I think it might be helpful to have a user experience of a user, that knows other (firewall) solutions (Cisco, IPFire, Sophos UTM), is a professional IT-Administrator (Virtualization/Windows Server), has not much knowledge about Linux and never heard of Nethserver before.
My first thoughts about Nethserver were: Why I never read a line about this stuff?
I was searching for a UTM Gateway, that can handle more than one green subnets. My first view on Nethserver was, that it is possible to do nearly everything you might need. My most important features were (and are) Firewall, Routing, DNS, virtual Host/Reverse Proxy and VPN. I decided to try Nethserver because of the stuff, that it is able to do more than just Firewall and Routing - especially Monitoring (Nagios) and OwnCloud were the features I will try later.
I planned to run Nethserver virtualized on HyperV (2012 R2) on a Server with direct access to the internet. I configured the virtual Machine (Gen1, 2 CPU, up to 2GB dynamic Memory, 2 NICs (non-legacy)) and started from the ISO. After I installed Nethserver (pew, that was easy!), I setup red and green interfaces.
Because the HyperV-Server is used by three different people hosting their server, I will setup four different Subnets:
10.0.0.0 for the hosting infrastructure (HyperV-Host, first Gateway Address, Backupserver, …)
10.1.0.0 for the virtual Machines of the first person (me)
10.2.0.0 for the virtual Machines of the second person (a friend of mine)
10.3.0.0 for the virtual Machines of the third person (prior a friend of mine but we are searching for a new guy…)
Each subnet will be GREEN and should not be able to communicate with the other subnets except there is a rule, that allows this.
My first attempt to configure this configuration was to assign the four GREEN IP-addresses to one Interface. 10.0.0.1 for the primary address and the other ones (10.x.0.1) as Alias IPs. I did this followed by installing the Firewall-Softwarepack and I tried to setup the firewall rules using the GUI for RDP, HTTP(S) and so on. I ran into my first problem: Firewall problem: Unknown destination zone (alias)
After we found the reason (pretty fast, thanks @Nas!) I was able to add the rules and it worked. But that should be something, that cannot happen.
After that I installed a new Machine with the IP 10.1.0.101. I want to check, if the rules are working - and they did.
Now I installed the Webserver-Pack to configure the virtual Host/Reverse Proxy. I missed the possibility to configure anything using the UI. For users without any Linux/SSH-Knowledge not good. And even for users that just like simple UIs to configure stuff (like me) it can be a real killer. OK, but for the virtual Host stuff, I know how to configure Apache, so I connected to Nethserver using WinSCP and added my virtual Host configuration to the conf.d folder and fired the signal-event nethserver-httpd-update. First I configured only one virtual Host, that is located in 10.0.x-Subnet for testing. It worked. After that I changed the IP to my new server in 10.1.x-Subnet. It didn’t work! Maybe it is again something like at the firewallstuff with the alias-IPs.
I decided to replace the AliasIPs by separate interfaces. So I shutdown Nethserver, added three new Interfaces, removed the AliasIPs and gave each Interface its own 10.x.0.1-IP-Address. And voilá: My virtual host is working now.
After that I added a second virtual host to the config to test the resolving of the requested hostname and if the queries are split between the two different hosts: Worked.
My next steps for now are:
- Implement Reverseproxy/SSH for virtual Hosts maybe by using Let’s Encrypt
- Create VPN-Connections
- Install and configure Monitoring
- Install and configuring Owncloud
- Going live (replace current UTM-Solution)
What is my opinion about Nethserver so far:
- Many functions
- active Community
- Free to use
- Easy to install
- Many things only via Console (so far)
- Missing UI for features (like above)
What I expect:
- More intutive GUI-Features
- More self-explaining GUI or examples in the GUI
So my conclusion:
Brilliant peace of Software so far, but more UI please to make it easier for newbies and non-command-line-/non-linux-guys. For me most of the stuff is OK, but I would say I am the 20% of users, that can arrange with this