Results 1 to 3 of 3
I am an instructor at a school where I also maintain the network for my classroom and all of the adult programs as well as the biz and admin offices. ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 02-11-2008 #1
Protecting my network through a vlan
I am an instructor at a school where I also maintain the network for my classroom and all of the adult programs as well as the biz and admin offices. Part of the classes / offices are at a different building / physical location.
there are presently 2 T1 lines to that campus, one for IP phones and one for my network. I do not maintain the phones, they are taken care of by the technology coord. They are changing the connections between the 2 locations by replacing the T1s with a single fiber. They may be able to make the connection transparent for my network and I would not need to make any changes. Presently I have all one segment for both places.
Even if it does work to be transparent, I am VERY concerned about the security of my network. I do not have access to the 2 L3s they are going to use on each end so someone can "peek" into my network any time they choose unless I prevent that. I have logged repeated attempts to connect to my main NAT from the outside, I feel this is a cut to the heart.
I am thinking I want to have a NAT on each end of the connection but I am not really sure how to set the routing up.
Internet <--> lan here <--> new nat <--> L3 <--ss--> L3 <--> new nat <--> there
I have a custom firewall with iptables on my main nat to the internet, I am not sure how I would set the routing or if I need 5? network segments or .....
I would want it to all be transparent to the users. I know I have to set a new DHCP server at that campus and I can still use my DNS servers here.
Really looking for a simple but effective solution. They will set the IPs to the L3s to whatever IP I give.
- 02-11-2008 #2
- Join Date
- Nov 2007
So you have an iptables machine with 2 NIC's in it already...
You can physically add 1-2 more NIC's and create 2 new subnets - routing is then straight-forward IP forwarding at the iptables machine.
OR, you can continue to use one "internal" NIC and create virtual IP's tied to VLAN's (eth1:1). I know I have seen other posts about VLAN's and iptables on this forum. This also makes your iptables rules a little more complex.
My personal preference would be to throw 2 more NIC's (like a dual port) into the iptables machine.
Another thread along the same lines is here.
- 02-11-2008 #3
sorry, is hard to know what all I have not added that I already know
My main NAT is between my network and the Internet, the other campus is connected to my network via a T1, which is being replaced and combined with the phones for that campus. My NAT will remain as is but I want to protect the network at this campus and the network at that campus from the, not maintained by me, pair of L3s that will combine / separate the segments here and there.
For the most part, Internet requests will just come from the other campus through me and I should be able to simply route traffic through and then allow for the established,related traffic back. I will want to be able to see things on the other side from here myself.
It seems like it will be a big task but I may be making more out of this than needed, I am just really unsure of the routing solution.
If I want to connect to the other campus, it would be a different ip than my segment, my main NAT would need to reject those packets and the new NAT on this end should see them and forward them. If the L3s are set to pass packets right, the other NAT should receive and route as needed.
I am being paranoid, I know, but there have been too many issues that I cannot go into that makes me take these measures.
Thanks for the reply