Author Topic: How to configure internal and external interface on same network

jhemperly

  • Zen Apprentice
  • Posts: 7
  • Karma: +0/-0
How to configure internal and external interface on same network
« on: February 26, 2014, 03:21:21 pm »
Hello,

I'm currently evaluating Zentyal for use on our "courtesy network" for guests that bring laptops/smart devices as well as a few workstations that are hard wired.  The purpose for Zentyal in this network will be to filter web traffic, act as a firewall, and shape traffic to prevent bandwidth congestion.

We previously had a Barracuda 610 web filter installed in-line, which looked like this:

[ x.x.x.x (Public IP)                                   ]
[ Comcast Small Business Cable modem                    ]
[ 192.168.1.1                                           ]
              ^
              |
[ Barracuda - 192.168.1.2 - Default Gateway 192.168.1.1 ]
              ^
              |
[ Default Gateway - 192.168.1.2                         ]
[ Layer 3 Switch                                        ]
[ VLAN 100 - 192.168.1.3                                ]
              ^
              |
[ Rest of network, all on VLAN 100                      ]


I'd like to install the Zentyal server in-line at the exact same location as where the barracuda sat, but when I attempt to configure the internal and external interfaces, it tells me they cannot be on the same network.  I'm completely new to this product, and unfortunately the barracuda is completely dead, and I'm unable to look at the configuration to try and match Zentyal to it.  The layer 3 switch will eventually be configured with multiple VLANs to separate wired clients/wireless clients/appliances, and anything else I end up needing to set up, but everything above the L3 switch is currently on the same network and was working correctly before the 'cuda kicked the bucket.  Is there a way to configure the Zentyal server in something like a transparent bridge mode?  Or...am I going about this completely incorrectly?


christian

  • Guest
Re: How to configure internal and external interface on same network
« Reply #1 on: February 26, 2014, 03:25:14 pm »
I often have some criticisms about Zentyal's way of implementing some technical stuff, but here they are perfectly right  ;D
You definitely can't have such a device with 2 NICs, one internal and one external, on the same subnet.
If keeping those IP addresses is mandatory, then you need to tune the netmasks  8)

jhemperly

  • Zen Apprentice
  • Posts: 7
  • Karma: +0/-0
Re: How to configure internal and external interface on same network
« Reply #2 on: February 26, 2014, 03:35:40 pm »
So if I were to move the cable modem to a different network (10.x.x.x) and put the external interface of zentyal on that network, would that work?

The other option I was looking at, which I'm not sure Zentyal supports is WCCP.  Would that allow me to keep everything on the same network?

christian

  • Guest
Re: How to configure internal and external interface on same network
« Reply #3 on: February 26, 2014, 03:45:01 pm »
Zentyal is based on Squid (for what concerns the HTTP proxy), and Squid does support WCCP, but the more I think about this, the less I understand why this would help to do nasty stuff on the network side. My answer to your question would be "no", but you perhaps need to elaborate on what you have in mind...

edit: added URL to Squid doc
« Last Edit: February 26, 2014, 04:07:11 pm by christian »

robb

  • Guest
Re: How to configure internal and external interface on same network
« Reply #4 on: February 26, 2014, 03:52:55 pm »
Quote
So if I were to move the cable modem to a different network (10.x.x.x) and put the external interface of zentyal on that network, would that work?
Yes, that would work. Zentyal will have an external IP address on your 10.x.x.x subnet and an internal IP address on your 192.168.1.x network.
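The two replies above (christian's "same subnet is impossible, tune the netmasks" and robb's "put the WAN side on 10.x.x.x") come down to one rule: the network address derived from each NIC's address/prefix must not overlap with the other NIC's, and the upstream gateway must sit inside the external one. The script below is an added illustration, not code from the thread or from Zentyal; it uses Python's standard ipaddress module to run that check against three candidate plans. The concrete addresses are assumptions: the "original" plan reuses the thread's 192.168.1.0/24 on both NICs (with 192.168.1.4 as a hypothetical external address), "wan_on_10" follows robb's suggestion with an assumed 10.0.0.0/30 link to the modem, and "split_24" is one reading of christian's netmask hint (splitting 192.168.1.0/24 into two /25s so the 192.168.1.x addresses survive, at the cost of renumbering hosts into the upper half).

```python
"""Subnet-overlap check for a two-NIC gateway plan (added illustration, not Zentyal code)."""
import ipaddress
from typing import Dict, List, Tuple


def overlaps(iface_a: str, iface_b: str) -> bool:
    """True when the networks of two 'addr/prefix' interfaces share any address."""
    net_a = ipaddress.ip_interface(iface_a).network
    net_b = ipaddress.ip_interface(iface_b).network
    return net_a.overlaps(net_b)


def check_plan(external: str, external_gw: str, internal: str) -> List[str]:
    """Return the problems with a plan; an empty list means the plan is usable.

    external    - address/prefix of the WAN-facing NIC
    external_gw - the upstream router (here: the cable modem)
    internal    - address/prefix of the LAN-facing NIC
    """
    problems: List[str] = []
    ext = ipaddress.ip_interface(external)
    lan = ipaddress.ip_interface(internal)
    gw = ipaddress.ip_address(external_gw)

    # The rule the Zentyal UI enforces: the two NICs must be on distinct networks.
    if ext.network.overlaps(lan.network):
        problems.append(f"external {ext.network} overlaps internal {lan.network}")
    # The default gateway must be directly reachable on the external NIC.
    if gw not in ext.network:
        problems.append(f"gateway {gw} is not inside external {ext.network}")
    if gw == ext.ip:
        problems.append("gateway equals the external address")
    return problems


# Assumed address plans (constructed for this example).
PLANS: Dict[str, Tuple[str, str, str]] = {
    # Both NICs in 192.168.1.0/24, as in the original in-line layout: rejected.
    "original": ("192.168.1.4/24", "192.168.1.1", "192.168.1.2/24"),
    # Modem moved to a private /30; LAN unchanged: accepted.
    "wan_on_10": ("10.0.0.2/30", "10.0.0.1", "192.168.1.2/24"),
    # Netmask split of the /24 into two /25s; LAN hosts move to .128-.254: accepted.
    "split_24": ("192.168.1.2/25", "192.168.1.1", "192.168.1.130/25"),
}


def evaluate_all() -> Dict[str, List[str]]:
    """Run check_plan over every plan and map plan name to its problem list."""
    return {name: check_plan(*args) for name, args in PLANS.items()}


if __name__ == "__main__":
    for name, problems in evaluate_all().items():
        print(f"{name:10s} {'OK' if not problems else '; '.join(problems)}")
```

Run it as-is to see the original plan rejected and the other two accepted; swap in your own addresses before a maintenance window to catch an overlap before the Zentyal UI does. Note that "split_24" only avoids overlap because the LAN side moves entirely into 192.168.1.128/25; shrinking just the WAN NIC to a /30 inside the same /24 still overlaps and would be rejected.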

jhemperly

  • Zen Apprentice
  • Posts: 7
  • Karma: +0/-0
Re: How to configure internal and external interface on same network
« Reply #5 on: February 26, 2014, 04:07:51 pm »
Ok, bear with me, as I'm still a bit of a greenhorn in the networking world.

If zentyal fails, I want it to fail open.  This is why I was looking at WCCP.  When the barracuda failed, it failed closed because it was deployed inline and the hardware failed.  It was the only path between our cable modem and our "core" switch, so when it failed, traffic stopped there.   As I understand it (and again, I may be completely off-base) WCCP would allow Zentyal to be connected to a switch port and filter traffic passed to it, but the link from the switch to the cable modem would be a standard (ideally redundant) link completely separate from the zentyal server.  In the event of the zentyal server's failure, WCCP should fail open and pass all traffic on to the cable modem, instead of dropping all traffic because a device in-line between the switch and modem failed.

christian

  • Guest
Re: How to configure internal and external interface on same network
« Reply #6 on: February 26, 2014, 04:25:25 pm »
That's an interesting debate  :)
What are you looking for exactly ?
Zentyal's main purpose (well, mainly before it was focusing on Windows DC replacement  ::)) is to act as a border infrastructure component, and because one leg is exposed to the internet, it embeds a firewall that you really don't want to fail "open", trust me  ;D

So it depends what "failure" means. Whatever device you deploy between your LAN and WAN will exhibit this risk of dropping access to the internet in case of failure. BTW, that's true for your external modem too, unless you have deployed HA.

That's the reason why I think it is really worth clearly defining:
- what you want to achieve in terms of features (not in terms of components to be deployed)
- what your constraints are in terms of level of service or availability, as you focus on this.

What you have expressed in your first post is already a good starting point, at least before you start describing some potential implementation and discussing network stuff  8)
Let me elaborate on this so that it clarifies my point:
- if the web-based services you offer are only based on the HTTP protocol, then you can easily design an HTTP proxy that is not "in line" (in traversing mode) with your network. Most medium to large companies do not deploy their proxy as the default gateway, therefore not as a transparent proxy. But in such a case, you will need something else to act as a firewall...

jhemperly

  • Zen Apprentice
  • Posts: 7
  • Karma: +0/-0
Re: How to configure internal and external interface on same network
« Reply #7 on: February 26, 2014, 05:23:49 pm »
Ok, I'll try to answer your questions to the best of my ability:

I would like to use the Zentyal Server to perform the following:
 - Filter all client web traffic - No user should be able to access websites such as porn, gambling, known infected sites, suspicious sites, etc...
 - Firewall - I would like to block certain IPs and IP ranges from communicating with clients, and block clients from communicating with these IPs.
 - Traffic Shaping - Many of our clients are 'hogging' the bandwidth we have by using youtube/Netflix/Pandora.  I'd like to cap bandwidth for these sites while allowing other web traffic full bandwidth.  I would block these sites altogether, but management will not allow me to do this  >:(

Management would like this all to fail open, but I would prefer to have it fail closed and bypass it manually on a temporary basis, if necessary, until I get something back up and running.

Furthermore, since many of these clients are accessing "apps" on their smart devices, traffic may not always be HTTP-based.  This being the case, perhaps WCCP is not an option for me because as I understand it, WCCP will only forward http-based traffic.

So, as I understand things, Zentyal is capable of all of the features I'm looking for, but must be installed in-line if I want to use it to do more than just filter HTTP traffic.

So, in your opinion, what would be the "best practice" way to configure and install this server in our environment shown in my first post?

Thank you very much for your help!
« Last Edit: February 26, 2014, 05:27:07 pm by jhemperly »

robb

  • Guest
Re: How to configure internal and external interface on same network
« Reply #8 on: February 26, 2014, 05:31:51 pm »
Quote
So, as I understand things, Zentyal is capable of all of the features I'm looking for, but must be installed in-line if I want to use it to do more than just filter http traffic.
That is correct.

jhemperly

  • Zen Apprentice
  • Posts: 7
  • Karma: +0/-0
Re: How to configure internal and external interface on same network
« Reply #9 on: February 26, 2014, 05:34:12 pm »
Thank you, Robb...now I just have to wait for my next maintenance window.

fasttech

  • Zen Monk
  • Posts: 76
  • Karma: +5/-0
Re: How to configure internal and external interface on same network
« Reply #10 on: February 26, 2014, 05:56:43 pm »
You may find that the Untangle gateway in bridge mode is an easier installation for you. Wouldn't hurt to look at it.