ROBIN -  Open Source Mesh Network Forum Index ROBIN - Open Source Mesh Network
users community forum
 

ADSL network setup

 
wowbagger
User
Joined: 15 Jun 2011
Posts: 15

Posted: Wed Jun 15, 2011 6:22 pm    Post subject: ADSL network setup

Hi All,

Some questions regarding networking. (OM1P & open-mesh/cloudtrax).
I have an incoming internet connection via an ADSL run-of-the-mill adsl/wifi router with 4 extra RJ45 ports.
I guess it's the same everywhere, the ADSL has an internet-facing WAN (and adsl connection settings etc), and an internal LAN accessible via the RJ45 ports or via wifi. I generally disable most bells & whistles on the adsl router.
What I do next is hook an OM1P on to the 192.* network via the RJ45 port as the gateway and from there on I put a few repeaters downrange from the gateway to form the mesh network, this works well and all routers hook up to the gateway & sync with the dashboard.
On the ADSL router I configure an incoming port to be forwarded to the gateway node to enable SSH connections via ssl cert to the gateway for config etc. Dashboard shows everything in green.
Via the WAN ip/port I can connect over SSH to my gateway and hop to other online nodes from there. Everything works remarkably well!

Is this the normal way of working or is there another way of doing things when you are limited to a home type of incoming ADSL connection to feed a gateway node?

Thanks!
robgmann
Ultimate User
Joined: 06 May 2009
Posts: 512
Location: Monterey, California USA

Posted: Wed Jun 15, 2011 8:26 pm

I would say that's a fairly normal approach. However, I would suggest that, rather than relying on a generic ADSL router, you use something like a router flashed with dd-wrt or even a Mikrotik 750 router.
Allow ssh access to the router itself, so that as long as the internet connection is up, you can remotely get to that network.
Then, ssh to your gateways from the router.
If you've forwarded ssh to some specific robin gateway, then you'll be out of luck if that device dies or has some problem.
Even if you have to stick with the ADSL router, it might make sense to set some kind of Linux mini-server on that LAN, i.e. even just a dd-wrt device that you can ssh into.

Obviously, I'd say you want to assign static IPs to your gateways to make life a lot easier.
ispyisail
Site Admin
Joined: 12 Sep 2008
Posts: 4604
Location: New Zealand

Posted: Wed Jun 15, 2011 8:31 pm

What firmware version are you using?

Usually with a home router you just open the SSH port then close it again when not required.

VPN is a better option but can be more expensive.

brecklandit
Ultimate User
Joined: 23 Mar 2010
Posts: 717

Posted: Wed Jun 15, 2011 9:00 pm

As a matter of course now we install termination based ipsec vpn - it's an extra $150 on the install, but no issues ever getting SSH access as our firewall has constant routed vpn access to all remote sites.

ispyisail
Site Admin
Joined: 12 Sep 2008
Posts: 4604
Location: New Zealand

Posted: Wed Jun 15, 2011 9:04 pm

Quote:
install termination based ipsec vpn


Hardware? Have you got a link to this device?

brecklandit
Ultimate User
Joined: 23 Mar 2010
Posts: 717

Posted: Thu Jun 16, 2011 8:45 am

We have a Zywall in the Telehouse and use standard Zyxel ADSL routers that support IP-SEC - I think it's the 661h. 661h to 661 also works if only 10 or so VPN links are required.

The 661 is an older router, but you can still get them - although I'm sure newer models are just as feature rich.

We could probably do away with the Zywall and use another Linux box but had the Zywall floating around from a job.

wowbagger
User
Joined: 15 Jun 2011
Posts: 15

Posted: Thu Jun 16, 2011 10:59 am

Thanks for the very good points, it didn't occur to me that having an extra, hardwired dd-wrt device behind the adsl router would be more than beneficial but obviously it does and it will be a lifesaver for sure.
I did run for some time a test setup with a gateway behind an adsl router with port forwarding etc and I must say that the OM1P never died on me requiring a hard reboot, but that was a test setup without any real traffic/clients.
Sadly I can't really do much on the adsl router with incoming internet connection because that device belongs to someone else who is willing to share the connection as they hardly use it, but if I can convince the owner "he won't feel a thing" I will swap it with a dd-wrt adsl device as that makes much, much more sense :)
This mesh isn't going to be a big production, but mainly a setup that will be used for +- 2 months by some people, but it's a long way from where I am and on-site there's no-one there who can do much more than just power cycle a node.

@robgmann
Do you advise to put the gateway/mesh network behind the dd-wrt, or put the dd-wrt & the gateway/mesh on the 192.* network directly behind the adsl router?

@ispyisail
I'm using what came installed on the OM1Ps which is r2694-26/nO 0.5.6-r8.
If I want to open/close the ssh port on the adsl router would that mean I have to expose the admin/config page for that router on the wan side to make the open/close change each time I have to ssh to a node or is there another option?

I don't have much say in what type of internet connection is provided, it'll be "as-is" and I'm expecting it won't be much (telefonica/spain).
But, for a next project I'm asked to do in a few months I'll be setting up a real 24/7 production network in a small hostel, and there I'm able to exactly specify what type of adsl & subscription options are required, a static IP and an entry point adsl router running dd-wrt with OpenVPN seems to be the very basics of what a remote mesh needs.

Thanks already!
wowbagger
User
Joined: 15 Jun 2011
Posts: 15

Posted: Sat Jun 18, 2011 9:08 am

I think by setting it up with the dd-wrt router in the mix and going about all the extra options I might have answered my own question. I think.
It seems most interesting to have the mesh behind the dd-wrt device and not directly on the ADSL subnet, I can use ssh to the dd-wrt and jump from there to the gateway or nodes and use port forwarding when needed etc while all mesh originated traffic will pass through the dd-wrt router adding another highly configurable layer with complete control over the traffic, while the adsl router just needs to be configured to accept an incoming ssh port, forwarded to the dd-wrt router.
ispyisail
Site Admin
Joined: 12 Sep 2008
Posts: 4604
Location: New Zealand

Posted: Sat Jun 18, 2011 9:30 am

Quote:
If I want to open/close the ssh port on the adsl router would that mean I have to expose the admin/config page for that router on the wan side to make the open/close change each time


no

Quote:
is there another option?

yes

ispyisail
Site Admin
Joined: 12 Sep 2008
Posts: 4604
Location: New Zealand

Posted: Sat Jun 18, 2011 9:32 am

Quote:
while the adsl router just needs to be configured to accept an incoming ssh port, forwarded to the dd-wrt router.


yes

but if you leave this port open for long enough bots will find it and start trying to hack in.

wowbagger
User
Joined: 15 Jun 2011
Posts: 15

Posted: Sat Jun 18, 2011 10:42 am

@ispyisail
Yes, that's my concern too.
It's only accepting key based auth, not with just only a password, so that's at least a little harder to get by, but I know it isn't 100% secure.
But as long as it's just bots trying to hack into the key secured sshd I'm not really worried, I see this quite a lot on my websites, when it's bots or script based the pattern of attack is a rapid scan of known vulnerabilities and I just add the ip or range to the blacklist, but my worry is when a dedicated hacker starts prying away at it.

What option would you suggest to harden it?

Thanks!
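Added example, not part of the original thread: one way to automate the "add the ip or range to the blacklist" step from the post above, while never blocking an address that has already logged in with a key (a lockout matters on a site where nobody can do more than power cycle a node). It assumes OpenSSH-style sshd syslog lines on a Linux jump box; the sample log, the thresholds and the function name `blocklist` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH sshd syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Jun 18 10:01:02 jump sshd[311]: Invalid user admin from 198.51.100.23 port 40112
Jun 18 10:01:03 jump sshd[312]: Invalid user test from 198.51.100.23 port 40118
Jun 18 10:01:04 jump sshd[313]: Failed password for root from 198.51.100.23 port 40121 ssh2
Jun 18 10:01:05 jump sshd[314]: Invalid user oracle from 198.51.100.77 port 51810
Jun 18 10:01:06 jump sshd[315]: Invalid user guest from 198.51.100.77 port 51822
Jun 18 10:01:07 jump sshd[316]: Failed password for invalid user pi from 198.51.100.77 port 51830 ssh2
Jun 18 10:02:10 jump sshd[320]: Failed publickey for root from 203.0.113.9 port 50020 ssh2
Jun 18 10:02:11 jump sshd[320]: Failed publickey for root from 203.0.113.9 port 50020 ssh2
Jun 18 10:02:12 jump sshd[320]: Failed publickey for root from 203.0.113.9 port 50020 ssh2
Jun 18 10:02:13 jump sshd[320]: Accepted publickey for root from 203.0.113.9 port 50020 ssh2
Jun 18 10:07:41 jump sshd[330]: Invalid user pi from 192.0.2.44 port 33222
"""

# Assumed message shapes: failed attempts and successful logins.
FAIL = re.compile(r"sshd\[\d+\]: (?:Invalid user \S* from"
                  r"|Failed \S+ for (?:invalid user )?\S+ from) (\S+) port")
OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")


def blocklist(log_text, per_ip=3, per_net=2):
    """Return CIDRs to block; widen to a /24 when several hosts in it are noisy."""
    fails, trusted = Counter(), set()
    for line in log_text.splitlines():
        ok, bad = OK.search(line), FAIL.search(line)
        try:
            if ok:
                trusted.add(ipaddress.IPv4Address(ok.group(1)))
            elif bad:
                fails[ipaddress.IPv4Address(bad.group(1))] += 1
        except ValueError:
            continue  # IPv6 or malformed source address: out of scope here
    nets = defaultdict(list)
    for ip, n in fails.items():
        # An address that has logged in successfully is never blocked.
        if n >= per_ip and ip not in trusted:
            nets[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    out = []
    for net, ips in nets.items():
        # Only widen to the range if no trusted address lives inside it.
        widen = len(ips) >= per_net and not any(t in net for t in trusted)
        out += [str(net)] if widen else [f"{ip}/32" for ip in sorted(ips)]
    return sorted(out)
```

On the sample, the two noisy hosts collapse into one /24 entry, the admin address with three failed key attempts is left alone, and the single stray attempt stays below the threshold.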
ispyisail
Site Admin
Joined: 12 Sep 2008
Posts: 4604
Location: New Zealand

Posted: Sat Jun 18, 2011 11:05 am

* A really long password :)

* VPN

* Public Key Authentication

How far do you want to go?

wowbagger
User
Joined: 15 Jun 2011
Posts: 15

Posted: Sat Jun 18, 2011 1:48 pm

Quote:
* A really long password :)

check!
Quote:
* Public Key Authentication

check!
Quote:
VPN

no check :(

I guess it's possible to set up dd-wrt with OpenVPN and a client, but I haven't done that config before, but there are some good how-tos.
The thing that put me off on that is that it seems to need some thorough port forwarding on the incoming adsl modem but it would be nice to have a vpn connection into the network.

If you happen to have a good how-to, please let me know and thanks for all the support!
All times are GMT + 1 Hour