Koozali.org formerly Contribs.org

3rd Nic

shanen

3rd Nic
« on: July 19, 2005, 11:43:25 AM »
It would be nice to have the option to add another interface to SME for wifi access points or DMZ zones etc.

wsmeurope

3rd Nic
« Reply #1 on: July 23, 2005, 11:21:14 AM »
The 3rd card should be a PCI wireless card ...

shanen

3rd Nic
« Reply #2 on: July 31, 2005, 09:50:59 AM »
I was thinking more along the lines of like ipcop where
1. You have an interface called blue which is used to connect wiress access points to.
2. An orange interface that allows you to isolate servers from the local network and create pinholes as required.

Here is a diagram to give you a rough idea

http://sme-solutions.com.au/ipcop-traffic.gif

Offline arne

  • ****
  • 1,116
3rd Nic
« Reply #3 on: September 04, 2005, 05:02:22 AM »
See:
http://forums.contribs.org/index.php?topic=28778.0

Hope there will be some interrest ..

Arne.
......

3rd Nic
« Reply #4 on: September 08, 2005, 09:08:05 AM »
Quote from: "arne"
See:
http://forums.contribs.org/index.php?topic=28778.0

Hope there will be some interrest ..

Arne.


In that thread, you appear to be suggesting a new firewall implementation, configuration tool, etc.

I think it would be far more useful if you provided patches to the existing firewall templates to enable the 3rd and/or 4th NICs.

I'm sure that such a configuration would be well received.
............

RonM

3rd Nic
« Reply #5 on: September 09, 2005, 07:11:07 AM »
Hi Arne - there has been some work done on adding additional network cards before:

http://no.longer.valid/phpwiki/index.php/How%20to%20add%20an%20additional%20network%20card%20%28including%20a%20Token%20Ring%20one%29%20to%20e-smith%204.1.x

A lot has changed since E-S 4.1 (including some directory locations) but it might be a good place to start.

RonM

Offline arne

  • ****
  • 1,116
3rd Nic
« Reply #6 on: September 12, 2005, 08:32:19 PM »
Thanks for your info RonM and gordonr !

Yes, my idea were to make a complete new firewall/routing implementation. The reson is not that I do not like the sme soulution, but rather that I have no idea how to make an implementation that will fit directly into the sme server "environment".

My problem is that the only small little thing I know a lilltle bit about is the firewall/routing part of it. Because of that my intention were to use a "sme server only installation" and then to modify that up to be a 3 or 4 network adapter installation.

I think that the firewall/routing part of sme 4.1 will be quite different from a simular impementation for sme 6.0/7.0 (2.2.x kernel versus 2.4.x kernel.)

On the other hand the more difficult part of it "how to implement a new firewall arrangement into the sme environment" might be rather simular. The info about the 4.1 is rather interesting.

Anyway, I think that to develop such a "multicard arrangment" will be a two phase project anyhow. First I think you will have to develop a firewall/routing solution, and when this is up and running and is working as expected, then it will come a project phase number two, how to impement this into the sme-server environment, server-manager, etc. To do the both things at the same time, I think will be very difficult.

That's the reason such a project should have more than one person, at least one that know about the iptables/firewall/routing things and at least one that knows about the sme impementation prosess. Somebody who actually need such a "multi security zone implementation" and who could make some testing if the actual requirements are met or not would also be a great resource.

Actually, I don't know for sure if the project can be done and work as expected, but I would believe so. As an example - for a while a go I put rather much work in a project to make a bootable sme USB memory stick installation, but this project newer worked. (An who would need a server that boots from a USB stick .. what a strange project... ) On the other side all other more or less "funny" sme modifications have worked, so I know that things can also work.

Don't know if I will try to do such a multizone project if there is no one exept than myself that want such a project to come true.

I think that there should noot need to be a question alternative 1 or alternative 2, the sme interphase or not, but rather a phase 1 and a phase 2, first the development of the firewall part of it and then the impementation of the firewall part of it into the sme server environment.

The reson why it can be done this way, is that the firewall/routing part of it (phase 1) will affect the configuration of the kernel only (I believe), and it will (should) not affect any of the server installation on a "sme server only", that basically and intentionally dos not have a firewall. (Have not tested 7.0, but I guess this is also the case for this distribution.)

I guess it should be possible to develop a fully working multi securityzone sme server installation (using a iptables configuration script only) and then to integrate this further into the sme server environment (and administration systems) as a next step 2.

By the way which other server do have such a functionality like all the sme server functions combined with a "multi security zone arrangement" ..
Well .. possible a Windows 2003 with a MS ISA server installation and the right configuration...

Just some ideas.  

Best reg Arne.
......

Offline arne

  • ****
  • 1,116
3rd Nic
« Reply #7 on: September 15, 2005, 10:13:24 PM »
Well, just now at the moment I am sitting at the Wan segment made up by a 3'rd NIC an a SME 7.0 beta 2

I think there is absolutely no restriction or difficulty in setting up a 3'rd and a 4'rth NIC on a SME server.

I made it up just by installing a server only with ne NIC. After that I added two more NIC and configured those manually. Then applied a IPTABLES script to controll trafic between the 3 NIC's.

Actually it seams to be a lot more easy than I initially thought about. Reason: When you configure a 3 port Linux firewall, the servers will normally be at the dmz, and it can be tricky to controll trafic from lan and wan to the dmz.

To fit in one of two extra cards on the sme seams to be very aesy as long as the server functions is on the gateway server and not on the DMZ, so you don't have to deal with the forwarding problem to the DMZ. (From lan and wan.)

By the way, the 7.0 seams to be a really great disto and this task to add a NIC or two, is really absoultely nothing compared with the job that is done.

If anybody want a 3'rd or 4'th NIC on the SME server it should just be a question of doing some testing.

One task of cource would be to specify how you want the trafic to flow between the 3 or 4 NIC's

Lets say it is a internet nat connection to the wired lan and eventuelly some forwardning here to lan servers and then an other internet nat connection to a wireless lan ("guests") with no access to the wired lan ("employed"), this should be a rather easy one.

If anybody some time should need such an arrangement and if they ant to give it some workhours (on testing), they should/could leave a msg here.
......

Offline arne

  • ****
  • 1,116
3rd Nic
« Reply #8 on: September 16, 2005, 07:44:50 PM »
OK .. To day the 7.0 installation has 4 nic's. One wan connection and 3 different Lan/DMZ zones.

Looks like it's really no problems at all to run a SME with such a configuration. Actually it looks like it is very, very easy.

The way it can be done (I do it) is to just install a SME server only with only one NIC. Then it is just to intall two or tree more NIC's and apply a shell script that makes the configuration of the aditional 2 or 3 NIC's plus set up firewalling between those forur NIC's as wanted.

As I se it, setting ut a firewall is 99 % testing to check out if it really does the things it should do. (You will need a real network with real clients.)

So if there is anybody there that want to install/check out a 3 or 4 NIC installation some info and ideas will be posted here.
......

Offline arne

  • ****
  • 1,116
3rd Nic
« Reply #9 on: September 18, 2005, 11:23:25 AM »
Correction:

I appears that if you apply a new firewall configuration on a "server only" installation certain typical lan services will not be available on that segments that should work as lan/dmz segments.

The reason for this seems to be that the sme server has a multi level security where the firewall is just the level no 1.

If you on the other hand start up with a "server gateway" intstallation and apply 1-2-3 NIC's extra ont top on that, it seems like things are working.

If you choose the eth0 as external connection and then eth1 as wired lan, then eth2, eth3, eth4 can be used as wireless lan/iptelephone/server etc, but they will not recive "full lan services" (No access for Squid, no access for server-manoager etc)

I believe that the eth1 will work as a "fully normal" lan segment, but I have not really fully tested it out.

If anybody like to start up testing the oportunity of using 1-3 NIC's extra you can do like this:

1. Start up with a gateway/server installation.
2. Apply 1-3 extra NIC's
3. Run a shell script that configures the aditional NIC's and wipe out the old firewall and supply the new firewall.

A simple script to get started with this:


ifconfig eth2 10.0.2.1 netmask 255.255.255.0
ifconfig eth3 10.0.3.1 netmask 255.255.255.0
ifconfig eth4 10.0.4.1 netmask 255.255.255.0


echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush
iptables -t nat -F
iptables -F
iptables -X
iptables -Z

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Note: this script flush out the old and orginal firewall and leavs everything completely open. (I use a nat router/firewall in front while testing this.)

Fron this as a starting point just to set up trafic it will be neccessary to apply new firewall rules to obtain required/wanted security.

By the way. I'm testing with a 5 NIC installation just now, and I believe that the eth1 segment work like a "normal" server gateway installation, but it should be a lot more testing.
......

3rd Nic
« Reply #10 on: November 15, 2006, 11:35:19 PM »
Arne,

  I'm looking at the possibility of adding a 3rd NIC for a second T1.  A school I work with just got a new T1... but they cannot get rid of their old connection yet because they have a contract.... anyway, they'd like to have two outside interfaces.

  1 - Handles inbound connections http/smtp/vpn etc....
  2 - Handles outbound connections... including the students browsing.

Any tips?  Thanks.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com