NethSecurity Beta 1 is ready 🛡

Older, yes. Current, I don’t think so.
Gigabit ethernet is nowadays mature, reliable, cheap and efficient technology.
However, industrial equipment can be connected via a switch; newer ones have some issues with 10 Mbps, but never miss a bit on 100 Mbps.

This should be a router.
Anyway

The ToH from OpenWRT reports the supported hardware, which is not the support list for NethSpicAndSpan8 (consumer router on steroids); currently only x64 (no, 32-bit nowadays for a perimeter device is a complete no-go, there are too many unpatched vulnerabilities).

Testing comes to a stop for me.
The system I used for testing had an issue: it did not consider a Realtek 8139 an interface, while a Realtek 8111 (integrated on the mainboard) was fine.
I had a 1GbE Realtek card hanging around, a slot was free, so I plugged it in. And I’m sure the kernel does understand that the card is there.


However, I was not able to ping the device.
I set up the client from DHCP to a static IP. Can’t ping NethSec, again.
Checked cables and switch. Port off on the switch (which is unmanaged), but the cable is connected. I plug the cable of the other card into the switch: 100 Mbps. Can’t ping NethSec.
Reboot NethSec, watching the switch port. At power on, the integrated adapter comes up at 100 Mbps. At some point in the boot process, the LED turns off (aka “dead/unplugged” cable).
Shut down again, removed the added gigabit card.
Powered on, switch LED at 100 Mbps. At a certain point in the boot process, it switches to 1GbE. From the client I can ping NethSec and obtain an IP address.

Faulty card? Well… Linux detects all cards nicely.


And uses them correctly too: 1 Gbps for both RTL8111, 100 Mbps for the RTL8139, ping and sustained data transfer. The OS is a customized CentOS 7, NS7.

Trying to provide something useful: has the same driver/adapter for multiple interfaces/zones been tested?
In the virtual environment, were only the suggested/default drivers used for all the guests?
Could it be that the interface management engine does not handle homogeneous kinds of chips, or Realtek ones, well?
Is there a well-known issue for OpenWRT on Realtek adapters?

@pike

If I recall correctly, a few months ago you posted an issue and solution for NS on a smaller, firewall-type box concerning a Realtek NIC. Maybe it’s the same / similar issue. Realtek does have quite a few issues as hardware, on several platforms / OSes…

Correct detection does not mean a working card. I’ve had, in the past, plenty of hardware issues with cards that looked fine and showed as working (in Windows and Linux). The NIC even lit up when an active Ethernet cable was plugged in, but I never got it working. The card failed on 3 different hardware setups, so it got junked. Such cards are too expensive for me and my clients, even though it may initially have been free (lying around from other hardware…).

My 2 cents
Andy

This is the whole story, which happened on a similar motherboard, on CentOS 7, which has worked for more or less three years on this hardware.
Now, this hardware works with CentOS 7. Tested.

And the behavior with NethSec is different, on the very same hardware, but with the OpenWRT kernel.
Currently, due to this behavior, I’m not able to test NethSec. I don’t have any virtual hardware to allocate, and I currently have no other hardware to use for this.

Sometimes life is unfair!

Wasted days trying to get a Mac Mini to run Proxmox - after doing more than 10 similar / identical Mac Minis.

The only issue was an unusual Broadcom NIC for WLAN (Proxmox, as I use it, never has WLAN active!) which always crashed the installer.

After several days, I reinstalled macOS on that box…
Sh*t happens!
Time wasted.

Maybe I also learned not to waste more time on a box that costs almost nothing!

:slight_smile:

My 2 cents
Andy

I can get that this hardware might not be suitable for NethSec. However
It checks all the boxes.
Intel mainboard, Intel chipset, Intel CPU, Realtek cards. Old stuff, but not “crap” and mostly… very well known hardware, not only for its old age.
(I know, Realtek is not “that good” either, but it is reliable enough, when the driver works)

Currently the requirements are satisfied, so it should work. Or at least, help to create (for what it’s worth) a small user experience for bug solving (if there are any) or an improved system requirements list.

Hi @pike

Does OpenWRT work and recognize all cards on that box (out-of-the-box install)?
OpenWRT can boot off USB, so it should be easy to test.

I’m just wondering…

My 2 cents
Andy

If it were supported for more than 4 months I’d install NS 7.9 plus the firewall-related modules. For something to deliver, not for getting in touch with the new toy.
OpenWRT does not interest me currently, and I don’t trust that much, as a development, another firewall distro (which recently gained UEFI superpowers), but currently this other distro has not yet delivered an expiration date.

Beta 1 test for me ends here, I hope for better luck in Beta 2.

Hi @pike

I’ve seen German clients insist on a 10 GbE equipped router / firewall.
Their main office has only 100 Mbit/s connections (for a few more years!) - but they still want a 10 GbE capable box!

And yes, they have 3x 100 Mbit/s bundled via routers for higher transfer speeds… :slight_smile:

Amusing, how some people think - and waste their money!

My 2 cents
Andy

I probably could do worse than them.
Maybe they don’t want a 10GbE routing switch for internal traffic? IDK. We have been OT for a few posts now.

Internal?

No, three 10 GbE NICs for their 3 connections, 5 other NICs for internal. Some of their LANs do have 10 GbE capability. (Production and Storage, but hardly any traffic between those two!) But the Internet? :slight_smile:

Howly schmackos. I did not get that, thanks for the clarification.

In relation to outgoing connections it may not make sense, but in relation to even internal connections it makes a lot of sense actually.

Also, the fact that they have 3 100 Mbps connections is actually great:

for starters, if from separate providers, then they have the advantage of failover;
secondly, the router would future-proof the organization;
thirdly, they can do bonding and interesting traffic shaping/load balancing magic to actually utilize the full 300 Mbps of the 100 Megs each. That’s more complex to achieve, but doable; it’s what small ISPs in Africa are doing…

In that place, only the national Telekom is available as a provider. Just 3 for more bandwidth.

And no magic in their LAN, just bad - or really, really bad planning.

A /24 subnet (256 hosts possible) for over 250 hosts.
Enlarged the subnet to /23, but forgot this on half the hosts.
Also forgot to adapt the DHCP server range, not enough IPs.
Then forgot to adapt the fixed IP subnet on the AD and file servers - unreachable servers…

A few weeks later, the same game with a /22.

Also forgot half the important stuff (servers, switches, routers…).

And the boss handles this personally, when he is on vacation and does not have control - or is hardly reachable!

Just Chaos!

Sh*t happens

My 2 cents
Andy
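The /24-to-/23 mess described in the post above is easy to catch before the servers go unreachable: compare every host's configured prefix against the intended subnet and the DHCP pool. The script below is an added illustration, not anything posted in this thread; the inventory, subnet and DHCP range are constructed sample values.

```python
import ipaddress

# Constructed inventory (not from the thread) reproducing the failure mode
# described above: the LAN was enlarged from /24 to /23, but only some hosts
# got the new mask and the DHCP range was never adapted.
INTENDED_SUBNET = "192.168.0.0/23"
DHCP_RANGE = ("192.168.0.100", "192.168.0.200")
HOSTS = {
    "fileserver":  "192.168.0.10/24",   # fixed IP, mask never updated
    "ad-dc":       "192.168.0.11/23",
    "switch-core": "192.168.1.2/24",    # in the new half, but still a /24 mask
    "pc-041":      "192.168.1.150/23",
    "pc-042":      "192.168.0.50/24",
    "printer":     "10.0.0.5/24",       # not on this LAN at all
}

def audit(hosts, intended, dhcp_range):
    """Report hosts whose prefix disagrees with the intended subnet, which
    peers each of them can no longer reach on-link, and the DHCP pool size
    relative to the subnet."""
    net = ipaddress.ip_network(intended)
    ifaces = {n: ipaddress.ip_interface(c) for n, c in hosts.items()}
    on_lan = {n: i for n, i in ifaces.items() if i.ip in net}
    outside = sorted(set(ifaces) - set(on_lan))
    stale = {n: i.network.prefixlen for n, i in on_lan.items()
             if i.network.prefixlen != net.prefixlen}
    # A host with a stale mask treats part of its own LAN as off-link: it
    # ARPs for the gateway instead of the peer, so reachability depends on
    # the router and the conversation is asymmetric at best.
    cut_off = {n: sorted(p for p, pi in on_lan.items()
                         if p != n and pi.ip not in on_lan[n].network)
               for n in stale}
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    pool = int(hi) - int(lo) + 1 if lo in net and hi in net else 0
    return {"outside_subnet": outside, "stale_prefix": stale,
            "cut_off": cut_off, "dhcp_pool": pool,
            "usable_addresses": net.num_addresses - 2}

if __name__ == "__main__":
    for key, value in audit(HOSTS, INTENDED_SUBNET, DHCP_RANGE).items():
        print(f"{key}: {value}")
```

Feed it the real host list (exported from DHCP leases plus the static assignments) after every subnet change; an empty `stale_prefix` and a `dhcp_pool` sized for the client count is the goal.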

I’ve created a temporary build: config: add support for some common network cards · NethServer/nethsecurity@7dee4dd · GitHub
If you have time, you can try the image by downloading it at the end of the page: click on the x86_64-image artifact.
(Please note that the package will be automatically deleted in 5 days).

I can understand why, but I doubt I will be able to test again before Saturday.
This is an UP for anyone that’s willing to use any other kind of adapter in this test setup.

@pike, download and store it somewhere, then you have time to test.

Yes it is :slight_smile:

It’s still a bit rough, but it does its basic job: it allows managing all connected firewalls from a central point.

Hypothetically speaking, couldn’t one modify this module somehow and get it to connect to a NethServer 7 instance, and have them communicating on the same network?! This would use the built-in OpenVPN module in NethServer 7.

From an over-the-top look it seems like it can do just that; from an inner look, I am not sure how complicated it might get.

@giacomo do you think it’s possible to modify this module to act as an OpenVPN connector between NethServer 7 and NethServer 8, so that they are in the same network, and the AD in NethServer 7 can be reached by NethServer 8 using the internal AD IP?

Coming to the initial question.

For this ns8-nethsecurity controller, it is stated that a single NethServer instance can connect to multiple NethSecurity instances.

Which is fine…

What about multiple NethServer instances connecting to that NethSecurity instance?

In this case, instead of using a controller, because those boxes are not acting as controllers, we could have a NethSecurity agent for NS8.

So basically: add an agent to NS8; using the same controller concept inside NethSecurity, connect to the NS8 agent node; then allow for tunneling.

In this case we are assuming the 2 NethServer 8 instances are both cluster admins, and so are not connected to one another.

The file cannot actually be downloaded unless I create a GitHub account?
Or am I too coffee-short this morning and did not find the correct way to download it?