Using an RPi 3B+ as a "post office" between two subnets ?

Hello all,
I've got a few computers in seperate subnets which I do not allow to
communicate with each other.
When I need to transfer data between computers in those subnets I use an USB
stick.
Somehow my thoughts went to if it would be possible to use an RPi 3B+ as a
kind go-between.
The first problem would be that I would need to add another (or more)
ethernet connection (so the 'puters on one subnet cannot reach 'puters on
the other one). Is that at all possible (at a usable speed) ?
The second would be to how to transfer data from one subnet to the other.
For that I could imagine a kind of "post office" solution, where 'puters on
both subnets can leave messages for each other and ofcourse read each others
replies, but never directly talk to each other. (both 'puters connect to a
known port on the RPi).
Does anyone know if such a sulution or project (and tutorial?) for such a
thing exists ?
Regards,
Rudy Wieser
Reply to
R.Wieser
Loading thread data ...
Dana Tue, 23 Jun 2020 19:34:05 +0200, R.Wieser napis'o:
You can use additional USB LAN card. Then you can setup an ftp server that could be used from both networks.
Reply to
Nikolaj Lazic
On Tue, 23 Jun 2020 17:42:00 -0000 (UTC), Nikolaj Lazic declaimed the following:
sFTP is already running, in my experience.
Setting up periodic monitoring to find new files (and since one wants complete files, the transfer to the middleware should probably rely on sending using a file name with some flag extension, and only after the file is transferred do a rename to the actual extension. The monitoring task would ignore any file with the flag.
Or, rather than sFTP, rsync may be easier to use
formatting link

--
	Wulfraed                 Dennis Lee Bieber         AF6VN 
	wlfraed@ix.netcom.com    http://wlfraed.microdiversity.freeddns.org/
Reply to
Dennis Lee Bieber
You can use a VLAN capable switch to extend the Ethernet into separate virtual LANs. The Linux box has to be connected to a switch port trunked to both VLANs.
I'm using Zyxel GS-1200 switches to expand the Pi Ethernet port to several outputs. Their cost was pretty reasonable and the VLAN setup goes easily with Web interface.
--

-TV
Reply to
Tauno Voipio
Dana Tue, 23 Jun 2020 17:42:00 -0000 (UTC), Nikolaj Lazic napis'o:
Or set up a git repository on that machine...
formatting link
Reply to
Nikolaj Lazic
It's quite easy to configure ssh to do this sort of thing, if you put the configuration in ~/.ssh/config then the actual command line to do it can be quite straightforward.
Since rsync uses ssh by default as its transport machanism once you have ssh set up to do this rsync will work as well so you can copy files with rsync.
I have incoming ssh connections to my home system set up like this, the firewall on my home system only allows incoming ssh from a specific IP address so when connecting from the outside world I first have to ssh to the 'bridge' system (the one with the specific IP address) and then from there to my home system. To facilitate this I have the following (well, changed a bit to protect the innocent!) in ~/.ssh/config :-
host home ProxyCommand ssh bridgesystem.co.uk nc -q0 homesystem.co.uk 22
bridgesystem.co.uk is the intermediate bridge system which has the IP address allowed to connect to my home system homesystem.co.uk. I have just a user ssh account on bridgesystem.co.uk.
When I connect I just get asked for two passwords, one after the other.
--
Chris Green
Reply to
Chris Green
Hi,
Is that "have not (yet)" or "will not (ever)" allow them to communicate with each other? ? I'm guessing that the computers currently can't communicate with each other via TCP/IP (et al.). But are you willing to (re)configure things so that they can communicate with each other via TCP/IP? Or do you want to forbid that?
What precisely does "communicate" mean in this context? ? Does storing a file in an intermediary location for the far end system to pick up count as "communication"? Or are you specifically referring to something like end-to-end TCP/IP connections?
I ask these questions because I've had client's have different answers and they effect the solution(s).
This tells me that you are okay with them accessing files through some intermediate system / device?
Quite likely.
Now it sounds like you might be willing to allow end-to-end TCP/IP connections. Be it routing, NATing, or something more exotic.
Yes.
It depends what you consider to be a usable speed.
This is traditionally done with IP routing, possibly in combination with NATing.
As others have indicated, a common way point, or post office, is certainly possible. How functional it is depends on what technology you use.
Do you mean physical port? TCP port? Something else?
Also, does it matter, do you care, what port they connect to if things work the way that you want?
I know exactly what I would use if I wanted computers on different networks to exchange messages / files / commands with each other without being able to establish end-to-end connections between them.
I'd use UUCP over SSH. (You can use UUCP over TCP or serial too.)
UUCP will provide a way for computer A to send messages / files / commands to computer C via computer B. Both ends can initiate a push or a pull request to / from the other. (If you want them to.)
You can easily support file copy, email, news, remote command execution, and many other things through UUCP. As in you can use industry standard clients on both computers A and C. The clients just talk to local servers which then send things through B with UUCP.
Yes, I think that a Raspberry Pi, even the original, could easily fulfill this role. The only limitations that I see are the network speed, storage capacity, both of which are only an issue if you want to send some really big files /
messages.
--
Grant. . . . 
unix || die
Reply to
Grant Taylor
What an incredibly stupid answer
What you need is of course a router with at least two ports, one for each subnet. You could build one out of a pi with an extra interface, but really almost any router that is capable of handling an ethernet presentation of the internet (cable or fiber to the premises, both of which use modems that end in an ethernet socket) can be used here. Yiou should be able to turn off NAT and set up[ a basic firewall on any old gash broadband router you have lying around that would work pn cable for example.
--
Renewable energy: Expensive solutions that don't work to a problem that  
doesn't exist instituted by self legalising protection rackets that  
 Click to see the full signature
Reply to
The Natural Philosopher
Grant,
I think this is one of the few instances where a single "yes" is appropriate. :-)
I have not ever, nor do I intend to have them ever communicate with each other over ethernet.
Correct.
Nope and yes. Thats why I placed them on their own subnets.
[quote=me] For that I could imagine a kind of "post office" solution, where 'puters on both subnets can leave messages for each other and ofcourse read each others replies, but never directly talk to each other. (both 'puters connect to a known port on the RPi). [/quote]
I think the above quote answers it. :-)
Nope. I thought about that, but consider it to be too dangerous - unless I would only allow only a very small range of ports thru, with zero firewall-intelligence (opening other ports when the "inside" 'puter asks for it). But that would mean I would need to be very sure that no port in the allowed range would be used by any of the 'puters default, or later installed programs/services. As I can't be I decided that the "postoffice" way of handling stuff would be best.
I have been considering hooking up two 'puters thru a classic RS232 connection (DB9 connectors). Alas, even on their highest speeds, 128000 bps, it islaughably slow in comparision to a LAN connection.
I don't know anything about UUCP, and have to look into it.
Though the programs are less of a problem. I enjoy programming, and have no problem with trying my hand at writing stuff for both the (Windows) 'puters as well as the RPi (even though I'm a very much a novice on the latter).
The biggest issue is if the RPi allows for electrically & programmatically seperated ethernet connections, and allows me adress the ethernet interfaces seperatily.
I'm not really considering (very) big files, but would like to be able to move a gig or so without having to wait for the better part of a day (as I would need to when using an RS232 connection).
Regards, Rudy Wieser
P.s. I just realized I should take a peek at USB-to-RS232 converters. Those might well have a much higher thruput than what the UART offers.
Reply to
R.Wieser
I already answered for that:
- get a virtual LAN capable switch - separate the switch ports to three groups: -- one port for RPi, -- one group for net A, assign VLAN number a to it -- one group for net B, assign VLAN number b to it - configure the Pi port to be trunk member of VLANs a and b - access net A from Pi with eth0.a (substituting the VLAN number) - access net B from Pi with eth0.b (substituting the VLAN number)
A 5 port switch like gs1200-5 makes thus Pi see up to four separate Ethernet connections. As an example:
Configure port 1 to VLAN 10 with port ingress ID 10, configure port 2 to VLAN 20 with port ingress ID 20, configure port 3 to VLAN 30 with port ingress ID 30, configure port 4 to VLAN 40 with port ingress ID 40, configure port 5 a trunk member of VLANs 1, 10, 20, 30 and 40
Connect Pi to port 5, and set up interfaces eth0.10, eth0.20, eth0.30 and eth0.40
You can use the VLAN interfaces as separate Ethernets at the Pi. If IP forwarding or bridging is not set up, the virtual ethernets do not see each other.
Note: A 'port' in switch parlance is a connector at the switch and the associated electronics. It has nothing to do with TCP and UDP ports.
--

-TV
Reply to
Tauno Voipio
Tauno,
I have one (with support for USB storage), and noticed that it doesn't make a difference on which port (read: vlan) I put my static-IP 'puter - it can reach the intarwebz every time. I do not like that kind of fake seperation (I expect mis-matching IPs to be killed). So, I added a LAN switch-with-firewall after it. Alas, that seems to make mince-meat of the reachability of the one port that I had set up to be shared between the subnets (it forwards to a single IP).
Regards, Rudy Wieser
Reply to
R.Wieser
Why ? The switch knows nothing about IP addresses all it knows is ethernet frames and VLAN headers.
In most smart switches there are separate controls for VLAN tagging and port-port visibility, used properly they provide every bit as much isolation as two NICs in the same host ... right up to the moment you lose the switch config and suddenly everything is visible to everything else and the VLANs have vanished.
When you use two NICs and physical wires to different LAN switches nothing ever forgets what is supposed to be connected to what. When it really matters (like boundary routers) multiple NICs and physical separation is the way to go - VLANs are great for models and test labs.
--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:\>WIN                                     | A better way to focus the sun 
 Click to see the full signature
Reply to
Ahem A Rivet's Shot
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ?????
^^^^^^^^^^^^^^^^^^^^^^
Did you configure the ports to be on seperate VLANs?
The above makes me _think_ that you don't understand what a VLAN is, and perhaps there is some confusion in terms here?
Reply to
Jim Jackson
Are you sure that it is a switch, and not a router/server? The USB storage stinks here.
A LAN switch/firewall very probably uses a VLAN capable physical interface chip internally, but it usually does not allow you to define the virtual LANs associated to the cable ports. Please post the make and model of the box, so we can check it.
Have a look at e.g. Zyxel gs-1200 series switches. The manuals are available from the Net.
--

-TV
Reply to
Tauno Voipio
On Fri, 26 Jun 2020 11:15:35 +0200, "R.Wieser" declaimed the following:
Not really...
The key is that the A is for "asynchronous"... Each byte is sent as a discrete entity -- in 8n1 configuration, each 8 bit byte is sent as a 10 bit entity (start bit, 8 data bits, stop bit) [If you use parity with 8 data bits, you'll end up sending 11 bits total].
Ethernet is a synchronous system... there are a few bytes for synchronizing, but then the entire information packet gets sent without the start/stop bits between bytes. True, there is some overhead for IP/port information, and over that for the MAC address information. Also, the packets have a checksum for error detection.
At one time, one could find USART chips, which could handle asynchronous or synchronous transmissions (but in those days, a high-speed USART was around 38400 bps ).
If you have an R-Pi 3B+ and a WiFi router you may already have a test case you can perform... Use a CAT-5/CAT-6 cable from the R-Pi to one of your separated networks, and configure the R-Pi WiFi to connect to the other network with the WiFi router. Then try SSH connections from each network to the R-Pi.
--
	Wulfraed                 Dennis Lee Bieber         AF6VN 
	wlfraed@ix.netcom.com    http://wlfraed.microdiversity.freeddns.org/
Reply to
Dennis Lee Bieber
Dennis,
....
I'm aware of that But as USB speeds are much higher I could imagine that some of that translates to higher serial speeds too. Like the below link already shows a 3.5 times higher speed than a regular UART.
formatting link

:-) Nope. Both will be wired (like all my connections), or nothing goes.
Regards, Rudy Wieser
Reply to
R.Wieser
Assuming that everything is internal, and you don't have massive security issues, why not try ftp (vsftpd is good). Set up 2 network ports, one for each network - one internal, one wifi (or, better, usb). Make sure you have forwarding off. You could put some iptables rules to limit filter inputs.
Set up /var/ftp/pub where anyone can drop the file(s) of interest - from either network and run a cron job to check for differences in the file list of /var/ftp/pub. Use a nullmailer then to send an email message to all the possible recipients saying something like fileXYZ is available for pickup. Note: you need an mua and mta or the receiving machines.
You could have several directories, each associated with either a sending computer or a sending user and/or a receiving computer/user.
--

Chris Elvidge, England
Reply to
Chris Elvidge
Guys (Ahem, Jim, Tauno),
This is about establishing a safe connection (if it may be called that) between two subnets. With an RPi. I have zero intention to muck around with or replace any devices my 'puters ethernet cables are, directly or indirectly, connected to (whatever those devices function names might be). Sorry.
If it helps, just imagine that the subnets are coming from two seperate internet connections.
Regards, Rudy Wieser
Reply to
R.Wieser
You only have to read different manufacturers' documentation on VLANs to discover that many manufacturers don't really understand VLANs either. In fact I doubt if some routers and switches from different manufacturers will actually interwork correctly.
--
Chris Green
Reply to
Chris Green
Ay? Surely it's rather fundamental that you will have to do something to the connections between devices to provide a link between two subnets.
--
Chris Green
Reply to
Chris Green

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.