Home network layout - 2 subnets, 2/3 routers - DMZ, path control, and other questions
I've been spending some time reading up on various Layer 2/3 subjects trying to get a good grasp on as much as possible to start playing a little in depth. Google is daily proving to be harder and harder to find what you're looking for with all the SEO exploiters and dumb questions being repeated and filling it up instead of using it first for an answer. I've yet to find an all-encompassing guide that goes from basic - overall picture - technical, so I've just been jumping around various sites (wikipedia, tldp, linuxhomenetworking) and acid_kewpie posts piecing it all together.
So, I have a basic layout to start with that I need some input and answers on. I'll save all from painstaking ascii representations unless requested.
Thick lines are carrying public connections, as should be obvious.
WiFi line should be obvious also, it being wifi vs wired has no relevance for this though.
Each line from a box should be treated as a separate interface.
Routers are 4-port routers, hence why I am using a switch off one that is seemingly unnecessary.
I have 5 public IPs available.
NAS unit is an appliance meant for fail-over/backup, Server is a multi-purpose Debian box which will provide file-serving for Linux MCE network, for now.
DMZ: Am I correct in presuming that the safest way in this poor man's setup to provide the ? a DMZ link with at least some protection is to use an extra router (properly configured) I have between it and the top-most switch? I'd prefer to use less hardware, but I'm guessing this would be preferred over even an open nix-based firmware router above Subnet A.
Path control for Main Rig: So, I've read that setting the default gateway on the interface you wish to reach the open net would decide which path gets chosen to hit a public site. Now, can someone explain/point me to docs on how this works, why it works? In other words, I would like to learn how this is all decided by the box in detail. I wish to ensure that the public interface is used to reach the net instead of looping around through the private router.
Also, if there is a difference across OS toolsets in accomplishing this, I would like to be aware of that also, as this box will have to run M$ also.
Furthermore, anything extra to reach Subnet B required, such as a static route?
Finally, what if we take this concept to the Server. How do we decide which path is taken when we want to get something from the internet like updates or browsing a webpage while working on the box. How do we ensure we take the path down Subnet A instead of looping through Subnet B, or across the DMZ link?
Routing in general: To further understand the big picture, can anyone point me to any info regarding how routing is accomplished that DOES NOT end up saying something like "the router checks the MAC against its ARP table and if it can't find it, sends the packet to the next hop. This continues till it reaches its destination." That's like saying a driver pulls out of a driveway, doesn't see his destination, so he goes to the end of the block and turns the corner..... I'm a geek at heart, I would love a REAL explanation of how this works, including when/how a router decides packets should travel back towards the edge to get where they need to be.
IPv6: Yes, a few people are interested in this, surprisingly. So, I ask, how does this play into all this? I'm looking for info on how a network like this would be carried over to IPv6 and retain the controls/features of its layout (i.e. separation via subnets, route control).
As always, thanks for reading my mess. I'm open to info, suggestions, criticisms, and reading recommendations.
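The "path control" and "static route to Subnet B" questions above come down to one mechanism: a host's forwarding decision is a longest-prefix match against its own routing table, with the default route (prefix length 0) matching only when nothing more specific does. The following is an added example written for this thread, not code from the original post or from any project: it simulates that lookup for a two-interface box like the Main Rig, using constructed addresses (198.51.100.0/29 and 2001:db8::/32 documentation ranges stand in for the public side, 192.168.1.0/24 and 192.168.2.0/24 for Subnets A and B, and the interface names pub0/lan0 are assumed). The IPv6 entries show that the same lookup carries over unchanged, which answers the IPv6 question as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network, e.g. "192.168.2.0/24" or "0.0.0.0/0"
    dev: str                    # interface the packet leaves on
    via: Optional[str] = None   # next-hop router; None means the destination is on-link
    metric: int = 0             # tie-breaker between routes of equal prefix length

    @property
    def network(self):
        return ip_network(self.prefix, strict=False)


def route_lookup(table, dst):
    """Pick the route a host uses for dst: longest prefix wins, lowest metric
    breaks ties. A v4 address never matches a v6 prefix (and vice versa), so
    one table can hold both families. Returns None if nothing matches, which a
    Linux host reports as 'Network is unreachable'."""
    dst_ip = ip_address(dst)
    candidates = [r for r in table if dst_ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def describe(table, dst):
    """Human-readable version of the decision, for printing."""
    r = route_lookup(table, dst)
    if r is None:
        return f"{dst}: no route (packet dropped)"
    hop = "on-link" if r.via is None else f"via {r.via}"
    return f"{dst}: matched {r.prefix} -> {hop} dev {r.dev}"


# Constructed addressing for the Main Rig (assumed, not from the thread):
PUBLIC_NET = "198.51.100.0/29"       # the block holding the 5 public IPs
PUBLIC_GW = "198.51.100.1"           # ISP-side gateway on the public interface
SUBNET_A = "192.168.1.0/24"          # Subnet A, the isolated LAN switch
SUBNET_B = "192.168.2.0/24"          # Subnet B, the MCE / wireless network
ROUTER_A_SIDE = "192.168.1.1"        # Subnet A address of the router leading to B

# Table as it looks when only the default gateway is set on the public side.
MAIN_RIG_NO_STATIC = [
    Route(PUBLIC_NET, "pub0"),                       # connected: public segment
    Route(SUBNET_A, "lan0"),                         # connected: Subnet A
    Route("0.0.0.0/0", "pub0", via=PUBLIC_GW),       # default route -> Internet
    Route("2001:db8:a::/64", "lan0"),                # IPv6 Subnet A (on-link)
    Route("::/0", "pub0", via="fe80::1"),            # IPv6 default via link-local gw
]

# Same table plus the static routes that steer Subnet B through the private router.
MAIN_RIG = MAIN_RIG_NO_STATIC + [
    Route(SUBNET_B, "lan0", via=ROUTER_A_SIDE),
    Route("2001:db8:b::/64", "lan0", via="2001:db8:a::1"),
]


if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.168.1.20", "192.168.2.50", "2001:db8:b::5"):
        print(describe(MAIN_RIG, dst))
    # Without the static route, Subnet B traffic falls through to the default
    # route and leaves on the public interface instead of the private router.
    print(describe(MAIN_RIG_NO_STATIC, "192.168.2.50"))
```

The Linux equivalent of the last two entries is `ip route add 192.168.2.0/24 via 192.168.1.1 dev lan0` (and `ip -6 route add ...` for the IPv6 one); `ip route show` and `ip route get <address>` display the table and the exact decision for one destination. Windows keeps the same kind of table, shown with `route print` and edited with `route add 192.168.2.0 mask 255.255.255.0 192.168.1.1`, so the concept is identical across the two OSes even though the tooling differs. The metric field is what both systems use to choose between two default routes of equal prefix length, which is the situation a multi-homed box lands in when each interface is given its own default gateway.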
The MCE network will overload any other network. Isolating HQ media transfer and only providing QoS for its own connections vs. mixing that in with everything else going on in the other network is the purpose. It also allows that segment to forgo some security constraints, i.e. allowing UPnP on it. Also, with a MIMO wireless link, we don't wish to have normal b/g devices steal some transmitter/receiver resources slowing down our link.
I do understand the basics of packet switching and TCP/IP implementation, rather a bit beyond the basics. The issue that isn't necessarily perceivable to all is that there is a Linux MCE network in use here, which is a high bandwidth, often streaming network which we don't want mixing with another network on consumer grade layer 3 equipment. We wouldn't even like to have this on commercial grade equipment. Think of it like this: you wouldn't want Pixar's accounting/sales networks to be at the whims of their animation departments. ;x
The aim is actually to prevent any loops. There are two multi-homed devices (main rig, server), but one of my questions concerns how to isolate their traffic to the appropriate interfaces (they have 2 and 3, respectively).
Please let me know if these explanations don't rationalize something, so I can attempt to address that.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Like Mr. C already said, you've actually built loops by interconnecting several devices with multiple switches and routers. The issue isn't with the separate wireless router, it's with the way you have your switches/routers/multi-interface servers chained together.
Cable modem connects to the WAN port of the first router. This router has one LAN port connected to a switch (not necessary, just throwing in the switches somewhere), and one LAN port connected to the WAN port of the second router. Second router has a LAN port connected to a switch, and the Wireless interface is a second subnet that only the MCE box connects to.
This is basically a very small-scale example of exactly how most companies configure their networks. Another common variation would be to have the W/LAN off the first router, instead of the second (keeps wireless clients as far away from your internal machines as possible).
The way you have your diagram makes it a challenge to understand which machines you want on which networks, and which stations are routing vs. simple multi-homed.
Why don't you redraw your picture with your specific networks in mind. Create a set of containers where each computer is in one container. Your containers can be simple circles or rectangles.
A switch must be entirely contained in ONE container. A router is placed between two containers, creating the link between the two networks. Any multi-homed box goes into the container for one of its networks if it is a non-routing server. If it is a routing server, then, like a router, it goes in between containers.
I see the point in a layout like you posted, chort, but I think it's missing the point in the isolation of subnets from crossing route paths.
Allow me to explain:
Main rig, NAS, Workstation, and one interface of Server on Subnet A on an isolated switch allows direct local traffic between the devices to avoid being loaded through any routers that can carry a path to the internet. This is to avoid bottlenecking with Subnet B, the MCE network, which may be streaming HD or multiple media connections simultaneously. This would not bottleneck a router that other devices are using, or increase latency.
The W/LAN being used for the MCE network is simply due to the constraints of not owning living quarters and thus not being able to run cable through walls. The use is due to the lack of a better Point-to-Point solution.
I know this seems irrational at first glance, but the limitations imposed from funds/ownership of property status are what are driving the modifications to a standard layout.
Edit: Just saw your reply, I will modify the picture for better representation.
What does the MCE box communicate with, just the Server? Either buy a $20 wireless card for the Server, or cable the MCE box directly to it (might need a cross-over type Ethernet cable, depending on whether the NICs in those boxes support auto MDI/MDX). I don't recommend this though, keep reading.
We get that you're trying to keep the traffic to/from MCE off the rest of the network, but what you don't understand is that the people trying to help you have a lot more experience with networking, and we're telling you that your design is not correct. You have multiple paths to just about everything, which can potentially introduce triangular routing and certainly bypasses and/or bridges firewalls in several locations.
Plugging machines into more than one network effectively makes that machine a bridge between two networks that an attacker can use to bypass firewalls (even if packet forwarding is disabled). You might as well just connect everything together through switches and set subnet masks if you're not going to use the routers for what they were designed for. For instance the Main Rig is plugged directly into your external switch and bypasses all firewalls, yet it has an interface on your LAN as well (behind the router).
The other problem is you don't have sufficient separation of duties with the way you designed your network. The Server is connected to too many things. If you want that machine to run a website, FTP site, etc. for the outside world to connect to, then don't put services on it that your internal machines use too. Any machine that's open to connections from the outside should be segregated in its own network and firewalled off so that it cannot attack the rest of your machines if it gets compromised.
So now we're back to point #1 of the MCE box talking to the Server, and why it shouldn't. Whatever it is that the MCE box is using the server for, move that task to one of the other machines. In fact, does the MCE box need to connect to the server at all, or is it something very simple like DNS? In that case the traffic is going to be extremely minimal and won't cause a bottleneck at all.
I think you need to better describe the traffic to/from the MCE box and what devices it actually streams content to/from. If all the streaming traffic stays on wireless, then it's not even going through the router at all.
In my diagram, traffic that stays on the W/LAN won't cause bottlenecks with anything, traffic between Main Rig/Workstation/NAS will stay entirely on the LAN switch and never touch that router, and traffic between the Server and the Internet wouldn't be affected by anything other than other machines contacting the Internet, but of course your Internet link is going to be orders of magnitude slower than any other links on your network, so the bottleneck won't be the router, it will be your ISP.
PS your original post asked what the best way to set up a DMZ for the server is, and how routes should be set on your main rig, as well as a lot of basic routing questions. Based on that I assumed you were looking for advice. I gave you some outstanding advice on how to redesign your network to industry best-practice standards, and instead you just re-posted your original network diagram and argued with me why it was the best way for you to set up your network. If you already know the best way to set up your network, what is your question? It's sort of strange to ask advice from experts, get it, and then spend 3 posts arguing with the advice you received.
Sorry for such a late reply, I have been busy. However, I had read your post and read the previous ones again and have done a bit of knowledge seeking and analysis.
I must say that I'm not trying to incite any controversy, sorry if I came off as just seeking acceptance of my view, I was simply attempting to address how I didn't see the objectives I was attempting to meet being solved by the given solution.
The last post got me thinking and made me notice I was missing something. So, I've spent some time doing further reading and rereading of relevant materials, and first I've realized I misinterpreted the implication of a switch's bandwidth rating. I've also read more about wireless network tech as I really haven't looked much into this before. So, now I can see the point of having the W/LAN on the same router as the LAN, although my intention was never to use a wireless NIC in the server box for Subnet B. Server's Subnet B interface was to be wired to avoid an extra wireless link, and furthermore, it would not be the sole connection; the NAS appliance would provide some failover. (Hence, reasoning for a route and no point-to-point on the Server/MCE link)
Note, for the next part: chort asks "In fact, does the MCE box need to connect to the server at all, or is it something very simple like DNS?" I mentioned streaming HD; since I didn't give detail, this would be from the server, while MCE would actually handle its subnet's DHCP duties and likely DNS. To give understanding, the Linux MCE Hybrid box from the original drawing is a box running the Linux MCE distro, which is pretty much just a suite implemented and implementable on another distro. It's a compilation of tools for a media center/home automation network. A "hybrid" box is a box that acts like a cluster head, in charge of the network and services AND a media director, which effectively is what a normal "media center edition" would accomplish, controlling attached devices, output to TV, and so on. So traffic on Subnet B would mostly consist of media streams between MCE/Server, and a few minor services like VoIP, TV guide lookups, and such would be utilizing the uplink. Media wouldn't normally be served in either direction across this, hence why I didn't have a concern for bottlenecking the ISP link. Hopefully that's clear enough to make sense of it. =|
So, going forward to gain an understanding, please bear with me, let's propose in theory that we had no DMZ attached to Server, but we wanted to be able to interact with Server for various small things on the LAN (Subnet A), but of course be able to stream media out to W/LAN (Subnet B). Addressing this first, consider not wanting to interrupt a link between the Server and MCE boxes while streaming. 1.) Is there a worthwhile solution to having a multi-homed Server on the two subnets, one wireless router as suggested, implementing something like STP or something to control flow? The point here is to not break a stream while other nodes can still interact with the server. 2.) Understanding bandwidth is per bridged connection in the switch now, is there still any latency effect, or resource depletion effect on an embedded hardware device with very minimal resources? i.e. Does having a large link open constantly have any side effects such as causing latency by taking up processing resources that are needed by other nodes on other links of the switch trying to get their packets handled?