I'd had this working at home for a while, but we're setting up at an Airsoft site, which is a fairly dense wood with large changes in elevation. There's also an assortment of fake buildings bashed together from wood and, for some reason, old aluminium garage doors.
The site is roughly 90 acres in size and, while we won't be using all of it, we are going to be using the areas that have buildings. The radio tech I used last year really struggled with propagation through the trees and ended up with about a 50-100m range. This doesn't really cut it, so it was imperative that I tested the new setup.
Each node is a plastic storage box filled with the following.
- FortiGate firewall: I had two 50Bs and two 60ADSLs. Old ones like this are plentiful and cheap on eBay and I already had these. I work with these professionally so I'm 100% comfortable configuring them. You get pretty much everything you might want from a firewall/router appliance even when forced to run very old versions of FortiOS. These SOHO models even have a small network switch integrated.
- Huawei E160G USB 3G modem. These slightly old 3G modems are also plentiful on eBay and I know they 100% work with FortiOS. Simply plug them into a USB port on the firewall and, with a few lines of config, you're ready to go.
- Netgear WG102 wireless access point. I just happened to have picked four up previously and they support a point-to-multipoint bridging mode that could connect all the nodes. They're old and only support 802.11b/g over 2.4GHz, but performance isn't the thing we need.
- 4W 2.4GHz Wi-Fi amplifier from China. We're working in a remote area with nobody to interfere with, and I really needed the range this would give.
- 30AH 12V sealed lead-acid battery, another thing I had four of lurking at home. With all the components working off external PSUs that supply 12V, the ~12.5-13V these kick out meant I didn't have to mess around with any other DC-DC conversion to power things.
For those interested in the config, here's what I put on each firewall. It was done as a base script you can just copy and paste on, then a second one to modify it specifically for each node. This could also mostly be done through the firewall GUI, but making a command line script helps with making four identical nodes.
execute batch start
config system admin
edit "admin"
set password XXXXX
next
end
config system global
set admintimeout 90
set hostname nodeX
set timezone 25
set dst enable
end
config system ntp
set ntpsync enable
set syncinterval 30
config ntpserver
edit 1
set server pool.ntp.org
next
end
end
config system modem
set status enable
set dial-on-demand disable
set auto-dial enable
set idle-timer 1
set redial 10
set phone1 "*99#"
set distance 100
end
config system interface
edit "internal"
set mode static
unset ip
set allowaccess ping https ssh
next
edit wan1
set mode static
unset ip
set allowaccess ping https ssh
config secondaryip
edit 1
set detectserver "0.0.0.0"
set ip 192.168.0.1 255.255.255.0
next
end
next
edit wan2
set mode static
unset ip
set allowaccess ping https ssh
next
edit "wifi_clients"
set vdom root
set type vlan
set vlanid 2
set interface wan1
set mode static
unset ip
set allowaccess ping https ssh
next
edit "modem"
set allowaccess ping https
set ddns enable
set ddns-server dyndns.org
set ddns-domain "XXXXXXXXXX.homeip.net"
set ddns-username "XXXXXXXXXXXXXX"
set ddns-password XXXXXXXXXXXXXXXXX
next
end
config system dhcp server
delete "internal_dhcp_server"
edit "internal"
set default-gateway 10.254.1.1
set start-ip 10.254.1.2
set end-ip 10.254.1.254
set dns-server1 8.8.8.8
set interface "internal"
set netmask 255.255.255.0
next
edit "wan1"
set default-gateway 10.0.0.254
set start-ip 10.0.0.5
set end-ip 10.0.0.254
set dns-server1 8.8.8.8
set interface "wan1"
set netmask 255.255.255.0
next
edit "wifi_clients"
set default-gateway 10.254.3.1
set start-ip 10.254.3.2
set end-ip 10.254.3.254
set dns-server1 8.8.8.8
set interface "wifi_clients"
set netmask 255.255.255.0
next
end
config system dhcp reserved-address
edit "ap1"
set ip 10.0.0.5
set mac 00:1b:2f:96:2b:cb
next
edit "ap2"
set ip 10.0.0.6
set mac 00:1b:2f:96:29:ab
next
edit "ap3"
set ip 10.0.0.7
set mac 00:1b:2f:98:40:d1
next
edit "ap4"
set ip 10.0.0.8
set mac 00:1e:2a:15:a4:4a
next
end
config vpn ipsec phase1-interface
edit "tunnel"
set interface "modem"
set dpd enable
set nattraversal enable
set proposal 3des-sha1 3des-md5
set mode aggressive
set remote-gw 1.2.3.4
set psksecret XXXXXXXXXXXXX
set localid XXXXXXXXX
set peertype one
set peerid XXXXXXXXXXX
next
end
config router static
delete 1
end
config firewall policy
delete 1
end
config system zone
edit this_node
set interface "internal" "wifi_clients"
set intrazone allow
next
edit elsewhere
set interface "modem" "tunnel"
set intrazone allow
next
edit mesh
set interface "wan1"
set intrazone allow
next
end
config firewall address
edit "mesh"
set subnet 10.0.0.0 255.255.255.0
next
edit "wifi_clients"
set subnet 10.1.0.0 255.255.255.0
next
edit "node1"
set subnet 10.1.0.0 255.255.0.0
next
edit "node2"
set subnet 10.2.0.0 255.255.0.0
next
edit "node3"
set subnet 10.3.0.0 255.255.0.0
next
edit "node4"
set subnet 10.4.0.0 255.255.0.0
next
edit "ap_default"
set subnet 192.168.0.229 255.255.255.255
next
end
config firewall addrgrp
edit "this_node"
set member "node2"
next
edit "other_nodes"
set member "node1" "node3" "node4"
next
end
config vpn ipsec phase2-interface
edit "tunnel"
set phase1name "tunnel"
set keepalive enable
set pfs enable
set proposal 3des-sha1 3des-md5
set src-addr-type name
set dst-addr-type name
set src-name "this_node"
set dst-name "other_nodes"
set auto-negotiate enable
next
end
config router ospf
config area
edit 10.0.0.0
set authentication md5
next
end
config network
edit 1
set area 10.0.0.0
set prefix 10.0.0.0 255.255.255.0
next
end
config redistribute "connected"
set status enable
end
set router-id 10.0.0.254
set default-information-originate enable
set passive-interface tunnel internal
end
config firewall policy
edit 1
set srcintf this_node
set dstintf elsewhere
set srcaddr this_node
set dstaddr other_nodes
set service ANY
set action accept
set schedule always
set nat disable
next
edit 2
set srcintf this_node
set dstintf elsewhere
set srcaddr this_node
set dstaddr all
set service ANY
set action accept
set schedule always
set nat enable
next
edit 3
set srcintf elsewhere
set dstintf this_node
set srcaddr other_nodes
set dstaddr this_node
set service ANY
set action accept
set schedule always
set nat disable
next
edit 4
set srcintf elsewhere
set dstintf elsewhere
set srcaddr other_nodes
set dstaddr other_nodes
set service ANY
set action accept
set schedule always
set nat disable
next
edit 5
set srcintf elsewhere
set dstintf elsewhere
set srcaddr other_nodes
set dstaddr all
set service ANY
set action accept
set schedule always
set nat enable
next
edit 6
set srcintf "this_node"
set dstintf "mesh"
set srcaddr "this_node"
set dstaddr "ap_default"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 7
set srcintf "this_node"
set dstintf "mesh"
set srcaddr "this_node"
set dstaddr "other_nodes"
set action accept
set schedule "always"
set service "ANY"
set nat disable
next
edit 8
set srcintf "this_node"
set dstintf "mesh"
set srcaddr "this_node"
set dstaddr "mesh"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 9
set srcintf "mesh"
set dstintf "this_node"
set srcaddr "mesh" "other_nodes"
set dstaddr "this_node"
set action accept
set schedule "always"
set service "ANY"
set nat disable
next
edit 10
set srcintf "mesh"
set dstintf "elsewhere"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end
config log memory setting
set status enable
end
config log memory filter
set event enable
set admin enable
set auth enable
set cpu-memory-usage enable
set dhcp enable
set ha enable
set ipsec enable
set ldb-monitor enable
set pattern enable
set ppp enable
set sslvpn-log-adm enable
set sslvpn-log-auth enable
set sslvpn-log-session enable
set system enable
end
There's no real attempt at security or firewalling; the Fortinet's just being used as a router with basic OSPF and a VPN, plus a couple of local networks at each node. I may tidy it up later.
Then for each node I had something like this.
config system global
set hostname node1
end
config system interface
edit "internal"
set ip 10.1.1.1 255.255.255.0
next
edit "wan1"
set ip 10.0.0.1 255.255.255.0
next
edit "wifi_clients"
set ip 10.1.2.1 255.255.255.0
next
edit "modem"
set ddns-domain "XXXXXXXXX.homeip.net"
next
end
config router ospf
set router-id 10.0.0.1
end
config system dhcp server
edit "internal"
set default-gateway 10.1.1.1
set start-ip 10.1.1.2
set end-ip 10.1.1.254
next
edit "wan1"
set default-gateway 10.1.0.1
next
edit "wifi_clients"
set default-gateway 10.1.2.1
set start-ip 10.1.2.2
set end-ip 10.1.2.254
next
end
config vpn ipsec phase1-interface
edit "tunnel"
set psksecret XXXXXXXXXXXXXXXXXX
set peerid Hub1
set localid Node1
next
end
config system interface
edit "tunnel"
set ip 10.253.0.2 255.255.255.255
set remote-ip 10.253.0.1
set allowaccess ping https ssh
next
end
config router static
edit 1
set device "tunnel"
set dst 10.2.0.0 255.255.0.0
set distance 128
next
edit 2
set device "tunnel"
set dst 10.3.0.0 255.255.0.0
set distance 128
next
edit 3
set device "tunnel"
set dst 10.4.0.0 255.255.0.0
set distance 128
next
end
config firewall addrgrp
edit "this_node"
set member "node1"
next
edit "other_nodes"
set member "node2" "node3" "node4"
next
end
execute batch end
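The node overlay is one of four near-identical scripts that differ only in the node number, which is exactly the kind of thing worth generating rather than hand-editing. The following is an added example in Python, not the post's own code: it renders all four overlays from the node1 pattern and runs the check a practitioner wants before pasting a script onto a box, namely that every DHCP scope's default gateway actually lies inside its interface's subnet (the small parser also skips nested blocks such as secondaryip, so the wan1 secondary address in the base script is not mistaken for the interface address). The 10.N.x addressing for nodes 2-4, the use of each node's own wan1 address as the wan1 DHCP gateway, the hub tunnel address 10.253.0.1 and the placeholder DDNS name and PSK are assumptions carried over from the node1 script.

```python
"""Render each node's FortiOS overlay for the mesh and sanity-check it.
Added example, not the post's code. Node N gets 10.N.1.1/24 on internal,
10.N.2.1/24 on wifi_clients, 10.0.0.N on wan1, 10.253.0.(N+1) on the tunnel,
router-id 10.0.0.N and its own wan1 address as wan1 DHCP gateway; that nodes
2-4 follow the post's node1 pattern this way is an assumption."""
import ipaddress


def render_overlay(n, nodes=4, ddns_domain="XXXXXXXXX.homeip.net", psk="XXXXXXXX"):
    # Node-specific script applied after the base script, in the post's shape.
    others = [m for m in range(1, nodes + 1) if m != n]
    cfg = f"""\
config system global
set hostname node{n}
end
config system interface
edit "internal"
set ip 10.{n}.1.1 255.255.255.0
next
edit "wan1"
set ip 10.0.0.{n} 255.255.255.0
next
edit "wifi_clients"
set ip 10.{n}.2.1 255.255.255.0
next
edit "modem"
set ddns-domain "{ddns_domain}"
next
end
config router ospf
set router-id 10.0.0.{n}
end
config system dhcp server
edit "internal"
set default-gateway 10.{n}.1.1
set start-ip 10.{n}.1.2
set end-ip 10.{n}.1.254
next
edit "wan1"
set default-gateway 10.0.0.{n}
next
edit "wifi_clients"
set default-gateway 10.{n}.2.1
set start-ip 10.{n}.2.2
set end-ip 10.{n}.2.254
next
end
config vpn ipsec phase1-interface
edit "tunnel"
set psksecret {psk}
set peerid Hub{n}
set localid Node{n}
next
end
config system interface
edit "tunnel"
set ip 10.253.0.{n + 1} 255.255.255.255
set remote-ip 10.253.0.1
set allowaccess ping https ssh
next
end
config router static
"""
    # one static route per remote node's /16 over the tunnel, as in the post
    for i, m in enumerate(others, start=1):
        cfg += f'edit {i}\nset device "tunnel"\nset dst 10.{m}.0.0 255.255.0.0\nset distance 128\nnext\n'
    members = " ".join(f'"node{m}"' for m in others)
    cfg += f'end\nconfig firewall addrgrp\nedit "this_node"\nset member "node{n}"\nnext\n'
    return cfg + f'edit "other_nodes"\nset member {members}\nnext\nend\n'


def check_dhcp_gateways(text):
    """Return [(scope, gateway, interface, subnet)] for every DHCP scope whose
    default-gateway is not inside the address set on its interface."""
    ifaces, scopes, stack, cur = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) != 1:  # outside any block, or nested (e.g. secondaryip)
            continue
        elif line.startswith("edit "):
            cur = line[5:].strip('"')
        elif stack[0] == "system interface" and line.startswith("set ip "):
            ifaces[cur] = line[7:]  # "address mask"
        elif stack[0] == "system dhcp server" and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            scopes.setdefault(cur, {"interface": cur})[key] = val.strip('"')
    bad = []
    for name, s in scopes.items():
        gw, ifname = s.get("default-gateway"), s["interface"]
        if gw is None:
            continue
        net = None
        if ifname in ifaces:
            addr, mask = ifaces[ifname].split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net is None or ipaddress.ip_address(gw) not in net:
            bad.append((name, gw, ifname, None if net is None else str(net)))
    return bad
```

Running check_dhcp_gateways over the concatenated base script and overlay for a node reports any scope whose gateway is off-subnet (clients would get a lease but no usable default route), and an empty list means the two scripts are consistent with each other.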
At the other end they connect to, there's config like this.
config vpn ipsec phase1-interface
edit "Node1"
set type dynamic
set interface "portA1"
set peertype one
set mode aggressive
set proposal 3des-sha1 3des-md5
set localid "Hub1"
set peerid "Node1"
set psksecret XXXXXXXXXXXXXXXXXX
next
edit "Node2"
set type dynamic
set interface "portA1"
set peertype one
set mode aggressive
set proposal 3des-sha1 3des-md5
set localid "Hub2"
set peerid "Node2"
set psksecret XXXXXXXXXXXXXXXXXX
next
edit "Node3"
set type dynamic
set interface "portA1"
set peertype one
set mode aggressive
set proposal 3des-sha1 3des-md5
set localid "Hub3"
set peerid "Node3"
set psksecret XXXXXXXXXXXXXXXXXX
next
edit "Node4"
set type dynamic
set interface "portA1"
set peertype one
set mode aggressive
set proposal 3des-sha1 3des-md5
set localid "Hub4"
set peerid "Node4"
set psksecret XXXXXXXXXXXXXXXXXX
next
end
config firewall address
edit "Node1"
set subnet 10.1.0.0 255.255.0.0
next
edit "Node2"
set subnet 10.2.0.0 255.255.0.0
next
edit "Node3"
set subnet 10.3.0.0 255.255.0.0
next
edit "Node4"
set subnet 10.4.0.0 255.255.0.0
next
end
config vpn ipsec phase2-interface
edit "Node1"
set dst-addr-type name
set phase1name "Node1"
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-name "Node1"
set src-name "Node 2,3,4"
next
edit "Node2"
set dst-addr-type name
set phase1name "Node2"
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-name "Node2"
set src-name "Node 1,3,4"
next
edit "Node3"
set dst-addr-type name
set phase1name "Node3"
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-name "Node3"
set src-name "Node 1,2,4"
next
edit "Node4"
set dst-addr-type name
set phase1name "Node4"
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-name "Node4"
set src-name "Node 1,2,3"
next
end
config firewall policy
edit 1000
set srcintf "Node1"
set dstintf "Internet"
set srcaddr "Node1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 2000
set srcintf "Node2"
set dstintf "Internet"
set srcaddr "Node2"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 1002
set srcintf "Node1"
set dstintf "Node2"
set srcaddr "Node1"
set dstaddr "Node2"
set action accept
set schedule "always"
set service "ANY"
next
edit 2001
set srcintf "Node2"
set dstintf "Node1"
set srcaddr "Node2"
set dstaddr "Node1"
set action accept
set schedule "always"
set service "ANY"
next
edit 1003
set srcintf "Node1"
set dstintf "Node3"
set srcaddr "Node1"
set dstaddr "Node3"
set action accept
set schedule "always"
set service "ANY"
next
edit 2003
set srcintf "Node2"
set dstintf "Node3"
set srcaddr "Node2"
set dstaddr "Node3"
set action accept
set schedule "always"
set service "ANY"
next
edit 3000
set srcintf "Node3"
set dstintf "Internet"
set srcaddr "Node3"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 3001
set srcintf "Node3"
set dstintf "Node1"
set srcaddr "Node3"
set dstaddr "Node1"
set action accept
set schedule "always"
set service "ANY"
next
edit 3002
set srcintf "Node3"
set dstintf "Node2"
set srcaddr "Node3"
set dstaddr "Node2"
set action accept
set schedule "always"
set service "ANY"
next
edit 23
set srcintf "Node1"
set dstintf "Node4"
set srcaddr "Node1"
set dstaddr "Node4"
set action accept
set schedule "always"
set service "ANY"
next
edit 24
set srcintf "Node2"
set dstintf "Node4"
set srcaddr "Node2"
set dstaddr "Node4"
set action accept
set schedule "always"
set service "ANY"
next
edit 25
set srcintf "Node3"
set dstintf "Node4"
set srcaddr "Node3"
set dstaddr "Node4"
set action accept
set schedule "always"
set service "ANY"
next
edit 26
set srcintf "Node4"
set dstintf "Internet"
set srcaddr "Node4"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 27
set srcintf "Node4"
set dstintf "Node1"
set srcaddr "Node4"
set dstaddr "Node1"
set action accept
set schedule "always"
set service "ANY"
next
edit 28
set srcintf "Node4"
set dstintf "Node2"
set srcaddr "Node4"
set dstaddr "Node2"
set action accept
set schedule "always"
set service "ANY"
next
edit 29
set srcintf "Node4"
set dstintf "Node3"
set srcaddr "Node4"
set dstaddr "Node3"
set action accept
set schedule "always"
set service "ANY"
next
end
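Both ends above negotiate with IKEv1 aggressive mode, a pre-shared key and 3DES with SHA-1 or MD5. Aggressive mode is the only way to give each dial-up node its own PSK under IKEv1, because in main mode the hub only learns who is calling after the PSK has already been used, but it also sends the PSK-derived hash before anything is encrypted, so anyone who can see the 3G leg can crack the PSK offline. IKEv2 removes that trade-off. The following is an added example in Python, not the post's or Fortinet's code: it renders a matching node entry and hub entry with IKEv2, AES-256/SHA-256 and DH group 14, plus a phase2 to match, and checks that the two sides agree (IDs swapped, everything else identical) before they are pasted on, which is the usual cause of a tunnel that will not come up. The ike-version, dhgrp and aes256-sha256 keywords are from current FortiOS and are assumed to be accepted by the firmware in use; the old 50B and 60ADSL units in the post may not have them, in which case the best IKEv1 aggressive mode can do is a long random PSK such as new_psk() produces. Interface names, the NodeN/HubN IDs and the placeholder hub address 1.2.3.4 follow the post.

```python
"""Render matching IKEv2 phase1/phase2 for a node and its hub entry and check
the two sides agree before pasting them on. Added example, not the post's code:
it swaps the post's aggressive-mode IKEv1 with 3DES/MD5 for IKEv2, AES-256/
SHA-256 and DH group 14. 'ike-version', 'dhgrp' and 'aes256-sha256' are
current FortiOS keywords and are assumed to exist on the firmware in use (the
post's old units may not accept them). Interface names, IDs and the hub address
1.2.3.4 follow the post."""
import secrets


def new_psk():
    """Random 32-byte PSK; the post's XXXX placeholders stand for whatever was
    used, and a long random one costs nothing."""
    return secrets.token_urlsafe(32)


def render_node_phase1(n, psk, hub_gw="1.2.3.4"):
    """Node side, replacing the 'tunnel' phase1 in the post's base script."""
    return f"""\
config vpn ipsec phase1-interface
edit "tunnel"
set interface "modem"
set ike-version 2
set peertype one
set localid "Node{n}"
set peerid "Hub{n}"
set proposal aes256-sha256
set dhgrp 14
set nattraversal enable
set remote-gw {hub_gw}
set psksecret {psk}
next
end
"""


def render_hub_phase1(n, psk, hub_if="portA1"):
    """Hub side: a dynamic (dial-up) entry for node n, as in the post's hub config."""
    return f"""\
config vpn ipsec phase1-interface
edit "Node{n}"
set type dynamic
set interface "{hub_if}"
set ike-version 2
set peertype one
set localid "Hub{n}"
set peerid "Node{n}"
set proposal aes256-sha256
set dhgrp 14
set psksecret {psk}
next
end
"""


def render_phase2(name, phase1, src, dst):
    """Phase2 with PFS on DH14 and AES-256/SHA-256 in place of the post's 3DES."""
    return f"""\
config vpn ipsec phase2-interface
edit "{name}"
set phase1name "{phase1}"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set keepalive enable
set auto-negotiate enable
set src-addr-type name
set dst-addr-type name
set src-name "{src}"
set dst-name "{dst}"
next
end
"""


def settings(block):
    """Map the 'set key value' lines of one rendered block to a dict."""
    out = {}
    for line in block.splitlines():
        if line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            out[key] = val.strip('"')
    return out


def sides_agree(node_block, hub_block):
    """Return the settings on which a node phase1 and its hub entry disagree;
    IDs must be swapped, everything else identical."""
    a, b = settings(node_block), settings(hub_block)
    problems = [k for k in ("ike-version", "proposal", "dhgrp", "peertype", "psksecret")
                if a.get(k) != b.get(k)]
    if a.get("localid") != b.get("peerid") or a.get("peerid") != b.get("localid"):
        problems.append("ids")
    return problems
```

The base script also leaves "set allowaccess ping https" on the modem interface with a DDNS name pointing at it, so the admin GUI is reachable from wherever the 3G carrier routes that address. Dropping https from the modem interface and adding "set trusthost1 10.0.0.0 255.0.0.0" under config system admin, edit "admin" restricts management to the mesh, node and tunnel addresses; both are standard FortiOS settings that the old firmware does have.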