www.zeroshell.org Forum Index -> ZeroShell
Linux Distribution for server and embedded devices
Segregated LANs

bionemesis
Joined: 16 Feb 2016
Posts: 2
Posted: Tue Feb 16, 2016 9:11 pm    Post subject: Segregated LANs

I have ZS set up in VMware ESXi. There are 5 physical adapters connected into 5 virtual switches. ZS has these configured as ETH00, which has an IP of 10.0.0.55 and is physically connected to a switch shared by other devices on my network. ETH01-ETH04 have IPs of 192.168.1.1, 192.168.2.1, 192.168.3.1 and 192.168.4.1 and are configured to provide DHCP and DNS services. Each port is physically connected to an individual device (usually a client's computer or laptop). On each of the virtual switches associated with ETH01-ETH04, there is only ZS and a virtual NAS server (the virtual NAS server also has ETH01-ETH04 configured with a static IP matching the subnet configured in ZS).

I want any device that is connected to ETH01-ETH04 to be able to get on the internet, see the NAS, and that is it. I've done considerable searching on this and found a few tutorials, which resulted in the firewall configuration below. Despite this, devices connected to any of these ports can see themselves, other devices connected to the other ports, and devices connected to ETH00. So obviously I'm doing something wrong. Any help would be greatly appreciated. I've also attached screenshots of my configuration.

Firewall Configuration

Policy Drop, Chain Forward
Seq  Input  Output  Description                                                                   Log  Active
1    *      ETH00   DROP   all opt -- in *     out ETH00  0.0.0.0/0 -> 10.0.0.0/24                no
2    ETH01  ETH00   ACCEPT all opt -- in ETH01 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                  no
3    ETH02  ETH00   ACCEPT all opt -- in ETH02 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                  no
4    ETH03  ETH00   ACCEPT all opt -- in ETH03 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                  no
5    ETH04  ETH00   ACCEPT all opt -- in ETH04 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                  no
6    *      *       ACCEPT all opt -- in *     out *      0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED  no

Policy Drop, Chain Input
Seq  Input  Output  Description                                                                   Log  Active
1    ETH01  *       ACCEPT all opt -- in ETH01 out *      0.0.0.0/0 -> 0.0.0.0/0                  no
2    ETH02  *       ACCEPT all opt -- in ETH02 out *      0.0.0.0/0 -> 0.0.0.0/0                  no
3    ETH03  *       ACCEPT all opt -- in ETH03 out *      0.0.0.0/0 -> 0.0.0.0/0                  no
4    ETH04  *       ACCEPT all opt -- in ETH04 out *      0.0.0.0/0 -> 0.0.0.0/0                  no
5    *      *       ACCEPT all opt -- in *     out *      0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED  no
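To see on paper what the rule table in this post permits, here is an added first-match model of the FORWARD chain (example code written for this thread, not ZeroShell's own); the sample hosts and the 203.0.113.5 internet address are constructed. It models only routed traffic: hosts on the same virtual switch talk to each other directly and never traverse the firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the FORWARD chain from the post: the first matching rule wins,
# and the chain policy (DROP) applies when nothing matches. Interface "*" and the
# 0.0.0.0/0 network are wildcards; "state" is the set of conntrack states accepted.
FORWARD_POLICY = "DROP"
FORWARD = [
    {"in": "*",     "out": "ETH00", "src": "0.0.0.0/0", "dst": "10.0.0.0/24", "target": "DROP"},
    {"in": "ETH01", "out": "ETH00", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",   "target": "ACCEPT"},
    {"in": "ETH02", "out": "ETH00", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",   "target": "ACCEPT"},
    {"in": "ETH03", "out": "ETH00", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",   "target": "ACCEPT"},
    {"in": "ETH04", "out": "ETH00", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",   "target": "ACCEPT"},
    {"in": "*", "out": "*", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
]

def matches(rule, pkt):
    """True when every field of the rule accepts the packet."""
    if rule["in"] not in ("*", pkt["in"]) or rule["out"] not in ("*", pkt["out"]):
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    return pkt["state"] in rule["state"] if "state" in rule else True

def verdict(chain, policy, pkt):
    """Walk the chain in Seq order; return (target, seq) of the first match, or (policy, None)."""
    for seq, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule["target"], seq
    return policy, None

def forward(in_if, out_if, src, dst, state="NEW"):
    """A routed packet as seen by the FORWARD chain; NEW means no existing conntrack entry."""
    pkt = {"in": in_if, "out": out_if, "src": src, "dst": dst, "state": state}
    return verdict(FORWARD, FORWARD_POLICY, pkt)

if __name__ == "__main__":
    # Constructed sample hosts: 192.168.1.10 on ETH01, 192.168.2.10 on ETH02, 10.0.0.20 on ETH00.
    for args in [("ETH01", "ETH00", "192.168.1.10", "203.0.113.5"),
                 ("ETH00", "ETH01", "203.0.113.5", "192.168.1.10", "ESTABLISHED"),
                 ("ETH01", "ETH02", "192.168.1.10", "192.168.2.10"),
                 ("ETH01", "ETH00", "192.168.1.10", "10.0.0.20"),
                 ("ETH00", "ETH01", "10.0.0.20", "192.168.1.10")]:
        print(args, "->", forward(*args))
```

Running it shows that, for routed packets, the table itself only lets ETH01-ETH04 out via ETH00 (minus the 10.0.0.0/24 subnet) plus replies; anything the firewall does not see, such as two hosts sharing a virtual switch, is outside what this model can explain.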
Montikore
Joined: 19 Jan 2016
Posts: 63
Posted: Wed Feb 17, 2016 10:08 am

As you use virtual switches, using the interface names for firewalling is perhaps not a good idea; try to set all your rules with IP only.
By the way, I think your forward rule 1 is useless, and all your input rules are useless for this specific need (but don't set input to drop without allowing your subnet!).

I'm not sure I understand everything... Is your description of the issue accurate? You want ETH1-ETH4 to see ETH0 and the internet, and not each other? And currently everybody sees everybody?
bionemesis
Joined: 16 Feb 2016
Posts: 2
Posted: Tue Feb 23, 2016 6:34 pm

Yes, I want ETH1-4 to see the internet via ETH0 and any other devices within their own subnet, but not across subnets (so ETH1 shouldn't see any devices on ETH2).
ilNebbioso
Joined: 31 Mar 2009
Posts: 21
Posted: Mon Mar 21, 2016 12:12 pm

I think you could take some inspiration from a different scenario (but not so different from yours).

I asked about it in the past here: http://www.zeroshell.net/forum/viewtopic.php?t=1807&highlight=
The scenario was for TWO ethernet cards (one is WAN and the second manages multiple VLANs with a VLAN-capable switch), where just one VLAN was visible to the others (#198 in my case).

Maybe this could help... I hope!