Network Types - External/LAN/HotLAN/DMZ
This guide will help you understand the different network roles within ClearOS. The behaviour of each role differs in what can be accomplished making ClearOS flexible to handle most networking needs and topologies.
There are 4 network types in ClearOS:
Communication between networks is routed according to this table:
External is simply an interface that is Internet facing. External does not mean WAN in ClearOS as an external interface can exist on a LAN network. For example, if you have a Standalone ClearOS server (ie. not acting as the gateway), External is the role you would select even though it is on the LAN. External networks are the only role with a gateway address specified. The 'Network Mode' affects how the External role is deployed. The modes are:
Under gateway mode the firewall is active on the External interface. Additionally, networks behind the firewall are routed (DMZ, HotLAN, LAN) and NAT is applied to LAN type networks (LAN, HotLAN).
Under Standalone, the External interface is firewalled. This is useful if you are running ClearOS as a server in the cloud.
Standalone - No Firewall
Under this mode, the External interface is not fire-walled. This is useful if you are running ClearOS as a server on a local network.
Trusted gateway is a hidden, unsupported mode that does not have a firewall on the external interface. It is useful for LAN routing and transparent bridging.
Interfaces designated as LAN have NAT applied to them as well as have access to all networks. Specify LAN for networks that should be able to access all networks.
Interfaces designated as HotLAN have NAT applied to them but do not have access to LAN networks. Specify HotLAN for networks that are considered restricted but still need access to the Internet.
Interface designated as DMZ are designed for public IP networks that are directed to the ClearOS server as the gateway. This allows you to specify public IP addresses and have firewalling. Hosts behind the DMZ can ONLY access LAN addresses where pinholes are opened between the DMZ network and the LAN. NAT is NOT applied to DMZ hosts.