4. What, why ?
Internet Service Provider (ISP) deliver "BOXes" as Customer
Premises Equipment (CPE) of their network
They want their customer to plug-and-play
Those BOXes, are very cheap and locked hardware
In a word, they are poor
Don't trust the marketing song of your ISP
They work for very basic usages
They are usually not very secured
https://blog.mossroy.fr/2016/03/31/failles-de-securite-sur-les-
modems-sfrnumericable
5. Why change ?
To master things from A to Z
To support more devices (IOT, domotic, servers) in your house
If you have many devices, better get rid of your box
If you need input traffic (self hosted infrastructure)
If you want to push security further (IOT ?)
If you want to load-balance with several ISP
If you want to peer with other trusted people (through VPN)
And create/manage your own Internet
If you need security (through IPSEC f.e)
8. As a reminder
Protocols are open
You should be able to change any hardware, by another (from
different brand)
As soon as it talks the same protocols, it must work
Some ISP don't follow RFCs for some protocols
That makes you have to use DPA/DPI
That makes you have to patch your stack
10. My experience, my knowledge, my shares
Actually at home...
I own several different Internet provider connections
IP failover, advanced routing scenarios, traffic shapping and QOS
Dual stack IPV4 and IPV6
Separation of input and output streams
I have several machines and wifi networks
I have no more "boxes"
I'm VPN linked with other guys doing same stuff as me
I'm hosting some public Internet services (DNS, HTTP, etc...)
12. Getting rid of your box
To trash your box, you need a modem, depending on the
technology provided.
ADSL
Then you can plug-in an ADSL modem
Cable (DOCSIS)
You may use a DOCSIS modem
Fiber ONT based
You can plug-in using RJ45 or SFP
Fiber Raw mode
You may plug-in using an SFP adapter
13. Notice
I talked about modems to manage input ISP stream, not routers
Many modem actually can/do route
Do not use their router ! !
We must use the modem just to convert the signal, into an RJ45
socket
Then, we'll plug our RJ45 RAW Internet cable, into our own
router, of our taste
Buy the "simplest" modem, if possible, with no router inside
Mind the chipset (Broadcom are good)
19. Keeping your box, at a minimum
You dont want to buy a modem ?
There is a solution of keeping your provider box
But only use it as a modem !
Disable anything else, but the modem
Especially : disable their shitty slow/unsecure poor router
This is called the "bridge mode" (L2 bridge)
20. Box as a modem : bridge mode
2 scenarios (2018) :
Your box can be bridged (L2)
SFR/Numéricable LaBox
Freebox
Everything is then all right
Your box cant be bridged (L2)
Others (Orange, Bouygues)
You'll need to buy a modem
Or suffer from horrible network stack (DMZ, or Double-NAT)
If fiber technology, you should use ONT or Raw SFP
21. ISP Box Conclusion
Ask to run the box as a modem, not a router (bridge mode)
If possible : you can keep your box
Free - SFR
If not possible : you must replace it by custom hardware
Orange - Btel
Dont use the box router (router mode)
Other alternative ISP exist
22. I got my Internet plug !
Bridged-box or custom modem , now , your Internet connexion
is arriving through one cable
It is time to route it and start doing some network stuff
85.2.208.135*
2a01:ca:b5ee:ed::/56*
* : example provider IP
24. Router
Pay the price : the heart of your network
Too many references on the market
Do not choose a general purpose low level brand
Linksys, tp-link, netgear, etc...
Don't blindly trust marketing
Those are not really better than ISP box
Poor hardware
Not many customization
No routing protocol management
No VPN possibilities, or weak ones
In a word : low-level entry market products (even "advanced" ones)
25. Professional router brands
Turn to professional dedicated hardware brands
Datacenter hardware is not for your usage and cost
SOHO is what you need : Small Office Home Office hardware
SOHO are not that much expensive (60€ to 1000€)
The smallest SOHO router starts by about 60-80€
2 kinds
Open , based on Linux or Unix stacks
Ubiquiti (Debian based) ; DDWRT, Turris Omnia, others ...
Closed, based on custom OS (Unix derivated often)
Cisco's IOS , Mikrotik's RouterOS , Juniper's Junos, etc...
26. My experience
I run Mikrotik for router and wifi spot
Professional hardware
"RouterOS" is the name of the OS
Not open source
Based on Linux Kernel
Full of features, stable, maintained
Licence pricing is really good
Perfect for advanced networking at home or for small businesses
(SOHO), with a clearly reasonnable pricing
I run Ubiquiti for switch
Perfect balance in price / usage for SOHO
29. Mikrotik
https://mikrotik.com/
https://routerboard.com/
Size your needs
Prices go from 60$ to 4000$ per unit (L3 routers)
Basically, the CPU and RAM will increase the price
If you need VPN, QOS or high traffic firewalling, take care of CPU and RAM
Mind the hardware dimensions
Some are small devices, some are 1U rack sized
34. Wifi ?
Don't fear the wifi.
Wifi support will be added to our stack thanks to Access Points
(AP)
Usually better than embeded router wifi
35. Router quick tour
Every port can be wired independently
Some devices provide switch chips
Some devices provide Wifi
It's better to use dedicated hardware for such tasks
You basically tell each port what you want it to do
1/ You create L2 and L3 links
2/ You arrange routes
3/ You secure everything with the integrated firewall
4/ You control traffic bandwidth with queues and QOS
39. Dedicated switches
The problem with routers is that they are not good switches
They may do the job, but take care of not going through the
CPU for switching purposes
Tip : bridges trafic often go through CPU
Buy the right hardware for the right purpose
For full L2 switching, nothing beats switch ASICS
40. Using a dedicated switch
192.168.1.0/29
192.168.0.0/28192.168.0.0/28
93.235.6.18
VLAN
trunk
41. Even better with 802.1ad LACP
192.168.1.0/29
192.168.0.0/28192.168.0.0/28
93.235.6.18
VLAN
trunk
LACP
42. More complex setup
provider #1
provider #2
provider #1 TV stream
provider #2
SIP stream
IP cameras
computers NAS
Iots
44. RouterOS
A full Network OS
You must familiarize with it
You must have strong general networking knowledge (master OSI,
master TCP/IP and common protocols at several layers)
RouterOS supports
Firewalling - IPSEC - Routing - Switching - MPLS - VPN - Wireless - DHCP -
Hotspot - Bonding - QOS(HTB/PCQ) - Proxy - SMB - DNS - SNMP - RADIUS
- TFTP - PPP,ISDN - Bridging(STP/RSTP) - Telnet/SSH - Packet Sniffer - Ping
flood - traceroute - Scripting - File fetch - Trafic generator - SOCKS - ...
In short : many advanced technologies in one box
Have a look at the licencing details
45. RouterOS details
You may access RouterOS using :
Web HTTP-HTTPS access
SSH / Telnet, using command line
WinBox (Windows GUI tool)
Console port (special cable needed)
FTP-TFTP for internal storage access
An HTTP interface demo exists online
At http://demo.mt.lv
Documentation
https://wiki.mikrotik.com/wiki/Manual:TOC
49. Let's go for our first simple example
Distributing Internet at home
50. Very simple Internet sharing setup
Gigabit switch 1
WAN modem
PC1 PC2
Ethernet switch 2
(unused)
51. What we need
Isolate port 10 (eth10) from switch 2 : this is WAN
Use full switch 1 by bridging ports together
Associate a dhcp-client to eth10 (Wan) if ISP doesn't provide
fixed IP
Create an IP and network for the full switch 1 (LAN)
Let's choose 192.168.0.0/28
Let's add it a DHCP-server
Create a source NAT on eth10 for LAN traffic to be NATed over
WAN
56. Security foreword
If you want to design your own network from scratch , you are
responsible of your own security
Bad firewall configuration will lead into security breaches in
your home, from external , through the wires.
Take care
Secure your network like your secure your home
Lock doors
Take care of basement, windows and other ways to reach you
Think about everything
57. WAN security
Your WAN part is directly connected to Internet
You'll then start experiencing attacks to your external IP
You must now protect yourself
From WAN input traffic , that's the basics (IN)
From your own untrusted output traffic, that's optional (OUT)
Welcome FIREWALL
58. Firewall filter chains
Input
Traffic which dest-addr is one of your router's
Forward
Traffic flowing through your router (which dst-addr is routable and
not one of your router's)
Output
Traffic generated by the router internal OS, which src-addr will be
one of your router's
"FooBar"
You can create as many custom chains as you want
59. Firewall : main rules
One rule targets one chain (not zero, not several : one)
Input
Forward
Output
Xyzbaz : custom chain (you can add infinite custom chains)
For every chain, rules are ordered
If rule 3 breaks the chain (by DROPing for example), then rule 4 and
others won't be triggered
Rules can jump
You can say "rule 3, match packets XXXX and jump to chain ZZZZ"
You have to carefully follow the packet path into your head
Don't get lost !
60. Firewall perf
We use connection tracking firewall here
Activated by default. Can be setup (connection lifetimes)
Raw firewall is available too
If you don't organize flows the right way
You'll burn your CPU as traffic increases
Organize rules (they are ordered in lists) cleverly
The most likely to happen should come first
To some point, you'll need better hardware (CPU and RAM)
Time to upgrade then
At 1Gbps per link, that can increase very fast according to needs
62. Accept ICMP
Don't blindly block ICMP
Internet Control Message Protocol
A good engineer does not blindly block all ICMP traffic
ICMP is used to debug your router and networks
Mainly using "ping" or "traceroute"
ICMP is used to debug IP
"network unreachable", "admin prohibited", "frag. needed"
Thus ICMP helps router and OSI 4 protocols (TCP)
ICMP is mandatory to IPV6 (cant work without it)
63. Or at least, control ICMP
You may suffer from ICMP attacks
Then you may limit ICMP traffic to some rate
Or you may classify ICMP traffic
http://www.nthelp.com/icmp.html
64. Drop Invalid
Invalid packets are packets which present themselves as being
part of a non existant connection
Not seen before by con-track firewall
Basically : traffic injection attempts / attacks or replays
Or networking problems
(Advanced routing protocol could suffer from that
We don't care at our level )
65. Accept established
Established are packets from whom router knows something
Basically : this is the way-back return traffic
This rule is very useful to match the return traffic and not block it
You can blindly assume that you accept packets comming from
connections you did create or accept, right ?
This rule will as well reduce firewall CPU pressure
66. Accept forwarding
As a router, your role is to forward packets from one interface to
another
Using routing tables
Let's accept default forwarding
This is by default
But adding a rule will allow you to remember that
And to collect statistics about it
68. Firewall jail
Simple : you program the firewall so that you lock yourself out
of the box.
Like when you close your front door, with keys in the lock on the
other side
WARNING
It is easy to lock yourself out of your box
Always, keep that in mind while firewalling
69. Firewall jail example
"For every INPUT , DROP it"
You just locked yourself out !
Connection will immediately get lost
4 solutions :
Reset your router ( pay the price ! )
Access using console port (you'll need a special console wire)
Prevent it by yourself opening a hidden door (a special port)
Use an embeded anti-lock system
Vendors usually provide anti-lock systems
Mikrotik provides two of them
70. Open a "hidden" door by yourself
Here, eth9 can be used to connect to any router IP and access
your router
This assumes you have a physical access to it
This assumes you open firewall in input using "in-interface"
match
71. Let's protect ourselves
Accept Input from trusted 192.168.0.0 network
Accept input from your fail-over interface
And deny Input from everywhere else
Reminder : Input means your router itself, not any else machine
72. Reject Ip private ranges ("bogons") on ISP outputs
Also, you may blackhole/reject private IP
routes (called "bogons")
RFC 1918 ranges and others
This may mitigate some DOS attacks and
prevent private ranges from leaking to
your ISP gateway
This is a well known network good
practice for routers
75. What we got
We got a customized router that
Gets its WAN IP using DHCP on a port connected to ISP modem
Has an IP on a LAN segment (192.168.0.14/28)
Provides a DHCP server on the LAN segment (192.168.0.0/28)
Has an src-nat masquerading rule to allow LAN to access Internet
We got a customized firewall
Allows traffic from the LAN segment and a fail-over interface
Denies traffic from everywhere else (including WAN)
Detects scan attempts on WAN interface, and ban them
Isn't it cool so far ? ;-)
78. VLANs
Virtual LANs , 802.1Q
Allow several LAN to pass through
The same switch segment (L2), same switch ports
Very useful to isolate traffics
But still keep them in the same physical cables
High security and performance
VLAN A cannot communicate with VLAN B (in L2 , but L3)
Each VLAN has its own broadcast domain
QOS possible (802.1P)
Class Of Service possible / Traffic Priorisation
79. VLAN example
Each VLAN shares the same physical switch/ports
But two VLAN cant communicate with each other at L2
VLAN200
VLAN100
80. VLAN use case example
Let's isolate our 192.168.0.0/28 network for us : private
network (untaggued)
Any unknown soul connecting will be assigned special VLAN100
Let's connect a wifi AP , distributing those 2 VLANs :
SSID "my-private-network" : untaggued
SSID "my-public-network" : taggued in VLAN100
82. AP on LAN
If you bridge your AP on LAN, it will be given an IP by your
DHCP-server
And it will serve clients on the LAN segments
Just all right
192.168.0.0/28192.168.0.0/28
WAN
83. AP with VLAN
public wifi
private wifiprivate wifi
private LANprivate LAN
WAN
85. Adding the IP
Add an IP to the router on this VLAN
Let's choose 192.168.1.14
Let's choose a network of 192.168.1.0/28
86. Adding the DHCP server
Let's add a new DHCP server so that clients connected to this
VLAN will be given some network conf
192.168.1.1 to 192.168.1.13 (/28 network)
87. Allow VLAN to access WAN
Let's NAT it to give it Internet (WAN) access
89. Connecting to a second ISP
(multi-homing)
Advanced usage and techniques
90. Connecting to a second ISP
If our ISP goes down, we won't have Internet access any more :-
(
Why not apply to a second ISP ?
Prices are cheap nowadays, we really can afford it
Or even more ? 3 ISPs ?
92. A second default route ?
ISP == Internet access , let's add then a second default route
The route "distance" metric tells which one to use when several
routes exist for the same target
The smallest distance will be prefered
With such a setup, if one ISP goes down, the router will
automatically, and transparently route traffic to the other one
We got a fail-over setup :-)
93. Security with several ISP
Now, pirates have a second door they can fire in
A nice solution to that, is to group both ISP interfaces (eth9 and
eth10) into an interface group
And use this group into the firewall
WAN1
WAN2
95. Asymetric routing and connection stickyness
If one incoming connection (to one of our server f.e) comes
from ISP #1
We must be sure answer will leave our router back to ISP #1
If it leaves through ISP #2 , as we NAT the output, the packet will
get dropped by the destination
And that will leak our ISP #2 IP to our destination
We need sticky connections
We'll use the firewall mangle to perform that step
96. Setting up sticky connections
Mark for internal network (forward)
Mark also for router traffic (input / output)
97. Balancing traffic through ISPs
Instead of fail-over, you can also balance the output traffic
If you want to balance with no specific rule, use an ECMP route
type
You add one route, but several gateways for them
ROS will balance using an L3 balance policy
99. Children VLAN
Children at home connect to their own VLAN
Manual config, MAC fixed config or 802.1x advanced authentication
Only activate forward to Internet at fixed hours
Time for bed ? Internet "disconnects itself"
Easy to ban an IP or a MAC for some time
"Do your homework first"
L7 filter (high CPU needed)
Deny L7 keywords : "facebook" , "war", "sex"
Deny protocols : p2p, torrent, etc...
Traffic limit (Only 3Mbps down and 1 up [, from 11am to 5pm] )
L7 HTTP interception (transparent proxy) and filtering
100. QOS
Route TV VLAN and VOIP (phone) VLANs independently
QOS traffic at L2 or L3
Allocate bandwidth dynamically
Prevent IGMP Snooping broadcasts
101. Automation
Add IP Cameras or any full automation system
Isolate L2 using VLANS
Secure with 802.1X (Radius auth, auto VLAN assignment)
Route L3
Implement aggressive security for your IOT
Control everything easily , remotely
102. Ideas
For this connection, drop one packet out of XXX
Script X to be dynamic
Randomly drop packets
Blackhole IP or even AS
Deny access to whole networks at routing level
Anti DDOS useful technics
Give network access only through specific time spans
Detect attacks, block attakers, limit bandwidth with queues