
Re: Advise on setup of small office locally or via VPS



On Tue, 17 Mar 2015 11:22:29 +0000, Linux4Bene wrote:

> Hi,
> 
> Local setup
> ===========
> I would connect a Debian box with 3 nics to the ISP router to serve as
> firewall. 1 nic for WAN, 1 for LAN, 1 for DMZ. I have always used
> iptables to do this. The wan nic would have 1 public IP, LAN
> 192.168.1.0/24,
> DMZ 172.16.1.0/24.
> 
> DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and
> SMTP gateway. I would keep the free DNS for added redundancy. On the LAN
> part, I would put a file server, local DNS and some internal web apps.
> 
> This raises some questions:
> - What device could I use for the firewall? I don't want to use an old
> computer as I have some public services and need a reliable service.
> I'm open to using an appliance as well. Any links or info is welcome.
> Any easy way to have these devices redundant?

Didn't you just say that you were using a Debian box as your firewall/
router?

Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're 
really nice - based on Vyatta 6.3, rival bigger names in terms of routing 
performance, and are cheap ($100 for the 3-port model "ER Lite", and 
under $500 for the 8-port "ER-8".  There's also a "PRO" variant of the 8-
port that includes 2 SFP ports that're shared with 2 of the copper ports, 
and a 5-port model with PoE, but this is really only the ER Lite with a 
switch in the same case, so it's 2x routing ports + 3x switch ports, and 
might not fit in your situation).  

Here's the Datasheet for their routers --> 
http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

It's not "difficult" to get redundancy, though depending on the levels of 
redundancy you're after, it can get a bit complex. 

Easiest route is a cold spare -- buy a second of whatever router, config 
it exactly the same way, and then shut it down for use if / when the 
first one dies.

Though you could always scale to multiple WAN connections spread across 
multiple routers, with OSPF / iBGP being used to manage the routes... but 
this is probably a bit much for a small business.


> 
> - I would only allow some traffic (mail for instance) from the DMZ to
> the private LAN. LAN could access the DMZ. Any downside to this security
> wise?

If I'm understanding your plan, no, this shouldn't pose any problems.

> 
> - If I have multiple public IPs, I would assign each public machine a
> public IP. I assume it's the ISP's job to redirect the IPs in my range
> to their router in my office. I could then map the public IPs to a
> private IP by prerouting all allowed traffic on the public IP to the
> private IP address of the machine in the DMZ.

Depends on how their router is configured, but this sounds about right.  
That said, in 99.5% of cases that I've seen the ISP-provided routers are 
absolute rubbish, and should be relegated to bridge-only mode so that you 
can use a better (i.e. more configurable) device to handle the tasks.

> - My mail service (only used for my own purposes right now) consists of
> Postfix, Clamav, Pyzor, Razor, Spamassassin, with authentication
> provided by Dovecot. Domains, users and aliases are stored in a
> Postgresql database. Security wise it would be better to place this set
> up in the LAN part, and put a SMTP gateway in the DMZ to receive mail,
> and have the gateway forward the mail to the setup I just described.
> The SMTP gateway should have the same parts (Clamav, Spamassassin, ...)
> but just not store the mail locally. Any thoughts on this kind of setup?

If the email server is public already (in the DMZ zone), you'll probably 
have an easier (and still secure) time if you just have the clients using 
STARTTLS to access THAT server.  Not that you couldn't set up a gateway / 
relay, but there is much to be said about the KISS principle.  

> - I have Roundcube (webmail) installed as well. I think I could handle
> this by forwarding the requests from firewall to the internal mail
> server.
> Not sure if this is the safest way to do this.
> One can of course argue about web mail in the first place.

Again, might be easiest (best) to keep the entire mail service in the 
DMZ, including webmail.

> 
> - Central user and document management.
> I would like to have a space on the file server where people could store
> their own and shared documents. I think I would need NFS for this
> (haven't used this before). The docs might need to be accessible from
> Windows as well, although I really would like to only use Debian
> machines for my own people. Otherwise, this would mean using Samba.

If you need / want access to the file server from Windows hosts, I'm 
pretty sure Samba is your only solution.

> My mail users are in a Postgresql database. I would like to keep it that
> way if I would ever provide mail to customers.

Sure. If you're selling email services, then you might need a dedicated 
DB box, but that's not exactly 'difficult'.

> I can see LDAP being useful to have central authentication.
> It can be a challenge to setup though. Are there other ways of having a
> simple central authentication?

LDAP, and a couple of books on the subject. ;)


> 
> I have thought about using a document management system from the start.
> But I have only experience with commercial ones and that might be
> overkill from the start. Besides, they are Windows based.

You mean like git?

> 
> VPS
> ===
> The other way I could go is by using multiple VPS servers (or renting
> dedicated servers). I could connect them with OpenVPN. I have no
> experience with that.
> But this would also mean I would have my file server online.
> Then I definitely would need to setup a permanent connection from the
> office firewall to the online server.

File server should be local. However, there's no reason that you could 
not set up a local file server, and still run other services (e.g. email) 
off a VPS.

> 
> Might make it a bit harder to fully manage reverse dns. As for my
> current VPS, I had to ask my VPS supplier to insert a reverse DNS record
> for my mail server as I don't own the range and as such, can't set the
> reverse DNS. If I would want to manage this myself, I would need to
> reserve a small range with the VPS supplier.
> I probably wouldn't need those in the case of receiving a range of
> public IP addresses from the ISP that provides the company internet
> line.
> If I would use these public IPs, I wouldn't need the VPS range, and I
> could manage my own reverse DNS and have the firewall forward the
> traffic from these public IPs to the private IPs (well also public
> IPs because you get a public IP with every VPS) of the corresponding
> VPSes over the OpenVPN connection?

I'm honestly not sure where you intended to go with this one?  
Realistically, you can do most (all) of what you want to do with a single 
public IP from your ISP.  Multiple IPs just make it easier to work with.

Depending on your ISP and their policies, you may need to work with them 
to get the reverse DNS entries added.
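As an added illustration of the WAN/LAN/DMZ layout the original poster describes (not code from either participant), this script generates an iptables-restore ruleset that DNATs each public IP to its DMZ host in PREROUTING, lets the LAN reach the DMZ, and allows only SMTP from the DMZ gateway into the LAN. The interface names, the internal mail server address and the 203.0.113.x public addresses are assumed placeholders.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for the WAN/LAN/DMZ box in the thread.
# Interface names, the internal mail server address and the 203.0.113.0/24
# public addresses (RFC 5737 documentation space) are assumed placeholders.
WAN=eth0; LAN=eth1; DMZ=eth2; LAN_NET=192.168.1.0/24
MAIL_SERVER=192.168.1.25          # internal Postfix/Dovecot box (assumed)
# public IP, DMZ host, protocol, exposed ports: web + DNS 1, SMTP gw + DNS 2
PUBLIC_MAP='203.0.113.10 172.16.1.10 tcp 80,443,53
203.0.113.10 172.16.1.10 udp 53
203.0.113.11 172.16.1.11 tcp 25,53
203.0.113.11 172.16.1.11 udp 53'
rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule '*nat'; rule ':PREROUTING ACCEPT [0:0]'; rule ':POSTROUTING ACCEPT [0:0]'
    # Map each public IP to its DMZ host before routing (the "prerouting" step).
    echo "$PUBLIC_MAP" | while read -r pub priv proto ports; do
        rule -A PREROUTING -i "$WAN" -d "$pub" -p "$proto" \
             -m multiport --dports "$ports" -j DNAT --to-destination "$priv"
    done
    # Traffic a DMZ host originates (outbound mail) leaves with its own public
    # IP, so the reverse DNS record discussed in the thread matches.
    echo "$PUBLIC_MAP" | awk '!seen[$1,$2]++ { print $1, $2 }' \
        | while read -r pub priv; do
        rule -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
    done
    rule -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    rule COMMIT
    rule '*filter'; rule ':INPUT DROP [0:0]'; rule ':FORWARD DROP [0:0]'; rule ':OUTPUT ACCEPT [0:0]'
    # The firewall itself: loopback, replies, and SSH from the LAN only.
    rule -A INPUT -i lo -j ACCEPT; rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN may reach both the DMZ and the internet; DMZ may reach the internet.
    rule -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    rule -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    rule -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
    # DMZ -> LAN: only the SMTP gateway relaying to the internal mail server.
    rule -A FORWARD -i "$DMZ" -o "$LAN" -s 172.16.1.11 -d "$MAIL_SERVER" \
         -p tcp --dport 25 -j ACCEPT
    # WAN -> DMZ: only DNATed ports (the filter table sees the DMZ address).
    echo "$PUBLIC_MAP" | while read -r pub priv proto ports; do
        rule -A FORWARD -i "$WAN" -o "$DMZ" -d "$priv" -p "$proto" \
             -m multiport --dports "$ports" -j ACCEPT
    done
    rule COMMIT
}
case "${1:-}" in --print) gen_rules ;; esac   # ./fw.sh --print | iptables-restore
```

Review the generated text with `--print` before loading it; the INPUT policy is DROP, so the SSH rule is what keeps the box reachable from the LAN.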



