  1. #1

    Linux as an Advanced Router

    I am a relative newbie, I built a P4 server last year with RH 9.0 and Apache, it lives in my Windows LAN and does fine - Samba, FTP, HTTP. Now we are "ready for prime time", but I need a perimeter solution. This is my laundry list of what I need:
    1.) 2 WANs hot fail-over, preferably bandwidth optimization.
    2.) A DMZ for the web server mentioned above (needs to connect to windows box inside LAN for MySQL)
    3.) IPTABLES firewall
    4.) Must be able to run on a Dual PPro 200MHz Compaq Proliant 2500
    5.) As is obvious from the above, it must use 4 NICs
    6.) DNS?
    7.) One WAN is static, the second DHCP from an ADSL modem.
    8.) VPN end-point or pass-through to LAN with W2K3 SMB Server as end-point.

    I thought that this was solved last year when buying a HotBrick but the VPN doesn't seem to agree with MS, so I turned to Linux. I have read the ADV Routing How-to, along with many others, but still run into walls.

    I have tried RH 9 (installs fine from CD, after learning to pass mem parameters to the kernel), but cannot get the fourth nic installed, with 3 I cannot reach the DNS of my ISP. Also, no more support (updates) for RH 9.

    Mandrake 9.2 and SUSE SLES 9 wouldn't install from CD. I got SLES 9 to start the install from boot floppies but then it still couldn't find the CD-ROM. Switched to NFS using the web server above (which by the way boots the CD fine, so it's not a media issue) and it hangs, says it's retrieving data and then freezes for 30 minutes before I rebooted.

    Debian had various problems, not the least of which with graphics (as a newbie I cannot do it all from the #). Again getting 4 NICs, 2 of the same card and therefore the same driver. In the latest release -WOODY- the kernel has multiple tables turned off by default; after 3 tries and 2 days of processor time I gave up on compiling a new 2.6 kernel.

    I've tried Sentry - the firewall distro, but again it wouldn't boot on the Proliant (it did on web server - not a media problem).

    To sum up, I am at an impasse, I need guidance. Which distro? Can 4 NICs really work? Has anyone written a comprehensive (almost cookbook) guide for this type of application? Any help is much appreciated!!

  2. #2
    Man, I'm only gonna say that those Proliant Compaq servers are really hard to deal with. I've got a Proliant 1500 and I can't even start the installation, the CD doesn't work, I have no clue why; from the floppies it always freezes and doesn't continue. It's been like that for like a month now and I still can't find a way to install anything on this damn machine.
    Anyways, I think you should have got an easy installation CD with the server, it has everything in it, and I'm sure that you can work with 4 NICs. I'll try to find a tutorial for you and I'll post it here.

    Again, good luck with your installation and I hope that soon I will be able to configure my damn Proliant server.


  3. #3
    Linux Enthusiast | Join Date: Jun 2002 | San Antonio
    Okay, this is quite a setup. Yes, 4 nics will work. However, with only 2 lans and a DMZ, do you really want to do this the cheap way with a dual PPro 200 linux machine? If you really want something this complicated, you are going to need to give us waaaay more detail than you did in that post. The best I could gather would be a setup like so:

    one ADSL line coming in
    one static (T1, T3?) line coming in
    one DMZ backend
    one NATted backend
    With one webserver (RH9, apache) to go on the DMZ, and one W2k3 Fileserver on the NAT. Let me know how far off this is.

    Those assumptions being made, you should take it one step at a time. First, get the four NICs working. I know you can do this, I have done it before. I would suggest using the same brand/type of NIC in the four separate PCI slots. If you have the money, it may be best to buy two dual NICs.

    Also, a suggestion: you should eliminate one of the NICs and just put the webserver on the NAT side behind the firewall. Added protection, and allows for easier configuration of the Proliant routing setup.

    Please post further information, and/or let us know how far you have gotten. With enough information, there are plenty of people around here that know what they are doing. If you really want to get it working right, post a link to your dmesg output, your ifconfig -a output, and all other relevant items. There is no such thing as too much information when dealing with a complex setup like this.


    I respectfully decline the invitation to join your delusion.

  5. #4
    You assumed correctly:

    eth0 - ADSL - DHCP external #1
    eth1 - static fractional T1 (768/768) external #2
    eth2 - DMZ - RH9 web server
    eth3 - Internal LAN - Windows SMB Server & 5+ desktops
    As far as other details and printouts of config files, I don't have them right now, because I don't have any distro installed. I need a place to start, Debian??

    I am also reading about, and getting ready to install, a floppy distro to try it out, maybe floppyfw. Sentry didn't work because the CD wouldn't boot.

    Also, what are the security risks of not having a DMZ and putting the Apache inside the firewall? I kept seeing the mention of that when I was researching hardware solutions - not having a DMZ port being a drawback.

  6. #5
    Linux Enthusiast | Join Date: Jun 2002 | San Antonio
    Think about it this way: why would you need a DMZ? These are normally only necessary when you have a router in front of the whole configuration. The standard config is to have a router passing traffic either to a DMZ or to a NATted backend. The NATted backend is there to hide all the services you want protected, and the DMZ is there to ensure that people have unlimited access to the machines in question. The DMZ machines are normally for filesharing between non-VPNed WANs, and for crazy configurations where you want to ensure that a compromise of the DMZ machine will not mean a compromise of the NATted, firewalled machines.

    I would not suggest this unless you have a rather large (14-18 machine) configuration where you are afraid of certain services. Like I said, people will normally use this setup for non-VPNed WANs, FTP stuff, and externally-accessed Databases that don't have as sensitive of data as the internal, firewalled, NATed machines.

    As for a place to start, any distribution can/will do this. If you specifically want my help, I would use RedHat ES3, just because it is what I work on mostly. However, everyone has different preferences depending on what they are used to, and what they think is "the best". I have seen RedHat servers max out a 100Mb/s NIC card with no problem, as well as FreeBSD. I am sure any other linux distribution would perform just about equally as well given the chance.


    I respectfully decline the invitation to join your delusion.
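An added illustration, not code from the thread or any of its posters, of how the interface layout given in #4 and the DMZ rationale in #5 translate into an iptables forwarding policy: the DMZ web server gets exactly one hole into the LAN (the MySQL port asked about in #1), so a compromised web server does not get the run of the NATted machines. It assumes a 2.4/2.6-era iptables with the state and multiport matches; the interface roles come from #4 and the IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: iptables forwarding policy for the four
# interfaces listed in #4.  Assumes iptables with the state/multiport matches
# (2.4/2.6 era).  The IP addresses below are constructed placeholders.
WAN1=eth0   # ADSL, DHCP (external #1)
WAN2=eth1   # fractional T1, static (external #2)
DMZ=eth2    # RH9 Apache web server
LAN=eth3    # W2K3 SMB server and desktops
WEB=192.168.20.10   # DMZ address of the web server (placeholder)
DB=192.168.10.5     # LAN address of the Windows box running MySQL (placeholder)

# With DRY_RUN=1 the rules are printed instead of loaded, so the policy can be
# read and reviewed before it is applied to the Proliant.
ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

build_rules() {
  ipt -P FORWARD DROP          # nothing crosses the router unless listed below
  ipt -F FORWARD
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for w in $WAN1 $WAN2; do
    ipt -A FORWARD -i $LAN -o $w -j ACCEPT   # LAN out (which WAN is a routing matter)
    ipt -A FORWARD -i $DMZ -o $w -j ACCEPT   # web server out (DNS, updates)
    # Internet -> DMZ: only HTTP/HTTPS, only to the web server
    ipt -A FORWARD -i $w -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  done
  # DMZ -> LAN: the single hole the web server needs (MySQL, as asked in #1).
  # A compromised web server therefore sees one LAN port, not the whole LAN.
  ipt -A FORWARD -i $DMZ -o $LAN -s $WEB -d $DB -p tcp --dport 3306 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i $LAN -o $DMZ -j ACCEPT  # admins may reach the DMZ box
  # Anything else the DMZ tries inward is logged: a cheap compromise indicator
  ipt -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
  # NAT: MASQUERADE because the ADSL address is dynamic; forward web traffic on both WANs
  ipt -t nat -F POSTROUTING
  ipt -t nat -F PREROUTING
  for w in $WAN1 $WAN2; do
    ipt -t nat -A POSTROUTING -o $w -j MASQUERADE
    ipt -t nat -A PREROUTING -i $w -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
  done
}

# Number of FORWARD rules that let the DMZ open new connections into the LAN.
dmz_to_lan_holes() {
  ( DRY_RUN=1; build_rules ) | grep -c -- "-i $DMZ -o $LAN .*-j ACCEPT"
}

case "${1:-}" in
  show)  ( DRY_RUN=1; build_rules ) ;;   # sh dmz-fw.sh show
  apply) build_rules ;;                  # sh dmz-fw.sh apply  (as root)
esac
```

Run it with `show` first and read the printed rules; `dmz_to_lan_holes` should report 1, and any "DMZ->LAN blocked" line in the kernel log is the web server trying to reach something it has no business talking to.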
