
Yep, exactly. I used to put client devices on a segregated network and tunnel their traffic out to pfSense running on a cheap cloud box somewhere. Worked well.

(I should say that intentional monitoring of my private comms was never a concern for me when I freelanced, but I was somewhat worried about infections in my clients' devices moving laterally to my home network.)




As someone who isn't well versed in networking could you describe your setup in overview? Like, what software/hardware, etc.? Thank you


Mini-rant: people on Hacker News frequently undervalue their knowledge and don't consider the things they know to be of much worth. A classic example of this is the "I can't see why Dropbox is a thing, simply build a cloud file sync service - easy" post. This poster is running their own semi-professional router (pfSense) on whitebox hardware. I would not want to do that unless I already knew what I was doing or wanted to spend some time learning.

The type of network segmentation being discussed is not rocket science, but it's not trivial either. VLAN segmentation can have tricky edge cases that cause things to break in a non-obvious way, nothing that can't be worked around, but for someone who "isn't well versed in networking" it would probably be more than you're up for. Also keep in mind that you can't do this with most consumer networking gear because it's too complicated to set up and support without some experience and knowledge.

I'd not recommend VLAN segmentation unless you want to become someone who is more versed, which I don't oppose, but it's not a switch you can flip in 5 seconds and never think about it again.


I very much agree with this. I don't think that this is the solution for most home users/consultants working from home.

The more obvious solution would be to get a separate WiFi router and internet connection strictly for work purposes.

At that point you could also consider it a 100% home office expense and it may be tax deductible (talk to your accountant).


Can one use two internet connections from a single phone line?


Yes.


Sure. I didn't actually use a VLAN: I had a spare TP-Link router lying around, so I installed OpenWRT[1] on that and gave it a static IP on the home network side, then plugged it into my broadband provider's box. On the cloud side, I basically followed a guide, maybe [2] but I don't remember exactly. Once I had pfSense installed, I first set it up as an OpenVPN server.

I then went back and configured the OpenWRT box to create a WiFi hotspot and serve DHCP on a different subnet to that used by the home network. I configured an OpenVPN client tunnel from the router to pfSense, then set up a NAT ("masquerade") from the segregated network into the tunnel. I think I actually left a couple of ports open on the OpenWRT from the segregated network, but properly I should have firewalled them off so that the router was only accessible from the home network, since I doubt OpenWRT has been seriously pen tested by anyone. I'd probably also use WireGuard if I did it again.

The above config worked, but the CPU on the TP-Link was too underpowered to get more than a few Mbit/sec throughput. Since I didn't particularly care about having a VPN (I was going to throw this traffic on the internet anyway), I messed around and managed to change the tunnel type to L2TP. L2TP pretty much just takes the packet you give it and adds a UDP header for routing, so that approach gave me full bandwidth. I think I had to mess around a bit more getting MTUs set correctly to account for the L2TP header, and maybe had some trouble with auto-restarting the tunnel on failure.

One of the (flagged) responses to my original comment was "Who the fuck has the time to do that?" I actually think that is a fair comment. This all took a day or two to set up and debug, it isn't something that the casual user is going to do and, to be honest, I probably wouldn't have done it either except that I wanted to play with pfSense.

I'd do it again, though -- it was fun.

[1] https://openwrt.org/

[2] https://silasthomas.medium.com/how-to-import-a-pfsense-firew...
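The firewalling the commenter says they should have done, as an added example rather than their own config: an OpenWrt UCI firewall fragment that gives the segregated network its own zone, forwards it only into the tunnel zone (with masquerading and MSS clamping for the tunnel's smaller MTU), and rejects all traffic to the router except DHCP and DNS. The interface names "seg" and "tun" are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's own config: emits the OpenWrt UCI
# firewall settings that confine a segregated Wi-Fi network so its hosts
# can reach only the tunnel, and the router itself only for DHCP/DNS.
# Hypothetical interface names: "seg" (segregated subnet), "tun" (tunnel).
# No seg->lan forwarding is declared, so the zone's forward='REJECT' blocks it.
# Usage on the router: gen_segregated_fw seg tun | uci batch \
#   && uci commit firewall && /etc/init.d/firewall restart
gen_segregated_fw() {
    seg_if="${1:-seg}"   # logical interface of the segregated network
    tun_if="${2:-tun}"   # logical interface of the OpenVPN/L2TP/WireGuard tunnel
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='seg'
set firewall.@zone[-1].network='${seg_if}'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall zone
set firewall.@zone[-1].name='tun'
set firewall.@zone[-1].network='${tun_if}'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add firewall forwarding
set firewall.@forwarding[-1].src='seg'
set firewall.@forwarding[-1].dest='tun'
add firewall rule
set firewall.@rule[-1].name='seg-dhcp'
set firewall.@rule[-1].src='seg'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='67-68'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='seg-dns'
set firewall.@rule[-1].src='seg'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='ACCEPT'
EOF
}
```

A rule with `dest_port` but no `dest` matches traffic addressed to the router itself, which is why only DHCP and DNS get through the zone's `input='REJECT'`.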


Thank you! Though I agree with the sibling comments that it's probably not something to dabble in unless you're pretty comfortable with this... May I ask, is this somewhat in your area of expertise, what kind of development do you do (supposing you're a developer)? Sorry if too inquisitive, just curious :).


I think you should dabble in it! This stuff isn't magic, it's just a bit esoteric in places. That makes it a great (and valuable) skill to learn.

I do cyber/data stuff, often on the network-y end.
