Right now I have the servers on their own and my internal network is routed using an OpenBSD box.
Doing it for a single external IP is manageable to me; the thing is the leap to doing it for multiple public IPs. I do know I have some heavy reading ahead, and I look forward to it. Any recommendations are very much appreciated.
I did what you mentioned with a multi-function CentOS machine for the longest time, then when I got multiple static IPs I decided to route my internal network with Debian. After a while, decided to try IPFire/pfSense/OPNsense, but it wasn't long until I got tired of the GUI. So Adam mentioned OpenBSD is the thing if you want security, and I've been looking for ways to get my feet wet on the BSDs besides purpose-built ready-to-go packages such as *sense. And here I am.
I used to do one-box-for-everything as well, mostly because I didn't have a lot of equipment to begin with. However, I see lots of people talking about security, and I can see that having things in separate places reduces the impact if any of them were to be breached. Also, I am kind of OCD with my hardware. It sucked having my wife screaming on one side and family calling on the other because I knocked off the lone box whenever I wanted to dust its fans. At least now I can pick my battles =D
Alberto Abrao 204-202-1778 204-558-6886 www.abrao.net
On 2020-03-30 5:04 p.m., Trevor Cordes wrote:
You can do all this with Linux quite easily. It's a bit to delve into, though, if you want to handle and route multiple IPs, NATing some, etc. The interface, iptables and route stuff will start to get complex.
But then you get fun features like qos (tc command), like you said.
I'd say find a way to start slow. Like start making your single-connection-point firewall first without putting any boxes behind it. Then move them behind it one by one as you add more setups/features to the firewall.
Some will say use OpenBSD for all of this, but I say use Linux. Or, more accurately, use what you know and are good at. It'll be easier to get a grasp of things if you're already partway there.
Also, I always recommend "rolling your own" using basic utilities rather than using some pre-made "simple" firewall/router distro. But that's mostly because I like my boxes to serve many duties, not one just for firewall, one just for NAS, etc. Plus, you learn more doing it yourself, and have ultimate flexibility. With a purpose-made distro you'll eventually run into something you want to do that it can't.
My 2c. YMMV!

_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable
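The "multiple public IPs, NATing some" case that the two messages above circle around, as an added example that is not part of the thread and not either poster's configuration: a POSIX shell script that generates the address commands and an nftables ruleset (nftables being the current Linux successor to the iptables Trevor mentions) for a router that owns several public IPs and forwards each extra one 1:1 to an internal host, while everything else on the LAN shares the primary IP. The interface names eth0/eth1, the 203.0.113.0/24 addresses (the TEST-NET-3 documentation range) and the 192.168.10.0/24 LAN are all constructed for the example; the script only prints what you would run, it does not touch the system.

```shell
#!/bin/sh
# Added example (not from the thread): emit the `ip` commands and nftables
# rules for a Linux router with several public IPs, 1:1 NAT for some of them
# and masquerade for the rest. All names and addresses are constructed.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
# Extra public IPs, one per internal host, as "public:private" pairs. The
# primary public IP is assumed to be on $WAN already and carries the masquerade.
MAPPINGS=${MAPPINGS:-"203.0.113.11:192.168.10.11 203.0.113.12:192.168.10.12"}

# Sanity check: each pair must look like v4:v4 (octets are not range-checked),
# and no public IP may appear twice, because only the first DNAT rule for a
# given address would ever match and the second host would silently get nothing.
check_mappings() {
    seen=""
    for m in $1; do
        case "$m" in
            *:*:*|*[!0-9.:]*|:*|*:) echo "bad mapping: $m" >&2; return 1 ;;
            *:*) ;;
            *) echo "bad mapping: $m" >&2; return 1 ;;
        esac
        pub=${m%%:*}
        case " $seen " in
            *" $pub "*) echo "duplicate public IP: $pub" >&2; return 1 ;;
        esac
        seen="$seen $pub"
    done
    return 0
}

# The extra public IPs must exist on the WAN interface so the router answers
# ARP for them (assumes the ISP delivers the block on the same link as the
# primary address, which is the usual "block of statics" arrangement).
gen_addr_cmds() {
    for m in $1; do
        echo "ip addr add ${m%%:*}/32 dev $WAN"
    done
}

# Emit the nftables ruleset. Order in postrouting matters: snat and masquerade
# are both terminating, so the per-host snat rules must come before the
# catch-all masquerade or every host would leave stamped with the primary IP.
gen_nft_ruleset() {
    echo "flush ruleset"
    echo "table ip nat {"
    echo "  chain prerouting { type nat hook prerouting priority dstnat;"
    for m in $1; do
        echo "    iif \"$WAN\" ip daddr ${m%%:*} dnat to ${m##*:}"
    done
    echo "  }"
    echo "  chain postrouting { type nat hook postrouting priority srcnat;"
    for m in $1; do
        echo "    oif \"$WAN\" ip saddr ${m##*:} snat to ${m%%:*}"
    done
    echo "    oif \"$WAN\" ip saddr $LAN_NET masquerade"
    echo "  }"
    echo "}"
    echo "table ip filter {"
    echo "  chain forward { type filter hook forward priority filter; policy drop;"
    echo "    ct state established,related accept"
    echo "    iif \"$LAN\" oif \"$WAN\" accept"
    # Only flows the nat table already rewrote may reach the mapped hosts;
    # add per-host port matches here once you know which services they run.
    echo "    iif \"$WAN\" ct status dnat accept"
    echo "  }"
    echo "}"
}

main() {
    check_mappings "$MAPPINGS" || exit 1
    echo "# run the following as root:"
    echo "sysctl -w net.ipv4.ip_forward=1"
    gen_addr_cmds "$MAPPINGS"
    echo "nft -f - <<'EOF'"
    gen_nft_ruleset "$MAPPINGS"
    echo "EOF"
}

main
```

Run it with `MAPPINGS="pub1:priv1 pub2:priv2" sh gen_multi_ip_nat.sh` and review the output before piping it into a root shell; the forward chain intentionally starts at policy drop with only the three rules shown, which is the "start slow, then move boxes behind it one by one" approach from the reply.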