
Re: Networking book recommendation



On 5/4/22 09:07, john doe wrote:
> Here are some comments in addition to this thread:
> - Do not use the router capability provided by your ISP.
> This is mainly to avoid letting your ISP remotely control the thing and
> disable the firewall for example.
>
> If you can, use your own router.
>
> If your ISP requires to work with their router put the ISP thing in
> 'bridge'/modem only mode, this will allow to get your public IPv4
> address to your own gateway.


As per the OP, I also have AT&T residential service. I use a router-behind-router configuration -- an AT&T residential gateway between the Internet and what is effectively a DMZ, and a UniFi Security Gateway 3P between the DMZ and the LAN. Advantages of this configuration include:

1. The AT&T DMZ is available (wired and Wi-Fi) when the UniFi LAN is down for maintenance or modification. My wife and children need Internet connectivity 24x7, regardless of my "experiments".

2. I can connect a laptop to the DMZ and configure/test/verify/troubleshoot UniFi from the outside (notably laptop VPN connectivity).


On 5/5/22 07:34, Tom Browder wrote:

> ... given a properly passwordless ssh connection, is there anything
> extraordinarily dangerous versus a VPN, or is it the redundancy you favor?
> (I am the only superuser, and usually the only user of my network.)


AIUI SSH with passwords disabled and strong passphrase-protected keys is secure.


AIUI VPN with strong pre-shared keys and strong passphrases is secure.


My primary use-case for SSH is CVS. This can be accomplished via port forwarding on the gateway. (The router-behind-router topology means I need to do this twice.) The challenge is when you want to access multiple LAN hosts via SSH. Options include adding (and translating) non-standard ports, and using an SSH jump host. (Lucas recommends the latter.)


A VPN connection means that my laptop can see all hosts and services on the LAN when I am remote. My primary use-case is accessing the file server (Samba) using a GUI file manager application. I can also SSH directly into any host. UniFi provides the network tools for the VPN, and Windows and macOS provide the client tools for the VPN. I have never succeeded configuring a VPN client on Debian.


> BTW, regarding pfsense, I forgot it runs on BSD, so I plan to get their
> small appliance to hang off the ISP router.


Prior to UniFi, I variously used PCs with general-purpose (Red Hat, Debian) and purpose-built Linux (IPCop) and BSD (pfSense) distributions, and commercial routers (Netgear) with stock and FOSS (OpenWRT) firmware as Internet gateways/routers. Raw Linux was configured via the console. All the others had web control panels. Then I added a Wi-Fi access point. Now I needed to keep two device settings in sync via two web control panels. It was tedious. Then I added a remote site, dynamic DNS, and connected the two sites with a VPN. Management became a PITA.


I currently have one site with one UniFi security gateway (USG) and three UniFi Wi-Fi access points. Management is via one UniFi web control panel running on a purpose-built VPS. The UniFi controller manages and synchronizes the settings on individual devices based upon higher-level abstractions ("Software Defined Networking"), such as networks. I defined a network, followed the protocol to adopt hardware devices, and it just works. Management is easy. UniFi provides many additional features, including port-forwarding and VPNs.


Note that UniFi hardware products run embedded Linux. When I encountered a difficult trouble-shooting problem, UniFi technical support guided me to a console roll-up cable for the USG, and helped me configure system logging to a network host.


David
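As an added example that is not part of David's post: the SSH jump-host arrangement he mentions for reaching several LAN hosts through the double-NAT (router-behind-router) setup, written as a client-side ~/.ssh/config plus the matching key-only settings on the jump host. The dynamic-DNS name, port, user and LAN hostnames are hypothetical; the assumption is that both the AT&T gateway and the USG forward one TCP port (2222 here) to the jump host, so the inner hosts need no forwards of their own.

```sshconfig
# ---- ~/.ssh/config on the remote laptop (hypothetical values) ----
# Assumptions: example.dyndns.invalid is the dynamic-DNS name of the AT&T
# gateway; AT&T gateway -> USG WAN -> jump.lan each forward TCP 2222, so
# exactly one SSH port is exposed to the Internet.

# The only host reachable from outside: forwarded port, key auth only.
Host jump
    HostName example.dyndns.invalid
    Port 2222
    User david
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    # Refuse to connect if the jump host's key changes (detects a swapped
    # or impersonated gateway instead of silently trusting it).
    StrictHostKeyChecking yes

# Inner LAN hosts: no extra port forwards or port translation needed;
# "ssh files" tunnels through the jump host transparently (ProxyJump).
Host files dev
    ProxyJump jump
    User david
    IdentityFile ~/.ssh/id_ed25519_lan
    IdentitiesOnly yes
    StrictHostKeyChecking yes

# First matching block wins per option, so HostName is set separately.
Host files
    HostName files.lan
Host dev
    HostName dev.lan

# ---- /etc/ssh/sshd_config on jump.lan (hypothetical) ----
# Matches the "passwords disabled, passphrase-protected keys" posture:
# only public-key logins, and only for the one expected account.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers david
# The jump host only relays; it does not need to forward X11 or agents.
X11Forwarding no
AllowAgentForwarding no
```

With this in place, `ssh files` and `CVS_RSH=ssh cvs -d :ext:files:/srv/cvs checkout project` both work from outside without any per-host port forwards on either gateway.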

