Thank you so much for your feedback. This is my first work; my background previously was mostly theoretical.
You’re welcome. Feel free to ask if you have questions.
Another thing: from my studying, security comes with multiple layers of protection. I found many network maps that connect the clients of the LAN directly to the router, which is in most cases an ISP-provided router with very limited firewall capabilities. In your opinion, which one of the maps I put here provides better security, management, and control? And what is the advantage of each one over the other?
I’d prefer the first one (and not only because I can see it much better).
I don’t get the second one, but maybe if you have WLAN on the ADSL router and need to use it for the internal network? What system is the firewall between the internet and the ADSL router? A bridge firewall? Why do the WLAN/VPN clients have a separate firewall? Do you have some more examples/links of such configs?
My home setup as example:
Internet and VPN clients - Provider router (cable modem) - NethServer firewall/gateway/proxy/IPS/VPN (two interfaces) - NethServer DC/mail/webapps (only green)
I set my NethServer gateway as DMZ host on my cable modem, so all network traffic is forwarded from the modem to my gateway. This way I have full control over the NethServer firewall and don’t have to reconfigure my modem for every port forward etc.
If I may. Since you’ll be the administrator, why not control the access? Have them view the cams/DVRs from a VPN connection? It’s much work for you to configure the VPN, but much more secure. I wouldn’t want my corporate/business/especially home CCTVs and DVRs to be open for public viewing.
Nothing is preventing you from opening your port and forwarding it to the device; mine is just a suggestion.
The other thing I see from your original diagram is double NATing, firstly to the 192.168.0.0/24 network and then to 10.10.0.0/24, which could possibly cause even more issues.
Yes, I am considering a VPN connection for the cameras and remote desktop. Can you give me some ideas about the best way to do that?
What do you suggest then? I want to separate the internal LAN from the internet, and in future if I need a web server I want to put it in the red zone.
I got some new info about the current implementation. The factory is 3 levels and each level has 2 routing switches and 1 PoE switch for cameras. The overall number of cameras is 66 and the number of computers currently attached is 10 devices: 3 on the ground level, 4 on the 1st level and 3 on the last level. Most of the switches are used for the cameras. So, any different suggestion, or do you advise me to stick with my plan? And for the cameras, if I want to make a VPN server for them, what is the best way to do it in my suggested model?
Create an OpenVPN server on your NethServer.
If you have a router in front of NethServer, port forward the VPN port to NethServer.
Connect via an OpenVPN client to the server. This way you should reach your cams easily.
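The three steps above, as an added example that is not from the thread or from NethServer's own OpenVPN module: a plain OpenVPN routed-server configuration and the matching client profile, generated by shell functions so the values can be checked before they are deployed. The tunnel pool 10.8.0.0/24, the camera subnet 10.10.20.0/24, the UDP port 1194, the certificate paths and the public hostname are all assumptions. Only the camera subnet is pushed to clients, so a VPN user can reach the cameras but nothing else on the LAN, and no `client-to-client` line is present, so VPN clients cannot talk to each other.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer's own module:
# generate an OpenVPN server config and client profile for camera access.
# Port, subnets, paths and hostnames below are assumptions for illustration.

VPN_PORT=1194              # the single UDP port forwarded from the ISP router
VPN_POOL="10.8.0.0"        # tunnel address pool, /24
CAM_NET="10.10.20.0"       # camera subnet (assumed)
CAM_MASK="255.255.255.0"

# Server side: clients get a route to the camera subnet only, every client
# must present a certificate, and the control channel is HMAC-protected with
# a pre-shared tls-auth key so unauthenticated UDP packets are dropped early.
gen_server_conf() {
    cat <<EOF
port $VPN_PORT
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
server $VPN_POOL 255.255.255.0
push "route $CAM_NET $CAM_MASK"
cipher AES-256-GCM
auth SHA256
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# Client side: $1 is the public hostname or IP of the router that forwards
# UDP $VPN_PORT to the NethServer. remote-cert-tls stops a client from being
# tricked into connecting to another client's certificate posing as a server.
gen_client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $1 $VPN_PORT
resolv-retry infinite
nobind
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

# Write both files into a directory given as $1 (defaults to ./openvpn-example)
write_configs() {
    out=${1:-./openvpn-example}
    mkdir -p "$out"
    gen_server_conf > "$out/server.conf"
    gen_client_conf "${2:-vpn.example.com}" > "$out/client.ovpn"
    echo "$out"
}
```

The camera web pages and RTSP streams are then reached at their LAN addresses (10.10.20.x in this example) from the connected client; nothing camera-related needs to be forwarded on the ISP router, which is the point made earlier in the thread about not exposing cameras and DVRs to the public.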
Thank you for the feedback. Another little thing I noticed is that the people who did the infrastructure placed routers instead of switches. I don't think this was necessary, and I think I should turn off routing and any other services on the routers except the main one. Am I right?
It’s enough to have one NethServer with its firewall/routing functions.
You might want to review it. The infra people who put in the routers instead of servers might have the following agenda which may or may not have been implemented:
- The network is or should have been segmented/VLANed, thus in need of routing.
- They have routers but routing/dhcp server is disabled, effectively making it a switch. If this is the case, I’m thinking that there’s no switch/es available but there’s plenty of routers or these routers are consumer grade making it cheaper.
Anyway, it’s yours now; just do proper documentation.
Another question, if I may. If I want to have 2 different subnets in the private network, one for the PCs and printers and one for the cameras, is it possible to do that in NethServer?
Yes, it is.
You may just set up two green networks so clients may reach each other:
So when I have one NIC for the private network, should I create a logical interface to create VLANs?
Or how can I make 2 green networks? In case of a bond with the physical NIC, I would put the IP address as the new subnet addresses and the gateway as the server IP of the red zone? Right?
In the case of only one adapter you need VLANs. Just add a “New logical interface”:
Set up your VLANs…
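What the "New logical interface" of type VLAN amounts to underneath, as an added example that is not from the thread or from NethServer's own tooling: a dry-run planner that validates 802.1Q VLAN IDs and prints the ip(8) commands a Linux gateway needs for one tagged sub-interface per green network on a single trunk NIC. The NIC name `eth1`, VLAN IDs 10 and 20 and the 10.10.10.0/24 and 10.10.20.0/24 subnets are assumptions. The switch port facing the gateway must be a trunk carrying both tags; camera and PC ports stay untagged access ports in their own VLAN.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run planner for two VLAN-backed
# green networks on one physical NIC. Names, IDs and subnets are assumptions.

# Return 0 if $1 is a usable 802.1Q VLAN ID. 0 and 4095 are reserved by the
# standard, so only 1..4094 may be configured.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the commands that create a tagged sub-interface on the trunk NIC and
# give the gateway its address in that subnet.
# $1 = trunk NIC, $2 = VLAN ID, $3 = gateway address in CIDR form.
vlan_iface_cmds() {
    nic=$1; vid=$2; cidr=$3
    valid_vlan_id "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$nic" "$nic" "$vid" "$vid"
    printf 'ip addr add %s dev %s.%s\n' "$cidr" "$nic" "$vid"
    printf 'ip link set %s.%s up\n' "$nic" "$vid"
}

# The two green networks asked about above: PCs/printers and cameras.
# $1 = trunk NIC. The gateway sees both subnets as ordinary routed
# interfaces, so traffic between them passes its firewall like any other.
plan_two_greens() {
    vlan_iface_cmds "$1" 10 10.10.10.1/24   # PCs and printers (assumed)
    vlan_iface_cmds "$1" 20 10.10.20.1/24   # cameras (assumed)
}

# Example run; remove the dry-run echo to apply on a real gateway (as root).
plan_two_greens eth1 | sed 's/^/# dry-run: /'
```

The tag is stripped by the gateway's sub-interface, so VLAN separation is only layer 2: whether PCs may reach the cameras, or cameras may reach anything at all, is decided by the gateway's firewall rules between the two green networks, not by the VLAN IDs.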
Thanks. If I make a layer 2 VLAN on one single subnet, does it prevent VLANs from getting to the NethServer if it is a gateway? I just got confused by the restriction of VLANs; does it apply to the gateway?
I found some VLAN setups here, you may use it as configuration example/howto:
I’m using a similar setup for a hotel; we only have about 12 cameras at the moment, but more are planned.
I’m using mrmarkuz setup described here:
One problem you may run into is that the reverse proxy can’t correctly handle just forwarding something like http://nethserver.cdomain.com/cam01/ and, say, http://nethserver.cdomain.com/cam02/, as the actual target gets redirected to a folder /view/ (at least for the Axis cams we’re using here…), which would also have to be entered as a redirect. That would only work for one camera…
all pointing to the external address of my client’s NethServer.
The NethServer has no such entries, only normal A records for each camera in its DNS.
The actual redirecting of domains is done using mrmarkuz’s how-to above…
This is working now for all cameras!
This image shows 2 cameras (hotel reception) inside Zabbix, another project running on NethServer! This monitors all systems here, including the cameras…
My 2 cents, including a hat-tip to mrmarkuz for his great work!
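The per-hostname approach described in the post above, as an added example that is neither the post's configuration nor mrmarkuz's how-to: a generator for one Apache name-based virtual host per camera. Because each camera is the document root of its own hostname, the camera's redirect to /view/ stays valid as-is, which is exactly what breaks when several cameras share one hostname under path prefixes like /cam01/ and /cam02/. The hostnames cam01.example.com and cam02.example.com, the camera IPs 10.10.20.11 and 10.10.20.12, and the certificate paths are assumptions; the inventory is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the linked how-to: emit one Apache
# name-based reverse-proxy vhost per camera. Hostnames, camera IPs and
# certificate paths are assumptions; the inventory below is constructed.

# HTTPS vhost for one camera. $1 = public hostname (A record -> gateway),
# $2 = camera LAN IP. With prefix "/" on both sides, ProxyPassReverse turns a
# camera redirect to http://$2/view/ into https://$1/view/, and a relative
# Location: /view/ needs no rewriting at all because the camera owns the root.
gen_cam_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/$1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/$1.key
    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyPass        / http://$2/
    ProxyPassReverse / http://$2/
</VirtualHost>
EOF
}

# Plain HTTP only redirects to HTTPS so camera credentials never travel in
# clear text across the internet. $1 = public hostname.
gen_http_redirect() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>
EOF
}

# Constructed camera inventory: "hostname camera-ip" per line.
CAMERAS='cam01.example.com 10.10.20.11
cam02.example.com 10.10.20.12'

# Emit the complete configuration for every camera in the inventory.
gen_all_vhosts() {
    printf '%s\n' "$CAMERAS" | while read -r host ip; do
        [ -n "$host" ] || continue
        gen_http_redirect "$host"
        gen_cam_vhost "$host" "$ip"
    done
}

# Example run: review the output before dropping it into the web server's
# configuration directory.
gen_all_vhosts
```

ProxyRequests Off matters: with it on, the vhost would also act as a forward proxy for anyone on the internet. Note that this still publishes each camera's own login page to the internet behind TLS; the VPN approach discussed earlier in the thread keeps the cameras off the public side entirely.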