Network Types - External/LAN/HotLAN/DMZ
This guide will help you understand the different network roles within ClearOS. The behaviour of each role differs in what can be accomplished making ClearOS flexible to handle most networking needs and topologies.
Types
There are 4 network types in ClearOS:
- External
- LAN
- HotLAN
- DMZ
Communication between networks is routed according to this table:
From/To | External | LAN | HotLAN | DMZ |
---|---|---|---|---|
External | Pass | FW/PF/1:1NAT | FW/PF/1:1NAT | DMZ Firewall |
LAN | Pass | Pass | Pass | Pass |
HotLAN | Pass | Block | Pass | Pass |
DMZ | Pass | Blocks/Pinholes | Block | Pass |
External
External is simply an interface that is Internet facing. External does not mean WAN in ClearOS as an external interface can exist on a LAN network. For example, if you have a Standalone ClearOS server (ie. not acting as the gateway), External is the role you would select even though it is on the LAN. External networks are the only role with a gateway address specified. The 'Network Mode' affects how the External role is deployed. The modes are:
- Gateway
- Standalone
- Standalone - No Firewall
- Trusted Gateway (hidden mode)
Gateway
Under gateway mode the firewall is active on the External interface. Additionally, networks behind the firewall are routed (DMZ, HotLAN, LAN) and NAT is applied to LAN type networks (LAN, HotLAN).
Standalone
Under Standalone, the External interface is firewalled. This is useful if you are running ClearOS as a server in the cloud.
Standalone - No Firewall
Under this mode, the External interface is not fire-walled. This is useful if you are running ClearOS as a server on a local network.
Trusted Gateway
Trusted gateway is a hidden, unsupported mode that does not have a firewall on the external interface. It is useful for LAN routing and transparent bridging.
LAN
Interfaces designated as LAN have NAT applied to them as well as have access to all networks. Specify LAN for networks that should be able to access all networks.
HotLAN
Interfaces designated as HotLAN have NAT applied to them but do not have access to LAN networks. Specify HotLAN for networks that are considered restricted but still need access to the Internet.
DMZ
Interface designated as DMZ are designed for public IP networks that are directed to the ClearOS server as the gateway. This allows you to specify public IP addresses and have firewalling. Hosts behind the DMZ can ONLY access LAN addresses where pinholes are opened between the DMZ network and the LAN. NAT is NOT applied to DMZ hosts.