NethSecurity Beta 1 is ready 🛡

@filippo_carletti and @giacomo if 100mbps will be cut out I will be sad, disappointed, but think I could get why.

In Italy, slower connections are still under 100mbps (even asymmetrical), so older adapters are perfect for use (on bare metal) in slower slots and on slower hardware. It’s not power efficient, however it’s a way not to generate more eWaste. And sometimes, on VDSL connections… better to have the older card take the ESD.
For any other use, fast ethernet adapters are simply ready to be recycled, not re-used.

Hint for documentation.
https://docs.nethsecurity.org/en/latest/system_requirements.html
In this page a link to OpenWRT packages/drivers for hardware

Could be useful?

A lot of industrial equipment is actually running its controllers with 100 Mbps connectivity…

Older, yes. Current I don’t think so.
Gigabit ethernet is nowadays mature, reliable, cheap and efficient technology.
However, industrial equipment can be connected via switch; newer have some issues with 10mbps, however never miss a bit on 100mbps.

This should be a router.
Anyway

ToH from OpenWRT reports the supported hardware, which is not the support for NethSpicAndSpan8 (consumer router on steroids), currently only x64 (no. 32 bit now for a perimetral device is a complete no go, there are too many unpatched vulnerabilities.)

Testing comes to a stop for me.
The system I used for testing had an issue: a Realtek 8139 was not considered an interface, however the Realtek 8111 was fine (integrated on the mainboard).
I had a 1gbe Realtek card hanging around and a free slot, so I plugged it in. And I’m sure the kernel does understand the card is there.


However, I was not able to ping the device.
I set up the client from DHCP to a static IP. Still can’t ping NethSec.
Check cables and switch. Port off on the switch. Which is unmanaged, but the cable is connected. I plug the cable into the switch of the other card, 100mbps. Can’t ping NethSec.
Reboot NethSec, looking for the switch port. At power on, integrated adapter went 100MBPS. At some point into the boot process, the led turns off (aka “dead/unplugged” cable).
Shut down again, removed added gigabit card.
Powered on, switch led 100mbps. At a certain point into the boot process, it switches to 1GBe. From the client I can ping NethSec and obtain an IP address.

Faulty card? Well… Linux detects all cards nicely.


And uses correctly too: 1gbps for both RTL8111, 100MBps for RTL8139, ping and sustained data transfer. The OS is CentOS7 customized, NS7.

Trying to provide something useful: has the same driver/adapter for multiple interfaces/zones been tested?
In the virtual environment, were only the suggested/default drivers used for all the guests?
Could it be that the interface management engine does not handle homogeneous kinds of chips, or Realtek ones, that well?
Is there a well known issue for OpenWRT on Realtek adapters?

@pike

If I recall correctly, a few months ago you posted an issue and solution for NS on a smaller, firewall type box concerning a Realtek NIC. Maybe it’s the same / similar issue. Realtek does have quite a few issues as hardware, on several platforms / OSes…

Correct detection does not mean a working card. I’ve had, in the past, plenty of hardware issues with cards that looked fine and showed as working (in Windows and Linux). The NIC even lit up when an active ethernet cable was plugged in, but I never got it working. The card failed on 3 different pieces of hardware, so it got junked. Such cards are too expensive for me and my clients, even though they may initially have been free (lying around from other hardware…).

My 2 cents
Andy

This is the whole story, happened on a similar mother board. On CentOS7. Which has worked for more or less around three years on this hardware.
Now. This hardware works with CentOS 7. Tested.

And the behavior with NethSec is different, on the very same hardware, but with OpenWRT kernel.
Currently, due to this behavior, I’m not able to test NethSec. I don’t have any virtual hardware to allocate, I have currently no other hardware to use for this.

Sometimes life is unfair!

Wasted days trying to get a Mac Mini to run Proxmox - after doing more than 10 similar / same Mac Minis.

The only issue was an unusual Broadcom NIC for WLan (Proxmox, as I use it, never has WLan active!) which always crashed the installer.

After several days, I reinstalled MacOS on that box…
Sh*t happens!
Time wasted.

Maybe also learned not to waste more time in a box that costs almost nothing!

:slight_smile:

My 2 cents
Andy

I can get that this hardware might not be suitable to NethSec. However
It checks all boxes.
Intel mainboard, intel chipset, intel CPU, realtek cards. Old stuff, but not “crap” and mostly… very well known hardware, not only for old age.
(I know, Realtek is not “that good” either, but is reliable enough, when the driver works)

Currently the requirements are satisfied, so should work. Or at least, help to create (for what it’s worth) a small user experience for bug solving (if there’s any) or improved system requirement list.

Hi @pike

Does OpenWRT work and recognize all cards on that box (out of the box install)?
OpenWRT can boot off USB, so it should be easy to test.

I’m just wondering…

My 2 cents
Andy

If it were supported for more than 4 months I’d install NS 7.9 plus Firewall-related modules. For something to deliver, not for getting in touch with the new toy.
OpenWRT does not interest me currently, and I don’t trust that much the development of another firewall distro (which recently gained UEFI superpowers), but currently this other distro has not yet delivered an expiration date.

Beta 1 test for me ends here, I hope for better luck in Beta 2.

Hi @pike

I’ve seen german clients insist on a 10 GBE equipped router / firewall.
Their main office has only 100 MBit/S connections (for a few more years!) - but they still want a 10 GBE capable box!

And yes, they have 3x 100 MBit/S bundled via routers for higher transfer speeds… :slight_smile:

Amusing, how some people think - and waste their money!

My 2 cents
Andy

I probably could do worse than them.
Maybe they don’t want a 10GBe routing switch for internal traffic? IDK. We are OT since a few posts now.

Internal?

No, three 10 GBE NICs for their 3 connections, 5 other NICs for Internal. Some of their LANs do have 10 GBE capability. (Productive and Storage, but hardly any traffic between those two!) But the Internet? :slight_smile:

Howly schmackos. I did not get that, thanks for the clarification.

In relation to outgoing connections, it may not make sense, but in relation to internal connections, it makes a lot of sense actually.

Also, the fact that they have 3 100 Mbps connections is actually great,

for starters, if separate providers, then they have the advantage of failover,
secondly, the router would future proof the organization,
thirdly, they can do bonding and interesting traffic shaping/load balancing magic, to actually utilize the full 300 Mbps on the 100 Megs each. That’s more complex to achieve, but doable, it’s what small ISPs in Africa are doing…

In that place, only the national Telekom as provider. Just 3 for more Bandwidth.

And no magic in their LAN, just bad - or really, really bad planning.

A subnet /24 (256 hosts possible) for over 250 hosts.
Enlarged the subnet to /23, but forgot this on half the hosts.
Also forgot to adapt the DHCP server range, not enough IP.
Then forgot the AD and file servers to adapt the fixed IP subnet - unreachable servers…

A few weeks later on, the same game with /22.

Also forgot half the important stuff (servers, switches, routers…).

And the boss handles this personally, when he is in vacation and does not have control - or is hardly reachable!

Just Chaos!

Sh*t happens

My 2 cents
Andy

I’ve created a temporary build: config: add support for some common network cards · NethServer/nethsecurity@7dee4dd · GitHub
If you have time, you can try the image downloading it by the end of the page, click on the x86_64-image artifact.
(Please note that the package will be automatically deleted in 5 days).

I can understand why, but I doubt I will be able to test again before saturday.
This is a UP for anyone that’s willing to use any kind of other adapters in this test setup.

@pike, download and store it somewhere, then you have time to test.

Yes it is :slight_smile:

It’s still a bit rough, but it does its basic job: it allows managing all connected firewalls from a central point.