# Is this possible? (mixing subnets and external access)

## NotQuiteSane

Right now my network looks like this.

The modem has the address of 192.168.0.1, and the router has 192.168.1.1, with the bridge being 192.168.1.2

I'm in the process of making it look like this.

In this case the routing would start out the same, but the second router would then start a new subnet (possibly 10.0.0.1 to avoid confusion with parent network), and all machines below it be given appropriate IP addresses.

What I'm unsure about is the stuff like apache, postfix and ssh. How can I set routing so, for instance, if I try to ssh in from outside, it'll go through modem to router 0 to bridge to router 1 to the ibm?

Is all I need to do to accomplish this to send the desired port to router 1, then from it to the desired machine? Is a consumer-grade router (router 0) capable of doing this? And if so, would I be better off sending all ports (except 80, 25, and other "common" ones) to the second router, and then filtering them as needed?

NQS
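
The hop-by-hop forwarding the question describes, as an added example that is not from this thread or anyone's real configuration: each NATing hop (modem, router 0, router 1) is modelled with its own port-forward table, an optional "forward everything" catch-all (what consumer routers call a DMZ or exposed host), and an optional allow list; `trace()` follows an inbound connection and reports where it ends up. The only addresses taken from the post are 192.168.0.1, 192.168.1.1 and 192.168.1.2; the public address, router 1's WAN address, the 10.0.0.x hosts and the rule sets are constructed.

```python
"""Trace an inbound connection through a chain of NATing hops.

Added example, not from the thread: models the modem -> router 0 -> (bridge)
-> router 1 -> host path of the post.  Every address other than the ones the
post names is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatHop:
    name: str
    wan_ip: str                                # address the upstream hop delivers to
    dnat: dict = field(default_factory=dict)   # external port -> (inside ip, inside port)
    catch_all: Optional[str] = None            # inside ip that receives every unlisted port
                                               # ("DMZ host" / "exposed host" on consumer gear)
    allow: Optional[set] = None                # ports this hop lets through; None = no filter

    def translate(self, port: int):
        """Return the (ip, port) this hop forwards to, or None if it drops the packet."""
        if self.allow is not None and port not in self.allow:
            return None
        if port in self.dnat:
            return self.dnat[port]
        if self.catch_all is not None:
            return (self.catch_all, port)
        return None


def trace(hops, entry_ip: str, port: int):
    """Follow a connection that arrives at `entry_ip` on `port`.

    Returns (path, delivered): path is the list of hop names visited, delivered
    is the final (ip, port) it reaches, or None if some hop dropped it.
    """
    by_wan = {h.wan_ip: h for h in hops}
    hop = by_wan[entry_ip]
    path, seen = [], set()
    while hop.name not in seen:          # guard against a forwarding loop
        seen.add(hop.name)
        path.append(hop.name)
        nxt = hop.translate(port)
        if nxt is None:
            return path, None
        ip, port = nxt
        if ip not in by_wan:             # not a NAT hop, so this is the end host
            return path, (ip, port)
        hop = by_wan[ip]
    return path, None


def build_chain(router0_forwards: bool = True):
    """The chain from the post, with constructed addresses where the post has none."""
    modem = NatHop("modem", "203.0.113.10",                    # constructed public address
                   catch_all="192.168.0.2")                    # router 0's WAN side (assumed)
    router0 = NatHop("router0", "192.168.0.2",
                     # router 1's WAN side, reached through the bridge (assumed .3)
                     catch_all="192.168.1.3" if router0_forwards else None)
    router1 = NatHop("router1", "192.168.1.3",
                     dnat={22: ("10.0.0.10", 22),              # the ibm: ssh
                           80: ("10.0.0.20", 80),              # apache
                           25: ("10.0.0.20", 25)},             # postfix
                     allow={22, 80, 25})                       # everything else dropped here
    return [modem, router0, router1]


if __name__ == "__main__":
    chain = build_chain()
    for p in (22, 80, 3389):
        print(p, trace(chain, "203.0.113.10", p))
    print("no rule on router 0:", trace(build_chain(router0_forwards=False), "203.0.113.10", 22))
```

Run as a script it shows the two cases that matter: with a catch-all on router 0, port 22 reaches 10.0.0.10 and an unlisted port like 3389 travels all the way to router 1 before being dropped, so router 1 is where the filtering has to be correct; without any rule on router 0, the connection dies there regardless of what router 1 is configured to do.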

----------

## Jaglover

There must be a good reason for a wireless link. Are you using directional antennas to cover distances greater than 100 m? Or, maybe there are some other obstacles, like a street or river, so you cannot use ethernet cable? Can't you move your servers so they will be on the internet side of the wireless link? Having mail and web servers behind wireless ... I refrain from commenting on this.

Anyhow, another thing that is not clear is why you have to use different subnets. One NAT is already bad enough, but you've got two? Plus wireless. Is this some sort of attempt to make it work in most awkward conditions possible?

----------

## NotQuiteSane

 *Jaglover wrote:*   

> There must be a good reason for a wireless link.

 

Well, I'd prefer to have it wired except for netbook and phone.

The modem and router 0 are controlled by my landlady. I have access via wireless as part of my rent. I asked in the past to run a wire direct to it, and was turned down. So my options are the bridge or buy my own uplink direct to the net. As it stands now I've finally negotiated an upgrade to either dsl or cable for 12 or 15mbit respectively, where I pay the difference between the cost of basic 1.5 mbit and the new speed (expected $30 or so difference). However, that's not until November when the current contract expires. DSL or cable will depend on the best deal financially, but I'm pushing DSL.

With that in mind, I have considered a house electrical wiring adapter to route from router 0 to router 1.   I've also considered a small (was looking at the guruplug, but got discouraged by overheating reports) firewall to go between modem and router 0, but am unsure if it'll be allowed.

 *Jaglover wrote:*   

> Anyhow, another thing that is not clear is why you have to use different subnets. One NAT is already bad enough, but you've got two? Plus wireless. Is this some sort of attempt to make it work in most awkward conditions possible?

 

More of an attempt to separate out my LAN from the landlady's LAN.  However, I'd be content to remain all on the same LAN if I could get a firewall in ahead of the first router.

NQS

----------

## 1clue

OK, so leaving out the landlady's gear, which I assume to be the stuff to the left of the wireless bridge on your desired network?  You have the android phone?

You have a wireless access point and a wireless bridge.  Is there some specific thing that makes the bridge unable to be a wireless access point?

The thing is, you have a wireless access point hooked in to the secure side of your network.  Making it most definitely not secure.  I don't think most managed switches you might be using have sophisticated enough packet filtering to make this a good idea.

Is there some hardware that never needs to be accessed from wireless or from outside?  This hardware should go behind a firewall with absolutely no access from outside.  Since you're using subnets, that should get its own subnet.

Next you have your DMZ, which will be everything you might access from outside or from the wireless.  This network can't access inside, or if it does then you need to limit everything to the minimum necessary, by port and host.

Third, you have your WAP.  If that has to be inside your firewall, then make it a separate insecure network, same as the Internet but with slightly different rules.  Force the WAP you control to be the absolute highest security you can manage, and pick a good key.

I would set your firewall/router up with a trunking protocol.  Ethernet cards that can handle that aren't too spendy now if the one you have won't do it, or you'll wind up with 4 cards either way.  You would have 4 vlans, the last one being the Internet.

Let your firewall handle all the packet filtering and all the routing.  Have a convenient hookup on the secure network for your laptop if you need to get there, otherwise you can use the wireless if you want.

If you can do without your WAP then you can secure everything behind the firewall, and your netbook would only have internet access if not plugged in.

This doesn't give you defense in depth for anything, but it does give you some decent isolation of your risky networks.

----------

## NotQuiteSane

 *1clue wrote:*   

> OK, so leaving out the landlady's gear, which I assume to be the stuff to the left of the wireless bridge on your desired network?  You have the android phone?

 

She owns the modem, router 0, windows pc and VOIP phone.  I own everything else on the page.

 *1clue wrote:*   

> You have a wireless access point and a wireless bridge.  Is there some specific thing that makes the bridge unable to be a wireless access point?

 

The bridge is a 3com unit. I don't believe it can function as an AP. I have no problem with using router 0, which has a built in AP, I just want my stuff behind a firewall.

 *1clue wrote:*   

> The thing is, you have a wireless access point hooked in to the secure side of your network.  Making it most definitely not secure.  I don't think most managed switches you might be using have sophisticated enough packet filtering to make this a good idea.

 

The only reason I'm using a "managed" switch is it was a gift. The only difference between it and a normal switch is each mac address has its own port. I'm using it as a normal switch at this point. However, one of the planned upgrades is to a managed gigabit switch, and I do intend to use it to its full ability.

 *1clue wrote:*   

> Is there some hardware that never needs to be accessed from wireless or from outside?  This hardware should go behind a firewall with absolutely no access from outside.  Since you're using subnets, that should get its own subnet.

 

The only things falling under either of those I'm sure on are the web and mail server and the 2 wireless units (in general, my policy is unless it is portable, it gets a wire). However I am unsure on the file server, since it hosts /home, /srv, /usr/portage and /mnt/backup for all machines except the win2k laptop. I also am looking for either an IBM or SUN brand dual opteron, which will become a Virtualbox server, and was wanting to have it accessible from the outside world, so it's a "maybe" on access.

 *1clue wrote:*   

> Next you have your DMZ, which will be everything you might access from outside or from the wireless.  This network can't access inside, or if it does then you need to limit everything to the minimum necessary, by port and host.

 

The only things "inside" this group needs to access are NFS from the file server, and SSH to the webserver (from there you can ssh around the lan). Not sure off the top of my head the correct port for nfs, but since it is a single host, it should be easy to control.

 *1clue wrote:*   

> Third, you have your WAP.  If that has to be inside your firewall, then make it a separate insecure network, same as the Internet but with slightly different rules.  Force the WAP you control to be the absolute highest security you can manage, and pick a good key.

 

Is there an advantage to having it outside the firewall? I suppose I could run an independent firewall on the netbook. Currently router 0 is secured with WPA2-PSK/AES. This says it's 95% secure, and I could raise that to 100%, but not until informing the landlady of the planned change (not required per se, but best to not go behind her back).

 *1clue wrote:*   

> I would set your firewall/router up with a trunking protocol.  Ethernet cards that can handle that aren't too spendy now if the one you have won't do it, or you'll wind up with 4 cards either way.  You would have 4 vlans, the last one being the Internet.

 

I've been using HME and 3com 10/100s, but am wanting to upgrade to gigabit. A quick search indicates the ability is there for both companies.

 *1clue wrote:*   

> Let your firewall handle all the packet filtering and all the routing.  Have a convenient hookup on the secure network for your laptop if you need to get there, otherwise you can use the wireless if you want.

 

Hmm, the laptop is hardwired, the netbook wireless, but you probably were referring to the netbook. The problem is "need". On it, I mount via nfs /usr/portage/distfiles and /usr/portage/packages. One solution would be to not mount distfiles, do an 'emerge -f' before mounting packages, and then since it's in the intranet, distcc should still work.

 *1clue wrote:*   

> If you can do without your WAP then you can secure everything behind the firewall, and your netbook would only have internet access if not plugged in.

 

I'm thinking about this. Right now the fastest chip not in a server is in the dell laptop (win2k). If I was to slap win2k on say a p2, then gentoo on it, it could serve as the desktop, and then move the ultra 10 to a new job (been looking at building a [RAIT](http://wiki.zmanda.com/man/amanda-devices.7.html) backup server), and it should be able to handle the job if equipped with a SCSI card for the tape drives.

 *1clue wrote:*   

> This doesn't give you defense in depth for anything, but it does give you some decent isolation of your risky networks.

 

Looking over all this, and quick searches, I'm beginning to think I need either a dsl/firewall or cable/firewall, not a standalone device. Either that, or buy the uplink and run my stuff separate from the landlady. Biggest disadvantage there is on my own it's $46; if I stay as I am and pay the difference from basic 1.5mbit it's $16. $360 a year is a blade 2500 (maybe) or some other decent equipment. The dual opteron server for sure.

Biggest problem with an integral firewall/modem is who to buy from. I see several out there claiming to have a firewall, but often it's an afterthought. If I'm gonna pay for it, I want as close to what open source can give me as possible. And especially no to systems that hardwire certain settings.

NQS

----------

## 1clue

Wait.

Let's start over.

Your switch is only a layer 2 switch?  There is no way to configure it such that ports 1-4 are vlan 1, ports 5-8 are vlan 2 and so on?  If so then just plain ignore my entire last post.  In my definition a managed switch is one you can log into and change its configuration.  For example, you can make some ports be dedicated to a specific network.

Now for some definitions.

An insecure network is one in which you do not have control of who can connect to it.  The Internet is by definition an insecure network.

A secure network is one in which absolutely no port on any IP can be opened from outside that network.  All access through the firewall is instigated from the inside.  There is no way some stranger can plug a cable into that network, and no way for them to log in remotely.  Depending on whose definition you use, even that's not necessarily secure, but for a home network this definition will do.  From the sounds of it, you may not be even trying for this.

A DMZ (demilitarized zone) is a semi-secure network where there is no way for an unknown system/user to plug in, and strict controls on what sort of network access is granted from outside that network.

Any wireless network is by definition an insecure network, even if you have a WEP key and have turned on all sorts of security.  No matter what you do, some unknown system may be brought in and attempt to connect, or may sniff packets without even announcing its presence.  There is no way you can pretend that your wireless network is secure.  You had better limit access as much as you possibly can though, or whatever is on it is open for anyone to look.

The difference between the Internet and your wireless is that from the Internet the attacker can be anywhere, and on the wireless they need to be within range of your transceiver.  But keep in mind that if your landlady's computer is compromised that means your wireless network has an intruder on it, and by that measure it can be the same as if they were sitting on your front porch.

----------

## NotQuiteSane

 *1clue wrote:*   

> Wait.
> 
> Let's start over.
> 
> Your switch is only a layer 2 switch?  There is no way to configure it such that ports 1-4 are vlan 1, ports 5-8 are vlan 2 and so on?  If so then just plain ignore my entire last post.  In my definition a managed switch is one you can log into and change its configuration.  For example, you can make some ports be dedicated to a specific network.

 

It's a superstack 3300. However, I'm locked out due to an unknown password. Also, it does random reboots, so it may be time to retire it. OTOH, I've just been offered a pair of Baystacks. Not sure, but sounds like either 253 or 255 units or one of each. All I know is that they're 24 port units.

 *1clue wrote:*   

> Now for some definitions.

 

Great.  I'm trying to find these online, but am failing.

I know that for instance, I have in my pile an 8-port 10 mbit hub. As I understand, that 10 mbit is shared. So if I have 8 computers hooked up to it, I wouldn't be getting 10mbit to each, I'd be getting 1.25 mbit.

I also have my broken wrt54g here. It has a 5 port (under ddwrt) 10/100 switch. I had understood in the past that a switch gives the full bandwidth to each port, however after giving it some thought, that seems wrong. Would it be correct to say that it acts more like 5 independent hubs, where each pair of ports is given the full bandwidth for x amount of time, then it switches to a new pair?

So assuming that's correct, besides being able to be controlled by software, what exactly is a managed hub, and how does it differ from an unmanaged switch? And the same for a managed switch?

I'm getting way too much "noise" in my search, but it seems to me that:

hub < switch < managed hub < managed switch. 

is that correct?

And more importantly, if I want a) gigabit and b) enterprise grade, what is a good choice? I'd prefer 3com, but only insist on the enterprise grade if I buy (now if it's free like almost all my equipment...). Looking on eBay, it looks like most "managed gigabit" results start at about $200, or around twice what I'd like to pay. Ironically enough, there's a 16 port IBM for $125, but it's beyond my current budget.

 *1clue wrote:*   

> An insecure network is one in which you do not have control of who can connect to it.  The Internet is by definition an insecure network.

 

OK, so router 0 does have the ability to restrict connections by mac address, but it is not implemented. If it was, it would then be "secure", correct (ignoring the possibility of spoofing)?

 *1clue wrote:*   

> A secure network is one in which absolutely no port on any IP can be opened from outside that network.  All access through the firewall is instigated from the inside.  There is no way some stranger can plug a cable into that network, and no way for them to log in remotely.  Depending on whose definition you use, even that's not necessarily secure, but for a home network this definition will do.  From the sounds of it, you may not be even trying for this.
> 
> A DMZ (demilitarized zone) is a semi-secure network where there is no way for an unknown system/user to plug in, and strict controls on what sort of network access is granted from outside that network.

 

Looking at these, I think I want a mix like you mentioned. Certain items, like the (planned) print server, never need outside access. Others, such as the web and mail servers, need external access.

I don't recall where, but I remember hearing once that security is the art of compromising. On one extreme we have open, where anything can get in or out. The other end of the scale is closed, where no information is shared. Obviously I need to find a middle ground between the 2 points.

 *1clue wrote:*   

> Any wireless network is by definition an insecure network, even if you have a WEP key and have turned on all sorts of security.  No matter what you do, some unknown system may be brought in and attempt to connect, or may sniff packets without even announcing its presence.  There is no way you can pretend that your wireless network is secure.  You had better limit access as much as you possibly can though, or whatever is on it is open for anyone to look.
> 
> The difference between the Internet and your wireless is that from the Internet the attacker can be anywhere, and on the wireless they need to be within range of your transceiver.  But keep in mind that if your landlady's computer is compromised that means your wireless network has an intruder on it, and by that measure it can be the same as if they were sitting on your front porch.

 

So even if it can't be 100% secure, how can I make the wireless as secure as possible? I've just received a 400' spool of 6e wire, so I'm going to attempt to get an ok for a hard line again. IMO, that's the best choice, since being rated at 10GBit, it's mostly future proof. And talking with my neighbor, who would be doing the labor, since I have the wire, the panels and labor should be minimal. Choice two is a powerline network. At 85mbit for the slower speed it'll handle up to fiberoptic, but even the fast 200mbit is not as future proof. It's also about $150-200 to install. Choice 3 is to keep the wireless. I'm not liking that one. I just did some tests. From inside, within 6" of the bridge, my best speed using the FCC app on my android phone is 0.05mbit/sec. That's on a wireless G with the router hooked to a 1.5 clearwire connection. Going outside and standing under the window nearest to the router I get 0.33, which is still short of the 1.5 I should get.

The last choice is my own uplink. It's more expensive (fsking cable co wants over $100 for standalone internet), but in some ways may be a better choice.

NQS

----------

## NotQuiteSane

Ok, first the good news is I asked again, and I'm getting a hard line, on my dime. Also the upgrade will be to DSL 12mbit. The bad news is not until November.

I'm not sure I understand VLANs. I read the Wikipedia article, but I haven't had a chance to do more research yet. However here is a proposed layout, with separation by VLANs.

A couple of notes: I'm not sure where the file server should be positioned. Since it hosts /home and /usr/portage on all Linux systems, it needs to be available through the entire lan from the firewall down.

VLAN0 would be the computers accessible from the internet. I dropped the opteron system I'm shopping for into this group, since I want it available to select people.

VLAN1 is the "desktop" group. Again, I dropped the other machine I'm watching eBay for in there, since that would be its proper place. Also the netbook, when connected via hard wire. The dell I'd swap to a dual boot since I /shouldn't/ need windows. The only reason to keep it on there is it is a legit install.

VLAN2 is testing. I should have one of the virtual machines from the opteron linked to this group (is that possible?), so that all architectures within the lan are represented.

Besides the placement of the file server, there are two issues I'm unsure of. First, and this may answer the other, how are ip addresses dealt with in relation to the VLANs? If the firewall is 192.168.2.1, are all machines connected downstream of it on the same subnet, or does each VLAN get a new subnet?

Second, with the exception of the firewall (which is still a client) and the android, all Linux machines run both distcc and cross-compile (plus I build and use binaries to further cut build times).  Will the VLAN separation cause any trouble with this?

Ironically enough, I may not need the firewall in the layout. The current wireless router (netgear 614) does have a basic firewall built in. However it can only accept up to 20 rules, and can only deny, not allow (so no blocking everything, then allowing as needed). I've got it set to block groups of ports from 1-6800, but that leaves everything above that wide open. The DSL modem I'm considering also has a firewall. So it is possible between the two units I can dispense with the p3 based firewall. /me doesn't see why consumer firewalls can't be made to actually work, instead of being set to block a few popular ports.

NQS

----------

## 1clue

OK, a VLAN is a virtual local area network.  It's a means of abstracting your network from the hardware.  A VLAN acts as though it were a physically separate network.  Packets from VLAN 0 are not visible to VLAN 1 unless the router passes them over to VLAN 1.  Meaning that the destination host is on VLAN 1.

A layer 2 switch (most switches) can't be a router.  A managed layer 2 switch can possibly have VLAN support.  If it is configured to have 3 VLANs then it acts as though it were 3 separate switches.  If it has trunking support, then you only need 1 cable between the router and the switch, and all VLANs can use that cable while the traffic stays separate.

A layer 3 switch can be a router as well as a switch.  That means that traffic between 2 VLANs need not go through a physical cable but may instead be passed network to network at the speed of the back plane.  On good gear, that is much faster than the throughput of any network interface on the device.

Some VMware products allow trunking or multiple networks inside of the virtual environment.  I've never messed with it because it's not important to my needs.

IP addresses:  At some point you have a DHCP server.  In your switch, you configure each VLAN such that it knows which DHCP server to use, and how much of which information to pass to the DHCP server.   In Cisco speak, (the only way I've ever done this) that means you define an ip helper-address which points to the DHCP server, but I can't remember what options I used.  Barely enough to let the DHCP server know which network the client was on.

Your appliance probably does not have a DHCP server which is that sophisticated.

I don't know of any issue with using distcc, you would essentially be doing it across networks.  There must be something there to facilitate that because most cases would probably need it.

I actually like consumer appliance firewalls at home.  They don't let you get fancy, but they're pretty good at blocking out just about everything and it's a lot harder to mess up and accidentally let something in that you weren't planning to.  If my setup can't be done to my satisfaction on an appliance I'll put something in, but FWIW the last 7 or 8 years I have been able to do everything I actually needed.  But in general I use 2 layers -- The modem is set up to not let anything in, and the firewall router doesn't let anything in.  Then if I need it, I'll start with the fancy stuff from there.  However if I actually need that fancy stuff I probably need to either open up some sort of port/address mapping or I need to enable a VPN access.

Frankly I prefer VPN for internal access.

Good luck and have fun.
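
The "one subnet per VLAN, firewall routes between them" model 1clue describes, together with the earlier advice to limit cross-network access to the minimum by host and port, as an added example that is not from the thread or anyone's real configuration. It gives each VLAN its own /24 with the firewall's sub-interface as gateway, emits the Linux (iproute2) commands that create the tagged interfaces on a trunk port, and evaluates an allow list that defaults to deny, which is the blanket-DENY behaviour a "block these ports" appliance cannot express. The VLAN ids, zone names, trunk interface name `eth0`, host addresses and the rules themselves are assumptions chosen to mirror the DMZ / desktop / testing / wireless layout under discussion.

```python
"""One subnet per VLAN plus a default-deny inter-VLAN policy on the firewall.

Added example, not from the thread.  VLAN ids, zone names, the trunk NIC name,
host addresses and the allow rules are constructed to match the layout being
discussed; none of it is anyone's real configuration.
"""
import ipaddress
from dataclasses import dataclass

TRUNK = "eth0"   # firewall NIC carrying the 802.1Q trunk to the switch (assumed name)


@dataclass(frozen=True)
class Vlan:
    vid: int
    zone: str
    subnet: ipaddress.IPv4Network

    @property
    def gateway(self) -> ipaddress.IPv4Address:
        # The firewall's address on this VLAN; hosts in it use it as default gateway.
        return next(self.subnet.hosts())

    def iproute2(self):
        """Linux commands that create this VLAN's tagged sub-interface on the trunk."""
        dev = f"{TRUNK}.{self.vid}"
        return [
            f"ip link add link {TRUNK} name {dev} type vlan id {self.vid}",
            f"ip addr add {self.gateway}/{self.subnet.prefixlen} dev {dev}",
            f"ip link set {dev} up",
        ]


# Ids 10/20/30/40 rather than 0/1/2: 802.1Q reserves VLAN 0 and most switches
# use VLAN 1 as the default/native VLAN, so both are best left alone.
VLANS = [
    Vlan(10, "dmz",      ipaddress.ip_network("192.168.10.0/24")),  # web, mail, opteron box
    Vlan(20, "desktop",  ipaddress.ip_network("192.168.20.0/24")),  # workstations, file server
    Vlan(30, "testing",  ipaddress.ip_network("192.168.30.0/24")),
    Vlan(40, "wireless", ipaddress.ip_network("192.168.40.0/24")),  # treated as untrusted
]

FILESERVER = ipaddress.ip_address("192.168.20.2")   # constructed
WEB = ipaddress.ip_address("192.168.10.2")          # constructed: apache + postfix host

# Allow list for traffic crossing VLANs: (source zone, destination, port).
# destination is a host address, a zone name, or "any"; port None means any
# port.  Anything not listed is dropped.
ALLOW = [
    ("internet", WEB, 80),
    ("internet", WEB, 25),
    ("internet", WEB, 22),
    ("dmz",      FILESERVER, 2049),   # NFS for /home etc., one host, one port
    ("testing",  FILESERVER, 2049),
    ("desktop",  "any", None),        # the trusted side initiates everything outward
    ("wireless", "internet", None),   # netbook and phone get the Internet, nothing inside
]


def zone_of(ip) -> str:
    """Map an address to its VLAN zone; anything outside the VLANs is 'internet'."""
    ip = ipaddress.ip_address(ip)
    for v in VLANS:
        if ip in v.subnet:
            return v.zone
    return "internet"


def permitted(src, dst, port: int) -> bool:
    """Would the firewall let a new connection src -> dst:port through?"""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True      # same VLAN: switched locally, the firewall never sees it
    dst_ip = ipaddress.ip_address(dst)
    for rule_zone, rule_dst, rule_port in ALLOW:
        if rule_zone != src_zone:
            continue
        if rule_dst == "any" or rule_dst == dst_zone or rule_dst == dst_ip:
            if rule_port is None or rule_port == port:
                return True
    return False         # default deny


if __name__ == "__main__":
    for v in VLANS:
        print("\n".join(v.iproute2()))
    for probe in [("203.0.113.5", str(WEB), 80), ("192.168.40.7", str(FILESERVER), 2049),
                  ("192.168.10.2", str(FILESERVER), 2049), ("192.168.10.2", str(FILESERVER), 22)]:
        print(probe, permitted(*probe))
```

The `iproute2()` output answers the addressing question directly: every VLAN is a separate broadcast domain with its own subnet, and the firewall holds one address in each, so a static host in VLAN 20 points its default route at 192.168.20.1 and everything leaving the VLAN passes through `permitted()`-style rules. The probes show wireless being refused NFS to the file server while the DMZ is allowed exactly that one port and nothing else (ssh from the DMZ into the file server is dropped).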

----------

## NotQuiteSane

 *1clue wrote:*   

> OK, a VLAN is a virtual local area network.  It's a means of abstracting your network from the hardware.  A VLAN acts as though it were a physically separate network.  Packets from VLAN 0 are not visible to VLAN 1 unless the router passes them over to VLAN 1.  Meaning that the destination host is on VLAN 1.

 

OK, I did do a bit more reading; I need to do much more, but I think I can communicate between VLANs via "trunking".

 *1clue wrote:*   

> IP addresses:  At some point you have a DHCP server.  In your switch, you configure each VLAN such that it knows which DHCP server to use, and how much of which information to pass to the DHCP server.

 

Actually... except for the one assigned by the ISP, almost everything is static. I did give a small block on the router to DHCP, but nothing resides on it.

 *1clue wrote:*   

> Your appliance probably does not have a DHCP server which is that sophisticated.

 

Nor would I want it. I only use it because I'm too lazy to explain to guests how to connect via a static IP.

 *1clue wrote:*   

> I don't know of any issue with using distcc, you would essentially be doing it across networks.  There must be something there to facilitate that because most cases would probably need it.

 

A quick search didn't give great results. But again, it was just a quick search.

 *1clue wrote:*   

> I actually like consumer appliance firewalls at home.  They don't let you get fancy, but they're pretty good at blocking out just about everything and it's a lot harder to mess up and accidentally let something in that you weren't planning to.  ... But in general I use 2 layers -- The modem is set up to not let anything in, and the firewall router doesn't let anything in.  Then if I need it, I'll start with the fancy stuff from there.  

 

I'd agree with you here, if the examples I have seen worked that way. But what I've seen won't allow for a blanket DENY setting; you have to block ports, instead of ALLOW being used to open a few. I've also had one experience with Qwest and an Actiontec that blocked port 22 both ways. The solution to that was to put the router I was using with it on a DMZ, which allowed all.

NQS

----------

## 1clue

You can have a really good career being a network admin, if you get enough education.  It's not something you'll likely figure out completely unless you make it your career.  It's not mine, I know enough to do my job and to satisfy my curiosity for the most part and that's all.

You can do static if you like.  It becomes harder to reconfigure your network, but otherwise it's OK.

I've never used distcc.  Don't want to fake knowledge I don't have, but looking at the problem from the perspective of a business doing its work it must be able to span multiple networks.

Every home appliance I ever used uses NAT on the inside, and doesn't even translate an address if you don't specifically configure for it. So in essence you actually have a blanket DENY as long as you aren't using public addresses. I know my current setup blocks everything inbound by default, both on the cable modem and on the wireless.

----------

