|
Sepist posted:The way we do it in AWS/GCP is I have all the traffic come in through a single Linux instance running FRR which is BGP Peered to however amount of firewalls we need for adequate throughput, and the FRR Router has interfaces in multiple routing tables. This allows us to avoid having to do source NAT on the palos. In AWS we have a lambda function that checks the FRR Router status and changed the route table if there's a problem, in GCP this is handled by the ILB. We've been running it like this for years without any major issue. Thank you. I don't know if FFR is going to work on Azure, though. You can't BGP peer to anything. I think it's supported on some things in public preview but not route tables. I think all NICs on a VM have to be in the same vNet too. I was like 75% of the way through getting this nailed down and then realised I'd have to source NAT all inter-subscription and vnet, on-prem to Azure, and Azure to on-prem traffic no matter if I put it through the same or multiple interfaces. Anything outside of the transit vNet basically so the Azure internal loadbalancers know which firewall to send the return traffic. I don't think I have any choice but to use a typical HA pair in this situation, kind of sucks because of the failover times and not being able to scale-out vs Active/Active with LBs. Can't imagine the headaches and how many things would break if we had do source NATs from remote sites or DC to Azure.
|
#
?
Dec 24, 2021 19:36
|
|
|
|
| # ? Jun 3, 2024 21:11 |
|
|
You can't do BGP in GCP either, I worked around it by creating a GRE tunnel between the FRR Router and the palos. You can use these guys for inspiration. We originally used them for our first transit gateway but they wouldn't work with us on pricing so I built their product using FRR for our use case https://a.aviatrix.com/solutions/next-gen-transit-network-azure.php#panel-firewall Sepist fucked around with this message at 19:42 on Dec 24, 2021 |
|
#
?
Dec 24, 2021 19:38
|
|
|
Oh, I just found this note buried in a deployment guide:quote:Azure networking does not require the use of source NAT on the firewall to enforce symmetry if both directions of the flow pass through the same Azure internal load-balancer front-end IP and back-end pool. The private subnets have UDRs directing east-west traffic to the firewall layer, so NAT is not required. So as long as all my subscriptions/peered vnets and ExpressRoute traffic is all entering via the same front end LB IP, so all subscriptions in the same zone, I won't have to NAT. Kind of sucks not being able to use Zones like on-prem but I was planning to use dynamic objects with tags pulled from ISE anyway. I didn't think about using Azure tags to do the same but our tagging situation is very dire at the moment. Our remote site traffic doesn't pass through the on-prem firewall because our ER peering is with our core switch and not our firewall. I could technically change that so it's VRF'd or something and goes through the firewall and then I could avoid sending traffic from on-prem through the Azure firewall and just using those for intra-Azure traffic (including the VPN), and Azure to internet. But they're probably not going to want to buy a 10gbit physical firewall pair when we're supposed to be out of this building in 2-3 years and have everything-that-can-be in Azure by 2025. uhhhhahhhhohahhh fucked around with this message at 01:21 on Dec 25, 2021 |
|
#
?
Dec 24, 2021 20:29
|
|
|
I think I asked already but what are people using for NAC? We have a Forescout I started reconfiguring. Seems old. Is there anything new in this space or is everything zero trust byod blah blah who even has a lan anymore
|
|
#
?
Jan 22, 2022 03:25
|
|
|
I've just used Forescout personally. It worked well enough for me when I used it. I've sat through the dog and pony show for ISE, and did a bit with it in labs, but it was pretty pricey as I recall and my company never moved forward with it. The newer/cooler NAC stuff seems to be more CASB focused, or do CASB with NAC as a throw in.
|
|
#
?
Jan 25, 2022 13:15
|
|
|
I think I'm missing the correct terminology here, or maybe internet search results are completely polluted these days, but I should be able to do the following. I will have 2 or 4 bastion hosts located in public clouds with public IPs. I have full access to these hosts. I want to have a series of dynamic ipsec tunnels terminate on those bastions. The tunnel endpoint IPs will be arbitrary, and I want to use public-private key's to identify each endpoint. The endpoints will be Juniper SRXs and the cloud bastions will run ubuntu. Originally I was thinking I'd have a series of wireguard interfaces on the servers but as I'm reading more about how wireugard works, I'm not actually sure that an SRX can "speak" wireguard, so I may be forced to use something else on the bastions that I can terminate the IPSec tunnel to. So what is this "something else?" I don't want to use PKI Certs or Pre-shared Keys. I would like to have a generated public/private key-pair on each bastion and on each SRX, and distribute the public-keys between these guys via Chef, and Ansible templates. So basically I should have a list of public keys for the bastions and also for the SRXs and when a new SRX reaches out to a bastion, the bastion should check it's public key list for authenticating the tunnel. These seems like it should be possible to me, but when I'm google searching all I'm finding is self-signed certs which I'd like to avoid because I don't want to depend on a shared DNS or any other external services for this functionality. Nor do I want to manage secrets. e: Apparently the options are only PSK or PKI, which mean generating a bunch of bullshit and most distressingly having to put an expiration date :/ Sigh. ate shit on live tv fucked around with this message at 00:54 on Jan 26, 2022 |
|
#
?
Jan 26, 2022 00:23
|
|
|
Not sure about Juniper, but it is possible to do raw public key authentication for IPsec tunnels without any certificate nonsense on IOS and Linux/strongSwan https://dn42.eu/howto/IPsecWithPublicKeys/CiscoIOSExample https://dn42.eu/howto/IPsecWithPublicKeys/strongSwan5Example
|
|
#
?
Jan 26, 2022 01:12
|
|
|
I think Mikrotik supports wireguard if that's an option st the remote sites? If the SRXs are already in place then I dunno.
|
|
#
?
Jan 26, 2022 01:14
|
|
|
I was originally going with juniper because of the ease of automation via ansible plus I'm a fan of Junos. This is a bit disappointing to say the least.
|
|
#
?
Jan 26, 2022 01:27
|
|
|
The big vendors will be the last to implement wireguard support and it'll probably be not supported on old gear. I just run wireguard on Linux behind a Fortigate myself but this is kind of the reverse of what you want.
|
|
#
?
Jan 26, 2022 01:34
|
|
|
I certainly know little about security stuff but is wiregard an actual rfc standard? If not then I doubt Juniper cares, and I don't blame them.
|
|
#
?
Jan 26, 2022 03:57
|
|
|
falz posted:I certainly know little about security stuff but is wiregard an actual rfc standard? Yea. Wireguard is slick, but probably too new to be of interest to the vendors, but why the lack of public key auth without having to use a CA?
|
|
#
?
Jan 26, 2022 09:54
|
|
|
I mean other vendors may implement it but Juniper won't unless its an actual standard. IDK about the PKI stuff but i also hate cert stuff. I guess consider me traditional and I just have some VMs that use ssh based transport to wrangle our Junos stuff using netconf / pyez / napalm / etc. In our case though everything has public IPs so there's no additional routing hurdle or whatever your main motivation is for VPN tunnels. Also the underlying transport is all our layer1 stuff so less to zero concerned about wiretapping or anything like that.
|
|
#
?
Jan 26, 2022 18:30
|
|
|
Wireguard runs on Opnsense, it claims to have Ansible support, and you can buy appliances. I can't vouch for the Ansible part but the product itself is pretty solid. Very much not like Juniper though.
|
|
#
?
Jan 26, 2022 18:45
|
|
|
Comedy option: run a container on your SRX to terminate the Wireguard traffic.
|
|
#
?
Jan 26, 2022 20:11
|
|
|
tortilla_chip posted:Comedy option: run a container on your SRX to terminate the Wireguard traffic. I wonder if the little SRX320 can do that. God this sucks. I am trying so hard to avoid PSKs, but apparently the only other alternative is a full CA system which for a backup OBM that is to be used only if poo poo hits the fan is less than optimal. CAs suck. They expire after a year, depend on DNS, and reachability to the CA, and can't be dynamically updated on the SRX. Ok so what is the least lovely way to turn up a CA on my ubuntu hub server? I know almost nothing about how to build that.
|
|
#
?
Jan 27, 2022 22:44
|
|
|
ate poo poo on live tv posted:I wonder if the little SRX320 can do that. God this sucks. I am trying so hard to avoid PSKs, but apparently the only other alternative is a full CA system which for a backup OBM that is to be used only if poo poo hits the fan is less than optimal. Generating a self-signed PKI isn't too bad. Put all of this in a shell script. Add as many blocks as you want for client certs. Install the CA cert on everything that will be authenticating a client cert, distribute the client certs however you want. You shouldn't need a real CA server or anything unless I'm missing something. If you were fine with using SSH keys as your auth mechanism then you didn't care about things like CRLs or short expiration dates in the first place. code:
|
|
#
?
Jan 27, 2022 23:35
|
|
|
I have a 'problem' and I don't know if I'm just overthinking this and being dumb. I'm trying to transition our DCs from OSPF and EIGRP to just OSPF in the DC with BGP for ExpressRoute. Today I did the first part of it which was enabling OSPF everywhere and configuring mutual redistribution between OSPF and EIGRP on both our Core switches (with route tags & maps to deny tagged, redistributed routes) other than a few problems I eventually got it finished. I was looking at a route like this one I've diagrammed, 10 hours after i started the work, being advertised and working correctly but to me it seems like it shouldn't be?  Core 2 learns the 10.100/16 prefix over EIGRP Ex, installs it with AD 170. Then that gets redistributed into OSPF. Core 1 is peered with Core 2 using EIGRP and OSPF, so Core 1 installs the OSPF redistributed route as it's AD is 110, vs 170 for EIGRP Ex. Now, wouldn't Core 1 advertise that route back to Core 2 over OSPF? And Core 2 would then install that OSPF AD 110 route and cause a route flap? Or is Core 2 not installing that new OSPF route because of loop prevention in intra-area OSPF/knowing the full linkstate database of every router in Area 0? For some reason I thought that wouldn't apply because it's not installed in the global RIB by OSPF.
|
|
#
?
Feb 19, 2022 22:34
|
|
|
So I have a seemingly goofy design question. Right now we only have a single uplink from our primary ISP. They have a single device on our premise (redundant paths out). I assume we can get an additional port from them, but am just pondering. Here is how we currently connect.  So our connection to them only runs to one firewall in the virtual chassis. If that FW Node 1 drops offline (failure, software updates, whatever), we drop this connection. I was thinking about tossing in a device between my firewall virtual chassis, then that would connect to each of the firewalls in the the VC for failover. Extremely low maintenance device, as I prefer as little downtime as possible for this route. I was originally thinking of just an older L3 switch, and just trunk through the ISP connection to each firewall. But I would still prefer to keep said device updated software wise. Also was looking at the Mikrotik CRS305-1G-4S+IN. The QNAP talk got me thinking more, unmanaged L2 switch. Zero patching, just passin' traffic. https://www.qnap.com/en-uk/product/qsw-1208-8c Would shoving this thing between my ISP and my FW VC be a horrendous idea? It claims it can do 120Gbps of "non-blocking throughput", if we trust their spec sheet. And if we trust this device not randomly failing.
|
|
#
?
Mar 4, 2022 20:35
|
|
|
If you have two fibres coming in from your ISP you can usually get them to terminate on two routers which run VRRP, so I'd ask them. Having the redundant paths is usually the expensive bit so only using a single router seems like a small cost saving for not a great reason. You're right that running this all through a single switch would then introduce another single point of failure. You could do a pair of CRS309 switches, one connected to each ISP router and then create a LAG to each of your firewalls - the MikroTik switches support MLAG now in ROS7. https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group
|
|
#
?
Mar 4, 2022 20:43
|
|
|
You can also just use a VRF/non-routable VLAN on your core switch and do the HSRP through those dumb interfaces. So you'd have two interfaces for your firewall and two for your router going into that VLAN/VRF on the Core.
|
|
#
?
Mar 4, 2022 21:26
|
|
|
Yes I am dumb  . Of course you can do that, I've even done it that way before and just had a brain fart.
|
|
#
?
Mar 4, 2022 21:36
|
|
|
Yeah, the "ISP" isn't really an ISP. It is some sort of utopian regional backbone that a bunch of local governments organized (actually a pretty interesting thing to get redundant backhaul in our area down to an IX). While this site does have physically diverse fiber paths out, there are not currently plans to add in a second "ISP" switch at this location. My virtual chassis on the edge is 2x Juniper SRX1500 firewalls. The "ISP" gear at this site is a Ciena 5170. I was planning on just doing a Redundant Ethernet (RETH) interface on the SRX VC, with a single port on each FW added to it. I shouldn't have to bother setting up VRRP with the "ISP". RETH interfaces share a common MAC address. If the VC fails over the primary device, the other FW will send out a gratuitous ARP request, thus moving traffic over to the new primary device. Unless the Ciena is doing something goofy, a dumb L2 switch between my VC and the Ciena should fit the bill. Edit: Yes, if I get a second pair of fibers coming from the Ciena switch, I could trunk those through my core cluster. I am just scheming up something that doesn't involve getting them to give me a second switchport. Double late edit: If I got two pairs of fiber coming from the Ciena, they would just go straight into each FW. This has been a long week. Moey fucked around with this message at 22:04 on Mar 4, 2022 |
|
#
?
Mar 4, 2022 21:36
|
|
|
It makes sense if you're doing it for redundancy reasons to assist with maintenance, but if it's for availability then you need to be sure that a dumb switch and its power brick are less likely to fail than your primary firewall. Though if it's an option to be offline until someone can get to site you could always just buy two of whatever switch you decide.
|
|
#
?
Mar 4, 2022 21:51
|
|
|
That is very true. I don't know how much I actually trust that QNAP switch or the cheap little wall wart power supply. I'll probably just reach out to the folks who manage this backbone network and see about getting a second uplink. I live way too close to said site, and would be the idiot going in there to scissor kick the dumb switch once it shits the bed.
|
|
#
?
Mar 4, 2022 22:06
|
|
|
A small switch with two ports that fail-to-wire would be ideal, but I have no idea if they exist
|
|
#
?
Mar 4, 2022 22:22
|
|
|
We have ISP's that only give a single port (or want to charge like $5k) so we just split that into 2 using a gigabit 5 port netgear Those things will run for fuckin ever And this way we can still do firmware upgrades and failover firewalls without physically connecting/disconnecting
|
|
#
?
Mar 5, 2022 00:54
|
|
|
If you have firewalls in a cluster, do not single home anything to them. Use your core switch and use a lag that connects each member of the firewall cluster to each core-switch. Connect single homed connections, like ISP links to the core-switch, while the firewall use some kind of virtual interface to run whatever protocols you need to run across that single connection. If you have dual connnections, then you'll do the same thing, but the physical connection will terminate on each core-switch, and the firewall will have some kind of virtual interface to run BGP/VRRP etc across those connections.
|
|
#
?
Mar 5, 2022 04:35
|
|
|
Why would your ISP plug directly into your core, that doesn't make any sense, use an edge switch (or 2) to plug your ISP into and run that to your firewall.
|
|
#
?
Mar 5, 2022 23:00
|
|
|
The isolated VLAN/VRF/Context-like feature your Core has is functioning as the edge switch. Physically it would be: Core -> Firewall -> Core -> ISP Logically, your flow/routing would still be: Core -> Firewall -> ISP
|
|
#
?
Mar 5, 2022 23:20
|
|
|
A "WAN" switch (or switches) to split single links (WAN / ISP / etc) to multiple downstream devices is a pretty common configuration.
|
|
#
?
Mar 6, 2022 00:12
|
|
|
uhhhhahhhhohahhh posted:The isolated VLAN/VRF/Context-like feature your Core has is functioning as the edge switch. Physically it would be: Yeah I mean, I get it, but I wouldn't trust that someone wouldn't gently caress that config up, or the vendor gently caress up, to where it's less secure, I'd prefer to keep an edge switch/stack to separate the edge and LAN.
|
|
#
?
Mar 6, 2022 03:34
|
|
|
What if you have redundant cores? Then you'd be using like 3/3/3/3 and still have to split it
|
|
#
?
Mar 6, 2022 03:59
|
|
|
Is there a canonical diagram of a network with the core, distribution, access setup?
|
|
#
?
Mar 6, 2022 04:00
|
|
|
MF_James posted:Yeah I mean, I get it, but I wouldn't trust that someone wouldn't gently caress that config up, or the vendor gently caress up, to where it's less secure, I'd prefer to keep an edge switch/stack to separate the edge and LAN. I'm assuming that you don't have seperate edge switches, if you do then yea, use those.
|
|
#
?
Mar 6, 2022 20:26
|
|
|
Is it just me or have Cisco's websites been making GBS threads the bed lately? Been having downloads fail over the past couple of days and now the case manager just... isn't loading.
|
|
#
?
Mar 22, 2022 22:24
|
|
|
I just tried to look something up and their site is dead, as is the Meraki partner portal.
|
|
#
?
Mar 22, 2022 22:41
|
|
|
I just logged into our Meraki admin portal successfully. The Meraki app is also working OK.
|
|
#
?
Mar 22, 2022 22:43
|
|
|
Can I have an idiot check for me here: our ISP have given us a new box and told me to configure the ISR ourselves. they provided a WAN subnet of x.x.x.48/30 with their box being x.x.x.49/30, so I connect that to g0/0/0 and set g0/0/0 to x.x.x.50/30. I can ping x.x.x.49 successfully from the router, I set 0.0.0.0/0 to use x.x.x.49 as the default route At first I could ping 8.8.8.8 successfully as a test. I then connected a machine to g0/0/1, made those 10.0.0.1 and 10.0.0.2 and could successfully ping from the machine on 10.0.0.2 to x.x.x.49, but not to 8.8.8.8 as NAT is not enabled. However on the router I can also no longer ping to 8.8.8.8, it just times out. So what stupid obvious thing am I missing?
|
|
#
?
May 13, 2022 18:16
|
|
|
|
| # ? Jun 3, 2024 21:11 |
|
|
Your ISP's router at .49 never should have responded to a ping from 10.0.0.2. I guess it's possible they're routing RFC1918 space back to your router as a way of keeping that off the Internet, but urpf or even null routing it would be better. As for pinging 8.8.8.8 from your router, it's probably trying to ping from gig0/0/1 as the source interface. Try specifying the originating interface on your ping. ping 8.8.8.8 source x.x.x.50.
|
|
#
?
May 13, 2022 19:24
|
|
