Vodafone UFB, Ubuntu Laptop with two NICs, a switch, two APs

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Vodafone UFB, Ubuntu Laptop with two NICs, a switch, two APs

edc

31 posts

Geek

# 180750 20-Sep-2015 21:48

I'm getting Vodafone UFB in about 3 weeks. I'm not sure how I'll setup the network, but this is what I've got planned:

ONT - Ubuntu 14.04.2 LTS Desktop eth0 (Router)
Ubuntu eth0 - Ubuntu eth1
Ubuntu eth1 - switch
switch - Wireless-AP-LowLatency 5GHz
switch - Wireless-AP-HighThroughput 5GHz
switch - Wireless-AP-Legacy 2.4GHz

The Wireless-APs will run on different channels, on different levels of a 3 level house.

eth1 runs services such as ssh, samba, btsync (setup already)
eth0 faces the ONT

Is there a guide for setting Ubuntu up as a router?
(This is a Linux and Networking question)

FYI
These are the interfaces:
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E PCI Express Fast Ethernet controller (rev 05)
03:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS5209 PCI Express Card Reader (rev 01)
02:00.0 Network controller: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)

Thank you

1 | 2

Mr Snotty
8940 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 1390826 20-Sep-2015 23:58

3 people support this post

I would strongly recommend you don't do this sort of setup as if you've got a single thing wrong in your iptables configuration you could risk getting your Ubuntu machine owned. If you however would like to do it then you'll need to look into iptables + NAT (example: http://www.karlrupp.net/en/computer/nat_tutorial).

There are several firewall distributions however I think untangle is what you're looking for: http://www.untangle.com/ - this is a firewall / server distribution that'll do what you need and has a nice web interface for configuration. I do think a better approach to this is to grab a router (like the Edgerouter Lite) and configure that for your firewall putting your server behind the NAT as this will offer better protection.

How I've got it setup is Edgerouter Lite --> TP-Link Smart Switch --> Server (with a Xclaim XI-3 Wireless AP connected to the switch for WiFi) and performance is simply awesome.

sbiddle

28431 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Lifetime subscriber

# 1390888 21-Sep-2015 08:11

3 people support this post

IMHO using a stock standard Ubuntu install as a firewall/router is just s crazy idea. There are distros specifically targeted at this purpose and they're a far better solution.

edc

31 posts

Geek

# 1391516 21-Sep-2015 20:08

I've read the replies, thank you.

How do I set Ubuntu up, with two NICs, to connect to Vodafone UFB please?

sbiddle

28431 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Lifetime subscriber

# 1391528 21-Sep-2015 20:34

3 people support this post

edc: I've read the replies, thank you.

How do I set Ubuntu up, with two NICs, to connect to Vodafone UFB please?

I don't want to sound rude but if you have to ask that question you're really looking at the wrong solution and should probably be using a firewall distro that will be vastly easier to configure, and more importantly will be secure.

michaelmurfy

Mr Snotty
8940 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 1391532 21-Sep-2015 20:50

sbiddle:
edc: I've read the replies, thank you.

How do I set Ubuntu up, with two NICs, to connect to Vodafone UFB please?

I don't want to sound rude but if you have to ask that question you're really looking at the wrong solution and should probably be using a firewall distro that will be vastly easier to configure, and more importantly will be secure.

Plus I have already posted how to configure iptables for NAT above. To be honest I don't think anyone here would do such a thing as there are far better solutions.

edc

31 posts

Geek

# 1391547 21-Sep-2015 21:08

In 2000 I was a kid. I had a Slackware/custom kernel/grsecurity gateway. My iptables ruleset I posted on the Internet is still found online.
I also had a custom OpenMosix cluster of my very own (because I had no money for a real computer and a few P166s did the trick).
10 years or so ago I decided to specialise in Finance and Accounting. I can still secure a Linux installation, once I make my iptables script run on boot the system would be secure, services will run on eth1. These things I can do, without having to figure it out, but keep in mind IT is a hobby. I want an easy to follow guide that I've not found online yet. I don't have every night to figure these things out anymore. Let's assume I have a Gentoo/grsecurity installation, no services, a F5 load balancer, a OpenBSD in series... to secure my Windows 10 box I'm typing this from.

The VLAN 10 setup guide for Linux please?

MadEngineer

1934 posts

Uber Geek

# 1391563 21-Sep-2015 21:53

apt-get install ros

Haha

Or seriously, install routerOS instead of Ubuntu.

edc

31 posts

Geek

# 1391568 21-Sep-2015 22:20

OK,
routerOS, Gentoo/grsecurity installation, no services, a F5 load balancer, a *NetBSD in series.
Let's assume routerOS hardware doesn't support what I'm going to throw at it, which is why I want to use a Linux server. So we're left with a Gentoo/grsecurity installation, no services, a F5 load balancer, a *NetBSD in series. Turns out I don't own a F5 load balancer, but my Gentoo box is so locked down the only way to access it is to force a hard shutdown, taking the disk out and mouting the encrypted disk on another box and chrooting in to it.

MadEngineer

1934 posts

Uber Geek

# 1392186 22-Sep-2015 20:03

I didn't say to use "routerOS hardware", I said use routerOS, which is software

edc

31 posts

Geek

# 1392188 22-Sep-2015 20:07

Oh, I thought it was hardware locked? I'd prefer a x86 based, generic hardware compatible solution though, no license fees. I'll look in to routerOS

MadEngineer

1934 posts

Uber Geek

# 1392197 22-Sep-2015 20:16

you can get a free trial. the license is worth it if you must use your own hardware, otherwise the hardware would be the cheapest in class.

michaelmurfy

Mr Snotty
8940 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 1392203 22-Sep-2015 20:29

2 people support this post

If you really knew how to Linux you'd have your answer by now.

1) I don't recommend ever using a server as a router, I mean ever.
2) No system is sufficiently secure. I still build systems that are secured with encrypted partitions, mod_security, aide, selinux and really complex firewall rules that still fail a penetration test because I've missed something often simple.
3) It doesn't matter what OS you use. The security is always in the hands of the person who set it up.

And this is why router distributions like RouterOS, PFSense, M0n0wall etc etc exist. They're designed to be /as secure/ as they can out of the box and be easy to manage.

I've done what you're asking before and soon after culled it.

If you still don't want to adhere to the many people telling you that it is a terrible idea then you'll find the top result of "ubuntu vlan" will be of help with your vast knowledge of iptables: https://wiki.ubuntu.com/vlan

I really hope your server doesn't get owned but if you seriously can't do a quick Google and work these things out for yourself then you shouldn't be doing what you're asking. It is like with me I just moved to an Ubiquiti Edgerouter from a totally different platform. I managed to set it up taking over 6 hours in the process but I gained quite a bit of experience and had fun doing so. There are router distributions that are simple to configure and offer the functionality of what you're trying to do like the one I have quoted above however I would also recommend shoving a software visualization platform on your server and just play around with some products (like the one people have quoted) and if you don't like it you can blast the VM and create a new one without too much risk to your Ubuntu server.

Don't mean to sound rude. I've just said the truth and since I deal with Linux + security as a job I do somewhat know what I am talking about here.

chevrolux

4274 posts

Uber Geek

# 1392206 22-Sep-2015 20:41

2 people support this post

RouterOS is awesome!

If IT is a hobby you will have a lot of funny playing around in RouterOS. It will literally do anything you want. Firewall, VPN, Socks Proxy, Virtual routers, hotspot system, custom scripts and all the debugging tools you could think of. Seriously cool and has a nice learning curve to go with it.

Best bit is you don't need to sit there banging away on the command line!!... unless you want to, in which case there is a fully featured CLI with auto-complete, hints etc to make things easier.

Edit: Sorry not helpful I know.... just wanted to voice an opinion haha

michaelmurfy

Mr Snotty
8940 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 1392210 22-Sep-2015 20:47

chevrolux: RouterOS is awesome!

If IT is a hobby you will have a lot of funny playing around in RouterOS. It will literally do anything you want. Firewall, VPN, Socks Proxy, Virtual routers, hotspot system, custom scripts and all the debugging tools you could think of. Seriously cool and has a nice learning curve to go with it.

Best bit is you don't need to sit there banging away on the command line!!... unless you want to, in which case there is a fully featured CLI with auto-complete, hints etc to make things easier.

Edit: Sorry not helpful I know.... just wanted to voice an opinion haha

Totally agree with you. Every time I have used RouterOS I have been really happy with it. Such a shame the movers lost my Mikrotik >.<

edc

31 posts

Geek

# 1392261 22-Sep-2015 21:58

Alright, thank you for the good advice, I'll give pfSense and ipcop a spin this weekend and keep the current server behind it all. When I last used Slackware in 2000 I thought the default installation was secure enough with a small iptables ruleset applied and didn't expect an Ubuntu machine in 2015 would be a target if no services ran on the public interface.

If anyone is interested:
I found the year 2000 ruleset online after all this time, I'm not sure if it was modified though, I kept a searchable number string in the script to trace where it went after posting it online. I uploaded it to http://pastebin.com/msYp7pXa - blast from the past, IRD helper module... There also was a version that did random kinds of rejections, which resulted in any nmap OS type scans identifying a different fingerprint every time.

1 | 2