Most of these things might be fine, providing it's personal use and you're not making malware or pirated material publicly available (safe havens, indemnification and all that) - it might be something where we will have to review in your case.
I assume this refers mainly to HTTP/FTP. The web server requires authentication globally (only on the external NIC, not LAN since Windows Update is cached and served from here to 5 or 6 home PCs to prevent multiple downloads of the same updates. More on this later.) so the public will only see a login prompt.
TS Gateway I understand - I used to run such a thing myself although I've moved away from that now to Teamviewer so that it's less complicated.
I'm pretty satisfied with TS Gateway as it allows me to directly connect to any PC in my LAN from a public location with the intranet FQDN of the PC. E.g. cerebro.intranet.earth-616.com, where earth-616.com points to my public IP with DynDNS and my home PCs are all in *.intranet.earth-616.com.
Allowing other users to tunnel from another ISP for the purpose of using your connection as a proxy is probably not allowed
This would make me legally liable too, thus SSH/VPN access would be only for myself. Any access granted to others would probably be only for a subfolder or something via HTTP and for a very short duration as and when required.
From your end it shouldn't matter how you connect - the CPE handles all the connections, there's no bridging or dialing up from your PC involved, so using a combination of PPPoE and 802.1x won't affect any port bindings, especially since (I presume) you'll be running some kind of DynDNS client and all you'll have to do is forward the ports in the router.
I'll explain in detail why I want a public IP address directly on my NIC. I don't think our broken conversation on Twitter made anything sufficiently understandable.
I don't intend to use a CPE; only a media converter or a fiber NIC if I can find an affordable one. NAT is unsuitable for me as there are three heavy downloaders at home and the line will choke and latencies will spike.
I bought a cheap dedicated box as a router/download rig which I leave on 24x7. I run all my servers on it including intranet DNS, DHCP, VPN etc. and also use it as the internet gateway for the entire LAN.
I don't use NAT for the LAN PCs; there is no default gateway defined on them. There's only the firewall client installed on each PC that apparently hooks the network stack & transparently routes all connections through the gateway and internet access is granted based on the client's current Windows username/password by automatically authenticating with the gateway (someone technically sound might abhor this draconian method but at home no one will know the difference...so). Thus QoS, maximum simultaneous connections and any other restrictions are applied on a per-user basis and will carry over to any PC in the house where the user logs in. Everything is configured on the gateway.
From what I can tell this is not insecure like a captive portal and cannot be bypassed by any means. All traffic between firewall clients and the gateway also happens to be encrypted so there can be no sniffing of internet destined traffic.
I've got two vlans: vlan1 & vlan2 (yes they are isolated and not simply a different subnet). The gateway has a NIC on each vlan. Most wired PCs and all WiFi access points are in vlan2. vlan2 has no NAT access. Windows PCs in vlan2 must use the firewall client for internet access. My WiFi uses 802.1x so instead of a WPA key users must enter their Windows username/password which is authenticated against the RADIUS server on the gateway. Once connected to the WiFi, they are put in vlan2 and must use the firewall client and have a valid internet-enabled Windows username/password to gain internet access.
Linux PCs/mobile phones etc. which can't run the firewall client must first connect to vlan2 (physically wired/WiFi), and then PPP or VPN into the gateway. VPN requires logging in with a valid Windows username/password and the gateway recognizes them as that user and their same internet access policy applies as if they had used the firewall client directly from vlan2. Due to the nature of VPNs, no spoofing/sniffing can be done and the internet access policy cannot be bypassed.
vlan1 has NAT access (through another NIC on the same gateway box). Other devices like the PSP, PS3 etc. which can only connect via NAT must be physically plugged into vlan1 switch ports or connect to a non-broadcasting WPA protected access point that is plugged into vlan1 whose existence is known only to me.
Correct addresses for each vlan are assigned via the same DHCP server depending on the incoming NIC. The gateway also does LAN routing between the two vlans and an appropriate static route for the two subnets is distributed along with the DHCP response.
The ADSL modem is plugged into vlan1 (to prevent vlan2 users messing with it) and is only configured as an EoA bridge to expose the ISP side ethernet to the local network. The gateway then connects via PPPoE since it can now see the PPP server on the ISP. Ideally I think I should be using a separate NIC on the gateway to connect the modem since now the ISP can potentially access vlan1, but I don't really care about my PS3 traffic and since vlan1 is physically under my control no one is going to secretly dial a PPPoE connection to the ISP either and bypass the firewall.
The reason I need a public IP directly on my NIC is I want some servers and services to bind only to the public IP. This is not possible with PPPoE since it doesn't qualify as a NIC. For example I need the web server to require NTLM authentication on the public interface, but not on the LAN interface. If you had 802.1x authentication, I would directly enter my Hayai username/password in the network adapter properties and it would authenticate against the same RADIUS servers that you use for PPPoE. There would be no dialing or other nonsense. The internet would register as a proper network, as it SHOULD. It's also so much easier to release/renew IP with a script and automate the process in jDownloader for link-removed etc. I pay for DynDNS pro and for Custom DNS servers so I would also be able to instantly update my A records using TSIG instead of having that stupid 10 minute delay of the official client because PPPoE disconnections can't be monitored properly.
AFAIK you will already need to provide this kind of connection method to corporate clients, either allowing them to authenticate via 802.1x or by using some kind of intermediate device running wpa_supplicant that automatically performs authentication and then bridges the pre-authenticated network to their switch. I presume any mid-range linux based CPE will have wpa_supplicant. Why do you want an additional tunnel inside your ethernet connection anyway? It's not like it's ATM and you need to tunnel EoA. When the WAN port on the CPE is ethernet, I take it the preferred method of authentication must be one from the ethernet protocol suite.
You must think I'm insane to have this setup at home 😀
After administering the above, would you go back to a NAT CPE?
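The TSIG-signed A record update the post mentions, as an added example (not the poster's own script): it reads the address on the WAN NIC, compares it with the record currently published, and only then feeds a signed delete/add transaction to BIND's nsupdate. The interface name wan0, the key path /etc/ddns/earth-616.key and the server ns1.example.net are assumptions; earth-616.com is the domain from the post.

```shell
#!/bin/sh
# Publish the WAN NIC's public IPv4 address as an A record using a TSIG-signed
# dynamic update (RFC 2136 + RFC 2845), run from cron or a NIC up/down hook.
# Assumed names (not from the post): wan0, /etc/ddns/earth-616.key, ns1.example.net.
ZONE="earth-616.com."
HOST="earth-616.com."
WAN_IF="${WAN_IF:-wan0}"
KEYFILE="${KEYFILE:-/etc/ddns/earth-616.key}"   # keep mode 0600, root-owned
NS="${NS:-ns1.example.net}"
TTL=60

# Constructed sample of `ip -4 -o addr show dev wan0` output, used for testing.
SAMPLE_IP_OUTPUT='2: wan0    inet 203.0.113.5/24 brd 203.0.113.255 scope global dynamic wan0\       valid_lft 3600sec preferred_lft 3600sec'

# Extract the first global IPv4 address (prefix length stripped) from `ip -o` output.
wan_ipv4() {
  printf '%s\n' "$1" | awk '/ inet / && / scope global/ { sub("/.*", "", $4); print $4; exit }'
}

# Build the nsupdate script: delete any old A record and add the new one in a
# single signed transaction; naming the zone explicitly avoids SOA guessing.
nsupdate_script() {
  printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$NS" "$ZONE" "$HOST" "$HOST" "$TTL" "$1"
}

# Push an update only when we have an address and it differs from the published one.
needs_update() {
  [ -n "$1" ] && [ "$1" != "$2" ]
}

main() {
  cur=$(wan_ipv4 "$(ip -4 -o addr show dev "$WAN_IF")")
  pub=$(dig +short "$HOST" A @"$NS" | head -n 1)
  if needs_update "$cur" "$pub"; then
    nsupdate_script "$cur" | nsupdate -k "$KEYFILE"
  fi
}

if [ "${RUN_DDNS:-0}" = "1" ]; then
  main
fi
```

Run with RUN_DDNS=1; the key file is in the `key "name" { algorithm ...; secret "..."; };` format that nsupdate -k expects.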