darkone (\/) (;,,,;) (\/) 11611 Posts
I thought I would ping the TWW hivemind (such as it is these days) to see if anyone has any ideas for how to approach my particular networking problem.
I have a bunch of Raspberry Pis acting as IoT devices that record data. I've been having them rsync that data to my lab's servers on NCSU campus. I run my own pfSense firewall for my lab to keep the king of England out of my servers. I have a whitelist for SSH connections that uses FQDNs. The devices use Duck DNS as their dynamic DNS service, and the FQDNs from Duck DNS are what's in the whitelist.
My problem comes from putting one of my Pis on the NCSU eduroam WiFi network. Devices on that network appear to the internet to have 152.* addresses. However, when devices on the eduroam network route to something at NCSU, like one of my servers, they have a 10.* address.
My problem is I don't know how to let these things through my firewall without letting all local traffic through. The IP addresses that they update with Duck DNS aren't what my firewall sees when they try to rsync.
Anyone have ideas about how I should approach this problem? Please keep in mind that I'm a scientist and not a networking professional. I can't change anything about how NCSU's network works. I would like to make no changes to the Pis if possible. I can adjust pfSense however I'd like. 1/15/2019 9:33:42 AM |
FroshKiller All American 51913 Posts
Can you not ask OIT to make sure the Eduroam addresses assigned to the Pis (based on their MACs, maybe) are static or at least within a small known range? 1/15/2019 1:59:01 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
I'll ask, but I doubt it. I find OIT to typically be unhelpful.
One, they couldn't even tell me how to get the Pis on the network since their automated configuration tool didn't support Debian-based OSes. I had to figure that one out on my own. NCSU uses TLS for their eduroam implementation and just about everyone else on the planet uses PEAP or TTLS.
Two, the Pis technically aren't in compliance with the University's antivirus and endpoint protection policies. They are probably just as likely to blacklist the devices from the network as to help me. 1/15/2019 2:20:40 PM |
FroshKiller All American 51913 Posts
Well, certainly don't tell them what the devices are if they don't ask. And if they do ask, consider lying. 1/15/2019 2:25:02 PM |
FroshKiller All American 51913 Posts
Can pfSense not filter by MAC after the local addresses are allowed? I've never used it. 1/15/2019 2:31:03 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
It doesn't look like it. I've found some forum threads grumbling about lack of MAC filtering support. 1/15/2019 2:44:17 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
Ug. It looks like I'm about to learn a lot about implementing a VPN. 1/15/2019 2:57:45 PM |
rjrumfel All American 23045 Posts
I'm just curious, and this has nothing to do with a solution for you, but are you at liberty to say what kind of data you're collecting? 1/15/2019 4:09:00 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
atmospheric pressure 1/15/2019 4:24:53 PM |
rjrumfel All American 23045 Posts
That's pretty cool. So this is probably a very simple question as I'm sure you're working with pretty complicated equipment, but would it be possible to turn my Pi into a barometer?
Right now it's just running an emulating OS for old games. 1/15/2019 4:29:54 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
It's not complicated.
https://www.adafruit.com/product/2652 1/15/2019 4:36:55 PM |
rjrumfel All American 23045 Posts
Oh lort, they got a breadbox 1/15/2019 4:47:50 PM |
A Tanzarian drip drip boom 10996 Posts
How many sensors? Where are they? What other data are you collecting? How long have you been collecting? What are you doing with the data?
Tell us more! 1/15/2019 9:49:53 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
I'll start a new thread to answer the sensor questions.
I'm still looking for solutions. Whoever staffs the OIT help desk doesn't seem to know a lot about how their own network works. But, they seem open to helping me if they can figure out how. 1/16/2019 11:09:24 AM |
smoothcrim Universal Magnetic! 18969 Posts
I'd allow all 10.0.0.0/8 addresses since you also have the additional layer of protection of SSH. You've filtered out everything but NCWREN, which is almost all of the malicious internet anyway. I'm sure you're also filtering broadcast and ICMP ingress at the pfSense layer anyway, so you've also got security by obscurity. 1/16/2019 12:09:02 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
That's my last resort. I'm not sure I'd classify the 10.0.0.0/8 addresses as non-malicious. 1/16/2019 12:36:33 PM |
FroshKiller All American 51913 Posts
smoothcrim you are banished from this thread for being simple 1/16/2019 1:32:43 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
This network stuff makes me feel like a kid who's found a wizard's grimoire. The spells are all in a language I half understand, and I'm never confident that I'm not going to inadvertently summon a daemon. 1/16/2019 1:58:38 PM |
rjrumfel All American 23045 Posts
ISWYDT 1/16/2019 3:35:26 PM |
darkone (\/) (;,,,;) (\/) 11611 Posts
I whitelisted 10.0.0.0/8 for ssh access. I feel so dirty. At least if I'm hacked, I'll know it came from NCSU. 1/16/2019 3:42:35 PM |
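An added example for the position the thread ends in (not code from any poster): once 10.0.0.0/8 is open for SSH, sshd's own log is the record of which internal addresses actually connect. The script below parses constructed sshd authentication lines, collapses the sources that completed a key-based login as the expected account into the fewest covering networks (a candidate pfSense alias tighter than the whole /8), and lists every other event for review. The log lines, the host name `labsrv` and the account `pi` are assumptions.

```python
"""Summarize which internal addresses actually use the SSH whitelist.

Added example for this thread, not code from any poster. It parses sshd
authentication log lines, collapses the sources that completed a
key-based login as the expected user into the smallest covering networks
(a candidate for a pfSense alias tighter than 10.0.0.0/8), and lists every
other event for review. All log lines below are constructed; the host
name "labsrv" and the account "pi" are assumptions.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 16 15:50:01 labsrv sshd[2101]: Accepted publickey for pi from 10.154.12.7 port 51234 ssh2: ED25519 SHA256:AAAA
Jan 16 15:50:09 labsrv sshd[2104]: Accepted publickey for pi from 10.154.12.31 port 51240 ssh2: ED25519 SHA256:BBBB
Jan 16 15:51:44 labsrv sshd[2110]: Accepted publickey for pi from 10.154.13.9 port 40021 ssh2: ED25519 SHA256:CCCC
Jan 16 15:52:10 labsrv sshd[2115]: Failed password for invalid user admin from 10.8.1.9 port 4444 ssh2
Jan 16 15:52:12 labsrv sshd[2115]: Failed password for invalid user admin from 10.8.1.9 port 4445 ssh2
Jan 16 15:53:00 labsrv sshd[2120]: Accepted publickey for pi from 10.154.12.7 port 51301 ssh2: ED25519 SHA256:AAAA
Jan 16 15:53:30 labsrv sshd[2122]: Failed publickey for root from 10.154.12.7 port 51302 ssh2: RSA SHA256:ZZZZ
Jan 16 15:54:02 labsrv sshd[2130]: Connection closed by 10.154.12.31 port 51250 [preauth]
"""

# Matches the OpenSSH "Accepted ..." / "Failed ..." authentication lines.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9.]+) port \d+"
)

# The range that was opened on the firewall; used as a sanity check so a
# misparsed address outside it is never suggested as an alias member.
OPENED = ipaddress.ip_network("10.0.0.0/8")


def parse(log_text):
    """Return (result, method, user, src_ip) for each sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # connection-closed, disconnect and similar lines
        src = str(ipaddress.ip_address(m["src"]))  # raises on garbage
        events.append((m["result"], m["method"], m["user"], src))
    return events


def accepted_sources(events, user="pi"):
    """Count key-based logins per source address for the expected account."""
    return Counter(
        src for result, method, usr, src in events
        if result == "Accepted" and method == "publickey" and usr == user
    )


def candidate_alias(sources, prefixlen=24):
    """Collapse the observed sources into the fewest /prefixlen networks.

    Adjacent aligned networks merge (two /24s can become one /23), so the
    result is the smallest alias that still covers every observed source.
    """
    nets = [ipaddress.ip_network(f"{src}/{prefixlen}", strict=False) for src in sources]
    for net in nets:
        if not net.subnet_of(OPENED):
            raise ValueError(f"{net} is outside {OPENED}; check the log parser")
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def for_review(events, good_sources):
    """Failed attempts, plus any success from an address never seen logging in as the expected user."""
    return [ev for ev in events if ev[0] == "Failed" or ev[3] not in good_sources]


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    good = accepted_sources(events)
    print("accepted publickey logins:", dict(good))
    print("candidate alias (/24s):", candidate_alias(good))
    print("candidate alias (/16s):", candidate_alias(good, 16))
    for ev in for_review(events, good):
        print("review:", ev)
```

Feed it real `/var/log/auth.log` (or `journalctl -u ssh`) output instead of `SAMPLE_LOG`; the collapsed prefixes are only as good as the observation window, so watch for a while before narrowing the pfSense rule. On the server side, the rsync key itself can also be pinned in `authorized_keys` with a `from="10.0.0.0/8"` option and a forced `command=`, so that even if the key leaks it is only usable from the opened range and only for that one job.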