
I am looking at setting up a new firewall box, hopefully using ClearOS.

My new setup would require the firewall to handle 2 incoming WAN connections, both static IPs from different ISPs.

Secondly, I will want to have 2 PC user zones; let's call one green and the other purple.

I want to split the incoming WAN connections to the green and the purple zone, meaning that green will only have access to the bandwidth from one WAN connection and purple will only have access to the bandwidth from the other WAN connection. (Green and purple are 2 buildings across the street from each other.)

Thirdly, I want the PCs in both green and purple to see each other for file sharing purposes, and the PDC will be in the GREEN zone handing out DHCP IPs to both green and purple machines.

Fourthly, I want to set up a DMZ for my email server, which both green and purple can access. The DMZ will be using the same WAN connection as the GREEN zone.

And lastly, I want to set up another zone called blue which will only have internet connectivity from the WAN connection that green is connected to, and gets IPs from the ClearOS box. The reason for this zone is that when our customers come to our facilities, we would like them to have access to the internet in case they need it.


So can anyone tell me if ClearOS can do this and what basic system specs I should build the box with?
Thursday, April 15 2010, 02:05 AM
Responses (5)
  • Accepted Answer

    Thursday, April 22 2010, 01:57 PM - #Permalink
    Well Tim,

    Let me give you a little insight into why I wish to do it like this.

    The company I worked for recently split itself up into 2 companies... and all the internet lines ran to one warehouse where we had a centralized network infrastructure... now that we are split... they aren't willing to pay to have the network wiring redone for the internet...

    So at simple request... I was looking at doing this setup and testing it for a few months till they have removed their internet lines from my building and placed them in theirs...

    And to top it off that new company doesn't have an IT department... so I am running between buildings like a mule :(
  • Accepted Answer

    Wednesday, April 21 2010, 09:27 PM - #Permalink
    You're certainly shooting for the most complicated setup ;)

    If it were me, I'd have two ClearOS boxes, one at each location (purple and green by your definition), then set up a site-to-site VPN link between the two. This way they get to keep their own bandwidth, each with their own WAN, routing is simple and they can share files between each office as required over the VPN link. You can also authenticate across the VPN using the PDC of the other server if required.

    You can then choose to add a webserver in a DMZ or Hot LAN as you see fit in either location.

    Why do you feel the need to do all the above on one machine? Besides creating yourself a headache ;)
  • Accepted Answer

    John
    Wednesday, April 21 2010, 09:01 PM - #Permalink
    Sure ... and if you ask politely maybe someone will do it for you ... hehe
  • Accepted Answer

    Wednesday, April 21 2010, 06:39 PM - #Permalink
    John..

    I found this.. maybe this can work for me..

    http://www.clarkconnect.com/olddocs/Network_Settings_-_Multi-WAN#Source_Based_Routes

    Need to build a firewall machine now with 6 NICs

    lol..
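The source-based routing the linked Multi-WAN page describes, written out as plain Linux iproute2 and iptables commands rather than through the ClearOS web interface. This is an added example, not part of the thread or of the ClearOS documentation; the interface names, network ranges and gateway addresses are constructed placeholders, and the table ids 100/200 are an arbitrary choice. The rule that sends traffic destined for any local zone to the main table is the part that is easy to forget: without it, a green-to-purple file transfer would be routed by source into the ISP table and leave the building instead of crossing the street.

```shell
#!/bin/sh
# Added example, not from the thread or the ClearOS documentation: source-based
# (policy) routing that sends the green building out via ISP 1 and the purple
# building out via ISP 2 on a Linux firewall. Interface names, addresses and
# gateways are constructed placeholders; adjust them to the real box.

WAN_A_IF=eth0; WAN_A_GW=203.0.113.1     # ISP 1: used by green, the DMZ and blue
WAN_B_IF=eth1; WAN_B_GW=198.51.100.1    # ISP 2: used by purple
GREEN_NET=192.168.10.0/24
PURPLE_NET=192.168.20.0/24
DMZ_NET=192.168.30.0/24
BLUE_NET=192.168.40.0/24                # guest zone, also pinned to ISP 1

# With DRY_RUN=1 every command is printed instead of executed, so the plan
# can be reviewed on a machine that does not have these interfaces.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One extra routing table per ISP, holding only that ISP's default route.
# Table ids 100/200 are arbitrary; they only need to be unused on the box.
setup_wan_tables() {
    run ip route replace default via "$WAN_A_GW" dev "$WAN_A_IF" table 100
    run ip route replace default via "$WAN_B_GW" dev "$WAN_B_IF" table 200
}

# Rule order matters (lower priority number is consulted first):
#  1. traffic *to* any local zone stays on the main table, whose connected
#     routes reach the LANs directly; without this a green->purple file
#     transfer would be looked up in table 100 and leave via ISP 1;
#  2. everything else is routed by *source* zone into that zone's ISP table.
setup_source_rules() {
    for net in "$GREEN_NET" "$PURPLE_NET" "$DMZ_NET" "$BLUE_NET"; do
        run ip rule add to "$net" lookup main priority 900
    done
    run ip rule add from "$GREEN_NET"  lookup 100 priority 1000
    run ip rule add from "$DMZ_NET"    lookup 100 priority 1001
    run ip rule add from "$BLUE_NET"   lookup 100 priority 1002
    run ip rule add from "$PURPLE_NET" lookup 200 priority 1003
}

# NAT per WAN interface: each zone's traffic must leave with the public
# address of the ISP it was routed to, or replies come back the wrong way.
setup_nat() {
    run iptables -t nat -A POSTROUTING -s "$GREEN_NET"  -o "$WAN_A_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$DMZ_NET"    -o "$WAN_A_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$BLUE_NET"   -o "$WAN_A_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$PURPLE_NET" -o "$WAN_B_IF" -j MASQUERADE
}

# Strict reverse-path filtering drops packets on a multi-homed box whose
# reply route differs from the arrival interface; loose mode (2) keeps the
# anti-spoofing check while tolerating asymmetric routes.
setup_rpfilter() {
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

apply_multiwan() {
    setup_wan_tables
    setup_source_rules
    setup_nat
    setup_rpfilter
}

# Returns the routing table a given source network is pinned to, read from
# the plan the script would apply; a quick self-check of the zone/ISP mapping.
table_for() {
    (DRY_RUN=1; setup_source_rules) | awk -v net="$1" '$4=="from" && $5==net {print $7}'
}

# Stand-alone use: `sh multiwan.sh print` shows the plan, `sh multiwan.sh apply`
# (as root) installs it.
case "${1:-}" in
    print) DRY_RUN=1; apply_multiwan ;;
    apply) apply_multiwan ;;
esac
```

Run it with `print` first and read the generated commands; `table_for 192.168.20.0/24` should answer `200` before anything is applied. The rules only decide which ISP a zone's traffic leaves through; what a zone is allowed to talk to is a separate filtering question.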
  • Accepted Answer

    John
    Thursday, April 15 2010, 10:28 AM - #Permalink
    Hi Andre,

    That is quite an ambitious plan to start out with, and let me start by saying that I don't have all the answers, but maybe with my and others' advice together you will be able to start getting there.

    I think that you need to have an expert understanding of iptables (which I do not have) to get the green, purple & blue zones split up exactly as you described, but maybe partly it will also be possible through the web interface.

    These are the points I think I might assist / guide you with:

    2 incoming static WAN connections with 2 different providers.
    Multi-WAN

    Connections 2 buildings across the street.
    Maybe this could help, but you will have to confirm this yourself:

  • IPsec VPN

  • OpenVPN (AFAIK, this is the only one that's free)

  • PPTP VPN

    DHCP handling the IP addresses for all zones.
    DHCP Server

    DMZ for e-mail server only using the green WAN, but accessible by the green and purple zone.
    Not sure why it should be in the DMZ.

    The blue zone for customers could be a Hot LAN.
    IP Settings
    Hot LAN (or "Hotspot Mode") allows you to create a separate LAN network for untrusted systems. Typically, a Hot LAN is used for:

  • Servers open to the Internet (web server, mail server)

  • Guest networks

  • Wireless networks

    A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in the meeting room could access the Internet and each other, but not the LAN used by company employees.

    The firewall port forwarding page in webconfig is used to forward ports to both LANs and Hot LANs.

    Only one Hot LAN is permitted.

    Basic system specifications.
    System Requirements

    My general advice would be to start experimenting with ClearOS on a redundant machine to see if this is the way to go. For the rest of your answers I will have to redirect you to others who have more experience with the specific requests that you have.

    Good luck,

    John
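The zone policy that John's pointers (Multi-WAN, a DMZ for the mail server, a Hot LAN for the customer zone) add up to, expressed as an iptables FORWARD chain. This is an added example, not part of the thread or of ClearOS; the interface names and the mail server address are constructed, and the mail ports are an assumption about what an office needs from its mail host. The guest zone is handled the way the Hot LAN description above specifies: it can reach the Internet and nothing on the LANs, which here falls out of the default DROP policy rather than from any explicit deny rule.

```shell
#!/bin/sh
# Added example, not from the thread or from ClearOS: an iptables FORWARD
# policy for the five zones the question describes, with the guest zone
# treated the way the Hot LAN text describes (Internet only, no LAN access).
# Interface names and the mail server address are constructed placeholders.

WAN_A_IF=eth0; WAN_B_IF=eth1                 # ISP 1 (green side), ISP 2 (purple side)
GREEN_IF=eth2; PURPLE_IF=eth3; DMZ_IF=eth4; BLUE_IF=eth5
MAIL_SERVER=192.168.30.25                    # constructed address of the DMZ mail host
MAIL_PORTS="25 587 143 993"                  # SMTP, submission, IMAP, IMAPS (assumed)

# With DRY_RUN=1 every command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_forward_policy() {
    # Default deny: a zone can only reach what a rule below explicitly allows.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Green and purple are the same company's LANs: full reachability for
    # file sharing and for the PDC in green serving purple.
    run iptables -A FORWARD -i "$GREEN_IF"  -o "$PURPLE_IF" -j ACCEPT
    run iptables -A FORWARD -i "$PURPLE_IF" -o "$GREEN_IF"  -j ACCEPT
    # Both offices reach the mail server, but only on its mail ports; the DMZ
    # never initiates connections into the offices.
    for port in $MAIL_PORTS; do
        run iptables -A FORWARD -i "$GREEN_IF"  -o "$DMZ_IF" -d "$MAIL_SERVER" -p tcp --dport "$port" -j ACCEPT
        run iptables -A FORWARD -i "$PURPLE_IF" -o "$DMZ_IF" -d "$MAIL_SERVER" -p tcp --dport "$port" -j ACCEPT
    done
    # Internet egress per zone: green, DMZ and blue via ISP 1, purple via ISP 2.
    # Blue (guests) gets no rule towards any LAN, so the DROP policy isolates it.
    run iptables -A FORWARD -i "$GREEN_IF"  -o "$WAN_A_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF"    -o "$WAN_A_IF" -j ACCEPT
    run iptables -A FORWARD -i "$BLUE_IF"   -o "$WAN_A_IF" -j ACCEPT
    run iptables -A FORWARD -i "$PURPLE_IF" -o "$WAN_B_IF" -j ACCEPT
    # Inbound mail from the Internet: port-forward on ISP 1 to the mail host only.
    run iptables -t nat -A PREROUTING -i "$WAN_A_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SERVER"
    run iptables -A FORWARD -i "$WAN_A_IF" -o "$DMZ_IF" -d "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Log what falls through so a misconfiguration shows up in the firewall log.
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Self-check: number of rules that would let the guest zone initiate traffic
# into an office or DMZ interface. A correct policy returns 0.
guest_to_lan_rules() {
    (DRY_RUN=1; setup_forward_policy) | grep -cE -- "-i $BLUE_IF -o ($GREEN_IF|$PURPLE_IF|$DMZ_IF)" || true
}

# Stand-alone use: `sh zones.sh print` shows the rules, `sh zones.sh apply`
# (as root) installs them.
case "${1:-}" in
    print) DRY_RUN=1; setup_forward_policy ;;
    apply) setup_forward_policy ;;
esac
```

The filter rules match on the outgoing WAN interface, so they only do what is intended when routing has already sent purple's traffic towards ISP 2 and everything else towards ISP 1; the routing side is the separate Multi-WAN / source-based-routes configuration. The `-o` match on the second WAN also means a purple host cannot borrow green's ISP even if a routing mistake steers it there: the packet is dropped and logged instead.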