Help setting up a complete network bridge for two LANs

NethServer Version: latest 7.7
Module: cups-network-firewall
Hello everyone, I’m new here and new to NethServer. I’m Italian, so please don’t laugh at my English :slight_smile:
I’m trying to create a network config for my little office, but I don’t know how to do it. This is the result I want to get: [image: Prt Infrastructure]
NethServer will be used as a raw print server and bridge for two LANs, with some conditions:

  1. the LAN 192.168.111.x (LAN1) must not see the other LAN 192.168.51.x (LAN2)
  2. some IPs from LAN2 have to go out to the internet through LAN1 and its router
  3. a couple of IPs from LAN2 can reach one or more IPs in LAN1 to use a “scan folder” on the file server

I think I have to set some firewall rules to achieve this goal, but right now the problem is that the LANs don’t see each other. NethServer has IP 192.168.111.5 in LAN1 and 192.168.51.5 in LAN2. I can ping the interface on “the other side” from a PC in LAN1 and in LAN2. But I cannot ping the router or an MFP from the other LAN. Is there a way to tell NethServer to do a “complete bridge” for the LANs and then shape the traffic as I described? Thank you a lot.

Hello

Welcome to the NethServer forum! (Excuse my Italian!)

I’m a network consultant in Switzerland, and I run about 20-30 NethServers for SME (Small & Medium Enterprises) clients.

I’d say your network is way too complicated for what you’re trying to achieve…
While all your Win10 workstations can work fine with just the default gateway of the router in your 192.168.111.0/24 network, the fileserver would need an additional route pointing to your 2nd network, the 192.168.51.0/24 network.

Having the NethServer as a “Bridge” would simply not work. It can act as a router, but not as a bridge. It would be easier putting in a second nic into the fileserver than trying to bridge two IP networks.

Actually, why not just forget the fileserver altogether and just use your NethServer as a fileserver?
Just for your information: an Italian state institution in Switzerland replaced its old Win2000 fileserver with NethServer about 5 years ago. There are about 30 users in Zurich, about 8 in Geneva, and another 3 in Lugano, all using this NethServer as file, mail and Nextcloud server. And this NethServer is running virtualized in Proxmox, and is still VERY stable and fast acting as a file server, as AD, and as Nextcloud…

Scenario:

```text
Internet - Router - Switch - NethServer LAN1 <-> NethServer LAN2 - Switch LAN2
                      PCs                                              PCs
```

A simple text sketch of what I’m suggesting.

Even better - closer to best practices - would be replacing your router with one that has two LAN NICs and one Internet NIC, like an OPNsense available from e.g. here:
https://www.applianceshop.eu/?___store=de

I use these boxes at almost all my clients - I like to keep firewalling away from my NethServer to keep routing and firewalling simple & secure.

I hope this is “understandable” gibberish… :slight_smile:

Don’t hesitate to ask further questions!

My 2 cents
Andy Wismer

2 Likes

I think you’re missing a static route on your router for LAN2 (192.168.51.0/24) to point to the Nethserver IP (in LAN1).
If you map both interfaces to green role they should be able to ping each other.

1 Like

Two network segments = no bridge, router.
Same network segment = bridge
Pick up one.
(NethServer does not act as a bridge)

1 Like

Hello Andy, thank you for your help. Got it. Good idea. I didn’t think of a solution like this.

The actual fileserver was installed a few years ago by a “premium, ultra, godlike enterprise” and is untouchable. It also carries a large amount of disk space (near 16 TB) in RAID 5 or something like this…
And as for what you suggest, OPNsense, I have a really thin budget. NethServer, used only for CUPS and filtering the LANs, doesn’t need so much computational power, I think, and I’m using a medium-level machine to do this… Finally, the goal is to permit only some users to print and block the others. There’s an alternation of users in this office and I found some photos of holidays printed in colour; my boss went out of his head for this.

:slight_smile: Thank you a lot. Google translator helped so much.
Trying also to reply to Mrmarkuz and Pike, whom I want to thank: yes, my fault, I used the wrong terms. I need a route, not a bridge. Both LANs are green, and I added a static route on the machines on both LANs to point to each other. But the PCs I’m using to test the config still can’t see each other.
Another little thing… You said “My 2 cents” and Pike said “Pick up one”… there’s something I don’t know? What are you talking about, please? O_O

@SanLostSoul

Hello Mauro

OPNsense is FREE, like NethServer. You can use a PCengines board for about 100-130€.
It is a fork of PFsense, itself a fork of M0n0wall. The developer of Monowall suggests to use OPNsense. It can also run on any PC - if you have enough NICs for what you need (also good to know in an emergency…). It just works! :slight_smile:

I understand about such “untouchable” things. The invisible elephants in the room… You don’t see them, no one talks about them, but they’re there. And… ever tried moving an elephant? :slight_smile:

As to adding a static route in the router - that’s absolutely correct by any networking standards! Unfortunately, not all clients respect an additional route given by a router. Windows, depending on patch level, is one of them…
That’s why i suggested a second NIC in the file server - or adding a route on that box, so it’s accessible for clients on LAN2.

The Term “my 2 cents” is an old english / french saying, equivalent to the german saying “adding my mustard”. It’s a way of saying: “In my opinion…” or “My addition” to the discussion.

“Pick up one”, as @pike used it, is not quite correct English - “pick one” would be correct, and implies choosing one of the two options he mentioned. (“Selection” may be easier to understand!)

By the way, i’m located in Switzerland. Where are you based? (Always interested!)

Andy

1 Like

Hello Andy, wow you’re so reactive! :sunglasses:
So you mean the “software”, not the appliances, for OPNsense. Yes, I know M0n0wall and also Zeroshell, I love Linux firewalls :slightly_smiling_face: But the problem is sharing a couple of MFPs, filtering the users, and permitting these MFPs to reach the file server for scanning and the internet for the “toner low” alerts. Thinking about installing a solution like OPNsense, I need to select which users can print. I don’t know if I can install CUPS or any other print server on it and define a list of privileged users. I need both functionalities.
Actually, NethServer acts as a separate domain controller, with a list of users and some other things. As you have probably already guessed, I’m not an expert. And now I have time to try some configs, since I’m like in jail at home due to the COVID-19 pandemic. All I can do is a list of fake situations, just to understand the correct way to do it later in the office.


It’s sad, but it’s true… :unamused:
I live in Genoa, Italy (I forgot, sorry) small sad and bad city :upside_down_face: where the traffic is the main problem. Small city, small roads, huge traffic… imagine the scene… Thank you for your time

Good morning Marco!

As you might know, almost all Swiss love bella Italia! And I’ve been to Genua - it’s been a few years back, but I do recall Brignole and PP, the stations where I landed or left Genova… :slight_smile:

I can understand italian fairly well, can also speak a bit - and write even less!

I too am working from my home office; since Monday we have a lockdown here. Not quite as strict as in Italy, but only food shops are open, and public transport is reduced by at least 50%. All restaurants, bars, even hairdressers are closed. Roads are fairly empty. We don’t need to “walk the dog” to go outside, as I hear is becoming popular in Italy at the moment.

Hope you guys can control the corona as fast as China was able to do… Wish you guys all the best!
Hey, we Swiss love having vacation in bella Italia, and you guys do understand something about Dolce Vita!!! And vacation is coming up fast…

I’d keep the NethServer; I use both for most of my clients. I like having the doorkeeper (firewall) do nothing else, to keep routing and firewalling simple. In all my clients’ networks, NethServer is running the AD, and that alone tends to make routing / firewalling more complicated. The AD is basically a Linux container/jail with its own IP, running in NethServer. Sure NethServer CAN handle this situation, I just prefer having it separate…

Just for your info: there is some great software out there for printing solutions… like PaperCut, which runs very well on NethServer. It’s free for up to 3 users, but there is almost equivalent open source (and completely free) software for this… I use it mainly for architects and engineers; most also use plotters, and they bill their clients by the square cm (cm2)… (!)
Your problem would stop VERY fast, if your boss were to deduct the printed expenses from what the people are printing! :slight_smile:

Nethserver with Zabbix can give you nice monitoring, and also usage stats.

But NethServer with Cups is a very good basis!

PS: One of my clients is also the Italian state, an organization with about 40-50 people, in Zurich, Geneva and Lugano. They’re also running NethServer as AD and as file server (And Nextcloud, and, and, and!)…

My 2 cents
Andy

1 Like

Good morning to you, André :slightly_smiling_face:
Well, thank you again. Now I have some things to try; I’ve just done a “network-recovery” and I’m redoing everything from scratch. I’ll try the PaperCut you mentioned and I’ll do some searches to find any software like this. But first of all, I have to solve the routing problem. Nice to read you, and all who helped. I’ll be back (it’s not a threat :smile: ). Bye
P.S. Genoa has changed deeply since the time you were probably here. Thank you for your words. I have never been to Switzerland, to my big regret. Maybe one day… :slightly_smiling_face: And thank you for your cents

Always welcome! I love motivating people using NethServer, or open source. And getting their bosses to see what value Open Source can bring to any organisation…

If you’re stuck, or need a hint or tip, don’t hesitate to drop a line!

Even though it’s been several years, I am still a bit current on Genova. The steel factory at Cornigliano, for example, slowly closing down since 2003… Or the bridge…

And the traffic jams… I think they started when the second car arrived in Genova! :slight_smile:

Andy

1 Like

Maybe not exactly what you are looking for but you can take a look at SavaPage. I’m pretty sure @robb and @rijkr will be glad to help if you have any doubts about it.

3 Likes

SavaPage is a very nice option to manage your printers. It is even recommended to put the printers in a separate subnet or VLAN, so the SavaPage host is the only one being able to access the printers.
I saw you were looking for Papercut? SavaPage and Papercut can work seamlessly together. @rijkr is an absolute specialist when it comes to managed printservices. I recommend to contact him and ask him for some more info.

2 Likes

That’s exactly what I was thinking of, but the name slipped my mind… :slight_smile:

Hello all, thank you for your help.
Edit: I reinstalled NethServer from scratch, no domain, no FW rules, swapped the NICs.
No way. I can reach LAN2 from LAN1, not the reverse. Let me explain: my actual home test config:
[image: Test config]

Interface config on NethServer:
[image: Lan Config]

Results, ping from pc on LAN1 to LAN2:

Ping from pc in LAN2 to LAN1:

(I don’t know why I cannot post this in plain text; copy & paste makes the text bold, sorry)

Any ideas? Or the only solution is a box of beer and forget? :smile:
Thank you, Mauro

As I read, the routing on both PCs (LAN1 / LAN2) seems correct to me.

The PC on LAN2 doesn’t specifically NEED a route to LAN1, as LAN1 is behind the default gateway as seen from the PC in LAN2.

The PC on LAN1 has a needed route pointing back to LAN2, AND the default gateway pointing to your internet router.

We have here 3 elements; the internet router is actually irrelevant, as the PC in LAN1 has its own route to LAN2:

  • PC in LAN1
  • NethServer
  • PC in LAN2

Now, if one and three are set up correctly, that only leaves B, your NethServer.

From this, I assume that your NethServer is running in NAT mode?
Can you show relevant screenshots from your NethServer Firewall config?

Thx
Andy
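The routing and filtering questions in this thread, as an added example that is not part of any post here and not NethServer code: a small Python model of the topology being discussed (PC and file server in LAN1, the internet router in LAN1, NethServer with two green interfaces, an MFP and a PC in LAN2). Every address except NethServer's own 192.168.111.5 / 192.168.51.5 is an assumed placeholder, including the file server at 192.168.111.10 and the MFP allowlists. Each host does longest-prefix-match routing, and NethServer applies a forward policy that encodes the three conditions from the opening post. Tracing both the first packet and its reply reproduces mrmarkuz's point above: without a static route for 192.168.51.0/24 on the router, the packet from LAN2 reaches the file server, but the file server's reply goes to its default gateway, and the router sends it upstream instead of back to NethServer.

```python
"""Routing-and-policy model for the two-LAN NethServer setup discussed above.

Added example, not code from the thread or from NethServer. All addresses
except NethServer's 192.168.111.5 / 192.168.51.5 are assumed placeholders.
"""
import ipaddress

LAN1 = ipaddress.ip_network("192.168.111.0/24")
LAN2 = ipaddress.ip_network("192.168.51.0/24")
FILESERVER = ipaddress.ip_address("192.168.111.10")              # assumed
SCAN_ALLOWED = {ipaddress.ip_address("192.168.51.20")}           # assumed MFP
INTERNET_ALLOWED = {ipaddress.ip_address(a) for a in ("192.168.51.20", "192.168.51.21")}


def _ip(x):
    return x if isinstance(x, ipaddress.IPv4Address) else ipaddress.ip_address(x)


def nethserver_forward_policy(src, dst):
    """Decide whether NethServer forwards a NEW connection from src to dst.
    Replies belong to established connections and are not checked here."""
    src, dst = _ip(src), _ip(dst)
    if src in LAN1 and dst in LAN2:
        return False                                      # 1. LAN1 must not see LAN2
    if src in LAN2 and dst in LAN1:
        return src in SCAN_ALLOWED and dst == FILESERVER  # 3. scan folder only
    if src in LAN2:
        return src in INTERNET_ALLOWED                    # 2. selected hosts out via LAN1's router
    return False


class Host:
    def __init__(self, name, addrs, routes=(), policy=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(gw)) for n, gw in routes]
        self.policy = policy          # forward filter; None means plain routing

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes;
        returns dst itself when the destination is directly connected."""
        best = None
        for net, gw in [(i.network, None) for i in self.ifaces] + self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


class Network:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}

    def host_for(self, ip):
        return next((h for h in self.hosts.values() if h.owns(ip)), None)

    def trace(self, start, src, dst, new, max_hops=8):
        """Follow one packet hop by hop. new=True subjects it to forward
        policies; new=False models the reply of an established connection."""
        cur, path = start, [start.name]
        for _ in range(max_hops):
            if cur.owns(dst):
                return True, path
            if new and cur.policy is not None and not cur.policy(src, dst):
                return False, path + [f"dropped by {cur.name} policy"]
            nh = cur.next_hop(dst)
            if nh is None:
                return False, path + [f"no route on {cur.name}"]
            nxt = self.host_for(nh)
            if nxt is None:           # gateway outside the model, e.g. the ISP
                return False, path + [f"{cur.name} sent to unreachable gateway {nh}"]
            cur, path = nxt, path + [nxt.name]
        return False, path + ["hop limit"]

    def connection(self, src_name, src, dst):
        """(ok, forward_path, return_path) for a connection src -> dst."""
        src, dst = _ip(src), _ip(dst)
        ok, fwd = self.trace(self.hosts[src_name], src, dst, new=True)
        if not ok:
            return False, fwd, []
        ok, back = self.trace(self.host_for(dst), dst, src, new=False)
        return ok, fwd, back


def build(router_has_static_route):
    """Topology from the thread; the router's upstream 203.0.113.1 is outside the model."""
    router_routes = [("0.0.0.0/0", "203.0.113.1")]
    if router_has_static_route:
        router_routes.append(("192.168.51.0/24", "192.168.111.5"))  # the static route suggested above
    return Network([
        Host("pc-lan1", ["192.168.111.50/24"], [("0.0.0.0/0", "192.168.111.1")]),
        Host("fileserver", ["192.168.111.10/24"], [("0.0.0.0/0", "192.168.111.1")]),
        Host("router", ["192.168.111.1/24"], router_routes),
        Host("nethserver", ["192.168.111.5/24", "192.168.51.5/24"],
             [("0.0.0.0/0", "192.168.111.1")], policy=nethserver_forward_policy),
        Host("mfp-lan2", ["192.168.51.20/24"], [("0.0.0.0/0", "192.168.51.5")]),
        Host("pc-lan2", ["192.168.51.30/24"], [("0.0.0.0/0", "192.168.51.5")]),
    ])


if __name__ == "__main__":
    for static in (False, True):
        print(f"router static route={static}:",
              build(static).connection("mfp-lan2", "192.168.51.20", "192.168.111.10"))
    print(build(True).connection("pc-lan1", "192.168.111.50", "192.168.51.30"))
```

The model deliberately checks the policy only on the first packet of a connection: on the real box the Shorewall-based NethServer firewall does the same through connection tracking, so the three conditions are written once for the initiating direction and the replies follow automatically. Adding a static route to each client instead of to the router, as tried earlier in the thread, only helps the hosts that actually honour it; the return path from the file server still depends on the file server's own route or on the router.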

Three options:

Short Term: A sixpack
Middle range: one or two kegs
Long Term: Multitasking Server:

[image: Sun_Beer-Server]

(From when SUN was still the Dot in Dot.net!)

2 Likes

IMVHO there are a couple of design flaws in this way of solving the issue (managing access to the printers). NethServer might not even be necessary, if any of the embedded web servers are firewall-enabled, with DHCP reservation AND IP/MAC binding (to stop smart guys who want to spoof the IP address).

From NethServer’s perspective, currently, there is a RED interface: 192.168.111.5.

@pike

It’s almost as easy to “spoof” a MAC address as an IP.

Just see Proxmox: two clicks change an Intel NIC (with an Intel MAC address) into a Realtek - but still with the same Intel MAC address…

:slight_smile:
Andy

Ok. OpenVPN client. Seems overkill, but I think it can get the job done :wink:

Add in VLANs for each and every printer, just to be on the secure side…

:slight_smile:

I’d still recommend to use the static route on the router instead of adding routes to several client devices.

I know Windows is crap by design, but at which patch level is it not able to follow simple routing?

For command line output you may use the ```text tag like

```text
pasted cli text
```

…for code there’s a <code> tag too.

2 Likes