On 6/28/20 11:39 AM, Ahem A Rivet's Shot wrote:
> It also entails more risk.
Yes, a single Ethernet NIC is more risky than multiple Ethernet NICs.
But there are ways to mitigate it with belt and suspender redundancy.
Depending on the OP's need, the simplicity and minimal additional risk
might be acceptable.
> Yes it is - but it is even more fragile from a security perspective
> than VLANs.
I don't completely agree.
It's trivial to have a kernel without IPv6 support. It's slightly more
complicated to have a kernel without IPv4 support. (At least the last I
looked.)
I think that 802.1Q VLAN tagging is great. I've done a LOT with it in
my career. But there are ways around it.
> Apart from promiscuous mode and/or packet injection.
One extremely important thing is: do you trust the A & C endpoints? Or
are you considering them to be hostile and defending against them? The
latter requires completely different, and likely more complex, solutions
than the former.
> One glitch in the firewall rules and it all falls open.
Not necessarily.
You can put the firewall rules on both systems.
You can add static ARP entries.
You can put the systems in separate subnets without a route.
Yes, all of these things can be overcome. But that goes back to the
question of trusting A & C.
> The OP explicitly mentions two subnets - so that doesn't fit.
The existence of a DHCP server (or not) is independent of subnets.
Besides, what I'm describing would be two different subnets.
|-----| Cable 1 / Subnet A
[A]---[B]---[C] Hosts A / B / C
|-----| Cable 2 / Subnet B
> That is indeed the extra work - my point is that it won't just happen.
(See comments below.)
> That is of course an option and there are many more.
Yep.
It is highly dependent on what the OP is wanting to do.
> Ouch nasty I've not seen that except on builds meant for routers,
> and not on anything common on a Pi.
But it is decidedly a possibility where the OP can end up with the
system routing traffic without doing any additional action. ;-)
> For everyone but the hackers yes.
Trust of the devices is extremely important.
Even if there is a hacker on A, C will have to have a route to get back
to A. The hacker can't always do it without some support on the other
end for bidirectional communications.
I get the impression that the OP is in control of all three systems, and
as such, probably trusts them about the same.
--
Grant. . . .
unix || die
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
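The mitigations listed in the reply above (forwarding disabled on the middle host B, static ARP entries for A and C, and a firewall rule set that drops forwarded traffic regardless of the routing table), as an added example that is not part of the original post. Interface names, addresses and MACs are constructed placeholders, and DRY_RUN=1 only prints what would be applied.

```shell
#!/bin/sh
# Added example (not from the thread): keep a dual-NIC host B from ever
# routing between the A-side and C-side cables. Interface names and the
# addresses/MACs below are constructed placeholders; override via environment.
IF_A="${IF_A:-eth0}";          IF_C="${IF_C:-eth1}"
A_IP="${A_IP:-192.0.2.10}";    A_MAC="${A_MAC:-02:00:00:00:00:0a}"
C_IP="${C_IP:-198.51.100.10}"; C_MAC="${C_MAC:-02:00:00:00:00:0c}"

# Print instead of executing when DRY_RUN=1 (lets the script run unprivileged).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. No forwarding for either address family: the "accidental router" case.
disable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=0
  run sysctl -w net.ipv6.conf.all.forwarding=0
}

# 2. Static (permanent) neighbour entries so B only talks to the peers it was told about.
pin_arp() {
  run ip neigh replace "$A_IP" lladdr "$A_MAC" dev "$IF_A" nud permanent
  run ip neigh replace "$C_IP" lladdr "$C_MAC" dev "$IF_C" nud permanent
}

# 3. nftables: drop in the forward hook even if a route between the subnets appears.
nft_ruleset() {
  cat <<EOF
table inet nofwd {
  chain forward {
    type filter hook forward priority 0; policy drop;
    counter comment "A<->C forwarding attempts; should stay at zero"
  }
}
EOF
}

# Check helper for a "sysctl" output line such as "net.ipv4.ip_forward = 0".
forwarding_is_off() {
  case "$1" in *"= 0") return 0 ;; *) return 1 ;; esac
}

main() {
  disable_forwarding
  pin_arp
  if [ "${DRY_RUN:-0}" = 1 ]; then nft_ruleset; else nft_ruleset | nft -f -; fi
}
case "${RUN_HARDEN:-0}" in 1) main ;; esac
```

Run as root with RUN_HARDEN=1 to apply, or RUN_HARDEN=1 DRY_RUN=1 to review the commands and ruleset first; the counter in the forward chain is a cheap detection signal that something on A or C is trying to reach the other side through B.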