Because we will need to scale the system (and because of the space limitations of the 1U firewall PCs), physical interfaces have been pretty much ruled out.
Do you know how netfilter will handle the VLAN interfaces? i.e. I use fwbuilder (I can't say enough good things about this program, http://www.fwbuilder.org/) for managing rules, and would like to then assign per-interface rules limiting the subnets that are allowed to traverse the interface.
As you pointed out, netfilter shouldn't be a real issue, as 90%+ of all traffic will be across the VPN tunnel and thus routed, not NATed. The rest will be connectionless.
Thanks.
On 22-Jul-04, at 4:43 AM, Kresimir Sparavec wrote:
Sean,
the main complexity in your setup will probably come from the fact that you want to use VLANs on firewall machines. That means you need one virtual interface per VLAN (that is the only way known to me to get packets tagged on layer 2). Of course, that also means you have to deal with each and every one of these interfaces on layer 3 (routing and firewalling). Any solution which hopes to scale with the growing number of VLANs has to solve this problem. I'm working on a very similar setup to yours and I still do not see a simple and elegant way to deal with this problem. Of course, if the number of networks is limited to three or four, then you won't have too much trouble (actually, in that case I would rather use separate physical interfaces instead of VLANs).
The second problem is that netfilter does not offer the connection tracking synchronization features present in expensive commercial products. That is usually not a problem, because much of the traffic is single request-response (think HTTP), but when one machine goes down, the state information gets lost. Anyway, you can still build a pretty nice solution with keepalived or heartbeat.
Kresimir
Sean McAvoy Network Analyst Megawheels Technologies Inc.
Phone: 416.360-8211 x242 Fax: 416.360.1403 Cell: 416.616.6599
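The per-interface subnet restriction Sean asks about, and the "one virtual interface per VLAN" point Kresimir raises, come down to the same thing on the firewall: each 802.1Q sub-interface gets its own FORWARD rules that accept only the subnet that really lives behind it and drop everything else (ingress anti-spoofing), plus strict reverse-path filtering on that sub-interface. The script below is an added example written for this thread, not code from either poster or from fwbuilder; the interface names (eth0.10, eth0.20) and subnets are constructed, and the script prints the commands rather than executing them so the generated rule set can be reviewed (or fed into fwbuilder) before it is applied.

```sh
#!/bin/sh
# Added example (not from the thread): generate per-VLAN netfilter rules that
# pin each 802.1Q sub-interface to the one subnet allowed to enter through it.
# Sub-interface names and subnets here are constructed for illustration; the
# sub-interfaces themselves would be created beforehand (vconfig add eth0 10).

# Emit the commands for one VLAN sub-interface.
#   $1 = sub-interface (e.g. eth0.10)
#   $2 = subnet expected behind that sub-interface
gen_vlan_rules() {
    iface=$1
    subnet=$2
    # Kernel-level reverse-path check: a packet arriving on this sub-interface
    # whose source would not be routed back out through it is discarded.
    echo "sysctl -w net.ipv4.conf.$iface.rp_filter=1"
    # Only the subnet that lives behind this VLAN may be forwarded from it.
    echo "iptables -A FORWARD -i $iface -s $subnet -j ACCEPT"
    # Anything else entering through this sub-interface is spoofed or
    # misconfigured; drop it.
    echo "iptables -A FORWARD -i $iface -j DROP"
}

# Read "iface subnet" pairs on stdin (blank lines and # comments skipped)
# and emit the rules for each one.
gen_all_rules() {
    while read -r iface subnet; do
        if [ -z "$iface" ]; then
            continue
        fi
        case $iface in
            \#*) continue ;;
        esac
        gen_vlan_rules "$iface" "$subnet"
    done
}

# Constructed VLAN-to-subnet table; one line per sub-interface.
VLAN_TABLE="# iface    subnet
eth0.10 10.0.10.0/24
eth0.20 10.0.20.0/24"

# Count how many ACCEPT rules the table produces (one per VLAN).
count_accept_rules() {
    printf '%s\n' "$VLAN_TABLE" | gen_all_rules | grep -c -- '-j ACCEPT'
}

# Print the full rule set for review; pipe into sh only once it is checked.
printf '%s\n' "$VLAN_TABLE" | gen_all_rules
```

Because the rules are keyed on the sub-interface (`-i eth0.10`) rather than on the parent NIC, adding a VLAN is one more line in the table, which is the part of the scaling problem that is mechanical; the layer-3 bookkeeping Kresimir describes (routes and policy per VLAN) still grows with the VLAN count.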