High Performance Firewall

From ArchWiki
Revision as of 18:59, 11 October 2007 by CarLost (talk | contribs) (High Performance Firewall/NAT with iptables and VLANs and iproute2)

High Performance Firewall/NAT with iptables and VLANs and iproute2


Hi, this is my first attempt at writing a wiki document, so be warned: it may contain some errors or misunderstandings.

Imagine this: you have more than two networks, separated by VLANs (IEEE 802.1Q), delivered to you by a managed switch over a single trunk line at 10/100/1000 Mbit/s, half or full duplex (naturally, 1000 Mbit/s full duplex is best).

You have to share Internet access with a really BIG number of hosts while maintaining good performance. The first choice is to split the networks across an equal number of ports, and possibly across an even larger number of firewall machines. This is not really cost effective, but it works.

The second option is what I did. The story of how this began is related to an emergency: a group of Cisco PIXs burned out/crashed/went down. I won't go deeper into that.

The facts:

I have about 4 networks with a /21 mask, i.e. 8 class C networks each!!! That is a lot of MAC addresses and, even more dangerous, a really large amount of BROADCAST traffic. This is insane, but this is the way my company works.
They gave me 30 public IP addresses in 3 groups.
And a machine, a small one, no big deal... just for testing. Later (after about 8 months) we changed the PC and put in a real monster.
Later we added a class C network with a growing number of routed subnets... PLUS!!!!

The work

VLAN support