Used to run a virtualized firewall setup. And then one day discovered that somewhere along the line I had made a change (or an update changed something) that meant the Proxmox admin interface was being served publicly. That's despite confirming during initial setup that it wasn't.
So now I do not do any funky stuff with firewalls anymore. Separate appliance with opnsense bare metal.
Fair enough and I think you have done the right thing - opnsense is pretty decent - and the clear delineation between collision domains helps avoid showing too much ankle to the internet 8)
I think your initial setup was perfectly valid. Then you diagnosed a fault and fixed it with aplomb, in a way that you could verify. The key point is: "in a way you could verify" and you failed safe. Well played.
Proxmox itself has a useful firewall implementation too, although it takes a bit of getting used to because you can set it at the cluster, host and VM levels. I personally love it because it is easier to manage than individual host based firewalls, which I also do, but I'm a masochist! For smaller systems I generally use the cluster level to keep all the rules in one place.
My router is a 16GB n150 mini PC with dual NICs. The actual router OS is within an OpenWrt VM managed by Incus (VM/container hypervisor) that has both NICs passed through.
One of the NICs is connected to another OpenWrt wifi access point, and the other is connected to the ISP modem.
The n150 also has a wifi card that I set up as an additional AP I can connect to if something goes wrong with the virtualization setup.
Been running this for at least 6 months and has been working pretty well.
Both port specific firewall rules, and web-server IP permissions are important.
For example, bandwidth rate-limiting may be inhibited for admin SSH or package updates, and LAN IPv4 private ranges for your host address pool are set.
Finally, your internal DHCP should statically bind your admin computer MAC to a fixed LAN host IP to further reduce issues.
Personally, I always build my NAS from scratch, as I have lost count of the number of problems web GUIs have caused over the years. =3
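The failure mode described earlier in the thread (an admin interface that was confirmed private at install time and later turned up reachable from the outside) is one that can be checked for on a schedule rather than discovered by accident. The script below is an added example, not code from any commenter or from Proxmox; it audits the listening TCP sockets of a router or hypervisor host, as reported by `ss -ltnH`, and flags any management port that is bound to a wildcard address or to the WAN address, i.e. anything the host itself would accept if the packet filter were ever silently loosened. The sample `ss` output, the WAN address 203.0.113.7 and the service labels are constructed for the example; 8006 is the port the Proxmox web UI listens on.

```python
"""Audit `ss -ltnH` output for management services reachable on the WAN side.

Added example. Run `ss -ltnH | python3 audit_listeners.py` on the router
host, or call audit() on captured output. Assumes the host's WAN address(es)
are known to the caller; the values below are constructed sample data.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical list of management ports to watch; 8006 is the Proxmox web UI.
MGMT_PORTS: Dict[int, str] = {22: "ssh", 443: "https", 8006: "proxmox-web-ui"}

# Forms `ss` uses for "listen on every address" (old and new iproute2 output).
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

# Constructed sample of `ss -ltnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8006 0.0.0.0:*
LISTEN 0 128 192.168.1.1:22 0.0.0.0:*
LISTEN 0 4096 *:22 *:*
LISTEN 0 4096 [::]:8006 [::]:*
LISTEN 0 511 127.0.0.1:85 0.0.0.0:*
LISTEN 0 4096 203.0.113.7:443 0.0.0.0:*
LISTEN 0 128 [fe80::1]%eth0:22 [::]:*
"""


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    bind: str      # the local address field exactly as `ss` printed it
    reason: str


def parse_local(field: str) -> Tuple[str, int]:
    """Split an `ss` local-address field into (address, port).

    Handles '0.0.0.0:8006', '*:22', '[::]:8006' and '[fe80::1]%eth0:22'.
    """
    addr, _, port = field.rpartition(":")
    if addr.startswith("["):
        # Drop the brackets and any %scope suffix that follows them.
        addr = addr[1 : addr.index("]")]
    return addr, int(port)


def exposure_reason(addr: str, wan_addrs: Set[str]) -> Optional[str]:
    """Return why a socket bound to `addr` would accept WAN connections, or None."""
    if addr in WILDCARDS:
        # Note: a '::' bind also accepts IPv4 on Linux unless net.ipv6.bindv6only=1.
        return "wildcard bind"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # unparseable address: not something we can reason about
    if ip.is_loopback or ip.is_link_local:
        return None  # never reachable from the WAN
    if addr in wan_addrs:
        return "bound to WAN address"
    return None  # bound to a LAN address only


def audit(ss_output: str, wan_addrs: Set[str],
          mgmt_ports: Dict[int, str] = MGMT_PORTS) -> List[Finding]:
    """Return the management sockets that the host would accept from the WAN."""
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parse_local(parts[3])
        if port not in mgmt_ports:
            continue
        reason = exposure_reason(addr, wan_addrs)
        if reason:
            findings.append(Finding(port, mgmt_ports[port], parts[3], reason))
    return findings


if __name__ == "__main__":
    # Real output from stdin if piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for f in audit(text, {"203.0.113.7"}):
        print(f"EXPOSED {f.service:<15} {f.bind:<22} ({f.reason})")
```

A wildcard bind is not itself a fault (most services default to it); the point of the check is that such a socket relies entirely on the packet filter staying correct, so it is exactly the thing to re-verify after every update, ideally from a host on the WAN side as well as from the router itself.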
Aside from the fact that "a CPE" is grammatically incorrect, you are also semantically wrong. A router is any device connected to multiple networks that can forward packets between them; and consumer-premises equipment includes everything that's directly connected or consumes a service from a telecom provider. Landline phones, set-top boxes and satellite decoders are also examples of CPE.
It would be like me stating "you're not a man, you're a human!" and then expecting you to be in awe of my profound wisdom.
Technically it's an IPv4 router once you enable net.ipv4.ip_forward in step 1, the rest is enabling a whole lot of supplementary services and operations not intrinsic to the definition of a router.
Thank you for informing me that a novel definition of the term "router" has come along since the last time I turned a Linux box into a router. The world changes in strange ways sometimes!
What is "CPE" in this context? It's probably not "Common Platform Enumeration" (my top results for "cpe linux") or "Customer-Premises Equipment." ("cpe networking")
> CPE generally refers to devices such as telephones, routers, network switches, residential gateways (RG), set-top boxes, fixed mobile convergence products, home networking adapters and Internet access gateways that enable consumers to access providers' communication services and distribute them in a residence or enterprise with a local area network (LAN).
I think a CPE could (be/include) a router, but usually it refers to the demarc between the provider's network and the customer's (no matter who owns/manages it).
For a Linux box to be a true CPE you'd likely need somewhat of a specialized card, one that can communicate directly to the next device up the line (e.g., take commercial fiber or cable in, ISDN modem, etc).
If it just shoots out ethernet into some other box next to it, it's likely not a CPE.
> CPE generally refers to devices such as telephones, routers, network switches, residential gateways (RG), set-top boxes, fixed mobile convergence products, home networking adapters and Internet access gateways that enable consumers to access providers' communication services
From my understanding any type of device that is used to extend or facilitate provider services is a CPE. So a router just acting as an extender would still be a CPE, as would a modem, as would anything that is on the customer side and facilitates provider services. The only situation a router wouldn't be a CPE is if it was just for a local LAN network.
I didn't see in TFA --although I may have missed it-- where it said it was replacing the ISP's router/CPE. Anything routing traffic is a router.
At home I've got both a CPE given by my ISP and my own router that routes and bridges traffic between two LANs of mine (192. and 10.).
Moreover the lack of IPv6 inside our own LANs is, for many of us, a feature. It doesn't mean we don't have an IPv6 address: it just means we have the choice and did choose to have our own LANs on IPv4 only. And, no, I don't care that it makes some programmers at some megacorp' lives more difficult to "reach" inside my networks.
I'm the boss at my home and my router is IPv4 only.
IPv6 support is not required for a router. You'll note they also fail to offer IPX/SPX or ATM and many more.
https://en.wikipedia.org/wiki/Customer-premises_equipment
Given that the Wikipedia definition of CPE includes routers, I don't see how calling it CPE precludes it being a router, as the poster claimed:
> That's not a router, that's a CPE, and one without IPv6 support
And I've got that in addition to my ISP's CPE.