Hi,

I'd like to ask for some ideas on how best to organize my home LAN. I currently have 2 static IPs. One of the external IPs features a server with 2 NICs that currently provides NAT/Router/Firewall service. I have another server with 2 NICs that I want to use for the 2nd static IP.

I'd like to have the first server continue to be a router/gateway, but I'd also like to have it provide DNS service for my domain along with some other services possibly. The 2nd server would be a 2ndary DNS server, a web server, and maybe some other services like mail, etc.

I'm pretty new to setting up all these services and am concerned about running the 2 servers as securely as possible, but also to be able to access them from within my NAT'ed LAN.

I don't know if I should put the 2 servers in some sort of DMZ, or if I should continue to have them be tied to the private LAN. I'd like them to provide mail and DNS for my internal LAN as well.

One other option I have is a crappy Linksys router that I can use between the outside servers and the inside LAN... but I'm not sure if adding that would just complicate matters.

I guess I'm asking for what others are doing with similar setups, or what others would do given a similar setup.

Also, is there any advantage to giving each NIC on a single server a separate hostname? (They currently have the same hostname inside and outside and are using external/private IPs).

Thanks in advance for any ideas.

Since nobody has answered you I will give it a shot. FIrst off i have never done this before but would really like to try it (I am jellous).

If you want to run you own domain, you will need two or more DNS servers. I would use on IP for a router with that conects you to the internet and NAT and firewall that to a DMZ that will run your DNS (2 server), web (1 server) and mail (1 server). You could setup the mail and web on the secondary DNS server if you don't have the extra PCs. Unless you are expecting alot of traffic, a P133 to P233 with 128 mb to 256 mb and 4 gb to 10 gb hard drive.will suffice from your web and mail server. The other IP I would setup as a gateway for the rest of the your net and NAT that with a firewall.

Heres an idea. Take one NIC outta of the one server that is not the gateway. Add it to the gateway to give it three NICs and then you can make a DMZ on the third nic to place your web server. You can then do some port forwarding and such for whatever services you provide. I'm assuming thre gateway is Linux already. It's safer then having your publically addressable servers mixed with your private computers. You would just have to make real good firewall rules so that your DMZ is nice and seperated from your private LAN. I could probabaly help you plan the IP addressing and firewall scheme if you need help with it. I think I can speak for the Linux networking fans on this forum and say "sounds like fun".

--tarballedtux

Thanks for the suggestions. I like the ideas you both gave. I was thinking that 2 NICs in the 2nd server was a bit overkill. Currently one server is already providing the NAT/Firewall/Gateway services to my home LAN. (Don't tell anyone, but these are OpenBSD servers, not Linux....but these questions aren't OS related, they're more design related, thus my posting here.) I was using the 2nd IP as sort of a failover gateway, but I never use it since my gateway server is never down (except during power outages).

The one thing I'm not 100% clear on is this: If I DMZ the 2nd server and make it the main web/dns/mail server, then I guess I'd be left with using the gateway/DMZ server as a 2ndary DNS server (I definitely want 2 DNS servers active). So it'd be pretty tight except for the fact that it would be listening for DNS....which I'm not that scared of. It's a chrooted DNS under OpenBSD. It should do.

Another question is....what kind of throughput would I have from my NAT'ed LAN to my DMZ hosts, would it be 100Mbp/s (LAN Speed) or would it be like communicating with any other host on the Internet?

Thanks for the input. I'm getting a lot clearer about how to set this up.

From the LAN to the DMZ it would be as fast as you want it! Or as fast the NICs can handle. Speed also depends whether you use a switch or a hub to connect the gateway/router to the Private LAN and the DMZ. Be sure to use a seperate switch/hub for the private LAN and the seperate switch/hub for the DMZ.

Question: Why should you make a secondary DNS on the router if the primary fails which I assume is on the webserver? Unless of course there is more than one server on the DMZ that can provide DNS.


P.S. Nothing wrong with asking BSD stuff here. But if your going to dedicate a thread to it put it in the BSD forum instead as it might get a better response there.

--tarballedtux

I actually thought I'd get a better response here since it's a much more heavily trafficked forum than the BSD forums.

As to the question of DNS, I just thought it was good form to have at least 2 DNS servers hosting DNS for the outside world. ...sort of a failover thing in case one goes down. For the inside (private LAN) I could set up any internal machine for DNS on the private LAN...that's not really an issue. Is that what you were asking?

I was just wondering why you would have a 2nd DNS server if the first one(which I thought was the webserver and mailserver also) failed. SO if the first one failed whats the point of having DNS available if you have no services to offer? Unless fo course you want to access the firewall directly by it's FQDN. Be on the positive side, do you expect your BSD box to fail?


--tarballedtux

Okay, I've pretty much settled on the following:

DSL Switch into Cisco mini-switch, then server1 (with one NIC) serving up DNS, web, mail, etc., then server2 (2 NICs) will be a 2ndary DNS server and maybe provide some other services. Server2 will also act as a router for my LAN, since I need some way to get out from my LAN.

Server 2 will be connected to server3 (a crappy old pc with 2 NICs), and server3 will provide NAT/Gateway/DHCP service for my private LAN.

I'm not sure how I should connect server2 to server3...like what kind of IP address I should use. I guess it doesn't really matter since they will be directly connected....it could be just about any IP address really.

My system is already pretty much set up like that. I just have to replace the Linksys I have with server 1, then turn of PF in server2, connect server3 to server2 and configure server3 for NAT/PF and dhcp. (which is already set up on server 2).

Thanks guys for helping me sort this crap out. I'm pretty slow so it's good to have some help working this out. I'll let you know how it goes.