Okay. Whatever you wanna do with your ASG, it needs at least two interfaces to do something useful. Just trust me on this if you don't use VLANs (which you don't).

So you want your ASG to protect your PC from the internet? That means, you have to put the ASG in _front_ of your PC, in another subnet. For this, your ASG has to route. For routing, you need at least two subnets, for this you need 2 virtual NICs. See?

Your packet flow would look like:

Internet
|
WAN Router Public (Public IP)
WAN Router Internal (192.168.1.254)
|
Host PC NIC
||
bridge1: Host PC NIC <=> VMnet1
||
ASG VMnet1 (192.168.1.x, Gateway 192.168.1.254)
ASG VMnet2 (192.168.2.254)
||
bridge2: Host PC NIC <=> VMnet2
||
Host PC NIC (IP 192.168.2.x, Gateway 192.168.2.254)

Legend:
|: Wired connection
||: Virtual wired connection

Yes, this is not an easy-to-understand-and-do setup for beginners.

Explanation: To secure your PC, it must not be directly reachable by your Internet Router (The packets must flow trough the ASG). Therefore you need two IP subnets and the ASG acts as Security-Router between them. This setup also works for additional PCs connected to your Router, if they use the same protected IP subnet (192.168.2.x and the ASG as gateway), Of course your Host PC has to run all the time then.

Still, this setup is not 100% secure because your PC is still directly physically reachable from the WAN router. The setup is vulnerable to packet spoofing and there is a bottleneck because all traffic must go through the Host PCs NIC two times. Best setup would be to use the ASG as WAN Router.

__________________
"Datenautobahn: Einrichtung zur schnellen Übertragung großer Datenmengen (z.B. über das Telefonnetz)" (DUDEN, 21. Auflage)

Mario Schmidt
QA Engineer
Astaro AG

i still dont get it,

I'm just as lazy as buggs1a - I don't want to have to learn to configure VMWare either!

Won't one of you VMWare gurus do a quick howto for us?

Thanks - Bob
PS Mario, that's a clear explanation of what one needs to do, but I don't know how to configure the bridges, or to configure the Astaro VM as a WAN router. Also, it's not clear what I need to do to browse/ftp through the Astaro in my laptop.

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

I dont mind learning, just sometimes stuff i dont get.

look to my newer thread cus i have a new scenereo now kinda sorta. wireless issues and advice needed thread.

To configure vmware is more than simple. For german users Portal - VMware Forum
Using the workstation or the server-console while give you access to configure the nics.
brigded = a seperate virtual system in the same network as the host
nat = access to the physikal network but own ip-range
host only = separte system without any access to network or host

a easy top use configuration is astaro with two virtaul devices one brideg and one host only. A second virtaul system with one host only nic.
As a first step the astaro and the second system should ping each other (config of astaro blocks ping by default).
The second challange then will be to open the astaro to forward traffic into the physical network.

Ralf

Im pretty good with VMware these days, and the problem with a howto is that everyones network is going to be different. VMware networking is easy once you understand how it is "binding" to your real nics.

For example, if you only have one nic in your vmware ASG, and you set the type to "bridged" in the vmware network settings, it will act as a stand alone, dedicated nic just like it was on a machine sitting right next to your pc.
In this scenario, if your pc has 192.168.0.5 from your linksys box for example, your vmware ASG will perhaps pull 192.168.0.6 from the dhcp server. This is great for testing/playing with webadmin, and even "bouncing" http proxy traffic off via a browser setting, but since you are not actually gating through the vmware, you wont be able to use and experience packet filtering, etc...

The other types of nics allow for more flexible and creative work, such as choosing NAT for your virtual nic type. With NAT, your host machine/workstations actual ip (192.168.0.5) in this example, will be the "outside" of the virtual network, and the virtual machine on its NIC will get something random (unless you configure the NAT network range/subnet in the vmware settings) such as 192.168.204.2 say. This means you can then install yet another vmware machine say something like windows xp on the host, and have it use 192.168.204.50 as it's ip, and 192.168.204.2 as it's gateway and from then in the XP machine you can play with features and work with the ASG in a true testlab style setup.

The hardest way for beginners to setup vmware is to have the virtual machine running asg and then route/gate your host/metal PC through the vmware, that requires a bit more of a tricky setup. If you are new to vmware and the networking side, i would stick with one VMware for ASG, and another for a host pc such as ubuntu, XP etc..and gate that host vmware through your asg vmware.

It is easy to get an ASG up and running for accessing webadmin using just a bridged adapter on a single nic as outlined above, and going forward from there you will need a little trial and error as you play with the nic types and learn how they impact, relate, and can be reached by the host machine using the various NIC types possible with vmware.

Good luck, happy learning

__________________
Angelo Comazzetto
Astaro AG
--------------------------------------------------------
Visit the KB for documentation and help (www.astaro.com/kb)
Astaro is FULLY free for home use, including all subscriptions. Download it from http://my.astaro.com

Thanks, Ralf, but that's still more of "what to do" rather than "how" to do it. I didn't find any threads on the German VMware Forum addressing inital setup with Astaro.

I just googled on 'astaro vmware player easy setup' and I found a readme.txt for installing V6, so I went noodling and finally found the equivalent for V7. You can find the VM version of V7 in several places on the ftp site, but the instructins only exist in one place: http://ftp.astaro.com/Astaro_Securit...are/readme.txt.

I'm sure you guys thought we'd already seen that!

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Thanks, Angelo, you posted that while I was searching and writing. All I want to do is configure a VMWare Astaro in my laptop so that, when I start it up, I can demo Astaro and what happens when I browse behind an Astaro.

I assume that I'll connect to the Internet via WiFi, and that the wired ethernet port will be the one bridged to the Astaro's internal interface.

It seems like this is a standard setup that would be advantageous for any organizaation involved in reselling Astaro.

Anyway, I'll see if I can get any further now that I've found the almost-secret readme.txt

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

there should be also in the vmware download package a pdf, for convenience i'll attach it here as well in case it succeeds in getting you past any hurdles. For the most part, to just get into webadmin set the vmware appliance nic to bridged, then inside the asg set the interface to dhcp and it will pull another address just like if you plugged in another PC (use the console or CLI if you need to see the address pulled, or set a static if you like bob).

VMware Virtual Appliance Readme:

http://portal.knowledgebase.net/arti...=306565&p=5956

__________________
Angelo Comazzetto
Astaro AG
--------------------------------------------------------
Visit the KB for documentation and help (www.astaro.com/kb)
Astaro is FULLY free for home use, including all subscriptions. Download it from http://my.astaro.com

As i wrote
Astaro 1 nic bridged and one host-only
your Demosystem host only

use a static IP in the local network astaro selects by default.

Then you should be able to manage the astaro using the second virtual system if a ping between demosystem and astaro is working.

Normaly the only problem is that you ve to change the nics in the astaro once if a ping doesn t work.

Ralf