On Wednesday, January 22, 2003, at 06:31 AM, Martyn Hill wrote:

Dear all

I'd be very grateful for any insights you could share...

Our school network continues to grow. Different departments within the
school wish to piggy-back their windows machines on to our broadband
internet connection, via our 100Mbps wired LAN within the building. Before I
can allow any more machines on, I need to put a measure of security in
place - principally between the school Admin and Curriculum 'networks' and
also between the other 3 departments who share the site with us. I was
thinking along the lines of subnetting our existing network and applying a
firewall between each sub-net.

Currently, our setup comprises two FreeBSD (4.5RELENG) boxes - one acting
as a gateway/firewall between our private network (10.x.x.x/8) and the ADSL
router, the other as a fileserver/web proxy/redirector and email server to
our 40 or so Windows clients. DHCP and DNS are provided by the gateway.

The gateway currently runs with two NICs - one to a switch, the other to the
ADSL router. All other machines, including the fileserver hang off the
switch. The ADSL router has another 3 10Mbps ports available for direct
connection.

The Admin and Curriculum users need to share the fileserver (for now, at
least.) The other new users simply need the broadband connectivity (with or
without the web-proxy facility that currently sits on the fileserver.)

Questions:
Do I consider placing more NICs into the gateway in order to create (along
with a few switches) the new sub-nets, placing a firewall (ipfw) between
each interface?
Is it even possible to run >1 ipfw on the same box?
Do I build a couple of cheap boxes (like the P90 I'm using for the current
gateway) with FreeBSD and set them up for bridging along with ipfw?
Do I buy a few hardware routers with firewall facility and build my sub-nets
that way?
Do I use ifconfig to alias the one internal NIC in the present gateway to
create virtual sub-nets?
Is a firewall really what I need to restrict particular traffic (like SMB
browsing) across the sub-nets?

Or, am I barking up the wrong tree (spanning, or otherwise...)?

Thanks in advance.
Martyn Hill
ICT Teacher and IT Coordinator
St James Independent School
London

Hello Martyn:

As I understand it, you are attempting to limit traffic between various groups of users behind your firewall. In order to do this, I would recommend a mix of your solutions.

1) VLAN segmentation - use 802.1Q VLANs to isolate the broadcast domains of your pass-through Internet users and your back-office servers and users.
2) IP Segmentation - this will be necessary if users are on different VLANs because each VLAN is its own broadcast domain.
3) Firewall rulesets - now that you have separate routed segments, you can apply further filters at Layer 3 between your Internet and Internal users.

In order to accomplish this, you will need an 802.1Q capable NIC on your firewall as well as 802.1Q capable switches at any point where both types of users will be on the same Ethernet device. Your network would look something like this:

Inet -> ADSL ->
FreeBSD BOX (802.1Q NIC) ->
Trunk with VLANs 100 and 200 to ->
Switch -> VLAN 100 -> Internal Users and VLAN 200 -> Internet Users

Mike

--------------------------------------------------------------------------
Michael K. Smith NoaNet
206.219.7116 (work) 206.579.8360 (cell)
[EMAIL PROTECTED] http://www.noanet.net
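Mike's VLAN-plus-ipfw layout worked through as an added example; this is not code from the thread or from either poster. It assumes fxp0 as the 802.1Q trunk NIC and fxp1 as the ADSL-side NIC, 10.100.0.0/24 (VLAN 100) and 10.200.0.0/24 (VLAN 200) as the two subnets, 10.100.0.10 as the fileserver and 3128 as the proxy port; none of these values appear in the messages.

```shell
# Added example (not from the thread): Mike's VLAN 100/200 layout as FreeBSD
# ifconfig and ipfw commands. All names/addresses are assumptions: fxp0 is the
# 802.1Q trunk NIC, fxp1 faces the ADSL router, VLAN 100 = Admin/Curriculum
# (10.100.0.0/24, fileserver 10.100.0.10), VLAN 200 = Internet-only users
# (10.200.0.0/24). 3128 is squid's default port; the thread names no proxy.
TRUNK_IF=fxp0
ADSL_IF=fxp1
INT_NET=10.100.0.0/24
INET_NET=10.200.0.0/24
FILESERVER=10.100.0.10
PROXY_PORT=3128

# Two tagged interfaces on the trunk (modern ifconfig syntax; a 4.x kernel
# needs the vlan pseudo-device compiled in).
vlan_config() {
    cat <<EOF
ifconfig vlan0 create vlan 100 vlandev $TRUNK_IF
ifconfig vlan0 inet 10.100.0.1 netmask 255.255.255.0
ifconfig vlan1 create vlan 200 vlandev $TRUNK_IF
ifconfig vlan1 inet 10.200.0.1 netmask 255.255.255.0
EOF
}

# ipfw is first-match: the narrow allows must precede the broad segment denies.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# VLAN 200 may reach only the web proxy on the fileserver (and get its replies)
ipfw add 200 allow tcp from $INET_NET to $FILESERVER $PROXY_PORT
ipfw add 205 allow tcp from $FILESERVER $PROXY_PORT to $INET_NET
ipfw add 210 deny ip from $INET_NET to $INT_NET
ipfw add 220 deny ip from $INT_NET to $INET_NET
# NetBIOS/SMB browsing never crosses the ADSL link in either direction
ipfw add 300 deny tcp from any to any 137-139,445 via $ADSL_IF
ipfw add 310 deny udp from any to any 137-139,445 via $ADSL_IF
# Both segments reach the Internet; the existing ADSL-side policy (NAT etc.) is not shown
ipfw add 400 allow ip from $INT_NET to any
ipfw add 410 allow ip from $INET_NET to any
ipfw add 420 allow tcp from any to any established
ipfw add 65000 deny log ip from any to any
EOF
}

# Sanity check before applying: the proxy allow must come before the segment deny.
check_order() {
    a=$(ipfw_rules | grep -n "allow tcp from $INET_NET" | cut -d: -f1)
    d=$(ipfw_rules | grep -n "deny ip from $INET_NET" | cut -d: -f1)
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}
rule_count() { ipfw_rules | grep -c '^ipfw add'; }
```

Review the generated lines, then apply them as root on the gateway with `sh -c "$(vlan_config); $(ipfw_rules)"`; the functions only print commands, so they can be inspected on any machine first.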



