Post date: May 13, 2015 10:27:20 PM
The learning process
Well, in most cases art imitates life and life imitates art, but it is time for something new. Instead of applying what I have learned in school, training, and life at work, I am applying knowledge used at work to better our household's technological life. It is quite interesting how many enterprise-class products and services are available free for personal use.
In a typical home environment, Internet access requires a modem of some type, either purchased from or provided by the ISP (Internet Service Provider). These modems usually contain a NAT (Network Address Translation) firewall on the inside, and the higher end units usually include some form of wireless networking support. The firewall on the inside means that you are "supposed" to be managing it: it is not accessible by anyone but you, it is secure, and it is private.
The process begins
It started when I decided to buy a cable modem to save money by no longer renting the old 4 port cable modem from the ISP. The new modem allowed me to have both higher internal and higher external network speeds. Ideally this new device would reduce the number of network devices on my home network and reduce power consumption. After the upgrade of my service was complete, the next step was to reduce power usage by eliminating, as far as possible, my old RV016 switch and firewall.
SIDE NOTE: The features and options on the RV016 make it an incredible device; unfortunately, given the year it was designed, the maximum speed on any interface is 100 Mbps.
After the upgrade was complete, I connected most of the important network items directly to the cable modem, and connected the RV016 to the cable modem as a switch for seldom used devices, as this first illustration depicts, but it was powered off most of the time.
And it gets interesting
Version 1.0 of the network changed as the result of a call to my ISP during a service outage. I found out that the provider has full access, including passwords in plain text (English readable form), to the configuration of the firewall and the WAP (Wireless Access Point), and the ability to view traffic (information) on the inside of the cable modem firewall. I find it interesting that even at home we are not safe from potential vulnerabilities, even though we pay for these services.
Time for change...again...
Taking what I have learned in the enterprise security and virtualization space, and the newly acquired knowledge of my ISP's access, I decided to apply it all to a little home project. I also decided to do some network zoning similar to the original configuration before the upgrades. Instead of putting back the old and slow RV016, I opted for a somewhat fancier solution using VMWare's ESXi product (note: 6.0 is the latest edition), a new home built server (see this article), a multi-port network card, and a new gigabit switch.
Using VMWare on the newly built server (host), I took advantage of the multi-port card to create a little security zoning on the network. Why? Because it's a great way to learn, just for fun, because we can, and it's free!
This second illustration depicts the logical configuration of the new network, where the inside switch and network, also known as an OZ (Operational Zone), are protected from the PAZ (Public Access Zone) by a firewall. You will also note that there are no longer any devices physically connected to the cable modem except the VMWare host, as per the physical diagram below. Although that is the case physically, logically there is one Linux guest (VM) running Ubuntu 14.04 and Minecraft in the PAZ that can be accessed from the Internet.
I also decided to disable the WAP on the cable modem, and replace it with a dedicated EnGenius EAP350 WAP. The WAP allows for a total of four SSIDs (I've created a primary & guest SSID), and it supports SSID-to-VLAN (Virtual LAN) tagging to allow for full guest network traffic segregation. All traffic in this new configuration is fully protected by Zentyal, a Linux based firewall distribution running as a guest on the ESX host. Services include firewall, DNS, DHCP, file sharing, email and much more; I am only using the firewall, DNS, and DHCP services right now.
This third illustration shows the physical configuration of the network. The ESX server has one network connection to the cable modem (outside), one to the 24 port switch (inside), and one to the WAP using VLAN tagging (outside, inside) for traffic segregation of home and guest users. This also allows our house guests access to the Internet via the cable modem firewall.
The Zentyal firewall guest VM has two interfaces, inside and outside, and this allows traffic to pass from the inside to the outside, but not the other way. The NAS guest VM has only an inside interface, and is thus only available to systems on the inside.
The Minecraft Linux guest VM has only one network interface, an outside interface, which exposes the VM to the PAZ. In order for the Minecraft server to communicate with the users on the inside, all communication is passed through the Zentyal firewall. This is not the case for users on our guest network or out on the Internet. For those out on the Internet I have used an option available on most cable modem firewalls, port forwarding, which allows information arriving at the cable modem firewall on the outside to be redirected to a specific server and service on the inside.
Success is measured in smiles
The systems described above have been in operation for a year now and have been fine tuned over that same period. Our friends have been joining us and playing games for almost the same time. I have since installed the beta version of the Minecraft Pocket Edition server, which took some serious work to get functional and to stop crashing continuously. I have had to restrict access, as my son told one friend and it went through his grade like wildfire. No ten year old can appreciate the amount of work that goes into a project of this magnitude, but I have been able to measure the usefulness in smiles. My next article will be on the installation of an Ubuntu 14.04 Linux server (VM), WebAdmin, and the Minecraft server.
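To make the zoning rules above concrete, here is an added example that models the policy as a small stateful packet filter: inside (OZ) to outside is allowed, replies come back, nothing unsolicited reaches the inside, the guest VLAN is isolated from the inside, and the cable modem's port forward exposes only the Minecraft VM in the PAZ. This is illustrative code written for this article, not the Zentyal or cable modem configuration from the project; the addresses, zone names, scenario packets and the WAN address are constructed assumptions, and 25565 is Minecraft's default server port, which the post does not state.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addressing for the zones (assumptions; the post gives no addresses).
ZONES = {
    "inside": ip_network("192.168.10.0/24"),  # OZ: switch, NAS, home devices
    "paz":    ip_network("192.168.1.0/24"),   # cable-modem LAN side, Minecraft VM
    "guest":  ip_network("192.168.20.0/24"),  # guest SSID on its tagged VLAN
}
CABLE_MODEM_WAN = "203.0.113.10"   # constructed public address of the modem
MINECRAFT_VM = "192.168.1.50"      # constructed PAZ host
MINECRAFT_PORT = 25565             # assumption: Minecraft's default port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True  # True for a new connection attempt, False for later segments


def zone_of(addr: str) -> str:
    """Map an address to one of the home zones, or 'internet' if it is in none."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


class ZoneFirewall:
    """Stateful model of the cable-modem port forward plus the zone rules."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, str, int]] = set()  # (client, server, server port)

    def cable_modem_dnat(self, pkt: Packet) -> Packet:
        # Port forward: Internet traffic to the modem's WAN address on the
        # forwarded port is redirected to the Minecraft VM. Nothing else is.
        if pkt.dst == CABLE_MODEM_WAN and pkt.dport == MINECRAFT_PORT:
            return replace(pkt, dst=MINECRAFT_VM)
        return pkt

    def decide(self, pkt: Packet) -> tuple[str, str]:
        """Return (matching rule, 'ACCEPT' or 'DROP') for one packet."""
        pkt = self.cable_modem_dnat(pkt)
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)

        # Replies to a flow the policy already accepted are allowed back in;
        # this is what lets inside-to-outside traffic work without opening
        # the inside to anything unsolicited.
        if (pkt.dst, pkt.src, pkt.sport) in self.flows:
            return "established", "ACCEPT"
        if not pkt.syn:
            return "no-state", "DROP"  # mid-stream segment with no flow entry

        # Ordered rules, first match wins, default deny.
        rules = [
            ("modem-unforwarded", pkt.dst == CABLE_MODEM_WAN, "DROP"),
            ("same-zone", src_zone == dst_zone and src_zone in ZONES, "ACCEPT"),
            ("inside-out", src_zone == "inside", "ACCEPT"),
            ("guest-isolation", src_zone == "guest" and dst_zone != "internet", "DROP"),
            ("guest-internet", src_zone == "guest", "ACCEPT"),
            ("port-forward", src_zone == "internet" and pkt.dst == MINECRAFT_VM
             and pkt.dport == MINECRAFT_PORT, "ACCEPT"),
            ("paz-internet", src_zone == "paz" and dst_zone == "internet", "ACCEPT"),
        ]
        for name, matched, action in rules:
            if matched:
                if action == "ACCEPT":
                    self.flows.add((pkt.src, pkt.dst, pkt.dport))
                return name, action
        return "default-deny", "DROP"


def run_scenarios() -> dict[str, str]:
    """Drive constructed scenarios from the post through the model, in order."""
    fw = ZoneFirewall()
    scenarios = {
        "inside_to_web": Packet("192.168.10.20", "198.51.100.7", 50001, 443),
        "web_reply": Packet("198.51.100.7", "192.168.10.20", 443, 50001, syn=False),
        "internet_to_nas": Packet("198.51.100.9", "192.168.10.30", 40000, 445),
        "guest_to_nas": Packet("192.168.20.5", "192.168.10.30", 40001, 445),
        "guest_to_web": Packet("192.168.20.5", "198.51.100.7", 40002, 80),
        "friend_minecraft": Packet("198.51.100.9", CABLE_MODEM_WAN, 40003, MINECRAFT_PORT),
        "inside_minecraft": Packet("192.168.10.20", MINECRAFT_VM, 50002, MINECRAFT_PORT),
        "minecraft_to_nas": Packet(MINECRAFT_VM, "192.168.10.30", 40004, 445),
        "internet_to_ssh": Packet("198.51.100.9", CABLE_MODEM_WAN, 40005, 22),
    }
    return {name: fw.decide(pkt)[1] for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

The point worth noticing is the "minecraft_to_nas" scenario: because the Minecraft VM sits in the PAZ, a compromise of that Internet-exposed host still leaves it unable to open connections to the NAS on the inside, which is the whole reason for the two-interface firewall between the zones.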
GamerDadster...