This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router:Linux - Debian - With L2TP Fallback: Difference between revisions

(Created page with "DSL lines are not perfect, and line resyncs are guaranteed to happen at the most inconvenient moment. Fortunately AAISP provide L2TP for subscriber...")
 
I investigated PFSense (my current firewall solution) and RouterOS, but neither had very satisfactory scripting abilities. Linux, on the other hand, had no such problem.
 
In this solution, I have chosen to place a Linux box acting only as a router in front of my PFSense box. This keeps a fairly nice GUI for day-to-day management, but gives it a more robust way to connect to AAISP via the Linux router, all of which is hosted on an ESXi box. The obvious cost is an extra hop, which requires a bit of extra CPU and causes a bit of extra latency. When measured I found PFSense to need around 10x the CPU of the Linux box (likely SNORT has a lot to do with this, and there will also be a little extra vSwitch load; SR-IOV is supported if you're desperate to avoid this) and an extra 1-2ms latency.
 
Throughout this guide, I'll likely refer to your PFSense box. While a few config tweaks will be needed, the guide should apply to more or less any firewall.
 
= Prerequisites =
* a Linux machine with Debian Buster already installed and three network interfaces: one for the connection to the modem, one for the connection to the alternative path router, and one for the connection to your LAN. The machine should be ready for internet-facing duties, which means strong passwords!
* an ADSL or FTTC modem, or a fibre ONT (for FTTP), as appropriate for your connection
* an alternative path router of some type. In my case I am using a Huawei B315 4G router (with ethernet)
There are two options for the IPv4 ranges. You can assign the /29 to the handoff interface between the Linux router and the firewall. This would be the "proper" way to do things, but it wastes 3 public IP addresses (network, broadcast and the router's own address), which are a precious resource in this day and age. I have instead used RFC1918 private address space for the handoff between the two devices, and routed the public /29 block to the private IP of the firewall. The firewall can then be configured with these as virtual addresses, with all 8 addresses kept as usable addresses.
 
= Assumptions and example setup =
[[File:Debian L2TP Routing Setup IPv4.jpg|none|frame|IPv4 routing setup used in this example]]
(Diagram to follow)
[[File:Debian L2TP Routing Setup IPv6.jpg|none|frame|IPv6 routing setup used in this example]]
* '''ens256''' is plugged directly into your modem or ONT
* '''ens161''' will be attached to your PFSense firewall
<pre>
# (the start of this script, including the matching "if", is not present in this revision extract)
/sbin/ip -6 route del default dev ppp-aaisp-l2tp scope link
fi
</pre>
 
=== Security ===
Your Linux router will hold the line's /32 address, and by default sshd listens on 0.0.0.0 (all addresses), so it will accept SSH connections from the internet. You'll find very quickly that /var/log/auth.log fills with automated password attempts. I recommend altering /etc/ssh/sshd_config: either restrict it to binding on the internal IP only
<pre>
ListenAddress 192.168.0.1
ListenAddress 2001:db8:0::1
</pre>

or configure SSH key authentication with no password fallback.
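The following shell script is an added example, not part of the original page or of any AAISP tooling: it audits an sshd_config file for the two mitigations described above (sshd bound to specific internal addresses rather than a wildcard, or password authentication switched off) and reports which, if any, is in place. The helper names, the temporary file and the sample config contents are constructed for this example; the parsing mirrors the documented sshd behaviour that the first occurrence of a keyword wins and that ListenAddress may be given several times.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config for the two
# mitigations discussed above. Exit status 0 = at least one mitigation is
# present, 1 = sshd reachable on every address with password logins allowed.
# All function names, file paths and sample configs below are constructed.

# Print the effective value of a keyword, ignoring comments; sshd applies the
# first occurrence of most keywords, so stop at the first match.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# ListenAddress is cumulative: print every occurrence, one per line.
sshd_listen_addresses() {
    awk '{ sub(/#.*/, "") } NF >= 2 && tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Return 0 only if every ListenAddress is a specific (non-wildcard) address.
listen_restricted() {
    addrs=$(sshd_listen_addresses "$1")
    [ -n "$addrs" ] || return 1        # no ListenAddress at all: binds 0.0.0.0 and ::
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|'[::]:'*|'*:'*) return 1 ;;   # wildcard binds
        esac
    done
    return 0
}

# Return 0 if password authentication is explicitly off (OpenSSH default is yes).
password_auth_disabled() {
    v=$(sshd_option "$1" PasswordAuthentication)
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "no" ]
}

# Report both checks; succeed if at least one mitigation is in place.
audit_sshd_config() {
    ok=1
    if listen_restricted "$1"; then
        echo "ok:   sshd bound to specific address(es): $(sshd_listen_addresses "$1" | tr '\n' ' ')"
        ok=0
    else
        echo "warn: sshd listens on all addresses, so it is reachable via the line /32"
    fi
    if password_auth_disabled "$1"; then
        echo "ok:   PasswordAuthentication no"
        ok=0
    else
        echo "warn: password authentication allowed (OpenSSH default when unset)"
    fi
    return $ok
}

# Constructed sample: a near-default config of the kind that fills auth.log.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample, not a real host's file)
Port 22
#ListenAddress 192.168.0.1
PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "result: config needs attention"
rm -f "$sample"
```

Run it against a copy of the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a config carrying the two ListenAddress lines from the page passes the first check, one carrying `PasswordAuthentication no` passes the second, and a file with neither exits non-zero.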
 
=== Finishing off ===