Network Planning

Knowing which services NethServer will provide, and which roles can be assigned to its network interfaces, helps to determine how many interfaces your setup requires and how your network can be laid out.

NethServer supports an unlimited number of network interfaces. Any network managed by the system must follow these rules:

  • networks must be physically separated (multiple networks cannot be connected to the same switch/hub)
  • networks must be logically separated: each network must use a different address range
  • private networks, like LANs, must follow the address conventions of RFC1918

Logical interfaces can be created according to the network needs.

Every network interface has a specific role which maps to a firewall zone and determines its behavior.

Roles and Zones

Roles are identified by colors. Each role corresponds to a well-known zone with special network traffic rules. The zones, ordered from the most to the least privileged, are:

  • GREEN: local network. It’s considered almost trusted. Hosts on this network can access any other zone.
  • BLUE: guest network. It's considered partly trusted. Hosts on this network can access the ORANGE and RED zones, but cannot access the GREEN zone.
  • ORANGE: Demilitarized zone (DMZ) network. It's considered mostly untrusted. Hosts on this network can access the RED zone, but cannot access the BLUE and GREEN zones.
  • RED: public network. It's considered untrusted. Hosts on this network can reach only the server itself.

The server must have at least one network interface. When the server has only one interface, this must have the GREEN role.

RED interfaces can be configured with a static IP address or via DHCP. All other interfaces can be configured only with static IP addresses.

The server can manage multiple zones of the same color (e.g. multiple GREEN interfaces).

Interfaces with no assigned role won't be used.

Examples:

  • A LAN is placed in the GREEN zone.
  • A Wireless Access Point for guests can be placed in the BLUE zone.
  • Servers that need to be accessible from the Internet can be placed in a DMZ (ORANGE zone).

When using NethServer's Firewall, this segmentation into zones adds another layer of protection, preventing unauthorized access to each of them. For instance, a web server or a mail server requiring public access (from the RED zone) can be isolated into a DMZ (ORANGE zone) so that if any of them is compromised, you still have the firewall between the compromised system and your LAN, thus preventing the GREEN zone from being compromised as well.

NethServer can work in two basic modes: Server mode and Gateway mode.

Server Mode

In Server mode, NethServer can be used to provide services to a network that already has a Gateway/Firewall. NethServer will be a standard host inside the network offering services like e-mail or acting as a file server.

Network layout with NethServer in Server Mode

In this mode a network interface configured with a GREEN role is required.

Gateway Mode

A server acting as a gateway is often also acting as a firewall.

A Gateway serves as an entrance point for one network to another network, converting the different protocols used on each one. A Firewall helps to protect a private network from unauthorized access.

In Gateway mode, NethServer is the gateway and firewall of the local network. NethServer sits between the local network and the Internet, filtering all traffic and deciding how to route packets and what rules to apply according to the Firewall Policies.

Network layout with NethServer in Gateway Mode

Firewall Policies allow inter-zone traffic according to this scheme:

GREEN -> BLUE -> ORANGE -> RED

Traffic is allowed from left to right, blocked from right to left.

From the Firewall Rules page you can create rules between zones to change default policies.
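The default ordering above, together with the override mechanism of the Firewall Rules page, can be modelled to review a configuration before applying it. The following is an added example, not NethServer's own code: it assumes that an explicit rule is a (source zone, destination zone, verdict) triple, that the first matching rule wins, that the server itself is reachable from every zone, and that traffic within a single zone is accepted.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Zones ordered from the most to the least privileged (GREEN -> BLUE -> ORANGE -> RED).
ZONES = ["GREEN", "BLUE", "ORANGE", "RED"]
SERVER = "SERVER"  # pseudo-zone for the NethServer host itself (assumption)


def default_policy(src: str, dst: str) -> str:
    """Default verdict for traffic from zone `src` to zone `dst`:
    allowed from left to right in the ordering, blocked from right to left."""
    known = ZONES + [SERVER]
    if src not in known or dst not in known:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    if SERVER in (src, dst):
        return "ACCEPT"  # every zone, RED included, may reach the server itself
    if src == dst:
        return "ACCEPT"  # intra-zone traffic (assumption of this model)
    return "ACCEPT" if ZONES.index(src) < ZONES.index(dst) else "DROP"


@dataclass
class Firewall:
    # Explicit rules (as created on the Firewall Rules page) override the
    # default policy; first matching rule wins (assumption of this model).
    rules: List[Tuple[str, str, str]] = field(default_factory=list)

    def verdict(self, src: str, dst: str) -> str:
        for rule_src, rule_dst, action in self.rules:
            if rule_src == src and rule_dst == dst:
                return action
        return default_policy(src, dst)


def audit(fw: Firewall) -> List[Tuple[str, str, str]]:
    """List every zone pair where a rule turns a default DROP into ACCEPT,
    i.e. where a less privileged zone gains access to a more privileged one.
    Such findings are the rules worth reviewing before enabling them."""
    findings = []
    for src in ZONES:
        for dst in ZONES:
            if default_policy(src, dst) == "DROP" and fw.verdict(src, dst) == "ACCEPT":
                findings.append((src, dst, "weakens default policy"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a rule letting the DMZ reach the LAN, which the audit flags.
    fw = Firewall(rules=[("ORANGE", "GREEN", "ACCEPT")])
    print(audit(fw))  # prints [('ORANGE', 'GREEN', 'weakens default policy')]
```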

Main features:

  • Advanced network configuration (bridges, bonds, aliases, etc.)
  • Multi WAN support (up to 15)
  • Firewall rules management
  • Traffic shaping (QoS)
  • Port forwarding
  • Routing rules to divert traffic to a specific WAN
  • Intrusion Prevention System (IPS)