FIREWALL OR TAP GUIDANCE

Issues related to configuring your network
1885
Posts: 136
Joined: 2014/10/25 13:33:03

FIREWALL OR TAP GUIDANCE

Post by 1885 » 2020/03/17 21:20:20

I need some guidance.

I'd like to set up a firewall or tap between my router (Ubiquiti Edge) and our network.
I know I can monitor network traffic with our router, but I'd like to experiment with setting up a firewall or tap to monitor all network traffic between the public IP router and our private IP.

<-<ROUTER TO PUBLIC IP>---<FIREWALL OR TAP WITH 3 NICS>--<LAN 10.183.0.0/16>

I have hardware with a built-in NIC (1000) and a Cisco dual NIC.
So I have 3 network ports that are all recognized using CentOS 8.

I have never done anything like this.

Thanks

Please throw me a bone.

Code:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:1b:0d:a9:3e:b1 brd ff:ff:ff:ff:ff:ff
    inet 10.183.5.26/16 brd 10.183.255.255 scope global noprefixroute enp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::f601:68f6:8f2b:12e4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp8s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:1b:21:52:17:44 brd ff:ff:ff:ff:ff:ff
4: enp8s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:1b:21:52:17:45 brd ff:ff:ff:ff:ff:ff

jlehtone
Posts: 2788
Joined: 2007/12/11 08:17:33
Location: Finland

Re: FIREWALL OR TAP GUIDANCE

Post by jlehtone » 2020/03/18 00:33:44

What is a "tap"?

Do you want

Code:

<WAN>--router(ER)--<LAN X/Y>--router(C8)--<LAN 10.183/16>

Do you want NAT on the C8 too?

1885
Posts: 136
Joined: 2014/10/25 13:33:03

Re: FIREWALL OR TAP GUIDANCE

Post by 1885 » 2020/03/18 13:39:30

Thanks for the line.

I do not need NAT on the TAP.

This is what I want.
<WAN>--router(ER)[OUR GATEWAY] ---router(C8)--<LAN 10.183/16>

jlehtone
Posts: 2788
Joined: 2007/12/11 08:17:33
Location: Finland

Re: FIREWALL OR TAP GUIDANCE

Post by jlehtone » 2020/03/18 15:52:26

Do not leave out essential parts. There are three networks:
* WAN. Its members are the ER and whatever the ISP has.
* Outer LAN. Its members are the ER and the C8.
* Inner LAN. Its members are the C8 and whatever else you have. This subnet is 10.183/16.

I presume that you have a switch that members of the inner LAN connect to and one cable from the switch to the ER.
That cable should go to C8. Then another cable from C8 to ER.

The outer LAN requires its own unique subnet, even though there are only two devices: ER and C8.
The ER needs a static route: to 10.183/16 via IP-of-C8
I would make the ER's DHCP hand out the persistent IP-of-C8 for the C8.

C8 needs a persistent IP on the inner LAN too. That is the gateway for the others.
C8 can run DHCP for the inner LAN. dnsmasq.service is quite simple to set up.

C8 has to forward, i.e. route. See https://linuxconfig.org/how-to-turn-on- ... g-in-linux

All connections of CentOS 8 are by default on firewalld zone 'public'. That does not allow routing.
Overall, firewalld does not seem to be targeted for a router. One should write nft rules and use nftables.service.
See https://wiki.gentoo.org/wiki/Nftables/Examples
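The steps above (forwarding on, nftables instead of firewalld, dnsmasq on the inner LAN, a static route on the ER) put together in one script. This is an added example, not jlehtone's configuration or anything from the thread. It reuses the interface names from the `ip a` output above (enp6s0 on the inner LAN, enp8s0f0 as the outer-LAN port); the outer-LAN subnet 192.168.250.0/30, the C8 address on it, the inner DHCP range and the file paths are assumptions. Run it with no arguments to just print the generated configs; `apply` writes them and switches the services.

```shell
#!/bin/sh
# Added example (not from the thread): make the CentOS 8 box (C8) a non-NAT
# router between the outer LAN (ER <-> C8) and the inner LAN 10.183/16.
# Interface names are from the thread's `ip a`; the outer-LAN subnet
# 192.168.250.0/30 and the C8 address on it are assumed values.
set -eu

INNER_IF="enp6s0"             # already holds 10.183.5.26/16 in the thread
OUTER_IF="enp8s0f0"           # one port of the dual NIC, cabled to the ER
INNER_NET="10.183.0.0/16"
C8_INNER_IP="10.183.5.26"     # gateway address handed to inner-LAN hosts
C8_OUTER_IP="192.168.250.2"   # assumed: what the ER's DHCP reserves for C8

# /etc/sysctl.d fragment: enable IPv4 forwarding persistently.
render_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# nftables ruleset for a stateful router with no NAT: the inner LAN may open
# connections outward, the outer side only gets replies. Anything new aimed
# at the inner LAN is counted, logged (kernel log) and dropped, so it can be
# watched with: journalctl -k | grep c8-fwd-drop
render_nft_ruleset() {
    inner="$1"; outer="$2"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname "$inner" tcp dport 22 accept            # ssh from the inner LAN only
        iifname "$inner" udp dport { 53, 67 } accept    # dnsmasq DNS + DHCP
        iifname "$inner" tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$inner" oifname "$outer" ct state new counter accept
        iifname "$outer" oifname "$inner" ct state new counter log prefix "c8-fwd-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# dnsmasq: DHCP + DNS for the inner LAN, bound to the inner interface only.
# The pool 10.183.100.1-10.183.200.254 is an assumed range inside 10.183/16.
render_dnsmasq() {
    inner="$1"; gw="$2"
    cat <<EOF
interface=$inner
bind-interfaces
dhcp-range=10.183.100.1,10.183.200.254,255.255.0.0,12h
dhcp-option=option:router,$gw
dhcp-option=option:dns-server,$gw
EOF
}

# EdgeOS CLI for the static route the ER needs: "to 10.183/16 via IP-of-C8".
render_er_static_route() {
    net="$1"; via="$2"
    printf 'configure\nset protocols static route %s next-hop %s\ncommit\nsave\n' "$net" "$via"
}

# Write the files and switch services; only runs as: sh router.sh apply
apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    render_sysctl > /etc/sysctl.d/90-router.conf
    sysctl --system > /dev/null
    render_nft_ruleset "$INNER_IF" "$OUTER_IF" > /etc/sysconfig/nftables.conf
    nft -c -f /etc/sysconfig/nftables.conf          # syntax check before loading
    systemctl disable --now firewalld               # firewalld would fight these rules
    systemctl enable --now nftables
    systemctl restart nftables
    render_dnsmasq "$INNER_IF" "$C8_INNER_IP" > /etc/dnsmasq.d/inner-lan.conf
    systemctl enable --now dnsmasq
}

case "${1:-show}" in
    apply) apply_all ;;
    *)  echo "# --- sysctl ---";     render_sysctl
        echo "# --- nftables ---";   render_nft_ruleset "$INNER_IF" "$OUTER_IF"
        echo "# --- dnsmasq ---";    render_dnsmasq "$INNER_IF" "$C8_INNER_IP"
        echo "# --- on the ER ---";  render_er_static_route "$INNER_NET" "$C8_OUTER_IP" ;;
esac
```

After `apply`, `nft list ruleset` shows the counters climbing on the forward rules, and the `c8-fwd-drop:` lines in `journalctl -k` are the unsolicited inbound attempts from the outer side. The ER-side lines are only printed, since they are typed into the EdgeRouter, not run on C8.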

1885
Posts: 136
Joined: 2014/10/25 13:33:03

Re: FIREWALL OR TAP GUIDANCE

Post by 1885 » 2020/03/22 19:40:48

Thank you jlehtone! I've got some reading to do.
I have never configured iptables.

But I have two gentoo boxes running!
https://wiki.gentoo.org/wiki/Nftables/Examples
