LinuxQuestions.org
Forums > Other *NIX Forums > *BSD (This forum is for the discussion of all BSD variants: FreeBSD, OpenBSD, NetBSD, etc.)
Old 09-04-2008, 11:54 PM   #1
LinuxCrayon
Member
 
Registered: Nov 2007
Location: Georgia, USA
Distribution: FreeBSD
Posts: 274

Rep: Reputation: 31
[OpenBSD] Small Network Design Questions


So I used FreeBSD for a short time, and I was immediately sold on BSD. Definitely won me over...and I absolutely LOVED Slackware. So I went looking for something for a server situation and stumbled upon OpenBSD, and I'm quite interested. So here's what I'm thinking for a server running OpenBSD along with network configuration.

I'm by no means a professional, or even an amateur. I absolutely suck and could be wrong on SEVERAL points as I'm just now actually getting into Server/Client services in networking (more familiar with the ease of P2P). And I'm REALLY inexperienced with OpenBSD (haven't installed it yet) and UNIX networking in general.

I run a small network at home with four devices connected at any one time, though those devices may vary and who uses those devices definitely varies. I briefly used Windows Server 2003 (Ugh...I know) and its Domain Controller service mainly to manage users centrally. I'm pretty sure the UNIX equivalent of this is OpenLDAP, but I'm not sure. Confirmation, please? I'm not interested in the advanced features of Active Directory/Domain Controllers (whatever their UNIX equivalents may be) such as standard images, storing user settings, etc... I just want centralized user authentication, and to deny the DHCP service to anyone not authenticated.

So here's my network scheme thus far:

DHCP will assign addresses to clients in the range of 192.168.1.200 - 192.168.1.210. Servers will be assigned to IP addresses above 192.168.1.240.

A single physical server will fulfil the following roles:
DHCP
DNS
Domain Controller (For centralized authentication [Again, OpenLDAP, I guess?])
HTTP
FTP

The server will also have SSH enabled for remote administration.

Now, based on what I know from Windows 2003 (again, how I managed is beyond me), I can have a separate IP address configured for each service, even though I have a single NIC installed and wired.

For example, on my Windows Server 2003 machine, I had an IP address of 192.168.1.100 for the DHCP role, 192.168.1.101 for the DNS role, and 192.168.1.102 for the HTTP role.

Now, for my OpenBSD server, I am considering the following:
DHCP/DNS/OpenLDAP all running on 192.168.1.240
HTTP/FTP both running on 192.168.1.245
SSH running on 192.168.1.250.

Can this be done? There is only 1 physical NIC installed and wired, and it's probably going to stay that way. There's no REAL reason for this other than perceived additional security from one of my professors...who is a Windows advocate, so maybe he's wrong. =D According to him, doing something like this prevents other services on the server from being compromised. Is this true?

I'm not asking for any information on HOW to set this stuff up. I can find that on my own, and when I have specific questions I can ask here again. Right now, I just want to know if all of this sounds correct and viable, and for any top-level suggestions.

Thanks!

P.S. I know...I need to reconsider my name...
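For the mechanical half of the question (several addresses on one wired NIC), this is how OpenBSD does it; an added illustration, not taken from the thread, with the interface name em0 assumed as a placeholder. The caveat the replies below make applies unchanged: all three addresses are served by the same kernel on the same host, so binding a daemon to one of them does not isolate it from a compromise of another.

```conf
# /etc/hostname.em0 -- added example; em0 is an assumed interface name.
# Primary address plus two aliases, all on the single wired NIC.
inet 192.168.1.240 255.255.255.0 NONE
inet alias 192.168.1.245 255.255.255.255
inet alias 192.168.1.250 255.255.255.255

# /etc/ssh/sshd_config (excerpt) -- pin sshd to the "admin" alias only,
# so it does not answer on the addresses used for the other services.
ListenAddress 192.168.1.250
```

After `sh /etc/netstart em0` (or a reboot) all three addresses answer on the one NIC; a daemon that supports a listen address (sshd here, httpd's `Listen` likewise) can be tied to a single alias, which is the whole of what the "one IP per service" arrangement buys.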
 
Old 09-05-2008, 12:26 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
There's really not much point in putting different services on different IPs, that's just more Microsoft-based mumbo-jumbo, remember these are the same people who had the "you'll always have a firewall, so we don't need to worry about securing our services" attitude all through the 90's and early 00's. The only time there's any point to having them run on different internal services is if you have to NAT to them from the outside, and your firewall doesn't support port-forwarding (hence you need one external IP for each DNS address). Anyway, never mind that.

There are lots of services that can provide authentication, but it depends on what you're authenticating for. Kerberos is the closest thing to what Windows authentication does, mainly because Microsoft ripped-off and royally screwed up Kerberos for their "NTLM" authentication. Many UNIX services support Kerberos for authentication.

As for not being able to get a DHCP address unless you're authenticated in some way... I've never heard of doing that with ISC dhcpd. I suppose it might be possible, so check the documentation. If you want to deny Internet access until someone authenticates, OpenBSD has a great utility called "authpf" which will wait for a user to ssh to the machine with correct authentication credentials, then it will automatically insert firewall rules that allow them to connect to the Internet. I used that on Windows machines before by scripting PuTTY with a private key for authentication.

OpenBSD can be a great server, and it's hands-down the best firewall OS in the world, but trying to duplicate all the features of a Windows network on UNIX is probably going to prove frustrating.
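What chort's authpf arrangement looks like in configuration, added here as an illustration and not taken from the thread or from the OpenBSD project's own files. It assumes chort's two-NIC layout (a placeholder em0 on the LAN side, em1 toward the modem), the 192.168.1.0/24 network from the first post, and the pre-4.7 pf `nat` syntax that was current when the thread was written.

```conf
# /etc/pf.conf (excerpt) -- added example; interface names are assumed.
int_if = "em0"          # LAN side
ext_if = "em1"          # modem/router side
lan    = "192.168.1.0/24"

# authpf adds the address of each authenticated user to this table
# while their ssh session is open, and removes it when the session ends.
table <authpf_users> persist

set skip on lo

# NAT the LAN out the external interface (OpenBSD pre-4.7 syntax)
nat on $ext_if from $lan to any -> ($ext_if)

# Default: nothing from the LAN gets through until a user authenticates
block in log on $int_if

# LAN hosts may always reach the server itself: ssh (for authpf), DHCP, DNS
pass in quick on $int_if proto tcp from $lan to ($int_if) port 22
pass in quick on $int_if proto udp from $lan to ($int_if) port { 53 67 }

# Per-user rules from /etc/authpf/authpf.rules are loaded under this
# anchor as authpf/<user>(<pid>) for the life of the ssh session
anchor "authpf/*"


# /etc/authpf/authpf.rules -- loaded once per session; authpf supplies
# $user_ip (the client's address) and $user_id (the login name).
int_if = "em0"
ext_if = "em1"
pass in  quick on $int_if from $user_ip to any keep state
pass out quick on $ext_if from $user_ip to any keep state
```

Each user who should get Internet access has /usr/sbin/authpf as their login shell, and /etc/authpf/authpf.conf must exist (it may be empty) or authpf refuses to run. The open ssh session is the credential: closing it flushes the anchor and the table entry, which is why the scripted-PuTTY-with-a-key approach chort mentions works for Windows clients as well.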
 
Old 09-05-2008, 12:38 AM   #3
LinuxCrayon
Member
 
Registered: Nov 2007
Location: Georgia, USA
Distribution: FreeBSD
Posts: 274

Original Poster
Rep: Reputation: 31
Thanks, Chort!

I'm not trying to duplicate Windows features on UNIX...that would defeat the point of UNIX.

I've never been a Windows advocate, and the only reason I've used Windows Server is because (at my campus) only the Windows networking classes are offered, and the instructor for those classes is always available. I won't be taking those classes, but being able to do something pretty quick and dirty was convenient (for a while).

There are more things than I can count that frustrated me about Windows Server...and that's after only 1 week!

Thanks for clearing up using different internal IP addresses for different services. I secretly figured it was MS mumbo-jumbo...I find it difficult to believe in an OS (especially a server OS) when the (now former) CEO said that the internet was a passing fad.

I'll look into Kerberos and drop the idea of OpenLDAP and Domain Controllers...DCs didn't really interest me and I never saw the real point of them.

As for authpf, it sounds like it's exactly what I was looking for...I was simply under the impression that in order for my system to deny internet access, it would have to be physically set up as follows:

Modem --> Server --> Router/Switch --> Client PCs

which would require 2 NICs in the server...if this is not required, however, I'll definitely be looking into this.

Thanks again!
 
Old 09-05-2008, 01:40 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Yes, you need two NICs (unless your PCs support VLAN trunking, which is doubtful). NICs are cheap, though. You can get a very decent modern one for $40, or a previous-generation PCI NIC for $5 at a surplus computer store (or website). If you don't have enough slots in your case, you can get a USB ethernet adaptor and use it for the external interface that plugs into the router/modem/whatever, since the bandwidth to the Internet is a lot less than what the USB adaptor will support anyway.
 
Old 09-05-2008, 01:50 PM   #5
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
Quote:
Originally Posted by chort View Post
There's really not much point in putting different services on different IPs, that's just more Microsoft-based mumbo-jumbo
Not really - it's useful if you want to move a service to a different physical machine without clients knowing it. We use it a lot on AIX and z/OS (where they are called VIPA or DVIPA).
Much easier and quicker imho than changing the DNS "A" record.
 
Old 09-05-2008, 04:00 PM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
Chort didn't mean to imply there was no specific use, rather that there is no reason to do this as a general matter.
 
Old 09-06-2008, 06:39 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by uselpa View Post
Not really - it's useful if you want to move a service to a different physical machine without clients knowing it. We use it a lot on AIX and z/OS (where they are called VIPA or DVIPA).
Much easier and quicker imho than changing the DNS "A" record.
Most companies do that with load-balancers.

PS My comment was directly to the OP on the value of using different IPs for a) security and b) in the context of a small home network, neither of which was addressed by your reply. The fact is it's not better security, and there's really no point to do it for a small network with only one server.

Last edited by chort; 09-06-2008 at 06:41 PM.
 
Old 09-07-2008, 02:56 AM   #8
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
I am not a native speaker, but for me, saying
Quote:
There's really not much point in putting different services on different IPs, that's just more Microsoft-based mumbo-jumbo
does not automatically imply
Quote:
My comment was directly to the OP on the value of using different IPs for a) security and b) in the context of a small home network
hence my answer.
 
Old 09-07-2008, 03:12 AM   #9
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
Quote:
Originally Posted by chort View Post
Most companies do that with load-balancers
You use a load balancer if you have more than one instance of a service. But if you only have one instance, such as in a home network, there's no sense in distributing a load. But you can still want to move a service to a different machine, and then a virtual IP address for your application makes sense.
 
Old 09-07-2008, 12:41 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It's going to be NAT'd anyway, so just change the NAT statement.

Really, why are you trying to make things complicated? There's no need for it.
 
Old 09-07-2008, 01:17 PM   #11
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
Quote:
Originally Posted by chort View Post
It's going to be NAT'd anyway, so just change the NAT statement.
True for outside access, but false for access from inside your own network.

Quote:
Originally Posted by chort View Post
Really, why are you trying to make things complicated? There's no need for it.
Because I believe it's a useful technique, and it serves the OP to know that.
 