I have been looking in the wiki, and googled, and I think what I am after is simple, but I would like to verify.
Basically, I’ve got a piece of equipment which is susceptible to DoS (or rather, repeated failed login attempts to SSH make it hang, and SSH cannot be disabled), is out of support, and I really cannot motivate the cost to replace it. It is just my own colocated little VMware box on a very old Supermicro server with a “&%¤”!!! IPMI module.
So, I want to drop a transparent firewall in front of it. The CRS125 is pretty much the cheapest rackmountable piece of kit I have come across, so I figured it would do nicely.
On the upstream side, I have a /27 network, and the provider will not issue a new link net, hence the need for transparent.
I want the CRS to be manageable on one of my available IP addresses, let all traffic through untouched, except for traffic to one IP in my net, to which access would only be allowed from a specific subnet.
Should be easy enough? Right? But I am still missing the eureka moment when I realize just how to set this up.
I guess I should start by defining port 2 as a master, and link 3-5 as slaves to 2 (for the links to the equipment)?
I guess I then need to create a bridge between 1 and 2 and assign the bridge my “Management IP”?
Depends on the load you want to pass through. Maybe using a switch to do bridging firewall is not a good idea due to expected low performance. If it is not your concern, implement the brute force rule set with address lists. Use the search function to find some examples.
Well, I have a 100 Mbps pipe, but usually I see nowhere near that load. And with a handful of rules I think it should cope? Yes, an 1100 would be better. But I have the CRS lying around.
If you can use routing mode instead of bridging, it will be much faster, and 100 Mbit should not be such a problem. You need to test to see what fits your needs.
Oh. I have just checked the bridge firewall filter rules and it seems it is not able to use address lists. I am afraid, you cannot use bridge firewall for what you want.
A CRS-125 bridges 100Mbps without problems.
But still, do you really need that bridge?
Don’t forget, the switch chip can do some filtering in hardware on the CRS…
Yes, you are right. Not supported on this switch chip.
But why did I remember that I could set them on one of the early CRS firmwares?
And why is that menu there in the first place?
For example, the RB951Ui integrated switch chip does not support rules, but the options are available; only when you try to create a rule does the message appear. On the RB951G the rules apply OK.
Because of that, it is important to check the switch functions available on the wiki.
I may have been looking at this the wrong way. I don’t really need bridging. I could change the IP of my IPMI management card, and use the third NIC on the machine for management traffic. Hence, I could NAT those two interfaces, and just connect the current NIC straight to the switch. (What I can NOT do is change the IP config of most of the virtual machines.)
Sooo, then (if we’re still looking at CRS125… or maybe a 2011UiAS-RM)
I need Port 1 as master, Port 2 as slave to Port 1. (1 to upstream switch, 2 to the current interface)
Then I need 3 as master, and 4-5 as slaves for my “internal” switch, which I connect to the IPMI interface and the other NIC, which will now handle only management traffic for VMware.
Switching 1-2 should be wire-speed, right, and 3-5 should be like any other “Home NAT”… right? Then a few access rules and I should be golden?
I received the 2011UiAS-RM that I had overnighted from Euro DK. And it appears my “kludge” works nicely. Ports 1-2 as a switch, and the troublesome NICs behind a NAT.
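A RouterOS 6.x configuration sketch of the final layout from the last post (ports 1-2 hardware-switched, the IPMI module and management NIC behind NAT on ports 3-5, management reachable only from one subnet). This is an added example, not configuration posted in the thread; the interface names, the documentation-range addresses, the internal IPMI address 192.168.88.2, and the pre-6.41 `master-port` syntax are all assumptions.

```routeros
# Constructed layout for this example:
#   ether1 -> upstream switch, ether2 -> the VMware host's production NIC
#   ether3..ether5 -> IPMI module and the host's dedicated management NIC
#   Public /27: 203.0.113.0/27; router management IP 203.0.113.10
#   Management allowed only from 198.51.100.0/24
#   Internal NAT LAN 192.168.88.0/24, IPMI module at 192.168.88.2

# Switch group 1: ether1 + ether2 switched in hardware at wire speed
/interface ethernet
set ether2 master-port=ether1
# Switch group 2: ether3 master, ether4/ether5 slaves, for the management LAN
set ether4 master-port=ether3
set ether5 master-port=ether3

/ip address
add address=203.0.113.10/27 interface=ether1 comment="router management IP on the public /27"
add address=203.0.113.11/27 interface=ether1 comment="public IP published for the IPMI module"
add address=192.168.88.1/24 interface=ether3 comment="internal management LAN"

/ip route
add gateway=203.0.113.1 comment="provider gateway (assumed)"

/ip firewall address-list
add list=mgmt-allowed address=198.51.100.0/24 comment="only source allowed to reach router and IPMI"

/ip firewall nat
# Outbound from the management LAN hides behind the router's public IP
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade
# Inbound to the published IP is translated to the IPMI module only for the allowed subnet
add chain=dstnat dst-address=203.0.113.11 src-address-list=mgmt-allowed \
    action=dst-nat to-addresses=192.168.88.2

/ip firewall filter
# Traffic to the router itself: keep existing flows, trust the internal LAN,
# accept management only from the list, drop everything else (incl. SSH/WinBox probes)
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 action=accept
add chain=input src-address-list=mgmt-allowed action=accept
add chain=input action=drop comment="router not reachable from untrusted sources"
# Forwarded traffic: existing flows pass; new inbound flows reach the IPMI module
# only from the allowed subnet; any other new inbound flow from upstream is dropped
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new dst-address=192.168.88.2 \
    src-address-list=mgmt-allowed action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
```

The production NIC on ether2 is not touched by any of these rules, since ether1/ether2 traffic is switched in hardware and never reaches the router's firewall.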