* Home Help Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 01 November 2024, 03:43:01 pm

Login with username, password and session length

Download the latest community FREE version  HERE
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Multiple zones with VLAN		 0 Members and 3 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Multiple zones with VLAN  (Read 19516 times)
nir1978
Jr. Member
*
Offline Offline

Posts: 7
« on: Tuesday 10 April 2012, 03:14:31 pm »
Hello

I have 2 interfaces in my endian FW 2.5.1 community version.

One is used for WAN (connected to ADSL Router) and other to the local network. I have segregated the network using VLANS on the switch (3 VLANS)

One VLAN is for Servers, one for normal users and other I call it "cube" is restricted to its own network.

Normal Users can access internet, server segment as well as the "cube".

Server segment will have internet access and some server in User segment.


Now on the Endian part. since I have only 1 interface left for Green Zone, how can I create more zones using VLAN as I do not get any option for creating zones.

please help me !!!!
Logged
timupci
Full Member
***
Offline Offline

Posts: 34
« Reply #1 on: Wednesday 11 April 2012, 06:36:39 am »
They are not the same. VLANs are used to segment your network with out having to have multiple cables for each lane. Hence the Virtual Local Area Network.

In the Endain Firewall, each "Zone" is a Subnet.
Logged
ewitcher
Jr. Member
*
Offline Offline

Posts: 1
« Reply #2 on: Friday 08 June 2012, 02:30:55 pm »
While you are absolutely right (timupci) about VLANs and ZONEs being different, I think I would tend to agree more with Nir1978. EFW completely marries the two when it comes to what is commercially accepted as the "standard" way of using VLAN. Also, by the protocol's very nature, each VLAN has its own subnet as well (at least when I use them).

The average product (OTHER THAN EFW) that offers VLAN capabilities, also offers the following abilities:

1. Assigning a direct IP to the VLAN interface (not bridged / br0), allowing for each VLAN member to be assigned a default gateway that ACTUALLY EXISTS in the router. While this could be done with a bridge (e.g. br0.10 for VLAN 10), the bridge would then requires additional firewall rules due to the GAPING security hole it introduces. The firewall rules would then waste valuable resources (CPU, memory, etc.). This seems like a wasteful method to me. It's worth noting here that the bridging technique is what EFW uses.

2. Creating multiple subnets in the DHCP pool to support as many VLANs as needed. EFW Zones are brought up often in the VLAN/DHCP subject, as they are currently the only way (I believe) to assign different DHCP subnets to the VLANs.

3. Security / Firewall rules for VLANS.

4. and a lot more.

The only way that I understand to get these capabilities in EFW is to use the zones outside of their intended use case (i.e. DMZ, Wi-Fi, etc.) Furthermore you could really only do it for up to four VLANs (including WAN). As an example of how truely moronic this can be, I'm currently working on a job at a university that would greatly benefit from the firewall and content filtering in EFW. However, they have 96 trunked VLANs (in standard Cisco style configs), making EFW basically useless as a standalone solution. Keep in mind that I could always hack the config files; using  vconfig, brctrl, and ip/ifconfig to set the VLAN interfaces, while (more or less) completely destroying the dhcp.conf file (template) to accommodate them all, but alas, I would also destroy the ability to manage the EFW from the web interface, meaning that my customer(s) would have no recourse.

To be fair, it's like the most important parts of VLAN is directly in conflict with the zones. This leads to one of two options (in my opinion):

1. Allow for the creation of additional zones. This would be a band-aid, as all it would accomplish is giving the capabilities back VLAN, the very ones they should have had all along.

OR

2. Pull the EFW fork even further away from IPCop by finally (once and for all) abandoning the zone concept all together. I know I'm speaking blasphemy here, but think about it. We could actually have all of the incoming, outgoing, and inter-zone (though would now be called interface to interface) rules, configs and capabilities that we have now, but multiplied by however many physical or virtual interfaces that we have. This would also require the ability to edit IP Addressing (and other configs) out side of the Network Configuration Wizard, but I believe that as an "advanced" option, this would be a welcome change too.

All in all, IPCop's zone concept was great for it's time, but is now the monolithic and thick headed 800 pound gorilla holding us all back. Until then, EFW will never be able to perform as a true gateway device in the real enterprise. It is also worth noting that 85% of most VLANs that I've created or encountered would technically be considered the GREEN zone. Just saying.

Please hold your flaming, but I welcome disagreement here. I would love to learn that I'm flat wrong, so teach me!

Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.047 seconds with 17 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com