21 Jun
2016
21 Jun
'16
6:59 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I have my private home network connected to the Internet and then the
LiMe network I am deploying. In order to let the LiMe network access
the Internet, I connect the WAN port of a LiMe router to a switch port
(LAN) of my private home router. And it just rocks, double NAT works,
and routers spread the Internet all around the mesh.
But now I am trying to deny any traffic from LiMe hosts (10.x.x.x) to
my private home network (192.168.x.x).
I have been playing with the LuCI web interface of my private home
router but somehow I do not manage to restrict the undesired traffic.
This is what I've tried:
1. I assign a static IPv4 address to the LiMe router (I did not manage
do it with IPv6).
2. I create a traffic rule which DROPS ANY traffic coming from the
statically assigned IPv4 address (192.168.A.A) of the connected LiMe
router (which is in the LAN zone and with a defined source MAC
address) with destination ANY LAN zone -so that they can access only
the Internet (WAN).
3. I enable the rule and put it up to the top of the list
Why can I still reach my home private router from the LiMe network?
Is this "zone" thing working?
How should I configure it?
Please let me know. Either through the LuCI web interface or the
command line -step by step, please.
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJXaY5xAAoJEF2FWO6p8n2e3L0P/0zA+85HqWvFAc1ahlSXRafd
i3vk/qH1s1lvyviy3+bwE7E00L+I+yzOg+UQGOVgD3Q0nHoNNOk8nYFlRnC0pWy8
+c+6gphh4wsaCxXQw5pBYRK0b/mhbgqp+3GBncI3Y3qBOyeM8jDBKtYMwfQfHAvU
v3T2qpeivQcoP1rnDOo20hH5eJgJOS40pSz1XRE0KiyelHjl1W7pdnLARyY0NAAX
fcJO3PDFtYnyU1JHiGZQSTrSQiGu9HojUp1olmuRWhTAEpU3rsrwA2GM5/4v8fwd
f7c9vzW+FKUYoXDp+eRY6DH+hKDwEeff1BDRhYOtwdqh+8KdkF1gmAK50L0e0NJ1
RSxOeksUxjgmGZv+jJx3cgLRZUz9jUaZwot4rILAI3Do1mZZeSJvApVPD7zTt+qa
tiyeEItEwKZJ7dRM/lVghULY9OitY8myduxfhXk6wExb0w0mqwo0cw3iCrWfAjV+
dwK8c05KJoD/+7Q5/9JYyhClE/gSfYwy6z4f99H8xo3mOqyeheNLjfTf78mNIJJo
1lT+mjoa4KP72n3m10WDsnOd63ReDxrA2uay6aiLiuldwu0THzjXtmTV3inVUJpH
7jA6yhpb/iA+icqzaUTydfiXJYFyimXIry2lIds5qF1gLhj83CyMz1tF1+ASl2ng
IQB9P0+jMgBkWCiuuIMZ
=xt5v
-----END PGP SIGNATURE-----
22 Jun
22 Jun
10:38 p.m.
On 06/21/2016 08:59 PM, Amuza wrote:
Hi,
Hi Amuza!
I have my private home network connected to the
Internet and then the
LiMe network I am deploying. In order to let the LiMe network access
the Internet, I connect the WAN port of a LiMe router to a switch port
(LAN) of my private home router. And it just rocks, double NAT works,
and routers spread the Internet all around the mesh.
Yeah!
But now I am trying to deny any traffic from LiMe
hosts (10.x.x.x) to
my private home network (192.168.x.x).
Have you verified that this doesn't already happen?
For example trying to ping a 192... machine while connected with a 10... IP?
I have been playing with the LuCI web interface of my
private home
router but somehow I do not manage to restrict the undesired traffic.
This is what I've tried:
1. I assign a static IPv4 address to the LiMe router (I did not manage
do it with IPv6).
Mmh... So, are you setting this directly in LiMe or in your main router
DHCP server?
I have no experience with the LiMe web interface, but from the terminal
interface you can specify the IPv6 address (as well the IPv4) in the
/etc/config/lime (taking inspiration from /etc/config/lime.example).
2. I create a traffic rule which DROPS ANY traffic
coming from the
statically assigned IPv4 address (192.168.A.A) of the connected LiMe
router (which is in the LAN zone and with a defined source MAC
address) with destination ANY LAN zone -so that they can access only
the Internet (WAN).
3. I enable the rule and put it up to the top of the list
Why can I still reach my home private router from the LiMe network?
"reach the router"?
If I got it correctly the router is your gateway, so it's good if you
can reach it... The problem comes with other devices on the LAN side.
Did I get it correctly?
Is this "zone" thing working?
How should I configure it?
I'm not experienced with OpenWrt firewall configuration, sorry :/
Please let me know. Either through the LuCI web
interface or the
command line -step by step, please.
Thank you!
Bye!!
Ilario
23 Jun
23 Jun
2:08 p.m.
Hey Ilario!
1. Thanks for your reply! It made me understand that I might need to
configure a transparent (Layer 2) firewall if I keep wanting to solve it
just by configuring my private home router. I am not sure though. If
anyone could confirm... And I do not know how to configure that, I guess
I would have to face once and for all the scary world of iptables -if
that's how OpenWRT filters packets, I'm not even sure : /
2. Another solution -easier- I've just thought of, it would be to
configure the firewall in the LiMe router (the one directly connected to
my home router). But then I would need to know what is applied first
when traffic originated from a host in the LiMe network has the Internet
as destination: NAT or Packet Filtering. I need to know if NAT is
applied before packet filtering or the other way around so that I can
properly define the firewall rules. Does anybody know the order?
3. By the way, Am I too paranoid? Am I the only one worried about
protecting my home LAN? Or maybe you guys do not use this double NAT
architecture? How do you do it? Maybe through VLANs?
On jue, 2016-06-23 at 00:38 +0200, Ilario Gelmetti wrote:
On 06/21/2016 08:59 PM, Amuza wrote:
Hi,
Hi Amuza!
I have my private home network connected to the
Internet and then the
LiMe network I am deploying. In order to let the LiMe network access
the Internet, I connect the WAN port of a LiMe router to a switch port
(LAN) of my private home router. And it just rocks, double NAT works,
and routers spread the Internet all around the mesh.
Yeah!
But now I am trying to deny any traffic from LiMe
hosts (10.x.x.x) to
my private home network (192.168.x.x).
Have you verified that this doesn't already happen?
For example trying to ping a 192... machine while connected with a 10... IP?
I have been playing with the LuCI web interface
of my private home
router but somehow I do not manage to restrict the undesired traffic.
This is what I've tried:
1. I assign a static IPv4 address to the LiMe router (I did not manage
do it with IPv6).
Mmh... So, are you setting this directly in LiMe or in your main router
DHCP server?
I have no experience with the LiMe web interface, but from the terminal
interface you can specify the IPv6 address (as well the IPv4) in the
/etc/config/lime (taking inspiration from /etc/config/lime.example).
2. I create a traffic rule which DROPS ANY
traffic coming from the
statically assigned IPv4 address (192.168.A.A) of the connected LiMe
router (which is in the LAN zone and with a defined source MAC
address) with destination ANY LAN zone -so that they can access only
the Internet (WAN).
3. I enable the rule and put it up to the top of the list
Why can I still reach my home private router from the LiMe network?
"reach the router"?
If I got it correctly the router is your gateway, so it's good if you
can reach it... The problem comes with other devices on the LAN side.
Did I get it correctly?
Is this "zone" thing working?
How should I configure it?
I'm not experienced with OpenWrt firewall configuration, sorry :/
Please let me know. Either through the LuCI web
interface or the
command line -step by step, please.
Thank you!
Bye!!
Ilario
_______________________________________________
users mailing list
users(a)lists.libre-mesh.org
https://lists.libre-mesh.org/mailman/listinfo/users 
2:15 p.m.
On Thursday 23 June 2016 16:08:07 Amuza wrote:
Hey Ilario!
1. Thanks for your reply! It made me understand that I might need to
configure a transparent (Layer 2) firewall if I keep wanting to solve it
just by configuring my private home router. I am not sure though. If
anyone could confirm... And I do not know how to configure that, I guess
I would have to face once and for all the scary world of iptables -if
that's how OpenWRT filters packets, I'm not even sure : /
2. Another solution -easier- I've just thought of, it would be to
configure the firewall in the LiMe router (the one directly connected to
my home router). But then I would need to know what is applied first
when traffic originated from a host in the LiMe network has the Internet
as destination: NAT or Packet Filtering. I need to know if NAT is
applied before packet filtering or the other way around so that I can
properly define the firewall rules. Does anybody know the order?
3. By the way, Am I too paranoid? Am I the only one worried about
protecting my home LAN? Or maybe you guys do not use this double NAT
architecture? How do you do it? Maybe through VLANs?
I just try that everything can ping everything, "mesh all the things".
Security doesn't pertain to lower layer of networking stack, moreover you are
supposed to run a community network, not a walled garden :p
Ciao!
On jue, 2016-06-23 at 00:38 +0200, Ilario Gelmetti wrote:
> On 06/21/2016 08:59 PM, Amuza wrote:
> > Hi,
>
> Hi Amuza!
>
> > I have my private home network connected to the Internet and then the
> > LiMe network I am deploying. In order to let the LiMe network access
> > the Internet, I connect the WAN port of a LiMe router to a switch port
> > (LAN) of my private home router. And it just rocks, double NAT works,
> > and routers spread the Internet all around the mesh.
>
> Yeah!
>
> > But now I am trying to deny any traffic from LiMe hosts (10.x.x.x) to
> > my private home network (192.168.x.x).
>
> Have you verified that this doesn't already happen?
> For example trying to ping a 192... machine while connected with a 10...
> IP?>
> > I have been playing with the LuCI web interface of my private home
> > router but somehow I do not manage to restrict the undesired traffic.
> > This is what I've tried:
> >
> > 1. I assign a static IPv4 address to the LiMe router (I did not manage
> > do it with IPv6).
>
> Mmh... So, are you setting this directly in LiMe or in your main router
> DHCP server?
> I have no experience with the LiMe web interface, but from the terminal
> interface you can specify the IPv6 address (as well the IPv4) in the
> /etc/config/lime (taking inspiration from /etc/config/lime.example).
>
> > 2. I create a traffic rule which DROPS ANY traffic coming from the
> > statically assigned IPv4 address (192.168.A.A) of the connected LiMe
> > router (which is in the LAN zone and with a defined source MAC
> > address) with destination ANY LAN zone -so that they can access only
> > the Internet (WAN).
> >
> > 3. I enable the rule and put it up to the top of the list
> >
> > Why can I still reach my home private router from the LiMe network?
>
> "reach the router"?
> If I got it correctly the router is your gateway, so it's good if you
> can reach it... The problem comes with other devices on the LAN side.
> Did I get it correctly?
>
> > Is this "zone" thing working?
> > How should I configure it?
>
> I'm not experienced with OpenWrt firewall configuration, sorry :/
>
> > Please let me know. Either through the LuCI web interface or the
> > command line -step by step, please.
> >
> > Thank you!
>
> Bye!!
> Ilario
>
> _______________________________________________
> users mailing list
> users(a)lists.libre-mesh.org
> https://lists.libre-mesh.org/mailman/listinfo/users
3112
days inactive
3114
days old
lime-users@lists.libremesh.org
3 comments
3 participants
participants (3)
-
Amuza -
Gio -
Ilario Gelmetti