What is the most complex network anyone has done with NethServer?

(Nitram Oneito) #1

This is just a discussion to understand some of the use case as far as nethserver is concerned.
As far as nethserver is concerned, with is functionality as a DHCP server, a DNS system, a mail and file server, spam, AV, and bruteforce blocking,

What is the complex, local network anyone in the community has setup, for use in their organization, or for a client in any kind of institution.

As far as Public network, or hosted Nethserver instances, what is also the kind of setup. and how in general is nethserver assisting as far as the system administration is concerned.

feel free to contribute

(Rob Bosch) #2

I am using NS quite straightforward. At home I have 2 instances running on top of ProxMox 5.2
1 as gateway with 2 interfaces and 1 “for the rest” of all services on my home network. A 3rd NS instance is running on a Contabo VPS. That one is primary for mail.

I will implement a more or less copy of my home network end of august in a primary school here in Belgium. Currently it is running on Ubuntu 14.04 +qemu-kvm with 2 VM’s: 1 pfSense, 1 Karoshi server (ubuntu server based)
The host will be switched for ProxMox5.2 and 2 VM’s will first be moved from the old KVM server to the new proxmox environment. Since I don’t have new hardware, I will use a temporary spare pc as promox host, test if the VM’s will run and then install proxmox on the “old” server and import the VM’s

I would love to hear more complex configs!

(James Nesbitt) #3

At my home (which doubles as my home office), I have 2 NICs, red and green running DHCP, DNS, file server, Active Directory for user management, miniDLNA, Fail2Ban (basic install).

Haven’t really played much with the mail and IPS as yet due to time constraints.

Could add a blue interface for guests as well as CUPS for shared printers if I really require it.

(Jeroen Visser) #4

TrueNAS exporting NFS links for Proxmox server with 40 cores and 256GB memory, fiber connections between the two and LAGG to switch.

On that baselayer, there are 8 NethServer’s with the following roles:

  1. Samba AD server
  2. Mail server (SOGo based)
  3. FTP(ES)/Samba fileshare/Nextcloud
  4. Typo3 webserver
  5. Firebird database server
  6. Alfresco DMS
  7. OTRS ticketing
  8. Redmine software project management

They all connect to the AD server for authentication, in some cases local authentication is used as well (OTRS for instance, where not every user that submits tickets, needs an AD account)

AD is fully used, including mapped homedrives, some bind mount magic on the fileserver, policies, logon scripts, etc. Between the internet and the local networks is a PFSense firewall.

Clients are all Win10.

The webserver reverse-proxies most other systems, adding a layer of security there. Our own employees had OpenVPN access to the network from wherever, key-users had FTP access and had more rights in our operational systems to be able to automate most processes, and through the use of the AD account, easy to manage with groups, and having effect system wide.

With some proper IT policies and sane management, this could have been used to pass ISO 27001 and 9001, but sanity is a scarce commodity.

Honest to the flying spaghetti monster, I am writing the howto.

(André Wismer) #5

One of my more comlex clients - a Hotel - is running an almost complete virtualized environment on three ProxMox servers (clustered).
The primary server is a NethServer, providing AD, Mail, Proxy, Web, Monitoring with Zabbix, Guacamole for remote access and partners.
The “Applicaion” Server is a Windows 2008 R2 Server, running the Hotel application. This server is a AD Member Server, under NethServer’s AD.
Storage is provided by three NAS, two Synology and one older Thecus. The Synos back up their whole Data and Config to the Thecus using Synology’s Hyperbackup.
All Data, except for the VM images is also saved daily out of house, to an external Synology NAS using Synology’s CloudStation, and NethServer running a few rsync jobs.

A few notable exceptions to virtualization:
The Camera / CCTV server is a windows 7 “Server”, running Axis Camera Station software.
Performance reservations about virtualization, and the fact that the Windows box was “lying around” led to this. This “server” is imaged using StorageCraft on a regular basis.

A note to using AD on a NAS providing Storage to HyperVisors:

Just Don’t !!!

Think about it:
Your NethServer is running in a VM, the Storage is on a NAS using NethServer’s AD.
Something crashes…
You want to add in a file to the Hypervisor, but access is denied - the AD isn’t available…
Some NAS may allow you limited access, some don’t allow ANY access in this situation!

If you must use AD on a NAS - this does make sense on a NAS accessed by Users, get a second, dedicated NAS for VM-Storage!!! The VM-Storage NAS needs only a VERY limited set of users - which also simplifies administration.

Another - important - advantage is the possibility to optimize the file system according to duties.
Like RAID 5 or 6 for Users NAS, but RAID10 for storage… (Or ZFS, anyone?)

My 2 cents

(Alessio Fattorini) #6

Great topic thanks @oneitonitram
i’m now curious about that, let us know about your complex network! Do you have implemented any specific scenario?

(Héctor Pérez) #7

Ok I have a Nethserver, FULLNAT, AD, Mail, Proxy-webfilter with a Rsync failover.

(Nitram Oneito) #8

Hello, So here is the complex setup I have on my end.

I have deployed 3 Servers(This is After learning a huge lesson), All public facing VPS that I use for my day to day operations.

One of the server, has collaborative programs,
Nethserver with Ldap, for Authentication. I hate many logins and password.

  • I have an Installation of Sogo webmail, with Virtual hosts pointing at mail.domain.com
  • I have also installation of rspamd for spams. Man I hate them a lot. which works well so far.
  • I also have a setup of Fail2ban, which since installation has blocked over 30k login attempts… very surprising.
  • in the same server I also have a configuration of Nextcloud, with onlyoffice. The nextcloud talk, which helps very much with video conferencing, as well as screen-sharing for our teams.
  • I also use webtop5 some times, or see people in the office launch it in some instances, but mostly sogo is used.
    webtop does not load well in mobile phones.
    That wraps up Most of the features of the first server

2The second server.
This server is dedicated only and mainly for corporate mails.

In this case I Am using zimbra. Yes I did install Zimbra o top of Nethserver.
The reason why I used Zimbra on top of nethserver was so as to get rspamd as well as the fail2ban features. these work very well.
I had initially tried to configure sogo and webtop on the first server, so as to have sogo handle one domain, then webtop another domain. but this was not possible in the manner that I had wanted. So I had to engineer some solutions.

For some reasons, I couldn’t get the ssl feature to work well. Still trying the best well to install letsencrypt. If I am not able, ill just go for a commercial wildcard ssl. or something.

3The third server
This is the development server.
This I have setup Nethserver. And after the painstaking process we had in this forum here PHABRICATOR on NS

I could not let that effort go to waste.

I have deployed Phabricator as the code repository, as well for chat on development projects. It has a lot to offer, and I do like its features and functionalities so far.

On the same server, I have also deployed Bitbucket. Which has only one reason, or function.

We push Any C# and VB based projects, that have been developed in Windows visual studio, you know the main one. not code. to bitbucket, then have configured phabricator to observer those repositories.
The reason why this was done, is because. It is really painful to push code to pharbicator from visual studio 2017 etc. But pushing the same code to bitbucket. is just a plugin away.
As far as pushing code to phabricator is concerned using any other tool. It is fairly easy.

That is the setup I have on my server, as far as setting up a complex setup. Oh… this is all production setup.

(Alessio Fattorini) #9

That’s so cool, did you use NethServer’s userbase? Joining AD or LDAP?

Amazing setup huge NethServer user :smiley:


(Nitram Oneito) #10

Thank you. I find it to help me a lot, considering I used to tinker with centos head on

All the other software I have mentioned make use of ldap. For some reasons I was not able to setup Zimbra to use ldap.

(Rob Bosch) #11

AFAIK Zimbra incorporates it’s own LDAP. It seems there is a plugin for Zimbra to authenticate against a 3rd party LDAP server (for instance NethServer?) https://wiki.zimbra.com/wiki/External_LDAP_authentication_with_zimbraAuthLdapExternalDn

It should be possible usinge either LDAP or Samba4AD:

(picture taken from zimbra wiki)

(Nitram Oneito) #12

I have been trying to setup that kind of configuration on zimbra, but has not been possible. so at last I just left it all alone. I mostly kept getting the error that DN is wrong…

(Dominik) #13

Since my last post here at this wonderfull forum many have changed at my work. Now I have 3 different locations nad the setup goes like this:

Location 1-3 are connected via IPSec based on NethServer.

Location 1:

  • router/firewall,
  • AD Controller,
  • internal WWW,
  • backup server.

Location 2:

  • router (DHCP,DNS, Fail2Ban,IPSec, OpenVPN, Proxy),
  • file server,
  • virtual machine server

Location 3:

  • router (DHCP,DNS, Fail2Ban,IPSec, OpenVPN, Proxy),
  • VM server

Now I am trying to solve this scenario: connect all Locations to AD Controller (NS Server) located at LOCATION 1 or to setup 3 diff AD Controllers (?) hmmmm…
Clients are Windows 7/10 Pro

ps. I have also working NethServer on polish VPS hosting where NS is responsible for PrestaShop store :slight_smile:

(James Nesbitt) #14

Interesting spread of installation @des!

One possibility is to have each of the sites create a VPN connection with the “master” location. Once the VPN connection is established, the AD Controller at the secondary sides could be slaves to the AD Controller at the master site and the clients can authenticate with whichever LDAP controller is located at their site.

I know the above configuration is possible with Windows Server server, I just haven’t tried this with NethServer yet so I am unsure of the challenges of setting this up or how it would behave exactly.

If you do go for it, I thing I would recommend for the VPN configuration is to have a VPN Mesh configuration where each site is connected to each other via a VPN connection and that the routing is configured in a failover configuration so that if one of the VPN connection fails for whatever reason, the LDAP slave can still communicate with the LDAP master via one of the other office locations. Not sure how to configure this option yet though.

(Rob Bosch) #15

I think this would stand or fall with the option of having ‘sites’ and AD replication managed in a controlled way through NethServer AD account provider. Is this possible?
Otherwise you could get stuck in network traffic jams due to AD replication over VPN WAN connections.

(James Nesbitt) #16

Good point about the potential for network traffic jams.

Although if you have a 1Gb Fibre internet connection with 40Mb dedicated to each VPN connection, then its something you don’y have to worry too much about it (I really do miss that connection I worked on in Japan, although I can get similar connections in the AWS environments)

(Dominik) #17

@bwdjames, @robb,
I was thinking about something like that:

  • all location has connection via IPSec to “master” location at “Location #1
  • NS server at “Location #2” and “Location #3” connected to AD at “Location #1” as members to main AD

so this is something like @bwdjames said.

this is possible, but… i don’t know if this will work if there could be some “breakdowns” with the internet connection for example at main location…

i will have to try it…