Reorganizing my network

bLack0ut · 09-10-08, 08:03 PM

As a followup to my other thread, I would like to get feedback on my current proposed network setup. A picture is worth a thousand words, so :

Any criticisms on organization/security would be appreciated.
The requirements for this network are:

Clients and my computer can access the fileserver
The clients use their own cable modems, my computer and the webserver use my cable modem

I think the web server is in a bad spot, and I should isolate it more, but it currently serves a smb share(my music), so it needs access to the fileserver.

I have extra routers/NICs, so extra hardware isn't a problem. I also have extra pentiums (~500mhz) that I need a use for

, suggest w.e. (electricity is not a problem).

EDIT: Assume that the clients are normal ole joe-sixpacks who know little to nothing about computers.

PLOBBY · 09-10-08, 08:30 PM

I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?

bLack0ut · 09-10-08, 08:32 PM

Quote:

Originally Posted by PLOBBY

I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?

Yep, they are only on the network for the files. Pretty much, we all have good download links but our upload is crap, so I would rather they connect through LAN than WAN so my upload link isn't saturated.

Plus, they might torrent on my connection

(on accident of course).

This setup seems a little convoluted, so I'm taking all suggestions on how to make it simpler/more organized/more secure.

PLOBBY · 09-10-08, 08:37 PM

Well I would suggest moving the SMB share to a new server (you said you had extra).

From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.

EDIT:
Overall it seems like a pretty simple setup, I wouldn't change anything besides that, which is not absolutely necessary in the first place.

PLOBBY · 09-10-08, 08:40 PM

one more question -- how the wireless is setup now, can the clients currently access the file server?

bLack0ut · 09-10-08, 08:41 PM

Quote:

Originally Posted by PLOBBY

Well I would suggest moving the SMB share to a new server (you said you had extra).

From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.

Well, I'll give an example. The fileserver has a SMB share with blah.mp3. All the clients and my computer should be able to access it, preferably locally (again, to save my upload link). However, the web server is also serving that same mp3, so John Doe in Alaska can also access, albeit through WAN.

I need that functionality, but it almost seems inherently insecure.

Quote:

Originally Posted by PLOBBY

one more question -- how the wireless is setup now, can the clients currently access the file server?

Yep, that's the point of the LAN.

MR-FIX-IT · 09-10-08, 08:50 PM

Well, you have a few options..

1. Add more than one NIC in pfSense and team the NICS, if it supports it or
2. Get a dedicated wireless firewall appliance, such as a sonicwall TZ 170, and put your web server on the DMZ port.
3. be sure the switch is a real switch, and not a glorified hub.

bLack0ut · 09-10-08, 09:52 PM

Quote:

Originally Posted by MR-FIX-IT

Well, you have a few options..

1. Add more than one NIC in pfSense and team the NICS, if it supports it or

Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, i get another line

Quote:

Originally Posted by MR-FIX-IT

2. Get a dedicated wireless firewall appliance, such as a sonicwall TZ 170, and put your web server on the DMZ port.

The problem with this the web server can't serve files from a smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

Quote:

Originally Posted by MR-FIX-IT

3. be sure the switch is a real switch, and not a glorified hub.

It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies

.

Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming

MR-FIX-IT · 09-11-08, 07:41 AM

Can you access the switch via a web browser?? This would require the switch to be assigned an IP... This would be called a manageable switch, and would be in the class of a "REAL" switch. The Dell PowerConnect 2016 is a glorified hub... No intelligence, does what it need to do without management.

Also, If you think you get 100Mbs on your NIC, then your more gullible than I thought. You'll be lucky to hit 25% to 35% of the 100Mbs. I would team as many nics as you can. Besides if you have 4 users hitting a so called 54Mbs, you've already hit your thresh hold...

100Mb/s is only 12.5 Megs a second. 54Mb/s is only 6.75 Megs a second. These numbers are rarely ever hit. Maybe PC to PC with a crossover cable and then maybe you'll hit 100% utilization, and that's if the cable is perfect!

Try this on your network. Luckily for you XP has a built in network bandwidth monitor, in the task manager > Networking tab.

Try moving a file or what ever you do, and see what network utilization is...and see for yourself...

Edit: Case in point. at work I have a Gigabit connection to my server. The server and myself are both on the same managed switch.

Gigabit is 125MB/s in theory. I moved a 465MB file to a server. It used a whole 8% of the Gigabit network. which equals to 15.625MB/s. It took about 30 seconds to move over..

bLack0ut · 09-11-08, 10:46 AM

Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if improves performance.

You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?

MR-FIX-IT · 09-11-08, 12:08 PM

Quote:

Originally Posted by bLack0ut

Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, i get another line

The problem with this the web server can't serve files from a smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies

.

Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming

Quote:

Originally Posted by bLack0ut

Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if improves performance.

You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?

If both are windows boxes, setup a VPN between the two..

MR-FIX-IT · 09-11-08, 12:19 PM

Quote:

Originally Posted by bLack0ut

You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?

If both are windows boxes, setup a VPN between the two..

bLack0ut · 09-11-08, 12:27 PM

Quote:

Originally Posted by MR-FIX-IT

If both are windows boxes, setup a VPN between the two..

Revised the picture. Both boxes are FreeBSD atm. Will a VPN between the two computers have packets leaving the LAN?

ppe1700 · 09-11-08, 04:05 PM

dont you wish you could do trunking and vlans!?
another option is may be move your personal network to a seperate ip range and route traffic to it through a router, but may be this is too much for what you require..

09-10-08, 08:03 PM	Thread Starter #1
bLack0ut Member Join Date: Dec 2004	Reorganizing my network As a followup to my other thread, I would like to get feedback on my current proposed network setup. A picture is worth a thousand words, so : Any criticisms on organization/security would be appreciated. The requirements for this network are: Clients and my computer can access the fileserver The clients use their own cable modems, my computer and the webserver use my cable modem I think the web server is in a bad spot, and I should isolate it more, but it currently serves a smb share(my music), so it needs access to the fileserver. I have extra routers/NICs, so extra hardware isn't a problem. I also have extra pentiums (~500mhz) that I need a use for , suggest w.e. (electricity is not a problem). EDIT: Assume that the clients are normal ole joe-sixpacks who know little to nothing about computers. __________________ Heat Last edited by bLack0ut; 09-10-08 at 08:33 PM.
	QUOTE Thanks

09-10-08, 08:30 PM	#2
PLOBBY Member Join Date: Aug 2004	I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world? __________________ "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend" ~DM
	QUOTE Thanks

09-10-08, 08:37 PM	#4
PLOBBY Member Join Date: Aug 2004	Well I would suggest moving the SMB share to a new server (you said you had extra). From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions. It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN. EDIT: Overall it seems like a pretty simple setup, I wouldn't change anything besides that, which is not absolutely necessary in the first place. __________________ "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend" ~DM
	QUOTE Thanks

09-10-08, 08:40 PM	#5
PLOBBY Member Join Date: Aug 2004	one more question -- how the wireless is setup now, can the clients currently access the file server? __________________ "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend" ~DM
	QUOTE Thanks

09-10-08, 08:50 PM	#7
MR-FIX-IT Disabled Join Date: Jan 2008 Location: Somewhere on Long Island	Well, you have a few options.. 1. Add more than one NIC in pfSense and team the NICS, if it supports it or 2. Get a dedicated wireless firewall appliance, such as a sonicwall TZ 170, and put your web server on the DMZ port. 3. be sure the switch is a real switch, and not a glorified hub.
	QUOTE Thanks

Reorganizing my network

Internet Services

Website Development

Tech Hardware

09-11-08, 07:41 AM	#9
MR-FIX-IT Disabled Join Date: Jan 2008 Location: Somewhere on Long Island	Can you access the switch via a web browser?? This would require the switch to be assigned an IP... This would be called a manageable switch, and would be in the class of a "REAL" switch. The Dell PowerConnect 2016 is a glorified hub... No intelligence, does what it need to do without management. Also, If you think you get 100Mbs on your NIC, then your more gullible than I thought. You'll be lucky to hit 25% to 35% of the 100Mbs. I would team as many nics as you can. Besides if you have 4 users hitting a so called 54Mbs, you've already hit your thresh hold... 100Mb/s is only 12.5 Megs a second. 54Mb/s is only 6.75 Megs a second. These numbers are rarely ever hit. Maybe PC to PC with a crossover cable and then maybe you'll hit 100% utilization, and that's if the cable is perfect! Try this on your network. Luckily for you XP has a built in network bandwidth monitor, in the task manager > Networking tab. Try moving a file or what ever you do, and see what network utilization is...and see for yourself... Edit: Case in point. at work I have a Gigabit connection to my server. The server and myself are both on the same managed switch. Gigabit is 125MB/s in theory. I moved a 465MB file to a server. It used a whole 8% of the Gigabit network. which equals to 15.625MB/s. It took about 30 seconds to move over.. Attached Images Last edited by MR-FIX-IT; 09-11-08 at 08:03 AM.
	QUOTE Thanks

09-11-08, 10:46 AM	Thread Starter #10
bLack0ut Member Join Date: Dec 2004	Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun). I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if improves performance. You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server? __________________ Heat
	QUOTE Thanks

09-11-08, 04:05 PM	#14
ppe1700 Member Join Date: Jan 2007	dont you wish you could do trunking and vlans!? another option is may be move your personal network to a seperate ip range and route traffic to it through a router, but may be this is too much for what you require..
	QUOTE Thanks

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search