Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: ReetP on October 18, 2012, 01:16:41 AM
-
Can someone give me the benefit of their advice on the following...
Hope this makes sense!
A server in Server / Gateway mode gets the benefits of more security.
The PCs are protected behind the firewall. The server is currently in Private server mode. However, it is required that the server be put into a DMZ for access from the Internet.
How can this be implemented if you only have a single multiport router as per my awful diagram?
http://www.prestige-branded-merchandise.com/My_Pix/Computer/Network_plan.pdf
http://www.prestige-branded-merchandise.com/My_Pix/Computer/Network_plan.png
Is there anything else that can be done to increase the security of the server in this scenario if you don't have a second card / switch (I was thinking about this Bug/NFR http://bugs.contribs.org/show_bug.cgi?id=6603 - Enable dummy LAN ethernet to be able to run SME as VPS in server/gateway)?
Presumably in this scenario local PCs would not have access to file sharing or other 'local' services on the server and only 'Internet' services?
In this instance there is a router to router VPN LAN which the PCs need to use - currently there is a static route for this on the router.
How will they be affected if a second network card is added and they are routed via the server? Would this be affected if they were an 'active True IP' rather than just a private IP DMZ?
Any answers gratefully appreciated.
B. Rgds
JC
-
It depends on how the router is set up. If it routes, then the external IP would be on a NIC in the SME. If it NATs, you would have to open ports to the server.
-
I think you're trying to use your router as a firewall... it isn't one!
Even if it says it has "firewall features"... even if it says it has a place to put the IP for a DMZ.
If you don't have a firewall, do not use DMZ.
To create a DMZ you need a separate NIC on the firewall, and connect your server in S/G mode on that NIC.
When you use the DMZ feature of a router, you're opening all Internet ports to the host pointed to in the DMZ feature.
I hope this makes sense and is at least vaguely correct :$
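The point made above, that a router's "DMZ host" feature forwards every inbound port so the host's own firewall becomes the only remaining control, can be made concrete by checking which listening services would become Internet-reachable under each placement. The following is an added example, not code from the thread or from the SME Server project: it parses a constructed listener table (shaped like `ss -lntu` output; the addresses, ports and the 192.168.1.1 LAN address are all invented) and models exposure as the intersection of three filters: the socket's bind address, what the router forwards, and what the host's own firewall allows. Wildcard binds (0.0.0.0) are the only ones that can receive WAN traffic; a service bound to the LAN address or to 127.0.0.1 stays unreachable from the Internet regardless of the router, which answers the question about 'local' services.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed listener table in the shape of `ss -lntu` / netstat output.
# Not taken from the thread; 192.168.1.1 stands in for the server's LAN address.
CONSTRUCTED_LISTENERS = """\
tcp   0.0.0.0:22        LISTEN
tcp   0.0.0.0:80        LISTEN
tcp   0.0.0.0:443       LISTEN
tcp   0.0.0.0:139       LISTEN
tcp   192.168.1.1:445   LISTEN
tcp   127.0.0.1:3306    LISTEN
udp   0.0.0.0:53        UNCONN
"""

Service = Tuple[str, int]  # (protocol, port)
ALL: Optional[FrozenSet[Service]] = None  # "this layer filters nothing"


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# proto, bind address, port, state
LISTENER_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+$")


def parse_listeners(text: str) -> List[Listener]:
    """Parse ss/netstat-style lines into Listener records; unknown lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = LISTENER_RE.match(raw.strip())
        if m:
            out.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return out


def wan_reachable(lst: Listener) -> bool:
    """Only wildcard-bound sockets can accept a packet that arrives on the WAN side.
    Loopback and LAN-address binds never see it, whatever the router forwards."""
    return lst.addr in ("0.0.0.0", "::", "*")


def exposed(listeners: List[Listener],
            router_forwards: Optional[FrozenSet[Service]],
            host_allows: Optional[FrozenSet[Service]]) -> Set[Service]:
    """Services an Internet client can reach: the socket must be WAN-reachable,
    pass the router's forwarding policy and pass the host's own firewall.
    ALL (None) at a layer means that layer does not filter."""
    result: Set[Service] = set()
    for lst in listeners:
        if not wan_reachable(lst):
            continue
        svc = (lst.proto, lst.port)
        if router_forwards is not None and svc not in router_forwards:
            continue
        if host_allows is not None and svc not in host_allows:
            continue
        result.add(svc)
    return result


def scenarios(listeners: List[Listener]) -> dict:
    """The three placements discussed: explicit port forwards, router DMZ host
    with an unfiltered host, and a bridged/DMZ router with the host filtering."""
    web = frozenset({("tcp", 80), ("tcp", 443)})
    return {
        "router forwards 80/443, host unfiltered": exposed(listeners, web, ALL),
        "router DMZ host, host unfiltered": exposed(listeners, ALL, ALL),
        "router bridged/DMZ, host filters (server/gateway)":
            exposed(listeners, ALL, web | {("tcp", 22)}),
    }


if __name__ == "__main__":
    for name, svcs in scenarios(parse_listeners(CONSTRUCTED_LISTENERS)).items():
        print(f"{name}: {sorted(svcs)}")
```

In the second scenario the SMB listener on tcp/139 and the DNS resolver on udp/53 show up as Internet-reachable purely because they are wildcard-bound and the router has stopped filtering; the tcp/445 listener bound to the LAN address does not. The third scenario is the server/gateway arrangement: the router contributes nothing, and the exposure set is exactly the host's own allow list.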
-
Thanks for the replies.
Does a Draytek 2820 count as a router or a firewall? It has a DMZ for either a private IP or 'Active True IP'.
Any thoughts appreciated!
-
What kind of service for Internet do you have? From looking at the Draytek, it seems to me that the active IP in the DMZ actually just bridges the DSL to whatever MAC address is enabled. I could be wrong though. If this is the case and using the SME as the firewall is acceptable to you, it would work without any issues I see in server-gateway mode.
The external NIC would be the only thing connected to the Draytek, and I would also make sure whatever NAT network ranges it uses don't conflict with your internal scheme, just to be on the safe side.
I've run server-gateway for many years and find it to be secure and reliable. I've also used many Draytek products and find them to function as intended. Their VLAN implementation is a bit weak, but they are stable.
-
My 2 cents: why not put the router in bridged mode and let the SME server do the PPPoE?