Topic: Using Plugcomputer as a router/firewall?
pradeep_ghimirey
« on: November 13, 2009, 12:53:07 AM »

Dear all,

I just got hold of the plug computer yesterday and have been thinking of using it in so many ways. I am mainly into wireless networking. So, I was wondering if there is a possibility of using this as a router/firewall/gateway device? The current SheevaPlug development kit has only one Ethernet interface.
So, are there any versions available with two Ethernet interfaces?
Also, could I get hold of a USB-Ethernet converter and use the USB port as a second Ethernet device? Does this work?

Thanks in advance...

DamonHD
« Reply #1 on: November 13, 2009, 02:37:00 AM »

The plug can clearly be a firewall between a USB-based device (such as USB-based DSL inbound, a USB-dongle WiFi outbound, or some other USB-based networking) and the built-in Ethernet as-is.

At some point I want to do this myself, and I'm already using iptables as an additional software firewall for the plug itself, and would simply expect to extend the rules and selectively enable routing, DHCP server, etc.

Rgds

Damon
pradeep_ghimirey
« Reply #2 on: November 13, 2009, 05:56:12 AM »

Thanks for the quick reply!
Now, as you said, I can use the device to create a firewall between a USB-based device and the Ethernet interface.
But I also want to use it as a gateway router/firewall for an ISP kind of setup, where both interfaces have to be Ethernet: one for the incoming traffic and the other for the outbound traffic. What can I do in this case? Any suggestions?

Thanks..

Pradeep
fragfutter
« Reply #3 on: November 13, 2009, 07:28:42 AM »

Use a USB-Ethernet dongle.

amspilot01
« Reply #4 on: November 13, 2009, 12:20:50 PM »

Well, that's the easy way.

There is, however, another, not so easy way to extend/increase the number of Ethernet ports without using the USB port.

This is to use a switch that supports 802.1q (so-called VLAN support). By using a tagged port on the switch to the plug and using the 8021q module of the Linux kernel, you can expand the number of ports of your plug to as many as the switch has ports; you must configure each switch port on a separate VLAN. Now you can use inside, outside, dmz1, dmz2 and even mirrored ports for Snort IDS if you want to.

There is, however, one big drawback: the standard compiled kernels do not compile 802.1q support by default, so you have to compile a kernel yourself to do this.

An example of a switch that supports VLANs and gigabit Ethernet ports is the Linksys SLM2008 or the Linksys SLM2005, ranging from 75 euros for the 5-port to 95 euros for the 8-port one.

It depends on your level of skill and time; the choice is up to you...

Regards, AMSpilot01

fragfutter
« Reply #5 on: November 14, 2009, 02:23:51 AM »

Wow, VLAN reached consumer switches? For firewalls I still like to have physical interfaces (at least for the outside).

amspilot01
« Reply #6 on: November 14, 2009, 07:05:57 AM »

Yep, the VLAN support is available on consumer Gigabit Ethernet equipment.

And you're absolutely correct in stating that you might want to connect the external interface to a separate interface for extra safety. Now let's investigate this option further: how unsafe is it to use VLAN trunking that includes the outside interface?

One of the biggest possible threats is VLAN hopping. This occurs if you can manipulate the whole packet including VLAN tags and inject or modify the VLAN tag to get from one VLAN to the next.

Then remember that in this solution only one tagged port to the plug will be used.
This means that packets from the internet are normal packets (no VLAN tags).
The switch will add the tag if the traffic is sent to the tagged port which goes to the plug.

Conclusion:
If you want 100% security then cut the internet wire in half, and even then you're not safe from radio frequency snooping. Using a plug as a firewall is not the ideal solution as well. You need to harden and strip the operating system, use a real firewall configuration (iptables), packet inspection up to layer 7 and adaptable access lists (like MoBlock) etc. If you have done this then you will be coming close to or even surpassing a commercial solution like Firewall-1, Netscreen or Cisco ASA, which are all basically Unix-based boxes with a stripped-down, optimized OS. And most of them do not have the same power the SheevaPlug has...

Reality check / The question is: can you use the plug as a router/firewall?

Answer:
Yes, you can if you use a switch and VLANs to expand the number of ports.
In the end you end up with a system that has amazing performance using the gigabit interface and the processor power, for an amazing price.


Regards, AMSpilot01


Remark:
Never use VLAN 1 on your switch for the outside because this is the default management VLAN. On this VLAN you can add and remove other new VLANs; use one of the spare ports as out-of-band management to VLAN 1.

Remark:
Make sure that pre-tagged packets from the internet are dropped by the switch (default configuration in all switches).


Note on trying to compromise the solution:
Even if you can send a pre-tagged packet to the plug from the internet, then this packet will be tagged as a whole again by the switch and sent to the plug. The plug will strip the VLAN tag that the switch added from the packet. Now the pre-tagged packet will be handled as if it was sent to a normal interface. A normal interface doesn't know what to do with a pre-tagged packet and will drop the traffic.

The proposed solution is:

The logical layout:
---internet--|switch port4 - vlan10 member|--|switch port5 - 802.1q vlan 10|--|plug w/ 8021q (router/firewall)|--|switch port5 vlan70 member|----|switch port1 - vlan70 member|---|Internal network - vlan70|

The logical layout for a proxy server will be:
---internet--|switch port4 -> vlan10 member|-|switch port5 - 802.1q vlan 10|--|plug w/ 8021q (router/firewall)|--|switch port5 vlan50|----|switch port2 - vlan50 member|--|DMZ1 - proxy server vlan50|

The logical layout for a mail server will be:
---internet--|switch port4 -> vlan10 member|-|switch port5 - 802.1q vlan 10|--|plug w/ 8021q (router/firewall)|--|switch port5 vlan60|----|switch port3 - vlan60 member|--|DMZ1 - proxy server vlan60|

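The double-tagging note and the port layouts in the post above, modelled as an added example (constructed here, not the poster's configuration): a small Python model of the switch access ports, the tagged port 5 to the plug, and the plug's 8021q demux. Port numbers and VLAN IDs follow the layout; the sub-interface names and MAC addresses are assumed.

```python
import struct

TPID = 0x8100    # 802.1Q tag protocol identifier
ETH_IP = 0x0800  # plain IPv4 ethertype

# Switch access ports -> VLAN, following the poster's layout: port 4 = internet (vlan 10),
# port 1 = internal (vlan 70), ports 2/3 = DMZ (vlan 50/60). Port 5 is the tagged port to the plug.
ACCESS_PORTS = {4: 10, 1: 70, 2: 50, 3: 60}
# The plug's 8021q sub-interfaces, one per VLAN (interface names are assumed).
PLUG_VLAN_IFS = {10: "eth0.10", 50: "eth0.50", 60: "eth0.60", 70: "eth0.70"}
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs

def ethertype_at(frame, offset=12):
    return struct.unpack("!H", frame[offset:offset + 2])[0]

def build_frame(ethertype, payload, vid=None, dst=DST, src=SRC):
    """Ethernet frame; if vid is given, one 802.1Q tag (pcp 0, dei 0) is inserted before the ethertype."""
    tag = struct.pack("!HH", TPID, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def add_outer_tag(frame, vid):
    """Switch egress to the tagged port: push a tag in front of whatever the frame already carries."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def switch_ingress(port, frame):
    """Access-port ingress: a frame arriving already tagged is dropped (the poster's second remark),
    otherwise it is tagged with the port's VLAN for the trunk. Returns the trunk frame or None."""
    if ethertype_at(frame) == TPID:
        return None
    return add_outer_tag(frame, ACCESS_PORTS[port])

def plug_receive(frame):
    """The plug's 8021q demux: pop the switch-added tag and hand the frame to the VLAN sub-interface.
    The sub-interface acts like a normal interface, so a leftover inner tag (double tagging) is an
    ethertype it does not handle and is dropped. Returns (iface, ethertype) or None if dropped."""
    if ethertype_at(frame) != TPID:
        return None                                 # untagged frame on the tagged-only port
    iface = PLUG_VLAN_IFS.get(struct.unpack("!H", frame[14:16])[0] & 0x0FFF)
    if iface is None:
        return None                                 # VLAN not configured on the plug
    inner = frame[:12] + frame[16:]                 # strip the outer tag
    if ethertype_at(inner) == TPID:
        return None                                 # still tagged: dropped as unknown protocol
    return iface, ethertype_at(inner)

def deliver(port, frame):
    """Full path access port -> trunk -> plug; None if dropped at either hop."""
    tagged = switch_ingress(port, frame)
    return None if tagged is None else plug_receive(tagged)
```

Running `deliver(4, build_frame(ETH_IP, payload, vid=70))` shows the pre-tagged internet frame dropped at the access port, and `plug_receive(add_outer_tag(pre_tagged, 10))` shows it dropped again at the plug even if the switch had forwarded it.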
linuxgnuru
« Reply #7 on: February 17, 2010, 01:41:57 PM »

I'm also working on setting up a router using a plug (I live in Africa where power is an issue) and the 5 watt can't be beat, especially when powering everything from solar. Anyway, I've found a plug that has two gigabit Ethernet ports at:
http://www.globalscaletechnologies.com/t-sheevaplugdetails.aspx

I'll be pre-ordering mine (I think Feb 28th) to see how well it handles net traffic. I was curious if anyone has seen other plugs with more than one RJ-45 jack.
Doug Grove
« Reply #8 on: February 18, 2010, 08:26:21 AM »

I use my plug as a firewall/router. I have a USB Ethernet adapter for the second interface. I use ufw to manage the firewall. I also have a VPN to the office on the plug. Works just fine.

Hope that helps,

Doug
Alucard
« Reply #9 on: February 21, 2010, 08:41:00 PM »

Anyway, I've found a plug that has two gigabit ethernet ports at: 
http://www.globalscaletechnologies.com/t-sheevaplugdetails.aspx

I too am interested in a dual-Ethernet plug computer. But your link goes to the one-interface SheevaPlug, or am I missing something?

RandomJoe
« Reply #10 on: February 22, 2010, 08:02:13 AM »

One option with two physical Ethernet ports is the OpenRD Client. It's the same CPU as in the SheevaPlug, but with more of the built-in features available. You can't set it up exactly the same way as the SheevaPlug and there isn't as much info available for it, but it is quite doable. (Of course, it costs more than a Plug!)

I just went through configuring my OpenRD Client this past weekend. It is now active as my home firewall, also set up to provide remote access via SSH and OpenVPN, DNS/DHCP, all the usual firewall functions. I even have a USB sound card plugged in and am streaming a scanner feed using darkice. CPU usage is around 12-13%.

I flashed it with a newer U-Boot from the OpenRD mailing list, then installed Debian Squeeze to an SDHC card using the SheevaPlug instructions (the only other difference is to use the correct arcNumber). Had to use tftp to do the U-Boot upgrade.

That's the ultra-short version, I have some notes I made along the way but they're not very coherent right now!
fragfutter
« Reply #11 on: February 22, 2010, 08:21:08 AM »

You might be looking for the GuruPlugs. Announced for later this year.

http://www.globalscaletechnologies.com/c-4-guruplugs.aspx

@randomjoe
The OpenRD has an audio out and mic in on board.

RandomJoe
« Reply #12 on: February 22, 2010, 10:46:12 AM »

The OpenRD has an audio out and mic in on board.

Yes, but the kernel supplied with Debian doesn't have a driver for it. I'll have to get patches to update the kernel and custom-compile, and I'm not set up for that yet. Had the USB sound card anyway, and it was plug-and-play!

Not sure if the drivers have made it into the kernel sources yet...