Please help correctly segment the network
Last response: in Networking
I wish to seperate sections in the LAN
Lan traffic only, Internet traffic only
Server/Workstations have eth0 and eth1 available.
Please see the below diagrams for advise;
1. Current: http://www.kwamsook.com/pub/NETWORK-Public.png
2. Proposed: http://kwamsook.com/pub/NETWORK-Public-Firewall.png
Objectives;
I'm not sure which is the best approach...
1. Use the layer 3 managed switch (port based) for each server/workstation,
eth0 for LAN only, eth1 for Internet only ?
2. Use a dedicated Firewall 'before' the router and assign the
wireless a 10.0.0.0 network to keep them off the lan 192.168.100.0
3. Use another router
The issue I'm concerned with most is using one of the servers for a Samba file share
(LAN access only), but the server needs updating from the Internet as well. My understanding
is that it's best to separate the LAN/Internet traffic with an entirely different subnet.
I wish to prevent a setup where a server/workstation could be accidentally misconfigured
to use Internet traffic on the wrong eth0/eth1 interface.
All server/workstations are Debian amd64 Testing.
Can someone please recommend an approach to properly isolate LAN/Internet traffic for
the proposed network layouts at the above links?
Thank you much.
jennyforme
Lan traffic only, Internet traffic only
Server/Workstations have eth0 and eth1 available.
Please see the below diagrams for advise;
1. Current: http://www.kwamsook.com/pub/NETWORK-Public.png
2. Proposed: http://kwamsook.com/pub/NETWORK-Public-Firewall.png
Objectives;
I'm not sure which is the best approach...
1. Use the layer 3 managed switch (port based) for each server/workstation,
eth0 for LAN only, eth1 for Internet only ?
2. Use a dedicated Firewall 'before' the router and assign the
wireless a 10.0.0.0 network to keep them off the lan 192.168.100.0
3. Use another router
The issue I'm concerned with most is using one of the servers for a Samba file share
(LAN access only), but the server needs updating from the Internet as well. My understanding
is that it's best to separate the LAN/Internet traffic with an entirely different subnet.
I wish to prevent a setup where a server/workstation could be accidentally misconfigured
to use Internet traffic on the wrong eth0/eth1 interface.
All server/workstations are Debian amd64 Testing.
Can someone please recommend an approach to properly isolate LAN/Internet traffic for
the proposed network layouts at the above links?
Thank you much.
jennyforme
More about : correctly segment network
Thank you dadiggle.
Sorry, I'm not 100 percent clear. Do you mean use all eth1 nics (Internet access) and
connect directly to the Firewall or a seperate proxy server on 10.0.0.0 ?
>"...Option 2 just have the firewall added. Routing is the key here."
? Do you mean 'static routing' ? If so which source/destinations?
>"...Set your ADSL gateway as the default gateway on clients or proxy server and then only set default gateway of the wan link for other clients that you want to go over the wan"
? In the diagrams above, where are you assigning the gateways ?
Thank you for your help.
Jennyforme
Sorry, I'm not 100 percent clear. Do you mean use all eth1 nics (Internet access) and
connect directly to the Firewall or a seperate proxy server on 10.0.0.0 ?
>"...Option 2 just have the firewall added. Routing is the key here."
? Do you mean 'static routing' ? If so which source/destinations?
>"...Set your ADSL gateway as the default gateway on clients or proxy server and then only set default gateway of the wan link for other clients that you want to go over the wan"
? In the diagrams above, where are you assigning the gateways ?
Thank you for your help.
Jennyforme
dadiggle, thanks for your patience.
Noted, on the explanation on how a firewall functions. I am familiar with the process.
Would it be possible for you to address my specific 2 questions in my previous post
regarding recommended eth1 nics, gateway addresses, static routing, and proxy server ?
Best regards,
Jennyforme
Noted, on the explanation on how a firewall functions. I am familiar with the process.
Would it be possible for you to address my specific 2 questions in my previous post
regarding recommended eth1 nics, gateway addresses, static routing, and proxy server ?
Best regards,
Jennyforme
Related ressources:
- ForumDNS Over a Segment
- Forum2 segment network problems.... upgrading..waps and routers
- ForumI5 or I7 is thet worse in 14 " segment
- ForumFile Record Segment xxx is Unreadable. Please help
- ForumRepaired file segment unreadable
- ForumSegment 166729 unreadable
- ForumSuggest a Graphics Card - Low / Mid Segment
- ForumChkdsk verifying files segment unreadable hangs
- ForumSegment Personal and Work traffic
- ForumFile Record Segment XXX is unreadable
- ForumNetwork setup for 25 people, Advice please
- ForumHelp with theory question on network topology
- ForumHow to set up network segments?
- ForumIdentifying network ... endless loop
- ForumLaptop doesnt boot to windows correctly
- ForumRouter Setup
- Forum[Solved] Set up my small network
- ForumIf there are multiple routers on the network how to figure out which one is conn
- ForumNetwork help...please!!
- ForumWireless Network Key
- More resources
Read discussions in other Networking categories
!
