I have to agree with Jim on this.
The preferred setup is to have a firewall between your ISP (with or without router/modem) and your NethServer.
This way you have an extra layer of protection for your setup.
Also, DO NOT rely on the security features of the ISP-provided modem/router. Most of the time the firmware in that device is obsolete and most probably is full of holes.
Think of it just as a media converter from Fiber or ADSL or Cable to your Ethernet but that is all.
If you really want exposure to your NS you can forward your request on ports to your NS, but it is best practice to filter them.
NS = firewall, so why have another firewall?
Because the first FW will be dedicated only to Firewall and Gateway
So that means that any misconfiguration or error in the config or bug will not expose your entire server / data to the “bad people”.
I understand your concern and why you place the firewall between internet and router. Unfortunately not in every country you get the credential from the ISP as @robb mentioned.
Another problem is the physical situation. If you have a coaxial cable which connects you to the ISP, how will you realise this on a computer/firewall?
Your proposed physical setup would need two computers. One for the firewall and one as a server. Or is it possible to realise it on one physical computer but logical separated via virtual machines?
If you are aware that the modem/router could be a safety risk you can search for an update or, if you are skilled, you install an open source OS on it. Anyway, how likely is it to hack the modem/router and go further through the firewall in your private network?
From my point of view a small business, which will not or can’t pay for a system admin, needs an infrastructure which is clear how to set up and simple to manage. My understanding of NethServer's intention is exactly this: a server software for non-Linux gurus. Easy to set up and to manage with the nice GUI.
The physical setup of @Renan_Azedo_de_Olive would improve the safety situation compared with a modem/router, switch and many Windows computers connected to the switch. No firewall, no backup, no rights management, shared folders between the computers. Many small companies have been working in this way without any large problem for years. They don’t see why they should invest in additional computers and time.
The best would be to have a setup wizard which guides you through different scenarios.
A. Graphic design company with let's say 5 people. They need a work group environment, shared storage space, backup, firewall, email spam and virus filter and some rights management for data related to the management/human resources.
B. Shop with some employees working in the shop, some working on the catalogue and internet shop, management, one accounting. They need storage space for the current products, for the products which will come later, accounting, HR, point of sales, backup, firewall, email spam and virus filter.
C. Home server for central storage, maybe email spam and virus filter, distribution of music and videos, backup and firewall.
This would cover 80%-90% of the necessary settings. If other options are required this would be done via the GUI of NS with the help of the documentation. If we integrate your pictures in the documentation for the different scenarios this would be an improvement.
I understand your situation.
I want to use your router for the coaxial connection. What is the model?
With this, you have two paths:
Probably you can turn it into a bridge.
In this case, the NethServer can act as firewall, DNS, DHCP and proxy, and control the WAN.
You let your router do the job as is. And put the NethServer behind it, configuring the DNS server, the DHCP, the proxy.
For the network the NethServer will act as firewall/gateway (on the GREEN side), and will be a client on the RED side.
If I configure the modem/router as a bridge the device is accessible directly from the internet. I don’t see any difference in the risk that someone hacks the modem/router.
This sounds good. This would be the proposed setup of @Renan_Azedo_de_Olive but with a fixed IP address on the RED network from NS to the modem/router as @robb mentioned.
Is it possible to use the same computer with NS also as a storage server with e.g. ownCloud?
Would you recommend having virtual machines to separate the different jobs (firewall, gateway, storage, etc.)?
No, the RED can be a DHCP client; the IP is distributed by the router, exactly as @Renan_Azedo_de_Olive showed us.
Yes, of course it is possible, NethServer is designed for this purpose.
Fine. Then we come back to my first question.
If I set up the network as @Renan_Azedo_de_Olive proposed I have two NICs. One for RED and one for GREEN. Let's say the modem/router has the IP address 192.168.0.1; then the gateway address for RED will be 192.168.0.1. Is this correct?
What has to be the gateway address for GREEN?
For your lan clients it will be the Green IP address.
For NS there is none to be entered.
For the GREEN put 192.168.1.0 for example.
And the gateway address will be itself.
Edit: like this you can consider the RED LAN 192.168.0.0/24 as the WAN
And the GREEN LAN 192.168.1.0/24 as your safe LAN. Configure the DHCP server to serve an IP range for the GREEN subnet, and all your clients will get an IP address 192.168.1.x with the gateway 192.168.1.0
@Ctek and @Jim
Thank you. Now I understand this point.
You are welcome and glad that we could help
Coming back to another question from the beginning.
Why is the default IP address in the setup window 188.8.131.52?
This is just a convention. This was chosen when the setup was pre-completed by the devs.
Usually you set the GW address as high or as low as you can.
This is because for example your DHCP pool address will start from 1 to 100.
In this way you are making sure that the user who wants to add a manual IP to the network will choose something close to the IPs he sees the other machines getting, and will not choose by mistake the address that conflicts with the Server/Gateway.
A lot of users that added their laptops to the network with manually set IPs had the IP address 192.168.1.1.
They chose that IP for various reasons; one of the reasons was that they thought .1 was getting a larger bandwidth.
So this is just a convention. You can set it to whatever you need to be.
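To make the two points above concrete, the RED/GREEN addressing from the earlier posts and the "keep the gateway out of the DHCP pool" convention, here is an added Python example. It is not NethServer code and not from any poster in this thread; it only uses the standard `ipaddress` module. The function names, the DHCP pool boundaries and the "lowest or highest free host" rule for suggesting a gateway are my own assumptions; the subnets reuse the values discussed above.

```python
"""Sanity-check a two-NIC plan: RED toward the modem/router, GREEN for the LAN,
with a DHCP pool served on GREEN.  Constructed example for this discussion,
not NethServer's own code.  All addresses are hypothetical."""
import ipaddress


def check_plan(red_cidr, red_gateway, green_cidr, green_gateway,
               dhcp_start, dhcp_end):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    red = ipaddress.ip_network(red_cidr, strict=False)
    green = ipaddress.ip_network(green_cidr, strict=False)
    red_gw = ipaddress.ip_address(red_gateway)
    green_gw = ipaddress.ip_address(green_gateway)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    # RED and GREEN must be distinct subnets, otherwise the box cannot tell
    # which interface a destination belongs to (and NAT/firewall rules break).
    if red.overlaps(green):
        problems.append(f"RED {red} and GREEN {green} overlap")

    # The RED gateway is the modem/router; it must live inside the RED subnet.
    if red_gw not in red:
        problems.append(f"RED gateway {red_gw} is not inside RED {red}")

    # The GREEN gateway is the server itself; it has to be a usable host
    # address (not the network or broadcast address) inside GREEN.
    if (green_gw not in green
            or green_gw in (green.network_address, green.broadcast_address)):
        problems.append(f"GREEN gateway {green_gw} is not a usable host in {green}")

    # The DHCP pool must sit inside GREEN and be ordered correctly.
    if start not in green or end not in green:
        problems.append(f"DHCP pool {start}-{end} is not inside GREEN {green}")
    elif start > end:
        problems.append(f"DHCP pool start {start} is after end {end}")
    # A lease must never hand a client the server's own address.
    elif start <= green_gw <= end:
        problems.append(f"DHCP pool {start}-{end} contains the GREEN gateway {green_gw}")

    return problems


def suggest_gateway(green_cidr, dhcp_start, dhcp_end, prefer="high"):
    """Pick a gateway for GREEN as high (or low) as possible, outside the DHCP pool.
    Returns None if every host address is inside the pool."""
    green = ipaddress.ip_network(green_cidr, strict=False)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    free = [h for h in green.hosts() if not (start <= h <= end)]
    if not free:
        return None
    return str(max(free) if prefer == "high" else min(free))


def client_settings(green_cidr, green_gateway):
    """What a GREEN client ends up with once DHCP is configured as described."""
    green = ipaddress.ip_network(green_cidr, strict=False)
    return {"netmask": str(green.netmask), "gateway": green_gateway}


if __name__ == "__main__":
    # Constructed plan matching the thread: RED 192.168.0.0/24 behind the
    # modem/router at .1, GREEN 192.168.1.0/24 with a pool of .100-.200.
    plan = ("192.168.0.0/24", "192.168.0.1",
            "192.168.1.0/24", "192.168.1.254",
            "192.168.1.100", "192.168.1.200")
    print("problems:", check_plan(*plan) or "none")
    print("suggested GREEN gateway:", suggest_gateway(*plan[2:3], *plan[4:]))
    print("client gets:", client_settings(plan[2], plan[3]))
```

Run it as a script to see the consistent plan pass; change GREEN to `192.168.0.0/24` and the overlap check fires, or move the pool to `.1-.100` with a gateway of `.1` and the pool/gateway conflict is reported.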
If you consider my questions as those of a newbie you see the source of confusion.
If it’s OK I would add an explanation in the documentation to make it clear. I propose an example like my simple setup with the example IP addresses to show how it would look.
No worries, any question is a good question.
I’ve explained the convention chosen just as an example, because any other distro can have its own conventions that may or may not fit the user's preferences.
In such case the user has to make the needed adjustments.
There is no perfect fit for any case / scenario.
Yes, I agree. If you set up a simple network with a router, server, switch and some clients you need other settings than when you have a firewall, router, some gateways and switches, and some different servers and clients.
My intention was to add an example where the “admin” can see and find out the right setting for his application. If you did it many times you don’t need it, but if you do it the first or second time, I presume you are not a network guru, you are not sure about all the settings. For this situation the help menu should deliver the necessary explanations and tips.
I worked with different high-level software and one of the main differences was how good the documentation, explanations and examples were. As an example, one documentation has many examples included. First the theory and then step-by-step instructions on which number you have to write where, but no explanations why you have to. I did the example and got the right results but I was not able to set up my own task. The other software has in many documentation parts an example with explanations of why and which, which is a good way if you are not sure in the beginning. I understood it and was able to make the right setting at my next task.
Coming back to the NethServer documentation. Many times there is only an information for what the field is, but no explanation or tip on what would be a common setting, or an example based on which you can figure out the right setting in your situation.
Of course, we have to expand such part. There are many discussions about it, maybe a wiki could be a nice solution writing some examples that integrate manuals. Would you like to help us? Your point of view is really important, we need a doc more complete and straightforward.
We must organize the doc
Is the GitHub wiki really shit?
Explaining e-smith layer - learning by doing
If I can find the time I would like to help with the documentation. I have to run my one-person company and if I don’t do my job no money will come in. So I have to organise my time.
This morning (Australian time) I read the post
and created an account for the wiki.