
Home Network With IPv6 and Wordpress in DMZ

9/3/2012

(Picture: IPv6 Wordpress Site)
I've been enjoying the end to end connectivity I get with IPv6. For many home networkers, this will be the best method of doing a home network. Just get IPv6 and you have plenty of address space for a place on the web! I have set up a Linux based IPv6 router and a subnet just for the Internet facing servers. I could filter this subnet out at the router so it can't connect to the home LAN. However, I have just begun and have much work to do.

You can view my notes at azcrumpty.mooo.com/, which only works if you have IPv6 set up and working. If you don't, you may use the gateway azcrumpty.mooo.com.ipv4.sixxs.org/.

My ISP doesn't block the SMTP port (25) on IPv6, so I can run my own mail gateway. If your provider can send mail over IPv6, which I find many can't, you can email me at ipv6@azcrumpty.mooo.com. The folks at FreeDNS have graciously allowed me to piggyback on their domain.
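Added example (not the author's configuration): ip6tables FORWARD rules for a Linux IPv6 router like the one described above, isolating the Internet-facing server /64 from the home LAN /64 while still admitting inbound SMTP and web traffic to the servers. The prefixes are documentation addresses used as placeholders.

```shell
#!/bin/sh
# Added example, not the author's configuration. Without NAT on IPv6, the
# router's forwarding policy is the only thing between the Internet and the
# home LAN, so the isolation the post mentions has to be an explicit rule.
LAN_PFX="2001:db8:1:1::/64"   # home LAN (placeholder)
DMZ_PFX="2001:db8:1:2::/64"   # Internet-facing servers (placeholder)

# Emit the rule set rather than applying it, so it can be reviewed and tested
# without root. Order matters: the DMZ->LAN DROP must precede the rule that
# lets the servers out, and ICMPv6 is accepted only after it because neighbour
# discovery and path MTU discovery cannot work without ICMPv6.
build_forward_rules() {
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -s $DMZ_PFX -d $LAN_PFX -j DROP
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -s $LAN_PFX -j ACCEPT
ip6tables -A FORWARD -s $DMZ_PFX -j ACCEPT
ip6tables -A FORWARD -d $DMZ_PFX -p tcp -m multiport --dports 25,80,443 -j ACCEPT
EOF
}

# Returns 0 if the DROP protecting the LAN comes before the DMZ ACCEPT, the
# ordering mistake most likely to silently open the LAN to the servers.
rules_are_ordered() {
    drop=$(build_forward_rules | grep -n -- "-s $DMZ_PFX -d $LAN_PFX -j DROP" | cut -d: -f1)
    out=$(build_forward_rules | grep -n -- "-s $DMZ_PFX -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$out" ] && [ "$drop" -lt "$out" ]
}

# Apply on the router (requires root); refuses to run a mis-ordered set.
apply_forward_rules() {
    rules_are_ordered || return 1
    build_forward_rules | sh
}
```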

I will take this server offline after about a month since the computer it runs on is actually my Linux Mint laptop, which I would like to use as a laptop. It is virtualized, so I can move it should I wish to keep it turned on.

IPv6 Late Launch Day with Dual IPv6 Subnets

8/19/2012

(Picture: Dual IPv6 Networks in Home Gateway)

I have completed adding IPv6 to my home network using both the 6in4 and 6to4 transition methods. The IPv6 guide at the DD-WRT site covers everything you need, but I had one question after I completed 6to4: could I add multiple IPv6 network providers? The answer is yes, and it is very easy to do. Breaking with the spirit of end to end networking, I decided I wanted my guest network's IPv6 network separated from my main network. This is not necessary with the big /64 network you get from the providers, but I wanted to try it out since I like having a network that I can use to look from the outside in. Teredo tunneling is the most painless way to get IPv6, but it was the slowest method of using IPv6.

The changes were simple enough, only needing the user to set up the second tunnel using the tunnel provider's instructions and a unique name. Basically, the router advertisement daemon's config files needed to be changed to announce the 6to4 network, 2002:, on the guest interface br1. The 6to4 start script needed the -p option to specify a new pid file for the second daemon. I used the command watch 'netstat -an | grep tcp6' to see what network connections were using IPv6.

The home network uses the 2001:132:d:28a network provided by Hurricane Electric. The radvd.he.conf file only needed to be configured to announce the 2001:132:d:28a::/64 prefix, and the start script is the same one you would find on the DD-WRT IPv6 site. On startup, the router's route tables and interfaces show the correct settings for the internal interface br0 and the external interface br1. Again, watching the netstat output showed plenty of IPv6 connections.

Both networks checked out with the IPv6 test site. A tertiary option is to use Teredo tunneling on a host behind another NAT in my home network, which gives me a third network to work with.
 
I put the IPv6 startup scripts into Optware script format along with the config files for radvd.  I do the ipv6 insmod command in the DD-WRT startup.   
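The dual-prefix setup from the preceding paragraphs as an added example (not the DD-WRT guide's script and not the author's Optware scripts): derive the 6to4 prefix from the router's public IPv4 address, write a radvd config that advertises it on br1, and start that radvd as a second daemon with its own pid file. The sample IPv4 address, file paths and advertisement intervals are assumptions.

```shell
#!/bin/sh
# Added example, not the DD-WRT guide's script. Paths and the sample IPv4
# address are constructed placeholders.

# 6to4 only works from a public IPv4 address; behind another NAT use a tunnel
# broker or Teredo instead (as the post does for its third network).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# The 6to4 block is 2002:V4ADDR::/48 with V4ADDR as four hex bytes; this
# returns the first /64 of it, e.g. 192.0.2.1 -> 2002:c000:0201::/64.
ipv4_to_6to4_prefix() {
    addr=$1
    if is_private_ipv4 "$addr"; then
        echo "6to4 needs a public IPv4 address, got $addr" >&2
        return 1
    fi
    # Split the dotted quad into positional parameters (local to the function).
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    printf '2002:%02x%02x:%02x%02x::/64\n' "$1" "$2" "$3" "$4"
}

# Write a radvd config that announces the prefix on the guest bridge br1.
# $1 = prefix, $2 = output file (e.g. /opt/etc/radvd.6to4.conf, an assumption).
write_radvd_6to4_conf() {
    cat > "$2" <<EOF
interface br1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix $1
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# Second radvd instance: -C selects the config and -p gives it its own pid
# file so it does not collide with the radvd already serving br0.
start_radvd_6to4() {
    radvd -C "$1" -p /var/run/radvd.6to4.pid
}
```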

So now, my home network has all the benefits of a node having full end to end connectivity, with no more pesky NAT preventing me from publishing my own content or directly communicating with another peer on the Internet. But also note that this configuration is completely unnecessary, since I have 2^64 addresses available for use and could have divided my block up for each segment. One radvd process can advertise to both interfaces and the two networks can be part of the same /64. All I had to do was add an interface address in the block to br1 and the two become connected, but that seemed like normal networking.

Home Web Server with Opera Unite

5/21/2011

(Picture: Opera Unite Web Server Content)

I wrote about using a home based web server in a demilitarized zone within your home a few months ago. This is a fun and useful task to do, but I left out a strong caution. Your ISP may prohibit you from doing this as part of your contractual agreement. Your ISP may even go so far as to filter out HTTP and HTTPS (ports 80 and 443 respectively) to keep you from running your own home based web server. So, what can you do?

You can use Opera's Unite system or a competitor home server system such as Tonido.  You should pick a system that agrees to provide the service you want so you don't have to wake up one morning finding your site isn't accessible to the world anymore.  

(Picture: Opera Unite With Wordpress)

You can find plenty of help with configuring Opera Unite. You can use whatever server you want for your home based web server as your Opera Unite server.

I have found some things with Opera Unite that might be of interest to you. The URLs can get really long. Take http://home.azcrumpty.operaunite.com/webserver/content/az/Blog/Blog.html as an example. This monster URL is configured to use Opera's web server. The word webserver seems to identify the service I am using. The word content can be replaced by the word activity for stats. So two words in the URI are reserved for determining where to retrieve content from. Finally, your content lies beneath all that in the URL, and the path can get really long depending on what you do with your content. Opera's built in web server doesn't offer the robust configuration options of Apache or IIS, so CGI, plugins, and other functions are nonexistent.

(Picture: WordPress URL Needs Rewriting)

Opera provides you with a reverse proxy to address your web site's complexity needs. This gives you complete access to your web server software. But you may find issues with URLs and need to do some URL rewriting. I found both Wordpress and MovableType hard code some paths into the HTML they generate; however, such things were fixable by Googling or hacking the code. Hard coded host names lead to content not showing up. Internal host names showing up is a general problem that has to be considered when using a reverse proxy. It seems plenty of sites expect the document root to be available for content. This is not the case when using Opera Unite's reverse proxy. Opera adds the host name to the URL and shifts the document root over to the right by one path. This becomes an issue with sites that have URIs that reference the document root. For example, an image reference href="/images/foo.gif" would look like http://home.azcrumpty.operaunite.com/images/foo.gif. This would fail since the reverse proxy needs the host name in the URL in order to get the image. The HTML would have to have the reference as href="/wb/images/foo.gif" or be relative as href="images/foo.gif". You must check and correct all such links for this problem if you didn't write all the HTML yourself.
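Added example (not the post's code) of the link fix-up the paragraph describes: a small shell filter that lists root-relative href/src attributes for review and rewrites them under the reverse proxy's service path, leaving relative, protocol-relative and absolute URLs alone. The service path /wb is taken from the post's example; the sample HTML is constructed.

```shell
#!/bin/sh
# Added example, not from the post. Under Opera Unite's reverse proxy the
# document root moves one path segment to the right, so href="/images/foo.gif"
# must become href="/wb/images/foo.gif". Handles double-quoted attributes only,
# and is not idempotent: links already under the service path get it twice.

# List offending links (file:line:match) so they can be reviewed before a
# rewrite touches anything.
find_root_relative_links() {
    grep -nE '(href|src)="/[^/]' "$@"
}

# Rewrite root-relative links on stdin to live under the service path in $1.
# "//host/..." (protocol-relative) and "http://..." are deliberately skipped:
# only a leading slash followed by a non-slash character is rewritten.
rewrite_root_relative_links() {
    sed -E "s#((href|src)=\")/([^/])#\1$1/\3#g"
}

# Constructed sample markup mixing the four link forms; demo_rewrite returns
# it with only the root-relative image link moved under /wb.
SAMPLE_HTML='<img src="/images/foo.gif"><a href="images/bar.gif">x</a><script src="//cdn.example/x.js"></script><a href="http://example.com/">z</a>'
demo_rewrite() {
    printf '%s' "$SAMPLE_HTML" | rewrite_root_relative_links /wb
}
```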

(Picture: Opera Unite Stats)

Performance and security discussions on these services can be found online. I didn't use performance measurement tools, but I watched the images load in on the site and it felt like a dial up modem. This is probably due to the spotty performance I am getting with my ISP right now. As far as security goes, I would NAT Opera Unite behind pfSense with rules denying access to the internal LAN, or I would put the rules on the Opera Unite host itself to minimize the attack possibilities should a back door be opened from the Opera browser. You can also tell your desktop or laptop firewall software to deny all connections from your Opera Unite host. I would only push content to the Opera Unite host that I wanted shared with the world, so any unauthorized access to the host would only reveal data I wanted on the Internet.

Home Network Designs That Didn't Make the Cut

4/11/2011

 
I posted my Home Network with DMZ on my blog a few months ago, where I listed how I set up a DMZ in my home network. There are so many different ways to do your home network that I could not describe them all; people like short blog posts. I chose this setup for two main reasons:

1) My pfSense server is a laptop which is very old (purchased in 2000) and I wanted a design that was easy to swap out the laptop should it fail. I can swap the Linksys router into the edge of the network quickly if the pfSense server fails.

2) The laptop has two PCMCIA ports and a network adapter (NIC) fills each port. I could do more with multiple NICs and would have preferred 8 ports on the laptop. I didn't want to use a USB network adapter because the laptop uses the slow USB 1.1 interface.

(Picture: Two NAT Devices With Middle DMZ)

I contemplated doing a double NAT type configuration, pictured left, with the pfSense router at the network edge in the red zone, a network hub in the middle to service the hosts in the DMZ, and the Linksys router connected via its WAN port. The DMZ servers would be in the green zone between the two routers. The inner router would provide firewall and NAT services to the blue zone. I declined this design because there are enough cables, wires, and lost outlets where the equipment goes. I wanted to keep the design simple and I wanted the design to consume less power. Also, some software works poorly when positioned behind two NAT routers.

Lastly, my preferred choice was to use a filtering bridge, pictured below, in place of the Linksys e3000. The filtering bridge would filter the upper portion of the network (.200) as DMZ servers while leaving the lower portion without filtering. The pfSense box only has two NICs so I would have needed an extra machine or a separate hub. Again, this design offers too much complexity for home use.

(Picture: Filtering using one composite LAN)

The first design above allows the user to use an older 802.11b or 802.11g router in the design bypassing using pfSense. It is cheap and easy to setup as many people have their old broadband routers laying around somewhere. The second design requires more effort and more parts when you have only two ports on the filtering bridge. It also requires writing filtering rules and possibly bridging two physical LANs together. The best feature of the bridge is that it eliminates the need for the clients in the green zone to pass through two NATs.
