From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Multiple green networks
Date: Wed, 11 Sep 2013 23:38:59 +0200
Message-ID: <1378935539.8623.8.camel@rice-oxley.tremer.info>
In-Reply-To: <assp.0965e13d2c.522E84AD.8000902@dailydata.net>

On Mon, 2013-09-09 at 21:32 -0500, R. W. Rodolico wrote:
> I agree that for most small businesses and individuals, having multiple
> green networks is not necessary.
>
> I came up with the idea when comparing IPFire to some other small/medium
> business routers like the Juniper. With them, you just have a bunch of
> ports, and you set up one or more ports to be LAN and one or more to be
> 'net, and one or more to be DMZ. I was wondering how difficult it would
> be for IPFire, and it sounds like it would be very difficult.

That is not very difficult to do. The limitation that keeps us from
doing that is the web user interface where almost anything is hardcoded.
Adding an additional zone or working with a variable number of zones
would require a complete rewrite (because modifying already existing
code will take much more time, I reckon).

The rewrite of the web user interface will happen with IPFire 3, but not
for IPFire 2 any more. There are also other limitations which require a
lot of work in almost every spot of the code (e.g. IPv6), so we don't
think it would be worth the time doing this for IPFire 2.

>
> Question: We already have this partially. I could create a blue and a
> green, then set up rules between them. Correct? In many locations, they
> don't use the blue interface. It seems if I set up Blue to automatically
> allow connection (like the green does), ie find the code that restricts
> access to the blue network unless specifically given, then remove that,
> it would in essence be another green. Am I wrong?
Yes, this would be essentially the same. Indeed configuring this will
become very easy with the new firewall GUI.
> Anyway, like I said, I was just thinking. I had to work with some
> Juniper routers the other day and was intrigued by the idea.

Sure. Keep these kinds of ideas coming. I am always happy to hear about
your needs as a network admin. I won't promise anything, but it
helps me prioritize my list of things I need to do.

-Michael

>
> Rod
>
> On 09/04/2013 04:42 AM, Michael Tremer wrote:
> > Hey,
> >
> > sorry that I reply that late...
> >
> > Extending IPFire to manage more LAN interfaces than just BLUE and GREEN
> > is pretty hard to do if you want to use features like the DHCP server,
> > DNS proxy and so on...
> >
> > In most of the cases, people don't need multiple separate LAN segments.
> >
> > So, the answer to your question is no, unless you want to do a lot of
> > configuration on your own.
> >
> > -Michael
> >
> > On Wed, 2013-08-28 at 12:06 -0500, R. W. Rodolico wrote:
> >> Does anyone know if we have the ability to run multiple green networks
> >> on a router? I have a current situation where I need two LANs I would
> >> like to run off the same router. They should have no connections between
> >> them (unless I set up a firewall rule).
> >>
> >> Is this possible?
> >>
> >> Oh, is this even the correct list to send this question to?
> >
> > Support questions can also be posted on the forums, where more people
> > are around and will reply much quicker.
> >
> >>
> >> Rod
> >> _______________________________________________
> >> Development mailing list
> >> Development(a)lists.ipfire.org
> >> http://lists.ipfire.org/mailman/listinfo/development
> >