Author Topic: DHCP question  (Read 1667 times)

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
DHCP question
« on: February 08, 2010, 05:35:33 pm »
I just purchased an OEM box with 5 network interfaces. I want to set interface 1 as the WAN link using DHCP and I have marked it as "external". I have set interface 2 as internal and set a class C network. I have enabled and configured the DHCP module based on the class C network set on interface 2. Is it possible for me to plug my network cable into interfaces 3 - 5 so that my client machines can get the DHCP leases from interface 2? Thank you
« Last Edit: February 09, 2010, 06:18:16 am by sumthing »

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: DHCP question
« Reply #1 on: February 09, 2010, 07:07:02 am »
Help please. I just want to make the box into a switch like Linksys/D-Link etc. Thanks

Svein Wisnaes

  • Zen Samurai
  • ****
  • Posts: 325
  • Karma: +5/-0
  • A Norwegian living in Brazil
Re: DHCP question
« Reply #2 on: February 09, 2010, 01:45:24 pm »
If you only want to use it as an advanced router, maybe pfSense would be a better choice - router, firewall and hotspot.

IMHO - eBox is a server and is fantastic as that. But the routing and firewalling is not as easy as in pfSense.
Regards,

Oceanwatcher
Do NOT use PM for support. This is a community forum and support is not on a one-on-one basis.
READ BEFORE POSTING - How to make a good post - click here

christian

  • Guest
Re: DHCP question
« Reply #3 on: February 09, 2010, 02:26:34 pm »
...Is it possible for me to plug my network cable into interface 3 - 5 so that my client machines can get the DHCP leases from interface 2? thank you

Do you mean "to get an IP that is in the same subnet as interface 2"?
In such case, what's the rationale in spreading users across different interfaces? If you want to isolate them behind the FW so that you can apply specific rules, then defining different subnets will help.

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: DHCP question
« Reply #4 on: February 09, 2010, 04:02:14 pm »
...Is it possible for me to plug my network cable into interface 3 - 5 so that my client machines can get the DHCP leases from interface 2? thank you

Do you mean "to get an IP that is in the same subnet as interface 2"?
In such case, what's the rationale in spreading users across different interfaces? If you want to isolate them behind the FW so that you can apply specific rules, then defining different subnets will help.

Thanks for replying. The rationale behind this is that after deploying, I have 3 interfaces left out of the 5 interfaces. So I am thinking whether it is possible to make use of the remaining 3 interfaces to grab the DHCP leases that are created from the interface set in 2.

christian

  • Guest
Re: DHCP question
« Reply #5 on: February 09, 2010, 04:30:58 pm »
If your concern is waste of bandwidth because 2 interfaces are not used, I'm sure it's easier to connect to a Gigabit switch from one interface instead of trying to split clients across multiple interfaces (assuming your server is not using the Realtek 8111c chip, which doesn't work very well with Ubuntu).
Then if you don't have any specific constraint that would require having all clients on the same subnet, you could also allocate a different IP subnet to each interface, with different DHCP settings obviously. In such case, routing between these subnets will go through eBox, but is it an issue?

You could also, depending on your topology, benefit from all these interfaces and the FW embedded in eBox to isolate some services in a DMZ and have, doing so, better control over the protocols and clients allowed to access these servers.

Well a lot of different approaches but it really depends on your needs.

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: DHCP question
« Reply #6 on: February 09, 2010, 04:52:54 pm »
Well, I concur with what you have mentioned. DMZ is a good idea but I am not sure how a DMZ is going to be configured in eBox. Seems like there isn't a feature for DMZ....

poundjd

  • Zen Warrior
  • ***
  • Posts: 243
  • Karma: +0/-0
  • To your own morals be true!
Re: DHCP question
« Reply #7 on: February 09, 2010, 04:56:16 pm »
I also have an eBox with 5 network interfaces (MB interface, and a 4-NIC card).  I plan on using the MB NIC to be the WAN connection, and the first NIC on the 4-NIC card to be the home network, the 2nd NIC to be my DMZ zone for risky services, and the third for HIGHLY protected servers - NO ACCESS to/from WAN, and the 4th for testing/playing with new stuff; each will have a /24 subnet.  Later if I get another Internet access link (WAN2), then I'll use one of the NICs for access to WAN2.  Then I can play with load balancing and such.
-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

poundjd

  • Zen Warrior
  • ***
  • Posts: 243
  • Karma: +0/-0
  • To your own morals be true!
Re: DHCP question
« Reply #8 on: February 09, 2010, 04:59:57 pm »
The concept of a DMZ is that of a zone with different protections than the rest of the network.  So it is really a construct of the FW rules that you apply to that subnet.

The services that you have in your DMZ will determine what rules you apply to that subnet.  I.e. if there is no reason for other internal devices to access the DMZ, then your rules should prevent that.
-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: DHCP question
« Reply #9 on: February 09, 2010, 05:16:49 pm »
Hi poundjd,

Thanks for your recommendation on the usage of the NIC interfaces. They are useful for me to plan my NIC usage  :D

Lastly, you mentioned the concept of a DMZ. Well, I am aware of that but I am confused by the menu in eBox on how to set up the DMZ interface. I have done a search for "DMZ" and found a couple of threads on DMZ, and the recommended interface type to configure a DMZ is internal. And a couple of rules should make it work. Can you advise me what kind of firewall rules I should set? Thanks

poundjd

  • Zen Warrior
  • ***
  • Posts: 243
  • Karma: +0/-0
  • To your own morals be true!
Re: DHCP question
« Reply #10 on: February 09, 2010, 05:26:45 pm »
Sumthing,
  I have been playing at setting up an eBox server since before 1.0.  I still have not gotten one into production here at the house. (I lost almost a year due to a surge at work that kept me off of the internet.) I really am still learning about FW rules and such.  I understand the concepts but have not put it to code yet.  Also the FW rules you will want will be driven by what you have running in the DMZ.  I would start with allowing nothing from the DMZ into the home network, and only allowing what is required into the DMZ network from the WAN.  Allowing all from the DMZ to the WAN is one easy solution, but then if your DMZ is compromised you become part of the botnets.... not good.  I'd recommend that you completely identify what traffic you need to support the services that you want to run in your DMZ and then write the FW rules that implement that and only that....
-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

christian

  • Guest
Re: DHCP question
« Reply #11 on: February 09, 2010, 07:08:26 pm »
.../... Can you advise me what kind of firewall rules I should set? Thanks

Say you want to isolate an internal HTTP server so that it can be accessed only from the internal proxy using the HTTP protocol and from a few stations for admin purposes; then you can easily plug this server into a dedicated interface, define the network in eBox and set FW rules so that only the proxy is authorized to access this network with the HTTP protocol. Add another rule authorizing SSH from known admin stations et voila  ;)

Hmm, why would you want this web server to be accessible via the proxy only...? I don't know  ::) because you want to ensure caching at the proxy level, or load balancing if your proxy can do this, or any other good reason.

That's a very simplified example, maybe meaningless in your environment. Do you need any DMZ  ???

Another approach could be to host services exposed to the external network, by connecting dedicated servers hosting services accessible from the internet:
- port forwarding is required to expose such a service
- if you forward to a server on your internal network, then any weakness on this server could be used by hackers to reach, bouncing off this server, your internal network.
- by isolating this server on a dedicated subnet, you never expose your internal network, assuming you control, at the FW level, how this server is authorized to communicate with the internal network, of course  ;D At this stage, other mechanisms can be used to keep the internal network a bit more hidden if needed.

To make it short, it's really not mandatory to use ALL interfaces, but having more than 2 may help in some specific situations.

Christian
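As an added example, not code from this thread or from eBox itself, here is the three-zone policy poundjd and Christian sketch above (nothing initiated from the DMZ into the home network, only the forwarded service admitted from the WAN, the proxy and an admin station let into the DMZ, and the DMZ let out only for what its services need rather than "allow all") written as iptables commands. Interface names, subnets and host addresses are constructed placeholders; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: DMZ firewall policy as iptables rules (dry run unless IPT=iptables).
# All interface names and addresses below are constructed placeholders.
WAN_IF=eth0                     # external interface, address via DHCP from the ISP
LAN_IF=eth1                     # internal home network
DMZ_IF=eth2;  DMZ_NET=192.168.2.0/24
WEB_SRV=192.168.2.10            # web server in the DMZ, the only exposed service
PROXY=192.168.1.5               # internal proxy allowed to fetch from WEB_SRV
ADMIN=192.168.1.20              # admin station allowed SSH into the DMZ subnet
IPT=${IPT:-"echo iptables"}     # print commands by default; IPT=iptables applies them

dmz_rules() {
    # Default deny for forwarded traffic; replies to allowed flows pass.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> WAN: the home network may reach the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # WAN -> DMZ: only the port-forwarded web service ("only what is required").
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT
    # LAN -> DMZ: proxy over HTTP and the admin station over SSH, nothing else.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$PROXY" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$ADMIN" -d "$DMZ_NET" -p tcp --dport 22 -j ACCEPT
    # DMZ -> LAN: no new connections; log drops so a compromised DMZ host is visible.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # DMZ -> WAN: only DNS, NTP and HTTPS (updates), not "allow all".
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -p udp -m multiport --dports 53,123 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    # Source NAT for everything leaving via the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

dmz_rules
```

Run as-is to review the rule set; run with `IPT=iptables` as root to apply it (rules are not persisted across reboots).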

sumthing

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: DHCP question
« Reply #12 on: February 10, 2010, 08:35:50 am »
Hi Christian

Thanks for your reply. It has been very helpful in planning for the rest of the interfaces...  :D