JP Vossen on 6 Jan 2008 13:51:33 -0800


Re: [PLUG] Sharing an Internet Connection

> Date: Sun, 6 Jan 2008 10:45:58 -0500
> From: holdenergy <>
> Hi - What might be the quickest/cheapest/easiest way to securely share an
> internet connection.

M0n0wall (FreeBSD-based, web GUI) or probably pfsense (M0n0wall-based, different goals) can do that with a few NICs.

Ideally, you'd have {# of entity} + 2 NICs =
	One for each entity [required]
	One for the WAN [required]
	One for a dedicated syslog/management net [recommended]

One of the great things about either of these is that the entire system 
configuration (OS, firewall, everything) is a single XML file.  That 
means you can trivially do change control & backouts, upgrades, 
downgrades, whatever with a single file in a simple revision control 
system.  VERY nice.

One of the other great things about either of these is that the entire 
system is pre-built.  No worries about what to install or configure, it 
just works out of the can.  It's also tiny, being intended to run on 
CF-card in embedded systems.  I've run on a hard drive in an old Dell 
desktop for years.  (More space for NICs.)

> Let me explain. In a shared community with only one DSL connection, multiple
> different entities connected through one DSL connection but requiring that
> records be kept for each port, so that in the extreme case of a visit from
> FBI/RIAA etc only that port is an issue. Ideally getting 2 IPs from the DSL
> provider would be perfect but that adds $$ if they'd even do it.

Enable logging to a (ideally dedicated) syslog host.  There are lots of 
log parsers to slice and dice the output for all kinds of reporting too.

> Furthermore, we don't want one entity soaking up all available bandwidth, so
> what would be the device to throttle each port to a certain percentage of
> available, and we actually want to maintain a certain port dedicated for
> VOIP to ensure quality of service even if the DSL is otherwise at capacity.

Enable and configure the built-in traffic shaper.

> I have not seen these features in consumer grade routers and I am not sure
> how far we have to step up to get it, or is there a Linux solution for which
> I'd be happy to re-purpose an old PC or laptop.

Multi-port NICs are pretty cheap on ebay.  I have 8 ports in my M0n0wall 
(IIRC).  But as other responders have noted, there are 
cheap/fast/easy/flexible/secure issues.

M0n0wall is free, you probably have the PC, that leaves NICs, which 
depend in part on space in the PC.  They are probably cheap or free.

Fast/easy depend on your network and security skills.  The networking 
and logging sides are straightforward, assuming that logging firewall 
rule hits is good enough (doubtful for HIPAA, etc.).  The actual FW 
policy (rules) and traffic shaping might be a challenge, especially if 
you enforce strong egress filters, which you should.

M0n0wall is pretty flexible, but it can't handle dual *WAN* interfaces, 
while pfsense can.  YMMV.

This will be reasonably "secure" unless you really screw up the rules or 
the network segmentation or routing.  But "secure" is defined here as 
protecting the entities from the Internet and each other, and logs for 
who (or at least which entity/network) did what.

But it all is a single point of failure, as someone else previously 
noted about ISP ToS issues, DoS, DDoS, etc.

JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
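As an added example, not from the post and not M0n0wall's or pfSense's own code: a small Python script that takes firewall syslog lines and attributes each pass/block hit to the entity segment that owns the address, which is the per-port record the question asks for. The simplified ipmon-style log lines and the 10.0.x.0/24 entity networks are assumptions constructed for illustration; adapt LOG_RE to the real output of your firewall.

```python
import ipaddress
import re
from collections import Counter

# Assumed per-entity LAN segments, one per NIC on the firewall
# (hypothetical layout, not from the original post).
ENTITY_NETS = {
    "entity-a": ipaddress.ip_network("10.0.1.0/24"),
    "entity-b": ipaddress.ip_network("10.0.2.0/24"),
    "voip":     ipaddress.ip_network("10.0.3.0/24"),
}

# Constructed syslog lines in a simplified ipmon/pf-like shape: action is
# 'p' (pass) or 'b' (block). The real m0n0wall/pfSense format differs.
SAMPLE_LOG = """\
Jan  6 13:51:01 fw ipmon: em1 @0:3 p 10.0.1.25,51234 -> 198.51.100.7,80 PR tcp
Jan  6 13:51:02 fw ipmon: em1 @0:5 b 10.0.1.25,51235 -> 198.51.100.9,25 PR tcp
Jan  6 13:51:03 fw ipmon: em2 @0:3 p 10.0.2.40,40000 -> 203.0.113.4,443 PR tcp
Jan  6 13:51:04 fw ipmon: em3 @0:3 p 10.0.3.10,5060 -> 203.0.113.20,5060 PR udp
Jan  6 13:51:05 fw ipmon: em2 @0:5 b 10.0.2.41,40001 -> 203.0.113.4,6881 PR tcp
Jan  6 13:51:06 fw ipmon: em0 @0:9 b 192.0.2.77,1337 -> 10.0.1.25,22 PR tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ipmon: (?P<iface>\S+) @\S+ "
    r"(?P<action>[pb]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def entity_for(ip):
    """Name of the entity segment that owns ip, or None (e.g. a WAN address)."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ENTITY_NETS.items() if addr in net), None)

def attribute(log_text):
    """Per-entity Counter of pass/block hits, also keyed by proto/dest port."""
    per_entity = {name: Counter() for name in ENTITY_NETS}
    per_entity["unattributed"] = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        # Outbound traffic belongs to the entity owning the source address;
        # inbound (WAN-sourced) traffic to the entity owning the destination.
        entity = entity_for(rec["src"]) or entity_for(rec["dst"]) or "unattributed"
        key = "pass" if rec["action"] == "p" else "block"
        per_entity[entity][key] += 1
        per_entity[entity][f"{key}:{rec['proto']}/{rec['dport']}"] += 1
    return per_entity
```

Feeding the syslog host's archived file to attribute() gives the "which entity did what" summary the post describes; the raw lines themselves remain the record to keep.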
Philadelphia Linux Users Group