
ChrisH3677

macrumors 6502a
Original poster
Oct 6, 2003
774
99
Victoria, Australia
I would like to use the Mac mini as a firewall on our network.

But my understanding is a firewall needs two network cards (NICs).

- One to the internet on an external IP address

- The second to the internal LAN on its private address range.

Is getting a USB NIC the only way around this? Or is there some safe way to make the single NIC drive both IP addresses?

Also, any recommendations on firewall software? Is the OS X one good enough for this purpose?

thanks
 
Or better yet, just get a Linksys befvp41 they're around $110 and do everything you need. Very good little boxes to have.
 
ChrisH3677 said:
You guys are surprisingly objective! Are you sure there's no Mac solution?
Oh there's a mac solution, he'll just need another network card. For a firewall tho, I'd prefer a dedicated piece of hardware. Software-only firewalls tend to have several problems.

To me, it just sounds like he's trying to rationalize his desire to buy a Mac mini :)
 
Mitthrawnuruodo said:
It should be possible to run a mini with only darwin, and a firewall... with a usb-network-card in addition to the built-in...

Or spend $100 and have a piece of hardware you'll never need to reboot ever again and you'll still have the Mac mini to play games on :)
 
Macs or PCs are not good candidates for firewalls, unless you *really* know what you're doing and *really* craft a bare bones OS install for a *dedicated* solution, i.e. you only use it for a firewall/router (there's nothing left on the box for general purpose use - no GUI, etc.). Spend the small amount of $$ on a dedicated fw/router.
 
relimw said:
Or spend $100 and have a piece of hardware you'll never need to reboot ever again and you'll still have the Mac mini to play games on :)

Yeah, I know, but it's what he asked for... and it would be a cool little $550 firewall... ;)
 
What you could do is build like a router on a stick. In order to get it working, have a switch with 2 VLANs and a trunk port.... connect your mini-mac to the trunk port, have two IP addresses assigned to the ethernet interface and you're ready to go.
Assigning two IP addresses to your ethernet interface is something that I believe Mac OS won't let you do, but I'm certain that the BSD core has a way of doing this.

This is a technically solid way to do it. Which software you should use, I'm not sure, I'm more of a networking guy.....
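
The router-on-a-stick layout suggested above, sketched as an added example that is not part of the original post: two 802.1Q VLAN sub-interfaces on one NIC, using the `ifconfig` VLAN syntax of macOS and FreeBSD. The interface name `en0`, VLAN IDs 10 and 20, and the addresses are assumptions; the switch trunk port must carry both VLANs tagged.

```shell
#!/bin/sh
# Added example: single-NIC router using two tagged VLAN sub-interfaces.
# Assumed values (not from the thread): parent NIC en0, VLAN 10 = WAN side,
# VLAN 20 = LAN side, documentation/private addresses.
# Dry run by default: commands are printed. Set APPLY=1 and run as root to execute.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

valid_vid() {
    # 802.1Q VLAN IDs are 1..4094 (0 and 4095 are reserved).
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# add_vlan IFNAME VID PARENT ADDR NETMASK
add_vlan() {
    run ifconfig "$1" create
    run ifconfig "$1" vlan "$2" vlandev "$3"
    run ifconfig "$1" inet "$4" netmask "$5" up
}

# router_on_a_stick PARENT WAN_VID WAN_ADDR WAN_MASK LAN_VID LAN_ADDR LAN_MASK
router_on_a_stick() {
    # Validate everything before touching any interface.
    valid_vid "$2" || { echo "invalid WAN VLAN ID: $2" >&2; return 1; }
    valid_vid "$5" || { echo "invalid LAN VLAN ID: $5" >&2; return 1; }
    # Sharing one VLAN would put WAN and LAN in the same broadcast domain,
    # so traffic could bypass the box entirely.
    [ "$2" != "$5" ] || { echo "WAN and LAN need different VLAN IDs" >&2; return 1; }
    add_vlan vlan0 "$2" "$1" "$3" "$4" || return 1
    add_vlan vlan1 "$5" "$1" "$6" "$7" || return 1
    # Let the kernel route between the two sub-interfaces.
    run sysctl -w net.inet.ip.forwarding=1
}

router_on_a_stick en0 10 203.0.113.2 255.255.255.0 20 192.168.1.1 255.255.255.0
```

This only creates the two routed interfaces; packet filtering rules still have to be applied on top, and the separation between the two sides depends on the switch's VLAN configuration.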
 
There is another reason I want to do this... I want to show that Macs can do anything Linux can do. And the Mac mini makes it affordable to experiment with.
 
ChrisH3677 said:
There is another reason I want to do this... I want to show that Macs can do anything Linux can do. And the Mac mini makes it affordable to experiment with.

Ok, well, if you can do it with linux, you can do it with the mini. Prolly use the exact same setup and software. I've personally never used one ether interface and assigned two IPs to it, so I have no idea how to do that without some research.

The low cost is the main reason my mini is on order. I've needed a good development machine to run developer releases of the OS on for some time. I've been a little afraid of late to install the beta releases Apple has been putting out since one of them took my machine offline (10.2.7 I think).
 
ChrisH3677 said:
This link is really really useful. Thanks
But a bottleneck will happen at the USB NIC. Whereas two gigabit ethernet cards on any PC or Mac can offer much better bandwidth speed. Of course you will either have to set the PC up as just a firewall using the fire Linux suggested above (smoothwall), or use a Mac, which could have more abilities. Such as ease of use of setting the firewall and other services. It could also double as something that could be used in a crisis (such as a PC virus making it through the firewall by email and all the PCs are going nuts.) Even just a mini set up as a backup, that is if you have the money, is a good idea when the company gets hit hard with something it could not prevent.
 
Cuckoo said:
What you could do is build like a router on a stick. In order to get it working, have a switch with 2 VLANs and a trunk port.... connect your mini-mac to the trunk port, have two IP addresses assigned to the ethernet interface and you're ready to go.
Assigning two IP addresses to your ethernet interface is something that I believe Mac OS won't let you do, but I'm certain that the BSD core has a way of doing this.

This is a technically solid way to do it. Which software you should use, I'm not sure, I'm more of a networking guy.....
So you're routing all LAN traffic in AND out of the *same* interface (2 IPs)? Performance and latency would suck, big time.

If you're doing this as a learning experience, great, but I'd never deploy your FW on my network. I'm not trying to be an ass, really.

Also, if you're going to build a FW, FreeBSD/Mach (the open source core of OS X) is where you want to start, not OS X per se. As I said above, a FW needs to be devoid of any extra software that doesn't directly contribute to its intended function (GUI, apps etc.), since anything extra offers potential security holes into the FW.
 