Network and security

Connection of the RASPBERRY controller equipment to the school's data network infrastructure

The following diagram shows how the RASPBERRY machine is connected to one of the school intranets:

[Diagram not reproduced in this text: ISP fiber router -> m0n0wall router -> garden router -> RASPBERRY]

  • Connection between the fiber router of the ISP and the m0n0wall router

The fiber router of the ISP (Internet service provider) is a router for residential customers, which only offers a single local area network. Our school has other requirements for machines with internet access: different types of machines must be isolated from each other. This is the reason why we use a distributor router, which defines 3 separate local area networks.

This distributor router is a machine (an ordinary PC) with 4 NICs (network interface cards). One of them is used to connect to the fiber router of the ISP, and the other 3 NICs are used to define the different local area networks. This machine runs a dedicated operating system called "m0n0wall". It hides the 3 local area networks of the school behind NAT-PAT routing (translation of network and port addresses), and performs firewall tasks and other services.

In NAT-PAT routers, to allow access from the Internet to a service on a machine within the LAN, it is necessary to open (forward) one or more ports. The fiber router of the ISP is also a NAT-PAT router, and from the Internet we only see its external IP address; we cannot see anything about the internal IP addresses and LANs.

We have to configure something like "if someone tries to connect to this external port, go to that internal machine through its IP address and that port". We need to reach an SSH server and a VNC server within our infrastructure (they run inside the RASPBERRY machine).

In relation to the opening of ports, this is the configuration of the fiber router of the ISP:

Protocol  Public IP  Public port  Internal IP  Internal port
TCP       ?          60001        10.0.0.2/24  60001
TCP       ?          60002        10.0.0.2/24  60002

Basically, this router forwards to the internal m0n0wall router, keeping the same port numbers. The public IP address is dynamic, so the ISP can change it. In order to have an easy way to reach the public IP from the Internet, DDNS (Dynamic DNS) is used.

DNS links a symbolic name (the host name used in a Uniform Resource Locator, URL) with one IP address. We use: campanet.ddns.net

The fiber router of the ISP has another, internal IP address: 10.0.0.1/24. Since the m0n0wall router is also a NAT-PAT router, it has its own external IP address: 10.0.0.2/24. This external interface of the m0n0wall router is on the internal local network of the fiber router of the ISP.

  • Connection between the m0n0wall router and the garden router

The RASPBERRY machine is connected to another NAT-PAT router (the garden router). This is a commercial NAT-PAT router manufactured by TP-LINK. We need to connect the RASPBERRY to a wireless local area network, and this router allows us to do so because it has a built-in wireless access point. In addition, it lets us integrate the whole infrastructure of the garden (we could have more machines at the garden) as if it were simply another computer in the local area network of departments and teachers.

As in the previous connection, the m0n0wall router redirects the 2 ports that give access to the SSH and VNC servers to the garden router, but this redirection does not keep the same port numbers. The servers on the RASPBERRY listen on their respective standard ports, 22 and 5900, while the ports we use for external access are different, so at some point the ports opened to the outside (60001 and 60002) must be mapped to the ports where the servers really listen. That change is made in this router. It could also have been done in the fiber router of the ISP or in the garden router, but they do not allow it (due to limitations of the software that manages them).

The m0n0wall router defines 3 internal local area networks, and the local area network of departments and teachers uses the IP network 192.168.3.0/24. The m0n0wall NIC on this LAN has the IP address 192.168.3.254/24, and the garden router has its public (WAN) NIC connected to this network with the IP address 192.168.3.251/24.

In relation to the opening of ports, this is the configuration of the m0n0wall router:

Protocol  Public IP    Public port  Internal IP       Internal port
TCP       10.0.0.2/24  60001        192.168.3.251/24  22
TCP       10.0.0.2/24  60002        192.168.3.251/24  5900

  • Connection between the garden router and the RASPBERRY

The garden router establishes a WIFI LAN with SSID "huerto". This wifi uses WPA-PSK security. The router has one public IP address, which connects it to the LAN of departments and teachers: 192.168.3.251/24. The internal IP network of this NAT-PAT router is 192.168.5.0/24, and its own IP address there is 192.168.5.1/24. The IP address of the RASPBERRY is 192.168.5.200/24.

In relation to the opening of ports, this is the configuration of the garden router:

Protocol  Public IP         Public port  Internal IP       Internal port
TCP       192.168.3.251/24  22           192.168.5.200/24  The same (22)
TCP       192.168.3.251/24  5900         192.168.5.200/24  The same (5900)
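The three forwarding tables above form one chain: a connection only reaches the RASPBERRY if each router's rule hands off to the next one. The following Python script is an added example (not part of the original page or of any router's configuration) that encodes the three tables as given and resolves an external port on the ISP router hop by hop; "PUBLIC" stands in for the dynamic public IP marked "?" in the first table, and the /24 suffixes are dropped because only host addresses matter here.

```python
# Added example: walks the three port-forwarding tables described above
# (fiber router -> m0n0wall -> garden router) and resolves an external port
# on the ISP router to the final host:port it reaches. "PUBLIC" is a
# placeholder for the ISP router's dynamic public IP (the "?" in the table).

# (router name, {(public_ip, public_port): (internal_ip, internal_port)})
# Values copied from the page's tables, CIDR suffixes dropped.
FORWARDING_CHAIN = [
    ("fiber router (ISP)", {
        ("PUBLIC", 60001): ("10.0.0.2", 60001),
        ("PUBLIC", 60002): ("10.0.0.2", 60002),
    }),
    ("m0n0wall", {
        ("10.0.0.2", 60001): ("192.168.3.251", 22),
        ("10.0.0.2", 60002): ("192.168.3.251", 5900),
    }),
    ("garden router (TP-LINK)", {
        ("192.168.3.251", 22): ("192.168.5.200", 22),
        ("192.168.3.251", 5900): ("192.168.5.200", 5900),
    }),
]

def resolve(public_port, chain=FORWARDING_CHAIN):
    """Follow the DNAT rules hop by hop; return (final (ip, port) or None, trace)."""
    dst = ("PUBLIC", public_port)
    trace = []
    for name, table in chain:
        nxt = table.get(dst)
        if nxt is None:
            # No rule at this hop: the connection ends here and nothing
            # behind this router is reachable on that port.
            trace.append(f"{name}: no rule for {dst[0]}:{dst[1]}")
            return None, trace
        trace.append(f"{name}: {dst[0]}:{dst[1]} -> {nxt[0]}:{nxt[1]}")
        dst = nxt
    return dst, trace

def exposed_services(chain=FORWARDING_CHAIN):
    """Map every port opened on the ISP router to where it finally lands,
    i.e. the complete list of what the Internet can reach through the chain."""
    return {port: resolve(port, chain)[0] for (_, port) in chain[0][1]}

if __name__ == "__main__":
    for port in (60001, 60002, 22):  # 22 is not opened on the ISP router
        final, trace = resolve(port)
        print(f"external port {port} -> {final}")
        print("\n".join("    " + line for line in trace))
```

If a hop's Public IP column does not match the previous hop's Internal IP, or a port is missing at some hop, resolve() returns None with the trace stopping at that router, which is the first thing to check when a connection through the chain is refused.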