hi there,
we're replacing our old firewall (ipchains) with a new astaro box. we think we've found a good setup for our network, but we'd like to get some feedback ;-)
some facts about our environment:
- we're two companies sharing a 2mbit line, 128 public ips are available.
- the server segment and the wireless infrastructure are shared by both companies
- we're currently running about 8 servers which are reachable from the internet
- other locations (adsl connected, dyn ip) are connected via IPSEC VPN (planned)
our firewall:
* celeron 1200 / 256 MB
* the interfaces:
- internet (212.x.x.65, aliases for .66, .67, .68,...)
- 2 segments for "clients" (192.168.2.x, 3.x)
- segment for wireless clients (192.168.4.x)
- segment for servers (192.168.5.x)
the "normal" clients are easy -> masquerade
clients in the wireless segment need to use pptp to get access to the internet and the server segment
network access between clients in the 2 companies/wireless is controlled via packet filter rules (e.g. access to printers)
how we nat'ed the servers (1 server as an example)
1) dnat rule:
any source -> external ip .67 as target, any service; change target to internal ip of server
2) snat rule:
internal ip -> any, change source to external ip
3) packet filter:
ALLOW any source, selected service (e.g. http) -> internal ip of server
feedback is welcome
thanks
jodok
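The three rules above (DNAT, SNAT, packet filter) sit on the standard netfilter path that Astaro runs on: nat/PREROUTING rewrites the destination first, filter/FORWARD decides next, and nat/POSTROUTING rewrites the source last. The small model below is an added example, not the poster's configuration and not Astaro code; it uses constructed addresses (212.0.0.67 for the redacted 212.x.x.67, 192.168.5.10 for the unnamed server, 203.0.113.5 and 198.51.100.9 for outside hosts) and shows why rule 3 has to match the internal IP, what happens to a service the DNAT forwards but the filter does not allow, and how the server's own connections leave with the .67 source.

```python
"""Added example: model of the nat PREROUTING -> filter FORWARD -> nat POSTROUTING
path for the one-server NAT setup described in the post. Addresses are constructed;
this is not Astaro's code or the poster's configuration."""
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed stand-ins: the post redacts its range as 212.x.x.x and does not
# say which 192.168.5.x host the example server is.
EXTERNAL_IP = "212.0.0.67"
SERVER_IP = "192.168.5.10"
ALLOWED_PORTS = {80}          # "selected service (e.g. http)" in rule 3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def dnat(pkt: Packet) -> Packet:
    """Rule 1: any source -> external .67, any service; change target to the server."""
    return replace(pkt, dst=SERVER_IP) if pkt.dst == EXTERNAL_IP else pkt


def snat(pkt: Packet) -> Packet:
    """Rule 2: server ip -> any; change source to the external alias."""
    return replace(pkt, src=EXTERNAL_IP) if pkt.src == SERVER_IP else pkt


def allow_to_server(pkt: Packet) -> bool:
    """Rule 3 as posted: ALLOW any source, selected service -> internal ip of server."""
    return pkt.dst == SERVER_IP and pkt.proto == "tcp" and pkt.dport in ALLOWED_PORTS


def allow_to_external(pkt: Packet) -> bool:
    """The same rule written against the external ip (a common mistake):
    by the time FORWARD runs, DNAT has already rewritten dst, so this never matches."""
    return pkt.dst == EXTERNAL_IP and pkt.proto == "tcp" and pkt.dport in ALLOWED_PORTS


def inbound(pkt: Packet,
            filter_rule: Callable[[Packet], bool] = allow_to_server) -> Optional[Packet]:
    """A packet arriving on the internet interface.
    Returns the packet as the server receives it, or None if the filter drops it."""
    pkt = dnat(pkt)                 # nat/PREROUTING: .67 -> 192.168.5.10
    if not filter_rule(pkt):        # filter/FORWARD: sees the internal address
        return None                 # e.g. port 22 is DNATed but dropped here
    return pkt                      # nat/POSTROUTING: rule 2 does not match (src is not the server)


def outbound(pkt: Packet) -> Packet:
    """A connection the server opens itself. The post lists no outbound filter
    rule, so this model assumes the server is allowed out and only applies SNAT."""
    return snat(pkt)                # nat/POSTROUTING: 192.168.5.10 -> .67


if __name__ == "__main__":
    client = "203.0.113.5"          # constructed internet source
    print(inbound(Packet(client, EXTERNAL_IP, 80)))                      # delivered to 192.168.5.10:80
    print(inbound(Packet(client, EXTERNAL_IP, 22)))                      # None: DNATed, then dropped by rule 3
    print(inbound(Packet(client, EXTERNAL_IP, 80), allow_to_external))   # None: filter written against .67 never matches
    print(outbound(Packet(SERVER_IP, "198.51.100.9", 443)).src)          # 212.0.0.67
```

The practical consequence for the posted design: because rule 1 forwards "any service", the set of ports the internet can reach on the server is bounded only by rule 3, so that rule (and its per-server service list) is the real exposure control, and it must name the internal address, not the .67 alias.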