Best practice/setup for home servers? (re: VLANs, subnets, etc)

jmk396

I've been running a small home network on a single (unmanaged) switch and everything including my file server is on the same subnet and I have several ports forwarded from the file server to my public ip (eg. sabnzbd webgui, sickbeard webgui, asp.net file manager, etc).

This has been working fine but it does seem a bit unsafe and I've recently "upgraded" to a managed switch (Netgear GS108T) and I've also switched to a business class internet line with five static ip addresses.

What's the best practice/setup for a small home network like mine?

Here's the kind of systems I have:

* Main PC
* File server
* Web servers (externally accessible, used for development)
* Wireless (private)
* Game consoles, satellite receivers, etc.

All of the servers (including the file server) are run from my Hyper-V box but it has Intel Pro/1000 NICs that support VLAN tagging so I have quite a bit of freedom.

My goal is to protect the file server as much as possible but I still need some kind of remote access to my file management tools/services (eg. sabnzbd, etc).

Thanks in advance for any kind of advice!
 
Don't NAT anything to your fileserver and use a VPN to access it?

Otherwise set up a DMZ for your server, and either VPN into the DMZ, or just put it on its own VLAN with ACLs allowing minimal access between it and your home network.
 
Thanks for the reply.

VPN is a good idea... What are my options for VPNs that run strictly over port 443? (SSL VPNs?)

I've been using SSH port forwarding and it works pretty good but a real VPN would certainly be nice too...
 
It depends on how nerdy you want to be. A lot of us Cisco guys have ridiculously complex networks for no real reason.

In the end, make it as complex as you want. The only thing I'm really paranoid about is wireless. I have a separate VLAN for wireless running WPA2, but I also have DHCP reservations handed out and only those IPs are allowed access to anything other than the internet.

My servers have static NAT translations from my pool of five public IPs. They're behind my router, an outside ACL and CBAC. I changed my SSH and RDP ports on all my servers with NAT translations. That really helps limit the brute force hacks.
 
The only thing I'm really paranoid about is wireless. I have a separate VLAN for wireless running WPA2, but I also have DHCP reservations handed out and only those IPs are allowed access to anything other than the internet.
How is that setup? Do you have static routes or something?

EDIT: Also, what about restricting wireless by MAC address? (eg. deny all but allow only the known good devices) Is that pretty fool-proof?
 
My 3725 is the default for everyone on the network, then OSPF between any other routers/switches, no static routes. I'm using an access-list:

Code:
ip access-list extended WIFI_IN
 permit ip host 192.168.37.2 any
 permit ip host 192.168.37.80 any
 permit ip host 192.168.37.81 any
 permit ip host 192.168.37.82 any
 permit ip host 192.168.37.83 any
 permit ip host 192.168.37.84 any
 permit ip host 192.168.37.85 any
 permit ip host 192.168.37.86 any
 permit ip host 192.168.37.87 any
 permit ip host 192.168.37.88 any
 deny   ip 192.168.37.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.37.0 0.0.0.255 any
 permit udp any any eq bootps
 deny   ip any any log

Basically this allows my trusted hosts to access anything, then denies any other wireless IP access to my internal network, then allows access to everything else (the internet).

Edit: To answer your edit, MAC filtering isn't too great, at least not by itself. I think WPA2 is what matters most, then maybe MAC filtering or goofy stuff like I have on top.
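The access-list above is evaluated top-down and the first matching line wins, with IOS adding an implicit "deny ip any any" at the end. To make that concrete, here is an added Python model (not from the thread or from Cisco) that parses an abridged copy of the list, applies IOS wildcard-mask matching, and classifies sample flows. The two trusted hosts kept, the sample destination addresses and the flows are constructed for illustration.

```python
import ipaddress

# Constructed, abridged copy of the WIFI_IN list from the post (two trusted hosts kept).
WIFI_IN = """
permit ip host 192.168.37.2 any
permit ip host 192.168.37.80 any
deny   ip 192.168.37.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.37.0 0.0.0.255 any
permit udp any any eq bootps
deny   ip any any log
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used here


def _take_addr(tok):
    """Pop one IOS address spec off tok and return (base, wildcard) as ints.
    'any' matches everything, 'host A' is exact, 'A W' is A under wildcard W
    (wildcard bits set to 1 are 'don't care', the inverse of a subnet mask)."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    if tok[0] == "host":
        tok.pop(0)
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok.pop(0)))
    return base, int(ipaddress.IPv4Address(tok.pop(0)))


def parse_acl(text):
    """Return [(action, proto, src_spec, dst_spec, dst_port_or_None), ...]."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _take_addr(tok), _take_addr(tok)
        port = None
        if tok and tok[0] == "eq":
            port = PORT_NAMES.get(tok[1]) or int(tok[1])
        entries.append((action, proto, src, dst, port))
    return entries


def _addr_match(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0


def evaluate(entries, proto, src, dst, dport=None):
    """First-match lookup; falls through to the implicit trailing deny."""
    for action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if eport is not None and eport != dport:
            continue
        if _addr_match(esrc, src) and _addr_match(edst, dst):
            return action
    return "deny"
```

Running the sample flows shows the three tiers the post describes: a reserved host reaches the internal 192.168.0.0/16 space, any other wireless client is denied there but permitted to the internet, and DHCP discovery is still allowed through.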
 
Is it possible to filter incoming connections by MAC address?

For example, I want to allow my iPhone to connect to my home network via 3G. I don't know what IP address it will have at any given time but its MAC address won't change so I'm thinking it would be useful to only allow incoming connections to certain ports based on that specific MAC address.

I know that a MAC address can easily be spoofed but an attacker would need to guess the correct one in order to gain access which seems extremely unlikely.

Also, does NAT rewrite the MAC address or is it passed through from my iPhone over 3G (and all the routers) to my home router with the source MAC address intact?
 
Also, does NAT rewrite the MAC address or is it passed through from my iPhone over 3G (and all the routers) to my home router with the source MAC address intact?

The source MAC is stripped and replaced at each hop, so no, filtering via MAC address over the internet is not possible.
 
OK - Thanks.

It seems like a VPN is really the only alternative to just leaving ports accessible to the public.

Even though my ports have password-protected web interfaces it seems like they would be quite easy to defeat. :(
 
Is it possible to filter incoming connections by MAC address?

For example, I want to allow my iPhone to connect to my home network via 3G. I don't know what IP address it will have at any given time but its MAC address won't change so I'm thinking it would be useful to only allow incoming connections to certain ports based on that specific MAC address.

I know that a MAC address can easily be spoofed but an attacker would need to guess the correct one in order to gain access which seems extremely unlikely.

If your router supports MAC filtering, then yes, you can do this.

And, they don't have to guess the MAC, they just run a sniffer and grab it. This is why encryption is also important.
 
You can over wifi, but he's talking over WAN (3G)... right?

I'm not big on having a VPN client to get into my home network either; you can always SSH tunnel instead and just carry PuTTY on a flash drive. That's what I do from work.
 
It depends on how nerdy you want to be. A lot of us Cisco guys have ridiculously complex networks for no real reason.

In the end, make it as complex as you want. The only thing I'm really paranoid about is wireless. I have a separate VLAN for wireless running WPA2, but I also have DHCP reservations handed out and only those IPs are allowed access to anything other than the internet.

My servers have static NAT translations from my pool of five public IPs. They're behind my router, an outside ACL and CBAC. I changed my SSH and RDP ports on all my servers with NAT translations. That really helps limit the brute force hacks.

I have two WLANs on separate VLANs, one uses WPA2 and is in a DMZ and one uses RADIUS auth and has access to my internal network. I use a Cisco Aironet AP1131.
 
You can over wifi, but he's talking over WAN (3G)... right?

I'm not big on having a VPN client to get into my home network either; you can always SSH tunnel instead and just carry PuTTY on a flash drive. That's what I do from work.

Oooh, missed all that. I have no idea how that would even work, if I'm understanding him correctly.
 
I have two WLANs on separate VLANs, one uses WPA2 and is in a DMZ and one uses RADIUS auth and has access to my internal network. I use a Cisco Aironet AP1131.

If I had a Cisco N WAP, I'd be doing something similar. All I have is a 1200b/g, which doesn't work for me.
 
I have two WLANs on separate VLANs, one uses WPA2 and is in a DMZ and one uses RADIUS auth and has access to my internal network. I use a Cisco Aironet AP1131.

I have an 1131 on the way.. This kind of was my plan too. I'll have a guest VLAN that only has access to the internet and will have another WPA2 network that will have access to the LAN.
 
I have two WLANs on separate VLANs, one uses WPA2 and is in a DMZ and one uses RADIUS auth and has access to my internal network. I use a Cisco Aironet AP1131.
I'm not familiar with RADIUS but does that work from across the internet?

The problem is that I need my iPhone (across 3G) to access my internal network's webservers remotely. Ideally I'd like to run an SSH client on my iPhone that supported port forwarding/tunneling but that's not possible on the iPhone.
 
I thought there was some sort of VPN client that would work on the iPhone. If you found something that would work you might be able to use the router as a VPN server.
 
Yeah, the iPhone supports IPSec and... PPTP I think?

It just seems like a bit of overkill though but it might be my only option. For example, I have a video streaming service on my network that my iPhone connects to. I'm not sure how performance would suffer if I add IPSec on top of it.

As for my web servers, ideally I'd just like a second layer (more secure?) of authentication before letting outside users just access certain internal web servers.
 
For the iPhone just set up an IPsec VPN tunnel and have ACLs allowing you to access the servers from the tunnel. I don't believe that the iPhone supports any kind of SSL VPN. At least the iPads don't.
 