It appears the AI mesh is still funtional… I may have to test it to see if the ethernet ports still work but I would imagine they do… ok I hope they do…lol
1 Like
Then this is good.
Which firewall did you get?
1 Like
Same as yours… one sec…
1 Like
Nice then im very familiar with it. PAINFULLY familiar lol
In this case looking at your map. Theres no real need for any of that to be on different subnets and IPv6 prefixes… we can still with one. Does that sound like something you would want?
1 Like
If there’s a way to isolate data from the man cave from leaks besides streaming out to fire sticks or smart tv’s… I cant imagine what else I need to Isolate. Anything I run in the lab will probably be VM’s internally connected on the T420… really I’m open to suggestions… Whatever can make it more secure. I will probably shut down external streaming of plex…and possibly shut down any file sharing via the net unless I can find a good way to encrypt it end to end or vpn tunnel…
Isolate how? that devil is in the details here.
1 Like
I have to do that internally I believe. I have a shared drive accessible here at home with some sensitive docs with socials banking records etc… I have to set permissions in ZFS I think to keep it safe.
I just would like to keep access to a minimum. It lives on my Fractal 804 Node on a RAID10Z with hot spare server thats on 24/7 and has a remote B/U I need to set up again with encryption, and dual Local BU on both a WD NAS and the Dell T420 on a ZFS RAIDZ2 partition.
1 Like
I’d say the easiest way to deal with that is firewalls on the server systems themselves to manage what’s open and closed
As for isolating TVs that’s hard. Its usually an all or nothing deal but if you had a dedicated DNS server like pihole you could create DNS groups
In which case you could use DNS to deny access to pages you didn’t want the TV accessing in theory.
Say white list Netflix Hulu and what not but deny all the Phone Home URLs of the manufacturer
It wouldn’t be perfect. It would leak a bit but its a method. But let’s focus on just getting the backbone going first
1 Like
Ok that sounds like a great plan.
I have all the MAC address and no one ever come over so I was hoping to find a way to ONLY allow IP’s or MAC addresses that are known to be able to connect on my network…is that feasible or too much?
I have seen DMZ style networks… is that a useful style for like say a gaming server if I ever decide to host one? Or a webpage? I’m trying to think ahead please reign me in lol
2 Likes
Mac address white listing can be done but its easy to bypass. Very easy
Also it will wreak havoc with any android or apple device that supports WiFi privacy… You’ll need the ability on the devices to select device Mac to deal with the randomization
All my Linux laptops randomize macs for privacy
My AP (BSSID) MAC randomizes as well. Lol so I dont find much use in Mac white or blacklisting
1 Like
got ya… didnt realize…this is why I ask questions lol. Could that be scrambled with a VPN prior to going out the firewall?
I was under the impression MACs were always part of the data stream or packets wether in IP form or some other form.
2 Likes
No reason to scramble a Mac lol…
And no. Macs are permanent. They can be spoofed but the hardware Mac can never permanently be changed particularly with WiFi devices where the standards require them to remain the same (firmware)
Its not a big concern. I wouldn’t worry about Mac white listing and here’s why
If I were to say attack your network. And it kept denying me. I could see the broadcasted denial message about Mac white listing. In which case I’d spoof and continue the attack. Too easy to circumvent… Even with encrypted management frames. Encryption just prevents direct injection
1 Like
Got ya…do you have a fail2ban set up as well… I’ve heard of it but never used it so far.
I really will try to follow your guide and see where I get tripped up.
I’m glad my router at least has a profile setting so I can save and roll back if I need to for when the wife comes home lol.
2 Likes
No. Its a huge PITA. I’m focusing on the other functional bugs ATM.
Fail2ban would have to be someone else’s wheel house
You could make a thread asking what network experience people have to sniff out who the users might be 
1 Like
ROFL my advice. Do it while she’s at work or do it after 1 am … And do some night work.
I have to … Sundays at 230 am…since that’s when nobody is using my stuff
Thats when the glenlivet comes out
1 Like
LOL, well I’m not the only one.
2 Likes
we have all been in that boat. you saw dynamic and I’s discussion about NC and NGINX in the lounge lol
1 Like
That I did. I also need to select a IP range to use, or didnt your guide suggest using IPV6 addressing?
1 Like
wait for the firewall to come before configuring this. Leave your stuff as is unless its arrived
1 Like
Roger it got pushed back… so I’ll probably be installing the OS an such late tonight or early AM tomorrow before chiropractor… then after.
1 Like