My first week of using Nethserver

Hunv · March 12, 2016, 9:15am

I think it might be helpful to have a user experience of a user, that knows other (firewall) solutions (Cisco, IPFire, Sophos UTM), is a professional IT-Administrator (Virtualization/Windows Server), has not much knowledge about Linux and never heard of Nethserver before.
My first thoughts about Nethserver were: Why I never read a line about this stuff?
I was searching for a UTM Gateway, that can handle more than one green subnets. My first view on Nethserver was, that it is possible to do nearly everything you might need. My most important features were (and are) Firewall, Routing, DNS, virtual Host/Reverse Proxy and VPN. I decided to try Nethserver because of the stuff, that it is able to do more than just Firewall and Routing - especially Monitoring (Nagios) and OwnCloud were the features I will try later.
I planned to run Nethserver virtualized on HyperV (2012 R2) on a Server with direct access to the internet. I configured the virtual Machine (Gen1, 2 CPU, up to 2GB dynamic Memory, 2 NICs (non-legacy)) and started from the ISO. After I installed Nethserver (pew, that was easy!), I setup red and green interfaces.
Because the HyperV-Server is used by three different people hosting their server, I will setup four different Subnets:
10.0.0.0 for the hosting infrastructure (HyperV-Host, first Gateway Address, Backupserver, …)
10.1.0.0 for the virtual Machines of the first person (me)
10.2.0.0 for the virtual Machines of the second person (a friend of mine)
10.3.0.0 for the virtual Machines of the third person (prior a friend of mine but we are searching for a new guy…)
Each subnet will be GREEN and should not be able to communicate with the other subnets except there is a rule, that allows this.

My first attempt to configure this configuration was to assign the four GREEN IP-addresses to one Interface. 10.0.0.1 for the primary address and the other ones (10.x.0.1) as Alias IPs. I did this followed by installing the Firewall-Softwarepack and I tried to setup the firewall rules using the GUI for RDP, HTTP(S) and so on. I ran into my first problem: Firewall problem: Unknown destination zone (alias)
After we found the reason (pretty fast, thanks @Nas!) I was able to add the rules and it worked. But that should be something, that cannot happen.
After that I installed a new Machine with the IP 10.1.0.101. I want to check, if the rules are working - and they did.
Now I installed the Webserver-Pack to configure the virtual Host/Reverse Proxy. I missed the possibility to configure anything using the UI. For users without any Linux/SSH-Knowledge not good. And even for users that just like simple UIs to configure stuff (like me) it can be a real killer. OK, but for the virtual Host stuff, I know how to configure Apache, so I connected to Nethserver using WinSCP and added my virtual Host configuration to the conf.d folder and fired the signal-event nethserver-httpd-update. First I configured only one virtual Host, that is located in 10.0.x-Subnet for testing. It worked. After that I changed the IP to my new server in 10.1.x-Subnet. It didn’t work! Maybe it is again something like at the firewallstuff with the alias-IPs.
I decided to replace the AliasIPs by separate interfaces. So I shutdown Nethserver, added three new Interfaces, removed the AliasIPs and gave each Interface its own 10.x.0.1-IP-Address. And voilá: My virtual host is working now.
After that I added a second virtual host to the config to test the resolving of the requested hostname and if the queries are split between the two different hosts: Worked.

My next steps for now are:

Implement Reverseproxy/SSH for virtual Hosts maybe by using Let’s Encrypt
Create VPN-Connections
Install and configure Monitoring
Install and configuring Owncloud
Going live (replace current UTM-Solution)

What is my opinion about Nethserver so far:
Pros:

Many functions
active Community
Free to use
Easy to install

Cons:

Many things only via Console (so far)
Missing UI for features (like above)

What I expect:

More intutive GUI-Features
More self-explaining GUI or examples in the GUI

So my conclusion:
Brilliant peace of Software so far, but more UI please to make it easier for newbies and non-command-line-/non-linux-guys. For me most of the stuff is OK, but I would say I am the 20% of users, that can arrange with this

Jim · March 12, 2016, 12:57pm

Hi,

Wouaw… Yours thoughs about NethServer are smashing.

Can I ask one things so?
Why do this with a virtualized Nethserver in a Hyper-V ? As Nethserver is a Firewall / Gateway that can be an Hypervisor itself, I don’t understand the Hyper-V role here Nethserver can do the job.

Hunv · March 12, 2016, 3:35pm

Yes, you can ask
There are four reasons:

I know Hyper-V, but absolutely nothing about KVM/Nethserver virtualizing. I will not use such a core-technology on production servers I have no experience with. Because of this I use the stuff I know and how to handle it. Beside of this, it is for “free” because I require Windows-Licenses for Server I am hosting.
I use (HA-)Features of Hyper-V (like Replication, Dynamic Memory and some other management stuff where I don’t know how to realize this with Nethserver)
The Server is already running on Hyper-V. So I have to migrate everything to the new solution.
When I started with Nethserver-Tests I didn’t know that Nethserver can do this

alefattorini · March 15, 2016, 3:29pm

In the first place great post man, thanks for sharing such interesting thoughts
It’s good to know that you’re gone so deeply into the “NethServer Experience”

You’re right, NethServer is not known how it should be. We have discussed it a lot:

Community could play an important role in this case, spreading the word

Good to know, we’d like to improve firewall NethServer features share your ideas and be ready to debate them!
Please open a new topic for each of them!

Refering to the virtualhost stuff I guess that @davidep would be agree with you, as we discussed elsewhere we need to improve the webserver part starting from split it from the shared folder.

Have a nice day!

alefattorini · April 6, 2016, 9:24am

How your first month on NethServer is going?

Hunv · April 6, 2016, 11:37am

Yeah… much to do, but mainly just around the Nethserver itself.
I configured a ReverseProxy including SSL using the build in Apache of Nethserver. That works. But I didn’t take any care of templates and so on.
I tried to configure Let’s Encrypt also, but I failed. The motivation to get this working is not high at the moment because I already have valid SSL-Certificates, so it is getting more important beginning of next year. Maybe Let’s Encrypt and/or Nethserver itself solved my problems I had with configuring it.

I also decided to install two Nethservers.
1 Nethserver only as a Gateway and related Services (Firewall, VPN, ReverseProxy, DNS)
1 Nethserver for the other Services as a kind of Applicance (Owncloud, Nagios, maybe Mail)

The reason for this are my problems I had with my first shot, where the firewall started blocking all traffic. Because I have to avoid this (I also serve virtual machines of customers through this Nethserver), I decided to split them up.
Currently I am setting up my last Applications where two applications are talking to each other, but they cannot if they are behind a reverse Proxy with HTTPS. The Applications are Jira and Bitbucket Server. I have some ideas how it may be fixed, but this has nothing to do with Nethserver.

Everything else seems to work currently and if I fixed the problem with my applications, I will replace the current UTM-Solution with the Nethserver.