oxbrbtx/PrimAITE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged PR 272: #2205 - Firewall Node

Browse Source 
## Description:

This pull request introduces the Firewall class and extends the ACLRule functionality within PrimAITE to provide comprehensive network traffic management and security capabilities. These enhancements enable detailed control over data flow through network simulations, mimicking real-world firewall operations and ACL configurations. The updates focus on the addition of a Firewall node that extends the Router class functionalities and the enhancement of ACLRule to support IP ranges through wildcard masking, thus offering granular traffic filtering based on IP addresses, protocols, ports, and more.

## Key Features:

**Firewall Class:** A new class that extends the Router class, incorporating firewall-specific logic for inspecting, directing, and filtering traffic between the internal, external, and DMZ (De-Militarized Zone) network interfaces. The Firewall class supports configuring network interfaces and applying Access Control Lists (ACLs) for inbound and outbound traffic control.

**Enhanced ACLRule:** The ACLRule class has been updated to support IP ranges using wildcard masking. This allows for more flexible rule definitions, enabling users to specify broad network ranges or individual IP addresses in ACL rules.

**Comprehensive ACL Configuration:** Six distinct ACLs (internal inbound, internal outbound, DMZ inbound, DMZ outbound, external inbound, and external outbound) provide meticulous control over traffic flow, ensuring robust network security. Examples included in the documentation illustrate how to configure ACLs for common scenarios, such as blocking external threats, permitting specific services, and restricting access to sensitive internal resources.

**Intuitive Interface and ACL Management:** Simplified methods for configuring firewall interfaces and ACL rules enhance usability. The Firewall class offers intuitive functions for rule management, including adding, removing, and listing ACL rules.

**Detailed Documentation and Examples:** Accompanying the code updates, comprehensive documentation and example configurations are provided, detailing the use and configuration of the Firewall node and ACL rules within PrimAITE simulations.

## Impact:

The introduction of the Firewall class and the enhancement of ACLRule significantly broaden PrimAITE's capabilities for simulating realistic network security scenarios. Users can now accurately model the behavior of firewalls in their network simulations, applying complex ACLs to control traffic flow and enforce security policies. This update enables more detailed network security analyses, teaching, and experimentation within the PrimAITE environment.

## Test process
Extensive unit tests have been added to cover the new functionality, ensuring reliability and correctness. Tests include scenarios for firewall configuration, ACL rule application, traffic filtering based on various criteria, and interaction between different network zones.

## Checklist
- [X] PR is linked to ...
This commit is contained in:
Christopher McCarthy
2024-02-13 13:56:56 +00:00
parent a6f3c458d5 7b64d99a63
commit 9835b31dc5
14 changed files with 2606 additions and 270 deletions
Download Patch File Download Diff File Expand all files Collapse all files

432
docs/source/simulation_components/network/nodes/firewall.rst Normal file
View File

@@ -0,0 +1,432 @@
.. only:: comment
© Crown-owned copyright 2023, Defence Science and Technology Laboratory UK
########
Firewall
########
The ``firewall.py`` module is a cornerstone in network security within the PrimAITE simulation, designed to simulate
the functionalities of a firewall in monitoring, controlling, and securing network traffic.
Firewall Class
--------------
The ``Firewall`` class extends the ``Router`` class, incorporating advanced capabilities to scrutinise, direct,
and filter traffic between various network zones, guided by predefined security rules and policies.
Key Features
============
- **Access Control Lists (ACLs):** Employs ACLs to establish security rules for permitting or denying traffic
based on IP addresses, protocols, and port numbers, offering detailed oversight of network traffic.
- **Network Zone Segmentation:** Facilitates network division into distinct zones, including internal, external,
and DMZ (De-Militarized Zone), each governed by specific inbound and outbound traffic rules.
- **Interface Configuration:** Enables the configuration of network interfaces for connectivity to external,
internal, and DMZ networks, including setting up IP addressing and subnetting.
- **Protocol and Service Management:** Oversees and filters traffic across different protocols and services,
enforcing adherence to established security policies.
- **Dynamic Traffic Processing:** Actively processes incoming and outgoing traffic via relevant ACLs, determining
whether to forward or block based on the evaluation of rules.
- **Logging and Diagnostics:** Integrates with ``SysLog`` for detailed logging of firewall actions, supporting
security monitoring and incident investigation.
Operations
==========
- **Rule Definition and Management:** Permits the creation and administration of ACL rules for precise traffic
control, enabling the firewall to serve as an effective guard against unauthorised access.
- **Traffic Forwarding and Filtering:** Assesses network frames against ACL rules to allow or block traffic,
forwarding permitted traffic towards its destination whilst obstructing malicious or unauthorised requests.
- **Interface and Zone Configuration:** Provides mechanisms for configuring and managing network interfaces,
aligning with logical network architecture and security zoning requisites.
Configuring Interfaces
======================
To set up firewall interfaces, allocate IP addresses and subnet masks to the external, internal, and DMZ interfaces
using the respective configuration methods:
.. code-block:: python
firewall.configure_external_port(ip_address="10.0.0.1", subnet_mask="255.255.255.0")
firewall.configure_internal_port(ip_address="192.168.1.1", subnet_mask="255.255.255.0")
firewall.configure_dmz_port(ip_address="172.16.0.1", subnet_mask="255.255.255.0")
Firewall ACLs
=============
In the PrimAITE network simulation, six Access Control Lists (ACLs) are crucial for delineating and enforcing
comprehensive network security measures. These ACLs, designated as internal inbound, internal outbound, DMZ inbound,
DMZ outbound, external inbound, and external outbound, each serve a specific role in orchestrating the flow of data
through the network. They allow for meticulous control of traffic entering, exiting, and moving within the network,
ensuring robust protection against unauthorised access and potential cyber threats. By leveraging these ACLs both
individually and collectively, users can simulate a multi-layered security architecture.
Internal Inbound ACL
^^^^^^^^^^^^^^^^^^^^
This ACL controls incoming traffic from the external network and DMZ to the internal network. It's crucial for
preventing unauthorised access to internal resources. By filtering incoming requests, it ensures that only legitimate
and necessary traffic can enter the internal network, protecting sensitive data and systems.
Internal Outbound ACL
^^^^^^^^^^^^^^^^^^^^^
The internal outbound ACL manages traffic leaving the internal network to the external network or DMZ. It can restrict
internal users or systems from accessing potentially harmful external sites or services, mitigate data exfiltration
risks.
DMZ Inbound ACL
^^^^^^^^^^^^^^^
This ACL regulates access to services hosted in the DMZ from the external network and internal network. Since the DMZ
hosts public-facing services like web and email servers, the DMZ inbound ACL is pivotal in allowing necessary access
while blocking malicious or unauthorised attempts, thus serving as a first line of defence.
DMZ Outbound ACL
^^^^^^^^^^^^^^^^
The ACL controls traffic from DMZ to the external network and internal network. It's used to restrict the DMZ services
from initiating unauthorised connections, which is essential for preventing compromised DMZ services from being used
as launchpads for attacks or data exfiltration.
External Inbound ACL
^^^^^^^^^^^^^^^^^^^^
This ACL filters all incoming traffic from the external network towards the internal network or DMZ. It's instrumental
in blocking unwanted or potentially harmful external traffic, ensuring that only traffic conforming to the security
policies is allowed into the network. **This ACL should only be used when the rule applies to both internal and DMZ
networks.**
External Outbound ACL
^^^^^^^^^^^^^^^^^^^^^
This ACL governs traffic leaving the internal network or DMZ to the external network. It plays a critical role in data
loss prevention (DLP) by restricting the types of data and services that internal users and systems can access or
interact with on external networks. **This ACL should only be used when the rule applies to both internal and DMZ
networks.**
Using ACLs Together
^^^^^^^^^^^^^^^^^^^
When these ACLs are used in concert, they create a robust security matrix that controls traffic flow in all directions:
into the internal network, out of the internal network, into the DMZ, out of the DMZ, and between these networks and
the external world. For example, while the external inbound ACL might block all incoming SSH requests to protect both
the internal network and DMZ, the internal outbound ACL could allow SSH access to specific external servers for
management purposes. Simultaneously, the DMZ inbound ACL might permit HTTP and HTTPS traffic to specific servers to
provide access to web services while the DMZ outbound ACL ensures these servers cannot make unauthorised outbound
connections.
By effectively configuring and managing these ACLs, users can establish and experiment with detailed security policies
that are finely tuned to their simulated network's unique requirements and threat models, achieving granular oversight
over traffic flows. This not only enables secure simulated interactions and data exchanges within PrimAITE environments
but also fortifies the virtual network against unauthorised access and cyber threats, mirroring real-world network
security practices.
ACL Configuration Examples
==========================
The subsequent examples provide detailed illustrations on configuring ACL rules within PrimAITE's firewall setup,
addressing various scenarios that encompass external attempts to access resources not only within the internal network
but also within the DMZ. These examples reflect the firewall's specific port configurations and showcase the
versatility and control that ACLs offer in managing network traffic, ensuring that security policies are precisely
enforced. Each example highlights different aspects of ACL usage, from basic traffic filtering to more complex
scenarios involving specific service access and protection against external threats.
**Blocking External Traffic to Internal Network**
To prevent all external traffic from accessing the internal network, with exceptions for approved services:
.. code-block:: python
# Default rule to deny all external traffic to the internal network
firewall.internal_inbound_acl.add_rule(
action=ACLAction.DENY,
src_ip_address="0.0.0.0",
src_wildcard_mask="255.255.255.255",
dst_ip_address="192.168.1.0",
dst_wildcard_mask="0.0.0.255",
position=1
)
# Exception rule to allow HTTP traffic from external to internal network
firewall.internal_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTP,
dst_ip_address="192.168.1.0",
dst_wildcard_mask="0.0.0.255",
position=2
)
**Allowing External Access to Specific Services in DMZ**
To enable external traffic to access specific services hosted within the DMZ:
.. code-block:: python
# Allow HTTP and HTTPS traffic to the DMZ
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTP,
dst_ip_address="172.16.0.0",
dst_wildcard_mask="0.0.0.255",
position=3
)
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTPS,
dst_ip_address="172.16.0.0",
dst_wildcard_mask="0.0.0.255",
position=4
)
**Edge Case - Permitting External SSH Access to a Specific Internal Server**
To permit SSH access from a designated external IP to a specific server within the internal network:
.. code-block:: python
# Allow SSH from a specific external IP to an internal server
firewall.internal_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
src_ip_address="10.0.0.2",
dst_port=Port.SSH,
dst_ip_address="192.168.1.10",
position=5
)
**Restricting Access to Internal Database Server**
To limit database server access to selected external IP addresses:
.. code-block:: python
# Allow PostgreSQL traffic from an authorized external IP to the internal DB server
firewall.internal_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
src_ip_address="10.0.0.3",
dst_port=Port.POSTGRES_SERVER,
dst_ip_address="192.168.1.20",
position=6
)
# Deny all other PostgreSQL traffic from external sources
firewall.internal_inbound_acl.add_rule(
action=ACLAction.DENY,
protocol=IPProtocol.TCP,
dst_port=Port.POSTGRES_SERVER,
dst_ip_address="192.168.1.0",
dst_wildcard_mask="0.0.0.255",
position=7
)
**Permitting DMZ Web Server Access while Blocking Specific Threats*
To authorize HTTP/HTTPS access to a DMZ-hosted web server, excluding known malicious IPs:
.. code-block:: python
# Deny access from a known malicious IP to any DMZ service
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.DENY,
src_ip_address="10.0.0.4",
dst_ip_address="172.16.0.0",
dst_wildcard_mask="0.0.0.255",
position=8
)
# Allow HTTP/HTTPS traffic to the DMZ web server
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTP,
dst_ip_address="172.16.0.2",
position=9
)
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTPS,
dst_ip_address="172.16.0.2",
position=10
)
**Enabling Internal to DMZ Restricted Access**
To facilitate restricted access from the internal network to DMZ-hosted services:
.. code-block:: python
# Permit specific internal application server HTTPS access to a DMZ-hosted API
firewall.internal_outbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
src_ip_address="192.168.1.30", # Internal application server IP
dst_port=Port.HTTPS,
dst_ip_address="172.16.0.3", # DMZ API server IP
position=11
)
# Deny all other traffic from the internal network to the DMZ
firewall.internal_outbound_acl.add_rule(
action=ACLAction.DENY,
src_ip_address="192.168.1.0",
src_wildcard_mask="0.0.0.255",
dst_ip_address="172.16.0.0",
dst_wildcard_mask="0.0.0.255",
position=12
)
# Corresponding rule in DMZ inbound ACL to allow the traffic from the specific internal server
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
src_ip_address="192.168.1.30", # Ensuring this specific source is allowed
dst_port=Port.HTTPS,
dst_ip_address="172.16.0.3", # DMZ API server IP
position=13
)
# Deny all other internal traffic to the specific DMZ API server
firewall.dmz_inbound_acl.add_rule(
action=ACLAction.DENY,
src_ip_address="192.168.1.0",
src_wildcard_mask="0.0.0.255",
dst_port=Port.HTTPS,
dst_ip_address="172.16.0.3", # DMZ API server IP
position=14
)
**Blocking Unwanted External Access**
To block all SSH access attempts from the external network:
.. code-block:: python
# Deny all SSH traffic from any external source
firewall.external_inbound_acl.add_rule(
action=ACLAction.DENY,
protocol=IPProtocol.TCP,
dst_port=Port.SSH,
position=1
)
**Allowing Specific External Communication**
To allow the internal network to initiate HTTP connections to the external network:
.. code-block:: python
# Permit outgoing HTTP traffic from the internal network to any external destination
firewall.external_outbound_acl.add_rule(
action=ACLAction.PERMIT,
protocol=IPProtocol.TCP,
dst_port=Port.HTTP,
position=2
)
The examples above demonstrate the versatility and power of ACLs in crafting nuanced security policies. By combining
rules that specify permitted and denied traffic, both broadly and narrowly defined, administrators can construct
a firewall policy that safeguards network resources while ensuring necessary access is maintained.
Show Rules Function
===================
The show_rules function in the Firewall class displays the configurations of Access Control Lists (ACLs) within a
network firewall. It presents a comprehensive table detailing the rules that govern the filtering and management of
network traffic.
**Functionality:**
This function showcases each rule in an ACL, outlining its:
- **Index**: The rule's position within the ACL.
- **Action**: Specifies whether to permit or deny matching traffic.
- **Protocol**: The network protocol to which the rule applies.
- **Src IP and Dst IP**: Source and destination IP addresses.
- **Src Wildcard and Dst** Wildcard: Wildcard masks for source and destination IP ranges.
- **Src Port and Dst Port**: Source and destination ports.
- **Matched**: The number of times the rule has been matched by traffic.
Example Output:
.. code-block:: text
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - External Inbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 1 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | PERMIT | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 2 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - External Outbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 0 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | PERMIT | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 2 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - Internal Inbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 1 | PERMIT | ANY | ANY | ANY | 123 (NTP) | ANY | ANY | 123 (NTP) | 1 |
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 0 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | DENY | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - Internal Outbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 1 | PERMIT | ANY | ANY | ANY | 123 (NTP) | ANY | ANY | 123 (NTP) | 1 |
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 1 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | DENY | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - DMZ Inbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 1 | PERMIT | ANY | ANY | ANY | 123 (NTP) | ANY | ANY | 123 (NTP) | 1 |
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 0 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | DENY | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
+---------------------------------------------------------------------------------------------------------------+
| firewall_1 - DMZ Outbound Access Control List |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| Index | Action | Protocol | Src IP | Src Wildcard | Src Port | Dst IP | Dst Wildcard | Dst Port | Matched |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
| 1 | PERMIT | ANY | ANY | ANY | 123 (NTP) | ANY | ANY | 123 (NTP) | 1 |
| 22 | PERMIT | ANY | ANY | ANY | 219 (ARP) | ANY | ANY | 219 (ARP) | 1 |
| 23 | PERMIT | ICMP | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
| 24 | DENY | ANY | ANY | ANY | ANY | ANY | ANY | ANY | 0 |
+-------+--------+----------+--------+--------------+-----------+--------+--------------+-----------+-----------+
The ``firewall.py`` module within PrimAITE empowers users to accurately model and simulate the pivotal role of
firewalls in network security. It provides detailed command over traffic flow and enforces security policies to safeguard
networked assets.

193
docs/source/simulation_components/network/nodes/wireless_router.rst Normal file
View File

@@ -0,0 +1,193 @@
.. only:: comment
© Crown-owned copyright 2023, Defence Science and Technology Laboratory UK
######
Router
######
The ``WirelessRouter`` class extends the functionality of the standard ``Router`` class within PrimAITE,
integrating wireless networking capabilities. This class enables the simulation of a router that supports both wired
and wireless connections, allowing for a more comprehensive network simulation environment.
Overview
--------
The ``WirelessRouter`` class is designed to simulate the operations of a real-world wireless router, offering both
Ethernet and Wi-Fi connectivity. This includes managing wireless access points, configuring network interfaces for
different frequencies, and handling wireless frames transmission.
Features
--------
- **Dual Interface Support:** Supports both wired (Ethernet) and wireless network interfaces.
- **Wireless Access Point Configuration:** Allows configuring a wireless access point, including setting its IP
address, subnet mask, and operating frequency.
- **Frequency Management:** Utilises the ``AirSpaceFrequency`` enum to set the operating frequency of wireless
interfaces, supporting common Wi-Fi bands like 2.4 GHz and 5 GHz.
- **Seamless Wireless Communication:** Integrates with the ``AirSpace`` class to manage wireless transmissions across
different frequencies, ensuring that wireless communication is realistically simulated.
Usage
-----
To use the ``WirelessRouter`` class in a network simulation, instantiate it similarly to a regular router but with
additional steps to configure wireless settings:
.. code-block:: python
from primaite.simulator.network.hardware.nodes.network.wireless_router import WirelessRouter
from primaite.simulator.network.airspace import AirSpaceFrequency
# Instantiate the WirelessRouter
wireless_router = WirelessRouter(hostname="MyWirelessRouter")
# Configure a wired Ethernet interface
wireless_router.configure_port(port=2, ip_address="192.168.1.1", subnet_mask="255.255.255.0")
# Configure a wireless access point
wireless_router.configure_wireless_access_point(
port=1, ip_address="192.168.2.1",
subnet_mask="255.255.255.0",
frequency=AirSpaceFrequency.WIFI_2_4
)
Integration with AirSpace
-------------------------
The ``WirelessRouter`` class works closely with the ``AirSpace`` class to simulate the transmission of wireless frames.
Frames sent from wireless interfaces are transmitted across the simulated airspace, allowing for interactions with
other wireless devices within the same frequency band.
Example Scenario
----------------
This example sets up a network with two PCs (PC A and PC B), each connected to their own `WirelessRouter`
(Router 1 and Router 2). These routers are then wirelessly connected to each other, enabling communication between the
PCs through the routers over the airspace. Access Control Lists (ACLs) are configured on the routers to permit ARP and
ICMP traffic, ensuring basic network connectivity and ping functionality.
.. code-block:: python
from primaite.simulator.network.airspace import AIR_SPACE, AirSpaceFrequency
from primaite.simulator.network.container import Network
from primaite.simulator.network.hardware.nodes.host.computer import Computer
from primaite.simulator.network.hardware.nodes.network.router import ACLAction
from primaite.simulator.network.hardware.nodes.network.wireless_router import WirelessRouter
from primaite.simulator.network.transmission.network_layer import IPProtocol
from primaite.simulator.network.transmission.transport_layer import Port
network = Network()
# Configure PC A
pc_a = Computer(
hostname="pc_a",
ip_address="192.168.0.2",
subnet_mask="255.255.255.0",
default_gateway="192.168.0.1",
start_up_duration=0,
)
pc_a.power_on()
network.add_node(pc_a)
# Configure Router 1
router_1 = WirelessRouter(hostname="router_1", start_up_duration=0)
router_1.power_on()
network.add_node(router_1)
# Configure the connection between PC A and Router 1 port 2
router_1.configure_router_interface("192.168.0.1", "255.255.255.0")
network.connect(pc_a.network_interface[1], router_1.router_interface)
# Configure Router 1 ACLs
router_1.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.ARP, dst_port=Port.ARP, position=22)
router_1.acl.add_rule(action=ACLAction.PERMIT, protocol=IPProtocol.ICMP, position=23)
# Configure PC B
pc_b = Computer(
hostname="pc_b",
ip_address="192.168.2.2",
subnet_mask="255.255.255.0",
default_gateway="192.168.2.1",
start_up_duration=0,
)
pc_b.power_on()
network.add_node(pc_b)
# Configure Router 2
router_2 = WirelessRouter(hostname="router_2", start_up_duration=0)
router_2.power_on()
network.add_node(router_2)
# Configure the connection between PC B and Router 2 port 2
router_2.configure_router_interface("192.168.2.1", "255.255.255.0")
network.connect(pc_b.network_interface[1], router_2.router_interface)
# Configure the wireless connection between Router 1 and Router 2
router_1.configure_wireless_access_point(
port=1,
ip_address="192.168.1.1",
subnet_mask="255.255.255.0",
frequency=AirSpaceFrequency.WIFI_2_4
)
router_2.configure_wireless_access_point(
port=1,
ip_address="192.168.1.2",
subnet_mask="255.255.255.0",
frequency=AirSpaceFrequency.WIFI_2_4
)
# Configure routes for inter-router communication
router_1.route_table.add_route(
address="192.168.2.0", subnet_mask="255.255.255.0", next_hop_ip_address="192.168.1.2"
)
router_2.route_table.add_route(
address="192.168.0.0", subnet_mask="255.255.255.0", next_hop_ip_address="192.168.1.1"
)
# Test connectivity
print(pc_a.ping(pc_b.network_interface[1].ip_address))
print(pc_b.ping(pc_a.network_interface[1].ip_address))
This setup demonstrates the `WirelessRouter` class's capability to manage both wired and wireless connections within a
simulated network environment. By configuring the wireless access points and enabling the appropriate ACL rules, the
example facilitates basic network operations such as ARP resolution and ICMP pinging between devices across different
network segments.
Viewing Wireless Network Configuration
--------------------------------------
The `AirSpace.show()` function is an invaluable tool for inspecting the current wireless network configuration within
the PrimAITE environment. It presents a table summarising all wireless interfaces, including routers and access points,
that are active within the airspace. The table outlines each device's connected node name, MAC address, IP address,
subnet mask, operating frequency, and status, providing a comprehensive view of the wireless network topology.
Example Output
^^^^^^^^^^^^^^^
Below is an example output of the `AirSpace.show()` function, demonstrating the visibility it provides into the
wireless network:
.. code-block:: none
+----------------+-------------------+-------------+---------------+--------------+---------+
| Connected Node | MAC Address | IP Address | Subnet Mask | Frequency | Status |
+----------------+-------------------+-------------+---------------+--------------+---------+
| router_1 | 31:29:46:53:ed:f8 | 192.168.1.1 | 255.255.255.0 | WiFi 2.4 GHz | Enabled |
| router_2 | 34:c8:47:43:98:78 | 192.168.1.2 | 255.255.255.0 | WiFi 2.4 GHz | Enabled |
+----------------+-------------------+-------------+---------------+--------------+---------+
This table aids in verifying that wireless devices are correctly configured and operational. It also helps in
diagnosing connectivity issues by ensuring that devices are on the correct frequency and have the appropriate network
settings. The `Status` column, indicating whether a device is enabled or disabled, further assists in troubleshooting
by quickly identifying any devices that are not actively participating in the network.
Utilising the `AirSpace.show()` function is particularly beneficial in complex network simulations where multiple
wireless devices are in use. It provides a snapshot of the wireless landscape, facilitating the understanding of how
devices interact within the network and ensuring that configurations are aligned with the intended network architecture.
The addition of the ``WirelessRouter`` class enriches the PrimAITE simulation toolkit by enabling the simulation of
mixed wired and wireless network environments.