oops, just a minor clarification.... I use the term "firewall" to mean a router doing packet filtering and port forwarding. The distinction has to be made because some devices are only a firewall, and do not do any real routing jobs (such as SonicWall devices). These devices may be suitable at protecting a network, but I think they're as useless as buying white paint for snow. A good router that can do packet filtering and port forwarding will likely give you as much protection, but can also do true routing, which gives you many more options in a device that costs about the same.

My thoughts....

Shawn

-----Original Message-----
From: Shawn [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 6:58 PM
To: [EMAIL PROTECTED]
Subject: RE: (clug-talk) Router Project

IPCop should be able to handle this for you. A nice and quick setup, and pretty robust.

In terms of wiring, I have the following:

    Internet
        |
      Switch ------
        |         |
        |         |- Workstation 1
     Firewall     |- Workstation 2
                  |- Linux Server

This isn't the optimal solution though because of how the switch is being used. I'm taking advantage of IP subnetting here (just realized the reasons I was doing this no longer exist, guess I should change it now....). A better wiring solution would be something like so:

    Internet
        |
     Firewall
        |
      Switch
        |
        |- Workstation(s)
        |- Server(s)

And even better, if you want tighter security for your internal network, would be like so:

    Internet
        |
     Firewall
        |
      Switch - Public Server(s)
        |
     Firewall
        |
      Switch
        |
        |- Workstation(s)
        |- Internal Server(s)

In all the above cases, IPCop can provide what you need, including DHCP and VPN services. If you are more skilled with Linux, and want to really control your network, use a basic Linux install with IPTables as your router. This is quite a bit more challenging, but gives you absolute control over your network, and allows you to do things IPCop's interface may make a little more difficult.

A quick and easy way to handle the security issues you talk about is to use static IP addresses, and a different subnet for each section. For instance the Bible School might use 192.168.10.x, the Church Admin 192.168.20.x, the Student Lab 192.168.30.x, and the Dorm Rooms 192.168.40.x, all with a subnet mask of 255.255.255.0. Then, you can configure the router to forward required packets between the necessary subnets. Another option is to protect each logical network with another firewall, and allow the appropriate traffic between these sections through the firewall configurations. This method is suitable for larger organizations, but for what you're talking about, I'd recommend the subnet method.

If you must use DHCP on all the workstations, then you'll probably need a more robust DHCP server (i.e. a Linux box running dhcpd) on the network somewhere that all the computers can access. It is possible with DHCP to choose the IP range to use for a given MAC address, though I'm not 100% clear how to do this with modern servers.

If you have some older boxes lying around, and some spare NICs, then this should be a breeze - regardless of what router you choose. (Keep in mind though that the cheap ones you can buy for about $50 - $80 aren't very robust. IPCop is much more robust than any of these types of devices, and can even apply QoS to your network (bandwidth throttling based on IP, port, or protocol). Using IPTables directly removes any barriers, and leaves your hardware as the only real limitation - but if you have a 100BaseT network going over a 10BaseT link (cable and DSL fall into this category), you'll likely never stress your routers at all.)

I've just completed a new article on my web site that covers basic network design for the "un-initiated", if it helps any (http://www.open2space.com/intranet/network101.htm). (Not quite sure how proficient you are with networks, though I'd guess you know most of what I've covered.) My intent is to add the next part of this guide this weekend, which covers some common router questions and usages.

Feel free to email me off list if I can help out in your design choices.....

Shawn

-----Original Message-----
From: Dave Watkins [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 5:33 PM
To: [EMAIL PROTECTED]
Subject: (clug-talk) Router Project

Hi All,

I'd like to pick the brains of the collective concerning the best way to set up and configure a router.

Current network setup plan is as follows:

Shaw Cable modem connected to 10/100 unmanaged switch via RJ45 # 0.
RJ45 # 1 to Windows PC - IP address obtained by DHCP
RJ45 # 2 to NAT Router - WAN IP address obtained by DHCP
NAT Router - LAN IP Address 192.168.0.1
RJ45 # 3 from LAN port on Router to Wireless Access Point (192.168.0.2) in Bridge Mode to 24dBi Antenna (WAPs are configured to recognize only each other's MAC address)
Wireless Link between Antennae - 350 yds
24dBi Antenna to Wireless Access Point (192.168.0.3) in Bridge Mode (WAPs are configured to recognize only each other's MAC address)
WAP to 16 Port 10/100 Unmanaged Switch via RJ45 # 4
RJ45 connections from Unmanaged Switch to workstations.

LAN layout: 10 Windows PCs running XP Pro, Home, ME, 98, 98SE and 95 on subnet 192.168.0.nn. STATIC IPs. All access internet and require access to POP email.

GOAL: Provide secure access to internet for the following groups:

A: Bible School Administration - 10 PCs - currently the only group on network
B: Church Administration Offices - 5 PCs
C: Student Lab Network - 8 PCs
D: Dorm Rooms

A-B-C all have access to Internet, Email etc.
A-B have unlimited access to Internet, Email etc. but are protected from C & D
C has CONTROLLED but unlimited access to Lab, Email, Internet
D has CONTROLLED but unlimited access to Internet and Email
Students must log on with individual passwords and some type of log is maintained to determine usage and possibly history.

1. SO, is this possible?
2. Can we set up a firewall that will allow the required access but restrict access of Student Lab Network and Dorm Rooms to both A and B?
3. Access between A and B - selected stations only, ie: accounts related PCs
4. Can security be maintained using MAC addresses vs IP addresses?
5. A and B will in future be connecting to a SAMBA server.

If anyone needs to chat I can be reached @ 701.5746 anytime.

Thanks,
Dave Watkins
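The subnet-per-section filtering Shawn recommends, applied to Dave's A/B/C/D access rules, as an added example that is not part of the thread. It assumes a Linux router with one NIC per section, eth0 facing the cable modem, and two constructed pairs of "accounts related" A/B stations; it only generates the iptables-restore text, it does not load it.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for
# Shawn's one-subnet-per-section layout on a Linux/IPTables router.
# Interface name and the "selected stations" addresses are assumptions.
WAN=eth0                  # assumption: the cable-modem side
A=192.168.10.0/24         # Bible School administration
B=192.168.20.0/24         # Church administration
C=192.168.30.0/24         # Student lab
D=192.168.40.0/24         # Dorm rooms
# Constructed sample pairs of A/B "accounts related" stations allowed to talk.
AB_PAIRS="192.168.10.5:192.168.20.5 192.168.10.6:192.168.20.5"

gen_rules() {
  echo '*filter'
  echo ':FORWARD DROP [0:0]'   # nothing crosses subnets unless allowed below
  # Replies to already-allowed flows pass in either direction.
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Selected A<->B stations only, both directions.
  for pair in $AB_PAIRS; do
    a=${pair%%:*}; b=${pair##*:}
    echo "-A FORWARD -s $a -d $b -j ACCEPT"
    echo "-A FORWARD -s $b -d $a -j ACCEPT"
  done
  # C and D may never open a connection into A or B; explicit DROPs sit ahead
  # of every ACCEPT so no later rule can override them.
  for src in $C $D; do
    for dst in $A $B; do
      echo "-A FORWARD -s $src -d $dst -j DROP"
    done
  done
  # A and B: unlimited outbound internet.
  for src in $A $B; do
    echo "-A FORWARD -s $src -o $WAN -j ACCEPT"
  done
  # C and D: controlled, i.e. web and POP/SMTP mail only; the LOG rule only
  # sees the first packet of each flow (later ones match ESTABLISHED above),
  # which gives the per-connection usage record Dave asked for.
  for src in $C $D; do
    for port in 80 443 110 25; do
      echo "-A FORWARD -s $src -o $WAN -p tcp --dport $port -j LOG --log-prefix \"student-out: \""
      echo "-A FORWARD -s $src -o $WAN -p tcp --dport $port -j ACCEPT"
    done
  done
  echo 'COMMIT'
  echo '*nat'
  echo "-A POSTROUTING -o $WAN -j MASQUERADE"   # one public address for all
  echo 'COMMIT'
}
gen_rules
```

Loading is `gen_rules | iptables-restore` on the router; the router's own INPUT/OUTPUT policies are deliberately left untouched here.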
