multiport firewall AND L3 switch/VLANs... redundant?

xyyz

Diamond Member
Sep 3, 2000
i picked up a brand spanking new SMC Tigerswitch 10/100 6716L3 switch from someone who didn't know it's value... don't ask how much i paid... you'll either be shocked or get really pissed off and say that i ripped the person off... which i didn't... 'cause he mentioned the price... i simply paid him.

anyways... i digress.

so... i have setup an OpenBSD firewall with a system with 5 interfaces. each interface, as you obviously have determined, has a different network element (servers, internal, external, router, mystery).

now this is a HUGE assumption... but i figured since all these networks were connected to one device, that device would be able to route traffic to each network based on the pf.conf file. i'm assuming i don't need to enable any type of routing since it's routing traffic between its own interfaces.

so now i have this layer 3 switch, which not only does VLANing... but since it is a layer 3 device, i'm assuming it can route between the VLANs w/o the need for another layer 3 device.

so now here's the question. should i simply have the switch route traffic between the VLANs, fulfilling its role as a layer 3 device, or should i simply isolate the networks with the VLAN and have all traffic forwarded to the firewall to be routed?

is this a redundancy? i know that i have more control with ACLs on the firewall. this switch model doesn't support ACLs the way its replacement does.

also, will i need to enable 802.1Q on the OpenBSD box to allow for inter-VLAN communication? i know normally, you need to because of the larger framesize, but does OpenBSD compensate for this w/o the need for extra configuration?
 

mboy

Diamond Member
Jul 29, 2001
Although you will get faaar better advice from Scottmac, Cmetz and some of the other gurus, I would personally use the switch to create and isolate the VLANs and let the BSD box handle the routing/ACLs.
 

xyyz

Diamond Member
Sep 3, 2000
hmmm... Scottmac's advice is always golden.

So you're pretty much suggesting the way I want to do it then...
 

Garion

Platinum Member
Apr 23, 2001
Yep, you're right on. A firewall-on-a-server has a lot of overhead and won't perform nearly as well as a layer 3 switch, plus it will be much more difficult to manage. Also, if you have a firewall with 5 interfaces, you'll have to deal with firewall rules between those - Much more difficult.

The "traditional" way to do this is to build your firewall with an "Inside" and an "Outside" interface - Inside obviously goes to your switch and Outside goes to the Internet. You can either make a dedicated VLAN between the switch and the firewall or you can just put it into one of the existing VLANs. Makes little difference either way.

One thing to keep in mind, however, is routing. Your firewall will have a default route out to the Internet. If you have an internal router (L3 switch), you'll need to assign static routes to the firewall to make sure those networks get routed inside instead of out to the Internet.

- G
 

xyyz

Diamond Member
Sep 3, 2000
the OpenBSD box isn't anything other than a firewall. it's an Ultra 1 200e w/128mb. i hope this won't be overloaded. it's only going to service 4-6 machines.

as for the pf.conf, you're right it was a bitch to deal with... however, that's been taken care of thanks to some really helpful people. the access is pretty straightforward. i was able to get a new 4-port 10/100 sbus card for a good price, so i figure i might as well use all the interfaces. this also gives me a bit more control. for example, i have one network where i'll keep my router pod that will only allow for inbound telnet access to the access server. then you have another network, which will only allow for http and https services.

this is for a non-production environment, therefore, anything beyond what is needed is classified as a learning experience, and i don't mind having those.

in looking at this layer 3 switch, it seems to be VERY rudimentary, which is another reason I rather have the OpenBSD box handle the routing between networks.
 

cmetz

Platinum Member
Nov 13, 2001
xyyz, you can configure the OpenBSD router to be "one-armed" off the switch using an 802.1Q VLAN tagged link. That is, you only need one physical interface, and it can be as many logical interfaces as you need. This introduces MTU and hardware/device driver complexities that you won't have to deal with if you just already have enough interfaces, and I don't think you're going to be doing much else with the sbus quad-hme, so you might as well just use physical Ethernet interfaces and avoid all the potential hassles.

The L3 switch should do IP forwarding at line rate, cache-flow (that is, fast path is line rate). It might or might not do anything else useful - I don't believe that model you have has any hardware L3/L4 ACLs that you the user can program. So use it only to route between internal VLANs.

The OpenBSD box will not be able to do anywhere near line rate, but you can do a lot of ACLs and stateful flow stuff on it. pf is incredible at what it does. Best to use this to face the outside world, and to wrap the public-facing servers.

I suggest that you connect the external to the firewall, and the public facing servers VLAN (which may be a L2-only VLAN on the switch, just don't let it forward!), and then a port to be the "internal handoff" subnet, which the switch will need an IP address on. Then break out your internal VLANs on the switch and enable forwarding.
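A pf.conf that implements the three-legged layout cmetz describes (external, public-server VLAN, handoff subnet to the L3 switch) together with the per-network policy xyyz described earlier (http/https only to the server network, inbound telnet only to the access server). This is an added example, not a ruleset anyone posted in the thread; it uses current OpenBSD pf syntax, and the interface names, addresses and the 10.x/192.0.2.x ranges are assumptions.

```pf
# /etc/pf.conf - constructed example for the external / DMZ / handoff layout.
# Interface names and addresses are assumptions, not from the thread.
# Forwarding between the firewall's own interfaces is NOT on by default on
# OpenBSD: put net.inet.ip.forwarding=1 in /etc/sysctl.conf.

ext_if = "hme0"        # upstream router / Internet
dmz_if = "hme1"        # public-facing servers VLAN (L2-only on the switch)
int_if = "hme2"        # "internal handoff" subnet; the switch's IP lives here

dmz_net    = "192.0.2.0/24"
web_srv    = "192.0.2.10"
access_srv = "192.0.2.20"          # access server in front of the router pod
table <internal> { 10.10.0.0/24, 10.20.0.0/24 }   # VLANs the switch routes

set skip on lo
match out on $ext_if from <internal> nat-to ($ext_if)   # internal VLANs are RFC1918

block log all                       # default deny; every pass below keeps state,
                                    # and floating state lets the reply leave on
                                    # whichever interface the route picks
antispoof log quick for { $ext_if $dmz_if $int_if }

# From the outside: only http/https to the web server, nothing else
pass in on $ext_if proto tcp to $web_srv port { 80 443 }

# From the internal VLANs: web to the web server, telnet to the access server
# only (the router pod is reachable solely through that box), and general
# egress to anything that is not the DMZ
pass in on $int_if proto tcp from <internal> to $web_srv port { 80 443 }
pass in on $int_if proto tcp from <internal> to $access_srv port 23
pass in on $int_if from <internal> to ! $dmz_net

# DMZ hosts may fetch updates outbound but never initiate into the internal VLANs
pass in on $dmz_if proto { tcp udp } from $dmz_net to ! <internal> port { 53 80 443 }
```

Garion's static-route point is handled outside pf: a line such as `!route add -net 10.10.0.0/24 10.3.0.2` in /etc/hostname.hme2 (10.3.0.2 being the switch's assumed handoff address) tells the firewall to reach the internal VLANs via the switch rather than its default route.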