Netgate Discussion Forum
    Net Work Design

    General pfSense Questions · 7 Posts, 3 Posters, 2.5k Views
    edziffel

      Do not have any experience with networks with multiple routers, only single segment setups.  Before starting with install, would very much like a second opinion as to how the network should be set up.

      Requirements: 
      1.  Ability to remotely access File server using OpenVPN
      2.  Remotely access MySQL database for full administrative control/production purposes
      3.  Security is a priority.  Probably having a firewall on each machine would be a plus but resources are limited
      4.  Be able to access file server from all machines
      5.  Remotely access various machines behind routers
      6.  Allow access from Router 2 segment to Router 1, but block Access from Router 1 segment to Router 2
      7.  Allow access to MySQL server from Router 2 segment
      8.  Log traffic

      Not too sure if I really need Squid.  Have hosted website.  Volume of traffic will be limited.  Was under the impression that Squid would help the security some.  Have more unused boxes kicking around so could set up other dedicated machines if that would help security.

      Absolutely want to scan for viruses.

      Other network similar but mostly Linux behind main WAN interface.

      Have DDNS service set up already.

      Router 1 and 2 are consumer level but do have port forwarding etc.

      1.  Security wise, would static addressing and subnets be as effective as the routers behind the pfSense router with respect to limiting/restricting traffic between the segments?
      2.  Is there a better approach to do this?

      Thanks
      Ed

      stephenw10 (Netgate Administrator)

        Interesting.
        Looking at your requirements:
        1. From somewhere out on the net? No problem, either forward traffic to an OpenVPN server on your internal server machine or connect to the pfSense OpenVPN server and access it from there.
        2. Same as above, pretty much.
        3. Not sure what you mean, software firewall?
        4. No problem just put firewall rules in place to allow it.
        5. This will depend on how your routers are set up. If they are purely routers then you can add routes to pfSense so it knows what's behind each router. If they are running NAT (probably are) you need to port forward across it but you say they can't. The only other way would be to initiate a connection from the machines you're trying to connect to, say a VPN to pfSense. It would be complicated.
        6. This traffic will not go through pfSense at all so it can't control it. You would have to setup your routers to impose this limitation.
        7. See 4.
        8. If you need to log everything you will need to setup a syslog server and set pfSense to send its logs there. Also you can choose which firewall rules generate log entries.

        1.  Security wise, would static addressing and subnets be as effective as the routers behind the pfSense router with respect to limiting/restricting traffic between the segments?

        Not even close. Static IPs can easily be changed and does not prevent traffic reaching other machines anyway.

        2.  Is there a better approach to do this?

        Yes!  ;)
        A much better way to do this would be to have your two subnets connect to pfSense via separate NICs. This will provide far better control of what traffic goes where and also remove many of the problems I mentioned above.
        If you can't bring the two subnets back to the pfSense box, because of existing wiring restrictions for example, you could also use VLANs to separate the networks at the switch if it's VLAN capable. This is slightly more complex to configure and slower.

        Steve

        edziffel
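Steve's answer (separate NICs per segment, firewall rules for requirement 6, per-rule logging to syslog) can be illustrated with a small stateful-firewall model. The Python below is an added example, not pfSense code and not anything posted in this thread; the segment addresses (192.168.1.0/24 for Router 1, 192.168.2.0/24 for Router 2), the rule order and the simplified syslog line format are all assumptions chosen for the illustration.

```python
"""Stateful inter-segment firewall model (added illustration, not pfSense code).

Assumed addressing: 192.168.1.0/24 is the "Router 1" segment and
192.168.2.0/24 is the "Router 2" segment, each on its own pfSense NIC.
"""
import ipaddress
from dataclasses import dataclass, field

SEG1 = ipaddress.ip_network("192.168.1.0/24")   # assumed: Router 1 segment
SEG2 = ipaddress.ip_network("192.168.2.0/24")   # assumed: Router 2 segment
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True only for the first packet of a new TCP connection


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    log: bool = False                    # mirrors the per-rule "log" option


def syslog_line(msg, host="pfsense", facility=16, severity=6):
    """Simplified RFC 3164 style line (no timestamp); local0.info gives PRI <134>."""
    pri = facility * 8 + severity
    return f"<{pri}>{host} filter: {msg}"


@dataclass
class StatefulFirewall:
    rules: list
    states: set = field(default_factory=set)   # 4-tuples of allowed connections
    log: list = field(default_factory=list)    # syslog-style lines from logging rules

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic of an established connection passes on state alone.
        if key in self.states or reverse in self.states:
            return "pass"
        # A packet that is neither a connection start nor part of a known state is dropped.
        if not pkt.syn:
            return "block"
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for rule in self.rules:                  # first match wins
            if src in rule.src_net and dst in rule.dst_net:
                if rule.log:
                    self.log.append(syslog_line(
                        f"{rule.action} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"))
                if rule.action == "pass":
                    self.states.add(key)         # remember it so replies can come back
                return rule.action
        return "block"                           # implicit default deny


def build_rules():
    """Requirement 6: segment 2 may reach segment 1, segment 1 may not initiate to 2."""
    return [
        Rule("pass", SEG2, SEG1),
        Rule("block", SEG1, SEG2, log=True),     # logged so the attempts show up in syslog
        Rule("pass", SEG1, ANY),                 # segment 1 still reaches the internet
        Rule("pass", SEG2, ANY),
    ]


def run_scenario():
    """Constructed traffic: a file-server session from segment 2 and two attempts from 1."""
    fw = StatefulFirewall(build_rules())
    verdicts = {
        "seg2_to_fileserver": fw.handle(Packet("192.168.2.20", "192.168.1.10", 50000, 445, syn=True)),
        "fileserver_reply":   fw.handle(Packet("192.168.1.10", "192.168.2.20", 445, 50000, syn=False)),
        "seg1_to_seg2":       fw.handle(Packet("192.168.1.30", "192.168.2.20", 50001, 22, syn=True)),
        "seg1_no_state":      fw.handle(Packet("192.168.1.30", "192.168.2.20", 445, 50002, syn=False)),
    }
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    print("\n".join(fw.log))
```

The point of the model is the state table: the reply from the file server passes without any rule allowing 192.168.1.0/24 to talk to 192.168.2.0/24, while a fresh connection from segment 1 is blocked and logged. That asymmetry is only possible when both segments terminate on the firewall, which is why static addressing alone cannot deliver it.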

          Thanks stephenw10

          Like the idea of getting rid of consumer level gear and using the main machine to handle traffic between the segments. Was looking at some motherboards with more PCI slots.  Looks like for the main office that will be a good option.  Other sites do not have segment restrictions so existing machines will be fine.

          1.  Software firewalls:  Any picks for Windows machines?  Linux?

          Ed

          stephenw10 (Netgate Administrator)

            If your switch supports VLANs you may not need any new hardware.

            Software firewalls were more of a question than a suggestion. However, with all your machines behind a firewall anyway, the primary function of a software firewall on client machines becomes, IMHO, to restrict outgoing connections.
            As I type this on a relatively ancient Pentium 4 machine running XP I am running an almost equally old version of Zonealarm. As an only line of defence it would be almost useless, you need to keep your firewall software up to date, but in restricting what I allow to connect to the internet it works great. Firefox yes, IE no.  ;) If some new piece of software installs itself and tries to send my details back to its mothership I get to choose to allow it or not.
            This sort of application level filtering cannot be achieved at the network firewall but it does completely depend on having co-operative users.

            Steve

            bdwyer

              Your standard modern Windows firewall with advanced security and tweaking iptables on your Linux boxes should be fine.  If you're running XP or earlier machines then they may need a third party tool.  pfSense running Snort is extremely powerful therefore you should segregate your servers such that all traffic to/from clients passes through it so you can filter it there.

              Also, definitely turn NAT off on those internal routers; double NAT can be nasty.  A managed switch with VLAN capabilities sounds more suitable for your needs.

              CCNP, MCITP

              Intel Atom N550 - 2gb DDR3
              Jetway NC9C-550-LF
              Antec ISK 300-150
              HP ProCurve 1810-24
              Cisco 1841 & 2821, Cisco 3550 x3

              edziffel

                stephenw10

                No, my switches do not support VLAN.  Guess you don't get much in an 8 port 10/100Mbs switch for $16.00 these days.  Good for just using as switches though.  Got a sustained 9MBs throughput out of em.  Pretty close to theory limit.

                Familiar with Zone Alarm.  If you ever have a reason check COMODO for Windows.  Free Download at Filehippo.com.  Haven't run either for a couple of years as have switched to Linux and keep windows machines off line.  Don't keep any files on root drive so just strip and reinstall if they get infected/degraded anyway.  I treat windows installs pretty much like a handy wipe.  Well, Linux too if it gets buggy.

                bdwyer

                Thanks for the heads up on the NAT to NAT.  I'm sure I would have had that look on my face after hooking it up.

                Going through my copy of THE TCP/IP Guide Book on the chapter on NAT today.  Actually double NAT is where you are connecting from a local LAN to a remote local LAN and both have the same network id if I got the point of it.  At any rate was considering using sockets anyway (if I got that right:  IP Address and port combination).

                bdwyer

                  Yes, you've got the general idea of double NAT.  The primary purpose of NAT is to translate/map public IP(s) to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to facilitate Internet access.  For this reason, it should only be done once, probably at the provider edge (WAN).  In reality you could do it as many times as you want, but future troubleshooting could be difficult and certain applications might not function properly.


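Both Steve's point about port forwarding across the consumer routers and bdwyer's explanation of double NAT come down to the same mechanism: each NAT hop keeps its own translation table, so an inbound connection needs an explicit forward at every hop while outbound traffic is simply translated twice. The Python below is an added model of that, not code from the thread or from pfSense; the addresses (203.0.113.5 from TEST-NET as the pfSense WAN, 192.168.1.2 for the consumer router, 10.0.1.10 for a server behind it), the OpenVPN port 1194 and the dynamic port pool are assumptions for the illustration.

```python
"""Double NAT model (added illustration, not code from the thread).

Assumed layout: pfSense at the provider edge with WAN 203.0.113.5, a consumer
router behind it with WAN 192.168.1.2, and a file server at 10.0.1.10 behind
the consumer router.
"""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges that NAT exists to hide."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class NatRouter:
    def __init__(self, name, wan_ip, forwards=None):
        self.name = name
        self.wan_ip = wan_ip
        self.forwards = dict(forwards or {})   # WAN port -> (inside ip, inside port)
        self.sessions = {}                     # WAN port -> (inside ip, inside port)
        self.next_port = 40000                 # assumed start of the dynamic port pool

    def outbound(self, src_ip, src_port):
        """Translate an inside source to (wan_ip, new port) and remember the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[wan_port] = (src_ip, src_port)
        return self.wan_ip, wan_port

    def inbound(self, dst_port):
        """Inside destination for a packet arriving on the WAN side, or None if dropped."""
        if dst_port in self.sessions:           # reply to a session we opened
            return self.sessions[dst_port]
        return self.forwards.get(dst_port)      # otherwise only an explicit forward


def trace_outbound(routers_inside_first, src_ip, src_port):
    """Path of a new outbound connection: one translation per NAT hop."""
    path = [(src_ip, src_port)]
    ip, port = src_ip, src_port
    for router in routers_inside_first:
        ip, port = router.outbound(ip, port)
        path.append((ip, port))
    return path


def trace_inbound(routers_outside_first, dst_port):
    """Walk a new inbound connection through the chain; stop at the first hop that drops it."""
    hops = []
    target = None
    for router in routers_outside_first:
        target = router.inbound(dst_port)
        hops.append((router.name, target))
        if target is None:
            break
        dst_port = target[1]     # the next hop sees the port the previous hop forwarded to
    return hops, target


def build_chain(inner_router_has_forward: bool):
    """pfSense edge forwarding OpenVPN (1194) to the consumer router behind it."""
    edge = NatRouter("pfSense", "203.0.113.5", {1194: ("192.168.1.2", 1194)})
    inner_forwards = {1194: ("10.0.1.10", 1194)} if inner_router_has_forward else {}
    inner = NatRouter("Router 1", "192.168.1.2", inner_forwards)
    return edge, inner


def demo(inner_router_has_forward: bool):
    """Outbound works through both NATs; inbound only if every hop forwards."""
    edge, inner = build_chain(inner_router_has_forward)
    outbound = trace_outbound([inner, edge], "10.0.1.10", 50000)
    hops, target = trace_inbound([edge, inner], 1194)
    return outbound, hops, target


if __name__ == "__main__":
    for has_forward in (False, True):
        outbound, hops, target = demo(has_forward)
        print(f"inner forward={has_forward}: outbound {outbound}")
        print(f"  inbound hops {hops} -> {target}")
```

Running it with the inner router left at its defaults shows the inbound OpenVPN connection dying at "Router 1" even though pfSense forwarded it correctly, which is the troubleshooting trap bdwyer describes; turning NAT off on that router (or giving each segment its own pfSense NIC) removes the second table entirely.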