I'd like assistance creating a new network layout *again*


vvbudh (Oct 1, 2020):
So, every few months or so, I like messing with my network: adding new devices that I scrounge from the dust bins, spinning up new and improperly configured services on my LAN, and every once in a while buying a new gem that's actually worth something, which leads us to my segment called: F with VV's NETWORK!

I'd like to discuss my LAN, but I don't believe I should discuss it on an open forum. Would anyone care to shoot the breeze and talk about LAN setups with me?


I would like my home network to be ridiculous.

I want IPv6 and OSPF running all in the same house, with multiple routers and switches in the mix. I'm honestly thinking about getting some Pi 3s and using them as extra end devices. I'd also like to have it all on DHCPv6. I don't want to use SLAAC, so I can learn more about how to properly subnet IPv6. It also must do prefix delegation; I have the prefix my ISP provided to me after listening with Wireshark.

But like I said, I'm just shooting the breeze here and thinking about it. The reason I'm thinking about buying hardware and not just using Cisco Packet Tracer is because... well, I like getting up and moving. I don't like sitting at my desk the whole day. Hardware is cool! It's fun! And it's so much more interesting to work with hardware than with an emulation. Probably better experience too.


TLDR: I want to set up new equipment on my LAN and learn OSPF + IPv6 with actual hardware. Talk to me.
 
Sounds like a fun project, @vvbudh, though I think I am way out of the loop with all that new stuff and with setting up a sort of mini corporate network like it sounds like you are planning. I am old and rusty. You sound a lot more knowledgeable than me about networking stuff.

What I know is that I want at least one router acting as a firewall between me and the internet, and if I ever go nuts and decide to have servers running that are not maintained by me (internet of things), then I need to consider them hostile and set the network up so that they can't do harm. That would mean at least one more layer of routers. Ideally the wireless network should be considered unsafe as well, and be in its own shielded-off area, even if it does not contain any IoT devices.
 
Hmm, that's a good idea. I never wanted to get IoT devices because I always felt like they were vulnerable and I'd get worried about 'em. But I like your idea, Vela, about separating them from the network. Very prudent, I'd say.

So we're up to two routers then. Good, I already have two!
 
If you are planning to use IPv6 on your ISP connection remember that all your devices could be exposed to the internet. The first thing to sort out would be a firewall, whether a specific device, or configuration on your external router. Depending on what software your router is running, that may also be vulnerable to external attacks, so a specific hardware firewall is probably a good idea.
 
Okay, because I'm not actually sure, is it wise to just list off what I have here?
 
One thing I might suggest regarding your IoT devices is to VLAN them off instead of dedicating a router/firewall to them, as long as all your devices support VLANs (802.1Q).

It acts as a separate LAN, and your firewall will apply any rules you might have. Now, if you don't have such devices, then you will need to build separate LANs for each class of device.

Also, you can divide your IPv6 assignment using SLAAC as well as DHCPv6. It depends on what you want to do there. Do keep in mind that DHCPv4 and DHCPv6 are completely different beasts and do not work the same way.
 
> I'd like to discuss my LAN, but I don't believe I should discuss it on an open forum. Would anyone care to shoot the breeze and talk about LAN setups with me?

@vvbudh I'm sure lots of people here would be glad to talk to you. And, it's a very interesting topic. But, just be aware this IS an open forum. I just logged out and was still easily able to see this thread. Don't know for sure whether Google can index it.

Also, this quote is from the terms of use:

"Do not submit any Content that you consider to be private or confidential."

As @AlanD said, I don't recommend passing IPv6 either in or out through your edge router unless you have a need to. As I understand it (and y'all can correct me if I'm wrong), since there are enough IPv6 addresses to count all the stars, they don't go through any NAT (network address translation). They just go straight in and straight out of the network. With IPv4, you have a certain private set of addresses inside the edge router, like 192.168.20.2-254, and each outbound packet gets translated to have a single WAN IP address. The private addresses are not routable on the internet. This helps prevent unsolicited packets from coming in.

Just something to think about.

Ron
 
Oh, and if you use two routers to isolate IoT, make sure the outer router is the one that has the IoT devices connected to it, and the inner, most secure router has your important things behind it:

internet <-> outer router (maybe with wireless) <-> IoT devices & inner router (most secure) <-> important things

You can count the outer router and the IoT devices as internet wilderness, and the inner router should be secure if placed on the internet in this setup.

You don't want it the other way around, because compromised IoT devices may reach the admin interface of the router they are behind, or the router that router is behind, and so forth.

Ideally you would also have a separate router to put servers you want to expose to the internet behind, so they can be both protected from the IoT and not on the important, secure inner network; in that case you get a Y configuration of three routers.

But that is enough babbling from me for this post :)

I think there have been some Security Now episodes that cover secure router configurations too, and mention some routers that allow simplifying this a bit since their ports are completely separate from each other (the Ubiquiti EdgeRouter is one, and various boxes that can run pfSense were also mentioned, I think).
 
Okay, so, idea. Let's make a super user's house.
Let's say root has three IoT devices and plans on getting many more. He's got an automated ventilation system in his home that he controls with his phone. He's got Amazon Echos or Dots that play music all across the house for him. He's also got a family, wife and 3 kids, so each person in the house has a computer too, including gaming systems. They'd also like a NAS for the family, with some video game servers as well. So let's say this.


### IoT
3x Amazon Echos.
Ventilation system.
Dining room lights.

### Family Devices
Xbox One
PS4
NAS
5 desktops.
5 mobile phones.

### Services
Video game servers.
Web server.
DHCPv6


This is what we have so far for our example. Let's just say we understand the risk of IPv6, that we don't have NAT anymore, so the house admin has everyone update each Tuesday, and we'll be adding firewalls where appropriate down the line.

Let's make a topology now.

We've got our ISP modem.

ISP modem -> Root's Firewall -> Switch -> Family Devices VLAN
                                       -> Services VLAN
                                       -> IoT VLAN


We'd have a separate router for each of them, like in the video provided by @blaq (thank you).

Now how should we address them all? I would like IPv6 addressing; it's good practice. I believe the IoTs should be SLAAC, but I'd like the family network to be allocated with DHCPv6.
 
Sadly I don't know much about IPv6, so I think it is time for me to bow out, but I will keep an eye on things to see if there is anything I can bring to the party.

I do wonder if IPv6 can be ipfiltered in *nix-based routers; if so, you could replicate the rules that make those routers act like firewalls for IPv4. Not that I am particularly good at ipfilter, IIRC that's even the name of it...
 
How many routers does the super user have, @vvbudh, and what type? I'll try to create a diagram of a setup I would make.

IPv6 Subnetting
For IPv6 addressing, what is the prefix size you're receiving from your ISP? If it is a /64, forget subnetting. That's the smallest size you can assign to a traditional Ethernet-compatible network. The other 64 bits are used for local device addressing.

From my ISP, I have a /56 assignment. This allows me to create 256 subnets (2^(64-56)). In IPv6, an enterprise network would split its assignment in two halves: one is subnet groups (typically functions like Servers, Users, SAN, etc.), and the second is for subnets (e.g. VLANs), which will follow the 4-bit boundary (/48, /52, /56, /60, /64).
So, from the /56 I get, I can split it in two halves (into multiple /60 delegated subnets distributed using DHCPv6 Prefix Delegation).

It's important to stick to that 4-bit boundary, as it improves readability for us mere humans. So you will always see multiples of 4 for the subnet mask.

Let's say my ISP assigns me the subnet 2001:db8::/56. I could split it as follows (let's say I have a 3 floor house):
  • 2001:db8::/60: Core network devices
    • 2001:db8:0:1::/64: Switches
  • 2001:db8:0:ff00::/60: DHCPv6-enabled (or SLAAC) subnets for users
    • 2001:db8:0:ff00::/64: Basement
    • 2001:db8:0:ff01::/64: Ground level
    • 2001:db8:0:ff02::/64: 1st level
  • 2001:db8:0:fe00::/60: DHCPv6-enabled (or SLAAC) subnets for IoT
    • 2001:db8:0:fe00::/64: Basement
    • 2001:db8:0:fe01::/64: Ground level
    • 2001:db8:0:fe02::/64: 1st level
It all depends on the devices you have to distribute that network and how you want to structure it.

IPv6 firewall
Then, you set up the firewall rules, which is easier with this kind of structure:
  1. From 2001:db8:0:ff00::/60, allow Internet, allow IoT
  2. From 2001:db8:0:fe00::/60, allow Internet
  3. etc.

@Vela Nanashi: Yes, you can filter IPv6 traffic using ip6tables and probably also using nftables. It's primordial that a network administrator does not filter out ICMPv6 traffic, as that is required to do path MTU discovery, a required feature in IPv6.
 
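As an added example (not code from the thread), here is the plan in EdwinG's post carried through with Python's ipaddress module and then turned into the forward-chain policy he describes, including the "never drop ICMPv6" caveat. It keeps the same group-then-VLAN structure on 4-bit boundaries, but numbers the groups 0x0, 0xf and 0xe inside the delegated /56: a /56 only varies the low byte of the fourth hextet, so subnet IDs such as ff00 and fe00 fall outside 2001:db8::/56, and the example uses 2001:db8:0:f0::/60 and 2001:db8:0:e0::/60 instead. The zone names, the group indexes and the IoT allow-list prefix 2001:db8:ffff::/48 (a stand-in for a vendor's cloud range) are assumptions made here.

```python
"""Carve an ISP-delegated /56 into /60 groups and /64 VLAN subnets on the
4-bit boundary, then derive forward-chain policy from that plan.

Added example, not code from the thread. 2001:db8::/56 is the documentation
prefix the post uses; the group indexes (0x0 core, 0xf users, 0xe IoT) and
the IoT allow-list prefix 2001:db8:ffff::/48 are assumptions made here.
"""
import ipaddress

ISP_PREFIX = ipaddress.IPv6Network("2001:db8::/56")            # constructed
IOT_ALLOWLIST = [ipaddress.IPv6Network("2001:db8:ffff::/48")]  # assumed vendor cloud


def child(parent, index, new_prefix):
    """index-th sub-prefix of parent at new_prefix (kept on a nibble boundary)."""
    if (new_prefix - parent.prefixlen) % 4:
        raise ValueError("keep subnet boundaries on multiples of 4 bits")
    return list(parent.subnets(new_prefix=new_prefix))[index]


def build_plan(isp=ISP_PREFIX):
    """Return {zone or VLAN name: IPv6Network}. A /56 holds 16 /60 groups, each
    holding 16 /64 VLANs; a /64 is the smallest prefix SLAAC or a normal
    Ethernet segment can use, so nothing is cut below it."""
    core, users, iot = (child(isp, i, 60) for i in (0x0, 0xf, 0xe))
    plan = {"isp": isp, "core": core, "users": users, "iot": iot,
            "switches": child(core, 1, 64)}
    for i, floor in enumerate(("basement", "ground", "first")):
        plan[f"users_{floor}"] = child(users, i, 64)
        plan[f"iot_{floor}"] = child(iot, i, 64)
    # every group must actually sit inside the delegation we were given
    for group in ("core", "users", "iot"):
        assert plan[group].subnet_of(isp), f"{group} is outside {isp}"
    return plan


def zone_of(addr, plan):
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    for zone in ("core", "users", "iot"):
        if ip in plan[zone]:
            return zone
    return "internet"   # anything else, including unused space in the /56


def decide(src, dst, proto, plan, allowlist=IOT_ALLOWLIST):
    """Verdict for a new (not yet established) forwarded flow. Replies to
    allowed flows are left to connection tracking, as in the nft output."""
    if proto == "icmpv6":
        return "allow"   # NDP and path MTU discovery break if ICMPv6 is dropped
    s, d = zone_of(src, plan), zone_of(dst, plan)
    dst_ip = ipaddress.IPv6Address(dst)
    if s == "users" and d != "core":
        return "allow"   # users reach Internet and IoT, not switch management
    if s == "iot" and d == "internet" and any(dst_ip in n for n in allowlist):
        return "allow"   # IoT only talks to its allow-listed cloud prefix
    return "deny"        # IoT -> users/core and Internet -> anything are dropped


def nft_rules(plan, allowlist=IOT_ALLOWLIST):
    """The same policy as decide(), rendered as an nftables forward chain."""
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    meta l4proto ipv6-icmp accept",
             f"    ip6 saddr {plan['users']} ip6 daddr != {plan['core']} accept"]
    for net in allowlist:
        lines.append(f"    ip6 saddr {plan['iot']} ip6 daddr {net} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = build_plan()
    for name, net in plan.items():
        print(f"{name:15} {net}")
    print(nft_rules(plan))
```

decide() and nft_rules() are two views of one policy, so a flow the Python function denies must also fall through to the chain's `policy drop`; the `ct state` line is what lets replies to outbound connections back in without opening anything inbound, which is the IPv6 equivalent of the protection Ron attributes to NAT above.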
Wow, that's awesome. Also, @Vela Nanashi, that's what this thread is for, so you can learn! I'm just asking the questions so people can learn from it, like me and anyone else interested in IPv6 subnetting.

Now let's say my ISP only hands out a /64. I believe the answer should be: YELL AT THEM UNTIL THEY GIVE YOU MORE. Right?

(I'd use Cisco Packet Tracer if I had it installed; will get it later.)
Okay, let's start with this: Modem -> Main Firewall -> Basement Router -> users' computers.

Let's say we have a router for each floor. Is this router going to be the one giving prefix delegation to all the other devices? What is the prefix they'll use? Just this? 2001:db8:0:ff00::/64

Say, for the basement router:
Link Local: FE80:FF00::AA01
IPv6: 2001:DB8:0:FF00::AA01
Or should I have a unique instead?
Are these the appropriate addresses for the basement router?
 
> Now let's say my ISP only hands out a /64. I believe the answer should be: YELL AT THEM UNTIL THEY GIVE YOU MORE. Right?

My ISP always handed me a /56 through prefix delegation. I simply asked them gently to make it "static". It makes it easier to set up in pfSense.

> Okay, let's start with this: Modem -> Main Firewall -> Basement Router -> users' computers.
>
> Let's say we have a router for each floor. Is this router going to be the one giving prefix delegation to all the other devices? What is the prefix they'll use? Just this? 2001:db8:0:ff00::/64
>
> Say, for the basement router:
> Link Local: FE80:FF00::AA01
> IPv6: 2001:DB8:0:FF00::AA01
> Or should I have a unique instead?
> Are these the appropriate addresses for the basement router?

You shouldn't mess around with the link-local IP address (fe80::/10). This is determined by the network card, and it is used to associate the card with the global unicast address using ICMPv6 Neighbour Discovery. They will always be present, they can't be disabled and they can't be routed.

In the example you gave, here's how I would do it. There are several ways to do it. My method does not make use of prefix aggregation for routing protocols, but it makes firewall management somewhat easier to do. Also, I don't use prefix delegation from the firewall downstream, but it's something you could use as well.
Note: 2001:db8::/32 is reserved for documentation purposes, and it cannot be used in networks. I used it in lieu of a subnet provided by an ISP ;)

[Attached image: Diagram1.png]
 
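As an added example (not from EdwinG's post or any poster's code), here is what "determined by the network card" means in practice: the modified EUI-64 interface identifier a NIC derives from its MAC, the fe80::/64 link-local address built on it, the SLAAC global address it forms in a /64 such as the basement prefix above, and the reverse mapping that recovers the MAC, which is the privacy reason RFC 4941 temporary addresses exist. The classify() helper also distinguishes link-local, unique local (fc00::/7, which is what I assume "a unique" refers to) and global unicast. The MAC 00:11:22:33:44:55 and the prefix 2001:db8:0:f0::/64 are constructed inputs.

```python
"""Modified EUI-64 interface IDs, link-local and SLAAC addresses from a MAC,
and the reverse mapping that shows why EUI-64 addresses leak the MAC.

Added example, not code from the thread. The MAC 00:11:22:33:44:55 and the
prefix 2001:db8:0:f0::/64 are constructed inputs.
"""
import ipaddress

LINK_LOCAL = "fe80::/64"                           # fe80::/10 in the RFC, /64 on the wire
ULA = ipaddress.IPv6Network("fc00::/7")            # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_iid(mac):
    """RFC 4291 modified EUI-64: split the MAC, insert ff:fe in the middle and
    flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def address_in(prefix, iid):
    """Place a 64-bit interface identifier into a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC and EUI-64 need exactly a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local(mac):
    """The address the NIC gives itself before any router or DHCPv6 is heard."""
    return address_in(LINK_LOCAL, eui64_iid(mac))


def slaac_global(prefix, mac):
    """Stateless address: prefix from the Router Advertisement, IID from the MAC."""
    return address_in(prefix, eui64_iid(mac))


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64-derived address, or None if the interface
    ID is not EUI-64 shaped (e.g. RFC 4941 privacy or DHCPv6-assigned IDs)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"      # never forwarded; scoped to one segment
    if ip in ULA:
        return "unique-local"    # routed inside the site, not on the Internet
    if ip in GLOBAL_UNICAST:
        return "global-unicast"  # reachable from the Internet unless filtered
    return "other"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    ll = link_local(mac)
    ga = slaac_global("2001:db8:0:f0::/64", mac)
    print(f"{mac} -> {ll} ({classify(ll)})")
    print(f"{mac} -> {ga} ({classify(ga)}), MAC recoverable: {mac_from_eui64(ga)}")
    print(mac_from_eui64("2001:db8:0:f0:1234:5678:9abc:def0"))  # None: not EUI-64
```

Note that mac_from_eui64() works on the global address just as well as on the link-local one, so a SLAAC host using EUI-64 announces its hardware address to every site it talks to; DHCPv6-assigned or privacy-extension addresses do not have that property, which is one reason to pick the addressing mode per VLAN rather than globally.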
> Hmm, that's a good idea. I never wanted to get IoT devices because I always felt like they were vulnerable and I'd get worried about 'em. But I like your idea, Vela, about separating them from the network. Very prudent, I'd say.
>
> So we're up to two routers then. Good, I already have two!

No need for multiple routers, really. VLANs (yes, I know VLANs can be bypassed etc.) with either ACLs on the switch or at least inter-VLAN routing rules at the firewall. I don't think you would need distribution and access switches, but if you have them, you could have more fun with ACLs etc. Even a simple pfSense router connected to a managed switch is good enough to segregate IoT from the rest of the network with proper rules and, if possible, ACLs. I do this for all my clients. I do network consulting for other companies, and they all groan when I ask what VLAN their cameras are on and they say they are all on 192.168.1.0/24 with the printers, network gear, JACE units, access control and phones. I can't tell you how many LANs I've consulted on to correct "I'm out of IPs" when they are in a 192.168.0.0/24 subnet and already have 50 cameras.

Sorry for the tangent. I always put IoT devices on either a no-Internet VLAN or on a VLAN that can only get to whitelisted IPs on the Internet. No IoT device connection to the production LAN. Sometimes I have to allow routing from the prod LAN to the IoT/Camera/Access Control VLANs, but never an "Allow * from *" on those VLANs. What port, what IP addresses do I need to allow?
 
I like what you said, Doctor. That would make sense to me.

Also, Ed, I really appreciate your response; that's exactly what I was looking for. Thank you so much for helping with this.

Also, sorry for my late reply. I was talking with another member of the forums and they got me SUPER interested in ham radio and the AX.25 protocol, so I went and got myself a ham radio, and now I'm prepping to take the actual exam!

But once I finish that I'll be attempting to get my LAN on IPv6, part 2.
 