Topic: 30 static IP's

[coffee]

I was just wondering if the sme firewall supports more then one staitc IP. I have 30 computers each with it's own static ip that gets out on the internet, used for gaming purposes. So, each computer will go threw the firewall and get on the internet using a different IP each machine.

thanks in advance.

[Bob Todd]

hmm thats going to involve a lot of configuring if I'm not mistaken - games and firewall ports can be difficult to set all the correct ports. If its not a silly question if the machines are only being used for games why bother with the firewall?

[coffee]

There's about 40 machines total, 20 or so are used for games and the other 20 are used to do work with like surf the net/do reports/e-mails/accouting .etc. We just want to secure our network using a firewall so i suggested the SME e-smith firewall thing.

[Bob Todd]

problem as I say with games is that it means opening more ports so you're decreasing your security for your entire network - take the games machines and hook them onto a separate switch connected directly to your internet router. then protect the rest of the network - ie the important machines behind the firewall. Make sure you keep the games machines entirely separate from the secure network - they can all have a static IP and you'll have spare left over because the machines behind the firewall/SME server will be using internal internet address range such as 192.168.x.y and the external interface on the SME box just needs the 1 fixed ip assigned to it.

Thats the quick, easy method I'd use. I'll stand corrected if anyone comes up with a better/ quicker way.

Bob

[coffee]

ok, but what about the 20 - 30 static IP's that have to go threw the firewall on to the internet ? i been doing some research and i have come to the comclution that i will "need" to install IPTables for the static IP forwarding to work. SME currently doesn't support IPtables it only supports IPCahins.

Am i right or have i lower looked something A

[Bill Talcott]

The 1:1 NAT addon might help you out, though I think it forwards all ports, so the firewall wouldn't really be doing anything...

http://www.tech-geeks.org/article.php?story=20020206234827402

[Bob Todd]

ok, maybe I wasnt clear enough in my previous post. lets assume you have been given 30 static ip addresses to use - just for arguments sake.

1 will be assigned to your router (dsl , cable whatever) - this is known as your gateway

1 will be assigned to your external interface on the SME server - all incoming and outgoing traffic for your "protected" office machines will pass through this interface. The firewall and NAT in SME will protect the office machines from the outside world. The machines connecting through the SME server will use "internal" IP addresses such as those in the 10.x.x.x range or the 192.168.x.x range

That means you still have 28 static addresses available. These you can assign to the "games" machines. Any spare can be left over for "expansion".

So for a "games" computer that we are not protecting from the net it connects like this

gamepc---->router----->internet



And for your "protected" machines they connect as follows

officePC---->SME Firewall/Proxy------>Router----->internet


Hope this clears it up for you.

[Boris]

This may work, but I would go with one of the more flexible firewall solutions for Game PCs as well, unless you ready to "ghost" them fresh often.
Firewall you should be looking for needs to support DMZ, IP alias for public interface and NoNAT touneling option. This at last let you to protect the most exploitable services. Having no firewall at all for Game PCs is asking for trouble. There are many free or inexpensive solutions to your discretion. SME will serve you well as a basic firewall for office computers with integrated mail, mySQL, file/print, domain authentication etc. services or stand alone internal server behind firewall.

[brian read]

Try www.ipcop.org or www.smoothwall.com

and put the games machines on the DMZ side of the firewall, and the office machines (including an SMEServer if needed), on the green side.

Cheers

Brian

[Steve]

what if he just used mandrake 9.0 it have a nice Shorewall feature that is Iptable based  (   http://www.linux-mandrake.com/en/9.0/presentation/10.php3   ) and i has a GUI layout for easy administration.

BTW where can i find screenshots of the SME layout ? or is it all text based ?

[Tony]

Read again Bill Talcott,s post,,
NAT 1 to 1 works fine and easy to setup you ned not to make any changes to the pc,s on your lokal LAN. Only to update the conf file for NAT,,,

/Tony

[Dok]

Coffee,

Since you did not state that it was important to protect your game pcs.  I agree with Bob Todd and keep two separate networks.  

Here is what I mean.


               Internet
                   |
                   |
           Broadband modem
            (DSL or cable)

                   |
         |
         |
              ---Switch---------------
              |          |   |   |   |
              |          |   |   |   |
              |          |   |   |   |
             E-Smith    PC  PC  PC  PC
               |          
               |       (Game PCs with Public Static IPs)
               |
           --Switch--
           |   |    |
       |   |    |
          PC  PC    PC
           
         (internal PCs with private IPs)
         (i.e.  192.168.x.x or via DHCP)

Regards,

Dok

[Dok]

Sorry everyone.  The drawing did not post correctly.  I made the changes.

Dok

========================================================
Coffee,

Since you did not state that it was important to protect your game pcs. I agree with Bob Todd and keep two separate networks.

Here is what I mean.


                Internet
                    |
                    |
         Broadband modem
             (DSL or cable)
                    |
                    |
                    |
            ---Switch---------------
            |           |     |    |    |
            |           |     |    |    |
            |           |     |    |    |
   E-Smith       PC PC PC PC
        |
        |                (Game PCs with Public Static IPs)
        |
    --Switch--
    |     |     |
    |     |     |
   PC PC PC
(internal PCs with private IPs)
(i.e. 192.168.x.x or via DHCP)

Regards,

Dok

[Dok]

Sorry everyone,

I cannot seem to get the picture to show correctly.  I created the file in notepad and when I copy and paste the text drawing, all the characters are left aligned.  If you want the text drawing, please send me an email request.

Regards,

dok