
I have two Linux servers which are going to be connected to a typical L3 switch/router. They will each be assigned one public IP address (let's say pub.ip.n.1 and pub.ip.n.2) by IT.

Q1: What is the best (simplest) way of getting this functionality:

  1. working internet routing (to/from pub.ip.n.1 and pub.ip.n.2)

  2. any subnet I define on the servers' interfaces (let's say 10.1.1.1/24) will have traffic passed between servers. Adding/removing a subnet should be a server admin task only, no router admin needed.

  3. those defined subnet(s) will not be routed at all nor interact in any way with other defined/assigned subnets.

  4. No need for routing/NAT on router side, firewalls will be managed on Linux.

On theoretical grounds and after some reading, it looks to me like it could be done by:

a) configure VLAN on both ports

b) set pub.ip.n.1 and pub.ip.n.2 on each port / assign pub.ip.n.1 / .2 and .gw to the VLAN.

c) allow all Ethernet level-2 traffic to flow between ports

d) disallow any IP traffic (except pub.ip.n.1, pub.ip.n.2, pub.ip.n.gw) from entering/leaving the VLAN.

Q2: Is any sophisticated router needed for that, or should it be possible on average server-room hardware nowadays?

Regards, thanks in advance!

  • Do you plan on using a firewall and static NATs for the public IPs or are you setting NICs directly on the Linux servers with public IPs and using IPTables or similar? – TheCleaner May 29 '13 at 15:09
  • I am setting Linux NICs with public IP (and private subnet) and using basic firewall on Linux. No NAT/firewall on router side required. – Mateusz Korniak May 31 '13 at 08:21

1 Answer

I think you can do all of that with a managed L3 switch and a firewall. VLANs would be the simplest way to isolate the subnets, then some simple firewall rules; how you define the rules depends on what you use.

So,

VLAN 10 1.1.1.0/30 GW 1.1.1.1 HOST 1.1.1.2
VLAN 20 2.2.2.0/30 GW 2.2.2.1 HOST 2.2.2.2

Allow traffic between 1.1.1.0/30 and 2.2.2.0/30 and towards the internet, and from the internet towards 1.1.1.0/30 and 2.2.2.0/30. Tell your firewall/router ACL about the other networks, and disallow traffic between them and those two networks.

Nothing special at all needed, you could do all this with SoHo gear.

NickW
  • It's even simpler, as pub.ip.n.1 and pub.ip.n.2 are in the same subnet, so I suppose one VLAN can be used for both public IPs? – Mateusz Korniak May 31 '13 at 09:32
  • Yeah, that's even simpler :) – NickW May 31 '13 at 09:32
  • I am asking this question because the router admin enforces subnet numbers (and defines another VLAN for it). I would prefer to **have control over which private networks I use** (by Linux interface management) without any config from the router admin needed at all. Is there any hidden problem here? – Mateusz Korniak May 31 '13 at 09:42
  • I'm not sure I understand; in theory you could put any RFC 1918 address inside, but it will only work if it is acting as a managed L2 switch. If it's level 3 (IP aware), it can enforce that only certain IPs are allowed in VLANs (and if it's a router, it will need to have an address in the same subnet to route for the addresses). – NickW May 31 '13 at 09:54
  • Sorry, I am unable to state my problem more clearly. Let's check a scenario: – Mateusz Korniak May 31 '13 at 11:49
  • No problem, I know explaining yourself in a second language isn't easy. Like I said, if your 2 machines are connected to a managed L2 switch, you can probably set whatever you like; if it's a router, things will probably not be so straightforward. – NickW May 31 '13 at 11:56
  • Assume I have "working internet" as we described above. Now I add 10.0.0.1/24 to the first server's iface and 10.0.0.2/24 to the second. Is it possible/easy to configure the router so it will work out of the box? Without bothering the router admin? IMHO I do not need any routing here (and I even do not want it, as I do not want any 10.x.x.x/24 traffic to be routed into/out of my VLAN by the router/L3 switch). Just my separate private subnet, only in my VLAN, for use only by my servers, managed only by me. – Mateusz Korniak May 31 '13 at 12:05
  • As I said, adding the IPs to the interfaces of the PCs is easy, but whether the router/L3 switch will pass the traffic depends highly upon how the network admin configured it. – NickW May 31 '13 at 12:13
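As an added example that is not part of the question or of NickW's answer, here is the Linux-side configuration the thread describes for one server: the public and the private address on the same NIC, the private subnet kept on-link, and nftables rules that keep that subnet from ever passing through the gateway even if the router admin later routes it. Interface name, addresses and MACs are placeholders, and the nft rule syntax is assumed for a current nft.

```shell
# Added example (not from the question or answer): one server's side.
# Placeholders: eth0 on the VLAN access port, 203.0.113.10/24 for pub.ip.n.1
# (gateway 203.0.113.1), 10.0.0.0/24 as the private subnet, 10.0.0.2 the peer,
# constructed MACs. Commands are printed for review, not run (apply as root).
IFACE=${IFACE:-eth0}
PUB_ADDR=${PUB_ADDR:-203.0.113.10/24}
PUB_GW=${PUB_GW:-203.0.113.1}
PRIV_ADDR=${PRIV_ADDR:-10.0.0.1/24}
PRIV_NET=${PRIV_NET:-10.0.0.0/24}
PEER_IP=${PEER_IP:-10.0.0.2}
PEER_MAC=${PEER_MAC:-02:00:00:00:00:02}
GW_MAC=${GW_MAC:-02:00:00:00:00:01}
# Only RFC 1918 space for the server-managed subnet, so it cannot collide
# with anything the router admin assigns elsewhere.
is_rfc1918() {
  case "$1" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) return 0 ;;
    *) return 1 ;;
  esac
}
# Public and private addresses share the NIC; the private subnet is on-link
# (both servers in one VLAN), so no route through the router is needed.
addr_plan() {
  is_rfc1918 "$PRIV_NET" || { echo "refusing non-RFC1918 subnet $PRIV_NET" >&2; return 1; }
  cat <<EOF
ip addr add $PUB_ADDR dev $IFACE
ip addr add $PRIV_ADDR dev $IFACE
ip route replace default via $PUB_GW dev $IFACE
sysctl -w net.ipv4.ip_forward=0
EOF
}
# nftables ruleset (syntax assumed for nft 0.9+): private-subnet packets are
# accepted only straight from the peer's MAC; anything the router would
# inject for or from that subnet is dropped, so routing it in does no harm.
nft_plan() {
  cat <<EOF
table inet private_subnet {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$IFACE" ip saddr $PRIV_NET ether saddr != $PEER_MAC drop
    iifname "$IFACE" ip daddr $PRIV_NET ether saddr $GW_MAC drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr $PRIV_NET ip daddr != $PEER_IP drop
  }
}
EOF
}
```

Load the ruleset with `nft_plan | nft -f -` on each server, swapping the peer address and MAC for the other box.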