Best implementation neth -> existing home net


(Kyle Phillips) #1

I have set up neth on my home ESXi 6.5 box with very healthy amounts of CPU/RAM + 2 NICs. The box has 3 physical NICs and one was being used with Security Onion as a span interface mirroring all my home network traffic. I am not planning to use SO after neth integration. Basically the end goal is to condense my services and storage and IPS/firewall into one place while using the web proxy and cache to speed up browsing. As a nethnoob I’m not yet ready to toss my EdgeRouter Lite from the scheme until I’ve worked out all the kinks, and even then I was hoping to get a lab segment going and it might come in handy there.
Is there any best practice info I should know before going at this, and are there any write-ups for a similar use case out there that I might not have stumbled on? I have not been successful so far trying to make neth the gateway for my home network in front of the ERL as gateway to the internet. I tried moving DHCP and DNS to the neth in an attempt to use it as a gateway without doing any wire changes. It seemed to work for most things, but my UniFi AP and Chromecasts didn’t seem to play nice. I blame user error here obviously and can’t seem to find any topics that both match my setup hopes and go into better detail about how they were successful, so I can’t yet get a good idea exactly where I’m going wrong. Thanks for any help. Very excited to utilize neth and love the snappy web interface so far.

(Rob Bosch) #2

I can explain to you how my network is set up, and I think it is not far from your setup.
The only difference is that I use Proxmox as the virtualization layer instead of ESXi.
I have 2 instances of NethServer running:

  • gateway with firewall IDS/IPS etc having 2 (virt) interfaces: RED and GREEN
  • DC + all other services having 1 interface: GREEN

First the layout:

Internet - ISP Router - RED interface of NS7GW - GREEN interface of NS7GW - switch - Internal LAN
The internal LAN consists of 2 access points, 1 printer and several wifi clients (laptops and Android phones), and of course the NethServer instance that serves AD + file server + networking services for the LAN.

The easiest way would be if you can put your ISP router in transparent mode. Then the RED interface of your NS GW instance will get an external IP address. If that is not possible, you need to ‘double-NAT’ your network.

I would advise against condensing storage and services together with the GW/firewall. Better would be to use 2 instances of NethServer instead of 1.

Besides the use of a virtualization layer this is all quite basic networking. Since you have 3 interfaces, you can use the 3rd interface as a BLUE ‘lab’ interface, so your BLUE lab environment cannot reach your GREEN LAN environment.

I have used UniFi access points for a long time. Instead of installing the controller on NethServer I opted for a small container (Proxmox can do containers too) with Debian 8 server and installed the controller on that instance. Instead of a container, you can choose to install a (small) VM.

(Kyle Phillips) #3

Thanks for the reply.
Sounds like pulling the ERL would make things easier on myself. I would think there is a way to make it transparent, but I was wanting to keep it because I love how well it does ad blocking/IP blacklisting on the firewall, which can all obviously be done using neth anyway.

I have my UniFi controller running in a Docker container on one of my ODROID boards. It might be better to do what you did instead. I could have had it all right and just didn’t wait long enough for the AP and the controller to provision before going back in and changing settings.

The Chromecasts, being Google devices, refuse to do much of anything unless they are allowed to call “home”. :wink:
Thanks for the help.

(Rob Bosch) #4

You still can put the ERL in front of NethServer.

(Kyle Phillips) #5

I’m about to try it with a destination NAT rule on the ERL for the RED interface of the NethServer VM.