Mastering your home network stack with SOHO pro hardware
Main Course
- 1) Throw away your ISP "box", use a basic modem/ONT
- 2) Buy a real hardware router
- 3) Buy your other network hardware (Wifi AP, switch, wires, adapters, etc.)
- 4) Plug in and master everything
  - VLANs (802.1Q)
  - QoS, traffic shaping, load balancing, 802.1p priority
  - Custom routing rules and routing tables, VRF, MPLS
  - VPN to external sites
  - BGP / OSPF advanced dynamic routing
  - ...
ISP CPE (Box)
What, why?
- Internet Service Providers (ISP) deliver "boxes" as the Customer Premises Equipment (CPE) of their network
- They want their customers to plug and play
- Those boxes are very cheap and locked-down hardware
  - In a word, they are poor
- Don't trust the marketing song of your ISP
  - They work for very basic usages
  - They are usually not very secure
  - https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les-modems-sfrnumericable
Why change?
- To master things from A to Z
- To support more devices (IoT, home automation, servers) in your house
  - If you have many devices, better get rid of your box
- If you need inbound traffic (self-hosted infrastructure)
- If you want to push security further (IoT?)
- If you want to load-balance across several ISPs
- If you want to peer with other trusted people (through VPN)
  - And create/manage your own Internet
- If you need security (through IPsec, for example)
In a picture (diagram slides)
As a reminder
- Protocols are open
- You should be able to replace any piece of hardware by another one (from a different brand)
  - As long as it speaks the same protocols, it must work
- Some ISPs don't follow the RFCs for some protocols
  - That forces you to use DPA/DPI
  - That forces you to patch your stack
My own experience
My experience, my knowledge, my shares
- Actually at home...
  - I own several different Internet provider connections
  - IP failover, advanced routing scenarios, traffic shaping and QoS
  - Dual stack IPv4 and IPv6
  - Separation of input and output streams
  - I have several machines and wifi networks
  - I have no more "boxes"
  - I'm VPN linked with other guys doing the same stuff as me
  - I'm hosting some public Internet services (DNS, HTTP, etc.)
Using a modem in place of your box
Getting rid of your box
- To trash your box, you need a modem matching the technology provided:
  - ADSL
    - Then you can plug in an ADSL modem
  - Cable (DOCSIS)
    - You may use a DOCSIS modem
  - Fiber, ONT based
    - You can plug in using RJ45 or SFP
  - Fiber, raw mode
    - You may plug in using an SFP adapter
Notice
- I talked about modems to handle the inbound ISP stream, not routers
- Many modems actually can/do route
  - Do not use their router!
- We must use the modem only to convert the signal into an RJ45 socket
- Then we'll plug our raw Internet RJ45 cable into our own router, of our own choosing
- Buy the "simplest" modem, if possible with no router inside
- Mind the chipset (Broadcom are good)
ADSL modem (diagram: IN / OUT)
DOCSIS modem (diagram: IN / OUT)
Fiber external ONT (diagram: IN / OUT)
Fiber, raw (diagram: fiber IN, SFP socket)
Bridging the box
Keeping your box, at a minimum
- You don't want to buy a modem?
- There is a solution: keep your provider box
  - But only use it as a modem!
  - Disable everything else but the modem
  - Especially: disable their shitty slow/insecure poor router
- This is called "bridge mode" (L2 bridge)
Box as a modem: bridge mode
- 2 scenarios (2018):
  - Your box can be bridged (L2)
    - SFR/Numéricable LaBox
    - Freebox
    - Everything is then all right
  - Your box can't be bridged (L2)
    - Others (Orange, Bouygues)
    - You'll need to buy a modem
    - Or suffer from a horrible network stack (DMZ, or double NAT)
    - If fiber technology, you should use an ONT or raw SFP
ISP Box Conclusion
- Ask to run the box as a modem, not a router (bridge mode)
- If possible: you can keep your box
  - Free - SFR
- If not possible: you must replace it by custom hardware
  - Orange - Btel
- Don't use the box router (router mode)
- Other alternative ISPs exist
I got my Internet plug!
- Bridged box or custom modem: now your Internet connection is arriving through one cable
- It is time to route it and start doing some network stuff
85.2.208.135*
2a01:ca:b5ee:ed::/56*
*: example provider IP
Router
- Pay the price: the heart of your network
- Too many references on the market
- Do not choose a general-purpose low-end brand
  - Linksys, TP-Link, Netgear, etc.
- Don't blindly trust marketing
  - Those are not really better than the ISP box
  - Poor hardware
  - Not much customization
  - No routing protocol management
  - No VPN possibilities, or weak ones
  - In a word: entry-level market products (even "advanced" ones)
Professional router brands
- Turn to professional dedicated hardware brands
  - Datacenter hardware is not for your usage and cost
  - SOHO is what you need: Small Office Home Office hardware
  - SOHO hardware is not that expensive (60€ to 1000€)
  - The smallest SOHO router starts at about 60-80€
- 2 kinds
  - Open, based on Linux or Unix stacks
    - Ubiquiti (Debian based); DD-WRT, Turris Omnia, others...
  - Closed, based on a custom OS (often Unix derived)
    - Cisco's IOS, MikroTik's RouterOS, Juniper's Junos, etc.
My experience
- I run MikroTik for router and wifi spot
  - Professional hardware
  - "RouterOS" is the name of the OS
  - Not open source
  - Based on the Linux kernel
  - Full of features, stable, maintained
  - Licence pricing is really good
  - Perfect for advanced networking at home or for small businesses (SOHO), with a clearly reasonable pricing
- I run Ubiquiti for switches
  - Perfect balance in price / usage for SOHO
Ubiquiti routers
- Ubiquiti is another brand providing Debian-based hardware
Turris Omnia router
- Again, Linux based
  - OpenWrt
MikroTik
- https://mikrotik.com/
- https://routerboard.com/
- Size your needs
  - Prices go from 60$ to 4000$ per unit (L3 routers)
  - Basically, the CPU and RAM drive the price up
  - If you need VPN, QoS or high-traffic firewalling, take care of CPU and RAM
- Mind the hardware dimensions
  - Some are small devices, some are 1U rack sized
MikroTik example routers
- https://routerboard.com/RB2011iL-IN
- ~100€
- MikroTik best starter product
MikroTik example routers
- https://routerboard.com/RB1100AHx2
- ~250€
MikroTik example routers
- https://routerboard.com/CCR1009-7G-1C-1SplusPC
- ~450€
Wifi?
- Don't fear the wifi.
- Wifi support will be added to our stack thanks to Access Points (AP)
  - Usually better than embedded router wifi
Router quick tour
- Every port can be wired independently
  - Some devices provide switch chips
  - Some devices provide Wifi
  - It's better to use dedicated hardware for such tasks
- You basically tell each port what you want it to do
  - 1/ You create L2 and L3 links
  - 2/ You arrange routes
  - 3/ You secure everything with the integrated firewall
  - 4/ You control traffic bandwidth with queues and QoS
Quick example (diagram: WAN, Servers LAN, Home LAN)
Quick example (diagram: 192.168.1.0/29, 192.168.0.0/28, WAN 93.235.6.18)
Quick example (diagram: 192.168.1.0/29, 192.168.0.0/28, WAN 93.235.6.18, VPN 192.168.1.100/32)
Dedicated switches
- The problem with routers is that they are not good switches
- They may do the job, but take care not to go through the CPU for switching purposes
  - Tip: bridged traffic often goes through the CPU
- Buy the right hardware for the right purpose
- For full L2 switching, nothing beats switch ASICs
Using a dedicated switch (diagram: 192.168.1.0/29, 192.168.0.0/28, WAN 93.235.6.18, VLAN trunk)
Even better with 802.1ad LACP (diagram: 192.168.1.0/29, 192.168.0.0/28, WAN 93.235.6.18, VLAN trunk, LACP)
More complex setup (diagram: provider #1, provider #2, provider #1 TV stream, provider #2 SIP stream, IP cameras, computers, NAS, IoTs)
RouterOS
- A full network OS
- You must familiarize yourself with it
- You must have strong general networking knowledge (master OSI, master TCP/IP and common protocols at several layers)
- RouterOS supports
  - Firewalling - IPsec - Routing - Switching - MPLS - VPN - Wireless - DHCP - Hotspot - Bonding - QoS (HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS - TFTP - PPP, ISDN - Bridging (STP/RSTP) - Telnet/SSH - Packet sniffer - Ping flood - traceroute - Scripting - File fetch - Traffic generator - SOCKS - ...
- In short: many advanced technologies in one box
- Have a look at the licensing details
RouterOS details
- You may access RouterOS using:
  - Web HTTP/HTTPS access
  - SSH / Telnet, using the command line
  - WinBox (Windows GUI tool)
  - Console port (special cable needed)
  - FTP/TFTP for internal storage access
- An HTTP interface demo exists online
  - At http://demo.mt.lv
- Documentation
  - https://wiki.mikrotik.com/wiki/Manual:TOC
RouterOS book
WinBox GUI
Let's go for our first simple example
Distributing Internet at home
Very simple Internet sharing setup (diagram: WAN modem -> Gigabit switch 1 -> PC1, PC2; Ethernet switch 2 unused)
What we need
- Isolate port 10 (eth10) from switch 2: this is WAN
- Use the full switch 1 by bridging its ports together
- Associate a DHCP client to eth10 (WAN) if the ISP doesn't provide a fixed IP
- Create an IP and a network for the full switch 1 (LAN)
  - Let's choose 192.168.0.0/28
  - Let's add a DHCP server to it
- Create a source NAT on eth10 so that LAN traffic gets NATed over WAN
GO
We have a simple setup :-)
(diagram: DHCP client on WAN, 98.2.245.78; router LAN address 192.168.0.14, network 192.168.0.0/28; DHCP server handing out 192.168.0.1, 192.168.0.2; NAT masquerade)
Routing table:
0.0.0.0/0 -> 98.2.245.1
98.2.245.0/24 -> eth10
192.168.0.0/28 -> switch1
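The "What we need" steps above, typed at the RouterOS CLI. This is an added example, not a configuration from the slides; the port names (ether1 to ether5 for switch 1, ether10 for WAN) and the bridge, pool and server names are assumptions.

```routeros
# Added example (not from the slides): the simple Internet sharing setup.
# Assumed port names: ether1-ether5 are the "switch 1" ports, ether10 is WAN.

# 1. Bridge the switch-1 ports together: this bridge is the LAN segment
/interface bridge add name=bridge-lan comment="switch 1 ports"
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
# ether10 is deliberately left out of any bridge: it is the WAN port

# 2. Take the WAN address from the ISP over DHCP. add-default-route installs
#    the 0.0.0.0/0 -> 98.2.245.1 entry shown in the routing table above.
/ip dhcp-client add interface=ether10 add-default-route=yes use-peer-dns=yes disabled=no

# 3. Router address on the LAN: 192.168.0.14 inside 192.168.0.0/28
/ip address add address=192.168.0.14/28 interface=bridge-lan comment="LAN"

# 4. DHCP server handing the rest of the /28 to the PCs. The router is
#    also given as DNS server, so it must answer DNS queries from the LAN.
/ip pool add name=pool-lan ranges=192.168.0.1-192.168.0.13
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server network add address=192.168.0.0/28 gateway=192.168.0.14 dns-server=192.168.0.14
/ip dns set allow-remote-requests=yes

# 5. Source NAT: LAN sources are rewritten to the WAN address on the way out
/ip firewall nat add chain=srcnat out-interface=ether10 action=masquerade comment="LAN -> WAN"

# Checks: routes and NAT should now match the diagram
/ip route print
/ip firewall nat print
/ip dhcp-server lease print
```

One thing to keep in mind with this minimal setup: `allow-remote-requests=yes` makes the router answer DNS on every interface, WAN included, until an input-chain firewall drops unsolicited WAN traffic. That is exactly the job of the firewall rules that the SECURITY part of the deck builds next, so do not leave the router in this state for long.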
Linux utilities and network debugging tools
- mtr
- ipcalc
- iperf
- nmap
- ethtool
- And of course:
  - tcpdump / wireshark
  - switch port mirroring
  - TZSP
SECURITY
Security foreword
- If you want to design your own network from scratch, you are responsible for your own security
- A bad firewall configuration will lead to security breaches in your home, from outside, through the wires.
- Take care
- Secure your network like you secure your home
  - Lock doors
  - Take care of the basement, windows and other ways to reach you
  - Think about everything
WAN security
- Your WAN side is directly connected to the Internet
- You'll then start experiencing attacks on your external IP
- You must now protect yourself
  - From WAN inbound traffic, that's the basics (IN)
  - From your own untrusted outbound traffic, that's optional (OUT)
- Welcome FIREWALL
Firewall filter chains
- Input
  - Traffic whose dst-addr is one of your router's own addresses
- Forward
  - Traffic flowing through your router (whose dst-addr is routable and not one of your router's)
- Output
  - Traffic generated by the router's own OS, whose src-addr will be one of your router's
- "FooBar"
  - You can create as many custom chains as you want
Firewall: main rules
- One rule targets one chain (not zero, not several: one)
  - Input
  - Forward
  - Output
  - Xyzbaz: custom chain (you can add as many custom chains as you want)
- For every chain, rules are ordered
  - If rule 3 ends the chain (by DROPping, for example), then rule 4 and the following ones won't be evaluated
- Rules can jump
  - You can say "rule 3, match packets XXXX and jump to chain ZZZZ"
- You have to carefully follow the packet path in your head
  - Don't get lost!
Firewall perf
- We use a connection tracking firewall here
  - Activated by default. Can be tuned (connection lifetimes)
  - A raw firewall is available too
- If you don't organize flows the right way
  - You'll burn your CPU as traffic increases
- Organize rules (they are ordered lists) cleverly
  - The most likely to match should come first
- At some point, you'll need better hardware (CPU and RAM)
  - Time to upgrade then
  - At 1Gbps per link, that can increase very fast depending on needs
Let's add our firewall rules
Accept ICMP
- Don't blindly block ICMP
  - Internet Control Message Protocol
  - A good engineer does not blindly block all ICMP traffic
- ICMP is used to debug your router and networks
  - Mainly using "ping" or "traceroute"
- ICMP is used to debug IP
  - "network unreachable", "admin prohibited", "frag. needed"
  - Thus ICMP helps the router and OSI layer 4 protocols (TCP)
- ICMP is mandatory for IPv6 (it can't work without it)
Or at least, control ICMP
- You may suffer from ICMP attacks
  - Then you may limit ICMP traffic to some rate
  - Or you may classify ICMP traffic
- http://www.nthelp.com/icmp.html
Drop Invalid
- Invalid packets are packets which present themselves as being part of a non-existent connection
  - Never seen before by the conntrack firewall
  - Basically: traffic injection attempts / attacks or replays
  - Or networking problems
  - (Advanced routing protocols could suffer from that
  - We don't care at our level)
Accept established
- Established packets are packets the router already knows something about
  - Basically: this is the return traffic on the way back
- This rule is very useful to match the return traffic and not block it
  - You can blindly assume that you accept packets coming from connections you did create or accept, right?
- This rule will also reduce firewall CPU pressure
Accept forwarding
- As a router, your role is to forward packets from one interface to another
  - Using routing tables
- Let's accept default forwarding
  - This is the default
  - But adding a rule will allow you to remember that
  - And to collect statistics about it
Firewall jail
- Simple: you program the firewall so that you lock yourself out of the box.
- Like when you close your front door, with the keys in the lock on the other side
- WARNING
  - It is easy to lock yourself out of your box
  - Always keep that in mind while firewalling
Firewall jail example
- "For every INPUT, DROP it"
- You just locked yourself out!
  - The connection will immediately get lost
- 4 solutions:
  - Reset your router (pay the price!)
  - Access using the console port (you'll need a special console cable)
  - Prevent it yourself by opening a hidden door (a special port)
  - Use an embedded anti-lock system
    - Vendors usually provide anti-lock systems
    - MikroTik provides two of them
Open a "hidden" door by yourself
- Here, eth9 can be used to connect to any router IP and access your router
- This assumes you have physical access to it
- This assumes you open the firewall input using an "in-interface" match
Let's protect ourselves
- Accept Input from the trusted 192.168.0.0 network
- Accept Input from your fail-over interface
- And deny Input from everywhere else
- Reminder: Input means your router itself, not any other machine
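The input chain the firewall slides describe, written out in the order in which it must be evaluated, with the "firewall jail" rule shown first as the mistake to avoid. This is an added example, not the deck's own configuration; it assumes ether10 is WAN, ether9 the physical "hidden door" named on the slide, ether8 the fail-over interface and bridge-lan the 192.168.0.0/28 LAN.

```routeros
# Added example (not from the slides): the router's input chain.
# Assumed names: ether10 = WAN, ether9 = rescue port, ether8 = fail-over
# interface, bridge-lan = the 192.168.0.0/28 LAN.

# --- The firewall jail. This single rule, added first, drops everything
# --- addressed to the router, including the SSH/WinBox session typing it.
#/ip firewall filter add chain=input action=drop
# --- Correct order below: every accept comes before the final drop.

# 1. Return traffic of connections we created or accepted, then invalid junk.
#    established/related first also keeps CPU pressure low: most packets
#    match here and never reach the rules below.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="return traffic"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="not part of any tracked connection"

# 2. ICMP: accepted, but rate limited (5 packets/s, burst of 10), so a flood
#    costs little CPU while ping, traceroute and PMTU discovery keep working.
/ip firewall filter add chain=input protocol=icmp limit=5,10:packet action=accept comment="controlled ICMP"
/ip firewall filter add chain=input protocol=icmp action=drop comment="ICMP above the rate"

# 3. The hidden door: whatever the rest of the chain does, a cable plugged
#    into ether9 always reaches the router (physical access assumed).
/ip firewall filter add chain=input in-interface=ether9 action=accept comment="rescue port"

# 4. Trusted LAN, then the fail-over interface
/ip firewall filter add chain=input in-interface=bridge-lan src-address=192.168.0.0/28 action=accept comment="trusted LAN"
/ip firewall filter add chain=input in-interface=ether8 action=accept comment="fail-over interface"

# 5. Detection on WAN: a source probing many ports is listed for a day.
#    Listed sources are dropped before the detector runs again.
/ip firewall filter add chain=input in-interface=ether10 src-address-list=port-scanners action=drop comment="banned scanners"
/ip firewall filter add chain=input in-interface=ether10 protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port-scanners address-list-timeout=1d comment="detect port scans"

# 6. Everything else addressed to the router, WAN included, is dropped.
/ip firewall filter add chain=input action=drop comment="default deny"

# 7. Forward: explicit accept, so the counters show what is being routed
/ip firewall filter add chain=forward action=accept comment="routing counters"

# Checks: the default deny must be the last input rule, and the
# port-scanners list fills up on its own once the WAN is exposed
/ip firewall filter print stats
/ip firewall address-list print where list=port-scanners
```

Two practical notes. Rules are appended in the order they are entered, so the whole block has to be typed in this order on a router that still has an empty input chain; on a router that already has rules, use `place-before=` on `add` or `/ip firewall filter move` to put new accepts ahead of the default deny. And RouterOS has a Safe Mode (Ctrl+X at the CLI, or the Safe Mode button in WinBox) that reverts every change made since it was entered if the session is lost, which makes the "lock yourself out" experiment above a reversible one.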
Reject IP private ranges ("bogons") on ISP outputs
- Also, you may blackhole/reject private IP routes (called "bogons")
  - RFC 1918 ranges and others
- This may mitigate some DoS attacks and prevent private ranges from leaking to your ISP gateway
- This is a well-known network good practice for routers
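The bogon handling above, as an added example (not a configuration from the slides): an address list of non-routable ranges, dropped inbound on the WAN before connection tracking and outbound towards the ISP, plus blackhole routes for the RFC 1918 ranges. ether10 as the WAN port is an assumption; the list itself is the usual static bogon set.

```routeros
# Added example (not from the slides): keep non-routable ranges from
# crossing the WAN in either direction. Assumed WAN port: ether10.
/ip firewall address-list add list=bogons address=0.0.0.0/8 comment="this network"
/ip firewall address-list add list=bogons address=10.0.0.0/8 comment="RFC 1918"
/ip firewall address-list add list=bogons address=100.64.0.0/10 comment="CGNAT, RFC 6598"
/ip firewall address-list add list=bogons address=127.0.0.0/8 comment="loopback"
/ip firewall address-list add list=bogons address=169.254.0.0/16 comment="link local"
/ip firewall address-list add list=bogons address=172.16.0.0/12 comment="RFC 1918"
/ip firewall address-list add list=bogons address=192.0.2.0/24 comment="TEST-NET-1"
/ip firewall address-list add list=bogons address=192.168.0.0/16 comment="RFC 1918"
/ip firewall address-list add list=bogons address=240.0.0.0/4 comment="reserved"

# Inbound: a packet arriving from the Internet with a private source is
# spoofed or misrouted. It is dropped in the raw table, before connection
# tracking, so a flood of such packets costs almost nothing.
/ip firewall raw add chain=prerouting in-interface=ether10 src-address-list=bogons action=drop comment="spoofed source from WAN"

# Outbound: nothing destined to a private range may leave through the ISP
/ip firewall filter add chain=forward out-interface=ether10 dst-address-list=bogons action=drop comment="no private range leaks to the ISP"

# Routing level: without these, a packet for an unknown private subnet
# follows the default route to the ISP. Our own 192.168.0.0/28 is a
# connected route, which is more specific and therefore still wins.
/ip route add dst-address=10.0.0.0/8 type=blackhole comment="bogon"
/ip route add dst-address=172.16.0.0/12 type=blackhole comment="bogon"
/ip route add dst-address=192.168.0.0/16 type=blackhole comment="bogon"

# Check: the raw rule's counter shows how much spoofed traffic reaches the WAN
/ip firewall raw print stats
```

Two entries in that list deserve a second look before you paste it: if the ISP hands out a CGNAT address (100.64.0.0/10) on the WAN port, or uses a private range for its own gateway, that line must go, and the multicast range 224.0.0.0/4 is deliberately absent because provider TV streams (the "TV stream" in the complex setup diagram) may arrive as multicast on the WAN.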
We are done :-)
Break, zoom out
What we got
- We got a customized router that
  - Gets its WAN IP using DHCP on a port connected to the ISP modem
  - Has an IP on a LAN segment (192.168.0.14/28)
  - Provides a DHCP server on the LAN segment (192.168.0.0/28)
  - Has a src-nat masquerading rule to allow the LAN to access the Internet
- We got a customized firewall that
  - Allows traffic from the LAN segment and a fail-over interface
  - Denies traffic from everywhere else (including WAN)
  - Detects scan attempts on the WAN interface, and bans them
- Isn't it cool so far? ;-)
Advanced usage and techniques: Wifi and VLANs
VLANs
- Virtual LANs, 802.1Q
- Allow several LANs to pass through
  - The same switch segment (L2), the same switch ports
- Very useful to isolate traffic
  - But still keep it in the same physical cables
- High security and performance
  - VLAN A cannot communicate with VLAN B (not at L2, only through L3)
  - Each VLAN has its own broadcast domain
- QoS possible (802.1p)
  - Class of Service possible / traffic prioritization
VLAN example
- Each VLAN shares the same physical switch/ports
- But two VLANs can't communicate with each other at L2
(diagram: VLAN200, VLAN100)
VLAN use case example
- Let's isolate our 192.168.0.0/28 network for us: private network (untagged)
- Any unknown soul connecting will be assigned the special VLAN100
- Let's connect a wifi AP distributing those 2 VLANs:
  - SSID "my-private-network": untagged
  - SSID "my-public-network": tagged in VLAN100
Wifi with VLAN (diagram: VPN, LAN, WAN, untrusted input, NAT, VLAN 100)
AP on LAN
- If you bridge your AP on the LAN, it will be given an IP by your DHCP server
- And it will serve clients on the LAN segment
- Just all right
(diagram: 192.168.0.0/28, WAN)
AP with VLAN (diagram: public wifi, private wifi, private LAN, WAN)
Adding the VLAN
- Add a new VLAN on our bridge
  - VLAN ID = 100
Adding the IP
- Add an IP to the router on this VLAN
  - Let's choose 192.168.1.14
  - Let's choose a network of 192.168.1.0/28
Adding the DHCP server
- Let's add a new DHCP server so that clients connected to this VLAN will be given some network configuration
  - 192.168.1.1 to 192.168.1.13 (/28 network)
Allow VLAN to access WAN
- Let's NAT it to give it Internet (WAN) access
Et voilà
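The four VLAN steps above carried through on the CLI, as an added example that is not part of the deck, with the forward rules that actually keep the public SSID away from the private LAN. The interface names (bridge-lan for the untagged LAN bridge, ether10 for WAN) and the pool and server names are assumptions.

```routeros
# Added example (not from the slides): guest VLAN 100 on the LAN bridge.
# Assumed names: bridge-lan = untagged private LAN, ether10 = WAN.

# 1. VLAN 100 on top of the bridge: frames tagged 100 by the AP's
#    "my-public-network" SSID land here, untagged ones stay on bridge-lan
/interface vlan add name=vlan100-guest vlan-id=100 interface=bridge-lan

# 2. Router address and DHCP for the guests: 192.168.1.0/28
/ip address add address=192.168.1.14/28 interface=vlan100-guest comment="guest VLAN"
/ip pool add name=pool-guest ranges=192.168.1.1-192.168.1.13
/ip dhcp-server add name=dhcp-guest interface=vlan100-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=192.168.1.0/28 gateway=192.168.1.14 dns-server=192.168.1.14

# 3. NAT: guests reach the Internet through a WAN masquerade of their own
/ip firewall nat add chain=srcnat src-address=192.168.1.0/28 out-interface=ether10 action=masquerade comment="guest -> WAN"

# 4. Isolation. 802.1Q separates the two VLANs at L2, but this router has
#    an address in both, so without these rules it would happily route
#    guest -> private LAN at L3. They must sit ahead of any generic
#    "chain=forward action=accept" rule.
/ip firewall filter add chain=forward in-interface=vlan100-guest out-interface=bridge-lan action=drop comment="guest may not reach the private LAN"
/ip firewall filter add chain=forward in-interface=vlan100-guest out-interface=ether10 action=accept comment="guest -> Internet only"
/ip firewall filter add chain=forward in-interface=vlan100-guest action=drop comment="guest -> anything else (VPN, other VLANs)"

# 5. Input from the guest VLAN: only what a client needs from the router
#    (DHCP and DNS), nothing else, ahead of the input chain's final drop
/ip firewall filter add chain=input in-interface=vlan100-guest protocol=udp dst-port=67 action=accept comment="guest DHCP"
/ip firewall filter add chain=input in-interface=vlan100-guest protocol=udp dst-port=53 action=accept comment="guest DNS"
/ip firewall filter add chain=input in-interface=vlan100-guest action=drop comment="no management access from guests"

# Check: a guest client must receive a 192.168.1.x lease and must not be
# able to reach 192.168.0.14 or any 192.168.0.x host
/ip dhcp-server lease print where server=dhcp-guest
/ip firewall filter print stats where in-interface=vlan100-guest
```

The rules of step 4 and 5 are the security-relevant part: the VLAN alone only gives you two broadcast domains, and it is the router's forward chain that turns "different VLAN" into "cannot reach the private LAN". On a router that already has the generic forward accept from the firewall section, add these with `place-before=` or move them above it, otherwise they never match.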
Connecting to a second ISP (multi-homing)
Advanced usage and techniques
Connecting to a second ISP
- If our ISP goes down, we won't have Internet access any more :-(
- Why not subscribe to a second ISP?
  - Prices are cheap nowadays, we really can afford it
- Or even more? 3 ISPs?
A second ISP (diagram: LAN, WAN1, NAT, VLAN 100, LAN, WAN2)
A second default route?
- ISP == Internet access, so let's add a second default route
- The route "distance" metric tells which one to use when several routes exist for the same target
  - The smallest distance is preferred
- With such a setup, if one ISP goes down, the router will automatically and transparently route traffic to the other one
- We got a fail-over setup :-)
Security with several ISPs
- Now, pirates have a second door they can fire at
- A nice solution to that is to group both ISP interfaces (eth9 and eth10) into an interface group
  - And use this group in the firewall
(diagram: WAN1, WAN2)
Wait....
- Our setup actually has a big problem...
Asymmetric routing and connection stickiness
- If one incoming connection (to one of our servers, for example) comes in from ISP #1
  - We must be sure the answer will leave our router back through ISP #1
- If it leaves through ISP #2, as we NAT the output, the packet will get dropped by the destination
  - And that will leak our ISP #2 IP to our destination
- We need sticky connections
  - We'll use the firewall mangle to perform that step
Setting up sticky connections
- Mark for the internal network (forward)
- Mark also for router traffic (input / output)
Balancing traffic through ISPs
- Instead of fail-over, you can also balance the outbound traffic
- If you want to balance with no specific rule, use an ECMP route type
  - You add one route, but several gateways for it
  - ROS will balance using an L3 balancing policy
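The whole multi-homing sequence above (two default routes with distances, one interface list for the firewall, sticky connections through mangle marks, and ECMP as the balancing alternative), as an added example rather than the deck's own configuration. Port names follow the slide (ether10 = WAN1, ether9 = WAN2); 98.2.245.1 is the WAN1 gateway from the routing table slide, 85.2.208.1 as the WAN2 gateway is a constructed value, and the mark names are assumptions.

```routeros
# Added example (not from the slides): fail-over, shared WAN firewall
# list and sticky connections for two ISPs. Assumed: ether10 = WAN1
# (gateway 98.2.245.1), ether9 = WAN2 (gateway 85.2.208.1, constructed).

# 1. Two default routes: the smaller distance wins. check-gateway=ping
#    marks a route unreachable when its gateway stops answering; that is
#    what makes the fail-over to distance 2 happen automatically.
/ip route add dst-address=0.0.0.0/0 gateway=98.2.245.1 distance=1 check-gateway=ping comment="WAN1, preferred"
/ip route add dst-address=0.0.0.0/0 gateway=85.2.208.1 distance=2 check-gateway=ping comment="WAN2, fail-over"

# 2. NAT on both exits
/ip firewall nat add chain=srcnat out-interface=ether10 action=masquerade comment="via WAN1"
/ip firewall nat add chain=srcnat out-interface=ether9 action=masquerade comment="via WAN2"

# 3. One interface list for both doors. Firewall rules reference the list,
#    so adding ISP #3 later is one member line, not a forgotten port.
/interface list add name=WAN
/interface list member add list=WAN interface=ether10
/interface list member add list=WAN interface=ether9
/ip firewall filter add chain=input in-interface-list=WAN connection-state=new action=drop comment="no new connections from any ISP"

# 4. Sticky connections. Remember which ISP a connection came in on, and
#    route its replies out of that same ISP; otherwise the answer leaves
#    through the other ISP, with the wrong source address, and is dropped.
/ip firewall mangle add chain=prerouting in-interface=ether10 connection-state=new action=mark-connection new-connection-mark=from-wan1 passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=ether9 connection-state=new action=mark-connection new-connection-mark=from-wan2 passthrough=yes
# replies forwarded from LAN servers (forward path)
/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=from-wan1 action=mark-routing new-routing-mark=to-wan1 passthrough=no
/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=from-wan2 action=mark-routing new-routing-mark=to-wan2 passthrough=no
# replies generated by the router itself (output path)
/ip firewall mangle add chain=output connection-mark=from-wan1 action=mark-routing new-routing-mark=to-wan1 passthrough=no
/ip firewall mangle add chain=output connection-mark=from-wan2 action=mark-routing new-routing-mark=to-wan2 passthrough=no
# the routing tables those marks select
/ip route add dst-address=0.0.0.0/0 gateway=98.2.245.1 routing-mark=to-wan1 comment="replies back to WAN1"
/ip route add dst-address=0.0.0.0/0 gateway=85.2.208.1 routing-mark=to-wan2 comment="replies back to WAN2"

# 5. Balancing instead of fail-over: one ECMP route with both gateways,
#    spread per source/destination pair. Use it INSTEAD of the two routes
#    of step 1 (they would tie on distance); the sticky marks still apply.
#/ip route add dst-address=0.0.0.0/0 gateway=98.2.245.1,85.2.208.1 check-gateway=ping

# Checks: which ISP each tracked connection belongs to, and which
# default route is currently active
/ip firewall connection print where connection-mark=from-wan2
/ip route print where dst-address=0.0.0.0/0
```

The mark-connection rules only fire on `connection-state=new`, so a connection is classified once, on its first packet; every later packet inherits the connection mark from conntrack, which is both cheaper and the reason the sticky behaviour survives the fail-over switching the default route underneath it.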
RouterOS: other ideas and scenarios
Children VLAN
- Children at home connect to their own VLAN
  - Manual config, MAC-fixed config or 802.1X advanced authentication
- Only activate forwarding to the Internet at fixed hours
  - Time for bed? Internet "disconnects itself"
- Easy to ban an IP or a MAC for some time
  - "Do your homework first"
- L7 filter (high CPU needed)
  - Deny L7 keywords: "facebook", "war", "sex"
  - Deny protocols: p2p, torrent, etc.
- Traffic limit (only 3Mbps down and 1 up [, from 11am to 5pm])
- L7 HTTP interception (transparent proxy) and filtering
QoS
- Route the TV VLAN and VoIP (phone) VLANs independently
- QoS traffic at L2 or L3
- Allocate bandwidth dynamically
- Prevent IGMP snooping broadcasts
Automation
- Add IP cameras or any full automation system
  - Isolate L2 using VLANs
  - Secure with 802.1X (RADIUS auth, auto VLAN assignment)
  - Route L3
  - Implement aggressive security for your IoT
  - Control everything easily, remotely
Ideas
- For this connection, drop one packet out of XXX
  - Script X to be dynamic
  - Randomly drop packets
- Blackhole IPs or even ASes
  - Deny access to whole networks at routing level
  - Useful anti-DDoS techniques
- Give network access only through specific time spans
- Detect attacks, block attackers, limit bandwidth with queues
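The "Children VLAN" and "Ideas" slides above turned into rules, as an added example that is not part of the deck: timed forwarding, a temporary ban by address list, a bandwidth cap with a simple queue, a per-host connection limit and random packet loss. The VLAN name vlan200-kids, its 192.168.2.0/28 subnet, the host addresses and the bedtime window are assumptions; the VLAN, address and DHCP part is the same as for the guest VLAN and is not repeated.

```routeros
# Added example (not from the slides): children's VLAN scenarios.
# Assumed: vlan200-kids carries 192.168.2.0/28; 192.168.2.5 is one kid's PC.

# 1. Bedtime: forwarding from the kids' VLAN is dropped between 21:00 and
#    07:00. A RouterOS time range must not cross midnight, hence two rules.
#    Keep them ahead of any generic "chain=forward action=accept".
/ip firewall filter add chain=forward in-interface=vlan200-kids time=21:00:00-23:59:59,sun,mon,tue,wed,thu,fri,sat action=drop comment="kids: bedtime (evening)"
/ip firewall filter add chain=forward in-interface=vlan200-kids time=00:00:00-07:00:00,sun,mon,tue,wed,thu,fri,sat action=drop comment="kids: bedtime (night)"

# 2. "Do your homework first": a temporary ban through an address list.
#    The entry expires on its own after 2h, nothing to remember to undo.
/ip firewall address-list add list=grounded address=192.168.2.5 timeout=2h comment="kids: homework first"
/ip firewall filter add chain=forward src-address-list=grounded action=drop comment="kids: temporarily banned"
# the same by MAC address, for a device that changes IP (enable when needed)
/ip firewall filter add chain=forward src-mac-address=AA:BB:CC:DD:EE:FF action=drop disabled=yes comment="kids: MAC ban (MAC is a placeholder)"

# 3. Bandwidth cap for the whole kids' subnet: 1M up / 3M down
/queue simple add name=kids target=192.168.2.0/28 max-limit=1M/3M comment="kids: 1M up, 3M down"

# 4. No single kids' host may hold more than 20 connections at once
#    (connection-limit counts per /32 source): a cheap brake on p2p and
#    on anything misbehaving, without any L7 inspection
/ip firewall filter add chain=forward in-interface=vlan200-kids connection-state=new connection-limit=20,32 action=drop comment="kids: too many connections per host"

# 5. "Drop one packet out of N": random loss on one host's traffic, to see
#    how an application copes with a bad link (enable only while testing)
/ip firewall filter add chain=forward src-address=192.168.2.5 random=10 action=drop disabled=yes comment="kids: ~10% packet loss for testing"

# Checks: time rules show as active or inactive, the ban disappears from
# the list by itself after its timeout
/ip firewall filter print where comment~"kids"
/ip firewall address-list print where list=grounded
```

Everything in this block is done with connection tracking matchers, queues and address lists, which the router handles cheaply; the L7 keyword and protocol filters mentioned on the slide do the same kind of thing by inspecting payloads and are the part that, as the slide says, costs real CPU.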
Thank you for listening

 
PHP 7 new engine
PHP 7 new enginePHP 7 new engine
PHP 7 new engine
 
Php7 extensions workshop
Php7 extensions workshopPhp7 extensions workshop
Php7 extensions workshop
 
Profiling php5 to php7
Profiling php5 to php7Profiling php5 to php7
Profiling php5 to php7
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5
 
PHP7 is coming
PHP7 is comingPHP7 is coming
PHP7 is coming
 
Mysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extensionMysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extension
 
Php extensions workshop
Php extensions workshopPhp extensions workshop
Php extensions workshop
 
Understanding PHP objects
Understanding PHP objectsUnderstanding PHP objects
Understanding PHP objects
 
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13PHP Tips for certification - OdW13
PHP Tips for certification - OdW13
 
PHP5.5 is Here
PHP5.5 is HerePHP5.5 is Here
PHP5.5 is Here
 

Recently uploaded

VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Deliverybabeytanya
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 

Recently uploaded (20)

VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤ī¸ 9920874524 👈 Cash on Delivery
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi đŸ’¯Call Us 🔝8264348440🔝
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸĢĻ Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸĢĻ Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸĢĻ Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸĢĻ Vanshika Verma More Our Se...
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 

Mastering your home network - Do It Yourself

  • 1. Mastering your home network stack with SOHO pro hardware
  • 2. Main Course
    ▪ 1°) Throw away your ISP "box", use a basic modem/ONT
    ▪ 2°) Buy a real hardware router
    ▪ 3°) Buy your other network hardware (Wifi AP, switch, wires, adapters, etc.)
    ▪ 4°) Plug in and master everything
      ▪ VLANs (802.1q)
      ▪ QOS, traffic shaping, load balancing, 802.1p priority
      ▪ Custom routing rules and routing tables, VRF, MPLS
      ▪ VPN to external sites
      ▪ BGP / OSPF advanced dynamic routing
      ▪ ...
  • 4. What, why?
    ▪ Internet Service Providers (ISP) deliver "BOXes" as the Customer Premises Equipment (CPE) of their network
    ▪ They want their customers to plug and play
    ▪ Those BOXes are very cheap, locked hardware
    ▪ In a word, they are poor
    ▪ Don't trust the marketing song of your ISP
    ▪ They work for very basic usages
    ▪ They are usually not very secure
    ▪ https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les-modems-sfrnumericable
  • 5. Why change?
    ▪ To master things from A to Z
    ▪ To support more devices (IoT, home automation, servers) in your house
    ▪ If you have many devices, better get rid of your box
    ▪ If you need inbound traffic (self-hosted infrastructure)
    ▪ If you want to push security further (IoT?)
    ▪ If you want to load-balance across several ISPs
    ▪ If you want to peer with other trusted people (through VPN)
      ▪ And create/manage your own Internet
    ▪ If you need security (through IPsec, for example)
  • 8. As a reminder
    ▪ Protocols are open
    ▪ You should be able to replace any piece of hardware with another (from a different brand)
    ▪ As long as it speaks the same protocols, it must work
    ▪ Some ISPs don't follow the RFCs for some protocols
      ▪ That forces you to use DPA/DPI
      ▪ That forces you to patch your stack
  • 10. My experience, my knowledge, my shares
    ▪ Currently at home...
    ▪ I own several different Internet provider connections
    ▪ IP failover, advanced routing scenarios, traffic shaping and QOS
    ▪ Dual stack IPv4 and IPv6
    ▪ Separation of inbound and outbound streams
    ▪ I have several machines and wifi networks
    ▪ I have no more "boxes"
    ▪ I'm VPN-linked with other guys doing the same stuff as me
    ▪ I'm hosting some public Internet services (DNS, HTTP, etc.)
  • 11. Using a modem in place of your box
  • 12. Getting rid of your box
    ▪ To trash your box, you need a modem, depending on the technology provided
    ▪ ADSL
      ▪ Then you can plug in an ADSL modem
    ▪ Cable (DOCSIS)
      ▪ You may use a DOCSIS modem
    ▪ Fiber, ONT based
      ▪ You can plug in using RJ45 or SFP
    ▪ Fiber, raw mode
      ▪ You may plug in using an SFP adapter
  • 13. Notice
    ▪ I talked about modems to manage the incoming ISP stream, not routers
    ▪ Many modems actually can/do route
    ▪ Do not use their router!
    ▪ We must use the modem just to convert the signal into an RJ45 socket
    ▪ Then we'll plug our raw RJ45 Internet cable into our own router, of our taste
    ▪ Buy the "simplest" modem, if possible with no router inside
    ▪ Mind the chipset (Broadcom are good)
  • 19. Keeping your box, at a minimum
    ▪ You don't want to buy a modem?
    ▪ There is a solution: keep your provider box
      ▪ But only use it as a modem!
      ▪ Disable anything else but the modem
      ▪ Especially: disable their shitty slow/insecure poor router
    ▪ This is called the "bridge mode" (L2 bridge)
  • 20. Box as a modem: bridge mode
    ▪ 2 scenarios (2018):
    ▪ Your box can be bridged (L2)
      ▪ SFR/Numéricable LaBox
      ▪ Freebox
      ▪ Everything is then all right
    ▪ Your box can't be bridged (L2)
      ▪ Others (Orange, Bouygues)
      ▪ You'll need to buy a modem
      ▪ Or suffer from a horrible network stack (DMZ, or double NAT)
      ▪ If fiber technology, you should use an ONT or raw SFP
  • 21. ISP Box Conclusion
    ▪ Ask to run the box as a modem, not a router (bridge mode)
    ▪ If possible: you can keep your box
      ▪ Free - SFR
    ▪ If not possible: you must replace it with custom hardware
      ▪ Orange - Btel
    ▪ Don't use the box router (router mode)
    ▪ Other alternative ISPs exist
  • 22. I got my Internet plug!
    ▪ Bridged box or custom modem, now your Internet connection is arriving through one cable
    ▪ It is time to route it and start doing some network stuff
    ▪ [diagram: 85.2.208.135 / 2a01:ca:b5ee:ed::/56 (example provider IPs)]
  • 24. Router
    ▪ Pay the price: the heart of your network
    ▪ Too many references on the market
    ▪ Do not choose a general-purpose low-end brand
      ▪ Linksys, TP-Link, Netgear, etc.
    ▪ Don't blindly trust marketing
    ▪ Those are not really better than the ISP box
      ▪ Poor hardware
      ▪ Not much customization
      ▪ No routing protocol management
      ▪ No VPN possibilities, or weak ones
    ▪ In a word: low-end entry-market products (even "advanced" ones)
  • 25. Professional router brands
    ▪ Turn to professional dedicated hardware brands
    ▪ Datacenter hardware is not for your usage and cost
    ▪ SOHO is what you need: Small Office Home Office hardware
    ▪ SOHO gear is not that expensive (60€ to 1000€)
      ▪ The smallest SOHO router starts at about 60-80€
    ▪ 2 kinds
      ▪ Open, based on Linux or Unix stacks
        ▪ Ubiquiti (Debian based); DD-WRT, Turris Omnia, others...
      ▪ Closed, based on a custom OS (often Unix-derived)
        ▪ Cisco's IOS, Mikrotik's RouterOS, Juniper's Junos, etc.
  • 26. My experience
    ▪ I run Mikrotik for router and wifi spot
      ▪ Professional hardware
      ▪ "RouterOS" is the name of the OS
        ▪ Not open source
        ▪ Based on the Linux kernel
        ▪ Full of features, stable, maintained
        ▪ Licence pricing is really good
      ▪ Perfect for advanced networking at home or for small businesses (SOHO), with a clearly reasonable pricing
    ▪ I run Ubiquiti for switch
      ▪ Perfect balance in price / usage for SOHO
  • 27. Ubiquiti routers
    ▪ Ubiquiti is another brand providing Debian-based hardware
  • 28. Turris Omnia router
    ▪ Again, Linux based
    ▪ OpenWRT
  • 29. Mikrotik
    ▪ https://mikrotik.com/
    ▪ https://routerboard.com/
    ▪ Size your needs
      ▪ Prices go from 60$ to 4000$ per unit (L3 routers)
      ▪ Basically, the CPU and RAM will increase the price
      ▪ If you need VPN, QOS or high-traffic firewalling, take care of CPU and RAM
    ▪ Mind the hardware dimensions
      ▪ Some are small devices, some are 1U rack sized
  • 30. Mikrotik example routers
    ▪ https://routerboard.com/RB2011iL-IN
    ▪ ~100€
  • 32. Mikrotik example routers
    ▪ https://routerboard.com/RB1100AHx2
    ▪ ~250€
  • 33. Mikrotik example routers
    ▪ https://routerboard.com/CCR1009-7G-1C-1SplusPC
    ▪ ~450€
  • 34. Wifi?
    ▪ Don't fear the wifi.
    ▪ Wifi support will be added to our stack thanks to Access Points (AP)
    ▪ Usually better than embedded router wifi
  • 35. Router quick tour
    ▪ Every port can be wired independently
    ▪ Some devices provide switch chips
    ▪ Some devices provide Wifi
      ▪ It's better to use dedicated hardware for such tasks
    ▪ You basically tell each port what you want it to do
      ▪ 1/ You create L2 and L3 links
      ▪ 2/ You arrange routes
      ▪ 3/ You secure everything with the integrated firewall
      ▪ 4/ You control traffic bandwidth with queues and QOS
  • 39. Dedicated switches
    ▪ The problem with routers is that they are not good switches
    ▪ They may do the job, but take care not to go through the CPU for switching purposes
      ▪ Tip: bridged traffic often goes through the CPU
    ▪ Buy the right hardware for the right purpose
    ▪ For full L2 switching, nothing beats switch ASICs
  • 40. Using a dedicated switch
    ▪ [diagram: 192.168.1.0/29 and 192.168.0.0/28 segments, WAN 93.235.6.18, VLAN trunk to the switch]
  • 41. Even better with 802.1ad LACP
    ▪ [diagram: same segments, VLAN trunk carried over a LACP bundle]
  • 42. More complex setup
    ▪ [diagram: provider #1 and provider #2; provider #1 TV stream, provider #2 SIP stream; IP cameras, computers, NAS, IoT devices]
  • 44. RouterOS
    ▪ A full Network OS
    ▪ You must familiarize yourself with it
    ▪ You must have strong general networking knowledge (master OSI, master TCP/IP and common protocols at several layers)
    ▪ RouterOS supports
      ▪ Firewalling - IPsec - Routing - Switching - MPLS - VPN - Wireless - DHCP - Hotspot - Bonding - QOS (HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS - TFTP - PPP, ISDN - Bridging (STP/RSTP) - Telnet/SSH - Packet sniffer - Ping flood - traceroute - Scripting - File fetch - Traffic generator - SOCKS - ...
    ▪ In short: many advanced technologies in one box
    ▪ Have a look at the licensing details
  • 45. RouterOS details
    ▪ You may access RouterOS using:
      ▪ Web HTTP-HTTPS access
      ▪ SSH / Telnet, using the command line
      ▪ WinBox (Windows GUI tool)
      ▪ Console port (special cable needed)
      ▪ FTP-TFTP for internal storage access
    ▪ An HTTP interface demo exists online
      ▪ At http://demo.mt.lv
    ▪ Documentation
      ▪ https://wiki.mikrotik.com/wiki/Manual:TOC
  • 48. Let's go for our first simple example
  • 49. Let's go for our first simple example: distributing Internet at home
  • 50. Very simple Internet sharing setup
    ▪ [diagram: WAN modem on one port; PC1 and PC2 on gigabit switch 1; Ethernet switch 2 unused]
  • 51. What we need
    ▪ Isolate port 10 (eth10) from switch 2: this is the WAN
    ▪ Use the full switch 1 by bridging its ports together
    ▪ Associate a DHCP client to eth10 (WAN) if the ISP doesn't provide a fixed IP
    ▪ Create an IP and a network for the full switch 1 (LAN)
      ▪ Let's choose 192.168.0.0/28
      ▪ Let's add a DHCP server to it
    ▪ Create a source NAT on eth10 so that LAN traffic is NATed over the WAN
  • 52. GO
  • 53. We have a simple setup :-)
    ▪ [diagram]
      ▪ DHCP client on WAN: 98.2.245.78
      ▪ Router LAN IP: 192.168.0.14, network 192.168.0.0/28
      ▪ DHCP server leases: 192.168.0.1, 192.168.0.2
      ▪ NAT masquerade
      ▪ Routing table:
        ▪ 0.0.0.0/0 -> 98.2.245.1
        ▪ 98.2.245.0/24 -> eth10
        ▪ 192.168.0.0/28 -> switch1
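The steps of slides 51 to 53 written out as a RouterOS 6.x script. This is an added example, not the deck's own configuration; it assumes RB2011-style port names (ether1 to ether5 for switch 1, ether10 for the WAN, ether9 left free for the later "hidden door") and the addresses shown on slide 53.

```routeros
# Added example: RouterOS 6.x CLI for the "very simple Internet sharing setup".
# Assumptions: RB2011-style naming, ether1-ether5 = gigabit switch 1 (LAN),
# ether10 = WAN towards the modem, ether9 left untouched for the firewall
# "hidden door" added later. Addresses are the ones shown on slide 53.

# 1. LAN: one bridge over the whole of switch 1 so all five ports share an L2 segment
/interface bridge add name=bridge1 comment="LAN (switch 1)"
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5

# 2. WAN: ether10 is not bridged anywhere, it just runs a DHCP client towards the ISP.
#    The client installs the 0.0.0.0/0 -> ISP gateway route of slide 53 by itself.
/ip dhcp-client add interface=ether10 add-default-route=yes use-peer-dns=yes disabled=no comment="WAN (ISP modem)"

# 3. Router address on the LAN segment and the matching DHCP pool/server
/ip address add address=192.168.0.14/28 interface=bridge1 comment="LAN gateway"
/ip pool add name=pool-lan ranges=192.168.0.1-192.168.0.13
/ip dhcp-server add name=dhcp-lan interface=bridge1 address-pool=pool-lan lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.0.0/28 gateway=192.168.0.14 dns-server=192.168.0.14

# The router resolves DNS for the LAN (it learnt the ISP resolvers via use-peer-dns).
# allow-remote-requests=yes also answers queries arriving on the WAN side until the
# input chain is locked down, which is what the firewall slides that follow do.
/ip dns set allow-remote-requests=yes

# 4. Source NAT: everything leaving through ether10 is masqueraded behind the WAN address
/ip firewall nat add chain=srcnat out-interface=ether10 action=masquerade comment="LAN -> WAN"

# Checks: the routing table should now show the three routes of slide 53
/ip route print
/ip dhcp-client print
/ip dhcp-server lease print
```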
  • 54. Linux utilities and network debugging tools
    ▪ mtr
    ▪ ipcalc
    ▪ iperf
    ▪ nmap
    ▪ ethtool
    ▪ And of course:
      ▪ tcpdump / wireshark
      ▪ switch port mirroring
      ▪ TZSP
  • 56. Security foreword
    ▪ If you want to design your own network from scratch, you are responsible for your own security
    ▪ Bad firewall configuration will lead to security breaches in your home, from outside, through the wires.
    ▪ Take care
    ▪ Secure your network like you secure your home
      ▪ Lock doors
      ▪ Take care of the basement, windows and other ways to reach you
      ▪ Think about everything
  • 57. WAN security
    ▪ Your WAN part is directly connected to the Internet
    ▪ You'll then start experiencing attacks on your external IP
    ▪ You must now protect yourself
      ▪ From WAN inbound traffic, that's the basics (IN)
      ▪ From your own untrusted outbound traffic, that's optional (OUT)
    ▪ Welcome FIREWALL
  • 58. Firewall filter chains
    ▪ Input
      ▪ Traffic whose dst-addr is one of your router's
    ▪ Forward
      ▪ Traffic flowing through your router (whose dst-addr is routable and not one of your router's)
    ▪ Output
      ▪ Traffic generated by the router's internal OS, whose src-addr will be one of your router's
    ▪ "FooBar"
      ▪ You can create as many custom chains as you want
  • 59. Firewall: main rules
    ▪ One rule targets one chain (not zero, not several: one)
      ▪ Input
      ▪ Forward
      ▪ Output
      ▪ Xyzbaz: custom chain (you can add as many custom chains as you like)
    ▪ For every chain, rules are ordered
      ▪ If rule 3 breaks the chain (by DROPping, for example), then rule 4 and the following ones won't be triggered
    ▪ Rules can jump
      ▪ You can say "rule 3, match packets XXXX and jump to chain ZZZZ"
    ▪ You have to carefully follow the packet path in your head
      ▪ Don't get lost!
  • 60. Firewall perf
    ▪ We use a connection tracking firewall here
      ▪ Activated by default. Can be tuned (connection lifetimes)
      ▪ A raw firewall is available too
    ▪ If you don't organize flows the right way
      ▪ You'll burn your CPU as traffic increases
    ▪ Organize rules (they are ordered lists) cleverly
      ▪ The most likely to match should come first
    ▪ At some point, you'll need better hardware (CPU and RAM)
      ▪ Time to upgrade then
      ▪ At 1Gbps per link, that can increase very fast according to needs
  • 61. Let's add our firewall rules
  • 62. Accept ICMP
    ▪ Don't blindly block ICMP
      ▪ Internet Control Message Protocol
      ▪ A good engineer does not blindly block all ICMP traffic
    ▪ ICMP is used to debug your router and networks
      ▪ Mainly using "ping" or "traceroute"
    ▪ ICMP is used to debug IP
      ▪ "network unreachable", "admin prohibited", "frag. needed"
      ▪ Thus ICMP helps the router and OSI layer 4 protocols (TCP)
    ▪ ICMP is mandatory for IPv6 (it can't work without it)
  • 63. Or at least, control ICMP
    ▪ You may suffer from ICMP attacks
    ▪ Then you may limit ICMP traffic to some rate
    ▪ Or you may classify ICMP traffic
    ▪ http://www.nthelp.com/icmp.html
  • 64. Drop Invalid
    ▪ Invalid packets are packets which present themselves as part of a non-existent connection
      ▪ Not seen before by the conntrack firewall
    ▪ Basically: traffic injection attempts / attacks or replays
    ▪ Or networking problems
      ▪ (Advanced routing protocols could suffer from that; we don't care at our level)
  • 65. Accept established
    ▪ Established packets are packets about which the router already knows something
    ▪ Basically: this is the way-back return traffic
    ▪ This rule is very useful to match the return traffic and not block it
      ▪ You can blindly assume that you accept packets coming from connections you did create or accept, right?
    ▪ This rule will also reduce firewall CPU pressure
  • 66. Accept forwarding
    ▪ As a router, your role is to forward packets from one interface to another
      ▪ Using routing tables
    ▪ Let's accept default forwarding
      ▪ This is the default
      ▪ But adding a rule will help you remember that
      ▪ And collect statistics about it
  • 68. Firewall jail
    ▪ Simple: you program the firewall so that you lock yourself out of the box.
      ▪ Like when you close your front door with the keys in the lock on the other side
    ▪ WARNING
      ▪ It is easy to lock yourself out of your box
      ▪ Always keep that in mind while firewalling
  • 69. Firewall jail example
    ▪ "For every INPUT, DROP it"
      ▪ You just locked yourself out!
      ▪ The connection will immediately be lost
    ▪ 4 solutions:
      ▪ Reset your router (pay the price!)
      ▪ Access using the console port (you'll need a special console cable)
      ▪ Prevent it yourself by opening a hidden door (a special port)
      ▪ Use an embedded anti-lockout system
        ▪ Vendors usually provide anti-lockout systems
        ▪ Mikrotik provides two of them
  • 70. Open a "hidden" door by yourself
    ▪ Here, eth9 can be used to connect to any router IP and access your router
    ▪ This assumes you have physical access to it
    ▪ This assumes you open the firewall input using an "in-interface" match
  • 71. Let's protect ourselves
    ▪ Accept input from the trusted 192.168.0.0 network
    ▪ Accept input from your fail-over interface
    ▪ And deny input from everywhere else
    ▪ Reminder: input means your router itself, not any other machine
  • 72. Reject private IP ranges ("bogons") on ISP outputs
    ▪ Also, you may blackhole/reject private IP routes (called "bogons")
      ▪ RFC 1918 ranges and others
    ▪ This may mitigate some DoS attacks and prevents private ranges from leaking to your ISP gateway
    ▪ This is a well-known good network practice for routers
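The rules of slides 62 to 72 as one ordered RouterOS 6.x filter set, with the WAN scan detection the summary slide mentions. This is an added example, not the deck's own rule list; it assumes the interface names of the basic setup (bridge1 for the LAN, ether10 for the WAN, ether9 as both the physical "hidden door" of slide 70 and the fail-over port of slide 71).

```routeros
# Added example: ordered input/forward rules for the setup built so far.
# Assumptions: bridge1 = LAN 192.168.0.0/28, ether10 = WAN, ether9 = spare
# port used as the physical "hidden door" (slide 70) and fail-over port (slide 71).
# RouterOS 6.x syntax. Order matters: rules are evaluated top to bottom and the
# first terminating action (accept/drop) wins, so the cheapest and most frequent
# matches go first (slide 60).

# Bogon list (slide 72): private ranges that must never be routed towards the ISP
/ip firewall address-list
add list=bogons address=10.0.0.0/8     comment="RFC 1918"
add list=bogons address=172.16.0.0/12  comment="RFC 1918"
add list=bogons address=192.168.0.0/16 comment="RFC 1918"

/ip firewall filter
# --- return traffic (slide 65): matches most packets, so it comes first and saves CPU
add chain=input   connection-state=established,related action=accept comment="accept established/related"
add chain=forward connection-state=established,related action=accept comment="accept established/related"
# --- invalid (slide 64): packets conntrack cannot tie to any known connection
add chain=input   connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# --- ICMP (slides 62-63): keep it, but rate-limit it instead of blocking it blindly
add chain=input protocol=icmp limit=10,5:packet action=accept comment="accept ICMP up to 10 pkt/s, burst 5"
add chain=input protocol=icmp action=drop comment="drop ICMP above the rate"
# --- hidden door / fail-over port (slides 70-71): whatever is plugged into ether9 reaches the router
add chain=input in-interface=ether9 action=accept comment="hidden door, physical access only"
# --- port scan detection on WAN (slide 75): remember the source, then drop it for a day
add chain=input in-interface=ether10 src-address-list=port-scanners action=drop comment="drop known scanners"
add chain=input in-interface=ether10 protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port-scanners address-list-timeout=1d comment="detect TCP port scans"
# --- trusted source (slide 71): the LAN segment, and only on the LAN bridge
add chain=input in-interface=bridge1 src-address=192.168.0.0/28 action=accept comment="trusted LAN"
# --- everything else destined to the router itself, WAN included, is dropped
add chain=input action=drop comment="deny input from everywhere else"
# --- bogons (slide 72): never forward private destinations out of the ISP port
add chain=forward out-interface=ether10 dst-address-list=bogons action=drop comment="no bogons towards the ISP"
# --- forwarding (slide 66): the default, made explicit to get counters
add chain=forward action=accept comment="default forward (statistics)"

# Routing-level variant of slide 72: blackhole routes only match when no more
# specific route exists, and the connected 192.168.0.0/28 is more specific, so
# the LAN keeps working while stray 10/8, 172.16/12 and 192.168/16 traffic dies here.
/ip route
add dst-address=10.0.0.0/8     type=blackhole comment="RFC 1918 bogon"
add dst-address=172.16.0.0/12  type=blackhole comment="RFC 1918 bogon"
add dst-address=192.168.0.0/16 type=blackhole comment="RFC 1918 bogon"

# Check the order and the hit counters once traffic flows
/ip firewall filter print stats
/ip firewall address-list print where list=port-scanners
```

Apply the list from the ether9 port or a console session: the final input drop is exactly the "firewall jail" of slide 69 if the LAN accept above it is mistyped.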
  • 73. We are done :-)
  • 75. What we got
    ▪ We got a customized router that
      ▪ Gets its WAN IP using DHCP on a port connected to the ISP modem
      ▪ Has an IP on a LAN segment (192.168.0.14/28)
      ▪ Provides a DHCP server on the LAN segment (192.168.0.0/28)
      ▪ Has a src-nat masquerading rule to allow the LAN to access the Internet
    ▪ We got a customized firewall that
      ▪ Allows traffic from the LAN segment and a fail-over interface
      ▪ Denies traffic from everywhere else (including WAN)
      ▪ Detects scan attempts on the WAN interface, and bans them
    ▪ Isn't it cool so far? ;-)
  • 76. Advanced usage and techniques
  • 77. Wifi and VLANs (Advanced usage and techniques)
  • 78. VLANs
    ▪ Virtual LANs, 802.1Q
    ▪ Allow several LANs to pass through
      ▪ The same switch segment (L2), same switch ports
    ▪ Very useful to isolate traffic
      ▪ But still keep it in the same physical cables
    ▪ High security and performance
      ▪ VLAN A cannot communicate with VLAN B at L2 (only through L3 routing)
      ▪ Each VLAN has its own broadcast domain
    ▪ QOS possible (802.1p)
      ▪ Class of Service possible / traffic prioritisation
  • 79. VLAN example
    ▪ Each VLAN shares the same physical switch/ports
    ▪ But two VLANs can't communicate with each other at L2
    ▪ [diagram: VLAN100 and VLAN200 on the same switch]
  • 80. VLAN use case example
    ▪ Let's isolate our 192.168.0.0/28 network for us: private network (untagged)
    ▪ Any unknown soul connecting will be assigned a special VLAN100
    ▪ Let's connect a wifi AP distributing those 2 VLANs:
      ▪ SSID "my-private-network": untagged
      ▪ SSID "my-public-network": tagged in VLAN100
  • 82. AP on LAN
    ▪ If you bridge your AP on the LAN, it will be given an IP by your DHCP server
    ▪ And it will serve clients on the LAN segment
    ▪ Just all right
    ▪ [diagram: AP and clients on 192.168.0.0/28, router to WAN]
  • 83. AP with VLAN
    ▪ [diagram: public wifi and private wifi SSIDs on the AP; private LAN; router to WAN]
  • 84. Adding the VLAN
    ▪ Add a new VLAN on our bridge
    ▪ VLAN ID = 100
  • 85. Adding the IP
    ▪ Add an IP to the router on this VLAN
    ▪ Let's choose 192.168.1.14
    ▪ Let's choose a network of 192.168.1.0/28
  • 86. Adding the DHCP server
    ▪ Let's add a new DHCP server so that clients connected to this VLAN will be given some network configuration
    ▪ 192.168.1.1 to 192.168.1.13 (/28 network)
  • 87. Allow the VLAN to access the WAN
    ▪ Let's NAT it to give it Internet (WAN) access
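Slides 84 to 87 as a RouterOS 6.x script, plus the L3 isolation the slides leave implicit. This is an added example, not the deck's own configuration; it assumes bridge1 and ether10 from the earlier steps and that the access point hangs off ether5, expecting VLAN 100 tagged and the private network untagged on that port.

```routeros
# Added example: guest VLAN 100 on the LAN bridge (slides 84-87), RouterOS 6.x.
# Assumptions: bridge1 = private LAN, ether10 = WAN, access point on ether5
# (VLAN 100 tagged, private LAN untagged on that port).

# 1. VLAN interface on the bridge (slide 84)
/interface vlan add name=vlan100 vlan-id=100 interface=bridge1 comment="public wifi"
# With bridge VLAN filtering (RouterOS 6.41+) the bridge has to carry VLAN 100
# tagged towards the AP port and towards itself; the other ports stay untagged
# members of pvid 1, so the private LAN is unchanged.
/interface bridge vlan add bridge=bridge1 vlan-ids=100 tagged=bridge1,ether5
/interface bridge set bridge1 vlan-filtering=yes

# 2. Router address on the VLAN (slide 85)
/ip address add address=192.168.1.14/28 interface=vlan100 comment="guest gateway"

# 3. DHCP for guests (slide 86)
/ip pool add name=pool-guest ranges=192.168.1.1-192.168.1.13
/ip dhcp-server add name=dhcp-guest interface=vlan100 address-pool=pool-guest lease-time=30m disabled=no
/ip dhcp-server network add address=192.168.1.0/28 gateway=192.168.1.14 dns-server=192.168.1.14

# 4. NAT for the guest subnet only (slide 87)
/ip firewall nat add chain=srcnat src-address=192.168.1.0/28 out-interface=ether10 action=masquerade comment="guests -> WAN"

# 5. Left implicit by the slides: VLAN 100 is isolated at L2, but the router now
# routes between 192.168.1.0/28 and 192.168.0.0/28 at L3. Block that, and let
# guests reach the router itself only for DHCP and DNS. On a live box these rules
# must sit above the catch-all input drop and the default forward accept
# (use place-before=<rule number> when adding them to an existing list).
/ip firewall filter
add chain=forward in-interface=vlan100 dst-address=192.168.0.0/28 action=drop comment="guests may not reach the private LAN"
add chain=input in-interface=vlan100 protocol=udp dst-port=67 action=accept comment="guest DHCP"
add chain=input in-interface=vlan100 protocol=udp dst-port=53 action=accept comment="guest DNS"
add chain=input in-interface=vlan100 action=drop comment="nothing else from guests to the router"

# Checks
/interface bridge vlan print
/ip dhcp-server lease print where server=dhcp-guest
```

Turn on vlan-filtering from the ether9 "hidden door" or the console, since a wrong tagged/untagged assignment cuts the management path, and remember that on RouterOS 6 only CRS3xx switch chips offload bridge VLAN filtering, so on an RB2011 the bridged traffic then crosses the CPU (the point of slide 39).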
  • 89. Connecting to a second ISP (multi-homing) Advanced usage and techniques
  • 90. Connecting to a second ISP ī‚§ If our ISP goes down, we won't have Internet access any more :- ( ī‚§ Why not apply to a second ISP ? ī‚§ Prices are cheap nowadays, we really can afford it ī‚§ Or even more ? 3 ISPs ?
  • 92. A second default route ? ī‚§ ISP == Internet access , let's add then a second default route ī‚§ The route "distance" metric tells which one to use when several routes exist for the same target ī‚§ The smallest distance will be prefered ī‚§ With such a setup, if one ISP goes down, the router will automatically, and transparently route traffic to the other one ī‚§ We got a fail-over setup :-)
  • 93. Security with several ISP ī‚§ Now, pirates have a second door they can fire in ī‚§ A nice solution to that, is to group both ISP interfaces (eth9 and eth10) into an interface group ī‚§ And use this group into the firewall WAN1 WAN2
  • 94. Wait .... ī‚§ Our setup actually has a big problem ...
  • 95. Asymmetric routing and connection stickiness
    - If an incoming connection (to one of our servers, e.g.) comes in from ISP #1
    - We must be sure the answer leaves our router back through ISP #1
    - If it leaves through ISP #2, as we NAT the output, the packet will be dropped by the destination (wrong source address)
    - And that leaks our ISP #2 IP to the destination
    - We need sticky connections
    - We'll use the firewall mangle table to perform that step
  • 96. Setting up sticky connections
    - Mark for the internal network (forward)
    - Mark also for the router's own traffic (input / output)
  • 97. Balancing traffic through ISPs
    - Instead of fail-over, you can also balance the output traffic
    - If you want to balance with no specific rule, use an ECMP route
    - You add one route, but several gateways for it
    - ROS balances per source/destination address pair (an L3 policy), not per packet
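Slides 92 to 97 as one RouterOS configuration: two default routes with distances, the WAN interface group used by the firewall, the mangle marks that keep replies on the ISP they came in on, and the ECMP alternative. This is an added example, not the deck's own configuration. It assumes RouterOS v6 syntax (v7 replaces routing-mark with routing-table), ISP #1 on eth9 with gateway 203.0.113.1 and ISP #2 on eth10 with gateway 198.51.100.1; the gateway addresses are documentation prefixes standing in for your real ones.

```routeros
# Added example (not from the slides): fail-over, interface group, sticky connections, ECMP.
# Assumed: ISP1 = eth9 via 203.0.113.1, ISP2 = eth10 via 198.51.100.1 (placeholder addresses).

# 92) two default routes; lowest distance wins, check-gateway withdraws a dead one
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="ISP1"
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment="ISP2"

# 93) group both uplinks; firewall and NAT refer to the group, so a third ISP is one more member
/interface list add name=WAN
/interface list member add list=WAN interface=eth9
/interface list member add list=WAN interface=eth10
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="no new inbound sessions to the router"
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# 95/96) sticky connections: remember which ISP a connection arrived on...
/ip firewall mangle add chain=prerouting in-interface=eth9 connection-state=new action=mark-connection new-connection-mark=from-isp1 passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=eth10 connection-state=new action=mark-connection new-connection-mark=from-isp2 passthrough=yes
# ...then route its replies through a per-ISP table.
# forward: replies coming back from LAN hosts (a dst-nat'ed server, for instance)
/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=from-isp1 action=mark-routing new-routing-mark=to-isp1
/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=from-isp2 action=mark-routing new-routing-mark=to-isp2
# input/output: replies generated by the router itself
/ip firewall mangle add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=to-isp1
/ip firewall mangle add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=to-isp2
# the per-ISP tables: one default route each
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-isp1
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-isp2

# 97) alternative to fail-over: a single ECMP route carrying both gateways
# /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1,198.51.100.1 check-gateway=ping
```

The mark-routing rules are restricted to packets that did not enter on a WAN interface: a packet arriving from ISP #1 and destined to a LAN host must still be delivered through the main table, and a per-ISP table containing only a default route would send it back out to the gateway. Connections opened from the LAN carry no mark, so they keep using the main table and therefore the fail-over pair of routes.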
  • 98. RouterOS: other ideas and scenarios
  • 99. Children VLAN
    - Children at home connect to their own VLAN
    - Manual config, fixed MAC config or 802.1X advanced authentication
    - Only activate forwarding to the Internet at fixed hours
    - Time for bed? Internet "disconnects itself"
    - Easy to ban an IP or a MAC for some time
    - "Do your homework first"
    - L7 filter (high CPU needed)
      - Deny L7 keywords: "facebook", "war", "sex"
      - Deny protocols: p2p, torrent, etc.
    - Traffic limit (only 3 Mbps down and 1 up [, from 11am to 5pm])
    - L7 HTTP interception (transparent proxy) and filtering
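The curfew, the temporary ban, the L7 keyword and the rate cap from this slide as RouterOS v6 rules. This is an added example, not the deck's configuration; it assumes the children's VLAN is 192.168.2.0/28 and that an interface list named WAN already groups the ISP uplinks.

```routeros
# Added example (not from the slides): children VLAN controls.
# Assumed: kids on 192.168.2.0/28, interface list "WAN" holds the ISP uplinks.
/ip firewall address-list add list=kids address=192.168.2.0/28

# Curfew: Internet forwarding only between 07:00 and 21:00. Two rules, because a single
# window that crosses midnight is awkward to express; put both before any generic accept.
/ip firewall filter add chain=forward src-address-list=kids out-interface-list=WAN time=7h-21h,sun,mon,tue,wed,thu,fri,sat action=accept comment="kids: daytime Internet"
/ip firewall filter add chain=forward src-address-list=kids out-interface-list=WAN action=drop comment="kids: curfew"

# "Do your homework first": a ban that expires by itself after 2 hours (address-list timeout),
# inserted at the top of the filter chain so it wins over the daytime accept
/ip firewall address-list add list=kids-banned address=192.168.2.5 timeout=2h comment="homework"
/ip firewall filter add chain=forward src-address-list=kids-banned action=drop place-before=0

# L7 keyword match: inspects the first packets of every connection, hence the CPU cost
/ip firewall layer7-protocol add name=facebook regexp="facebook"
/ip firewall filter add chain=forward src-address-list=kids layer7-protocol=facebook action=drop

# Rate cap, 11:00-17:00 only. max-limit is written upload/download, so 1 Mbps up / 3 Mbps down.
/queue simple add name=kids target=192.168.2.0/28 max-limit=1M/3M time=11h-17h,sun,mon,tue,wed,thu,fri,sat
```

An L7 keyword rule only sees what is in the first packets of a connection; with TLS that is at most the server name in the handshake, which is why the slide also lists a transparent proxy as the heavier alternative. The address-list timeout is the cleanest way to implement "for some time": nothing has to remember to lift the ban.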
  • 100. QOS
    - Route the TV VLAN and the VOIP (phone) VLAN independently
    - QOS traffic at L2 or L3
    - Allocate bandwidth dynamically
    - IGMP snooping, so multicast TV streams are not flooded to every port
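A worked version of this slide: VoIP and TV marked by VLAN, the class carried in the 802.1p header (L2) and a queue tree sharing the uplink dynamically (L3), plus IGMP snooping on the bridge. This is an added example, not the deck's configuration; it assumes RouterOS v6, VLAN interfaces named vlan-voip and vlan-tv, a LAN bridge bridge1 and a 20 Mbps upload on eth9.

```routeros
# Added example (not from the slides): QoS for VoIP and TV VLANs.
# Assumed: vlan-voip, vlan-tv, bridge1, ISP uplink eth9 with 20 Mbps upload.

# Classify by ingress VLAN; passthrough=no so a packet gets exactly one mark
/ip firewall mangle add chain=prerouting in-interface=vlan-voip action=mark-packet new-packet-mark=voip passthrough=no
/ip firewall mangle add chain=prerouting in-interface=vlan-tv action=mark-packet new-packet-mark=tv passthrough=no

# L2: copy the class into the 802.1p priority bits, so a VLAN-aware switch honours it too
/ip firewall mangle add chain=postrouting packet-mark=voip action=set-priority new-priority=6

# L3: HTB queue tree on the upload side. limit-at is the guaranteed share,
# everything up to max-limit is handed out dynamically, highest priority first (1 = highest).
/queue tree add name=up parent=eth9 max-limit=20M
/queue tree add name=up-voip parent=up packet-mark=voip priority=1 limit-at=2M max-limit=20M
/queue tree add name=up-tv parent=up packet-mark=tv priority=3 limit-at=5M max-limit=20M
/queue tree add name=up-other parent=up packet-mark=no-mark priority=8 limit-at=1M max-limit=20M

# Multicast TV only to the ports that joined the group, instead of every bridge port
/interface bridge set bridge1 igmp-snooping=yes
```

The parent queue's max-limit must be a little below what the ISP really delivers, otherwise the bottleneck moves to the modem and the router's priorities no longer decide who waits. The same tree, built on the LAN bridge as parent, shapes the download direction.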
  • 101. Automation
    - Add IP cameras or any full automation system
    - Isolate at L2 using VLANs
    - Secure with 802.1X (RADIUS auth, automatic VLAN assignment)
    - Route at L3
    - Implement aggressive security for your IOT
    - Control everything easily, remotely
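What "aggressive security for your IOT" can look like once the devices sit on their own VLAN: a default-deny forward policy where the IoT VLAN may only answer, reach a short list of Internet ports, and be managed from one admin host. This is an added example, not the deck's configuration; it assumes an IoT VLAN interface vlan-iot on 192.168.3.0/24, an admin workstation at 192.168.0.2 and an interface list named WAN.

```routeros
# Added example (not from the slides): default-deny policy for an IoT VLAN.
# Assumed: vlan-iot = 192.168.3.0/24, admin host 192.168.0.2, interface list "WAN".

# Replies to sessions opened from elsewhere are fine; malformed state is not
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop

# Only the admin host may open sessions into the IoT VLAN (camera web UI, controller)
/ip firewall filter add chain=forward src-address=192.168.0.2 out-interface=vlan-iot action=accept

# IoT devices may reach the Internet only on the ports their cloud service needs...
/ip firewall filter add chain=forward in-interface=vlan-iot out-interface-list=WAN protocol=tcp dst-port=443,8883 action=accept
# ...and nothing else: no other VLAN, no other port. Log first, then drop.
/ip firewall filter add chain=forward in-interface=vlan-iot action=log log-prefix="iot-blocked"
/ip firewall filter add chain=forward in-interface=vlan-iot action=drop

# Towards the router itself, the IoT VLAN only gets DHCP and DNS
/ip firewall filter add chain=input in-interface=vlan-iot protocol=udp dst-port=53,67 action=accept
/ip firewall filter add chain=input in-interface=vlan-iot action=drop
```

The log rule is the detection half of the policy: a camera that suddenly tries port 22 on a neighbouring VLAN shows up in the log with the "iot-blocked" prefix before anything else happens. With 802.1X and RADIUS-assigned VLANs in front of this, a device is placed on vlan-iot by its credentials rather than by which wall socket it happens to be plugged into, so the rules follow the device.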
  • 102. Ideas
    - For this connection, drop one packet out of XXX
    - Script X to be dynamic
    - Randomly drop packets
    - Blackhole an IP or even an AS
    - Deny access to whole networks at routing level
    - Useful anti-DDOS techniques
    - Give network access only through specific time spans
    - Detect attacks, block attackers, limit bandwidth with queues
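Several of these ideas as concrete RouterOS v6 rules: the nth and random matchers for deliberate packet loss (handy for testing how an application copes), a blackhole route, a time-window rule, and the classic staged address-list that turns repeated SSH attempts against the router into a temporary ban. This is an added example, not the deck's configuration; the addresses are documentation prefixes used as placeholders and the interface list WAN is assumed to exist.

```routeros
# Added example (not from the slides): a few of the slide's ideas as RouterOS rules.
# Assumed: placeholder addresses 203.0.113.x / 198.51.100.x, interface list "WAN".

# Drop one packet out of 100 for a flow (nth=every,packet): controlled loss for resilience tests
/ip firewall filter add chain=forward dst-address=203.0.113.10 nth=100,1 action=drop comment="1 in 100"
# Drop at random instead, 5% probability
/ip firewall filter add chain=forward dst-address=203.0.113.10 random=5 action=drop

# Blackhole a whole network at routing level; an AS is blackholed by listing its prefixes the same way
/ip route add dst-address=198.51.100.0/24 type=blackhole comment="never talk to this network"

# Network access only in a time span: a lab host may reach the Internet 22:00-23:00
/ip firewall filter add chain=forward src-address=192.168.0.7 out-interface-list=WAN time=22h-23h,sun,mon,tue,wed,thu,fri,sat action=accept
/ip firewall filter add chain=forward src-address=192.168.0.7 out-interface-list=WAN action=drop

# Detect and block: each new SSH connection to the router moves the source one stage up within a minute;
# the third strike lands it in a blacklist for a day. Order matters: drop first, highest stage next.
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh-blacklist action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage2 action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=1d log=yes log-prefix="ssh-ban"
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage1 action=add-src-to-address-list address-list=ssh-stage2 address-list-timeout=1m
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh-stage1 address-list-timeout=1m

# Limit rather than block: cap what a flagged source can pull through the router
/queue simple add name=throttled target=198.51.100.77/32 max-limit=256k/256k
```

The staged list works because add-src-to-address-list does not stop rule processing: on the third new connection the source is already in ssh-stage2, so the first matching rule blacklists it and logs the event. The same pattern, with a different port and chain=forward, protects a self-hosted service behind the router rather than the router itself.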
  • 103. Thank you for listening