Reorganizing my network

Old 09-10-08, 08:03 PM Thread Starter   #1
bLack0ut

As a followup to my other thread, I would like to get feedback on my current proposed network setup. A picture is worth a thousand words, so:



Any criticisms on organization/security would be appreciated.
The requirements for this network are:
  • Clients and my computer can access the fileserver
  • The clients use their own cable modems, my computer and the webserver use my cable modem

I think the web server is in a bad spot, and I should isolate it more, but it currently serves an smb share (my music), so it needs access to the fileserver.

I have extra routers/NICs, so extra hardware isn't a problem. I also have extra pentiums (~500mhz) that I need a use for, suggest w.e. (electricity is not a problem).

EDIT: Assume that the clients are normal ole joe-sixpacks who know little to nothing about computers.

__________________
Heat

Last edited by bLack0ut; 09-10-08 at 08:33 PM.

Old 09-10-08, 08:30 PM   #2
PLOBBY

I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?

__________________
"Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

~DM

Old 09-10-08, 08:32 PM Thread Starter   #3
bLack0ut

Quote:
Originally Posted by PLOBBY View Post
I am a little confused with the client situation...are they strictly on the network to access the file server? But go through their own internet connection for the outside world?
Yep, they are only on the network for the files. Pretty much, we all have good download links but our upload is crap, so I would rather they connect through LAN than WAN so my upload link isn't saturated.

Plus, they might torrent on my connection (on accident of course).

This setup seems a little convoluted, so I'm taking all suggestions on how to make it simpler/more organized/more secure.

__________________
Heat

Old 09-10-08, 08:37 PM   #4
PLOBBY

Well I would suggest moving the SMB share to a new server (you said you had extra).

From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.

EDIT:
Overall it seems like a pretty simple setup, I wouldn't change anything besides that, which is not absolutely necessary in the first place.

__________________
"Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

~DM

Old 09-10-08, 08:40 PM   #5
PLOBBY

One more question -- how the wireless is set up now, can the clients currently access the file server?

__________________
"Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

~DM

Old 09-10-08, 08:41 PM Thread Starter   #6
bLack0ut

Quote:
Originally Posted by PLOBBY View Post
Well I would suggest moving the SMB share to a new server (you said you had extra).

From there I would add another interface to the pfsense (I think they can do this?) and make it not possible to touch the webserver from the other interfaces, but of course be able to still have web functions.

It adds a little extra to the network but then the webserver is isolated from the other clients on your LAN.
Well, I'll give an example. The fileserver has an SMB share with blah.mp3. All the clients and my computer should be able to access it, preferably locally (again, to save my upload link). However, the web server is also serving that same mp3, so John Doe in Alaska can also access, albeit through WAN.

I need that functionality, but it almost seems inherently insecure.

Quote:
Originally Posted by PLOBBY View Post
One more question -- how the wireless is set up now, can the clients currently access the file server?
Yep, that's the point of the LAN.

__________________
Heat

Old 09-10-08, 08:50 PM   #7
MR-FIX-IT

Well, you have a few options..

1. Add more than one NIC in pfSense and team the NICs, if it supports it or
2. Get a dedicated wireless firewall appliance, such as a SonicWall TZ 170, and put your web server on the DMZ port.
3. Be sure the switch is a real switch, and not a glorified hub.

Old 09-10-08, 09:52 PM Thread Starter   #8
bLack0ut

Quote:
Originally Posted by MR-FIX-IT View Post
Well, you have a few options..

1. Add more than one NIC in pfSense and team the NICs, if it supports it or
Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, I get another line

Quote:
Originally Posted by MR-FIX-IT View Post
2. Get a dedicated wireless firewall appliance, such as a SonicWall TZ 170, and put your web server on the DMZ port.
The problem with this is the web server can't serve files from an smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

Quote:
Originally Posted by MR-FIX-IT View Post
3. Be sure the switch is a real switch, and not a glorified hub.
It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies.

Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming.

__________________
Heat
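
The separate-interface / DMZ placement discussed in posts #4 to #8, written out in pf.conf syntax (pf is the packet filter pfSense is built on). This is an added example, not part of the original thread: the interface names, every address and the `my_pc`, `file_srv` and `web_srv` macros are assumptions.

```pf
# Constructed example: every interface name and address is an assumption.
wan_if   = "em0"            # to the cable modem
lan_if   = "em1"            # switch: my computer, file server, wireless AP
dmz_if   = "em2"            # web server alone on its own interface
my_pc    = "192.168.1.2"    # the only LAN host meant to use this modem
file_srv = "192.168.1.10"
web_srv  = "192.168.2.10"
smb_tcp  = "{ 139, 445 }"   # NetBIOS session service and direct-hosted SMB

set skip on lo0
scrub in all

# Translation: only my computer is NATed out through the cable modem;
# inbound port 80 is redirected to the web server in the DMZ.
nat on $wan_if from $my_pc to any -> ($wan_if)
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv port 80

# Default deny in both directions on every interface; log what is dropped.
block log all

# Internet -> web server, HTTP only (after rdr the destination is web_srv).
pass in  on $wan_if proto tcp from any to $web_srv port 80 keep state
pass out on $dmz_if proto tcp from any to $web_srv port 80 keep state

# The single pinhole: web server -> file server, SMB only.
pass in  on $dmz_if proto tcp from $web_srv to $file_srv port $smb_tcp keep state
pass out on $lan_if proto tcp from $web_srv to $file_srv port $smb_tcp keep state

# My computer -> Internet. No rule lets a LAN host open a connection into
# the DMZ, and no rule lets the web server reach any other LAN host or
# start connections of its own to the Internet.
pass in  on $lan_if from $my_pc to ! $web_srv keep state
pass out on $wan_if keep state
```

`pfctl -nf /etc/pf.conf` parses a ruleset without loading it. The filter only limits which hosts and ports can talk; exporting the music share read-only to the web server's address limits what that one allowed path can do.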

Old 09-11-08, 07:41 AM   #9
MR-FIX-IT

Can you access the switch via a web browser?? This would require the switch to be assigned an IP... This would be called a manageable switch, and would be in the class of a "REAL" switch. The Dell PowerConnect 2016 is a glorified hub... No intelligence, does what it needs to do without management.

Also, if you think you get 100Mbs on your NIC, then you're more gullible than I thought. You'll be lucky to hit 25% to 35% of the 100Mbs. I would team as many NICs as you can. Besides, if you have 4 users hitting a so-called 54Mbs, you've already hit your threshold...

100Mb/s is only 12.5 Megs a second. 54Mb/s is only 6.75 Megs a second. These numbers are rarely ever hit. Maybe PC to PC with a crossover cable and then maybe you'll hit 100% utilization, and that's if the cable is perfect!

Try this on your network. Luckily for you XP has a built in network bandwidth monitor, in the task manager > Networking tab.

Try moving a file or what ever you do, and see what network utilization is...and see for yourself...

Edit: Case in point. At work I have a Gigabit connection to my server. The server and myself are both on the same managed switch.

Gigabit is 125MB/s in theory. I moved a 465MB file to a server. It used a whole 8% of the Gigabit network, which equals 15.625MB/s. It took about 30 seconds to move over..

Last edited by MR-FIX-IT; 09-11-08 at 08:03 AM.

Old 09-11-08, 10:46 AM Thread Starter   #10
bLack0ut

Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if it improves performance.

You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?

__________________
Heat

Old 09-11-08, 12:08 PM   #11
MR-FIX-IT

Quote:
Originally Posted by bLack0ut View Post
Well, why would I need to team NICs? Wireless limitations probably won't reach the throughput limit of one NIC and the switch would offload the wired side. You talking about teaming NICs WAN-side? If so, I only have access to one cable modem. -> but it's a good idea, I get another line

The problem with this is the web server can't serve files from an smb share of the fileserver. I'm also pretty certain I can configure pfsense to have a DMZ port.

It's a Dell PowerConnect 2016, 16-port 100Mb switch. I think it qualifies.

Again, my main concerns are optimization of network flow and security. These are great suggestions, keep em coming.
Quote:
Originally Posted by bLack0ut View Post
Ah, you meant a managed switch... I really doubt that I need a managed switch for this network (plus it's kind of expensive and this is really just for fun).

I've actually measured bandwidth of my NICs, and I usually get about 8MB/s, which is about 75%, which isn't too shabby. Considering that 802.11g rarely hits 3MB/s (because of interference)... oh wait lol. I'll team a few NICs and see if it improves performance.

You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?
If both are Windows boxes, set up a VPN between the two..

Old 09-11-08, 12:19 PM   #12
MR-FIX-IT

Quote:
Originally Posted by bLack0ut View Post
You seem to know quite a bit about networking. Got any ideas for the security aspect of the web server accessing the file server?
If both are Windows boxes, set up a VPN between the two..

Old 09-11-08, 12:27 PM Thread Starter   #13
bLack0ut

Quote:
Originally Posted by MR-FIX-IT View Post
If both are Windows boxes, set up a VPN between the two..


Revised the picture. Both boxes are FreeBSD atm. Will a VPN between the two computers have packets leaving the LAN?

__________________
Heat

Old 09-11-08, 04:05 PM   #14
ppe1700

Don't you wish you could do trunking and vlans!?
Another option is maybe move your personal network to a separate ip range and route traffic to it through a router, but maybe this is too much for what you require..