  1. #1
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045

    Reorganizing my network

    As a followup to my other thread, I would like to get feedback on my current proposed network setup. A picture is worth a thousand words, so :



    Any criticisms on organization/security would be appreciated.
    The requirements for this network are:
    • Clients and my computer can access the fileserver
    • The clients use their own cable modems, my computer and the webserver use my cable modem


    I think the web server is in a bad spot, and I should isolate it more, but it currently serves a smb share(my music), so it needs access to the fileserver.

    I have extra routers/NICs, so extra hardware isn't a problem. I also have extra pentiums (~500mhz) that I need a use for , suggest w.e. (electricity is not a problem).

    EDIT: Assume that the clients are normal ole joe-sixpacks who know little to nothing about computers.
    Last edited by bLack0ut; 09-10-08 at 08:33 PM.

  2. #2
    Member
    Join Date
    Aug 2004
    Posts
    1,469
    I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?
    "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

    ~DM

  3. #3
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045
    Quote Originally Posted by PLOBBY View Post
    I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?
    Yep, they are only on the network for the files. Pretty much, we all have good download links but our upload is crap, so I would rather they connect through LAN than WAN so my upload link isn't saturated.

    Plus, they might torrent on my connection (on accident of course).

    This setup seems a little convoluted, so I'm taking all suggestions on how to make it simpler/more organized/more secure.

  4. #4
    Member
    Join Date
    Aug 2004
    Posts
    1,469
    Well I would suggest moving the SMB share to a new server (you said you had extra).

    From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

    It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.

    EDIT:
    Overall it seems like a pretty simple setup, I wouldn't change anything besides that, which is not absolutely necessary in the first place.

  5. #5
    Member
    Join Date
    Aug 2004
    Posts
    1,469
    one more question -- how the wireless is setup now, can the clients currently access the file server?

  6. #6
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045
    Quote Originally Posted by PLOBBY View Post
    Well I would suggest moving the SMB share to a new server (you said you had extra).

    From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

    It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.
    Well, I'll give an example. The fileserver has a SMB share with blah.mp3. All the clients and my computer should be able to access it, preferably locally (again, to save my upload link). However, the web server is also serving that same mp3, so John Doe in Alaska can also access, albeit through WAN.

    I need that functionality, but it almost seems inherently insecure.

    Quote Originally Posted by PLOBBY View Post
    one more question -- how the wireless is setup now, can the clients currently access the file server?
    Yep, that's the point of the LAN.

  7. #7
    Disabled
    Join Date
    Jan 2008
    Location
    Somewhere on Long Island
    Posts
    589
    Well, you have a few options..

    1. Add more than one NIC in pfSense and team the NICs, if it supports it or
    2. Get a dedicated wireless firewall appliance, such as a sonicwall TZ 170, and put your web server on the DMZ port.
    3. be sure the switch is a real switch, and not a glorified hub.

  8. #8
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045
    Quote Originally Posted by MR-FIX-IT View Post
    Well, you have a few options..

    1. Add more than one NIC in pfSense and team the NICS, if it supports it or
    Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, I get another line

    Quote Originally Posted by MR-FIX-IT View Post
    2. Get a dedicated wireless firewall appliance, such as a sonicwall TZ 170, and put your web server on the DMZ port.
    The problem with this is the web server can't serve files from a smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

    Quote Originally Posted by MR-FIX-IT View Post
    3. be sure the switch is a real switch, and not a glorified hub.
    It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies.

    Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming

  9. #9
    Disabled
    Join Date
    Jan 2008
    Location
    Somewhere on Long Island
    Posts
    589
    Can you access the switch via a web browser?? This would require the switch to be assigned an IP... This would be called a manageable switch, and would be in the class of a "REAL" switch. The Dell PowerConnect 2016 is a glorified hub... No intelligence, does what it needs to do without management.

    Also, if you think you get 100Mbs on your NIC, then you're more gullible than I thought. You'll be lucky to hit 25% to 35% of the 100Mbs. I would team as many NICs as you can. Besides if you have 4 users hitting a so called 54Mbs, you've already hit your threshold...

    100Mb/s is only 12.5 Megs a second. 54Mb/s is only 6.75 Megs a second. These numbers are rarely ever hit. Maybe PC to PC with a crossover cable and then maybe you'll hit 100% utilization, and that's if the cable is perfect!

    Try this on your network. Luckily for you XP has a built in network bandwidth monitor, in the task manager > Networking tab.

    Try moving a file or what ever you do, and see what network utilization is...and see for yourself...

    Edit: Case in point. at work I have a Gigabit connection to my server. The server and myself are both on the same managed switch.

    Gigabit is 125MB/s in theory. I moved a 465MB file to a server. It used a whole 8% of the Gigabit network, which equals 15.625MB/s. It took about 30 seconds to move over..
    Last edited by MR-FIX-IT; 09-11-08 at 08:03 AM.

  10. #10
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045
    Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

    I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if it improves performance.

    You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?

  11. #11
    Disabled
    Join Date
    Jan 2008
    Location
    Somewhere on Long Island
    Posts
    589
    Quote Originally Posted by bLack0ut View Post
    Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, I get another line

    The problem with this is the web server can't serve files from a smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

    It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies.

    Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming
    Quote Originally Posted by bLack0ut View Post
    Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

    I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if improves performance.

    You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?
    If both are Windows boxes, set up a VPN between the two..

  12. #12
    Disabled
    Join Date
    Jan 2008
    Location
    Somewhere on Long Island
    Posts
    589
    Quote Originally Posted by bLack0ut View Post
    You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?
    If both are Windows boxes, set up a VPN between the two..

  13. #13
    Member bLack0ut's Avatar
    Join Date
    Dec 2004
    Posts
    1,045
    Quote Originally Posted by MR-FIX-IT View Post
    If both are Windows boxes, set up a VPN between the two..
    Revised the picture. Both boxes are FreeBSD atm. Will a VPN between the two computers have packets leaving the LAN?

  14. #14
    Member ppe1700's Avatar
    Join Date
    Jan 2007
    Posts
    1,384
    don't you wish you could do trunking and vlans!?
    another option is maybe move your personal network to a separate ip range and route traffic to it through a router, but maybe this is too much for what you require..
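Putting PLOBBY's three-interface suggestion (#4), the "web server needs the SMB share but nothing else" requirement from #6, and ppe1700's separate-IP-range idea (#14) into one concrete ruleset, here is an added example that is not from this thread or from any of the posters: a pf.conf for a FreeBSD-style firewall with WAN, LAN and DMZ interfaces, using the older nat/rdr syntax FreeBSD's pf accepts. The interface names, the addresses, and the assumption that bLack0ut's own PC is the only LAN host allowed out through his modem are all made up for the example; pfSense generates its own pf.conf, so on that box the same policy would be entered per interface in the GUI rather than pasted in.

```pf
# Added example, not from the thread. Interface names and addresses are assumptions.
ext_if = "em0"    # cable modem (WAN)
lan_if = "em1"    # switch + access point: clients, my PC, file server
dmz_if = "em2"    # web server only

lan_net    = "192.168.1.0/24"   # assumed LAN range
dmz_net    = "192.168.2.0/24"   # assumed DMZ range (ppe1700's separate range, post #14)
fileserver = "192.168.1.10"
my_pc      = "192.168.1.20"
webserver  = "192.168.2.10"

smb_ports = "{ 139, 445 }"
web_ports = "{ 80, 443 }"

set skip on lo0
scrub in all

# Only hosts that are explicitly allowed out are ever translated to the WAN
# address. Clients are deliberately left out: they use their own modems and
# cannot "accidentally" torrent over this link (post #3).
nat on $ext_if from { $my_pc, $webserver } to any -> ($ext_if)

# Publish the web server on the WAN address.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $webserver

# Default deny on every interface; every pass rule below is an exception.
# Policy is enforced on ingress, so egress is allowed for established states.
block log all
pass out all keep state

# WAN: only the redirected web ports may come in.
pass in on $ext_if proto tcp from any to $webserver port $web_ports keep state

# DMZ: the web server may open SMB to the file server and nothing else on the
# LAN. A compromised web server then sees one share, not the whole LAN.
pass in on $dmz_if proto tcp from $webserver to $fileserver port $smb_ports keep state
# DNS and updates for the web server, but never towards the LAN range.
pass in on $dmz_if proto udp from $webserver to ! $lan_net port 53 keep state
pass in on $dmz_if proto tcp from $webserver to ! $lan_net port $web_ports keep state

# LAN: client <-> file server traffic stays on the switch and never reaches
# this box. My PC may go out to the Internet; every LAN host may use the web
# server the same way the public does; only my PC may manage it over ssh.
pass in on $lan_if from $my_pc to ! $dmz_net keep state
pass in on $lan_if proto tcp from $lan_net to $webserver port $web_ports keep state
pass in on $lan_if proto tcp from $my_pc to $webserver port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as parsed. This also answers the worry in #6 and the question in #13 for the SMB path: the share traffic between web server and file server is TCP 139/445 crossing only the DMZ-to-LAN boundary of the firewall, so it never touches the WAN, and the `block log all` line means any other DMZ-to-LAN attempt is both dropped and visible in pflog. On the web server itself, mounting the share read-only with a dedicated low-privilege account limits what that one allowed path can be used for.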
