├── images
│   ├── gateway-luci-vlans.png
│   ├── netgear-luci-ssid.png
│   ├── netgear-luci-switch.png
│   ├── gateway-luci-firewall.png
│   ├── gateway-luci-banip-sources.png
│   └── gateway-luci-banip-blacklist.png
├── .gitignore
├── configs
│   ├── netgear
│   │   └── etc
│   │       └── config
│   │           ├── dropbear
│   │           ├── firewall
│   │           ├── ntpclient
│   │           ├── dhcp
│   │           ├── system
│   │           ├── network
│   │           └── wireless
│   └── gateway
│       └── etc
│           ├── hotplug.d
│           │   └── iface
│           │       └── 99-google
│           └── config
│               ├── ntpclient
│               ├── system
│               ├── dhcp
│               ├── firewall
│               └── banip
├── ntpclient.md
├── banip.md
├── LICENSE
└── README.md

/images/gateway-luci-vlans.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/gateway-luci-vlans.png
--------------------------------------------------------------------------------
/images/netgear-luci-ssid.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/netgear-luci-ssid.png
--------------------------------------------------------------------------------
/images/netgear-luci-switch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/netgear-luci-switch.png
--------------------------------------------------------------------------------
/images/gateway-luci-firewall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/gateway-luci-firewall.png
--------------------------------------------------------------------------------
/images/gateway-luci-banip-sources.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/gateway-luci-banip-sources.png
--------------------------------------------------------------------------------
/images/gateway-luci-banip-blacklist.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cydergoth/openwrt_vlan/HEAD/images/gateway-luci-banip-blacklist.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Compiled
*.elc

# Packaging
.cask

# Backup files
*~
*.bak

# Undo-tree save-files
*.~undo-tree
--------------------------------------------------------------------------------
/configs/netgear/etc/config/dropbear:
--------------------------------------------------------------------------------
config dropbear
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'

config dropbear
	option PasswordAuth 'on'
	option Interface 'wifi0'
--------------------------------------------------------------------------------
/configs/gateway/etc/hotplug.d/iface/99-google:
--------------------------------------------------------------------------------
#!/bin/sh
[ "${ACTION}" = "ifup" -a "${INTERFACE}" = "google" ] && {
	logger -t hotplug "Device: ${DEVICE} / Action: ${ACTION} google enable performance mode"
	/sbin/ip link set eth0.2 type vlan id 2 egress 0:3
}
--------------------------------------------------------------------------------
/ntpclient.md:
--------------------------------------------------------------------------------
# NTP Client

NTP Client runs on the gateway and WiFi access point, and is installed
via LuCI or the `opkg` command line.

There are two packages which can be installed:

* ntpclient - the core software
* luci-app-ntpc - the LuCI plugin that lets you configure it from the GUI

The config file is:

* [ntpclient](configs/gateway/etc/config/ntpclient)
--------------------------------------------------------------------------------
/configs/netgear/etc/config/firewall:
--------------------------------------------------------------------------------
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config rule
	option dest '*'
	option name 'Upstream'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src '*'
--------------------------------------------------------------------------------
/configs/netgear/etc/config/ntpclient:
--------------------------------------------------------------------------------
config ntpserver
	option hostname '0.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '1.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '2.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '3.openwrt.pool.ntp.org'
	option port '123'

config ntpdrift
	option freq '0'

config ntpclient
	option interval 600
	#option count 10
	#option interface wan
--------------------------------------------------------------------------------
/configs/gateway/etc/config/ntpclient:
--------------------------------------------------------------------------------
config ntpserver
	option hostname '0.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '1.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '2.openwrt.pool.ntp.org'
	option port '123'

config ntpserver
	option hostname '3.openwrt.pool.ntp.org'
	option port '123'

config ntpdrift
	option freq '0'

config ntpclient
	option interval 600
	#option count 10
	#option interface wan
--------------------------------------------------------------------------------
/configs/netgear/etc/config/dhcp:
--------------------------------------------------------------------------------
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list notinterface 'lan'
	list notinterface 'work'
	list notinterface 'guest'
	list notinterface 'iot'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wifi0'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'wifi0'
--------------------------------------------------------------------------------
/configs/netgear/etc/config/system:
--------------------------------------------------------------------------------
config system
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option zonename 'America/Chicago'
	option cronloglevel '5'
	option log_proto 'udp'
	option conloglevel '8'
	option timezone 'CST6CDT,M3.2.0,M11.1.0'
	option hostname 'Netgear'

config timeserver 'ntp'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'

config led 'led_usb1'
	option name 'USB 1'
	option sysfs 'r7800:white:usb1'
	option trigger 'usbport'
	list port 'usb1-port1'
	list port 'usb2-port1'

config led 'led_usb2'
	option name 'USB 2'
	option sysfs 'r7800:white:usb2'
	option trigger 'usbport'
	list port 'usb3-port1'
	list port 'usb4-port1'

config led 'led_wan'
	option name 'WAN'
	option sysfs 'r7800:white:wan'
	option trigger 'switch0'
	option port_mask '0x20'

config led 'led_esata'
	option name 'eSATA'
	option sysfs 'r7800:white:esata'
	option trigger 'ide-disk'
--------------------------------------------------------------------------------
/banip.md:
--------------------------------------------------------------------------------
# BanIP

This software runs on the gateway and is installed using the LuCI software
manager or the command line tool `opkg`.

One of the more important pieces of software I run on my gateway is
`banIP`. This package is similar to the popular "fail2ban" package
many other systems use. The role it performs is to monitor the log
files for suspicious activity - in this case defined as multiple
failed SSH login attempts - on the external interface (`google`).

Once it sees such an attempt, it adds the source address to a 'blacklist' of IPs.

![Blacklist](images/gateway-luci-banip-blacklist.png)

In addition to this auto-generated list of potential threats, it may
also use one or more of a number of curated lists to pre-populate the
ban tables.

![Blacklists](images/gateway-luci-banip-sources.png)

It is not installed or configured by default in OpenWRT but may be
easily applied via the `opkg` command line tool or via LuCI.

My config is available:

* [banip config](configs/gateway/etc/config/banip)

Note: In order for banIP to work, the utilities it watches must have
their log files enabled.
--------------------------------------------------------------------------------
/configs/netgear/etc/config/network:
--------------------------------------------------------------------------------
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:eb08:e0e7::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config interface 'wifi0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 5t'

config interface 'lan'
	option proto 'dhcp'
	option type 'bridge'
	option ifname 'eth0.1'

config interface 'guest'
	option type 'bridge'
	option proto 'dhcp'
	option ifname 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'
	option vid '3'

config interface 'iot'
	option proto 'dhcp'
	option type 'bridge'
	option ifname 'eth0.4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '4'

config interface 'work'
	option type 'bridge'
	option ifname 'eth0.5'
	option proto 'dhcp'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 5t'
	option vid '5'
--------------------------------------------------------------------------------
/configs/gateway/etc/config/system:
--------------------------------------------------------------------------------
config system
	option hostname 'LEDE'
	option timezone 'UTC'
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server '0.lede.pool.ntp.org'
	list server '1.lede.pool.ntp.org'
	list server '2.lede.pool.ntp.org'
	list server '3.lede.pool.ntp.org'

root@LEDE:/etc/config# cat network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option _orig_ifname 'eth0'
	option _orig_bridge 'true'
	option ipaddr '192.168.4.1'
	option ifname 'eth1 eth3.1'

config interface 'google'
	option proto 'dhcp'
	option ifname 'eth0.2'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ifname 'eth3.3'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'
	option ifname 'eth3.4'

config interface 'work'
	option proto 'static'
	option ifname 'eth3.5'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
--------------------------------------------------------------------------------
/configs/netgear/etc/config/wireless:
--------------------------------------------------------------------------------
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key 'XXXXXXXXXXXX'
	option encryption 'psk2'
	option network 'wifi0'
	option ssid 'BadgerMeNot'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'

config wifi-iface 'wifinet2'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option ssid 'BadgerNetBase'
	option key 'XXXXXXXXXXXXXX'

config wifi-iface 'wifinet3'
	option ssid 'BadgerNetGuest'
	option device 'radio0'
	option mode 'ap'
	option key 'XXXXXXXXXXXXX'
	option isolate '1'
	option encryption 'psk2'
	option network 'guest'

config wifi-iface 'wifinet4'
	option ssid 'BadgerNet5'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option key 'XXXXXXXXXXXX'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'BadgerNetIot'
	option encryption 'psk2'
	option key 'XXXXXXXXXXXX'
	option network 'iot'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BadgerNetW'
	option encryption 'psk2'
	option key 'XXXXXXXXXXXX'
	option network 'work'
--------------------------------------------------------------------------------
/configs/gateway/etc/config/dhcp:
--------------------------------------------------------------------------------
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option nonwildcard '0'
	option serversfile '/tmp/adb_list.overall'
	list server '8.8.8.8'
	list server '4.4.4.4'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option ra 'server'
	option ra_management '1'
	option start '50'
	option limit '175'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option mac '00:D2:6D:9F:A6:92'
	option ip '192.168.4.202'
	option name 'msi'
	option dns '1'

config dhcp 'veth2'
	option leasetime '12h'
	option interface 'veth2'
	option start '90'
	option limit '99'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

config dhcp 'iot'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'iot'

config dhcp 'work'
	option interface 'work'
	option start '100'
	option limit '150'
	option leasetime '12h'
--------------------------------------------------------------------------------
/configs/gateway/etc/config/firewall:
--------------------------------------------------------------------------------
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option name 'External SSH'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Allow DNS/DHCP for Guest'
	option dest_port '67 68 53'
	list proto 'tcp'
	list proto 'udp'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'google googlev6'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config zone
	option name 'iot'
	option input 'REJECT'
	option network 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'iot'

config rule
	option target 'ACCEPT'
	option name 'Allow DNS/DHCP for IOT'
	option dest_port '53 67 68'
	option src 'iot'
	list proto 'tcp'
	list proto 'udp'

config zone
	option name 'work'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'work'

config forwarding
	option src 'work'
	option dest 'wan'

config rule
	option name 'Allow DNS/DHCP for Work'
	option src 'work'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
  ii. moral rights retained by the original author(s) and/or performer(s);
  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
--------------------------------------------------------------------------------
/configs/gateway/etc/config/banip:
--------------------------------------------------------------------------------
config banip 'global'
	option ban_basever '0.3'
	option ban_enabled '1'
	option ban_automatic '0'
	option ban_realtime 'true'
	option ban_iface 'google googlev6'

config banip 'extra'
	option ban_debug '0'
	option ban_maxqueue '4'
	option ban_nice '0'
	option ban_backupdir '/tmp'
	option ban_sshdaemon 'dropbear'

config source 'whitelist'
	option ban_src '/etc/banip/banip.whitelist'
	option ban_src_6 '/etc/banip/banip.whitelist'
	option ban_src_desc 'Always allow these IPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add whitelist \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add whitelist_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'blacklist'
	option ban_src '/etc/banip/banip.blacklist'
	option ban_src_6 '/etc/banip/banip.blacklist'
	option ban_src_desc 'Always deny these IPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add blacklist \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add blacklist_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'bogon'
	option ban_src 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt'
	option ban_src_6 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt'
	option ban_src_desc 'Bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned to ISPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add bogon \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add bogon_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'DoH'
	option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt'
	option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt'
	option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'tor'
	option ban_src 'https://check.torproject.org/exit-addresses'
	option ban_src_desc 'List of Tor Exit Nodes (IPv4)'
	option ban_src_rset '/^(ExitAddress ([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add tor \"\$2}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'threat'
	option ban_src 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
	option ban_src_desc 'Emerging Threats (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add threat \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'debl'
	option ban_src 'https://www.blocklist.de/downloads/export-ips_all.txt'
	option ban_src_6 'https://www.blocklist.de/downloads/export-ips_all.txt'
	option ban_src_desc 'Fail2ban reporting service (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add debl \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add debl_6 \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'myip'
	option ban_src 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
	option ban_src_6 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
	option ban_src_desc 'IP blacklist provided by myip.ms (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add myip \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add myip_6 \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'yoyo'
	option ban_src 'https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext'
	option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'sslbl'
	option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
	option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)'
	option ban_src_rset 'BEGIN{FS=\",\"}/(([0-9]{1,3}\.){3}[0-9]{1,3},).*/{print \"add sslbl \"\$2}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'ransomware'
	option ban_src 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
	option ban_src_desc 'Ransomware Tracker by abuse.ch (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add ransomware \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'feodo'
	option ban_src 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt'
	option ban_src_desc 'Feodo Tracker by abuse.ch (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add feodo \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'dshield'
	option ban_src 'https://feeds.dshield.org/block.txt'
	option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'proxy'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset'
	option ban_src_desc 'List of Open Proxies (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add proxy \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'iblocklist'
	option ban_src 'https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz'
	option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'drop'
	option ban_src 'https://www.spamhaus.org/drop/drop.txt'
	option ban_src_6 'https://www.spamhaus.org/drop/dropv6.txt'
	option ban_src_desc 'Spamhaus drop compilation (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add drop \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add drop_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'edrop'
	option ban_src 'https://www.spamhaus.org/drop/edrop.txt'
	option ban_src_desc 'Spamhaus edrop compilation (IPv4)'
	option
ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add edrop \"\$1}' 178 | option ban_src_settype 'net' 179 | option ban_src_ruletype 'src' 180 | option ban_src_on '1' 181 | option ban_src_on_6 '0' 182 | 183 | config source 'firehol1' 184 | option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset' 185 | option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)' 186 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}' 187 | option ban_src_settype 'net' 188 | option ban_src_ruletype 'src' 189 | option ban_src_on '1' 190 | option ban_src_on_6 '0' 191 | 192 | config source 'firehol2' 193 | option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset' 194 | option ban_src_desc 'Firehol Level 2 compilation. Contains blocklists that track attacks, during the last 48 hours (IPv4)' 195 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol2 \"\$1}' 196 | option ban_src_settype 'net' 197 | option ban_src_ruletype 'src' 198 | option ban_src_on '1' 199 | option ban_src_on_6 '0' 200 | 201 | config source 'firehol3' 202 | option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset' 203 | option ban_src_desc 'Firehol Level 3 compilation. 
Contains blocklists that track attacks, spyware and viruses (IPv4)' 204 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol3 \"\$1}' 205 | option ban_src_settype 'net' 206 | option ban_src_ruletype 'src' 207 | option ban_src_on '1' 208 | option ban_src_on_6 '0' 209 | 210 | config source 'firehol4' 211 | option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset' 212 | option ban_src_desc 'Firehol Level 4 compilation. May include a large number of false positives (IPv4)' 213 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol4 \"\$1}' 214 | option ban_src_settype 'net' 215 | option ban_src_ruletype 'src' 216 | option ban_src_on '0' 217 | option ban_src_on_6 '0' 218 | 219 | config source 'country' 220 | option ban_src 'https://stat.ripe.net/data/country-resource-list/data.json?resource=' 221 | option ban_src_6 'https://stat.ripe.net/data/country-resource-list/data.json?resource=' 222 | option ban_src_desc 'Build a dynamic IPSet by country iso codes based on RIPE data (IPv4/IPv6)' 223 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add country \"\$1}' 224 | option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add country_6 \"\$1}' 225 | list ban_src_cat 'de' 226 | option ban_src_settype 'net' 227 | option ban_src_ruletype 'src' 228 | option ban_src_on '0' 229 | option ban_src_on_6 '0' 230 | 231 | config source 'asn' 232 | option ban_src 'https://stat.ripe.net/data/announced-prefixes/data.json?resource=' 233 | option ban_src_6 'https://stat.ripe.net/data/announced-prefixes/data.json?resource=' 234 | option ban_src_desc 'Build a dynamic IPSet by ASN numbers based on RIPE data (IPv4/IPv6)' 235 | option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add asn \"\$1}' 236 | option 
ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add asn_6 \"\$1}' 237 | list ban_src_cat '32934' 238 | option ban_src_settype 'net' 239 | option ban_src_ruletype 'src' 240 | option ban_src_on '0' 241 | option ban_src_on_6 '0' 242 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Openwrt with Vlans for home networking 2 | 3 | How I setup my in-home network with VLans using OpenWRT 4 | 5 | ## Introduction 6 | 7 | As a professional in the devops and software development fields, I 8 | spent a fair amount of my own time keeping up to date with the 9 | developments in the field. I also enjoy hacking around with systems. 10 | 11 | As such, I have spent a lot of time following the OpenWRT router 12 | project. This project provides open source firmware for many varieties 13 | of router. I have my home configured with a couple of OpenWRT 14 | installations which allow me to do some more sophisticated than normal 15 | network configurations. 16 | 17 | Several of my friends and colleages have asked me about my 18 | configuration, so I have documented it here. Please note: The usual 19 | caveat about modifying your own hardware applies - this is an example 20 | and should not be used verbatim. I can not be held responsible if you 21 | brick your router or lock yourself out! 22 | 23 | If you are not interested in advanced home networking, or you lack 24 | computer skills this guide probably isn't for you. 25 | 26 | ### What is OpenWRT? 27 | 28 | [OpenWRT](https://openwrt.org/) is a suite of tooling and packages 29 | which allow you to replace stock firmware on a commerical home or soho 30 | router with a customized version. This is a very good thing if you are 31 | a professional in the software or IT space, or just have an interest in 32 | leveraging more sophisticated firmware. 
It is also (despite recently
found issues) widely regarded as being more secure than default vendor
firmware, which has been plagued by backdoors, default credentials,
out of date packages with known vulnerabilities, etc.

OpenWRT uses a Linux kernel and userspace, along with a highly
sophisticated "buildroot" toolchain which provides many hundreds of
pre-packaged applications. Part of the toolchain is an "imagebuilder"
tool which allows you to easily make customized images for your
hardware.

OpenWRT supports an optional GUI called "LuCI" which, although not
required, makes it somewhat easier to understand complex setups.

For a brief time OpenWRT was known as LEDE, and sometimes you will see
that name in this guide. At the time of writing I am using OpenWRT
`19.07.1`.

### What is a VLan and why do I care?

A VLan is a Virtual Network (software defined network) running on top
of your physical network layer. VLan packets are normal Internet
Protocol (IP) packets with an additional field in the header
containing a VLan number. VLans are isolated from each other such that
packets on VLan 1 will not be seen by VLan 2. See
[VLans](https://en.wikipedia.org/wiki/Virtual_LAN) for more
information.

This allows, for example, separation of my personal and work computers
by putting them into different VLans. The VLan containing my work
computer is allowed to reach out to the internet but not to open a
connection to my personal PC, and vice versa. In the event that one of
them became infected by a virus, the other would be isolated from
it, thus limiting the "splash damage" of the infection.

VLan ports appear under Linux as a virtual port `.x` after the
ethernet port number, e.g. `eth0.2` is VLan 2 on port `eth0`.
A packet
without a VLan tag sent to `eth0.2` will automatically be tagged with
VLan ID 2 and then exit physical port `eth0`, and a packet received on
port `eth0` with a VLan ID tag of 2 will exit `eth0.2`.

Physical ports like `eth0` that carry multiple VLan ports are called "VLan
trunks" and are often used between routers or switches. This is how
VLans are preserved across my network of the gateway (SFF), WiFi AP
and managed switches, as their interconnections are configured as VLan
trunks.

### What is a VPN?

A VPN (Virtual Private Network) is a different form of virtual network. Like a VLan it
is a software defined overlay network, but unlike VLans it uses
encryption to traverse untrusted 3rd party networks. VPNs are often
used to connect a business computer in your home to the office, or
to connect geographically distributed sites over the internet.

## How is my network configured?

I am lucky enough to have a Google Fiber 1G up/down symmetrical fiber
connection. This connection enters my house as fiber and is
immediately converted to 1G ethernet via a dumb fiber-to-ethernet
converter. One advantage of that is that I can bin the Google head
unit/router/wifi and replace it with my own. So that is what I did.

### Firewall/Gateway router

I used a SFF X86 PC similar to this one:

![SFF PC Image](https://images-na.ssl-images-amazon.com/images/I/71e%2BCVuYOxL._AC_SL1500_.jpg)

[Protectli Vault 4 Port, Firewall Micro Appliance/Mini PC - Intel Quad Core, AES-NI, 8GB RAM, 120GB mSATA SSD
by protectli](https://www.amazon.com/dp/B07G9NHRGQ/ref=cm_sw_em_r_mt_dp_U_6MZMEbBEDB98D)

These are sold barebones (no RAM, SSD, or software), populated but
without software, or often with pfSense. pfSense is an alternative
firmware for customized firewalls, and widely regarded as easier to
use than OpenWRT.
As, however, I was partly using this as a learning
exercise, I wanted to use the less friendly version. I also wanted to
use a consistent router OS across my LAN (more on this later).

If you buy one, make sure it supports the AES-NI instructions as they
help accelerate some functions like VPNs.

Installing OpenWRT on this box is trivial: boot the box off a USB
stick with Linux on it, download the x86-64 image from OpenWRT, and image
it onto the internal drive. Remove the USB stick and
reboot. Conveniently, these SFF boxes have a VGA out so you can
connect a screen and troubleshoot if anything goes wrong. More details
[from
OpenWRT](https://openwrt.org/docs/guide-user/installation/openwrt_x86).

If you have a large SSD, you may want to consider partitioning it or
expanding the file system to match.

In order to have this work with the Google fiber connection, Google
needs two "magic" numbers set on the port connected to their
service:

```
VLAN = 2
Ethernet QoS = 3
```

These two magic numbers need to be set in OpenWRT, and this is where
the first part of customization begins (see below).

### VLan capable managed switches

The next component in my home LAN is a 1G x 8 managed switch. Mine are similar to these:

![Netgear Managed Switch Image](https://images-na.ssl-images-amazon.com/images/I/61TAP3WjZyL._AC_SL1500_.jpg)

[NETGEAR 8-Port Gigabit Smart Managed Plus Switch (GS308E)
by Amazon.com](https://www.amazon.com/dp/B07PLFCQVK/ref=cm_sw_em_r_mt_dp_U_B0ZMEb3T0PQNG)

The important characteristics to note are that the switch MUST be "managed"
and MUST support "Basic VLAN & QoS". These switches are also available
with Power-Over-Ethernet (PoE), which is particularly useful for
devices like security cameras, or can power a Raspberry Pi 4 computer.


I have two of these, and I will explain the configuration below.

### WiFi access point and Router

The last component in my home network is a WiFi router. Note that the
SFF PC does not have WiFi capability. Some do, but don't do it as well
as commercial ones. I chose my home router very carefully as I wanted
to ensure that all the components are well supported by OpenWRT.

![NETGEAR Nighthawk X4S Smart WiFi Router Image](https://images-na.ssl-images-amazon.com/images/I/511vIJ3EhLL._AC_SL1370_.jpg)

[NETGEAR Nighthawk X4S Smart WiFi Router (R7800) - AC2600 Wireless
Speed (up to 2600 Mbps) | Up to 2500 sq ft Coverage & 45 Devices | 4 x
1G Ethernet, 2 x 3.0 USB, and 1 x eSATA
ports](https://www.amazon.com/dp/B0192911RA/ref=cm_sw_em_r_mt_dp_U_i6ZMEbBK613V5)

The first thing I did after unboxing and powering on this router was
to use the built-in firmware upgrade function to replace the firmware
with OpenWRT. This was an extremely easy and quick process. As a
bonus, I can use one of the onboard USB ports to power the
fiber-to-ethernet converter and get rid of a wall-wart.

### Uninterruptible Power Supplies

It is important in the region I am in to have an Uninterruptible Power
Supply (UPS). All of my routers and switches and my main PC are on
UPS. This allows me to continue working during short power outages,
protects the equipment from surges, and allows for a controlled
shutdown during longer outages.

## Configuration

My desired configuration is to have multiple VLans in the house, each of which is isolated from the others.

* VLan-2 is required by Google for the upstream link. All packets exiting the SFF router to the fiber-to-ethernet adapter are required to be tagged with VLan-2, QoS-3
* VLan-3 is my guest network.
  Devices on this network may only access the internet and not devices on the other VLans.
* VLan-4 is my Internet-of-Things (IoT) network. This is where I put all of my devices like Nest Thermostats, Security Cameras etc.
* VLan-5 is my work network, where my corporate provided Macbook lives

Although IPv6 is enabled on my configuration, I will keep this configuration to IPv4 only for simplicity.

Each VLan also has a corresponding WiFi SSID on the 2.4 GHz and 5 GHz
bands on the WiFi access point. Whilst it is possible to also
run a WiFi AP signon page, my guest network uses a WiFi password which
is known to my friends.

### Firewall/Internet Gateway Router configuration

#### Core configuration

The ethernet port mapping and network configuration is as follows:

![Gateway GUI Showing VLans](images/gateway-luci-vlans.png)

My gateway system configs are:

* [System Config](configs/gateway/)

Notes:

* Ethernet port `eth1` is the wired LAN
* The WiFi access point is connected to ethernet port `eth3`
* `eth1` and `eth3` are in a bridge for the LAN
* The `eth1` and `eth3` ports are configured as
  VLan Trunks. This means they support multiple VLans for ingress, and
  for egress they have VLan virtual interfaces like `eth3.1`
* The network has several subnets. `192.168.4.1` is the primary LAN,
  but the guest network is on `192.168.3.1`. This allows us to
  separate them in the firewall.

#### Firewall configuration

![Gateway GUI showing Firewall Zones](images/gateway-luci-firewall.png)

Note that the firewall rules between zones prohibit traffic by default. This is
overridden by extra rules to ensure that only the correct VLan routes
are enabled. DHCP is specifically allowed so that all the
VLans/Subnets may reach the DHCP server.


* [Firewall config](configs/gateway/etc/firewall)

#### Google Upstream link

In order to communicate correctly with the Google upstream servers,
on every boot the SFF PC needs to set the VLan and QoS on the network
interface; in my case `eth0` is the one connected to the Google fiber,
so I aliased it to `google`.

The script below achieves this. You also need to install the full version of
the `ip` tool, as OpenWRT defaults to a cut-down simpler version. This
can be done from the LuCI GUI System/Software menu or from the command
line. I am using SSH to the gateway here; that can also be configured
in LuCI, but I recommend not enabling SSH on the WAN interface at this
point.

```shell
root@LEDE:/etc/hotplug.d/iface# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/x86/64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/x86/64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/telephony/Packages.sig
Signature check passed.
root@LEDE:/etc/hotplug.d/iface# opkg install ip
Package ip-full (5.0.0-2.1) installed in root is up to date.
```

Create the script in the hotplug.d/iface directory and it will be
executed every time the `google` interface comes up.


```shell
root@LEDE:/etc# cd hotplug.d/iface/
root@LEDE:/etc/hotplug.d/iface# ls -l
-rw-r--r-- 1 root root 155 Jan 29 16:05 00-netstate
-rw------- 1 root root 336 Jan 29 16:05 20-firewall
-rw-r--r-- 1 root root 1618 Feb 11 12:41 20-ntpclient
-rw-r--r-- 1 root root 990 Feb 20 08:17 50-miniupnpd
-rwxr-xr-x 1 root root 204 Feb 11 12:41 95-ddns
-rwxr-xr-x 1 root root 220 Feb 17 01:02 99-google
root@LEDE:/etc/hotplug.d/iface# cat 99-google
#!/bin/sh
[ "${ACTION}" = "ifup" -a "${INTERFACE}" = "google" ] && {
	logger -t hotplug "Device: ${DEVICE} / Action: ${ACTION} google enable performance mode"
	/sbin/ip link set eth0.2 type vlan id 2 egress 0:3
}
```

### Switch Configuration

I have two managed switches in my network, one downstairs (#1) and one
upstairs (#2). The first switch (#1) has one port connected to the SFF
gateway port `eth3`, and that port is configured as a VLan Trunk port
on both sides. The second switch is connected to port 8 of the first;
although I could have used a port on the SFF gateway, this was slightly
more convenient for me.

Remember, VLan-2 is reserved for the Google uplink.

So the configuration on that switch is as follows:

Port | VLans
---- | ------
1 | 1,3,4,5 - Uplink VLan trunk to gateway `eth3`
2 | 3 - Guest
3 | 4 - IOT - Solar Power controller
4 | 4 - IOT - Switch TV
... | ...
7 | 1 - LAN
8 | 1,3,4,5 - Downlink VLAN trunk to switch #2

Switch #2 is configured similarly, with Port 1 being its uplink to switch
#1.

Note that any device plugged into a port with a single VLan tag will
have all its packets tagged with that VLan. This is how non-VLan aware
devices are introduced into a VLan enabled network.
Similarly, as a
packet tagged with the VLan exits that port, the VLan tag will be
_removed_.

### WiFi AP configuration

The WiFi Access Point I use (Netgear Nighthawk X4S R7800) is a very
sophisticated and expensive piece of equipment. Needless to say, I
voided the warranty immediately.

This device has a [dual core ARMv7 processor at its heart, 512M of RAM
and 128M of flash](https://openwrt.org/toh/netgear/r7800). It is a
beast! It is also extremely well supported by OpenWRT. One very nice
feature is a built-in fallback mode which makes it very easy to
recover if you "brick" it while flashing OpenWRT.

In addition to the core CPU, it has a dual band WiFi radio and an
internal/external 1G switch with 4 external ports, 2 CPU ports and a
WAN uplink port. The WiFi radios are attached to the CPU's internal PCI
bus.

As with the configuration on the managed switches, the "WAN"
port on the Netgear is configured as a VLan trunk port and is attached
to the `eth1` port on the gateway SFF. Note that in the gateway bridge
configuration the `lan` bridge contains the `eth1` port, not `eth1.x`,
so the bridge includes *all* the VLans on `eth1`. This also means that
the VLan tags are preserved and not stripped as they would be for an
`ethx.y` interface.

![Switch config luci](images/netgear-luci-switch.png)

[Switch config](configs/netgear/etc/config/network)

It is configured with multiple SSIDs, one per VLan. Each SSID tags
packets with the corresponding VLan ID because it is bridged with the
corresponding VLan virtual port on the uplink trunk connector. For
example, the Guest SSID is configured to be bridged to `eth0.3`, where
`eth0` is the WAN port connected to the gateway. So the gateway will
see any WiFi client connected to the "Guest" SSID as VLan 3.
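The two Google "magic" numbers (VLAN = 2, Ethernet QoS = 3), the hotplug rule `ip link set eth0.2 type vlan id 2 egress 0:3`, the Guest SSID bridged to `eth0.3`, and the tag stripping at a single-VLan switch port all come down to one 4-byte 802.1Q header on the wire. The Python below is an added example, not code from this repository: it builds and parses that header for constructed sample frames, assuming the standard 802.1Q layout (TPID 0x8100, then 3-bit PCP, 1-bit DEI, 12-bit VID); the frame bytes and the `{0: 3}` priority map are constructed here.

```python
"""802.1Q tagging as the gateway, access point and switches in this guide do it.

Added example, not part of the original repository. Models what the hotplug rule
`ip link set eth0.2 type vlan id 2 egress 0:3` makes the kernel emit towards
Google Fiber (VID 2, PCP 3), what the AP emits for a Guest client bridged to
`eth0.3` (VID 3), and what an access port does when it strips the tag on egress.
All frames below are constructed sample data.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack PCP (3 bits), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("vid must be 0..4095, pcp 0..7, dei 0..1")
    return (pcp << 13) | (dei << 12) | vid


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 802.1Q header after the two MAC addresses (what ethX.N does on egress)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame is already tagged")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp)) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return the VLAN fields (None when untagged) plus the inner EtherType."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "vid": None, "pcp": None, "dei": None,
    }
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF, ethertype=inner)
    else:
        info["ethertype"] = ethertype
    return info


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q header (what a single-VLan access port does on egress)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def egress_priority(skb_priority: int, egress_map: dict) -> int:
    """Apply an `egress FROM:TO` map such as the hotplug rule's `egress 0:3`.

    FROM is the kernel's skb priority, TO the PCP written into the tag;
    unmapped priorities get PCP 0 (constructed simplification of the kernel map).
    """
    return egress_map.get(skb_priority, 0)


# Constructed sample: minimal untagged IPv4 frame (dst MAC, src MAC, EtherType, dummy payload).
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)


def google_uplink_frame(frame: bytes = UNTAGGED, skb_priority: int = 0) -> bytes:
    """Tag as eth0.2 does after `egress 0:3`: VID 2, PCP 3 for priority-0 traffic."""
    return tag_frame(frame, vid=2, pcp=egress_priority(skb_priority, {0: 3}))


def guest_ssid_frame(frame: bytes = UNTAGGED) -> bytes:
    """Tag as the AP's Guest SSID bridge to eth0.3 does: VID 3, default priority."""
    return tag_frame(frame, vid=3)


if __name__ == "__main__":
    print(parse_frame(google_uplink_frame()))       # vid 2, pcp 3
    print(parse_frame(guest_ssid_frame()))          # vid 3, pcp 0
    print(parse_frame(strip_tag(guest_ssid_frame())))  # untagged again
```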

![Netgear SSIDs](images/netgear-luci-ssid.png)

* [Network config](configs/netgear/etc/config/network)
* [Wireless config](configs/netgear/etc/config/wireless)

All traffic is routed to the gateway so that I can keep my firewall
rules centralized.

* [Firewall Config](configs/netgear/etc/config/firewall)

## Captain's Log, supplemental

Here I list some additional configuration I have in my network.

On the gateway:

* [banip](banip.md) A utility to autoban IPs from which multiple login attempts are made
* [ntpclient](ntpclient.md) Keep your clocks in sync, very useful for log aggregation
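Each source in the gateway's banip config (`configs/gateway/etc/config/banip` above) carries a `ban_src_rset` awk program that turns one feed line into one ipset `add` command, and the line layouts differ per feed: bare address, address/prefix, the Tor `ExitAddress` records, DShield's tab separated start/end/netmask columns, and the abuse.ch SSL CSV. The Python below is an added example, not banip's own code: it transliterates five of those awk programs (`[[:space:]]` becomes `\s`, `$N` becomes a 1-based field pick) and runs them over constructed sample lines, plus an optional validation step the awk does not perform.

```python
"""Mirror of five ban_src_rset awk programs from configs/gateway/etc/config/banip.

Added example, not banip's own code. The awk regex only tests the *shape* of an
address, so a line like 300.1.1.1 passes it and is only rejected later by ipset;
validate=True drops such entries up front. All feed lines here are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

IPV4 = r"([0-9]{1,3}\.){3}[0-9]{1,3}"
CIDR = r"(/[0-9]{1,2})?"


@dataclass(frozen=True)
class Rset:
    """One source: the line regex, the awk field separator and which field(s) form the entry."""
    pattern: re.Pattern
    pick: Callable[[List[str]], str]
    fs: Optional[str] = None        # None -> awk default: runs of whitespace


def _field(n: int) -> Callable[[List[str]], str]:
    """awk $n is 1-based."""
    return lambda fields: fields[n - 1]


# Transliterations of the ban_src_rset programs in the banip config.
RSETS = {
    # 'ip' set: bare address followed by whitespace or end of line, nothing else
    "feodo": Rset(re.compile(rf"^({IPV4})(\s|$)"), _field(1)),
    # 'net' set: address or address/prefix
    "firehol1": Rset(re.compile(rf"^({IPV4}{CIDR})(\s|$)"), _field(1)),
    # Tor exit list: "ExitAddress <ip> <timestamp>", the address is the 2nd field
    "tor": Rset(re.compile(rf"^(ExitAddress {IPV4})(\s|$)"), _field(2)),
    # DShield block.txt: start<TAB>end<TAB>netmask... -> "<start>/<netmask>"
    "dshield": Rset(re.compile(rf"^({IPV4})(\s|$)"),
                    lambda fields: f"{fields[0]}/{fields[2]}"),
    # abuse.ch SSL blacklist CSV: Firstseen,DstIP,DstPort -> 2nd comma field
    "sslbl": Rset(re.compile(rf"({IPV4},).*"), _field(2), fs=","),
}


def feed_to_ipset(source: str, lines: Iterable[str], validate: bool = False) -> List[str]:
    """Turn feed lines into `add <source> <entry>` lines the way the awk program would."""
    rset = RSETS[source]
    out: List[str] = []
    for line in lines:
        if not rset.pattern.search(line):       # awk /re/ matches anywhere in the line
            continue
        fields = line.split(rset.fs) if rset.fs else line.split()
        entry = rset.pick(fields)
        if validate:                            # added check: is this something ipset accepts?
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue
        out.append(f"add {source} {entry}")
    return out


# Constructed sample feed lines (documentation ranges, not real feed contents).
SAMPLE_FEEDS = {
    "feodo": ["# Feodo Tracker blocklist", "203.0.113.5", "203.0.113.6/32", "300.1.1.1"],
    "firehol1": ["# firehol_level1", "198.51.100.0/24", "203.0.113.7"],
    "tor": ["ExitNode 0123ABCD", "Published 2020-02-20 08:00:00",
            "ExitAddress 203.0.113.9 2020-02-20 09:05:00"],
    "dshield": ["# DShield block list", "Start\tEnd\tNetmask\tAttacks",
                "192.0.2.0\t192.0.2.255\t24\t1234"],
    "sslbl": ["# Firstseen,DstIP,DstPort", "2020-02-20 10:00:00,203.0.113.11,443"],
}


if __name__ == "__main__":
    for name, lines in SAMPLE_FEEDS.items():
        print(name, feed_to_ipset(name, lines, validate=True))
```

Note that the `feodo` rule silently skips `203.0.113.6/32`: an 'ip' set regex requires whitespace or end of line right after the fourth octet, so a feed that starts emitting prefixes stops contributing entries without any error.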