Stabby McDamage
Dec 11, 2005

Doctor Rope
At work, we have some private VLANs for which I want to provide a NAT gateway to the broader corporate VLAN.

The way I did this back in the day was to deploy something like IPCop as a Linux VM, then do a bunch of ugly configuration hacks so I can administer it from OUTSIDE (i.e. on the so-called "red", or uplink, interface). It's ugly, especially on install.

What's a good free VM-deployable NAT router package for something like this?

The requirement is that I have to admin this from OUTSIDE the private VLAN using a plain browser, which is not normally possible on home-oriented NAT packages. I don't always have an easy way to put a browser in these VLANs, so I'd prefer a package where I can enable external administration during install or via the command line.

Any ideas?

EDIT: I know I could do this with iptables in plain Linux, but I'd like something simpler, especially so colleagues can make changes without learning iptables.

teamdest
Jul 1, 2007
I think pfSense can do all of that. It's a BSD-based software firewall, and it does NAT and all that and is configurable over the web.

https://www.pfsense.org/

wwb
Aug 17, 2004

Seconding pfsense (or its trimmed-down cousin m0n0wall) -- I've got multiple lab networks running and we use it on all of them and it is amazing. The packages themselves are BSD running iptables and other standard *nix network tools in a web-based wrapper that makes things approachable. I would probably go with pfsense as it has many more features and it probably likes running in a VM better.

For outside access we leverage the VPN capabilities of the device rather than directly expose the admin panels. Really handy for lab networks because you can get onto the network remotely to tap into whatever lovely devices you've got in your lab.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
https://www.vyos.net

Stabby McDamage
Dec 11, 2005

Doctor Rope
Thanks. I just realized that the company's shut down next week, so I won't get to try these until the week after, but I'll let you folks know how it goes.

wolrah
May 8, 2006
what?
Thirding pfSense. It runs great in a VM or on real hardware. My home LAN is currently running on a PC Engines APU1C (AMD G-T40E 1GHz dual core, 2GB RAM) and the thing doesn't even break a sweat with a dozen VPNs and two IPv6 tunnels over two internet connections. Here are some RRD graphs from mine this morning while my housemates bought a few Steam games: http://imgur.com/a/c17Oq

In the past I ran it on a 233MHz Pentium II stuffed full of network cards to combine six 10m campus LAN connections with my 10/1 cable and a neighbor's 5/1 WiFi. If you just need it to firewall and pass packets you can get a lot out of very little hardware with this.

wwb posted:

The packages themselves are BSD running iptables and other standard *nix network tools in a web-based wrapper that makes things approachable.

It's actually "pf" from the OpenBSD project as implemented in FreeBSD rather than iptables, but the end result for the user is pretty much the same in that they have a powerful firewall engine with a nice GUI on top of it.

Stabby McDamage
Dec 11, 2005

Doctor Rope
Installed pfsense, it worked perfectly, A++ would install again.

One tip I had to figure out -- I didn't have any machines on the private LAN side to use to log in to the web interface, but using the console, I was able to do "pfctl -d" to disable the whole firewall, then I could web admin from the WAN interface enough to make a "real" firewall rule allowing it.

Anyway, now I have another question. The company has a 10.0.0.0/8 address space which is partitioned into all kinds of subnets and VLANs. Further, many people commonly use Cisco AnyConnect VPN to get into this address space to do work. I'd like to use pfSense as a VPN target so that people can access the private 192.* networks behind it.

This means doing a VPN over VPN:
   Remote PC (public IP) -> AnyConnect VPN (10.x.y.z) -> pfSense VPN (192.168.a.b)

This is currently not working, because when the second VPN kicks in, it replaces the gateway used by the AnyConnect to stay connected, and the whole thing falls over. Is there any way to make this work?

The alternative is our standard practice -- having a "jump machine" that you can RDP into that's on the border of the 10.x.y.z as well as the 192.168.a.b networks, which sucks.
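A narrower way to express the "real" rule the pfctl -d tip above works towards, as an added illustration that is not from the thread or the pfSense project: pfSense generates its own ruleset from the GUI, so this is plain pf.conf syntax showing the intent only. The interface names, GUI port and the admin host address are assumptions.

```pf
# Added illustration, not pfSense's generated ruleset. Interface names and the
# admin host are assumptions for the example.
wan_if = "vtnet0"
lan_if = "vtnet1"
admin_host = "10.50.2.25"   # the one WAN-side workstation allowed to reach the GUI
gui_port = "443"

# Default deny inbound; keep state on what we pass.
block in log all
pass out all keep state

# The private LAN behind the NAT reaches the GUI as usual.
pass in on $lan_if proto tcp from $lan_if:network to ($lan_if) port $gui_port keep state

# The WAN-side exception, limited to one host and one port. "pfctl -d" instead
# switches pf off entirely, which stops NAT translation along with filtering.
pass in quick on $wan_if proto tcp from $admin_host to ($wan_if) port $gui_port keep state
```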

wolrah
May 8, 2006
what?
Unless you're enforcing it on the server side, I believe that's an option in most VPN clients whether it sets the VPN as the default route or just as a route for the subnet(s) at the other end. Which VPN technology are you using?

Stabby McDamage
Dec 11, 2005

Doctor Rope

wolrah posted:

Unless you're enforcing it on the server side, I believe that's an option in most VPN clients whether it sets the VPN as the default route or just as a route for the subnet(s) at the other end. Which VPN technology are you using?

On pfSense, I tried L2TP but had trouble, so I went to PPTP. I don't care about security.

The outer VPN is Cisco AnyConnect. I'll try to mess with the gateway settings.

One thing that complicates it further is that my IP address on the wireless at work is also a 10.0.0.0 address, but one that doesn't route to anything corporate. So just saying "use this VPN for anything 10.0.0.0" may not be sufficient.
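The routing problem behind the VPN-over-VPN failure, worked through as an added example that is not from the thread: a longest-prefix-match table for the client, once with the inner (pfSense) VPN taking the default route and once split-tunnelled to just the private LAN. All addresses are constructed placeholders, including the "10.200.0.0/16" office wireless that models the non-corporate 10.x subnet mentioned above.

```python
import ipaddress

# Constructed example; every address here is a placeholder, not from the thread.
PHYSICAL = "wifi"
# Tunnel name -> the remote endpoint the tunnel's own encapsulated packets must reach.
TUNNELS = {
    "anyconnect": "203.0.113.10",  # outer VPN concentrator (public IP)
    "pptp": "10.50.1.1",           # pfSense WAN address inside corporate 10/8
}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, link) pairs; returns the link name."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, link in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, link)
    return best[1] if best else None

def build_routes(split_tunnel):
    """Client routing table with AnyConnect up and the pfSense VPN just connected."""
    routes = [
        ("0.0.0.0/0", PHYSICAL),       # office wireless default gateway
        ("10.200.0.0/16", PHYSICAL),   # the wireless itself is 10.x but not corporate
        ("10.0.0.0/8", "anyconnect"),  # corporate space pushed by the outer VPN
    ]
    if split_tunnel:
        routes.append(("192.168.10.0/24", "pptp"))  # only the LAN behind pfSense
    else:
        routes.append(("0.0.0.0/1", "pptp"))        # full tunnel: the two /1s beat
        routes.append(("128.0.0.0/1", "pptp"))      # the existing default route
    return routes

def carrier_chain(routes, name):
    """Links carrying a tunnel's endpoint traffic, outermost last; a loop shows as a repeat."""
    chain = [name]
    while name != PHYSICAL:
        name = lookup(routes, TUNNELS[name])
        chain.append(name)
        if name is None or chain.count(name) > 1:
            break
    return chain

def nesting_ok(routes):
    """True when every tunnel ultimately rides the physical link without looping."""
    return all(carrier_chain(routes, t)[-1] == PHYSICAL for t in TUNNELS)
```

With the full tunnel the AnyConnect concentrator itself becomes reachable only through the inner tunnel, which in turn rides AnyConnect, so carrier_chain reports the loop; the split-tunnel table keeps 10.200.0.0/16 on the wireless because its /16 is more specific than the /8 sent to AnyConnect.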
