Topic: Multiple LANs on SME Server

[pstrooij]

I am wondering if it is possible to install SME Server on a server with the following specs:
* 1 ethernet card to ADSL router (to the internet)
* 1 ethernet card to LAN1 (company network)
* for LAN1 I want to configure the SME Server as domaincontroller
* 1 ethernet card to LAN2 (testnetwork for configuring computers for my customers)
* LAN2 has its own domaincontroller, so the SME Server only has to act as router for the internet traffic to LAN2

In short terms: I want to use 2 different (separated) networks with 1 internet connection.

Please let me know how I have to configure my SME Server to realize this situation.

[jester]

This is not possible. Maybe with heavy customisation if you REALLY know what you are doing. I think you would be better of using an old pc with an  stripped down firewall distro like pfsense (pfsense.org) or one of the many others that can do the job you want.

HTH

[Elliott]

I believe you could achieve the same results by adding the other LAN as a trusted local network and routing the other LANs clients through the SME.

Or another possibility would be to have the other LAN use a cheap off the shelf router/firewall type box as it's gateway and then give that little box an IP on the SME LAN as it's upstream.

[CharlieBrady]

Or another possibility would be to have the other LAN use a cheap off the shelf router/firewall type box as it's gateway and then give that little box an IP on the SME LAN as it's upstream.

That's what I'd recommend.

[arne]

But, if you install one small router inside your lan, all clients behind that small router will still have access to your lan resources, so that your lan will not be protected at all this way (??) (Don't know if it is something I have missunderstood ..) (And the same will also be the case if you install a WEP based wireless router or an access point on your LAN segment, there will not be any protection of your LAN at all.)

I am using such an arrangement just now, with two SME 7.2 gateways connected in series. (Reason is for testing and modifying the internal one in a safe and practical way.)

I believe that If you want to make a safe zone arrangement using two firewall routers connected in series, then the safe zone will be inside the firewall router no 2. So then, if you want to make a safe zone arrangement using a cheap router this will have to be located in the front of the SME gateway, and you will obtain an "experimental zone" in front of the SME server.

The SME gateway I have connected against internet contains a 3 card arrangement as indicated in this question. It has one safe Zone that can be used for a wireless lan, for testing of equipment or for anything. There will generally not be allowed traffic between the safe zone and your lan, exept for that traffic that is specified as exeptions by you. I have now used this 3 NIC soulutions for a moth or two, and it has worked 100 % stable and has not had any issues at all.

A third safe zone arrament via a third NIC can not be implemented using the automated firewall configuration tools as provided by the sme server today. At the moment there is no other way to to this than shutting down the automated firewall configuration tool and then do the 3 NIC configuration manually.

To do a discussion about firewall modifications on contribs.org these days have apeared to be not to easy. The only time in all my life when I have got negative feedbacks on internet forums, was at the period I tried to collect some basic datas from contribs.org to to the 3-NIC firewall development work. But it ended well in that way that the 3 NIC firewall works very good..

If allowed and wanted by SME developers and contribs.org administrators I could try to make a "howto" or some description on how to set up (and test out in a safe way) such a 3 NIC firewall solution.

If there is any security related issues, it would be very valuable to get some feedbacks about this, with some technical argumets and reasons behind it.

Actually it is also possible to make some rather nice and usefull improvements on the existing 2 port firewall arrangement with just minor changes to the existing template system, but to know and find out what is "usefull" and what is "nice" it will first be neccessary to test out "everything" in an enwironment of no restrictions at all.

My personal faverite is not the 3'rd NIC and the safe zone, but rather the ability to have full access to the SME gateway and LAN resources, ip telephony, etc from wirless zones and hotspots. These functions should be possible or rather easy to implement into the existing automated 2 port firewall arrangement, if wanted.

Personally I think that the SME server is the ideal platform and the most difficult platform for doing firewall development. It is ideal because all those server functions are atomated, so all focus and energy can be set on doing the firealling part of it.  

***********

Correction:

As I have not used the 3'rd NIC on regular basic, I had just forgotten a few issues there actualy are there:

When setting up the 3'rd NIC and modifying the firewall only as the only modification, there is issues with dhcp and dns on the 3'rd network segment. Like I use the 3'rd network segment I use it as a safe wireless zone only. This means that the wireless segment is fully isolated from all server functions on the gateway and all lan resources. This again means that I have to set up the wireless access point to use an external dns server and also the wireless access point has to do the dhcp service for the wireless safe zone. I just remebered these things when I made a new test just now.

If the wireless access point were not connected to the 3'rd NIC, dhcp and dns services would not have worked at the 3'rd network segment. (And I guess that the reason is that these server functions are configured to work against the eth0 lan segment only.)

..Will be using the 3'rd wireless zone on regular basis, for the future, to see if there should be more issues.