<div dir="ltr"><div class="gmail_default" style="font-size:small">I am guessing that we will want some form of overlay admin network potentially using VLANS and VPN access of some form?</div><div class="gmail_default" style="font-size:small">I have been working recently to get OpenVPN up and running with various client platforms to Mikrotik routers with some success.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">-Doug-</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <<a href="mailto:me@bartk.us">me@bartk.us</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I'd like to kick off discussion about HamWAN security with a relatively <br>
high level problem statement.<br>
<br>
We need to limit access to our control infrastructure (routers, <br>
switches, modems, hypervisors, iLOs, etc) while still allowing easy <br>
reliable access for amateur administrators to control that <br>
infrastructure. We also need to support the case of a person on a tower <br>
with a cell phone being able to easily login it to a modem to get <br>
real-time signal readings for dish alignment.<br>
<br>
The current network is mostly a single flat OSPF routing domain. We <br>
have a couple peering points, and some IPsec tunnels. Our routers are <br>
mostly RouterOS flavor, which supports a pretty wide set of <br>
capabilities. We may want to look at switching the edge routers to VyOS <br>
though.<br>
<br>
What general high level design would be useful in keeping access easy, <br>
while moving the control points out of public reach?<br>
<br>
--Bart<br>
<br>
_______________________________________________<br>
SecOps mailing list<br>
<a href="mailto:SecOps@hamwan.org" target="_blank">SecOps@hamwan.org</a><br>
<a href="http://mail01.fmt.hamwan.net/mailman/listinfo/secops" rel="noreferrer" target="_blank">http://mail01.fmt.hamwan.net/mailman/listinfo/secops</a><br>
</blockquote></div>