[CentOS] Networking Question

Fri Nov 27 19:56:37 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 11/26/2015 07:43 AM, Alice Wonder wrote:
> What I would like to do with it, I want to make sure it is possible and
> sane before I buy it.

In general, it's possible.  It's sane if you want to study networking, 
but otherwise it's a little over the top.

Most of the time you just need three zones:  untrusted, DMZ, and 
trusted.  Each zone has full access to a zone of lower trust metric, but 
limited or none to more trusted networks.  The internet is part of the 
untrusted zone, and guest WiFi networks typically are, too.  The 
untrusted zone has limited access (in your case, via port forwards) to 
the DMZ.  The DMZ can access the internet, but not the trusted zone. 
The trusted zone has mostly unlimited access to everything.  All zones 
should have egress filtering to prevent sending malicious traffic, or at 
least traffic with a bad source address.

I'd agree with Steven that for study's sake, VLANs might be a better 
choice than multiple NICs for a few reasons:  If you're studying 
networking for professional reasons, you *will* need some experience 
with VLANs.  Managed switches can be fairly reasonable.  I like the HP 
1810-8G (or 16G, or 24G, depending on how many ports you need).  If you 
use multiple interfaces on your firewall, you'll typically need switches 
for each one.  If you use VLANs instead, you can dynamically assign 
ports to different broadcast domains.

As far as security goes, typically managed switches allow you to assign 
access to each VLAN per port.  Because access to a virtual LAN is 
assigned to the port, and not to an IP address or MAC address, spoofing 
isn't generally a concern.

> A will have a NAS. I can reach it from Internet (via port forwarding)
> and B and C (routing table) but from it, I can not connect to Internet
> or B, C, D. That network which likely will only have a few devices can
> not initiate connection to Internet or the other networks.

You're proposing that you set up hosts which are accessible by the 
internet (the least trusted zone) but don't have internet access to 
retrieve and apply security updates.  That's not a good idea at all.

> B is my trusted home network. It can connect to Internet (NAT) and to A
> (port forwarding) but can not reach C or D

That's possible, but I can't think of a good reason to use port 
forwarding, there.  NAT is a crutch to compensate for a lack of 
addresses in the IPv4 network.  You should only use it when there's no 
other choice.

> C is untrusted home network. Things like my TV and Bluray player that
> need Internet access but that I don't want to have the ability to reach
> anything on B, but I do want them to be able to talk to NAS on A via
> port forwarding. I'm always paranoid about those devices on my network,
> I don't trust what they are doing. Call it tin foil but I don't trust
> them. Yet they don't work right without access to Internet (updates /
> netflix)

I wouldn't argue that you should trust those devices.  You definitely 
shouldn't.  But consider what you're protecting.  If you put them on the 
same network as the NAS, are you making it more exposed to attack?  It's 
already connected to the internet.  Are you protecting those devices 
from the NAS, if it gets compromised?  If so, what would an attacker 
gain by targeting those devices?  Or maybe the guest WiFi network would 
be a good fit for those devices.

I'd encourage you to think about that carefully, because if you start 
segmenting your network without a specific need to do so, you'll end up 
isolating each device individually.
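To make the three-zone policy described above concrete, here is an added example (not code from the original post or from CentOS) that models the trust metrics, the untrusted-to-DMZ port forwards, and the bad-source-address egress check; the zone prefixes, the NAS address and the forwarded port are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Trust metric: higher is more trusted. Prefixes are constructed sample values;
# "untrusted" is the catch-all for the internet and guest WiFi.
ZONES = {
    "untrusted": {"trust": 0, "prefix": ip_network("0.0.0.0/0")},
    "dmz":       {"trust": 1, "prefix": ip_network("192.0.2.0/24")},
    "trusted":   {"trust": 2, "prefix": ip_network("198.51.100.0/24")},
}

# Port forwards are the only untrusted -> DMZ paths (constructed: HTTPS to a NAS).
FORWARDS = {(ip_address("192.0.2.10"), 443)}


def zone_of(addr):
    """Return the most specific zone whose prefix contains addr."""
    addr = ip_address(addr)
    hits = [n for n, z in ZONES.items() if addr in z["prefix"]]
    return max(hits, key=lambda n: ZONES[n]["prefix"].prefixlen)


def allowed(src, dst, dport, ingress_zone):
    """Decide whether a new connection src -> dst:dport may be initiated.

    ingress_zone is the zone (interface/VLAN) the packet arrived from; if the
    source address does not belong to that zone it is a bad source address
    and is dropped, which is the egress filtering the reply asks for.
    """
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz != ingress_zone:
        return False                      # spoofed / bad source address
    if sz == dz:
        return True                       # same broadcast domain
    if ZONES[sz]["trust"] > ZONES[dz]["trust"]:
        return True                       # full access downward in trust
    if sz == "untrusted" and dz == "dmz":
        return (dst, dport) in FORWARDS   # only the published forwards
    return False                          # no access upward in trust


if __name__ == "__main__":
    for flow in [("198.51.100.5", "203.0.113.7", 80, "trusted"),
                 ("192.0.2.10", "203.0.113.7", 443, "dmz"),
                 ("192.0.2.10", "198.51.100.5", 22, "dmz"),
                 ("203.0.113.7", "192.0.2.10", 443, "untrusted"),
                 ("203.0.113.7", "192.0.2.10", 22, "untrusted"),
                 ("198.51.100.5", "203.0.113.7", 80, "dmz")]:
        print(flow, "ALLOW" if allowed(*flow) else "DROP")
```

The last flow shows the egress check: a packet carrying a trusted-zone source address but arriving on the DMZ VLAN is dropped regardless of destination.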