cyberstudent with basic questions about interface configurations
-
If you have somewhere around 60 minutes left : Sending digital information over a wire.
When finished watching the 13 episodes, let it sink in for a while. Then, when needed, get back to each of them (this is called the learning phase).
In the nineties, last century, knowing all that would have brought you close to a "network engineering degree". These days it's just "network basics", but as it is used by one of the world's most widely used infrastructures, known as the Internet, it should be made mandatory knowledge - IMHO. After all, all it takes is just a couple of hours .....
edit : if you can follow the Eater guy, look at his other videos : he made a fully working "micro" (maxi ?!) processor using just off-the-shelf old school TTL chips (each less than a $). You can even make your own ! "Look, Mam, I execute my own micro code !"
Now you have enough knowledge to start to understand what's going on in an Intel i9 core. And yes, things are as easy as he showed it.
-
@cyberstudentnewbie The class I took covered many different topics. We covered different vendor firewalls and we also covered base Linux topics like iptables all the way to Windows Server firewall settings, as well as pfSense all the way to Palo Alto major releases. Our school had student versions that Palo Alto had for us. After that we used pen testing software within the ethical hacking class to break into the equipment (I took both classes at the same time). Those classes will really help you get your foundational knowledge built. After that I purchased an official pfSense firewall just to learn more with; it is a puzzle. I am sure you know not many firewall tools are available for cyber security students to learn and work with like this. pfSense fits that need as it's open source and it comes with an enterprise class web cache proxy if you really want to push yourself. Again, its proxy configuration is really complex; it's no joke with the need for certificate use and everything that needs to be configured for it to work. I purchased my official Netgate appliance while taking the ethical hacking class so I could really learn with it; we even used pfSense in the finals, the instructor had it all set up for us to configure with. I was really happy that I got a grant that paid for my 2100-MAX, I thought it's what's needed for me to advance my knowledge. Keep in mind, because it is open source, I am still learning stuff with it; I am a computer science student, so I am now playing with the code on it. I cannot wait until I get my C+ class done, I have only learned Python, Java and Assembly code so far. I really need to take that C+ class so I can really get into the code for it. The tools really advance the direction of cyber security.
When I was younger, back in the 2000's taking classes, Cisco MARS and Cisco PIX products were the major players in cyber security. Again, not many tools were available to study with; you could never take an appliance home to research and study with unless you had thousands and thousands of dollars. So Netgate really fits the need today, it was my cyber security go-to tool.
This community also is so helpful if you get stuck.
I recommend you start off with ports and access control lists on it and afterwards start learning about packages as you gain more knowledge. The TCP/UDP ports, IP classes and addresses with access control lists were what firewalls were back in the 2000s. We didn't even have a GUI back then, just Cisco's global config mode command line.
Don't give up and do not be afraid to use office hours. The professors want to help you, they are paid to help you, so use the office hours they set aside when you get stuck also.
-
Awesome and great info from both of you guys. I'll definitely be checking out the Eater guy, looks very cool.
I'm saving up for an official Netgate appliance as we speak. I already have an older appliance which seems to work great with pfSense but have been hesitant to really play with it as of yet. I'm used to the configurations on the Ubiquiti and TP-Links; it's just a little harder to get used to pfSense, but I'm definitely all about learning it specifically because it has all the capabilities to run the separate packages. I'm especially interested in the HIDS tools I can run with it.
But first I have to learn the basics. I'm really confused on using secondary routers and secondary firewalls for setting up a web server in a DMZ zone (or separate from the internal network). Okay, here are a couple of totally basic questions for you guys.
1.) The serial port option to connect the appliance to a device (which it seems is not used too often, I think at least in home lab setups): is that cable going to connect to an old computer with a serial input, does it just run the web browser GUI? Just another way to connect to it like with an Ethernet cable?
and 2.) In my original post, I was instructed to create another subnet on OPT1 and route my Ubiquiti to it by setting the gateway on the Ubiquiti secondary router. Is that second LAN I create on OPT1 considered a VLAN, and is it separate and isolated from the network coming off my LAN output port? I'm just confused on the difference between a VLAN and a subnet.
and 3.) Is it pointless to purchase an 1100 instead of a 2100 to really maximize the software capabilities?
-
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
1.) The serial port option to connect the appliance to a device (which it seems is not used too often, I think at least in home lab setups): is that cable going to connect to an old computer with a serial input, does it just run the web browser GUI? Just another way to connect to it like with an Ethernet cable?
The only way to run a browser over a serial cable is if PPP is run over it. This sort of thing is covered in the CCNA about things like frame relay or T1 lines, where you have to use PPP.
-
On headless devices like this one there is no VGA or HDMI port. There isn't even a graphics chip inside such a device. It's a router after all, not some desktop device.
So : no screen.
Now, what happens when, for some reason, the NIC drivers refuse to load ? That means : none of your NICs work.
Now you know why every serious router/firewall (switch, low-budget Amazon camera, coffee machine, the computer in your car, etc etc etc) has a more or less secret serial interface (or comparable interface).
To get in in case of 'emergency'.
I call the serial access on my 4100 the "God mode access" : if that serial port doesn't work, the system is dead at a BIOS level, or higher (lower).
You never need this access, but the day you need it, you need it badly.
Btw : the cable is often a serial-to-USB cable, so any recent device/PC with a USB port can be used.
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
In my original post, I was instructed to create another subnet on OPT1 and route my Ubiquiti to it by setting the gateway on the Ubiquiti secondary router. Is that second LAN I create on OPT1
Did you activate a second physical "LAN" port - called OPT when you initially created it ? Or did you create an OPT VLAN using the LAN ?
Lol, tell us how you've set it up and we'll tell you how you've set it up ^^
Btw : remember the old story about how the earth etc was created in 7 days ? As a guideline, stick to that story.
VLANs etc were created on day "181" ...... so do what needs to be done on day 8, 9 etc (don't skip them). When you reach day "181", you will know what VLANs are and how to deal with them.
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
to really maximize the software capabilities?
None of the two.
1100 or 2100 together with the word "maxima" : I see two occasions here : very low power consumption, as these devices are very low power ARM processor based. And also a maximum in 'simple setup' as you can't do much with them.
They will route an entire household just fine, though.
For all the other "maxima" : this one. And don't take the "16 Gbytes disk space version". The moment you start that package that needs huge resources, you run out of disk space ... (1 Gbytes is "nothing" these days).
-
And to be clear that requires a ppp server at the pfSense end which is not configured.
To use the serial console in pfSense you need to use an actual serial connection and then use a serial terminal program on the host to connect across it.
So for most users that means using a USB serial adapter of some sort since not too many people have a laptop with a real serial port these days!
Some appliances, like the ones we sell, have a USB serial console where the USB/serial interface is on-board. That means you can connect to it with a standard USB cable.
Steve
-
oh ok good to know...
1.) Only as a last resort totally makes sense for the serial cable question.
2.) As for the setup for the LANs:
cable modem provides public IP address to pfSense on WAN
LAN interface is set to 192.168.40.15/24
OPT1 interface is set to 192.168.50.20/32
LAN goes into a switch for 3 workstations receiving addresses from pfSense: 192.168.40.20, 192.168.40.21, 192.168.40.22
Now I know OPT1 192.168.50.20/32 is a subnet cause of the /32, right?
If I just use another regular switch on the OPT1 subnet, by default is the OPT1 subnet a separate isolated network?
The goal is to have two isolated networks that cannot communicate with each other, and I am confused on the difference between subnetting and VLANs other than VLANs happen at the switch (layer 2) level. I learned VLANs accomplish segmenting networks... just confused if having a separate subnet (like the /32 sub-net) also isolates the networks. I have read a ton on it but cannot grasp the difference just yet in terms a 5 year old can understand.
3.) Okay so I can't afford the appliance just yet ;(
If number 2 is still confusing I'll post up pictures of the configuration for you guys. And thanks for the help on the basics...
My firewall class starts in 2 weeks for the summer semester but I'm taking the CompTIA Network+ again (almost passed first time out) next week and want all the info I can get now..
-
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
just confused if having a separate subnet (like the /32 sub-net)
/32 isn't really a subnet, /32 is 1 IP address.
Let's say you have
192.168.0.0/25 = 192.168.0.0 - 192.168.0.127
and
192.168.0.128/25 = 192.168.0.128 - 192.168.0.255
Those would be different networks, but that doesn't mean they are isolated at layer 2.. Which is what you would use VLANs for, to actually isolate the 2 networks on different layer 2 networks.
The mask just tells you what IPs are in the layer 3 network. Setting an interface to anything/32 would not really be viable for an interface that wants to talk to anything, because that really isn't a network, it's a specific single IP.. Those would only really be valuable as a loopback address, or in a firewall rule, not really as a mask for an IP on an interface that wants to talk to something else.
-
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
OPT1 interface is set to 192.168.50.20/32
A /32 isn't possible.
As that would mean that that IP "192.168.50.20" is the only IP usable on that "OPT1" network.
Sneak peek how LAN is set up : 192.168.1.1/24 - you see that 24 ? That means IP 1 to 254 are usable.
256 is 2^8 or /24
Also, with a /32 you can't activate the DHCP server on OPT1, as there is only 1 IP in that "192.168.50.20" network .... and you've already used it.
So when you connect a device to that OPT NIC : it won't reply to any DHCP request. As it has none to offer .... (and the DHCP isn't working anyway on that interface ...)
And, please : don't do that : "192.168.50.20".
Use "192.168.50.1" for the pfSense OPT1 IP, or "192.168.50.254" if you have to.
For every other IP, be ready to receive the ......"don't do that - many have tried - they all ...."
Well, we never saw them again.
-
@Gertjan said in cyberstudent with basic questions about interface configurations:
Use "192.168.50.1" for the pfSense OPT1 IP, or "192.168.50.254" if you have to.
While I agree with you from a common practice point of view, using the first or last IP in a network is common practice as the gateway IP. But there is nothing saying you have to do that. I use for example .253 for all my pfsense IPs.
Mostly because devices tend to default to .1 or .254 as their IP when setting up.. And if I connected a new device to any of my networks I didn't want them by accident stepping on my router's IP. I don't run any common networks, 192.168.0 or 192.168.1 or 10.0.0 for example - but not using .1 or .254 is a habit from when I used those common networks.
But agree, someone new to networking, common to use the .1 or the .254 as your routers IP in the network when using /24 networks.
-
@Gertjan said in cyberstudent with basic questions about interface configurations:
Sneak peek how LAN is set up : 192.168.1.1/24 - you see that 24 ? That means IP 1 to 254 are usable.
256 is 2^8 or /24
Yes, the /24 means 24 bits out of the 32-bit address are fixed, leaving 8 bits that can be defined for addresses in the subnet. And, yes, 2^8 means 256 addresses.
But here you can't use 0, that's the network address, and you can't use 255, that's the broadcast address.
-
/24 is the CIDR version over using the 255 octets for your subnet mask: 192.168.1.1 255.255.255.0 or just 192.168.1.1/24
You have your host address, your network, and a broadcast address. This occurs on the private IP class. You have different class addresses also, like class A, B, C, for the private addresses. Check out a subnet calculator. I had to do all this stuff by hand when it was taught at the college. You have to learn how to subnet by hand but the calculator can help you get a start on it.
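The subnet arithmetic the last few posts walk through (the two /25 halves of 192.168.0.0/24, a /24 fixing 24 of 32 bits and leaving 256 addresses, network and broadcast addresses being unusable for hosts, and a /32 being a single address) done by hand in Python, as an added example that is not part of this thread. It is the "subnet calculator" the post mentions, written from the mask bits up, and it cross-checks its own answers against the standard library's ipaddress module. The addresses used are the ones quoted in the thread; the function names are this example's own.

```python
import ipaddress


def parse_cidr(cidr: str):
    """Split 'a.b.c.d/n' into (address as a 32-bit int, prefix length)."""
    addr, prefix_str = cidr.split("/")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    addr_int = 0
    for o in octets:
        addr_int = (addr_int << 8) | o
    return addr_int, prefix


def to_dotted(n: int) -> str:
    """32-bit int back to dotted-quad notation."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast and usable host range for an IPv4 CIDR block."""
    addr, prefix = parse_cidr(cidr)
    host_bits = 32 - prefix
    # /24 = top 24 bits fixed (network part), low 8 bits free for hosts
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = addr & mask                        # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set
    total = 1 << host_bits                       # 2^host_bits addresses
    if prefix <= 30:
        # first address is the network, last is the broadcast: neither is a host
        usable = total - 2
        first_host, last_host = network + 1, broadcast - 1
    else:
        # /31 (RFC 3021 point-to-point) and /32 (one host) have no separate
        # network/broadcast addresses, so every address is usable
        usable = total
        first_host, last_host = network, broadcast
    return {
        "address": to_dotted(addr),
        "prefix": prefix,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "total": total,
        "usable": usable,
        "first_host": to_dotted(first_host),
        "last_host": to_dotted(last_host),
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True if both addresses sit in the same /prefix (same layer 3 network)."""
    a, _ = parse_cidr(f"{ip_a}/{prefix}")
    b, _ = parse_cidr(f"{ip_b}/{prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (a & mask) == (b & mask)


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand calculation against ipaddress (strict=False accepts a host address)."""
    mine = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (
        mine["network"] == str(net.network_address)
        and mine["broadcast"] == str(net.broadcast_address)
        and mine["mask"] == str(net.netmask)
        and mine["total"] == net.num_addresses
    )


if __name__ == "__main__":
    # blocks taken from the thread: the LAN /24, the two /25 halves, the OPT1 /32
    for block in ("192.168.1.1/24", "192.168.0.0/25", "192.168.0.128/25", "192.168.50.20/32"):
        info = subnet_info(block)
        print(f"{block:>18}: net {info['network']} bcast {info['broadcast']} "
              f"mask {info['mask']} usable {info['usable']} stdlib ok={matches_stdlib(block)}")
    # the three LAN workstations share 192.168.40.0/24; the two /25 halves do not
    print(same_subnet("192.168.40.20", "192.168.40.22", 24))
    print(same_subnet("192.168.0.5", "192.168.0.200", 25))
```

Run it and compare the two /25 lines: they are distinct layer 3 networks with their own network and broadcast addresses, which is exactly what the mask decides and all it decides. Whether frames from one can reach the other's hosts is a layer 2 question (one broadcast domain or separate VLANs), and no mask arithmetic answers it; the /32 line shows why a single-address "network" leaves nothing for DHCP to hand out.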
-
@JonathanLee said in cyberstudent with basic questions about interface configurations:
You have different class addresses also like class a, b, c
This hasn't been used in 30 years.. Why they still come up is beyond me.. I learned classes because, well, CIDR wasn't even a thing yet when I got into networking. But why it still comes up is just nuts..
-
Good to know it existed. At some point you're bound to find some ancient documentation referring to it.
-
@JonathanLee said in cyberstudent with basic questions about interface configurations:
You have different class addresses also like class a, b, c, for the private addresses
Address classes have been obsolete for about 30 years, replaced by CIDR.
-
@stephenw10 said in cyberstudent with basic questions about interface configurations:
Good to know it existed.
And it's also good to know, many years ago, computers were built with vacuum tubes. However, that's totally irrelevant to today's computing. If you want even more "good", we can't forget that before classful addresses, every address was what became known as class A, that is 8 bit network address and 24 bits for the host.
-
We used to use candles and whale oil lamps for light as well ;)
-
@johnpoz well I feel old now… it still feels like cutting edge technology. I mean 10baseT was the hottest thing since sliced bread a couple years ago… token ring… BNC connectors. Don’t forget hubs, I mean what’s a switch, we rock massive collision domains here haha.
I was servicing a random site’s network equipment a couple years ago and they still had equipment racked in for an ancient IBM network design topology. It was no longer used and unplugged. But it had epic huge lock-in plugs. I had never seen it before. Predated BNC stuff. Pre-Ethernet. It was wicked cool.
The IBM Multistation Access Unit
-
@JonathanLee said in cyberstudent with basic questions about interface configurations:
I mean 10baseT was the hottest thing since sliced bread a couple years ago
It was a bit longer than a couple of years.. But yeah as you get older, 20 years seem like just last week ;)
Doesn't seem like that long ago was installing tcp/ip on the old windows 3.11 machines via a bunch of floppies..
-
What we need is to build a firewall on Xenix it has a tcp stack hahaha, use that new April 4th release of pfSense.