
ī§ Allocate bandwidth dynamically
ī§ Prevent IGMP Snooping broadcasts
101. Automation
ī§ Add IP Cameras or any full automation system
ī§ Isolate L2 using VLANS
ī§ Secure with 802.1X (Radius auth, auto VLAN assignment)
ī§ Route L3
ī§ Implement aggressive security for your IOT
ī§ Control everything easily , remotely
102. Ideas
ī§ For this connection, drop one packet out of XXX
ī§ Script X to be dynamic
ī§ Randomly drop packets
ī§ Blackhole IP or even AS
ī§ Deny access to whole networks at routing level
ī§ Anti DDOS useful technics
ī§ Give network access only through specific time spans
ī§ Detect attacks, block attakers, limit bandwidth with queues