I’ve installed a nethserver with multiple WANs just for easy routing between GREEN ifaces to other different RED ifaces.
The problem I’m facing is that when I make changes to the firewall, or anything else in NethServer for that matter, it sometimes changes my active WAN iface so that I can’t reach it from where I am right then and there. I then need to go and connect physically to that network just to reach it and activate the right WAN again.
Is there some way to just use a single WAN instead, without risking NethServer changing my WAN?
I have tried changing all but the WAN I want to DMZ or BLUE ifaces, but I can’t figure out how or where to route the traffic with static routes to get it working… Am I missing something?
I have one GREEN iface and seven RED ifaces at the moment.
The thing is that I don’t want seven red interfaces.
The only reason they are red today is that routing
from green to red is done automatically in NethServer and I need to reach everything on six of these seven red interfaces, that’s the only reason.
Today we have different production VLANs that need to be reachable from one single network, just so that we
don’t need to give all the client computers all these VLANs just to reach everything they need to reach in our network.
Here I want everyone that connects to VLAN 2 to also have access to VLANs 10,20,30,40.
This is just how I want it, but I don’t want VLAN 10,20,30,40 to be RED interfaces.
I would like them to be BLUE or ORANGE instead, but then I can’t seem to route
the traffic so that the GREEN interfaces get access to those BLUE or ORANGE networks.
One more question: where does the (default) router of your networks fit in this picture
(or, in other words, do you plan to use NethServer as the router, or another dedicated router?)
You are right, one cannot route GREEN <> ORANGE (DMZ); ORANGE can only route to RED.
GREEN > BLUE is possible, however by default BLUE can route to RED. (So this would not fit your needs.)
And AFAIK you can make a FW-rule to block all BLUE networks to RED however not configure this per BLUE network.
To make this rule you need to install the “Basic Firewall” from the Software center then go to > Applications and click the blue “settings” button of the Firewall
(tip: while you are in applications you may want to hit the 3 dots and make a shortcut, the Firewall module should show up in the left menu)
Not being a network expert, this configuration hits the limits of my knowledge and it may even hit NS’s possibilities…
This being said, I hope others will chip in, and the following could be wrong:
Put VLAN 10,20,30,40 on a BLUE Network,
make static routes from GREEN (VLAN 2) to the BLUE networks
If the BLUE networks should not have Internet access, make a FW-rule to drop all requests (any) from BLUE to RED and vice versa.
AFAIK one needs to create a static route between GREEN networks too, meaning without this route two (or more) GREEN networks are isolated too.
So, if you want (as an example, VLAN 10) to have I-net access, give it a GREEN role; NOTE this network has access to the services of the NethServer.
I have changed some of them to BLUE networks now and made static routes from GREEN to BLUE but it still doesn’t work…
I don’t know what I’m doing wrong. In my world this should work too.
Ok, @lonnestig… what would you want to achieve?
What are production VLANs for you? Do you have a plan for the network showing which VLANs should reach and be reached from which?
The thing I want to achieve is that I want a client computer to connect to VLAN 2 and then automatically have access to VLAN 10,20,30,40 through that connection, without having to connect with a VPN or a physical ethernet cable to reach those networks.
So I want to have routes from GREEN to those BLUE interfaces.
It works if they are RED, but then I get the problem that sometimes NethServer changes which RED interface should be active, so I can’t have them being RED interfaces.
Both can ping 8.8.8.8 and google.com (DNS works)
I am able to ping and ssh into 192.68.99.138 (on Blue) from 10.0.9.141 (on Green), not vice versa.
I am able to ping and ssh into debvm01 from Green, so DNS works too.
The BLUE has no router. It’s static on all clients. I can reach them from the NethServer terminal when I ping for example 192.168.203.10, but when I ping from eth1, which is the GREEN interface, I time out: ping -I eth1 192.168.203.10
Summoning @giacomo for a bit more insights…
Creating a Blue network segment, even without DHCP enabled, should trigger routing and standard firewall creation… Am I wrong?
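As an added illustration (not code from this thread or from NethServer) of the reasoning in the replies above, the model below encodes the zone forwarding policy as the thread describes it (GREEN to BLUE, BLUE/ORANGE/GREEN to RED, nothing back into GREEN) and checks a ping in both directions: the request must be forwarded by the firewall, and the reply must have a route back, which a static-addressed client with no default gateway does not have. All addresses, interface names and the firewall's gateway addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Zone forwarding policy as the thread describes it (a model for illustration, not NethServer's own code).
ZONE_POLICY = {("GREEN", "BLUE"), ("GREEN", "RED"), ("BLUE", "RED"), ("ORANGE", "RED")}
# Constructed firewall interfaces: (zone, connected subnet, firewall's own address on that subnet).
FIREWALL_IFACES = {
    "eth1": ("GREEN", ip_network("10.0.9.0/24"), ip_address("10.0.9.1")),
    "eth2": ("BLUE", ip_network("192.168.203.0/24"), ip_address("192.168.203.1")),
}

# Constructed hosts: address -> default gateway (None = static address with no router configured).
HOSTS = {
    "10.0.9.141": "10.0.9.1",            # GREEN client using the firewall as gateway
    "192.168.203.10": None,              # BLUE client, "static on all clients", no router
    "192.168.203.20": "192.168.203.1",   # BLUE client that does point at the firewall
}

def locate(addr):
    """Return (zone, subnet, firewall address) for the interface whose subnet contains addr."""
    a = ip_address(addr)
    for zone, net, fw in FIREWALL_IFACES.values():
        if a in net:
            return zone, net, fw
    raise ValueError(f"{addr} is not on any firewall subnet")

def can_send(src, dst, hosts):
    """Can a packet from src reach dst? Directly on the same subnet, otherwise via src's gateway,
    which must be the firewall on src's subnet, and the firewall must forward that zone pair."""
    szone, snet, sfw = locate(src)
    dzone, dnet, _ = locate(dst)
    if snet == dnet:
        return True, "same subnet, delivered directly"
    gw = hosts.get(src)
    if gw is None or ip_address(gw) != sfw:
        return False, f"{src} has no usable gateway, so its packet to {dst} never leaves the subnet"
    if (szone, dzone) not in ZONE_POLICY:
        return False, f"firewall does not forward {szone} -> {dzone}"
    return True, f"forwarded {szone} -> {dzone} by {sfw}"

def can_ping(src, dst, hosts=HOSTS):
    """Echo request src -> dst, then echo reply dst -> src. The reply is accepted by a stateful
    firewall once the request was permitted, but dst still needs a route back to src."""
    ok, why = can_send(src, dst, hosts)
    if not ok:
        return False, "request: " + why
    _, snet, _ = locate(src)
    _, dnet, dfw = locate(dst)
    if dnet != snet and (hosts.get(dst) is None or ip_address(hosts[dst]) != dfw):
        return False, f"reply: {dst} has no gateway, so the echo reply cannot return to {src}"
    return True, "request and reply both routed"
```

With these sample hosts, a GREEN client pinging the gateway-less BLUE client fails on the reply leg even though the firewall forwards GREEN to BLUE, while the same ping to the BLUE client that uses the firewall as gateway succeeds.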