/tech/ - Technology★

>>914720 (OP)

>I have 7 devices at home: 3 wireless shits and wireless ones.

What?

>>914722

Yeah, I accidentally the sentence there. I meant "3 wireless shits and 4 wired ones".

That doesn't sound overengineered to me. Looks like you'd like stuff like soekris (expensive) or pcengines. Install OpenBSD on it. I'm not sure how easily available it is outside Europe and what the alternatives are.

install gentoo

>>914749

When I mentioned the setup to a network engineer friend of mine, he told me I was insane. Certainly not a conventional home network setup, but oh well.

I have heard of PC Engines. Pretty cool machines overall, but it seems they don't go down from 100 euros. I probably won't find anything else in that price range that isn't complicated as all fuck to install something in it and has 3 (!!!) RJ45 connectors and is basically a fully featured PC, but I was still hoping for something cheaper, like an Orange Pi R1 (maybe too cheap) or a Pine A64 with a USB network adapter; wouldn't be half as cool and powerful as an APU 2c2. Do you happen to know any trustworthy website in which I can order one of those? 2C2 seem to cost around 130 euros (and who knows how much does it cost shipping to my third world European country), but then there is this place where they sell the 2C2 for 100 euros, but then they also sell a 3C2 which doesn't even exist on PC Engines' website.

https://www.landashop.com/cmp-apu-3c2.html

>>914783

The 3c2 is an actual model, it's just not listed on the official website for some reason.

https://www.pcengines.ch/apu3c2.htm

Also, according to https://www.pcengines.ch/newshop.php?c=2 , 2c2 are shipping in a week, and that distributor is charging pretty much the amount it costs to them. It's the other distributors that charge almost half as much as it costs them. relly maeks u think

>>914783

>When I mentioned the setup to a network engineer friend of mine, he told me I was insane

He sounds like a filthy casual.

The PC Engines units look interesting, but you need to seriously question if you're going to be using it long enough to offset $100 or whatever of electricity, which is a lot. My fileserver is an ancient Core 2 system with a lot of spinning platters, and I've estimated it only eats $10/month of electricity, which makes replacing it not really worth it.

I'd recommend finding an old low-end desktop and using that to start, then upgrade to some dedicated hardware after you're satisfied with how it turns out. If electricity is really that expensive, or you don't have access to free hardware, consider the rock64 (https://www.pine64.org/?page_id=7147), since it has gigabit + 100Mb/s, and should do the trick.

My advice is to use pfsense, since it makes it easy to get started, and is just freebsd underneath, so you can do more advanced things as you need.

You should be using vlans.

Wireless on one, wired on another, server on both.

Let the upstream devices deal with firewalling and segmentation.

From there, the server can act as a secure mediator of wlan and lan, as well as host whatever the fuck you want.

>>914881

VLANs aren't really pointful here, because if you can't trust the device on the other end, you have to stick them on a dedicated tagged port, which means either you have to have a switch that supports VLANs, which is more expensive than bunch of random $5 NICs, or you need dedicated NICs on the firewall/router, at which point you might as well just use isolated LANs, skip the virtual.

I once lived in a dorm for a few months. The shitty administrator there kept fucking up the wifi, so I ran a network cable from the modem to one of my laptops. But I also wanted to use my other laptop and I didn't have another network cable with me. So I made a hotspot on my android phone and connected both laptops to it. Then I SSHed into the one which was connected to internet and made a socks proxy (-D <port>), and then socksified my system with tsocks.

For some reason I still stick with this system even when I have a proper working wireless router. I guess I'm too lazy to remove all the shit I set up for it to all go through the SSH connection. Whenever I take my computer elsewhere, I replace the internal IP of the internet-connected laptop with its external IP and everything still works (it functions like a VPN then). It would work great with tor I think.

>>914943

>because if you can't trust the device on the other end, you have to stick them on a dedicated tagged port,

lrn2read. What's to stop the botnet in blue to decide to tag themselves into green's VLAN? VS for no real extra expense, stick a $5 broadcom NIC into the server, and you have a router.

>Because you're not doing any layer 3 routing, nearly anything can handle a network that size.

2 problems with that statement. First, if you're not doing layer 3, the VLANs aren't going to be able to communicate. Second, nearly everything can do a gigabit of routing. You can do ~4Gb/s per thread on any decent hardware from this decade.

>vlans are step #1 in securing a lan.

Lol. Step 1 is starting from the bottom and understanding what you're doing, not jumping straight to some cargo-cult security of "VLANs will fix everything". Start with the basics, like setting up a meaningful firewall, organizing your network and getting control of DHCP, and locking down your server. VLANs come much later.

There's plenty of purposes for VLANs, but for security, a config error doesn't accidentally bridge 2 separate ethernet cables, but it will knock out your VLANs, so for the beginner, buy a $5 NIC and skip the pitfalls.

t. my job title is senior systems administrator

>>914961

>t. my job title is senior systems administrator

if that's true then you need to relearn some networking dude.

Layer 2 can still talk between each other, you just need a router to do so.

> What's to stop the botnet in blue to decide to tag themselves into green's VLAN?

I don't even get this, do you setup VLANS where all ports are tagged with all VLANs?

An elcheapo computer running 2 NICs plus a L2 switch will do what you want WITH more control.

>>915040

Routers are Layer 3 by definition. Fuck, there are Layer 3 switches and most network guys will tell you that's just a fancy name for a stripped down router.

>>915070

What does this have to do with the core network concept that anything on the same VLAN can communicate with each other without a piece of Layer 3 hardware?

>>915040 was saying:

>talk between each other

Educate us on the difference between 192.168.1.33/24 and 393.129.2.69, then apply that same concept to VLANs.

I'll save you some time and post the answer:

A transmission crossing networks requires an intermediary, like a server connected to both networks, or a route between the networks.

Data can't cross a VLAN unless there's an intermediary in the form of a server connected to both networks, or a route between the networks.

>>915040

>Layer 2 can still talk between each other, you just need a router to do so.

Thus defeating the entire point of having the VLANs in the first place. Put the server between the networks, and you have the exact same logical layout, but is much simpler for a beginner, which is what I've been saying from the beginning.

>>915032

>>What's to stop the botnet in blue to decide to tag themselves into green's VLAN?

><First, if you're not doing layer 3, the VLANs aren't going to be able to communicate.

Think before you post. First, re-read your post. You did nothing to isolate the secure side of the network from the insecure, and I'm not sure what tagging a single port to a single computer is supposed to accomplish. Second, while yes you can just bridge the VLANs, you just joined the broadcasts domains and all the computers now have the same subnet, which makes ARP hijacking possible, means there's no easy way to differentiate between the secure and insecure sides in your NAT and firewall configs. So you're going to want to route between the subnets.

>>915040

>I don't even get this, do you setup VLANS where all ports are tagged with all VLANs?

I think I read the other guy's tagging plans backwards, but, if your plan is to use an old router as a switch that can do VLANs, most only passively support it IIRC, so frame tagging has to be done in software, and that's going to drop your throughput to a crawl. If your plan is to rely on random devices supporting VLANs, I'm just going to sit here and laugh at you. Also, you're relying on a random shitty consumer router being secure, which is pretty silly.

>>915095

So for OP's situation, I'd suggest the following:

Split the secure and insecure sides of the network and have each on a separate port on the server.

If your internet is DSL, you can have it come into the secure side and set the modem/router combo into bridged mode and pass the PPP traffic to the server and run pppd there.

If not, you just have the ISP supplied modem on a third port of your server.

Now all you need to do is to set the server as the gateway for both subnets, set up NAT and a firewall on the server, and lock it down.

You can get all this started with an old desktop and a couple of cheap NICs. Power consumption will be a bit high, but that's offset by the low capital cost (would be $10 in my country's monopoly money). From there, once you're satisfied with how it works, find yourself a nice cheap low powered miniITX board and a couple SSDs and you should be able to do this in < 20W

>>915113

>Nope

Care to back that with something that doesn't smell like your down syndrome ass? Most consumer switching hardware can barely handle a gigabit of throughput, and now you're saying that a router-on-a-stick arrangement + passing half the frames to the processor for tagging is going to have no performance impact? Try the fuck again.

>you have to tag all frames on wire to use vlans

Yeah you fucking do, unless you plan on either trusting the untrusted devices to do their own vlans (or even support vlans for that matter), so you're stuck tagging everything to in one of the 2 nets to the appropriate VLAN.

>inb4 hurr just leave the insecure devices untagged so they can access all the switchports and are indistinguishable from traffic that hasn't yet been tagged.

This is supposed to be a secure network setup, not a kafkaesque autism simulator. What I said was not that it's impossible to do this with VLANs, but that it's needlessly complicated to do so, and here you are proving me right.

>>I think I read the other guy's tagging plans backwards, but,

>THANKS FOR LETTING US KNOW YOU DIDN'T NEED TO POST AGAIN

>Look mom, he admitted making a minor mistake, therefore everything I said is right!

I almost had to take your post seriously, but then I saw that you recycled a reaction image. Better luck next time kiddo.

><Open source software isn't secure even when locked down and thoroughly tested for 10+ years in production on known hardware

>DDWrt can totally paper over hardware security flaws/backdoors in random chinese routers

>And if you think otherwise, you must be a cisco shill

What the fuck. The Party is displeased with your work Zhang, next time don't be so obvious to the western devils. You get plastic rice in your ration today.

Also, I find this doubly ironic, since you promote surplus business grade hardware a few lines down in your post. At least attempt some consistency you cock gargling moron.

And last but not least:

>OP mentions having expensive euro electricity

>datacenter surplus

Go find an imageboard that's in whatever 3rd world bark-speak your brain operates in, and come back when you're literate in english. Or just not at all preferably.

>>915382

Ok, since you clearly don't understand how VLANs/switching/routing/english works, here's a breakdown of what you're proposing: (assumption is that this is all consumer hardware)

A frame comes in on the access port from one of the isolated segments, and is destined for the router (this is probably 90% of traffic)

It needs a VLAN tag added so it can go out the trunk to the router, so it makes one trip through the switch to go to the management plane, gets a tag added

It then goes through the switch again to go from the management plane to the trunk port and is sent to the router

So it has to make twice as many trips through the switching hardware.

Additionally, if the internet connection comes into the switch in question, it has to make 2 more trips through the switch to get the VLAN tag removed

>You can max out gigE on 4 year old netgear or dlink unmanaged switches.

Yes, that's what a gigabit of throughput means. The problems start when you have 2 or more streams trying to use that gigabit of throughput, you're not going to get a gigabit on each port. Hell, mid-range commercial switches will only have ~5Gb/s of throughput for a 12 port gigabit switch. Or less if you're enough of a sucker to buy HP

So once you get the amplification effect of having to pass frames to the management plane and/or making a round trip out to the router, you start to eat up the throughput rather quickly.

><libreboot that strips intel me can't paper over hardware security flaws/backdoors in random chinese computers

You have options, like using discrete NICs, removing the ME, using an AMD CPU that predates the PSP, or the raspberry pi, since broadcom can't into following the GPL.

Explain what you're going to do about the vendor-provided stage 1 bootloader that can talk to the NICs on your consumer router.

><power efficient hardware doesn't exist in a datacenter

>t. have never bought datacenter surplus.

It's efficient, yes, but it also has a very long service life, so what you're buying surplus was considered power efficient in 2010. It's also large scale, so while you can get systems with a good perf/watt, the power consumption is still high. So it's efficient if you need all that performance, not so much if your performance needs can be met with an 5 year old embedded celery.