Hi there

The way we have always approached our network topology is to have the following infrastructure on every exit node of the network - which is a node that also shares an ISP uplink:

ISP router [LAN port] <eth> [WAN port] VPN router [LAN port] <eth> [WAN port] LiMe router [LAN port] <eth> [WAN port] HOME router

And this instead is the infrastructure on every other [non-exit] LiMe node:

LiMe router [LAN port] <eth> [WAN port] HOME router

Of course the final part of the exit node config is the same as the non-exit node config.

LiMe nodes that are not in a specific house or office [or those which are but their owner doesn’t need a home network] don’t have a home router attached to them of course.

This way:

1] Every exit node uses the internet uplink without exposing its IP address, therefore protecting the exit node owner from legal issues
2] Every LiMe node [exit or not] can have a Home network that is entirely private to them but also has a reliable LiMe network uplink
3] The shared SSID is always reachable in every part of the network, but when the user is home they can use their home SSID

The home network is only - I repeat - for those who request it.

In any event, since we’re talking about it, I must specify the way I see things related to this topic [philosophical alert].

I strongly believe that this old-days assumption that the network is secure and that devices can be vulnerable and are unsafe in public networks must come to an end. The network is not secure, just like your neighbourhood’s roads aren’t [and if you think they are right now, just wait until the city grows] and you, as a human, walking down them must be able to handle foreigners and other “dangers” you encounter. Exactly like that, devices must be able to protect themselves every day in every environment. The only way to have a pseudo-secure digital lifestyle is to harden your device, employ device-specific techniques to protect your traffic [always-on VPN at a system level, Tor for specific applications], and understand that the future will make networks vaster and vaster every day. As community networks rise, and persistent layers of multi-technology ever-present connectivity become mainstream, towards the dream of the entire network, in all its layers, being decentralised and - hopefully one day - distributed, every device will be exposed to “THE INTERNET” itself [in the sense of all other devices around it] every instant of every day, at home and also everywhere else.

Home networks are a temporary fix, but should not be treated as a long-term substitution for education on this topic and shifting this old and outdated frame of mind.

</ot> ;]

Nk

On 11 August 2017 at 12:11:44, Gio (gio@diveni.re) wrote:

On Wednesday, 9 August 2017 16:03:33 CEST Amuza wrote:
> Hi,
>
> Sometimes I explain what this community network thing is to someone in
> my district. They like the idea and they have an ISP router. Then I ask
> them if they would like to share their Internet connection and they say
> "yes, why not?". But then they ask if users in the community network
> could have access to their private home network. I answer they could,
> but it can be avoided in different ways - create different VLANs in the
> ISP router, configure a firewall, close ports in the computers...
>
> Then they stop liking this community network thing.
>
> It is frustrating, because many people do not share their Internet
> connection because of this, and so we lose the resources we need.

Well it seems they have a curious idea of community... but I can understand it
in the current situation, with media talking of "hackers" all the time...


> I was wondering if there would be a way that LiMe could come
> preconfigured in such a way that, when an Internet gateway is added, it
> could only communicate to that ISP router, and no other host in that
> private network. I mean to automatically create the proper firewall
> rules so that the LiMe network could not access hosts in private networks.
>
> That would not be real security, as that configuration could be removed
> by any administrator in the community network, but we would be able to
> start our answer saying "by default LiMe cannot enter into your private
> network", and then explain what they could do to improve their security.
>
> What do you think of it?

I believe it is easy to do but I won't do this by default. You could
eventually create a community profile (ask Pau for the correct naming) with
this enabled by default, but ATM it is not on top of my priority stack.

>
> Have you found this obstacle?
>
> What would you reply to that person?

Yeah, and I have answered that their computers are exposed to the internet
anyway, so giving a little trust to your neighbours could be the first step to
creating a community.


>
> Is my proposal doable?

It is pretty easy I would say


> If so, should I open a Github issue? Where? In lime-packages?

It is not an issue, more a "feature" request I would say

Cheers!

_______________________________________________
lime-users mailing list
lime-users@lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users
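One way to implement the default Amuza asks for (the mesh can reach the ISP router, but no other host on its private LAN), as an added example that is not LibreMesh's own code: a POSIX shell script for an OpenWrt-based node. It assumes the OpenWrt default firewall zone names "lan" (mesh side) and "wan" (ISP uplink), and that the ISP router is the node's default gateway; MESH_ZONE and WAN_ZONE are placeholders to adjust for the zone names LibreMesh actually uses.

```shell
#!/bin/sh
# Added example, not LibreMesh's own code: read the ISP router's address and
# its LAN subnet from `ip route`, then emit OpenWrt `uci` firewall rules so
# mesh traffic can reach that gateway but no other host on its subnet.
# Assumed zone names (OpenWrt defaults; LibreMesh's may differ): "lan", "wan".
MESH_ZONE="${MESH_ZONE:-lan}"; WAN_ZONE="${WAN_ZONE:-wan}"

# stdin: `ip route` output. Prints the default gateway, i.e. the ISP router.
gateway_from_routes() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# stdin: `ip route` output. Prints the directly connected subnet on the
# device the default route uses, i.e. the ISP router's private LAN.
wan_subnet_from_routes() {
    awk '$1 == "default" && $4 == "dev" { dev = $5 }
         $1 != "default" && $3 == dev && $5 == "kernel" { print $1; exit }'
}

# $1: gateway IP, $2: WAN subnet. OpenWrt evaluates rules in config order,
# so the ACCEPT for the gateway must precede the REJECT for its subnet.
gen_uci_rules() {
    cat <<EOF
set firewall.lime_isp_gw=rule
set firewall.lime_isp_gw.name='mesh-to-isp-gateway'
set firewall.lime_isp_gw.src='$MESH_ZONE'
set firewall.lime_isp_gw.dest='$WAN_ZONE'
set firewall.lime_isp_gw.dest_ip='$1'
set firewall.lime_isp_gw.proto='all'
set firewall.lime_isp_gw.target='ACCEPT'
set firewall.lime_isp_lan=rule
set firewall.lime_isp_lan.name='block-mesh-to-isp-lan'
set firewall.lime_isp_lan.src='$MESH_ZONE'
set firewall.lime_isp_lan.dest='$WAN_ZONE'
set firewall.lime_isp_lan.dest_ip='$2'
set firewall.lime_isp_lan.proto='all'
set firewall.lime_isp_lan.target='REJECT'
commit firewall
EOF
}
# "apply" installs the rules on the router; with no argument only the
# functions are defined, so the file can be sourced and tested offline.
if [ "${1:-}" = "apply" ]; then
    routes=$(ip route)
    gw=$(printf '%s\n' "$routes" | gateway_from_routes)
    net=$(printf '%s\n' "$routes" | wan_subnet_from_routes)
    [ -n "$gw" ] && [ -n "$net" ] || { echo "no default route" >&2; exit 1; }
    gen_uci_rules "$gw" "$net" | uci batch && /etc/init.d/firewall reload
fi
```

The rules are IPv4 only and cover the ISP router's own subnet; any further private subnets routed behind it would need their own REJECT rule, and as Amuza notes, any node administrator can remove them again.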