
Advice sought for Linux setup as edge server

Alexandre Takacs asked:
I have a *nix box sitting on the open internet with an L2TP tunnel to our LAN (pfSense router). Everything works fine as is, but I'd like to be able to use the multiple public IPs I have available on the *nix machine to route / NAT traffic into our LAN (in effect having multiple public IPs to play with, both inbound (mainly) and outbound).
I feel relatively comfortable with our router, but I am seeking advice about the "edge" machine, with the understanding that it has to be some Linux distro. What tools would you use to configure such a setup?

Any suggestion / pointer welcome
Devin Becker (Identity Management and Security, Distinguished Expert 2018) commented:
Have you looked into pfSense's ability to support multiple WAN IPs on a single WAN interface? Or are you strictly trying to separate the edge router and an internal router (sounds like pfSense would be your internal router)?

Author commented:
pfSense is my internal router and unfortunately I can't present it with my public IPs (that would be the best way).
Devin Becker (Identity Management and Security, Distinguished Expert 2018) commented:
What were you planning to use for your method of L2TP? pfSense supports doing OpenVPN/L2TP over multiple WANs. I think you would be able to use most common Linux distributions for something like this, each just requiring different configuration steps.

Here is a Netgate document on this process: https://docs.netgate.com/pfsense/en/latest/routing/multi-wan-openvpn.html

My recommendations for distros are strictly based on my own experience of using OpenVPN mainly with both CentOS and Ubuntu.
David Favor (Fractional CTO, Distinguished Expert 2018) commented:
Linux security is very easy to manage.

1) Just configure your machine for all public IPs associated with your machine.

2) Keep all software on your machine up to date.

3) Block attacks using Fail2Ban + iptables. If you're managing 1,000,000s of firewall rules, also use ipset.

4) If you don't specifically require some service, then uninstall it.

Note: I run all my routers in bridge mode, pushing all security logic to machines, as machine security can be automated + documented.

With routers, every time a router is reset or updated all settings are lost.
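
The four points above, worked into a rule generator for the edge box. This is an added example written for this page, not David Favor's or Alexandre Takacs' code: it binds each public IP to the WAN interface (point 1), creates the ipset blocklist that Fail2Ban's ipset-based ban actions can feed and drops matches before anything else (point 3), and for every public IP DNATs only a named list of TCP ports to one LAN host reachable through the L2TP tunnel while SNATing that host's outbound traffic to the same public IP. The interface names (eth0, ppp0), the addresses, the port lists and the 10.0.0.0/24 LAN are all assumptions chosen for illustration; the script only prints the commands, it applies nothing.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the ip/ipset/iptables commands
# for a Linux edge box that owns several public IPs and forwards each one to a
# LAN host behind an L2TP tunnel. Interface names, addresses and ports are
# assumptions for illustration; review the output, then run it as root.

WAN_IF=eth0   # assumed: interface that carries the public IPs
TUN_IF=ppp0   # assumed: L2TP tunnel interface towards the pfSense LAN

# Constructed sample mappings: "public_ip lan_ip tcp_ports". The last one is
# deliberately invalid (octet > 255) to show that bad input is skipped.
MAPPINGS="203.0.113.10 10.0.0.10 80,443
203.0.113.11 10.0.0.11 22
203.0.113.12 10.0.0.300 443"

# Strict dotted-quad check so a typo never turns into an open DNAT rule.
valid_ipv4() {
    addr=$1
    IFS=.
    set -- $addr
    unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

base_rules() {
    # The box must route, and nothing is forwarded unless a rule below says so.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

blocklist_rules() {
    # Point 3: one ipset holds every banned source (Fail2Ban's ipset ban actions
    # add to it); a single rule inserted at the top drops matches on both paths.
    echo "ipset create blocklist hash:net -exist"
    echo "iptables -I INPUT -i $WAN_IF -m set --match-set blocklist src -j DROP"
    echo "iptables -I FORWARD -i $WAN_IF -m set --match-set blocklist src -j DROP"
}

public_ip_cmd() {
    # Point 1: bind a public IP to the WAN interface (runtime only; also persist
    # it in the distro's network configuration).
    echo "ip addr add $1/32 dev $WAN_IF"
}

nat_rules() {
    pub=$1; lan=$2; ports=$3
    # Inbound: only the listed TCP ports on this public IP reach the LAN host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $lan"
    echo "iptables -A FORWARD -i $WAN_IF -o $TUN_IF -d $lan -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    # Outbound: the LAN host leaves for the internet with its own public IP.
    echo "iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $lan -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $lan -j SNAT --to-source $pub"
}

generate_rules() {
    base_rules
    blocklist_rules
    echo "$MAPPINGS" | while read -r pub lan ports; do
        [ -n "$pub" ] || continue
        if ! valid_ipv4 "$pub" || ! valid_ipv4 "$lan"; then
            echo "# skipped invalid mapping: $pub $lan $ports" >&2
            continue
        fi
        public_ip_cmd "$pub"
        nat_rules "$pub" "$lan" "$ports"
    done
}

# Print the rule set; nothing is applied by this script.
generate_rules
```

Two things the rules rely on but do not set up: the edge box needs a route to the LAN subnet through the tunnel (here 10.0.0.0/24 via ppp0, an assumption), and pfSense must send the return traffic of the mapped hosts back through the same tunnel; if their replies leave via pfSense's own WAN instead, the SNAT state on the edge box never sees them and inbound connections stall. The INPUT chain for the box itself (point 4, and whatever SSH access you keep) still needs its own default-deny policy.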

Author commented:
Interesting perspective - haven't thought to do it like this but seems perfectly doable. Thanks.
David Favor (Fractional CTO, Distinguished Expert 2018) commented:
You're welcome!

Good luck!