OpenVPN interface + IDS/IPS

Started by elektroinside, January 17, 2018, 07:57:44 PM

My device has two modes: router and bridge. In router mode, it has a working wifi interface, and works just as any commercially available wifi routers, and it is NAT-ing. In bridge mode (this is how it works now) it's basically a fiber media converter (fiber to ethernet), which is not NAT-ing...

Yes, i did have a conversation with them (the ISP). It is possible, but only for legal entities, to sign a contract for a symmetric link with static IP addresses (no PPPoE). The costs are significantly higher though, and the bandwidth lower...
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

I suppose you do have the same Huawei "all-in-one" crap as I have, doing Media Conversion (from fiber to UTP) + GW/ NAT + DNS FWD + DHCP + Wi-Fi (2.4 GHz only, crappy throughput).

Again, just to be clear (and again, I might be the one who's wrong), but instead of
Quote: "My device has two modes: router and bridge"
you have

My device has two modes: GW/ FW/ NAT and bridge

Again (did I say "again" for the third time? :) ), as far as I know, a router never does NAT or port forwarding (PAT) - hence FW stuff - it only routes every packet from one interface (IP address) to another interface (IP address). Am I correct? Or maybe I'm not, and with or without NAT/ PAT, there is only one thing, and it's named "routing"?!?!

PS. I bring up that even in OPNsense, you have the option to disable "Firewall", which states in the help comments that

Warning: This will convert into a routing-only platform!
Warning: This will also turn off NAT!
If you only want to disable NAT, and not firewall rules, visit the Outbound NAT page.


This, again, makes me conclude that a router is a router, and only routes packets from one interface to another based on routing rules - but not FW/ GW/ NAT/ PAT rules - never replacing the source IP address (NAT) and/ or source port (PAT) of the originating packet.
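As an added illustration of the distinction drawn above (my own example, not code from this thread or from OPNsense), a small Python model with a constructed routing table and a constructed PAT state table: plain routing only picks the egress interface and leaves the packet untouched, while NAT/PAT rewrites the source address and port and needs a state entry to translate replies back, which is why unsolicited inbound traffic has nowhere to go without a port forward.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
    (ipaddress.ip_network("192.168.1.0/24"), "lan"),
]
WAN_IP = "203.0.113.10"  # constructed public address (documentation range)


def route(packet):
    """Routing only: choose the egress interface by longest-prefix match.
    The packet is returned as-is; no address or port is rewritten."""
    dst = ipaddress.ip_address(packet["dst"])
    match = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return match[1], dict(packet)


class SourceNat:
    """Minimal NAT/PAT: rewrites src/sport on the way out and keeps state so
    replies can be mapped back. Without a state entry an inbound packet has no
    internal destination and is dropped (a port-forward rule would add one)."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out_map = {}   # (orig src, orig sport) -> translated sport
        self.in_map = {}    # translated sport -> (orig src, orig sport)

    def outbound(self, packet):
        key = (packet["src"], packet["sport"])
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return dict(packet, src=self.wan_ip, sport=self.out_map[key])

    def inbound(self, packet):
        key = self.in_map.get(packet["dport"])
        if key is None:
            return None  # unsolicited: no translation state, drop
        src, sport = key
        return dict(packet, dst=src, dport=sport)


def forward(packet, nat=None):
    """Same routing decision in both modes; only NAT mode changes the packet."""
    iface, pkt = route(packet)
    if nat is not None and iface == "wan":
        pkt = nat.outbound(pkt)
    return iface, pkt
```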

Oh, sorry, I did not make myself sufficiently clear.
I have a Fiberhome something device (not a Huawei, as my older Huawei lost 70+% of its packets on its way to the internet after 2-3 days of uptime - so they changed it with this Fiberhome crap).

From its web interface (no ssh access), you only have:
- the wifi interface (On/OFF/SID etc) settings page
- there's a PPPoE settings page (for username or password)
- and a "port forward" page
- some administrative stuff (WebGUI user/password)

Nothing else. You can't change anything else.

You can call RDS and ask the support to change one mode with the other. However, you have only 2 modes to choose from:
- RDS calls it "router mode", which has NAT enabled (whether I like or not... and... you can't disable anything, they can't disable anything, the firmware is supposedly locked) -> I will (because they do) call this mode "RDS router mode"
- and there's the bridge mode

I never saw any other options on my RDS devices in "RDS router" mode, I never used this mode (for more than 5 minutes). But in those 5 minutes of using their "RDS router" mode, I had no access to disable anything except wifi.

All of my business clients (all legal entities of course) are using their devices in bridge mode, and all have static IP addresses without PPPoE, so I couldn't really say what settings RDS exposes for them if I switch to "RDS router" mode. Maybe there you can disable FW/NAT.

So, concluding, I thought all residential RDS devices behave like this, and that's why I didn't explicitly say you cannot use the devices as a routing platform (because you can't, with mine at least). And because they call GW/ FW/ NAT the "router mode", I also used their description, hence the confusion :)

Team Rebellion Member

Clear now!

In another beam of light, I wonder what most of the users around here should think about us, especially reading your signature stating 1 Gb/s download, 0.5 Gb/s upload, since we keep on firing at the "crappy devices" our ISP is using for residential. :)

January 22, 2018, 03:20:49 PM #19 Last Edit: January 22, 2018, 03:23:56 PM by elektroinside
Indeed, but we also have some advantages though, fiber cables in our homes, gigabit-ish bandwidth everywhere (not just in the country), DDNS (without software clients), most places the link quality is above average...
And I really do have these speeds most of the times, as in my signature, even though they are "best effort" links.

I can't really complain. If only they could drop this PPPoE crap...

I had to know, so I called them again, asked about the business links and devices, routing only modes etc. They use the same devices and firmware and modes for them as well. Oh well..


Team Rebellion Member

Quote: "Indeed, but we also have some advantages though, fiber cables in our homes, gigabit-ish bandwidth everywhere (not just in the country), DDNS (without software clients), most places the link quality is above average...
And I really do have these speeds most of the times, as in my signature, even though they are "best effort" links."

Exactly! This is the reason I said what other people around here would think of us since we are complaining and qualifying as "craps" services and devices that offer like 10 to 20 times the medium bandwidth of Europe & America (as continents). And for less than 10$ NETO (final price). :D

Quote: "I had to know, so I called them again, asked about the business links and devices, routing only modes etc. They use the same devices and firmware and modes for them as well. Oh well.."

No, they're not: I know for sure that business clients I service have a simple and straight Media Converter with only 2 ports: UTP and OF (and power supply, of course). No Wi-Fi antennae, no Web UI, no network services (DHCP, DNS etc...). MCs made to work in bridge mode only.
For residential services it's somehow understandable to use cheap, all-in-one devices, since without them 1) clients would perceive the service as incomplete (gone are the days we used a single UTP internet link connected directly in a PC or Laptop), and 2) 99.9% of residential clients would buy even more crappy devices, like Tenda or Netis, since most of them are not choosy, nor experienced enough to tell the difference.

But I guess we've been quite off-topic for quite a while, so let's get back to VPN + IDPS (or close the case) :)

My clients all have Huawei boxes (in bridge mode). Wasn't sure about the firmware though for business clients.

Yeah, you're probably right, we're off topic. Considering the topic closed :D
