Message Boards » Tech Talk » Question: WiFi, routing, and my firewall
darkone
(\/) (;,,,;) (\/)
11229 Posts

I thought I would ping the TWW hivemind (such as it is these days) to see if anyone has any ideas for how to approach my particular networking problem.

I have a bunch of Raspberry Pis acting as IoT devices that record data. I've been having them rsync that data to my lab's servers on NCSU campus. I run my own pfsense firewall for my lab to keep the king of England out of my servers. I have a whitelist for SSH connections that uses FQDNs. The devices use Duck DNS as their dynamic DNS service and the FQDNs from Duck DNS are what's in the whitelist.

My problem comes from putting one of my Pis on the NCSU eduroam WiFi network. Devices on that network appear to the internet to have 152.* addresses. However, when devices on the eduroam network route to something at NCSU, like one of my servers, they have a 10.* address.

My problem is I don't know how to let these things through my firewall without letting all local traffic through. The IP addresses that they update with Duck DNS aren't what my firewall sees when they try to rsync.


Anyone have ideas about how I should approach this problem? Please keep in mind that I'm a scientist and not a networking professional. I can't change anything about how NCSU's network works. I would like to make no changes to the Pis if possible. I can adjust pfsense however I'd like.

1/15/2019 9:33:42 AM
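The mismatch described in the post, worked through as an added example (this is not code from the thread, and nothing here is a pfSense API). The DuckDNS answers and the source addresses are constructed: 152.1.0.0/16 stands in for the public 152.* range and 10.0.0.0/8 for the campus-internal range. A pfSense FQDN alias is resolved by the firewall on a timer and the resulting addresses are loaded into a table; the rule then matches the packet's source against that table. The Pi updates its DuckDNS record with whatever address the wider internet sees, so the table holds the NAT'd 152.* address while an rsync from eduroam to a campus server arrives from 10.*. The `widen` step is the thread's last-resort fix, with a count of how many sources it admits:

```python
"""Why a DuckDNS-backed FQDN whitelist does not match a Pi on eduroam.

Added example, not code from the original thread. The DNS answers and
source addresses are constructed; 152.1.0.0/16 stands in for the public
152.* range and 10.0.0.0/8 for the campus-internal range in the post.
"""
import ipaddress

# Constructed stand-in for the DuckDNS records the Pis keep updated.
# A Pi learns its address by asking an outside service what it looks
# like from the internet, so the record holds the NAT'd 152.* address,
# never the 10.* address it actually uses toward on-campus hosts.
DUCKDNS_ANSWERS = {
    "lab-pi-01.duckdns.org": "152.1.200.17",
    "lab-pi-02.duckdns.org": "152.1.200.42",
}

CAMPUS_INTERNAL = "10.0.0.0/8"


def resolve_alias(fqdns, answers=DUCKDNS_ANSWERS):
    """Mimic a pfSense FQDN alias: the firewall resolves each name on a
    timer and loads the resulting host addresses into a table."""
    return {
        ipaddress.ip_network(answers[name])
        for name in fqdns
        if name in answers
    }


def is_allowed(src, whitelist):
    """The rule check: does the packet's source fall in any table entry?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in whitelist)


def widen(whitelist, cidr):
    """The thread's last-resort fix: add a whole CIDR to the table."""
    return set(whitelist) | {ipaddress.ip_network(cidr)}


def admitted_hosts(whitelist):
    """How many distinct source addresses the table now lets in."""
    return sum(net.num_addresses for net in whitelist)


if __name__ == "__main__":
    table = resolve_alias(DUCKDNS_ANSWERS)
    # Same Pi, two faces: what DuckDNS recorded vs. what pfSense sees
    # when the rsync arrives from eduroam across the campus backbone.
    print(is_allowed("152.1.200.17", table))   # True  (matches the record)
    print(is_allowed("10.153.4.7", table))     # False (what pfSense actually sees)
    wide = widen(table, CAMPUS_INTERNAL)
    print(is_allowed("10.153.4.7", wide))      # True
    print(admitted_hosts(table), admitted_hosts(wide))  # 2 16777218
```

The last line is the trade-off in one number: the FQDN table admits exactly the two Pis, while adding 10.0.0.0/8 admits every address on the campus-internal range, since the firewall has no way to tell a Pi's 10.* address from anyone else's.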

FroshKiller
All American
51257 Posts

Can you not ask OIT to make sure the Eduroam addresses assigned to the Pis (based on their MACs, maybe) are static or at least within a small known range?

1/15/2019 1:59:01 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

I'll ask but I doubt it. I find OIT to typically be unhelpful.

One, they couldn't even tell me how to get the Pis on the network since their automated configuration tool didn't support Debian based OSes. I had to figure that one out on my own. NCSU uses TLS for their eduroam implementation and just about everyone else on the planet uses PEAP or TTLS.

Two, the Pis technically aren't in compliance with the University's antivirus and endpoint protection policies. They are probably just as likely to blacklist the devices from the network as to help me.

1/15/2019 2:20:40 PM

FroshKiller
All American
51257 Posts

Well, certainly don't tell them what the devices are if they don't ask. And if they do ask, consider lying.

1/15/2019 2:25:02 PM

FroshKiller
All American
51257 Posts

Can pfSense not filter by MAC after the local addresses are allowed? I've never used it.

1/15/2019 2:31:03 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

It doesn't look like it. I've found some forum threads grumbling about lack of MAC filtering support.

1/15/2019 2:44:17 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

Ug. It looks like I'm about to learn a lot about implementing a VPN.

1/15/2019 2:57:45 PM

rjrumfel
All American
21412 Posts

I'm just curious, and this has nothing to do with a solution for you, but are you at liberty to say what kind of data you're collecting?

1/15/2019 4:09:00 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

atmospheric pressure

1/15/2019 4:24:53 PM

rjrumfel
All American
21412 Posts

That's pretty cool. So this is probably a very simple question as I'm sure you're working with pretty complicated equipment, but would it be possible to turn my Pi into a barometer?

Right now it's just running an emulating OS for old games.

1/15/2019 4:29:54 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

It's not complicated.

https://www.adafruit.com/product/2652

1/15/2019 4:36:55 PM

rjrumfel
All American
21412 Posts

Oh lort, they got a breadbox

1/15/2019 4:47:50 PM

A Tanzarian
drip drip boom
9668 Posts

How many sensors? Where are they? What other data are you collecting? How long have you been collecting? What are you doing with the data?

Tell us more!

1/15/2019 9:49:53 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

I'll start a new thread to answer the sensor questions.

I'm still looking for solutions. Whoever staffs the OIT help desk doesn't seem to know a lot about how their own network works. But, they seem open to helping me if they can figure out how.

1/16/2019 11:09:24 AM

smoothcrim
Universal Magnetic!
18405 Posts

I'd allow all 10.0.0.0/8 addresses since you also have the additional layer of protection of SSH. You've filtered out everything but NCWREN, which is almost all of the malicious internet anyway. I'm sure you're also filtering broadcast and ICMP ingress at the pfsense layer anyway, so you've also got security by obscurity.

1/16/2019 12:09:02 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

That's my last resort. I'm not sure I'd classify the 10.0.0.0/8 addresses as non-malicious.

1/16/2019 12:36:33 PM

FroshKiller
All American
51257 Posts

smoothcrim you are banished from this thread for being simple

1/16/2019 1:32:43 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

This network stuff makes me feel like a kid who's found a wizard's grimoire. The spells are all in a language I half understand and I'm never confident that I'm not going to inadvertently summon a daemon.

1/16/2019 1:58:38 PM

rjrumfel
All American
21412 Posts

ISWYDT

1/16/2019 3:35:26 PM

darkone
(\/) (;,,,;) (\/)
11229 Posts

I whitelisted 10.0.0.0/8 for ssh access. I feel so dirty. At least if I'm hacked, I'll know it came from NCSU.

1/16/2019 3:42:35 PM
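Once 10.0.0.0/8 is whitelisted for SSH, the compensating control a practitioner would want is to log that rule and review who actually comes through it, so that "I'll know it came from NCSU" becomes "I'll know which 10.* address it came from". The following is an added example, not from the thread: it parses pfSense filter-log lines and reports campus sources that reached port 22 but are not addresses you recognise. The log lines are constructed, and the field positions follow pfSense's documented filterlog CSV layout for IPv4/TCP as I understand it (an assumption; check it against your own /var/log/filter.log before relying on it). The `expected` set would come from wherever the Pis were last seen connecting from, for example sshd's own log on the lab server.

```python
"""Who actually came through the 10.0.0.0/8 SSH rule?

Added example, not code from the original thread. The log lines are
constructed, and the field layout (pfSense filterlog CSV for IPv4/TCP)
is assumed from pfSense's documented format; check it against your
own filter log.
"""
import ipaddress
from collections import Counter

CAMPUS = ipaddress.ip_network("10.0.0.0/8")
SSH_PORT = 22

# Constructed sample: two campus sources hit port 22 and are passed,
# one outside address is blocked, one campus hit on 443 is not SSH.
SAMPLE_LOG = """\
Jan 16 15:45:01 fw filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,62,0,0,DF,6,tcp,60,10.153.4.7,152.1.50.10,51234,22,0,S,1843902811,,29200,,mss;nop;wscale
Jan 16 15:45:03 fw filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,62,0,0,DF,6,tcp,60,10.153.4.7,152.1.50.10,51235,22,0,S,1843912811,,29200,,mss;nop;wscale
Jan 16 15:46:10 fw filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,0,0,DF,6,tcp,60,10.42.8.199,152.1.50.10,40000,22,0,S,2273648021,,64240,,mss;nop;wscale
Jan 16 15:46:12 fw filterlog: 7,,,1000000104,em0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,198.51.100.23,152.1.50.10,55555,22,0,S,997211034,,65535,,mss
Jan 16 15:47:00 fw filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,62,0,0,DF,6,tcp,60,10.153.4.7,152.1.50.10,51240,443,0,S,1843922811,,29200,,mss;nop;wscale
"""

# Positions of the fields we need in the IPv4/TCP layout (assumed):
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,proto-id,proto,length,src,dst,sport,dport,...
F_ACTION, F_DIR, F_IPVER, F_PROTO = 6, 7, 8, 16
F_SRC, F_DST, F_SPORT, F_DPORT = 18, 19, 20, 21


def parse_filterlog(line):
    """Return the useful fields of one IPv4 TCP filterlog line, else None."""
    marker = "filterlog: "
    if marker not in line:
        return None
    fields = line.split(marker, 1)[1].split(",")
    if len(fields) <= F_DPORT or fields[F_IPVER] != "4" or fields[F_PROTO] != "tcp":
        return None
    return {
        "action": fields[F_ACTION],
        "direction": fields[F_DIR],
        "src": ipaddress.ip_address(fields[F_SRC]),
        "dst": fields[F_DST],
        "dport": int(fields[F_DPORT]),
    }


def campus_ssh_sources(log_text):
    """Count inbound SSH connections that pfSense passed from the 10/8 range."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if (rec["action"] == "pass" and rec["direction"] == "in"
                and rec["dport"] == SSH_PORT and rec["src"] in CAMPUS):
            counts[str(rec["src"])] += 1
    return counts


def unexpected_sources(counts, expected):
    """Sources the wide rule admitted that are not Pis you know about."""
    return sorted(set(counts) - set(expected))


if __name__ == "__main__":
    seen = campus_ssh_sources(SAMPLE_LOG)
    print(dict(seen))
    # 10.153.4.7 is where a Pi was last seen from; 10.42.8.199 is not.
    print(unexpected_sources(seen, {"10.153.4.7"}))
```

A pass entry only means the firewall accepted the connection; whether the login succeeded is in the server's sshd log, so the two should be read together. The same report also shows how much of the 10/8 range is really in use against port 22, which is the evidence to take back to OIT if a narrower range can be found for the Pis.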

© 2019 by The Wolf Web - All Rights Reserved.