NSDC to different VLAN

Hello,

I currently have NethServer up and running in the default VLAN 1 (192.168.1.0/24), interface br0.
I want to move all staff computers to VLAN20 to have separation. I also want to move the NSDC to that network.
I made a new VLAN 20 (bridge br0.20). It is “green”. But if I try to change the IP of the DC (signal-event nethserver-dc-change-ip 192.168.20.250), nothing happens.

I also tried to change the bridge of the NSDC (config setprop nsdc bridge br0.20 status enabled). After that, the command “signal-event nethserver-dc-change-ip 192.168.20.250” just hangs.

Is there any possibility to have the DC in a separate routable VLAN?

Routing is done by standalone router.
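A pre-flight check one can run before firing nethserver-dc-change-ip, added here as example code written for this edit (not from the thread and not part of NethServer). It assumes, without having verified it against the nethserver-dc source, that the new DC address must be a usable host address inside the IPv4 network of the bridge nsdc is bound to; the script reads that bridge's address with `ip -4 -o addr` and rejects addresses outside the network, the bridge's own address, and the network/broadcast addresses. Bridge name and target IP are command-line arguments; the values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from NethServer.
# Pre-flight check before `signal-event nethserver-dc-change-ip <new_ip>`:
# refuse addresses that cannot work on the bridge nsdc is bound to.
# Assumption (not verified against nethserver-dc): the DC container address
# must be a usable host address inside the bridge's own IPv4 network.

ip2int() {
  # dotted quad -> unsigned 32-bit integer, pure POSIX sh arithmetic
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_mask() {
  # prefix length -> netmask as an integer, e.g. 24 -> 4294967040
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

ip_in_cidr() {
  # ip_in_cidr 192.168.20.250 192.168.20.0/24  -> exit 0 if inside, 1 otherwise
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  mask=$(cidr_mask "${2#*/}")
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

check_new_dc_ip() {
  # check_new_dc_ip <new_ip> <bridge_addr/prefix>   (the bridge's own address
  # as `ip -4 -o addr show dev br0.20` prints it, e.g. 192.168.20.1/24)
  new=$1 bridge=${2%/*} bits=${2#*/}
  mask=$(cidr_mask "$bits")
  network=$(( $(ip2int "$bridge") & mask ))
  bcast=$(( network | (4294967295 & ~mask) ))
  newi=$(ip2int "$new")
  if [ "$new" = "$bridge" ]; then
    echo "refuse: $new is the bridge's own address" >&2; return 1
  fi
  if ! ip_in_cidr "$new" "$2"; then
    echo "refuse: $new is outside $2; move the bridge first, then the DC" >&2; return 1
  fi
  if [ "$newi" -eq "$network" ] || [ "$newi" -eq "$bcast" ]; then
    echo "refuse: $new is the network or broadcast address of $2" >&2; return 1
  fi
  echo "pre-flight ok: $new is a host address on $2"
}

# Usage on the server (assumed file name):  sh dc-preflight.sh br0.20 192.168.20.250
if [ "$#" -eq 2 ]; then
  bridge_cidr=$(ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4; exit }')
  [ -n "$bridge_cidr" ] || { echo "no IPv4 address on $1" >&2; exit 1; }
  check_new_dc_ip "$2" "$bridge_cidr" && echo "now run: signal-event nethserver-dc-change-ip $2"
fi
```

The check is deliberately read-only: it never touches the e-smith database or the nsdc container, it only tells you whether the address you are about to hand to the event can be valid on that bridge at all.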

I don’t know if this scenario has been considered by the dev team. And actually I did not see this kind of scenario in Windows AD/Windows client environments; nevertheless… often the main AD server/DC was at the same time the DHCP and DNS server, and delivering this server outside the standard clients’ LAN was quite far from suggested.

Would you please explain why you want to put the DC outside the GREEN interface/zone? What are you trying to achieve? (LAN or vLAN is irrelevant, currently.)

I want to make one VLAN20 for staff (computers, printers, etc.) to have it segregated.
I also have another company connected to my switch, which is in another VLAN10 (they have a Windows-based DC).
Since NethServer also has some other tasks (intranet web server, some reverse proxies, VPN server for both companies), I want to have it in VLAN1 (default VLAN). I can not put it completely into tagged network 20; otherwise the common stuff is not accessible.
Maybe I should have just one virtual machine with the DC running on it and serving VLAN20?

Maybe you have some other good ideas?

And rely on a router for access to the userbase/authentication process?
Some companies (not that small) can use this approach, but in small environments with controlled access to the cabling system and the switches, I personally don’t see the advantage, considering the added complexity and the possible problems that it might generate.

I find a separate network segment for wireless LAN based devices more useful, if they don’t need to access resources with an AD login. This can lead to time conditions for access from the wireless segment to the inner segment (green) and… some network split thanks to reservations.
Is your device part of the company? Your address will allow you to have faster internet, access to the green network, printers reachable. Are you a guest? Only some Mbit down and a few hundred KB up of internet, access only to a printer via IPP if you need guest access for a few prints. It’s only an idea.

Also… vLAN currently is “not a topic”, because vLANs are a tool to achieve a network design with less hardware: one switch instead of 3, 4 or more, one network cable/port instead of 2 or 3… they only add “more things to do” when translating the design to the real world.

Anyway…
All written above is not the answer to your question, simply questions about the goal of such an unusual (in my personal experience) network design.
It’s saturday evening, have a nice weekend and don’t hold your breath.

Hi @rihokirss

And welcome to the NethServer community!

Concerned about security, but letting another company connect to your switch without a firewall in between?
Only security is vLANs?

To be honest, I’d really suggest you learn a few basics about network planning in the sense of best practices. Sorry for being so harsh, but this is one of the most stupid concepts I’ve heard of in more than 35 years in the business!

Since you seem to be running virtualization (at least one plus point!), why not plan for three subnets in your hypervisor and use a real firewall like OPNsense (runs great as a VM!) to separate your networks?
The interconnection can still use existing vLANs - just with a securely defined perimeter using a real firewall…

My 2 cents
Andy

I explain a bit more :slight_smile:
Three years ago we were a smaller company. Everything we needed was one NethServer which did everything: file sharing, router, firewall, DC, VPN, e-mail, chat, web server (company + intranet), name server, DHCP etc… Everything was sitting in one /24 subnet…

Now we have a spin-off company, and over time I have reduced the number of services our NethServer is offering. The company web is in a commercial datacenter, and so is DNS. For e-mail and chat we decided to use Office365. For routing, firewall and DHCP we now have a separate UniFi UDM Pro, which is also doing VPN.

We now have three floors of office space, and each floor has one network switch and about 5 APs in total. Both companies share the space and the network infrastructure.

Now I decided that both companies shall have their “own” network. On the router and switches I made VLAN10 for the spin-off company, VLAN20 for the original company and VLAN30 for guests. Sounds logical?

The spin-off is happy in their VLAN10. They have everything (Windows server, clients, printers, etc…) in their environment.

Now I want to move all original company stuff to VLAN20 and leave all network stuff (switches, router, APs) in the default VLAN1, which will not have DHCP.

What is strange here?

OK, that VPN (which NethServer is providing) I will also shut down, since the router is doing it too (now L2TP via RADIUS authentication from NethServer), and it is port-forwarded to NethServer from the router until all clients move to the new system…

What would be the best practice? Clients and printers I can move from VLAN1 to 20 easily. The DC shall also be in VLAN20, since it is serving that part. File sharing could also be only there, but I would prefer to be able to configure from NS in which VLAN it is accessible. Currently it is accessible from NS via VLANs 20, 10 and 1, since NS is sitting in the default network and receives all networks (tagged br0.20, br0.10 and untagged br0).
NS is also still doing reverse proxying to share our intranet (which is running in the internal network) to the internet.

The goal is also to disable access to VLAN0 from 10, 20 and 30.

Hi @rihokirss

It’s still early here on a Sunday, but I’ll provide some feedback…

This concept does NOT have a network for each company. Rather, both companies use the same wiring and devices (switches, routers, servers…). The ONLY separation is using vLAN, something ANY client can change if they wanted. Security by obscurity? Any rogue employee could bring along a private notebook, play around with vLANs and sniff all traffic from all networks - and you’d never know it!

In their environment, but NOT in their own Network!

In a secure environment using vLANs (e.g. schools, universities, etc.), vLAN 1, which is NOT supposed to have any “clients”, should have a DHCP providing a scope of exactly one IP. If that DHCP IP is used, that triggers an alarm!

I’ll provide more feedback later, my coffee level is still way below normal operating levels… :slight_smile:

My 2 cents
Andy

With networks I meant vLANs :slight_smile:

As said, a vLAN is NOT equal to a network.
If connected to a network, your AD (NethServer, but also valid for a Windows Server) has only one used NIC, and also logically only one used vLAN NIC.
Using vLANs like you are means you need plenty of local firewall rules (on NethServer or Windows AD) - and this is generally a big headache in both.

Using multiple vLANs also requires defining which of the several “virtual networks” has the default gateway.
A TCP/IP system has one default gateway, no matter if Windows or Linux…

An AD is easiest to maintain if it has exactly one NIC! All traffic from outside the company LAN (eg a “partner” company in the same building) is routed via a firewall / router to the AD…
This way, the AD does AD, does not have to worry about firewalling. The router / firewall does exactly that, providing the network structure and allowing traffic to where it’s needed.

NethServer can handle this kind of environment just using its Cockpit GUI (using e.g. trusted networks…), but NethServer can’t handle using a vLAN or several for your AD with the GUI alone. And whether any modifications are update-safe remains to be seen.

Yes, it can be done, but you don’t really want to.
Like jumping from an open window on the tenth floor…It can be done, and besides leaving the room, nothing will happen.
Your landing is a different matter… (!).

My 2 cents
Andy