Hi,
I'm after a bit of advice on how to set up my home network.
We've got the following scenario:
Our house is split over 2 levels and each level has its own patch panel/switch with (ethernet) lines into each room and
one line going down into the basement. The idea at the time was that each level can be its own independent unit.
I'm looking at the following setup:
Put the DSL modem in the basement and feed the two levels. The thing is that I have a NAS system where I want to share
media files and some personal files across the home network and I want to set up our own little CMS system... The CMS would be
on an Ubuntu server running various virtual appliances for db, app server etc.
I don't really want the NAS server to be accessed at all from the internet and only really from the Ubuntu server and its virtual
appliances.
Ideally I would like to grant access to the NAS on IP or MAC address basis to be really sure...
I'm unsure whether a single router could even do the job or whether it's better to physically separate the NAS and server
in a type of subnet behind its own router ...
Appreciate any ideas.
thanks,
michael
ADSL Modem
|
Router
--> +
|
+-- NAS
|
+-- Ubuntu Server (virtual appliances - ldap, application servers, db. . . )
|
|
+-- other pcs
Unique challenge, I like it.
So, a DSL modem, and a router? Like mine (a Dlink modem/router) the router has a block list. It would be nice to put the NAS in that list to keep it from being accessible from the outside. You can prevent it from going out, from someone accessing it or both, and the protocol (TCP/UDP) should be an option as well...
Quote:
ideally i would like to grant access to the NAS on IP or mac address basis to be really sure...
Ehrm...you're on the right track here, so: be sure, because that is the option.
I don't see what type/make, but the manual should provide some help. Typically, a modern device has a web interface (192.168.1.1 typically, but...refer to the manual) - load it in the web browser and do the settings. Also, (of course) set the admin pass to the router, but...hey, you know this.
Just a couple more things - want to make sure I'm on the right track...
The router from my ISP has a block list (IP based) so I could filter all traffic that isn't 192.168.* that would take care of outside traffic hitting, say the NAS server? I don't suppose it's possible to fake 192.168... addresses in packets? I have seen a router (for WLAN) where you could filter based on MAC, I liked that idea...
Now if I want to limit/control access within my network to the NAS and my home server. So for example: I'd want my laptop/PC to access server and NAS for say remote admin, but not the kids, visitors etc. They would access certain server apps like a web server etc.
For that kind of config I would need those two to either come directly off of the main router (which means put them in the basement) or replace the simple LAN switch with a router? Then that router could control which internal packets may get through.
I was thinking of installing a virtual proxy/firewall like m0n0wall (http://doc.m0n0.ch/handbook-single/#id11553347) as a vmserver and that controlling access to NAS and other virtual appliances. I don't know whether this is a good idea or how to go about this (i.e. making sure packets hit m0n0wall first).
Code:
(secondary router (or switch + m0n0wall) placed before NAS and home server)
Router--+
|
X---+--NAS
| |
| +--Server
|
+---PC
|
+--PC
|
+...
Quote:
I have seen a router (for WLAN) where you could filter based on MAC, I liked that idea...
Most routers are able to do that. I don't know the make of the ISP's router, but it is bound to have the same ability.
Now, as far as limiting access is concerned.
Quote:
Now if I want to limit/control access within my network to the NAS and my home server. So for example: I'd want my laptop/PC to access server and NAS for say remote admin, but not the kids, visitors etc. They would access certain server apps like a web server etc.
Fully feasible, in fact, the better option. You may not be able to avoid someone "knocking at the door" but a password will prevent access. An example: the WLAN router has an IP address of 192.168.1.1, once that address is entered, the page will want a password. But, a freely accessible webserver can also be available, on say 192.168.1.10, with web apps freely available to visitors, and via a password for the kids. The router needs to filter who accesses the LAN by filtering the MAC address.
Quote:
that would take care of outside traffic hitting, say the NAS server? I don't suppose it's possible to fake 192.168... addresses in packets? I have seen a router (for WLAN) where you could filter based on MAC, I liked that idea...
That is the very essence of hacking: spoofing addresses, names, ...
You are on the right track on the MAC filtering...
Quote:
The username is admin and the default password is mono.
From the documentation...do change that, will ya. As soon as you have started configuring (or as soon as possible) change the password to something hard. The name of your poodle, or the license plate on your car will not do, try a number/letter combo, like CC577?a&2 - let them crack that...
Okay, but...all in all, you're on the right track...I'll be watching this thread in case it's needed!
1. Ubuntu 11.04 server with two NICs: eth0 is connected to the "WAN", i.e. my internet provider's router, eth1 to my 'internal' network switch.
2. I've set up VMware Server with two bridged networks, each connected to one of the NICs (vmnet0 -> eth0, vmnet2 -> eth1)
3. Set up a monowall firewall as a VM and connected the WAN/LAN interfaces to the appropriate ports
I can get monowall to act as a DHCP server for the machines on the internal network by setting DNS forwarding.
So basically it works but there are a couple of questions:
1. Currently the server is reachable from both eth0 and eth1. I need access from eth1 to get to the server but I guess I could shut down eth0, no? How would I do that? Set up a NAT in the server to forward all traffic on eth0 to the monowall?
2. This one's a little tricky. It seems that when connecting to certain sites on the internet, going via the monowall is very slow. Ping to those sites does not show any significant difference (ping from PC on IP router vs ping from PC on monowall->router), and it doesn't seem to be all sites. One example is au.finance.yahoo.com but other Australian sites are fine. How would I go about analysing something like that? I installed Wireshark on the client PC but there didn't seem to be much of a difference in bad packets etc. when comparing the two scenarios....
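The access policy discussed earlier in the thread (admin machine to NAS and server, everyone else to the web server only), as an added example that is not from any poster: a script that prints an iptables-restore ruleset for a Linux box used as the internal router marked "X" in the second diagram. The interface names, subnets, addresses and the SSH management rule are assumptions; the rules only see traffic that crosses the router, which is why the NAS and server sit on their own segment.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a Linux box used as the
# internal router ("X" in the diagram). Interfaces and subnets are constructed.
LAN_IF=lan0; LAN_NET=192.168.1.0/24   # PCs, kids, visitors (assumed)
SRV_IF=srv0; SRV_NET=192.168.2.0/24   # NAS + home server (assumed)

# build_rules ADMIN_IP ADMIN_MAC NAS_IP SERVER_IP  -> ruleset on stdout
build_rules() {
    admin_ip=$1 admin_mac=$2 nas_ip=$3 server_ip=$4
    # Reject a malformed MAC instead of emitting a rule that will not load.
    printf '%s\n' "$admin_mac" |
        grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    admin="-s $admin_ip -m mac --mac-source $admin_mac"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: server-segment addresses are only valid on the server side.
-A INPUT -i $LAN_IF -s $SRV_NET -j DROP
-A FORWARD -i $LAN_IF -s $SRV_NET -j DROP
-A FORWARD -i $SRV_IF ! -s $SRV_NET -j DROP
-A INPUT -i lo -j ACCEPT
# Replies to connections that the rules below allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Admin machine: source IP and MAC must both match.
-A INPUT -i $LAN_IF $admin -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $LAN_IF -o $SRV_IF $admin -d $nas_ip -j ACCEPT
-A FORWARD -i $LAN_IF -o $SRV_IF $admin -d $server_ip -j ACCEPT
# Everyone else on the LAN: the web server only; the NAS stays unreachable.
-A FORWARD -i $LAN_IF -o $SRV_IF -s $LAN_NET -d $server_ip -p tcp --dport 80 -j ACCEPT
# The server, not the NAS, may open connections outward.
-A FORWARD -i $SRV_IF -o $LAN_IF -s $server_ip -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when called with the four arguments.
if [ $# -eq 4 ]; then build_rules "$@"; fi
```

Check the output with `iptables-restore --test` before loading it. A MAC address can be changed on the client, so the match narrows who gets through but the NAS and server still need their own passwords.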