Wednesday, November 5, 2008

My new Network Layout with Astaro

So I, being a Comcast customer (not by choice), decided I wanted to be able to more closely monitor and control my network usage. I was toying around with different ways to monitor my traffic but didn't want to replace my router, nor add another device to the network outside the router.

I also looked at monitoring traffic per device, but this has its own problems, such as missing traffic and counting local traffic twice, once on the source and again on the destination. The long and the short of it is that I can only do what I want by having all the traffic pass through a single device, an Astaro Security Gateway (ASG) in my case.

I do run VMware Server on my single server, though, and decided to see if I could get a configuration with the ASG running in a virtual machine, thus not needing the extra hardware. Well, after a few hours of testing, and restoring my router once, I got it up and working. Here is a diagram of the layout and some notes.

Black lines on white are physical network connections.
Black lines on blue are VMware bridge connections.
Green lines indicate internal network traffic.
Red lines indicate external network traffic.

Some various notes on my configuration:
  • The monitored internal network is on the 192.168.1.* subnet.
  • The unmonitored external network is on the 192.168.150.* subnet.
  • Both networks exist on the same physical switch, but the DHCP server doles out only internal addresses. A computer could be configured statically to the external subnet and I haven't found a way to prevent this, but in order to circumvent the ASG the user would have to know about the second subnet.
  • The server has only a single gigabit network interface card in it. Traffic on the internal network heading out will go to the server and be passed on to the ASG's internal virtual interface. Next the ASG will process the traffic and send it back out on its external interface. The server will pass the traffic back out on its one physical interface, but the traffic will really be on the external subnet, so it will pass off to the router.
  • The internal and external networks co-exist on the same physical network segment, just in different subnets; for that reason I purposely left on the main router's firewall and NAT.
  • There is no noticeable impact on network performance, as the traffic is already limited by the 6M cable modem connection.
  • I cannot monitor just the external interface of the ASG for traffic usage statistics with vnstat.
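The notes above point out the one hole in this layout: because both subnets share a switch, a machine statically configured on the external subnet talks to the router directly and never passes through the ASG. That cannot be prevented on a flat switch, but it can be detected from the VMware host, whose bridged NIC sees ARP for both subnets. The following is an added example (not code from the original post or from Astaro) that parses `ip -4 neigh show` output and flags any external-subnet neighbour that is not the router or the ASG. The external subnet is taken as 192.168.150.0/24 from the post; the router and ASG addresses, the interface name and the sample neighbour table are assumptions constructed for the example.

```python
import ipaddress

# Subnets from the post. The external one is read as 192.168.150.0/24
# (the post's "192.168.150.*"); adjust if your layout differs.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
EXTERNAL_NET = ipaddress.ip_network("192.168.150.0/24")

# Hosts that legitimately live on the external subnet: the cable router and
# the ASG's external interface. These addresses are assumptions, not from the post.
ALLOWED_EXTERNAL = {
    ipaddress.ip_address("192.168.150.1"): "cable router",
    ipaddress.ip_address("192.168.150.2"): "ASG external interface",
}

# Constructed sample of `ip -4 neigh show` output as it might look on the
# VMware host, whose single NIC is bridged to both subnets.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
192.168.150.1 dev eth0 lladdr 00:11:22:33:44:f1 REACHABLE
192.168.150.2 dev eth0 lladdr 00:11:22:33:44:f2 REACHABLE
192.168.150.77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.99 dev eth0  FAILED
"""


def parse_neigh(text):
    """Return [(ip, mac), ...] from `ip neigh` lines.

    Entries without a MAC (e.g. FAILED or INCOMPLETE) are skipped.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        ip = ipaddress.ip_address(fields[0])
        mac = fields[fields.index("lladdr") + 1].lower()
        entries.append((ip, mac))
    return entries


def classify(entries):
    """Bucket each neighbour as 'internal', 'external' or 'other' by subnet."""
    report = {"internal": [], "external": [], "other": []}
    for ip, mac in entries:
        if ip in INTERNAL_NET:
            report["internal"].append((str(ip), mac))
        elif ip in EXTERNAL_NET:
            report["external"].append((str(ip), mac))
        else:
            report["other"].append((str(ip), mac))
    return report


def find_bypass_hosts(entries):
    """Hosts on the external subnet that are neither the router nor the ASG.

    Such a host reaches the cable modem without passing through the ASG,
    so its traffic is neither filtered nor counted.
    """
    return [
        (str(ip), mac)
        for ip, mac in entries
        if ip in EXTERNAL_NET and ip not in ALLOWED_EXTERNAL
    ]


if __name__ == "__main__":
    neigh = parse_neigh(SAMPLE_NEIGH)
    for ip, mac in find_bypass_hosts(neigh):
        print(f"WARNING: {ip} ({mac}) is on the external subnet and bypasses the ASG")
```

One caveat: the kernel neighbour table only lists hosts the server has exchanged ARP with, so either sweep the external subnet (for example with `ping` or `arping`) before reading it, or feed the parser the addresses seen by a passive ARP capture on the bridged interface, which will catch a statically configured host as soon as it talks to the router.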
