I’m planning to install Nethserver in a small Hotel-Restaurant.
Actually my need is:
A window server where there’s the hotel management software and the restaurant management software in one subnet lan1.
In one place, four computers in another subnet lan2, we need access all the internet, and lan1
In another place two computers at the reception, subnet lan3, need a restricted and filtered access at the internet and access the lan1.
For some redundancy, sometime, computers in the lan2 need access to a printer on this lan3.
Near the Reception, another computer wich need all access on the internet.
In another place, another two computers in the restaurant, in lan3, need access the lan1 and no access to internet, excep occassionally for teamviewer maintenance.
And finally, the lan 4, the wifi for the clients, better filtering to save bandwith, no access to lan 1, lan2, lan3
Is Nethserver capable to filter differents subnets with differents levels of filter?
Can I convert an existing iptable table in a shorewall rules?
I don’t think you need all those different subnets/zones/etc. It doesn’t seem like NethServer is setup to have a lot of customization between multiple like zones.
What I would do is setup a pretty standard red, green, blue network with your default web filter policy set to “block all, allow selected content” and allow “remote control” category.
Then setup DHCP reservations and IP range firewall objects for the other groups of PCs that need more internet access and apply new content filter policies to those IP ranges. If you don’t want the hassle of DHCP reservations, you could use separate zones/subnets and define a different IP range for each one for the policies.
For more security, you could put your server in the DMZ zone, but if your server is configured properly, that’s not necessary.
I don’t see any bandwidth settings per zone/ip range. That’s something that would be nice to have for making sure visitors don’t use all of your bandwidth. As a work around, another NS box/VM dedicated to the blue network could have a bandwidth limit set.
