Advice on net setup.
Posted: 19. Sep 2008, 23:02
Hi,
I *did* read the manual, but I'm a bit confused nonetheless.
I have a fairly up-to-date Ubuntu 8.4 host.
I have two real NICs on my host.
One is connected to a small home net (eth0:192.168.0.x) and the other is connected to my ISP (eth1:192.168.120.x; I need to use an OpenVPN tunnel to get to the Internet).
What I would like to implement is the following:
A) Install a dedicated firewall distribution (pfSense) with three logical NICs:
1) connected to the Internet
2) connected to the home LAN
3) connected to a private DMZ LAN
B) Install a dedicated web server (Apache + FTPd + ...) with just:
1) logical NIC connected to the DMZ private net.
I understand I should build three bridges (WAN, LAN and DMZ) in the host and four virtual NICs (three for the router/firewall and one for the web server), but here I have a few doubts:
a) Should I run OpenVPN on the host, creating a /dev/tap device, and then bridge it to the virtual device A1? Or can I just attach A1 to the tap device created by OpenVPN? Can this be done? Or should I just bridge the ISP NIC (eth1) to the router/firewall VBox and run OpenVPN there?
b) Is there a way to prevent the host from using the created tap device? I would like to avoid bypassing the firewall!
c) DMZ should be clear: create one bridge (brDMZ) and two host interfaces (DMZ0 & DMZ1) and then bind them together.
in /etc/network/interfaces:
auto brDMZ
iface brDMZ inet dhcp
bridge_ports none
then:
VBoxAddIF DMZ0 mauro brDMZ
VBoxAddIF DMZ1 mauro brDMZ
d) The LAN interface should also be clear:
in /etc/network/interfaces:
auto brLAN
iface brLAN inet dhcp
bridge_ports eth0
then:
VBoxAddIF LAN0 mauro brLAN
e) How do I make sure the ISP interface (192.168.120.x) is used only by OpenVPN? Can I do this?
f) Is this correct? Will any of this work?
Thanks in advance
ZioNemo
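The three-bridge layout from points c), d) and the host-isolation concerns in b) and e), as an added example that is not part of the original post. It assumes OpenVPN runs on the host with a pre-created tap0 bridged into brWAN, bridge names brWAN/brLAN/brDMZ, eth0 for the LAN, eth1 for the ISP and a VPN server on 1194/udp; it only generates configuration text and a check, it applies nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, bridge names
# and the VPN port are assumptions. Output only; nothing is applied here.
set -eu

# /etc/network/interfaces stanzas. Only brLAN gets a host address; brWAN and
# brDMZ are "manual" so the host stack has no route over them (the firewall
# VM does). tap0 must exist before brWAN comes up, e.g. created earlier with
# "openvpn --mktun --dev tap0".
gen_interfaces() {
    cat <<'EOF'
auto brWAN
iface brWAN inet manual
    bridge_ports tap0
    bridge_stp off

auto brLAN
iface brLAN inet dhcp
    bridge_ports eth0

auto brDMZ
iface brDMZ inet manual
    bridge_ports none
EOF
}

# Host-only rules: INPUT/OUTPUT match the host's own traffic, not bridged
# frames, so this blocks the host from talking on WAN/DMZ segments while the
# VMs keep bridging. eth1 may carry only the tunnel (and DHCP, if eth1 is dhcp).
gen_host_rules() {
    vpn_port=${1:-1194}
    for br in brWAN brDMZ; do
        echo "iptables -A INPUT  -i $br -j DROP"
        echo "iptables -A OUTPUT -o $br -j DROP"
    done
    echo "iptables -A OUTPUT -o eth1 -p udp --dport $vpn_port -j ACCEPT"
    echo "iptables -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT"
    echo "iptables -A OUTPUT -o eth1 -j DROP"
}

# Check an interfaces file: fail (and name the bridge) if any bridge other
# than brLAN gets an address, i.e. a host path around the firewall VM.
check_no_host_ip() {
    awk '$1=="iface" && $2 ~ /^br/ && $2!="brLAN" && $4!="manual" {print $2; bad=1}
         END {exit bad}' "$1"
}

case "${1:-}" in show) gen_interfaces; gen_host_rules ;; esac
```

Run with `sh script.sh show` to print both fragments; `check_no_host_ip /etc/network/interfaces` exits non-zero if the host has been given an address on a non-LAN bridge.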