Date:      Mon, 28 Oct 2002 16:20:20 -0700 (MST)
From:      Nick Rogness <nick@rogness.net>
To:        Kristin Guttormsen <prince_of_wands@hotmail.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Home network design
Message-ID:  <20021028093721.I46186-100000@skywalker.rogness.net>
In-Reply-To: <F28aXjAQkRKadxgK39K0001824f@hotmail.com>

On Mon, 28 Oct 2002, Kristin Guttormsen wrote:

>
> I have been playing around with different configurations for my home
> network for some time and while I have learned much of the specifics, I
> remain dissatisfied with my general concepts.  I hope someone can offer
> some clarity to my designs, and then I should be able to solve the
> specifics (I hope) with time and study.
>
> I have a cable connection through ATTBI (1-5 dynamic IP's available at
> $5/month a piece after the first, no truly static IP's).
>
> I have three registered domains (mynet1.net, mynet2.net, mynet3.net) and
> can work out dynamic dns using available free resources.
>
> I have 4 user pc's (win98se, nt4 workstation, win2k, winxp mix) that
> need constant connection, a networked ps2 (needed as I'm a beta tester),
> an occasional laptop connection needed (win2k or xp), and I'd like to
> be able to let 1-5 people drop in whenever for lan parties.  I also have
> 4 constant servers built (2 freebsd, 1 will be sol linux when it
> arrives, 1 linux of oft changing flavor), and I also have one borrowed
> server which I'm currently using for my Novell training which may
> eventually join the network (undecided yet).
>
> Network hardware currently available: 5 port switch, router w/ 4 port
> switch, 4 port hub, and I'm picking up an 8 port switch next week
> sometime.
>
> I have 2 public websites to host and one which I use purely for testing
> and fun.  I have had ftp, irc, mail (only for my private domain, not the
> two others), nntp, and a game server running publicly.  I have remote
> storage (a private fileserver for friends (mostly mp3 and video)) and a
> mysql server which are not for public use but which DO need to be fully
> accessible from any location (as well as desiring remote network
> management just for showing off).
>
> I'd like to be moderately secure, although I'm not talking about fortune
> 500 class sensitive material.  If nothing else, I'm doing all this to
> broaden my skills and experience and have a little fun.
>
> Where I start to break down is deciding what to do as far as how many
> ip's to get and where to assign them.  Do I build a full DMZ, or use a
> 3rd nic DMZ out of a firewall gateway, or just lump them altogether?
> Should I run the servers each with the public IP's and share the private
> systems behind NAT, or the other way around, or should everything use
> NAT behind a single or maybe two public IP's?  So far I've compiled
> about 11 different network designs but don't have enough knowledge to
> know the pros and cons each would present.  Can anyone suggest an
> appropriate physical layout and address scheme (and if anyone is feeling
> REALLY helpful how they would break down the application load across the
> different machines (ie what services would play together nicely residing
> on the same server)?

	This is a rather difficult question to answer.  It's like asking
	a fisherman how to catch a fish.  Everyone has their own ideas on
	how you should do this.  It depends mostly on what you want to
	accomplish or what has more importance, functionality or security.

	However, I'll take a shot at it.  Consider the following diagram:


			Internet Connection
				|
				|
				HUB/SW
				|
				|
				NAT
				|
			================		Web Server &
			FreeBSD Firewall ---HUB/sw----	protected machines
			================    (DMZ)	(RFC1918) 10.0.0.0
				|			OR ext. IP subnet
				|
				HUB/Sw
				|
			  Private Lan (192.168 or other RFC1918)


	The service breakdown is simple.  Anything that needs to be
	accessed FROM the outside world (ie, the Internet) put on the
	DMZ.  Firewall off the important services for the DMZ network.
	Put general machines in the private segment.  Run NAT where
	needed.

	This is generally how most firewall appliances (like Cisco PIX,
	Sonic Wall, etc) work.  It's just a matter of preference anyway,
	it's not like you're running some massive network service.

	Of course, you could just KISS and put everything behind a BSD
	gateway and NAT certain ports to different machines.  That is the
	easiest.



Nick Rogness <nick@rogness.net>
-
 "Wouldn't it be great if we could answer people with a
  kick to the crotch?"  -maddox@xmission.com
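The three-segment layout in the reply, written up as an added example (not code from the thread) that models the filtering policy the FreeBSD gateway would enforce: Internet traffic reaches only listed DMZ services, nothing from outside or from the DMZ may initiate into the private segment, and private hosts leave through NAT. The address ranges, the host-to-service mapping and the public address are constructed from the question's service list and the diagram's RFC 1918 ranges.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed addressing following the diagram: DMZ on 10.0.0.0/24,
# private LAN on 192.168.1.0/24, one public address on the NAT box.
PUBLIC_IP = "198.51.100.10"  # placeholder for the cable-modem address
ZONES = {
    "dmz": ipaddress.ip_network("10.0.0.0/24"),
    "private": ipaddress.ip_network("192.168.1.0/24"),
}
# Publicly offered services from the question, pinned to hypothetical DMZ hosts.
DMZ_SERVICES = {
    ("10.0.0.2", 80): "www",
    ("10.0.0.2", 21): "ftp",
    ("10.0.0.3", 25): "smtp",
    ("10.0.0.3", 119): "nntp",
    ("10.0.0.4", 6667): "irc",
}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> str:
    """Classify an address as 'dmz', 'private' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def decide(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (verdict, translated source address or None)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "internet":
        # Only the advertised DMZ services are reachable from outside;
        # everything else, including the private segment, is dropped.
        ok = dst_zone == "dmz" and (flow.dst, flow.dport) in DMZ_SERVICES
        return ("allow" if ok else "deny", None)
    if src_zone == "dmz":
        # A compromised DMZ host must not be able to reach inward.
        return ("deny", None) if dst_zone == "private" else ("allow", None)
    # Private segment: reaches the DMZ directly, the Internet via NAT.
    if dst_zone == "internet":
        return ("allow", PUBLIC_IP)
    return ("allow", None)
```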
