jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0
2.61k stars, 153 forks

Subnets on other side of Firewall #736

Closed craigcurtin-dev closed 1 month ago

craigcurtin-dev commented 1 month ago

Is there an existing issue for this?

Am I willing to test this? 🧪

Can I help implement this? 👩‍💻👨‍💻

Is your feature request related to a problem? Please describe

I am running the latest version (Docker) as of 12/7. I have multiple VLANs and multiple subnets on my network. Two of the VLANs and subnets are only accessible by going through my firewall (OPNsense), i.e. my Docker host does not have a direct connection to these (IoT devices and IP cameras). It would be good if there was a way, when setting up a network, to give it a next-hop status/gateway to get to that network.

Describe the solution you'd like

When adding a new network/subnet, much the same as the VLAN tag, give the ability to insert a gateway tag to denote that it is a remote subnet.

Describe alternatives you've considered

The only real other option is to either deploy remote probes or to enable VLAN access to these subnets from my Docker host (which is not going to happen, as they are isolated for security purposes).

Anything else?

No

jokob-sk commented 1 month ago

Hey,

I'm not a network expert, so please bear with me.

What would the arpscan command look like?

Alternatively, have you thought about complementing your scans with the SNMP or dhcp.leases plugins to gain visibility of those subnets?

FlyingToto commented 1 month ago

Indeed, several probes won't work properly across routers, especially with NAT (as OPNsense is likely configured). That's also something I wanted to set up and test but haven't had a chance yet. For instance, ARP will mark all the IPs behind a router with the MAC address of the router's interface facing the LAN's ARP probe. This will be particularly annoying for NAX because it uses the MAC as a unique key (same problem as with a VIP). Furthermore, when NAT is enabled, even the IP addresses behind the firewall will be hidden and NAX will only see one single device.

There are actually 2 options to achieve this, though: 1) install NAX on the router itself and configure the scan for each interface connected to each LAN. Note this should work even for a router with NAT enabled. 2) install multiple NAX instances (1 per LAN) and have them aggregate their data (I haven't tried, but it seems possible).

Note: if you are referring to VLANs, another thing I haven't set up and tested yet, theoretically NAX should be able to probe any VLAN that it is a member of... (but again it can't go across L3 routers/bridges/..., only within L2 switches).
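The effect described in the comment above (every address behind a router showing up with the router's interface MAC, so a MAC-keyed inventory collapses them into one device) is easy to spot in a scan result. The script below is an added illustration written for this page, not NetAlertX code or a NetAlertX plugin: it parses constructed arp-scan style lines (`IP<TAB>MAC<TAB>Vendor`), groups answers by MAC, and reports MACs that answered for several IPs, marking which of those IPs lie outside the scanner's own subnet (assumed here to be `192.168.1.0/24`). Function names, the sample output and the assumption that the router answers for remote addresses via proxy ARP are all constructed for the example.

```python
"""Flag arp-scan results where one MAC answers for many IPs.

Added illustration, not NetAlertX code. Assumption: a router that answers ARP
on behalf of addresses behind it (proxy ARP) replies with its own MAC, so the
scan shows several IPs sharing one MAC and a MAC-keyed inventory sees only
one device.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in arp-scan's "IP<TAB>MAC<TAB>Vendor" layout (not a real capture).
SAMPLE_SCAN = """\
192.168.1.1\taa:bb:cc:00:00:01\tRouterCo (constructed)
192.168.1.20\taa:bb:cc:00:00:20\tLaptopCo (constructed)
192.168.1.21\taa:bb:cc:00:00:21\tPhoneCo (constructed)
192.168.50.10\taa:bb:cc:00:00:01\tRouterCo (constructed)
192.168.50.11\taa:bb:cc:00:00:01\tRouterCo (constructed)
"""

# Assumption: the subnet the scanning host is directly attached to.
LOCAL_SUBNETS = ["192.168.1.0/24"]


def parse_scan(text):
    """Return (ip, mac) pairs from arp-scan style output, skipping blank/odd lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        ip, mac = parts[0].strip(), parts[1].strip().lower()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # header or garbage line, not an address
        entries.append((ip, mac))
    return entries


def shared_macs(text):
    """Map each MAC that answered for more than one IP to its sorted IP list."""
    by_mac = defaultdict(list)
    for ip, mac in parse_scan(text):
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def off_link_ips(text, local_subnets=LOCAL_SUBNETS):
    """IPs in the scan that lie outside the scanner's own subnets.

    An ARP answer for such an address can only have come from a router
    replying on its behalf, so the MAC belongs to the router, not the device.
    """
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    return sorted(
        (ip for ip, _ in parse_scan(text)
         if not any(ipaddress.ip_address(ip) in n for n in nets)),
        key=ipaddress.ip_address,
    )


def report(text, local_subnets=LOCAL_SUBNETS):
    """One finding line per MAC that answered for several IPs."""
    remote = set(off_link_ips(text, local_subnets))
    lines = []
    for mac, ips in shared_macs(text).items():
        behind = [ip for ip in ips if ip in remote]
        lines.append(
            f"{mac} answered for {len(ips)} IPs; "
            f"{len(behind)} are off-link ({', '.join(behind) or 'none'}): "
            "likely a router answering for hosts behind it, not one device"
        )
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_SCAN):
        print(finding)
```

Running it on the constructed sample yields a single finding for `aa:bb:cc:00:00:01`, which answered for the router's own LAN address plus two `192.168.50.x` hosts. In a real deployment the check is a cheap way to tell "one device" entries that are really a gateway apart from genuine hosts before deciding whether a remote probe or a per-LAN instance is needed.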

jokob-sk commented 1 month ago

Regarding 1: I trust @FlyingToto on his assessment here 😅

Regarding 2: There is a plugin for multi-instance synchronization called Sync Hub (SYNC): https://github.com/jokob-sk/NetAlertX/blob/main/front/plugins/sync/README.md

jokob-sk commented 1 month ago

No activity for 2 weeks -> closing for now.