Author Topic: Connecting two lans together with policies in one network.  (Read 1690 times)

sahne2000

Connecting two lans together with policies in one network.
« on: March 08, 2013, 04:20:37 am »
Hi guys, hope you can help me out. I would like to connect my network with my neighbour's, but I want to block internet and DLNA for my neighbour. How can I achieve this?
At the moment I have an ADSL modem/router, and from there a switch, all in the 192.168.10.0/255.255.255.0 network. So now the question is how to set up Zentyal between my router and my neighbour so we can share files. He will be in 192.168.5.0/255.255.255.0. I also would like to use my router as the main firewall and not Zentyal.

The setup is like this at the moment:
Internet - Router - LAN - Zentyal - Neighbour's LAN

Thanks guys for your help

christian

Re: Connecting two lans together with policies in one network.
« Reply #1 on: March 08, 2013, 07:59:58 am »
Except if you use advanced routing features with a product like, e.g., OpenWrt, I don't see the added value of using your ADSL router as your main FW.

This said, and whatever your design choice, I would rather suggest doing something like:

internet <-- ADSL router --> 192.168.10.0/24 <--> NIC 1 | Zentyal | NIC 2 <--> 192.168.5.0/24  <--> neighbour's LAN
                                                        | Zentyal | NIC 3 <--> 192.168.15.0/24 <--> your LAN


Doing so, you can:
- share resources between internal interfaces: you have 2 LANs and describe rules between these 2 LANs
- Zentyal will control internet access for all, providing more flexibility (you can still implement additional rules at router level if needed)
- if you put "your" LAN between the internet and your neighbour, either you describe 2 Zentyal interfaces as "internal" (with low added value) or you describe one as external; in that case it is the one on your LAN, which will make access to shared resources more complex.


EDIT: fixed typo in neighbour's LAN IP
« Last Edit: March 08, 2013, 09:00:20 am by christian »

robb

Re: Connecting two lans together with policies in one network.
« Reply #2 on: March 08, 2013, 08:23:04 am »
1 correction:
NIC 1 and NIC 2 can't be on the same subnet

sahne2000

Re: Connecting two lans together with policies in one network.
« Reply #3 on: March 08, 2013, 08:39:14 am »
Thanks Christian.
Now I have more time to explain more in detail what I have done so far.
I have set up two NICs on Zentyal. The first one is the WAN (192.168.10.0/24); in front of the WAN are also all my servers and local computers, since I don't want them to be behind Zentyal. The other NIC is configured as a DHCP local LAN with 192.168.5.0/24, which is for the neighbour. I managed to set the proxy to block Internet for this subnet. I can also access servers from 192.168.10.0/24, which is really good. But I cannot access shares from 192.168.5.0/24. Could it be because 192.168.10.0/24 is sitting in front of Zentyal?

Setup:

192.168.10.0/24 > Zentyal: nic0 = WAN
                           nic1 = LAN 192.168.5.0/24 with DHCP for neighbour

Question now: how to make 192.168.10.0/24 talk to 192.168.5.0/24?

christian

Re: Connecting two lans together with policies in one network.
« Reply #4 on: March 08, 2013, 08:59:04 am »
Quote
1 correction:
NIC 1 and NIC 2 can't be on the same subnet

Sure, this is a typo  :-[
I obviously meant 3 NICs with 3 different subnets.
Something like:
192.168.5.0
192.168.10.0
192.168.15.0

I'll fix my post. Thank you for the highlight  ;)

christian

Re: Connecting two lans together with policies in one network.
« Reply #5 on: March 08, 2013, 09:09:22 am »
@sahne2000

Let me rephrase what you're targeting.
You have defined Zentyal between the WAN and the internal network (the one for your neighbour), meaning one NIC is set as "external".
You are sitting on the "external" network (from Zentyal's standpoint) and want to access the internal network from the internet (still from Zentyal's standpoint).

Your question is "how to access the internal network from the internet on Zentyal". Am I correct?
I would say either:
1 - by opening network ports at Zentyal FW level (notice that you also need to announce the route to 192.168.5.0 to all machines on "your" LAN, or set up dirty stuff like "using the default route - here your ADSL router - redirect the flow to Zentyal's external IP")
2 - or using an OpenVPN client from your LAN to the neighbour's LAN
3 - or configuring Samba so that it listens on the external NIC too

Well, as you can see, you have plenty of different options.
To me, none is good but this is due to your initial "constraint".

sahne2000

Re: Connecting two lans together with policies in one network.
« Reply #6 on: March 08, 2013, 09:51:36 am »
That's correct, Christian. It seems what I had in mind is not very practicable. I will probably go with 3 NICs in Zentyal: nic0 external WAN, nic1 for my network and nic2 for the neighbour's network.
Thank you very much for your help.

The only problem I have, and that's the main reason I need to have a firewall like Zentyal or pfSense, is that I do not know another way to block DLNA on certain devices. Would you know if there is any way to block DLNA? I need DLNA for my website; unfortunately, with Server 2012 Essentials you can't specify which device will see DLNA, it's either ON or OFF.
 
Cheers,
Daniel


robb

Re: Connecting two lans together with policies in one network.
« Reply #7 on: March 08, 2013, 09:54:16 am »
Quote
Well, as you can see, you have plenty of different options.
To me, none is good but this is due to your initial "constraint".
+1
Better would be to use the suggestion of creating 2 LANs: 1 for you and 1 for your neighbour.
By going to the WAN side of Zentyal you introduce a lot of security risks.

christian

Re: Connecting two lans together with policies in one network.
« Reply #8 on: March 08, 2013, 10:21:27 am »
Quote
The only problem I have, and that's the main reason I need to have a firewall like Zentyal or pfSense, is that I do not know another way to block DLNA on certain devices. Would you know if there is any way to block DLNA? I need DLNA for my website; unfortunately, with Server 2012 Essentials you can't specify which device will see DLNA, it's either ON or OFF.

Sure, that's why a FW is very useful  ;D

You could, e.g., even set up a more flexible Zentyal-based design where all servers you want to control access to are hosted on a specific (fourth) network acting as a DMZ.
Then you can set up rules at FW level to permit access or not depending on the source (notice this is different from authentication).

If the goal is only to isolate your neighbour so that he won't access UPnP & DLNA, then the design I initially suggested works  8)
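To make the three-NIC design concrete, here is an added example (not code from any poster, and not Zentyal's own configuration, which is generated from its web interface): a small model of the FORWARD policy that lets the neighbour reach only SMB shares on the owner's LAN, denies him internet and DLNA, and renders the same rules as plain iptables commands. The NIC names eth0/eth1/eth2 and the 192.168.15.0/24 owner subnet are assumptions; the neighbour and router subnets are the ones discussed in the thread.

```python
"""Zone policy for the three-NIC design discussed in this thread (constructed example).
NIC names and the 192.168.15.0/24 owner subnet are assumptions; the neighbour
(192.168.5.0/24) and router (192.168.10.0/24) subnets are the thread's own."""
from ipaddress import ip_address, ip_network

WAN_NIC = "eth0"  # towards the ADSL router (192.168.10.0/24) and the internet behind it
INTERNAL = {      # zone -> (NIC, subnet)
    "mine":  ("eth1", ip_network("192.168.15.0/24")),  # owner's servers, DLNA media server
    "neigh": ("eth2", ip_network("192.168.5.0/24")),   # neighbour's LAN
}

# FORWARD rules, first match wins; unmatched traffic is dropped (default deny).
# (src_zone, dst_zone, proto, dport, verdict); None matches anything.
RULES = [
    ("neigh", "mine", "tcp", 445, "ACCEPT"),  # SMB file shares only
    ("neigh", "mine", None, None, "DROP"),    # DLNA's HTTP streaming port and all else
    ("neigh", "wan", None, None, "DROP"),     # no internet for the neighbour
    ("mine", "wan", None, None, "ACCEPT"),
    ("mine", "neigh", None, None, "ACCEPT"),  # owner may still reach the neighbour's LAN
]

def zone_of(addr):
    """Zone of an address: an internal subnet, 'wan' for anything else, None for
    multicast (SSDP 239.255.255.250 discovery is link-local and is never forwarded)."""
    a = ip_address(addr)
    if a.is_multicast:
        return None
    return next((z for z, (_, net) in INTERNAL.items() if a in net), "wan")

def forward_decision(src, dst, proto, dport):
    """Verdict for a new flow entering the FORWARD chain."""
    s, d = zone_of(src), zone_of(dst)
    for sz, dz, p, port, verdict in RULES:
        if (sz, dz) == (s, d) and p in (None, proto) and port in (None, dport):
            return verdict
    return "DROP"  # chain policy

def to_iptables():
    """Render the same policy as iptables commands; reply traffic is allowed first
    so only new connections are subject to the zone rules."""
    nic = {z: n for z, (n, _) in INTERNAL.items()}
    nic["wan"] = WAN_NIC
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for sz, dz, p, port, verdict in RULES:
        match = f" -p {p} --dport {port}" if p else ""
        lines.append(f"iptables -A FORWARD -i {nic[sz]} -o {nic[dz]}{match} -j {verdict}")
    return lines
```

Because the neighbour sits on his own Layer 2 segment, SSDP discovery never crosses Zentyal in the first place; the explicit deny between the two LANs is what stops a DLNA client that already knows the media server's address.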

sahne2000

Re: Connecting two lans together with policies in one network.
« Reply #9 on: March 08, 2013, 10:31:06 am »
Yes, I thought about a DMZ. I will start playing around with it tomorrow in a virtual environment. Will let you know how it goes.


Thanks again. Your feedback was very useful.