IPCop should be able to handle this for you.  A nice and quick setup, and
pretty robust.

In terms of wiring, I have the following:

Internet
 |
Switch ------
 |  |      |- Workstation 1
Firewall   |- Workstation 2
           |- Linux Server

This isn't the optimal solution though because of how the switch is being
used.  I'm taking advantage of IP subnetting here (just realized the reasons
I was doing this no longer exist, guess I should change it now....).  A
better wiring solution would be something like so:

Internet
 |
Firewall
 |
Switch
 | - Workstation(s)
 | - Server(s)

And even better, if you want tighter security for your internal network
would be like so:

Internet
 |
Firewall
 |
Switch - Public Server(s)
 |
Firewall
 |
Switch
 | - Workstation(s)
 | - Internal Server(s)

In all the above cases, IPCop can provide what you need, including DHCP and
VPN services.  If you are more skilled with Linux, and want to really
control your network, use a basic Linux install with IPTables as your
router.  This is quite a bit more challenging, but gives you absolute
control over your network, and allows you to do things IPCop's interface may
make a little more difficult.

A quick and easy way to handle the security issues you talk about is to use
static IP addresses, and a different subnet for each section.  For instance
the Bible School might use 192.168.10.x, the Church Admin 192.168.20.x, the
Student Lab 192.168.30.x, and the Dorm Rooms 192.168.40.x, all with a subnet
mask of 255.255.255.0.  Then, you can configure the router to forward
required packets between the necessary subnets.  Another option is to
protect each logical network with another firewall, and allow the
appropriate traffic between these sections through the firewall
configurations.  This method is suitable for larger organizations, but for
what you're talking about, I'd recommend the subnet method.

If you must use DHCP on all the workstations, then you'll probably need a
more robust DHCP server (i.e. a Linux box running dhcpd) on the network
somewhere that all the computers can access.  It is possible with DHCP to
choose the IP range to use for a given MAC address, though I'm not 100%
clear how to do this with modern servers.

If you have some older boxes laying around, and some spare NICs, then this
should be a breeze - regardless of what router you choose.  (Keep in mind
though that the cheap ones you can buy for about $50 - $80 aren't very robust.
IPCop is much more robust than any of these types of devices, and can even
apply QoS to your network (bandwidth throttling based on IP, port, or
protocol).)  Using IPTables directly removes any barriers, and leaves your
hardware as the only real limitation - but if you have a 100BaseT network
going over a 10BaseT link (cable and DSL fall into this category), you'll
likely never stress your routers at all.

I've just completed a new article on my web site that covers basic network
design for the "un-initiated", if it helps any
(http://www.open2space.com/intranet/network101.htm). (Not quite sure how
proficient you are with networks, though I'd guess you know most of what
I've covered.) My intent is to add the next part of this guide this weekend,
which covers some common router questions and usages.

Feel free to email me off list if I can help out in your design choices.....

Shawn
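As an added example (not part of Shawn's reply, and not IPCop's own configuration), here is the "subnet method" above expressed as an iptables FORWARD policy for a Linux box acting as the router. The interface name eth0 and the two "accounts" station addresses (192.168.10.5 and 192.168.20.5) are assumptions.

```shell
# Added example: default-deny forwarding between the four static subnets.
# Assumed (hypothetical): eth0 faces the Internet; 192.168.10.5 and
# 192.168.20.5 are the selected "accounts" PCs that A and B may share.
WAN=eth0
BIBLE=192.168.10.0/24    # A: Bible School administration
CHURCH=192.168.20.0/24   # B: Church administration offices
LAB=192.168.30.0/24      # C: Student lab
DORM=192.168.40.0/24     # D: Dorm rooms
ACCOUNTS_A=192.168.10.5
ACCOUNTS_B=192.168.20.5

# Emit the iptables commands instead of running them, so the policy can be
# reviewed before it touches the kernel.  Apply with:  rules | sh
rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P FORWARD DROP"          # nothing crosses subnets unless allowed
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Every group may open connections to the Internet (e-mail, web) via eth0.
    for net in $BIBLE $CHURCH $LAB $DORM; do
        echo "iptables -A FORWARD -s $net -o $WAN -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # A <-> B: only the selected accounts stations, nothing else.
    echo "iptables -A FORWARD -s $ACCOUNTS_A -d $ACCOUNTS_B -j ACCEPT"
    echo "iptables -A FORWARD -s $ACCOUNTS_B -d $ACCOUNTS_A -j ACCEPT"
    # C and D never get an ACCEPT towards A or B.  Log (rate-limited) the
    # attempts so the usage log asked for in the question has a record of them.
    for src in $LAB $DORM; do
        for dst in $BIBLE $CHURCH; do
            echo "iptables -A FORWARD -s $src -d $dst -m limit --limit 5/min -j LOG --log-prefix \"blocked-fwd: \""
        done
    done
    # Everything else (including D -> C) falls through to the DROP policy.
}

# Self-check on the generated policy: succeeds (exit 0) only when no ACCEPT
# rule lets the lab or dorm subnets into the two administration subnets.
no_student_access_to_admin() {
    ! rules | grep -- '-j ACCEPT' \
        | grep -E -- '-s (192\.168\.30|192\.168\.40)\.' \
        | grep -qE -- '-d (192\.168\.10|192\.168\.20)\.'
}
```

Running `rules` prints the policy; pipe it through `sh` as root on the router only after the self-check passes.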

-----Original Message-----
From: Dave Watkins [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 5:33 PM
To: [EMAIL PROTECTED]
Subject: (clug-talk) Router Project


Hi All,

I'd like to pick the brains of the collective concerning the best way to
setup and configure a router.

Current network setup plan is as follows:

Shaw Cable modem connected to 10/100 unmanaged switch via RJ45 # 0.

RJ45 # 1 to Windows PC - IP address obtained by DHCP

RJ45 # 2 to NAT Router  - WAN IP address obtained by DHCP

                  NAT Router   - LAN IP Address  192.168.0.1

RJ45 # 3 from LAN port on Router to Wireless Access Point (192.168.0.2)
in Bridge Mode to 24dBi Antenna
   (WAPs are configured to recognize only each other's MAC address)

Wireless Link between Antennae - 350 yds

24dBi Antenna to Wireless Access Point (192.168.0.3) in Bridge Mode
    (WAPs are configured to recognize only each other's MAC address)

WAP to 16 Port 10/100 Unmanaged Switch via RJ45 # 4

RJ45 connections from Unmanaged Switch to workstations.


LAN layout:

10 Windows PCs running XP Pro, Home, ME, 98, 98SE and 95 on subnet
192.168.0.nn, static IPs.
All access the internet and require access to POP email.

GOAL:

Provide secure access to internet for the following groups:

A:   Bible School Administration     10 PCs   (currently the only group on network)
B:   Church Administration Offices    5 PCs
C:   Student Lab Network              8 PCs
D:   Dorm Rooms

A-B-C  all have access to Internet, Email etc.
A-B have unlimited access to Internet, Email etc but are protected from
C & D
C     has CONTROLLED but unlimited access to Lab, Email, Internet
D     has CONTROLLED but unlimited access to Internet and Email

Students must log on with individual passwords and some type of log is
maintained to determine usage and possibly history.

1. SO, is this possible?
2. Can we set up a firewall that will allow the required access but
   restrict access of Student Lab Network and Dorm Rooms to both A and B?
3. Access between A and B - selected stations only, i.e. accounts-related
   PCs.
4. Can security be maintained using MAC addresses vs IP addresses?
5. A and B will in future be connecting to a SAMBA server.

If anyone needs to chat I can be reached @ 701.5746 anytime.

Thanks,

Dave Watkins