Would this setup work?

Mr Splat

Honorable
Nov 10, 2013
24
0
10,510
Hi guys,

I've been building my own small server farm to experiment with over the last few months. It's nearly complete, and I'd just like to ask anyone with networking experience if the setup I've imagined will work as I'm hoping it will.

Here's a picture of how I'm thinking of setting my network up:

NetworkDiagram.jpg


The idea is that everything on the 192.168.0.x subnet will be unaware of my pc and the servers I've set up on the 192.168.1.x subnet.

The router I've labelled as being converted to a wireless access point will actually just be a normal wireless router with its DHCP turned off, as is described in the ultimate router/modem thread. However, I didn't see anything regarding actually keeping the networks handled by both routers unaware of each other.

Just to note that the IPCop router/firewall connected to the modem, and the 5-port gigabit switch with the servers hanging off it, are located in my garage. The subsequent 5-port gigabit switch and the stuff hanging off it are located in my house, hence why there are two switches.

I was thinking I could just tell my IPCop router/firewall to treat the 192.168.0.x network as a DMZ, and therefore let the other router, which is the one supplied by my ISP, handle everything with its own firewall.

My NAS, which is running FreeNAS, hosts stuff like a Plex media server in its own virtual machine (also known as a jail by FreeNAS), so I was thinking I could create pinholes in my first router's firewall to allow computers on the 192.168.0.x subnet to access the Plex virtual machine, but nothing outside it, meaning only I controlled what media was on it, seeing as only my machines on the 192.168.1.x subnet would be able to see where the Plex server's storage came from.

Any help you can give me is much appreciated,

thanks,

Mr Splat
 
Tends to not be really secure, since it is a simple IP change to get onto the other network.

Your largest issue will be getting your IPCop device to not get confused. If you are using 2 physical interfaces it must tolerate and solve things like receiving ARP messages for both its IPs on both its interfaces. If you are going to try to run this on a single interface the device must support the concept of secondary IP addresses.

This tends to be very messy, but with care you can get it to work... it really isn't security and it does not isolate the traffic. The only reason I have seen it done was to migrate from one IP block to another. I guess if you don't have equipment that supports VLANs it is your only option.
 

Mr Splat

I was thinking as much; I just needed it confirmed. Fortunately nobody in the house I'm in is particularly tech savvy, so at the very least they won't accidentally come across one of my network shares if I try following this route.

I do have an old managed switch; however, it's got a major drawback in that it only has two gigabit interfaces, so only one VLAN would have access to a gigabit connection, which my network of servers/PCs would be using owing to the amount of data that'll be bounced around. I suppose, however, that if the other devices connected to the 192.168.0.x network are mostly using wireless, then a 100Mbps connection between the secondary router and the managed switch would be acceptable. The only problem is that I only have two RJ-45 sockets available in the garage, and therefore both VLANs (1Gig and 100Meg) would have to go back into the unmanaged gigabit switch in the garage and out to the second unmanaged gigabit switch in the house via the one spare RJ-45 socket I'd have available.
 

Mr Splat

I should also add that I have a spare gigabit NIC I can add to the IPCop router, so I'd have one connection from the modem in and two separate IPs coming out. Or I could add a wireless card I have kicking around; I could then create a wireless network directly from the IPCop device and use the second router as an extender, I suppose?

I have included two diagrams to illustrate the setups I've tried to explain. If possible, could someone more knowledgeable than myself in networking tell me the good and bad sides of these setups?

networkdiagram2.jpeg


networkdiagram3.jpeg


As before, any help given would be much appreciated
 
Your second option is the more standard design. It uses the IPCop device as a router between the segments. As long as the device can handle all the traffic between the 2 networks there will be few issues. It is very simple, so it is much easier to maintain.

The first option likely will not work. Once the traffic gets to the unmanaged switches they have no concept of VLANs and can't do much with the traffic. Depending on how you cabled it, you would either end up with the same overlapping network you had before or you would have packets with VLAN tags on them. Hard to say what an unmanaged switch does with VLAN tags. It will either drop the packet because it is too long or it will pass it to your end devices with the tags intact and expect them to do something with it.

You could, I suppose, use a combination if you do not wish to put a second NIC in your IPCop device. You could run a trunk between the IPCop and the managed switch and then plug the wireless network into a port on VLAN 20 and plug your unmanaged switches into a port in VLAN 10.
 

Mr Splat

Unfortunately I just realised that option 2 of my previous post will not work: the server I'm using as the router/firewall doesn't have PCIe slots, only PCI-X, which means my wireless NIC won't work as far as I can tell.

I suppose one other option left open to me is to revert to a bog-standard wiring setup, with my ISP's router being connected to the modem, and then letting it treat everything behind the IPCop router/firewall as a DMZ (or use an any/any rule) and then let IPCop protect everything behind it. However, I'm not too sure, but wouldn't that remove the benefits of having a computer running as a router/firewall in the first place? In particular, caching would be negated owing to all the traffic coming out through the IPCop router having to go through my ISP's original router?

networkdiagram4.jpeg


I'm trying to think of any other way I could deal with this, however if anyone has a brainwave or knows of a solution that will let me benefit from having an over-powered router then your help would be much appreciated.

Cheers.
 
Your last diagram implies you have a way to cable the wireless router somehow directly back to the server or modem. I guess it depends where you need to physically put it.

What you should be able to do if you have a managed switch is replace the first gig switch with that managed switch... you could cable it in front of your other switch, I guess, if you wanted both switches. Then define the 2 VLANs as you suggest and create an 802.1q trunk between your server and the switch. The server should support virtual interfaces, so your physical NIC becomes 2 logical ones. You would cable the wireless router to one VLAN and everything else to the second VLAN. The switch would in effect act as multiple physical NICs to your server.
 

Mr Splat

I'm having a bit of trouble understanding your post bill001g. You wrote about replacing the first gigabit switch with my managed switch. The problem I have with using my managed switch alone is that it only has two gigabit interfaces, one of which would immediately be taken up by the cable coming out of my IPCop router, and the other, to supply both of my servers in the garage plus the PC and NAS in the house, would have to be hooked up to another gigabit switch, but I haven't done enough networking to categorically say if my unmanaged gigabit switches will like the VLAN-tagged traffic coming from my managed switch, as you have said previously. I know the likes of FreeNAS is able to have VLANs configured on its NICs, and I would suppose my rackmounted servers would too. I'd have to look into my PC to see if it would accept VLAN traffic.

The wireless side of things isn't such a priority when it comes to speed, so I don't mind using the managed switch's remaining 100Mb ports, as I don't think the wireless router (which is a BT HomeHub3 with 4 ethernet ports onboard) is capable of delivering much more than that; however, it would've been nice to be able to manage my servers from my laptop, for instance. I suppose I can configure IPCop to allow that by pinholing the firewall on the 192.168.1.x side to allow traffic from a fixed IP on the wireless network, or my laptop's NIC's MAC address? Though VLANs might cause issues again, I'm sure.

Just for clarity, you wrote:
you could cable in front of your other switch I guess if you wanted both switches. Then define the 2 vlans as you suggest and create a 802.1q trunk between your server and the switch. The server should support virtual interfaces so your physical nic becomes 2 logical ones. You would cable the wireless router to one vlan and everything else to the second vlan.

I'm assuming from that, when you talk about the 802.1q trunk between my server and the switch, that the server is my IPCop router/firewall? Plus, are you suggesting that I plug my BT HomeHub3 directly into the IPCop machine, or are you suggesting the HomeHub3 goes into the managed switch?

To help you help me, here's my inventory of hardware available to me at this moment in time:

IPCop Router/Firewall (3 gigabit NICs)
HP ProCurve 2510-24 managed switch (2 gigabit ports)
2 x 5 port gigabit switches
2 x rackmount servers (at least 2 gigabit nics each)
BT HomeHub3
BT HomeHub4 (possible fault with internal wireless antennas)
FreeNAS box (2 gigabit NICs)
PC (2 gigabit NICs)

Please be aware though, that I only have two ethernet ports available in my garage, so I can only have the connection from the modem coming in one way, and then one more wired connection coming back the other way from the IPCop machine, switches and servers currently mounted in my garage.

Thanks for all the help so far bill001g.
 
I see the modem is outside the garage and uses one cable to reach the IPCop device, and then you use your other cable to connect everything else. When you showed the wireless router in the path you were inserting it in the cable before it goes to the garage.

If you can place your managed switch outside the garage you could plug the modem and the router into your switch and then plug one of the gig ports back to the IPCop box in the garage. With only 2 gig ports you will have to decide if your wireless router is more important or the modem is, since you will want the port to the garage to be running on one of the gig ports.

What you do this way is again define 2 VLANs: 1 for the connection between the modem and IPCop box and the second for the connection between the wireless router and the IPCop box. What you now have is 1 interface on the IPCop box with your normal LAN, and 2 virtual interfaces sharing the other. One of the virtual interfaces is your WAN and the other is a LAN interface that connects to the wireless router network.

Pretty much all this does is get you another virtual ethernet cable running to the garage. The hard part with your configuration is that you only have one managed switch, so you must connect the other end directly to your server since it is the only other device that can build 802.1q VLAN trunks.
 

Mr Splat

They look like a pretty good deal. If I were to consider spending the money, should I be looking to replace both of my unmanaged gigabit switches, or would I only need to replace one? Probably the one connected to the IPCop router?
 
Hard to say. If you were to replace both then you could have any VLAN anyplace. It really depends on your requirements and how many devices you have on each VLAN. You would have to draw out the traffic flows and make sure you have equipment that can support VLANs. If you must pass through unmanaged switches then you lose the VLAN ability.
 

Mr Splat

OK, that makes sense. I've been doing a bit of reading: is it possible to have two VLANs going through a switch's port? I.e. if I wanted my NAS to be accessible to computers on the 192.168.0.x network when its primary function is to serve the machines on the 192.168.1.x network.
 

Mr Splat

This is what I am now imagining my network will look like. I went into a bit more detail this time, also showing the RJ-45 ports that link my house to the garage etc.

networkdiagram5.jpeg


If I've made any mistakes please point them out.

I'm also supposing that if I wanted machines on the general LAN (192.168.0.x), where the rest of my housemates have their machines connected, to have access to my FreeNAS box, I can modify the IPCop firewall to allow communication across the networks to make the NAS accessible, of course locking the access rules down to certain IPs or MAC addresses accordingly.
 
What you depict is a fairly common setup in an enterprise install. You assign devices to whatever VLAN they need on each switch and then run 802.1q trunk ports between the switches.

Your server can even support 802.1q. You need to configure the switch port specially, and it varies a bit between devices. On some you just tell it that it is an 802.1q trunk and all VLANs are allowed by default; on others you must list which VLANs you want to carry over the trunk. All it is really doing is inserting a VLAN number into every packet when it sends it, and the other switch then knows which VLAN it runs on. It removes the VLAN tag before sending it to the user... unless you configure it to send it, which is how it works to send tagged packets to a server.

Your IPCop box is now acting as a router/firewall, so it controls all the traffic. There is no way for an end user to change the VLAN they are on, so the traffic stays separate even though it does travel in the same cable between the switches/server.

With these switches you have maximum flexibility. You could assign a physical PC to your VLAN 20 if you needed, just by assigning it a port on the switch. If you had a more advanced AP/wireless router, these too support VLANs and 802.1q trunks. You can assign different SSIDs to different VLANs. I don't think you can load dd-wrt on your HomeHub, but if you were ever to get something else, dd-wrt has fairly advanced VLAN support.
 
Solution
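The tagging bill001g describes above (the switch inserting a VLAN number into every frame on a trunk, removing it before an access port, and an end user having no way to move themselves onto another VLAN) is easy to see in a small model. The Python below is an added example written for this thread; it is not code from IPCop, FreeNAS or the ProCurve switch. It models one garage switch with two access ports and one 802.1q trunk, using the thread's VLAN numbers 10 and 20; the port numbers, MAC addresses and sample frame are constructed for the example. The same trunk-port logic answers Mr Splat's earlier question about two VLANs through one switch port: a NAS on a trunk port would receive frames for both VLANs, each still carrying its tag.

```python
import struct

# Real 802.1Q TPID and IPv4 EtherType values, used to build constructed frames.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def insert_vlan_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Trunk egress: put a 4-byte 802.1Q tag after the two MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | vlan_id          # 3 priority bits, then the 12-bit VLAN id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_vlan_tag(frame: bytes):
    """Return the VLAN id if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def strip_vlan_tag(frame: bytes) -> bytes:
    """Access egress: remove the tag before the frame reaches an end device."""
    return frame if read_vlan_tag(frame) is None else frame[:12] + frame[16:]


class Switch:
    """Minimal VLAN-aware switch: untagged access ports and 802.1q trunk ports."""

    def __init__(self):
        self.access = {}   # port number -> VLAN id the port belongs to
        self.trunks = {}   # port number -> set of VLAN ids allowed on the trunk

    def classify(self, in_port, frame):
        """Assign an ingress frame to a VLAN; return (vlan_id, untagged_frame) or None."""
        vid = read_vlan_tag(frame)
        if in_port in self.access:
            # A tag supplied by an end device is not honoured: the port's VLAN
            # is fixed by configuration, so a tagged frame is dropped.
            return None if vid is not None else (self.access[in_port], frame)
        if in_port in self.trunks:
            if vid is None or vid not in self.trunks[in_port]:
                return None  # untagged, or a VLAN not allowed on this trunk: drop
            return vid, strip_vlan_tag(frame)
        return None

    def forward(self, in_port, frame):
        """Flood the frame to every other port in its VLAN (no MAC learning).

        Returns {port: frame_as_sent}: untagged on access ports, tagged on trunks.
        """
        result = self.classify(in_port, frame)
        if result is None:
            return {}
        vid, untagged = result
        out = {}
        for port, port_vid in self.access.items():
            if port != in_port and port_vid == vid:
                out[port] = untagged
        for port, allowed in self.trunks.items():
            if port != in_port and vid in allowed:
                out[port] = insert_vlan_tag(untagged, vid)
        return out


# Constructed sample frame: broadcast dst, made-up src MAC, IPv4 EtherType, 46-byte payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0a1b2c3d4e5f")
                + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))


def demo_switch() -> Switch:
    """Hypothetical garage switch: port 1 = servers (VLAN 10), port 2 = wireless
    router (VLAN 20), port 5 = trunk to the IPCop box carrying both VLANs."""
    sw = Switch()
    sw.access[1] = 10
    sw.access[2] = 20
    sw.trunks[5] = {10, 20}
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    sent = sw.forward(1, SAMPLE_FRAME)
    print("untagged frame in on VLAN 10 port ->", {p: read_vlan_tag(f) for p, f in sent.items()})
    print("frame with a VLAN 20 tag injected on the access port ->", sw.forward(1, insert_vlan_tag(SAMPLE_FRAME, 20)))
```

Running it shows the frame from port 1 leaving only on trunk port 5 with tag 10 (never on the VLAN 20 access port), a tagged frame arriving on the trunk being handed to the matching access port with the tag removed, and a frame that an end device tagged itself being dropped at the access port, which is the separation the accepted answer relies on. The tagged copy is also 4 bytes longer than the original, which is the "too long" case bill001g mentions for unmanaged switches.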

Mr Splat

In relation to my NAS, which supports VLANs, would it therefore be possible to connect it to a trunk port on its managed switch? Alternatively, the NAS does have two gigabit nics installed, but I've heard from a couple of guys with experience in NAS' that having two separate networks going into the one NAS isn't a good idea, at best it's a messy job?

 
It depends on the NAS; some cannot assign the different NICs to different networks. In any case it is the same issue: the NAS is on 2 networks and has to be smart enough to know what is on each network. You would only want a default route on one or the other. The only NAS units I have put on different VLANs are large commercial ones, and they are designed to run that way. We share the same NAS, with different virtual arrays, between systems in many different security zones.

I would hope the consumer NAS boxes are getting smarter.
 

Mr Splat

OK, thanks very much for your help bill, you've helped clear up the parts of this I was having trouble understanding. I reckon I can now consider this thread answered.