I do not wholly recommend these though - there were some configuration issues with the Netgear R7000 + DD-WRT that I could not anticipate ahead of time that would have changed my mind had I known. I would continue using my existing 24-port unmanaged switch and switch the AirPort Time Capsule to be a Time Capsule only. I ultimately settled on two new pieces of hardware: a Ubiquiti EdgeRouter PoE and a Netgear R7000. Firewall controls to block or allow access from one VLAN to another as desired.Distinct 5 GHz and 2.4 GHz SSIDs for the wireless to help with the interference problem (I would have done away with 2.4 GHz entirely, but certain devices I have only support that frequency range).Support for at least three distinct networks (VLANs) on the same set of hardware.Given these new considerations, I had a list of things I wanted: It’s not uncommon to see an SSID list with 25-30 entries. In addition to that, more residents in this neighborhood have set up wireless access points of their own, and the congestion from those had begun to impact the dependability of my own. What was once a couple computers and a printer now encompasses multiple computers, printers, security cameras, iPads, iPhones, and several other network-dependent devices. This setup worked fine for a while, but as the years have passed, my fleet of devices has grown as have the demands on the network. All of the terminations for these were centralized into a closet at the center of the house, which houses a small patch panel, an unmanaged switch, and an AirPort Time Capsule providing routing services. When we built this house, I had the opportunity to put in the physical infrastructure I wanted: at least two Cat 5e + RG-6 runs to every room with extra to the room that would eventually be my office. I wanted to fully isolate and lock down everything IoT or otherwise untrusted. It was the sign I needed to finally make the move from thinking about improvements to my home network to actually building it out. In recent weeks this has come to fruition, first with a DDoS against and later with a DDoS against Dyn’s name servers. The iptables rules can be added to a startup script if needed.Over the past few years, security industry experts have been warning that the internet of things (IoT) is wildly insecure. Sudo iptables -A VYATTA_FW_LOCAL_HOOK -i l2tp+ -p tcp -dport 443 -j DROP To drop SSH and HTTPS for example: sudo iptables -A VYATTA_FW_LOCAL_HOOK -i l2tp+ -p tcp -dport 22 -j DROP You can however, filter the traffic using iptables and the l2tp+ wildcard interface. It is not currently possible to apply firewall policies to the L2TP interface(s) using the standard CLI/GUI commands. Set interfaces ethernet ethx firewall out name LAN_OUT Set firewall name LAN_OUT rule 20 destination address Set firewall name LAN_OUT rule 20 source address Set firewall name LAN_OUT rule 20 description 'deny l2tp' Set firewall name LAN_OUT rule 20 action drop Set firewall name LAN_OUT rule 10 protocol tcp_udp Set firewall name LAN_OUT rule 10 destination port Set firewall name LAN_OUT rule 10 destination address Set firewall name LAN_OUT rule 10 source address Set firewall name LAN_OUT rule 10 description 'permit l2tp' Set firewall name LAN_OUT rule 10 action accept In order to block the VPN access to the LAN devices, you can add a LAN_OUT firewall rule in the egress direction on all LAN ports (VIFs).įor example: set firewall name LAN_OUT default-action accept
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |