In my article about DIY Linux Routers (temporarily offline due to data recovery), you saw the diagram of the most common configuration used when setting one up. It consisted of two interfaces, red and green, and a network switch with an attached wireless access point to provide Wi-Fi. The red interface is the outside interface that faces the open Internet, in other words, it connects to your modem, and the green interface is facing your local LAN. The figure belowshows this configuration.
However, with a DIY Linux router, you can setup more than the two stock interfaces in order to provide more security and control over your network. We’ll be using Astaro Security Gateway 8 to take a look at setting up these interfaces, but nearly any Linux router has the ability to set up these types of interfaces.
The first thing you will need to setup more than two interfaces is at least three NIC cards. If you want more interfaces, add the appropriate number of NIC cards to your router. There are several types of interfaces that you can implement, and they are usually represented by colors like the standard red and green interfaces. Let’s take a look at a couple.
The blue interface is typically designated as a separate wireless interface. So instead of combining the green interface and wireless interface, you separate them on two different NICs. Why would you want to do something like this? More security and control over your network. Let’s hypothetically say that you are running a wireless access point on your green interface similar to the diagram above. If your wireless network was somehow compromised, your entire network, the machines on it, and any files you’re openly sharing between them would be open to whoever has compromised your network.
By segregating wireless clients to a separate interface, you can control what types of traffic that you want to be communicated between the interfaces. For example, if you wanted to enable remote desktop between wireless clients and those on the green interface, all you would need to do is create a firewall rule that allows TCP port 3389 to be communicated across those two interfaces.
Setting up the interface is pretty straightforward for just about any Linux router distribution. All that is needed is to define the NIC card to be used, setting the network options, and saving the changes.
Notice the IP subnet; it is different from my green network, which is 192.168.2.100/24. It is very important that any interface you setup does not overlap anything on any other interface or it could get very messy. Below is a new diagram with the new blue interface.
The orange interface is typically designated as the DMZ zone (short for demilitarized zone). The DMZ is essentially an interface that exposes itself to the greater internet. In enterprise networks, the DMZ is typically where servers, such as email or web servers, are placed in order to segregate the servers from the internal green network. Most consumer routers offer some sort of DMZ mode.
So what good is a DMZ NIC for a home user? Well, if you run your own email or web server out of your home, then you would certainly want to run them on that interface. I myself use it to connect my Xbox 360 and PlayStation 3 to the Internet. Consoles are notorious for causing problems with firewalls, NAT problems, etc. I'm sure most of you that have consoles have seen something like the image to the right at one time or another.
So I just decided, probably against better judgment, to open everything on the orange interface so that there are no problems with NAT or anything else. Now, I would never put a normal machine on such an interface, but a console is a closed, encrypted system that I feel confident with it being exposed to the Internet. Also, with all of my gaming devices on a single interface, I can easily set up quality of service to provide high priority on that interface in order to keep my ping low when other things are happening on the network.
In order to get connectivity of my consoles to my orange interface, I use a second wireless access point. I do this because my house has Cat5e Ethernet wired to every room, but that is used on the green interface only. A second wireless router should not cause interference as long as you choose a different channel than the first one. A diagram of the four interfaces can be seen below.
I hope this article has given you some ideas for utilizing multiple interfaces on your own network. There are many other things you can do with interfaces. You could, for example, get rid of the orange interface and replace it with a guest wireless interface. Never worry about guests snooping around your personal network if they’re segregated via separate interfaces. As a network geek, you’re only limited by your imagination.This article is part of a continuing effort to solicit content from the Broadband Reports community. If you're interested in writing about something, please contact us.