Building a Real-World Windows Server Lab with Monitoring & Security, Part 2

Network Segmentation & Routing Setup on Ubuntu Server

Objective: Configure the Ubuntu server as a central router, providing connectivity between lab subnets while enforcing segmentation and security.

Step 1 – Assign Interfaces and Subnets

  1. Open VirtualBox and make sure your Ubuntu VM has at least 2 network adapters:

    • Adapter 1: NAT (for Internet access)

    • Adapter 2: Internal Network for lab VMs (e.g., LabNet)

    • Optional: Add more adapters if you want separate networks for Monitoring and Management.

  2. Assign static IPs to each interface:

    • Example:

      • eth0 (NAT/Internet): 192.168.56.101

      • eth1 (Lab Subnet): 10.10.10.1/24

      • eth2 (Management Subnet): 10.10.20.1/24

      • eth3 (Monitoring Subnet): 10.10.30.1/24

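  3. Edit the Netplan configuration (Ubuntu 24.04 uses Netplan). Interface names on your VM may differ from eth0–eth3 (for example enp0s3); check them with ip link and substitute them throughout: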

    network:
      version: 2
      renderer: networkd
      ethernets:
        eth0:
          dhcp4: yes
        eth1:
          addresses: [10.10.10.1/24]
        eth2:
          addresses: [10.10.20.1/24]
        eth3:
          addresses: [10.10.30.1/24]

  4. Apply the configuration:

    sudo netplan apply

Step 2 – Enable IP Forwarding

  1. Edit sysctl configuration:

    sudo nano /etc/sysctl.conf

  2. Uncomment or add the line:

    net.ipv4.ip_forward=1

  3. Apply immediately:

    sudo sysctl -p

This allows the Ubuntu server to route packets between subnets.

Step 3 – Configure NAT (Optional)

If lab VMs need Internet access:

  1. Add a NAT rule with iptables:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

  2. Save rules:

    sudo apt install iptables-persistent
    sudo netfilter-persistent save

Step 4 – Configure Firewall for Segmentation

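  1. Install ufw if it is not already installed, then enable it. If you administer the router over SSH, add an allow rule for SSH before enabling ufw, or the default deny policy will cut off your session:

    sudo apt install ufw
    sudo ufw enable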

  2. Set default rules:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

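  3. Allow only required inter-subnet traffic. Packets that pass through the router are forwarded rather than delivered to it, so these rules use ufw route allow; a plain ufw allow only covers traffic addressed to the router itself:

    • Example: allow management and monitoring to access lab servers:

      sudo ufw route allow from 10.10.20.0/24 to 10.10.10.0/24
      sudo ufw route allow from 10.10.30.0/24 to 10.10.10.0/24

    • Deny all other traffic by default. ufw drops forwarded traffic that no route rule allows unless DEFAULT_FORWARD_POLICY in /etc/default/ufw has been changed.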

Step 5 – Configure Lab VMs

  1. Set static IPs for each VM within their subnet. Example:
    • Windows File Server (Lab subnet): 10.10.10.10/24, Gateway: 10.10.10.1

    • Windows Client (Management subnet): 10.10.20.10/24, Gateway: 10.10.20.1
  2. Set Ubuntu router as the default gateway for each subnet.
  3. Test connectivity:

    ping 10.10.10.1 # From a lab VM
    ping 10.10.20.1 # From management VM

Step 6 – Optional: DHCP / DNS on Ubuntu

  1. Install isc-dhcp-server:

    sudo apt install isc-dhcp-server

  2. Configure /etc/dhcp/dhcpd.conf to assign IPs to each subnet.
  3. Install bind9 if you want local DNS for lab hostnames.

Step 7 – Verify Network Segmentation

  1. Test ping between subnets:

    • Lab ↔ Management: Allowed if rules permit.

    • Lab ↔ Monitoring: Allowed only for logging/monitoring.

    • Lab ↔ Internet: Allowed via NAT.

  2. Ensure unauthorized subnet traffic is blocked via ufw.
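
A scripted version of this check, added here as an example (it is not part of the original guide). It assumes a Linux test VM attached to the Lab subnet, uses 1.1.1.1 as a stand-in for "the Internet", and derives its expected verdicts from the Step 4 rules, under which lab-initiated traffic to the Management subnet is not allowed.

```shell
#!/bin/sh
# Added example: segmentation check for Step 7, run from a Linux test VM
# on the Lab subnet (assumption; the guide's own lab VMs are Windows).

# Constructed matrix as seen from a Lab VM, one "TARGET EXPECT" pair per line.
# 1.1.1.1 stands in for the Internet and only applies if Step 3 NAT is set up.
LAB_VM_MATRIX='
# target      expect
10.10.10.1    allow
10.10.20.10   block
1.1.1.1       allow
'

# probe HOST: succeed if HOST answers one ICMP echo within 2 seconds.
probe() { ping -c 1 -W 2 "$1" >/dev/null 2>&1 </dev/null; }

# check_matrix: read the matrix on stdin, probe each target, print one verdict
# per line and return the number of mismatches (0 means the policy holds).
#   LEAK = expected block but reachable (segmentation failure)
#   DOWN = expected allow but unreachable (routing or rule problem)
check_matrix() {
  local target expect observed verdict
  local mismatches=0
  while read -r target expect; do
    case "$target" in ''|'#'*) continue ;; esac   # skip blanks and comments
    if probe "$target"; then observed=allow; else observed=block; fi
    if [ "$observed" = "$expect" ]; then verdict=OK
    elif [ "$observed" = allow ]; then verdict=LEAK
    else verdict=DOWN
    fi
    [ "$verdict" = OK ] || mismatches=$((mismatches + 1))
    printf '%-5s %-15s expected=%s observed=%s\n' \
      "$verdict" "$target" "$expect" "$observed"
  done
  return "$mismatches"
}

# Live probes run only when requested: sh segcheck.sh run
if [ "${1:-}" = run ]; then
  printf '%s\n' "$LAB_VM_MATRIX" | check_matrix
fi
```

A LEAK line is the result that matters for segmentation: it means a path the firewall should block is reachable. Repeat the run from a VM in each subnet with a matrix written for that vantage point.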

Result:

  • Ubuntu server acts as a central router and firewall, connecting multiple subnets.

  • Segmentation ensures isolation between lab, monitoring, and management environments.

  • Lab VMs can communicate only according to the defined rules.
