Commandline to Limit Certain NICs to LAN?


(cb) #1

NethServer Version: 7.4
IPs: 192.168.1.x

I have 3x 1GBe Nics in my server:

  • Intel I217V - IP:
  • 2x Realtek 8111

What I would like to do is team the 2x Realtek NICs together to get 2GBe (my router supports teaming/aggregation) AND limit them to only LAN traffic. In other words I want file xfers/etc from other clients on my LAN to pass through this connection but NO internet traffic from the server out to WAN.

I would like to have my Intel NIC allow internet traffic server <-> WAN but not any LAN traffic.

Ultimately what I plan on doing is turning on the Intel NIC connection only when I need to run updates or work with content external to my network, but having the 2x Realtek NICs handle all my LAN traffic 24/7.

Note: While this may be possible and easier via the web GUI, I am very much interested in learning how to do this via terminal. I would prefer not to install additional software just to do this if possible; my guess is that wouldn't be required anyhow.

Thanks


(Saito Benkei) #2

Are all three NICs connected to the same router, or is the Intel NIC connected to a router (the internet router) and the 2 Realtek NICs connected to another switch?

If the NICs are connected to different Router/Switch:

You can bond the two Realtek NICs as GREEN in

“Network” -> Button “New Logical Interface” -> Role “Green” -> Type “Bond” -> Select both Realtek NICs -> Mode (Select your bond type) -> Button “Next” -> Configure Green IP address/Netmask -> Button “Next” -> Button “New logical interface”

Configure your Intel NIC as RED in

“Network” -> button “Configure” near Intel NIC -> Role “Red” -> tick “Static” -> Configure RED IP address/Netmask/Gateway -> Button “Submit”

Create a firewall rule that blocks all green network to internet/red interface.


(cb) #3

All 3 are to the same router which has a built in 8 port GBe Switch (ASUS RT‑AC88U). The router lets me team 2 ports on it to get 2GBe, which I used with Windows Server 2016 on the same hardware Nethserver is on now.


(Saito Benkei) #4

How do you now separate the local network from the Internet on the same router? With VLANs?


(cb) #5

I do not currently separate them.

All client machines should continue to function as they have, on both lan and wan.

The only changes I want to make are server side.

  • Team 2x Realtek NICs
  • Have the teamed NICs only work on LAN
  • Have the 3rd NIC, the Intel, allow only internet traffic to the server.

My topology is basically:

Internet to router, router to server and all client machines (server isn't doing anything in terms of network services, no VLANs, no IPS, etc). Just to put it out there, this is a home setup, nothing fancy. I am just going to use Nethserver as a file server and for backups, nothing more at this time.


(Saito Benkei) #6

Can you please write the IPs of the server NICs and gateway?
I have an idea but I don’t know if it will work (and I suspect some loop).


(cb) #7

Intel - 192.168.1.70
RT1 - 192.168.1.71
RT1 - 192.168.1.72

GW is 192.168.1.1 for all 3 (which is the IP of the router)


(Saito Benkei) #8

Ok, I don’t know if this works (I have no responsibility blah blah blah):

Create a bonding with two RT:

Network -> Click on “New Logical Interface” -> Role “LAN (Green)” -> Tick “Bond” -> Select two RT NICs -> Mode “Select which type of bonding you want to use” -> Click on “Next” -> IP Address “192.168.1.71” -> Subnet Mask “255.255.255.0” -> Gateway “Leave Empty” -> Click on “Next” -> Click on “New Logical Interface”

Configure Intel

Network -> Click on “Configure” near Intel NIC -> Role “LAN (Green)” -> Tick “Static” -> IP Address “192.168.1.70” -> Subnet Mask “255.255.255.255” -> Gateway “192.168.1.1” -> Click on “Submit”

Create routing

Static routes -> Click on “Create New” -> Network Address “192.168.1.0/24” -> Router Address “192.168.1.1” -> Device “br0 (the RT bond)” -> Click on “Submit”

Static routes -> Click on “Create New” -> Network Address “0.0.0.0/0” -> Router Address “192.168.1.1” -> Device “The Intel NIC” -> Click on “Submit”
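Whichever way the routes end up being applied (GUI or terminal), the thing to verify afterwards is the kernel routing table: the default route must leave via the Intel NIC, the 192.168.1.0/24 prefix via the bond, and the LAN prefix must not also be reachable via the Intel NIC (which is what the /32 netmask on the Intel NIC above is meant to prevent). The script below is an added example, not from the thread or from NethServer; it parses `ip route show` output, with constructed sample tables inline, and the device names `enp0s31f6` (Intel) and `br0` (bond) are assumptions.

```shell
#!/bin/sh
# Sanity check for a LAN/WAN split across two NICs on the same subnet.
# Assumed device names: enp0s31f6 = Intel NIC (WAN), br0 = Realtek bond (LAN).
LAN_PREFIX=192.168.1.0/24

# Constructed `ip route show` output after the two static routes above.
GOOD_ROUTES='default via 192.168.1.1 dev enp0s31f6 proto static metric 100
192.168.1.0/24 via 192.168.1.1 dev br0 proto static
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.71'

# Constructed table for the failure mode: Intel NIC configured with a /24
# netmask, so the kernel also adds a connected LAN route through it.
LEAKY_ROUTES='default via 192.168.1.1 dev enp0s31f6 proto static metric 100
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.70
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.71'

# route_devs ROUTES PREFIX: print the device of every route whose destination
# is PREFIX ("default" for the default route), one per line, table order.
route_devs() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_split ROUTES WAN_DEV LAN_DEV: return 0 if the table implements the
# intended split, 1 otherwise (each finding is printed).
check_split() {
    routes=$1; wan=$2; lan=$3; rc=0
    # 1. Internet traffic (default route) must go out the WAN NIC.
    if [ "$(route_devs "$routes" default | head -n 1)" != "$wan" ]; then
        echo "FAIL: default route does not use $wan"; rc=1
    fi
    # 2. The LAN prefix must be reachable through the bond.
    if ! route_devs "$routes" "$LAN_PREFIX" | grep -qx "$lan"; then
        echo "FAIL: no route to $LAN_PREFIX via $lan"; rc=1
    fi
    # 3. The LAN prefix must not also be routed through the WAN NIC, or LAN
    #    traffic can leave via the Intel NIC regardless of the static route.
    if route_devs "$routes" "$LAN_PREFIX" | grep -qx "$wan"; then
        echo "FAIL: $LAN_PREFIX also routed via $wan (LAN leak)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: LAN via $lan, internet via $wan"
    return "$rc"
}

check_split "$GOOD_ROUTES" enp0s31f6 br0
check_split "$LEAKY_ROUTES" enp0s31f6 br0 || echo "(leaky table rejected)"
```

On the live server, run `check_split "$(ip route show)" enp0s31f6 br0` after substituting the real device names from `ip link`.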