Jan Lausch External

Since: Jul 07, 2009 Posts: 1
Posted: Tue Jul 07, 2009 7:10 am  Post subject: Server with NICs in different VLANs: separation/routing  Archived from groups: comp>os>linux>networking
Hi,
I need to realise something here where I am confident that it is possible in
principle but the details are somewhat blurry to me:
I need to have a server that also doubles as a router:
It shall have:
- 1x WAN Interface
- 2x LAN Interfaces, two VLANs (either tagged
(one NIC/cable) or untagged (two NICs/cables))
- provide some basic services to the LAN (SAMBA etc) and VPN to WAN.
Now the fun thing is:
Devices in one VLAN should not be able to connect to devices in the other
VLAN.
However, from both VLANs access to the server (SAMBA) shall be
possible and also the access via the server out to the WAN.
I do know /proc/sys/net/ipv4/ip_forward
but that setting seems to be a little too "global" for me, right?
Would I do the details in iptables or...?
- Can I keep the VLANs clearly separated even though common access to the
server and WAN?
- What would in your opinion be a good distribution to manage those
things easily? How would you approach this problem?
- tagged VLANs or untagged with separated NICs?
- One additional benefit would be granting different rights for use of
the WAN. Any ideas here?
cheers,
Jan
Allen Kistler External

Since: Jun 26, 2004 Posts: 367
Posted: Tue Jul 07, 2009 3:02 pm  Post subject: Re: Server with NICs in different VLANs: separation/routing  Archived from groups: per prev. post
Jan Lausch wrote:
> Hi,
> I need to realise something here where I am confident that it is possible in
> principle but the details are somewhat blurry to me:
> I need to have a server that also doubles as a router:
>
> It shall have :
> - 1x WAN Interface
> - 2x LAN Interfaces, two VLANs (either tagged
> (one NIC/cable) or untagged (two NICs/cables))
> - provide some basic services to the LAN (SAMBA etc) and VPN to WAN.
>
> Now the fun thing is:
>
> Devices in one VLAN should not be able to connect to devices in the other
> VLAN.
> But however from both VLANs access to the server (SAMBA) shall be
> possible and also the access via the server out to the WAN.
>
> I do know /proc/sys/net/ipv4/ip_forward
> but that setting seems to be a little too "global" for me, right?
You'll need forwarding enabled for routed access to the Internet from
the internal LANs.
> Would I do the details in iptables or...?
>
> - Can I keep the VLANs clearly separated even though common access to the
> server and WAN?
> - What would in your opinion be a good distribution to manage those
> things easy? How would you approach this problem?
> - tagged VLANs or untagged with separated NICs?
>
> - One additional benefit would be granting different rights for use of
> the WAN. Any ideas here?
The internal interfaces, whether they're VLAN encapsulated or not, are
just different interfaces. You can control (in your case, prohibit)
traffic between them using iptables/netfilter. iptables won't care
whether they're 802.1q or not, as long as you get their names right in
the iptables config.
Whether you use VLANs or not is mostly a matter of bandwidth needs and
cabling preference. Since you're prohibiting traffic between internal
LANs, the only real question is if the Internet connection is faster
than one unencapsulated internal connection. It's probably not, but if
it is, then you'd potentially be limiting your Internet access to the
speed of one internal interface for both LANs rather than twice the
speed, once for each LAN. Personally, I use VLANs because it keeps the
hardware simpler.
Granting access to the WAN depends on how your network is set up and
what kind of access you mean. If your internal machines have fixed
addresses, then you can limit access based on IP address. If they have
dynamic addresses, but you only need web access, then block Internet
access by everything other than a proxy server and require
authentication at the proxy server. Set more complex policies on the
proxy server. It depends on what you really want and need.
Just about any distro can do all these things. Every major distro
certainly can.
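The arrangement Allen describes, as an added example that is not part of his reply: forwarding switched on, and iptables deciding per interface pair what is routed, with the shared Samba service opened in INPUT (where traffic to the server itself is decided) rather than FORWARD. The interface names eth0 (WAN), eth1.10 and eth1.20 (the two VLANs on one trunked NIC), the host address 192.168.20.10 and the per-VLAN WAN rights are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed interface names: WAN on eth0,
# the two VLANs as 802.1q sub-interfaces eth1.10 and eth1.20 on one trunked
# NIC; the fixed address 192.168.20.10 is a constructed sample host.
# Set IPT=echo to print the rules instead of installing them.
WAN=${WAN:-eth0}
LAN_A=${LAN_A:-eth1.10}
LAN_B=${LAN_B:-eth1.20}
IPT=${IPT:-iptables}

# Transit traffic (VLAN->VLAN, VLAN->WAN) is decided in FORWARD. ip_forward=1
# only lets the kernel route at all; these rules say what gets routed.
apply_forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inter-VLAN traffic: the DROP policy would already discard it, but an
    # explicit logged drop makes crossing attempts visible in the kernel log.
    $IPT -A FORWARD -i "$LAN_A" -o "$LAN_B" -j LOG --log-prefix "xvlan-drop: "
    $IPT -A FORWARD -i "$LAN_A" -o "$LAN_B" -j DROP
    $IPT -A FORWARD -i "$LAN_B" -o "$LAN_A" -j LOG --log-prefix "xvlan-drop: "
    $IPT -A FORWARD -i "$LAN_B" -o "$LAN_A" -j DROP
    # Different WAN rights per VLAN: A gets everything, B only DNS and web,
    # except one fixed-address host in B that is trusted for full access.
    $IPT -A FORWARD -i "$LAN_A" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B" -s 192.168.20.10 -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B" -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B" -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Both VLANs leave through the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Packets addressed to the server itself (Samba) never enter FORWARD; they
# are decided in INPUT, so the shared services are opened there.
apply_input_policy() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for ifc in "$LAN_A" "$LAN_B"; do
        $IPT -A INPUT -i "$ifc" -p tcp -m multiport --dports 139,445 -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p udp -m multiport --dports 137,138 -j ACCEPT
    done
}

# Dry run: print the whole ruleset so it can be reviewed before applying.
render_rules() {
    (IPT=echo; apply_input_policy; apply_forward_policy)
}

if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    apply_input_policy
    apply_forward_policy
elif [ "${1:-}" = "show" ]; then
    render_rules
fi
```

Run `sh vlan-fw.sh show` to review the generated rules and `sh vlan-fw.sh apply` as root to install them. The log prefix gives a cheap detection signal: any `xvlan-drop:` line in the kernel log is a host trying to cross VLANs, which this design says should never happen.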
Andrew Gideon External

Since: Mar 17, 2006 Posts: 45
Posted: Tue Jul 07, 2009 5:10 pm  Post subject: Re: Server with NICs in different VLANs: separation/routing  Archived from groups: per prev. post
On Tue, 07 Jul 2009 09:57:58 +0000, Jan Lausch wrote:
> - Can I keep the VLANs clearly separated even though common access to
> the server and WAN?
Why not have the server in both VLANs? It'll need two different IPs, one
per VLAN.
This assumes a single network port. It must connect to a switchport set
to "dotq" trunking.
If we assume that the interface from the server's perspective is eth0,
and the two VLANs are M and N, then you'll be creating interfaces eth0.N
and eth0.M. These will look like any other interface.
If this is on a Redhat-based distribution, this is all very easy:
o Add VLAN=yes to /etc/sysconfig/network
o Add interface files /etc/sysconfig/network-scripts/ifcfg-eth0.N etc.
If on different distributions, you might actually have to use vconfig.
If the server has two network ports, then each can be connected to the
switch in a single VLAN w/o trunking.
As for WAN access, if you want to have this server acting as a router (as
opposed to a proxy), then you will need to set ip_forward to 1. This
merely enables the behavior. Use iptables (i.e. the FORWARD ruleset) to
gain more precise control over what is/is not forwarded ("routed").
- Andrew
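Andrew's two-step Red Hat recipe (VLAN=yes in /etc/sysconfig/network, then one ifcfg-eth0.N file per VLAN) and the non-Red Hat route, as an added example that is not part of his post. It assumes the trunk NIC is eth0 carrying VLAN ids 10 and 20, with server addresses 192.168.10.1/24 and 192.168.20.1/24 (all constructed); SYSCONFIG is a hypothetical override so the generator can be exercised against a scratch directory. Where he mentions vconfig, the live-path function uses the iproute2 `ip link ... type vlan` command that later replaced it, which produces the same eth0.N device.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed: trunk NIC eth0 carrying VLAN
# ids 10 and 20; server addresses 192.168.10.1/24 and 192.168.20.1/24
# (constructed). SYSCONFIG is a hypothetical override so the generator can be
# pointed at a scratch directory instead of /etc/sysconfig.
SYSCONFIG=${SYSCONFIG:-/etc/sysconfig}
IP=${IP:-ip}   # set IP=echo to print the live commands instead of running them

# Red Hat path, step 1: the global switch Andrew mentions (idempotent append).
enable_vlan_globally() {
    f="$SYSCONFIG/network"
    mkdir -p "$SYSCONFIG"
    touch "$f"
    grep -q '^VLAN=yes$' "$f" || echo 'VLAN=yes' >> "$f"
    printf '%s\n' "$f"
}

# Red Hat path, step 2: one ifcfg file per 802.1q sub-interface, e.g.
# ifcfg-eth0.10. DEVICE, PHYSDEV and VLAN are the keys network-scripts reads.
write_vlan_ifcfg() {
    parent=$1; vid=$2; addr=$3; mask=$4
    f="$SYSCONFIG/network-scripts/ifcfg-$parent.$vid"
    mkdir -p "$SYSCONFIG/network-scripts"
    cat > "$f" <<EOF
DEVICE=$parent.$vid
PHYSDEV=$parent
VLAN=yes
BOOTPROTO=static
IPADDR=$addr
NETMASK=$mask
ONBOOT=yes
EOF
    printf '%s\n' "$f"
}

# Other distributions: create the sub-interface live. iproute2 replaced the
# vconfig tool Andrew names; the result is the same eth0.N device.
add_vlan_live() {
    parent=$1; vid=$2; cidr=$3
    $IP link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    $IP addr add "$cidr" dev "$parent.$vid"
    $IP link set "$parent.$vid" up
}

if [ "${1:-}" = "rhel" ]; then
    enable_vlan_globally
    write_vlan_ifcfg eth0 10 192.168.10.1 255.255.255.0
    write_vlan_ifcfg eth0 20 192.168.20.1 255.255.255.0
elif [ "${1:-}" = "live" ]; then
    add_vlan_live eth0 10 192.168.10.1/24
    add_vlan_live eth0 20 192.168.20.1/24
fi
```

`sh vlans.sh rhel` writes the files (then `ifup eth0.10` brings a sub-interface up); `IP=echo sh vlans.sh live` shows what the iproute2 path would run. Once both sub-interfaces exist, the server has one address in each VLAN and the firewall rules decide whether anything is routed between them.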