uTalk

Official forum for Utopia Community


#1 2021-01-26 08:46:49

Drassen
Member
Registered: 2021-01-11
Posts: 71

How to isolate a home server from the local network?

Hi, I have a reasonably simple home network set up - see diagram below.

I have a Raspberry Pi 3 (RPi3) set up as a web/chat server in the DMZ. The rest of the machines are connected, either wired or wireless, to a switch that is running DD-WRT (see diagram).

I would like to set things up so that the RPi3 home web/chat server is completely isolated from the rest of my home network, so that if it is compromised it can't be used as a gateway to gain access to the other machines on the network.

Though I would still like to be able to access the home web server to perform maintenance tasks via SSH.

Can anyone advise me on how to approach setting things up to allow for an internet-available home server, while maintaining the security of my home network?

Thanks


#2 2021-01-26 19:16:15

Dr-Hack
Moderator
Registered: 2020-11-20
Posts: 70

Re: How to isolate a home server from the local network?

You will need to isolate your Pi from the rest of the network: none of your other devices should be able to connect to your Pi through the LAN, but only through the WAN. That is one way of keeping things tight.
You will need to monitor and apply hardened network policies. Asking a friend to probe your network will allow you to find the weak spots, if any.


#3 2021-01-27 10:25:26

HanBaoCinch
Member
Registered: 2021-01-11
Posts: 93

Re: How to isolate a home server from the local network?

Hmm, to isolate the home web server it cannot connect to that local network at all. This means if you can VPN, SSH or such to it from your local network then it is not isolated.

I worry that this is not really what you meant to ask or want to do.


#4 2021-02-02 13:30:01

Drassen
Member
Registered: 2021-01-11
Posts: 71

Re: How to isolate a home server from the local network?

Thanks - that's helpful.

Have you got any suggestions regarding best practice for configuring an internet available home web server on a home network from a security perspective?

For example, could I create two separate networks (I'm not sure how this would be accomplished): one exclusively for the web server, that I could connect to with my laptop when I want to SSH into it; and a second for my home devices?

Thanks for your help.


#5 2021-02-02 13:55:10

HanBaoCinch
Member
Registered: 2021-01-11
Posts: 93

Re: How to isolate a home server from the local network?

Why won't access control and routing do the job here?

I mean you can set up your web servers as you wish and, on the router, put the ports you need Internet service on into the router's port forward table.

Since the server is secured with your choice why the extra disconnect from the LAN? How about changing the server's netmask to exclude LAN addresses other than the router?


#6 2021-02-02 13:58:53

HanBaoCinch
Member
Registered: 2021-01-11
Posts: 93

Re: How to isolate a home server from the local network?

Best practice?

That's access control, firewalls and only allowing the ports you actually need. If it's on a LAN then the netmask goes a long way to blocking folk on a LAN from connecting to the server.


#7 2021-02-04 08:46:47

Drassen
Member
Registered: 2021-01-11
Posts: 71

Re: How to isolate a home server from the local network?

I've done a little research into netmasks, which is when you split the network into segments, right? That would probably do the trick.

The reason I want to isolate the Raspberry Pi 3B+ web server is that I had it set up with Freedombox, NextCloud and Wordpress and someone hacked into it and changed the web root's index.html file. There wasn't anything sensitive on the Pi, but it did freak me out that it could be a possible way to break into the local network and start SSH brute forcing other accessible machines on the local network.

Yes, I agree firewalls go a long way. But I don't really want to have to turn into a paranoid sys admin having to open and close ports on local machines all the time. I would at least rather start with a robust network configuration and then worry about each machine on the local network as best I can.

I'm testing a setup using two routers and two separate DHCP firewalled networks, based on the concept described here and the tutorial here (though I'm not using VPN). See the attached image for a visual layout of the setup I'm testing - any advice or comments regarding whether my setup makes sense, or about weaknesses or strengths, are much appreciated.

From information I have found it seems that network two (IP: 192.168.11.x - the "inner" network) can reach out to network one (IP: 192.168.10.x - the "outer" network) and to the internet. But the outer network can't (easily) get past the second router's firewall and into the inner network.

This works because data is passed back through the NAT to the originating address and all other traffic is stopped by the firewall.
So local machines on the inner network can reach out and SSH into the server on the outer network, but the server can't break through the inner firewall to reach the local machines on the inner network.
I tested, and I can SSH from the inner network to the server on the outer network. But I don't seem to be able to SSH from the server to a machine on the inner network, so this does seem to be the case.

I am new to all of this though, so I could be missing something obvious here.

Does my setup make sense in the way I have described what I want?

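The behaviour described in the post above (inner hosts can open connections outward, replies come back through the NAT to the originating address, and unsolicited traffic from the outer network is dropped) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from any router firmware: it models router 2's NAT and stateful filter on its WAN side. The two network ranges are the ones the post uses; router 2's WAN address (192.168.10.2), the Pi's address (192.168.10.5), the laptop's address (192.168.11.20), the NAS behind the port forward and all port numbers are constructed for the example.

```python
"""Toy model of the two-router ("double NAT") layout from the post.

Router 2 sits with its WAN port on the outer network, SNATs inner hosts to its
own WAN address, and only lets packets back in that match a flow it has seen
(or an explicit port forward). Addresses marked as assumptions are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INNER_NET = ip_network("192.168.11.0/24")   # "inner" network: home devices (from the post)
INNER_ROUTER_WAN = "192.168.10.2"           # assumption: router 2's address on the outer network
PI = "192.168.10.5"                         # assumption: the Pi's address on the outer network
LAPTOP = "192.168.11.20"                    # assumption: a laptop on the inner network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection


class InnerRouter:
    """Router 2: source NAT plus a stateful filter on its WAN side."""

    def __init__(self, wan_ip=INNER_ROUTER_WAN, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (inner_ip, inner_port, remote_ip, remote_port) -> translated source port
        self.conntrack = {}
        # wan_port -> (inner_ip, inner_port); empty means nothing is exposed inward
        self.port_forwards = {}

    def outbound(self, pkt):
        """Inner -> outer: rewrite the source to the WAN address and remember the flow."""
        if ip_address(pkt.src) not in INNER_NET:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conntrack:
            self.conntrack[key] = self.next_port
            self.next_port += 1
        return Packet(self.wan_ip, self.conntrack[key], pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        """Outer -> inner: only replies to a known flow or an explicit port forward pass."""
        if pkt.dst != self.wan_ip:
            # Inner addresses are not reachable from the outer network: nothing out
            # there routes 192.168.11.0/24, and router 2 only answers for its WAN IP.
            return None
        for (in_ip, in_port, rem_ip, rem_port), tport in self.conntrack.items():
            if (tport, rem_ip, rem_port) == (pkt.dport, pkt.src, pkt.sport):
                return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.syn)
        if pkt.dport in self.port_forwards:
            in_ip, in_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.syn)
        return None


def demo():
    """Replay the post's tests; returns what each packet became after router 2 (None = dropped)."""
    r = InnerRouter()
    results = {}
    # 1. Laptop on the inner network opens SSH to the Pi: SNAT to router 2's WAN address.
    out = r.outbound(Packet(LAPTOP, 51000, PI, 22, syn=True))
    results["laptop_to_pi"] = out
    # 2. The Pi answers the translated address; the reply is mapped back to the laptop.
    results["pi_reply"] = r.inbound(Packet(PI, 22, out.src, out.sport))
    # 3. A compromised Pi tries to SSH straight to the laptop: not routable, dropped.
    results["pi_to_laptop"] = r.inbound(Packet(PI, 44444, LAPTOP, 22, syn=True))
    # 4. ...or to router 2's WAN address on port 22: no matching flow, no forward, dropped.
    results["pi_to_router"] = r.inbound(Packet(PI, 44445, INNER_ROUTER_WAN, 22, syn=True))
    # 5. Any port forward on router 2 re-opens a path from the outer network inward.
    r.port_forwards[8080] = ("192.168.11.30", 80)   # assumption: a NAS on the inner network
    results["via_forward"] = r.inbound(Packet(PI, 44446, INNER_ROUTER_WAN, 8080, syn=True))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} -> {'DROPPED' if pkt is None else pkt}")
```

Two things the model makes visible that the post's test does not: the Pi is still on the same segment as everything else on the outer network (the outer router, router 2's WAN interface and anything else plugged in there), so it is only the inner hosts that gain protection; and every port forward added on router 2 is a deliberate hole in that protection. The model also assumes router 2 exposes no admin interface on its WAN side; that is worth checking on the real device.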

#8 2021-02-05 14:18:17

HanBaoCinch
Member
Registered: 2021-01-11
Posts: 93

Re: How to isolate a home server from the local network?

Your choices.

For me I could use netmask (that's singular) to virtually sequester this server from other computers on a LAN. It's simple, effective and uses a basic skill networkers know.

-> Since you have your own design that works (otherwise you would not be using it) why not call it solved?


#9 2021-02-08 13:41:19

Drassen
Member
Registered: 2021-01-11
Posts: 71

Re: How to isolate a home server from the local network?

HanBaoCinch;269 wrote:

Your choices.

For me I could use netmask (that's singular) to virtually sequester this server from other computers on a LAN. It's simple, effective and uses a basic skill networkers know.

-> Since you have your own design that works (otherwise you would not be using it) why not call it solved?

Thanks. Yes, maybe netmask is the way to go. I need a second device on my network anyway to give me more ports so I had the DD-WRT router already hooked up.

I'm not a networker so getting my head around netmasks has been a bit of a challenge and a bit of research. I'm still not completely sure that I understand.

My understanding of netmasks now is that the netmask is essentially to do with the binary nature of network addressing. In my case I would "borrow" bits from further down the local address and essentially split the addressing into 4 parts. The downside is that you lose a few possible addresses. The upside is you get four separated networks. Is this about right?

The more I research networking the more I find out how much there is to know and how little I understand it all :(

I'm happy to mark this as solved, but as I say, I'm not a networker and I would appreciate any comments concerning whether my system really does add security for machines on both my "outer" and "inner" local networks, and regarding the pros and cons of my setup vs netmask.

Thanks again.

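The two netmask ideas discussed in the thread (HanBaoCinch's "narrow mask on the server" in #5/#6/#8 and the "borrow bits to get four subnets" reading in #9) are both plain address arithmetic, and Python's standard `ipaddress` module shows exactly what each one does and does not change. The following is an added example for this page, not code from the thread; only the 192.168.10.0/24 range comes from the post, and the router address (192.168.10.1), the server address (192.168.10.2) and the other hosts are constructed. The caveat it is built to show: a narrower mask on the server only changes the server's own decision about which addresses it ARPs for directly. Packets for other LAN hosts still go to the router, which will forward them back onto the same segment unless it has a rule not to, and a normally configured /24 host still treats the server as on-link. Borrowing bits gives four genuinely separate subnets, but only separates traffic if they sit on separate router ports or VLANs with the router filtering between them; on one flat switch any host can pick whatever address it likes.

```python
"""Netmask arithmetic behind the two approaches discussed in the thread.

1. The "netmask trick": the server alone gets a /30 that contains only itself
   and the router.
2. Borrowing host bits: one /24 split into four /26 subnets.

Only 192.168.10.0/24 comes from the post; the other addresses are constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

ROUTER = "192.168.10.1"   # assumption: the outer router's LAN address


def considers_on_link(interface, addr):
    """True when a host configured as `interface` would ARP for addr directly."""
    return ip_address(addr) in ip_interface(interface).network


def on_link(interface):
    """Every address the configured host treats as directly reachable."""
    iface = ip_interface(interface)
    return sorted(str(h) for h in iface.network.hosts() if h != iface.ip)


def next_hop(interface, gateway, dst):
    """Where the host sends a packet for dst: 'direct' or the gateway address."""
    return "direct" if considers_on_link(interface, dst) else gateway


def borrow_bits(network, bits):
    """Split a network by borrowing host bits: a /24 with 2 bits gives four /26s."""
    return [str(s) for s in ip_network(network).subnets(prefixlen_diff=bits)]


def usable_hosts(network):
    """Host addresses left once the network and broadcast addresses are taken out."""
    return ip_network(network).num_addresses - 2


def subnet_of(network, bits, addr):
    """Which of the borrowed-bit subnets an address falls into (None if outside)."""
    for s in ip_network(network).subnets(prefixlen_diff=bits):
        if ip_address(addr) in s:
            return str(s)
    return None


if __name__ == "__main__":
    # The netmask trick: the server sees only the router as on-link...
    print("server /30 sees on-link:", on_link("192.168.10.2/30"))
    print("server sends 192.168.10.50 via:", next_hop("192.168.10.2/30", ROUTER, "192.168.10.50"))
    # ...but the router may forward that straight back out, and a /24 host still
    # sees the server as a local neighbour it can reach without any router.
    print("laptop /24 treats server as on-link:", considers_on_link("192.168.10.50/24", "192.168.10.2"))
    print("server /30 treats laptop as on-link:", considers_on_link("192.168.10.2/30", "192.168.10.50"))
    # Borrowing two bits: four real subnets, 62 usable hosts each instead of 254.
    for s in borrow_bits("192.168.10.0/24", 2):
        print(s, "usable hosts:", usable_hosts(s))
    print("192.168.10.70 lands in", subnet_of("192.168.10.0/24", 2, "192.168.10.70"))
```

Read the two `considers_on_link` lines together: the relationship is one-directional, which is why the /30 trick is not isolation in the sense HanBaoCinch described in #3. Putting the server in its own subnet on its own router port (or VLAN), with the router allowing only SSH from the management host and the web ports from the Internet, is the configuration the four-way split is actually useful for.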
