In Steve Gibson 3 router architecture, how do I allow the office access to the IoT


Michel Trahan

Occasional Visitor
I tried the Steve Gibson 3 router architecture and locked everybody out except the office and it works great. See the PDF to get the diagram and all the rules included.

I have tried to add static routes to no avail (in red in the pdf). I am quite new to routers ... and networking ... I understand that I need a route from the office to the border with a destination address into the IoT, and another one from the border to the IoT with a source address from the office ...

Can anybody point me in the right direction? Everything works great but the office does not have access to the IoT domain ... grrrr ... I'm positive it is something simple that I am missing but what ...

I have 2 cnc on a private LAN, and a personal Cloud that only the office can access, which is what I want. But locking the routers made the IoT inaccessible from the Office ... how can I correct that?

Thanks in advance for your patience (the drawing is complex and we are lucky to have zoom)

Mike.
 

Attachments

  • CNCproCuts.pdf (293.3 KB)
Oh and don't mind the switches near the portable and the linux AI ... they are there to alleviate some limitations of the Multicam CNC ... I need to be in the same domain as it ... I can access the linux CNC from the office no problem ... not the Multicam but that was by design on their part so ... I live with it !
 
I just thought of something ... NAT masquerade ... I have it on eth1 on all of the routers ... maybe I should not do that between the IoT and Border as well as between Office and Border ... since, correct me if I'm wrong, the masquerade will happen on the exit of the Border, no?

Need help on that ...
 
Hi, I have been following Steve Gibson for years. Know about the basic idea of the 3 "dumb" router architecture (basically achieving sound hard-wired network segmentation on the cheap). Don't have specific recommendations other than perhaps showing a link to the basic layout from Steve's website so an informed person might get the gist to help further? BTW, your pdf looks really cool. ;)

Just a thought: I haven't brushed up on Steve's theory lately, but it seems to me that the nature of his idea was to Segment a Critical Subnet (computers to do banking) from another less critical Subnet (i.e. IoT devices). Why not have all your IoT devices on one subnet?
 
I think a layer 3 switch with 1 router would be a better setup but that is me. So many people don't understand layer 3 switches. I would also think a layer3 switch would be cheaper than 3 extra routers including the lab. That can all be run out of 1 layer 3 switch plus more networks if you want to or find a need later on for additional networks.

I also think not having all those NATs on the routers would be a lot cleaner and easier to maintain.
 
Here is a link to Steve Gibson's talk (the only one I found, but I was not really looking)

https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/

(now watching the 2 hr video on it ...)

As for the routers ... I already have them all lol I do know about layer 3 switch but ... I want to understand what I can do to have the office talk to the IoT while locking everything else ... something like that

And by the way, all my IoT are on the IoT side of things ... what did you see that made you think it was not? The LAB is for a specific project in python and MQTT ... raspberry, pyboards and all ... you haven't seen what I did on that one lol separation of concern ;) to the extremes lol But it was easy since on one router only ...
 
> As for the routers ... I already have them all lol I do know about layer 3 switch but ... I want to understand what I can do to have the office talk to the IoT while locking everything else ... something like that
>
> And by the way, all my IoT are on the IoT side of things ... what did you see that made you think it was not? The LAB is for a specific project in python and MQTT ... raspberry, pyboards and all ... you haven't seen what I did on that one lol separation of concern ;) to the extremes lol But it was easy since on one router only ...

Much easier to setup using a Cisco L3 switch than any multi-router setup. Plus the L3 switch has way more bandwidth than any router.
 
> Much easier to setup using a Cisco L3 switch than any multi-router setup. Plus the L3 switch has way more bandwidth than any router.

Missing the point I would say ... I am not looking for the right equipment for the job but I want to work with what I have ...

Am I right in saying that on the 2 routers connected to the border (using eth1 on both), I should not use masquerade? To help the Border know what to do if it is for internal use? That is what I need help in ...
 
> Why not have all your IoT devices on one subnet?

Subnets are my next learning curve ;)

It will be for the devices in the escape room ... all of it tied to the Lab router ... the project will use one router with 10 ports and many vlans ... one for the MQTT Broker, another for the master, etc ... but inside the rooms, I want to have subnets to separate the gadgets chatter ... work in progress ... started this 2 weeks ago ... new to the domain ...
 
I hope you have business class routers if you are going to run all those subnets.

With all those subnets you might want to think about a routing protocol. It will make the network easier to manage.
 
> I just thought of something ... NAT masquerade ... I have it on eth1 on all of the routers ... maybe I should not do that between the IoT and Border as well as between Office and Border ... since, correct me if I'm wrong, the masquerade will happen on the exit of the Border, no?
>
> Need help on that ...

Generally you only do NAT masquerade on your internet facing firewall and not your internal routers. I would turn off the NAT on both internal routers and use rules and ACLs to control what has access to what in your network (in conjunction with VLANs and subnets).
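Here is what that advice looks like as actual router configuration: NAT only on the border router, static routes on the border to the two inner subnets, and forwarding rules instead of NAT on the office and IoT routers. This is an added example, not something posted in the thread; the addresses, subnets and interface roles (eth1 as each router's upstream side, as in Mike's description) are assumptions standing in for the real ones in the PDF.

```shell
#!/bin/sh
# Assumed addressing (constructed for this example, not taken from the thread's PDF):
#   border router: eth1 = internet uplink, eth0 = 192.168.1.1/24 on the "border" segment
#   office router: eth1 = 192.168.1.2 on the border segment, eth0 = 192.168.10.0/24 LAN
#   IoT router:    eth1 = 192.168.1.3 on the border segment, eth0 = 192.168.20.0/24 LAN
# Both inner routers keep their default route via 192.168.1.1, so replies flow back
# through the border. DRY_RUN=1 prints the commands instead of applying them (root otherwise).
OFFICE_NET=192.168.10.0/24; OFFICE_GW=192.168.1.2
IOT_NET=192.168.20.0/24;    IOT_GW=192.168.1.3

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

configure_border() {
  run sysctl -w net.ipv4.ip_forward=1
  # The only NAT in the whole design: hide everything behind the border's uplink.
  run iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  # Static routes to the inner subnets; without them the border would send
  # office->IoT packets out eth1 to the internet instead of to the IoT router.
  run ip route add "$OFFICE_NET" via "$OFFICE_GW"
  run ip route add "$IOT_NET" via "$IOT_GW"
  # Forwarding policy: office may open connections into IoT, IoT may only answer.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$OFFICE_NET" -d "$IOT_NET" -j ACCEPT
  run iptables -A FORWARD -s "$IOT_NET" -d "$OFFICE_NET" -j DROP
}

configure_office() {
  run sysctl -w net.ipv4.ip_forward=1
  # No MASQUERADE on eth1: office hosts keep their 192.168.10.x source address,
  # so the border's rules can match on it and the IoT side can route replies back.
  run iptables -t nat -F POSTROUTING
}

configure_iot() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -F POSTROUTING
  # Only the office subnet may initiate into the IoT LAN; any other connection
  # arriving on eth1 is dropped, so the rest of the network still cannot reach IoT.
  run iptables -A FORWARD -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i eth1 -s "$OFFICE_NET" -d "$IOT_NET" -j ACCEPT
  run iptables -A FORWARD -i eth1 -j DROP
}
```

Run `DRY_RUN=1 sh -c '. ./three-router.sh; configure_border'` (and likewise for the other two functions) to review each router's commands before applying them on the box itself.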
 
> I hope you have business class routers if you are going to run all those subnets.
>
> With all those subnets you might want to think about a routing protocol. It will make the network easier to manage.

Right now I am alone with my two cnc and my linux AI ... building a python MQTT project but with little items connected say max 20 (raspberries and all) and they will be on different subnets when I learn how ...

There will be a vlan for the observers (2 stations, max 4) and another one for the operators (2 stations max) ... there will be the MQTT broker and the main computer (separate entities) ... having vlans helps to separate who sees what (my point of view, remember I'm a newbie, got my stuff 2 weeks ago and I know nothing about networking ... just using it lol).

I may be overkilling it but it seemed a great design ... If I could understand my errors ... I'm drawing something to help ... Firewall setup diagram for the 3 routers (just like the layman's version) ... and I already see problems with my rules so it's a good start lol

I'll play with removing the NAT rules on some routers to see what it does ... but I'll do that when I don't need the internet ... (nights and weekends that is) I do realise that I configured the 3 routers like they were alone ... and simply get the internet from the border but that is wrong ... I know ... just have to experiment more lol (man this stuff is not easy for newbies that want something complicated :))
 
The simple way to handle subnets is create a VLAN and assign a network to each VLAN. To allow all the different networks to talk to each other you need a layer 3 device like a router or a layer 3 switch. Most consumer routers can't do this. It usually takes a small business router. Firewalls just complicate the networking process so turn them off on the internal network until you get everything talking then restrict access. This is the easy way to start learning networking.
 
If you don't have the right routers and you have a spare PC you could do all this using pfsense. Create a VLAN for each router then restrict access using ACLs in pfsense. You would need to create a trunk port with all the VLANs defined to 1 Ethernet port which will feed a smart VLAN switch. The layer 2 switch will keep all the traffic isolated and pfsense will route all the networks. If you need more than 1 switch then trunk the switches together so all the VLANs will be passed. You need to become an expert pfsense person. There are many on this site. Any of the small business routers can also do this.

Of course I would use Cisco small business gear and a Cisco layer 3 switch like the SG350 switches. Pick the switch with the right number of ports.

PS
I think Steve Gibson's 3 router setup is a clumsy way to build a multi-network setup.
 
> The simple way to handle subnets is create a VLAN and assign a network to each VLAN. To allow all the different networks to talk to each other you need a layer 3 device like a router or a layer 3 switch.
> ...
> Firewalls just complicate the networking process so turn them off on the internal network until you get everything talking then restrict access. This is the easy way to start learning networking.

The setup is working great ... everybody can get the internet but only the office has access to everything ... well not everything and that is my problem ... I closed too many doors I think lol

As for the 3 router architecture by Steve Gibson ... It sounded very good ... mainly because of IP sniffers that can catch broadcast about who has the gateway for this ... and be the man in the middle ... but ... I am a newbie so I can be wrong ... anyway ... it works I just need to tweak it a tad lol
 
This is a classic problem with the "3 dumb router" architecture -- where does one put display adaptors (Chromecast or Apple TV)? How would one access IoT devices to turn them on/off via Siri/Alexa? You inevitably end up poking holes between networks or switching networks just to do basic stuff. Having seen this in practice in several environments, there's inevitable kludginess that accompanies it -- all in the name of "security."

The reality is the cloud services and corporations will be likely breached long before your home network, provided you are following best practices (complex passwords, WPA2/3, etc). They are simply bigger targets with deeper pockets to pay ransoms.
 
We agree on that lol It might be a physicist reflex ... I just want to understand how it works and how to make it do what I want ;)

There's no way to have both security and agility with this architecture -- it's simply not set up for a "smart home" where all the things interoperate well together and with the users in the home.
 
> it's simply not set up for a "smart home"

Good thing then that it is for my office and a personal project (the one with the 10 ports) where things will be much simpler since everything will be by design ... (escape room concept) ...

I'm just having fun trying out the 3 routers architecture ... be it a good one or not ... I looked at the pricing (canadian) for managed switching gear ... my budget is not at par ... so routers it was :) I just need to get a grip on what needs to be done to make it do what I want ...

After only 2 weeks (newbie) I feel I'm quite good lol it works, things are locked up ... but just a tad too much ... that is what I want to understand how to make it work ! Once I understand, and implement it ... it won't change for quite a while lol it's my office, not my home !
 
