Here is my new thought. Replace my OpenBSD pf firewall physical server with a Joyent-brand ipf firewall zone.
Then I can have the cable modem line go into the ipf firewall zone and have another physical cable go out from the ipf firewall zone to a physical switch for the internal servers. And the dmz can be handled virtually on the SmartOS server itself. The admin nic on the SmartOS server can go to the internal physical switch. This would allow me to remove 1 physical switch and a physical firewall. Does anyone do this or have any opinions or thoughts on this?

On Tuesday, August 19, 2014 4:31 PM, Usama Ahmad via smartos-discuss <[email protected]> wrote:

Hello,

May I suggest visualizing the pfSense (I assume) firewall. Or adding another interface to your firewall. The former being my preferred method (saves energy).

Usama

On Aug 19, 2014 11:47 AM, "G B via smartos-discuss" <[email protected]> wrote:
>
> Internet--->cable modem--->PF firewall (physical server)
>                                      |
>                      physical switch | physical switch
>                            /                  \
>                       internal                dmz
>                         /                    /   \
>                     Windows              mail    web (multiple domains
>                                                       each in a Zone)
>
> What I'd like to do since my mail and web servers are in Zones is get rid of
> the physical switch for the dmz and make it a virtual switch. (sorry for the
> poor ascii art)
>
>
>
> On Monday, August 18, 2014 10:09 AM, Robert Mustacchi via smartos-discuss
> <[email protected]> wrote:
>
>
>
> On 08/16/2014 09:39 AM, G B via smartos-discuss wrote:
>
>> I'm stumped for the moment, so maybe somebody can alleviate my block.
>>
>> Currently I have a firewall with dmz and internal interfaces each going to
>> a physical switch. What I'd like to do is remove the dmz physical switch
>> and have my dmz servers go through a virtual switch, but that is what has me
>> stumped.
>>
>> I created an etherstub: # dladm create-etherstub vswitch0
>>
>> Then I created a vnic: # dladm create-vnic -l vswitch0 vnic0
>>
>> Next I intended to plug the CAT6 cable into vnic0, then I would create
>> another vnic and put that in a zone.
>> But:
>>
>> 1) I'm not sure if that is correct
>> 2) I'm unsure what the syntax is for the json file for the vnic
>>
>> Another thing is presently the physical nic on the server goes to the
>> physical dmz switch. Not sure what I'd change to eliminate the dmz physical
>> switch for the dmz server's physical nic.
>
> So, I think it's worth clarifying a few things. While an etherstub is a
> virtual switch, it's a virtual switch that only exists on the host, a
> single vnic can only be created over a single device and therefore
> there's no notion of plugging in a physical cable to a virtual nic. It's
> also the case that every physical device has an implicit virtual switch.
>
> Would it be possible to draw a small network diagram of how you want
> everything to look? It's not really that clear from the mail how you
> want this to look.
>
> Robert
>
>
> -------------------------------------------
> smartos-discuss
> Archives: https://www.listbox.com/member/archive/184463/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/184463/24559458-54d8e931
> Modify Your Subscription: https://www.listbox.com/member/?&
> Powered by Listbox: http://www.listbox.com
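Added example, not from anyone in this thread: a small Python check over constructed vmadm-style zone manifests that enforces the segmentation the firewall-zone design depends on. Only the firewall zone may hold a NIC on the cable-modem side, the DMZ zones sit only on the etherstub, and no DMZ zone may also be plugged into the internal (admin) segment, which would bridge around the firewall. The alias "fw", the nic_tag names "external", "admin" and "dmzstub0", and the manifests themselves are assumptions made up for the example.

```python
import json

# Constructed vmadm-style manifests (only the fields this check needs).
# Tag names are assumptions: "external" faces the cable modem, "admin" is the
# physical NIC to the internal switch, "dmzstub0" is the etherstub (host-only
# virtual switch) that replaces the physical DMZ switch.
MANIFESTS_JSON = """
[
  {"alias": "fw",   "brand": "joyent",
   "nics": [{"nic_tag": "external", "ip": "dhcp", "primary": true},
            {"nic_tag": "admin",    "ip": "192.168.1.1", "netmask": "255.255.255.0"},
            {"nic_tag": "dmzstub0", "ip": "10.10.10.1",  "netmask": "255.255.255.0"}]},
  {"alias": "mail", "brand": "joyent",
   "nics": [{"nic_tag": "dmzstub0", "ip": "10.10.10.25", "netmask": "255.255.255.0",
             "gateway": "10.10.10.1"}]},
  {"alias": "web",  "brand": "joyent",
   "nics": [{"nic_tag": "dmzstub0", "ip": "10.10.10.80", "netmask": "255.255.255.0",
             "gateway": "10.10.10.1"}]},
  {"alias": "oops", "brand": "joyent",
   "nics": [{"nic_tag": "dmzstub0", "ip": "10.10.10.90", "netmask": "255.255.255.0"},
            {"nic_tag": "admin",    "ip": "192.168.1.90", "netmask": "255.255.255.0"}]}
]
"""

def tags_of(manifest):
    """Set of nic_tag values a zone is attached to."""
    return {nic["nic_tag"] for nic in manifest.get("nics", [])}

def check_segmentation(manifests, firewall="fw", external="external", stub="dmzstub0"):
    """Return a list of violations; an empty list means the design holds."""
    problems = []
    by_alias = {m["alias"]: m for m in manifests}
    fw = by_alias.get(firewall)
    if fw is None:
        return [f"firewall zone {firewall!r} not found"]
    # The firewall must straddle the WAN and the DMZ stub, or the DMZ is cut off.
    for needed in (external, stub):
        if needed not in tags_of(fw):
            problems.append(f"{firewall}: missing NIC on {needed!r}")
    for m in manifests:
        if m["alias"] == firewall:
            continue
        tags = tags_of(m)
        if external in tags:   # only the firewall may touch the cable-modem side
            problems.append(f"{m['alias']}: NIC on {external!r} bypasses the firewall")
        extra = sorted(tags - {stub})
        if stub in tags and extra:   # a second NIC bridges the DMZ to that segment
            problems.append(f"{m['alias']}: DMZ zone also on {extra}")
    return problems

def check_json(text):
    return check_segmentation(json.loads(text))

if __name__ == "__main__":
    for line in check_json(MANIFESTS_JSON) or ["ok: segmentation holds"]:
        print(line)
```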
