SOHO Network

Outline

So in preparation for moving into our new office/house I've been tasked with designing and implementing a network that can function as both a secure business LAN and a private end point for users.

The biggest challenge was finding a way to securely deal with multiple networks and services while keeping costs minimal and avoiding purchasing additional equipment. We could have easily gone with customer supplied gateways into a concentrator as local ISP's allow multiple PPPoE logins over a single link. But since we have HFC available I wanted to try a more elegant solution.

Requirements

Besides basic Internet connectivity here is a list of services customers might require:

  • Telephony
  • Wireless, Guest WiFi
  • Secure separation of business resources from personal networks
  • High speed inside-out access for services, aka loop-back

The decision to go with HFC means telephony must travel over IP or there is no cost savings to using cable. This means we must also become the telco for land-line services. VoIP has several advantages to using POTS, namely significant savings in line rental(As of writing this article the cost per line for direct PSTN access is 4 times the cost of using a remote trunking service), however it is at the expense of increased management and creating a single point of failure.

Care must also be taken to ensure the arrangement meets and exceeds the users demands and expectations of the service and to not encumber access to any functionality otherwise available.

Implementation

Fig 1 - Topkek Topology

Above shows the pseudo layout at the L2 level. Separation is handled via VLAN's naturally, wireless separation is done through DD-WRT bridges, see: VLAN Detached Networks. Phones are locked to ports and ignore broadcast, a change of MAC on one of these ports will immediately disable it until the original device is restored, as a further measure SNMP trap events are sent the moment one of these ports are down. A 'General' port is used between the router and switch to prevent iSCSI traffic (several Gbps) from flooding the router. Only Virtual Machines assigned with an appropriate virtual adapter have access to private networks, VLAN tagging is done by the hypervisor and not by the VM's.

As far as hardware is concerned, the backbone of the network consists of a Dell PowerConnect 5524 with battery backup, this Layer 2 switch handles most of the security enforcement. For routing we have a Juniper SRX210HE, this is in charge of providing the zone based firewall, NAT, DHCPv4, SLAAC, 6in4 tunneling and sFlow for monitoring.

An out of band switch connects IPMI, SNMP and various management interfaces together and can only be accessed physically from the rack or by administrators over VPN.

Layer 3

VLAN100 is confined to the Guest zone, it has an independent firewall and security policies from the main public network, this interface is rate limited to prevent DoS and penetration attempts from Guest to Trust via the internal data plane. Customer VLANs are a mirror image of this.

VLAN1 and 2, which is part of the Trust zone consists of a IPv4 inbound services policy and respective NAT, IPv6 uses a per server policy set. Inter-VLAN routing is provided for 1<->2 access on a case by case basis through the firewall:

from-zone untrust to-zone trust {
    policy trust-services {
        match {
            source-address any-ipv4;
            destination-address any-ipv4;
            application [ junos-http junos-https junos-sip junos-ping softether junos-ssh ];
        }
        then {
            permit;
        }
    }
    policy icmp-v6 {
        match {
            source-address any-ipv6;
            destination-address any-ipv6;
            application junos-icmp6-all;
        }
        then {
            permit;
        }
    }
    policy trust-services-2001_470_24_869_1 {
        match {
            source-address any-ipv6;
            destination-address Vincent;
            application [ junos-http junos-ssh ];
        }
        then {
            permit;
        }
    }
}

VLAN3 carries only VoIP traffic.

Lastly the usual barrage of DoS and brute force attacks from the Internet are dealt with using a screening filter. RPF is enabled on all interfaces with an exception for DHCPv4 broadcasts.

Telephony

A PBX server running FreePBX is used for routing VoIP, everything is SIP end to end until it reaches the PSTN, CoS means little to no latency and no dropped calls, I've tested this extensively on ADSL2+ and even on a problematic line voice is clear and reliable.

Customers are provided with DID(s) at a monthly rate with call excess added on, free voicemail is also available. In the next few weeks I'll write a script to pull CDR from FreePBX and automatically generate invoices, but since there will only be two users initially this is low priority. I'm also considering switching to sipXecs, but it is less supported and will need to be tested extensively.

CoS/QoS

All WAN bound traffic is classified by a rule set, based on the originating zone and type of traffic we can assign packets to an appropriate queue on the egress interface. The switch also prioritizes VLAN3's traffic to insure large LAN transactions like those created by SMB do not affect voice quality.

Remote Access and Authentication

VPN is provided using SoftEther VPN Server, the built in access lists can be assigned to RADIUS accounts allowing the single server instance to provide access to all or some networks.

We use RADIUS where possible for unified sign on, this is managed by the local Active Directory server which of course machines must join before they can access anything interesting.

Conclusion

Besides software configuration we're also moving to a much larger rack (18U -> 40U) and as such need to re-cable everything. It will be nice to have room for cable management and a rack thats properly setup to handle it.

In time I will write some tutorials on JunOS and other network technologies as I'm still learning myself.