New ISP, New Firewall

Recently, we switched from Comcast 75Mbps cable modem internet to AT&T 600+Mbps fiber internet. The biggest difference is that AT&T requires you use their router/firewall. It’s not optional. So you can either simply trust their device to never get hacked, or setup your own NAT firewall inside the AT&T router, and nat everything twice. But if you do that, the firewall gets an IPv6 address, but nothing inside the firewall can access IPv6. The AT&T router has no option to request any a larger IPV6 subnet, so the firewall could use the rest.

So, I decided to switch from a routed firewall, to a bridged firewall. I tried to reconfigure my pfsense FreeBSD UNIX based firewall, but failed to get it to work properly. It was strange how the BSD bridge was blocking ARPs traffic between network segments. I gave up on pfsense and rebuilt my firewall box with CentOS 7 Linux, and installed Shorewall firewall software, which I’ve used before.

Where as a routed firewall has an IP interface on each network segment, and each segment is part of an independent IP network, a bridged network is one where you only have 1 IP network, with the firewall acting as if it were an ethernet switch, routing traffic from interface to interface, based on the dest MAC address. But shorewall gives you control based on the segments the traffic is coming from and going to, instead of the IP addresses, so, for example, guests can get to the AT&T router and the internet, but not any internal computers.

Setting up basic bridging on Linux is no problem for me, except it turns out my firewall has 5 ports, but they aren’t named in the same order as they appear on back of the box. That took too long to figure out. Shorewall fully supports bridging mode, but documentation is a little light, because far more people use the routed mode. But there is enough to figure it out.

Shorewall can seem at first a little complex to setup, but it’s not too bad, really. I started by creating 5 zones, each representing one of the five segments of our ethernet network – wired lan, lab lan, wifi, guest wifi, and internet. Then I edited the interfaces file, where you assign the 5 physical interfaces to the 5 zones. Then I edited the policy file to define default access rules. Lastly, I edited the rules file, to add any exceptions to the default policy, like allowing guests to access the printer.

So, because I broke our LAN into 5 segments, I can do things like setup an SSH gateway inside my lab, and allow friends to login across the internet into my lab, while being reasonably sure they won’t be able to get from there into our home computers, because they are on a different segment. The “guest” network is where all of our “internet of things” devices are connected. Our wifi thermostat, dropcam web camera, chromecast, as well as any visitors to our house will be able to access the Internet, but not anything else inside the house, so if they get hacked, they can’t get to anything important.

Next I plan to install arptables, which will let me setup rules to block ARP traffic from any particular MAC address. Someday I’ll run cat5e cable between the floors, so we can get the whole 600 Megabit speeds upstairs, and get rid of this cable running on the floor from our office to the bedroom.