Jan Lausch wrote:
> Hi,
> I need to realise something here where I am confident that it is possible in
> principle but the details are somewhat blurry to me:
> I need to have a server that also doubles as a router:
>
> It shall have :
> - 1x WAN Interface
> - 2x LAN Interfaces, two VLANs (either tagged (one NIC/cable) or untagged
> (two NICs/cables))
> - provide some basic services to the LAN (SAMBA etc) and VPN to WAN.
>
> Now the fun thing is:
>
> Devices in one VLAN should not be able to connect to devices in the other
> VLAN.
> But however from both VLANs access to the server (SAMBA) shall be
> possible and also the access via the server out to the WAN.
>
> I do know /proc/sys/net/ipv4/ip_forward
> but that setting seems to be a little too "global" for me, right?
You'll need forwarding enabled for routed access to the Internet from
the internal LANs.
> Would I do the details in iptables or...?
>
> - Can I keep the VLANs clearly separated even though common access to the
> server and WAN?
> - What would in your opinion be a good distribution to manage those
> things easy? How would you approach this problem?
> - tagged VLANs or untagged with separated NICs?
>
> - One additional benefit would be granting different rights for use of
> the WAN. Any ideas here?
The internal interfaces, whether they're VLAN encapsulated or not, are
just different interfaces. You can control (in your case, prohibit)
traffic between them using iptables/netfilter. iptables won't care
whether they're 802.1q or not, as long as you get their names right in
the iptables config.
Whether you use VLANs or not is mostly a matter of bandwidth needs and
cabling preference. Since you're prohibiting traffic between internal
LANs, the only real question is if the Internet connection is faster
than one unencapsulated internal connection. It's probably not, but if
it is, then you'd potentially be limiting your Internet access to the
speed of one internal interface for both LANs rather than twice the
speed, once for each LAN. Personally, I use VLANs because it keeps the
hardware simpler.
Granting access to the WAN depends on how your network is set up and
what kind of access you mean. If your internal machines have fixed
addresses, then you can limit access based on IP address. If they have
dynamic addresses, but you only need web access, then block Internet
access by everything other than a proxy server and require
authentication at the proxy server. Set more complex policies on the
proxy server. It depends on what you really want and need.
Just about any distro can do all these things. Every major distro
certainly can.
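As an added example (not code from this thread), here is a script that generates the iptables/netfilter ruleset the reply describes: forwarding enabled globally, two 802.1q sub-interfaces that may each reach the WAN but never each other, Samba on the server reachable from both, and WAN use limited to a list of fixed internal addresses. The interface names (eth0, eth1.10, eth1.20), the subnets, the allowed-host list and the Samba port set are assumptions chosen for the example; with untagged, separate NICs you would substitute plain interface names and drop the `ip link add` lines.

```bash
#!/bin/sh
# Added example, not from the original thread: generate (and optionally apply)
# an iptables ruleset for a Linux server that routes two isolated VLANs to the
# WAN while both VLANs may reach the server's own Samba service.
# Interface names, subnets, WAN-allowed hosts and Samba ports are assumptions.
# "sh script.sh" prints the rules; "sh script.sh apply" executes them as root.

WAN=eth0
LAN_A=eth1.10          # 802.1q sub-interface of eth1 (for untagged NICs use e.g. eth1/eth2)
LAN_B=eth1.20
LAN_A_NET=192.168.10.0/24
LAN_B_NET=192.168.20.0/24
# Only these sources are forwarded to the WAN; everyone else still reaches Samba.
# This only makes sense with fixed internal addresses, as the reply points out.
WAN_ALLOWED="192.168.10.0/24 192.168.20.5"

ruleset() {
    cat <<EOF
# 802.1q sub-interfaces (omit when each VLAN has its own untagged NIC)
ip link add link eth1 name $LAN_A type vlan id 10
ip link add link eth1 name $LAN_B type vlan id 20
# ip_forward is global; the FORWARD chain below decides who may actually route
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicitly refuse anything routed between the two VLANs, in both directions
iptables -A FORWARD -i $LAN_A -o $LAN_B -j DROP
iptables -A FORWARD -i $LAN_B -o $LAN_A -j DROP
EOF
    for ifc in "$LAN_A" "$LAN_B"; do
        cat <<EOF
# Samba from $ifc to the server itself (INPUT chain, so untouched by FORWARD)
iptables -A INPUT -i $ifc -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -i $ifc -p tcp -m multiport --dports 139,445 -j ACCEPT
EOF
    done
    for src in $WAN_ALLOWED; do
        # Bind each allowed source to the interface it belongs on, so a host
        # in one VLAN cannot spoof an address from the other to reach the WAN
        case $src in
            192.168.10.*) ifc=$LAN_A ;;
            192.168.20.*) ifc=$LAN_B ;;
            *) continue ;;
        esac
        echo "iptables -A FORWARD -i $ifc -o $WAN -s $src -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

if [ "$1" = apply ]; then
    ruleset | grep -v '^#' | sh -e
else
    ruleset
fi
```

Rule order matters: the conntrack ESTABLISHED,RELATED rule lets replies flow without a per-direction rule, and because no NEW connection is ever accepted between the VLANs, no such state can arise. Both VLANs still share the one physical link to eth1, which is the bandwidth trade-off the reply mentions; with tagged VLANs the switch port facing eth1 must carry both VLAN IDs.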