Server with NICs in different VLANs: separation/routing

Discussion in 'Linux Networking' started by Jan Lausch, Jul 7, 2009.

  1. Jan Lausch

    Jan Lausch Guest

    I need to realise something here where I am confident that it is possible in
    principle but the details are somewhat blurry to me:
    I need to have a server that also doubles as a router:

    It shall have :
    - 1x WAN Interface
    - 2x LAN Interfaces, two VLANs (either tagged
    (one NIC/cable) or untagged (two NICs/cables))
    - provide some basic services to the LAN (SAMBA etc) and VPN to WAN.

    Now the fun thing is:

    Devices in one VLAN should not be able to connect to devices in the other.
    However, from both VLANs access to the server (SAMBA) shall be
    possible, and also the access via the server out to the WAN.

    I do know /proc/sys/net/ipv4/ip_forward
    but that setting seems to be a little too "global" for me, right?

    Would I do the details in iptables or...?

    - Can I keep the VLANs clearly separated even though common access to the
    server and WAN?
    - What would in your opinion be a good distribution to manage those
    things easy? How would you approach this problem?
    - tagged VLANs or untagged with separated NICs?

    - One additional benefit would be granting different rights for use of
    the WAN. Any ideas here?

    Jan Lausch, Jul 7, 2009

  2. You'll need forwarding enabled for routed access to the Internet from
    the internal LANs.
    The internal interfaces, whether they're VLAN encapsulated or not, are
    just different interfaces. You can control (in your case, prohibit)
    traffic between them using iptables/netfilter. iptables won't care
    whether they're 802.1q or not, as long as you get their names right in
    the iptables config.

    Whether you use VLANs or not is mostly a matter of bandwidth needs and
    cabling preference. Since you're prohibiting traffic between internal
    LANs, the only real question is if the Internet connection is faster
    than one unencapsulated internal connection. It's probably not, but if
    it is, then you'd potentially be limiting your Internet access to the
    speed of one internal interface for both LANs rather than twice the
    speed, once for each LAN. Personally, I use VLANs because it keeps the
    hardware simpler.

    Granting access to the WAN depends on how your network is set up and
    what kind of access you mean. If your internal machines have fixed
    addresses, then you can limit access based on IP address. If they have
    dynamic addresses, but you only need web access, then block Internet
    access by everything other than a proxy server and require
    authentication at the proxy server. Set more complex policies on the
    proxy server. It depends on what you really want and need.

    Just about any distro can do all these things. Every major distro
    certainly can.
    Allen Kistler, Jul 7, 2009
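    The policy Allen describes, written out as an iptables script. This is an
    added example, not code from either poster: it assumes tagged VLANs on one
    LAN-facing NIC (eth1.10 and eth1.20, eth0 as WAN), an OpenVPN endpoint on
    UDP 1194, and a constructed host address 192.168.20.10 in the second VLAN
    that is the only one granted Internet access there, as an instance of the
    per-IP restriction Allen mentions. With untagged NICs the two VLAN names
    would just become eth1 and eth2; nothing else changes. DRY_RUN=1 prints the
    commands instead of executing them so the policy can be reviewed without
    root.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding policy for a server that
# routes two VLANs to the WAN while keeping them isolated from each other.
# Assumed interface names; adjust to match `ip link`.
WAN=eth0
VLAN_A=eth1.10   # first LAN, full Internet access
VLAN_B=eth1.20   # second LAN, Internet access only for listed hosts
VLAN_B_ALLOWED=192.168.20.10   # constructed address for the example

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_policy() {
    # ip_forward is global, as Jan noted: it only switches the routing engine
    # on. Which interfaces may talk to which is decided in the FORWARD chain.
    [ "${DRY_RUN:-0}" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VLAN A -> WAN: everything
    ipt -A FORWARD -i "$VLAN_A" -o "$WAN" -j ACCEPT
    # VLAN B -> WAN: only the permitted host (per-IP rights, as Allen suggests)
    ipt -A FORWARD -i "$VLAN_B" -s "$VLAN_B_ALLOWED" -o "$WAN" -j ACCEPT
    # VLAN <-> VLAN: never accepted; log attempts, then the DROP policy applies
    ipt -A FORWARD -i "$VLAN_A" -o "$VLAN_B" -j LOG --log-prefix "VLAN-XING: "
    ipt -A FORWARD -i "$VLAN_B" -o "$VLAN_A" -j LOG --log-prefix "VLAN-XING: "

    # INPUT: the server's own services, reachable from both VLANs
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for lan in "$VLAN_A" "$VLAN_B"; do
        ipt -A INPUT -i "$lan" -p tcp --dport 445 -j ACCEPT      # SMB
        ipt -A INPUT -i "$lan" -p tcp --dport 139 -j ACCEPT      # NetBIOS session
        ipt -A INPUT -i "$lan" -p udp --dport 137:138 -j ACCEPT  # NetBIOS name/datagram
    done
    # Only the VPN is exposed on the WAN side (assumed OpenVPN on UDP 1194)
    ipt -A INPUT -i "$WAN" -p udp --dport 1194 -j ACCEPT

    # Both LANs share the single WAN address
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Print the rule set without touching the kernel (used for review and tests).
render_policy() {
    ( DRY_RUN=1; apply_policy )
}

# Number of FORWARD rules that would accept traffic between the two VLANs.
# The isolation requirement means this must be 0.
cross_vlan_accepts() {
    render_policy | grep -c -E -- "-i $VLAN_A -o $VLAN_B -j ACCEPT|-i $VLAN_B -o $VLAN_A -j ACCEPT" || true
}
```

    Run `DRY_RUN=1 sh firewall.sh` (after adding a final `apply_policy` call, or
    source the file and call it) to review the generated commands; `cross_vlan_accepts`
    is the check worth keeping in a deployment script, since any rule it counts
    is a hole in the VLAN separation. The `conntrack` match is used for
    return traffic; on old iptables it is spelled `-m state --state`.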