Results 1 to 9 of 9
  1. #1 MrCrassic (Senior Member, Brooklyn, NY; joined Jun 2007)

    For network specialists - setup question.

    A while ago, I started a thread about switching one of my servers over to Debian Etch. The switch was successful, and its only use right now is as a SAMBA server.

    However, I tried to set it up so that it can only be accessed internally. I'm looking for a critique. I can post a diagram later if anyone wants to see it.

    There are three routers in the setup. One of them is a DSL router that is on the DMZ so I didn't have to bridge it. It connects to the WAN of a wireless router, which I tried to configure to allow VPN and SSH (for internal use ONLY). The router will connect via ethernet to the VPN server, which will have two NICs. The other NIC will be connected to a DMZed router, which will connect my SAMBA server and any other computer using that network.

    Is this a good setup? What security implications should I worry about?

    Thanks!
    Ride more.

    Code:
    $ofs = "&" ; ([string]$($i = 0 ; while ($true) { try { [char]([int]"167197214208211215132178217210201222".substring($i,3) - 100) ; $i = $i+3 } catch { break } })).replace('&','') ; $ofs=" "
    # Each three-digit group minus 100 is an ASCII code; Substring() throws once $i runs past the end of the string, which ends the loop.
    # The forum renders "}" as ">", which is why the original carried the note "Replace right angles with right curly braces".
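    The first thing to check on a dual-homed box like the VPN server described above is which services actually accept connections from the router-facing NIC. The script below is an added example, not something from this thread: a POSIX shell script that reads `ss -ltn` (or `netstat -ltn`, whose local-address column is also the fourth field) and prints every TCP listener reachable from the outside-facing address that is not on an allow list (here only 22/tcp). The listener table, the external address 203.0.113.10 and the internal address 192.168.1.10 are constructed for the demo and stand in for whatever the real box shows.

```shell
#!/bin/sh
# listener-audit.sh: on a dual-homed host, list every TCP service that accepts
# connections arriving on the outside-facing interface and is not allow-listed.
# Added example; addresses come from documentation ranges, not the thread's network.
# Real use on the box:   ss -ltn | sh listener-audit.sh 203.0.113.10 22

# Constructed sample of `ss -ltn` output. 203.0.113.10 stands for the router-facing
# NIC, 192.168.1.10 for the internal one.
SAMPLE_LISTENERS='State   Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0      128     0.0.0.0:22           0.0.0.0:*
LISTEN  0      50      0.0.0.0:445          0.0.0.0:*
LISTEN  0      50      192.168.1.10:139     0.0.0.0:*
LISTEN  0      128     127.0.0.1:631        0.0.0.0:*
LISTEN  0      128     [::]:22              [::]:*
LISTEN  0      50      203.0.113.10:3389    0.0.0.0:*'

# "addr:port" -> addr, with IPv6 brackets removed ("[::]:22" -> "::", ":::22" -> "::").
listener_addr() { printf '%s\n' "${1%:*}" | tr -d '[]'; }
# "addr:port" -> port.
listener_port() { printf '%s\n' "${1##*:}"; }

# A socket is reachable from outside when it is bound to a wildcard address
# (0.0.0.0, ::, *) or to the external interface's own address.
externally_reachable() {
  case "$1" in
    0.0.0.0|::|'*'|"$2") return 0 ;;
    *)                   return 1 ;;
  esac
}

# audit_listeners EXTERNAL_ADDR [ALLOWED_PORT...] < listener-table
# Prints one EXPOSED line per offending socket; returns 1 if there were any.
audit_listeners() {
  ext="$1"; shift
  allowed=" $* "
  rc=0
  while read -r f1 f2 f3 f4 rest; do
    case "$f1" in LISTEN|tcp|tcp6) ;; *) continue ;; esac    # skip header lines
    addr=$(listener_addr "$f4"); port=$(listener_port "$f4")
    externally_reachable "$addr" "$ext" || continue
    case "$allowed" in
      *" $port "*) ;;
      *) printf 'EXPOSED %s port %s\n' "$addr" "$port"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run the audit against the constructed sample (external NIC 203.0.113.10, only sshd allowed).
demo_audit() { printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners 203.0.113.10 22; }

# With arguments, audit whatever is piped in; without them, only define the functions.
if [ "$#" -gt 0 ]; then audit_listeners "$@"; fi
```

    Against the sample, the audit flags Samba on 0.0.0.0:445 and a service on 203.0.113.10:3389 and leaves 192.168.1.10:139 and 127.0.0.1:631 alone. A Samba instance that should serve only the inside can be pinned with `bind interfaces only = yes` and `interfaces = lo eth1` in smb.conf, after which the audit should come back clean.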

  2. #2 ehidle (T-Shirt Guy, Lansdale, PA; joined Jul 2008)
    Yeah it's a little hard to wrap around your verbal description. But, the first question that comes to mind is, why three routers? What are you trying to segregate from what? Do you have a specific reason for multiple networks?

    What are your specific security requirements? The security implications depend on the requirements.

  3. #3 Senior Member (joined Aug 2006)
    I'm not sure if one router is doing the firewall work between your DMZ and your internal network, or if it's handing traffic to the other routers.

    For the router connecting to the Internet, PPP over SSH is one way to bridge, so if you are not at home and want to access your Samba shares you can; PPTP is another way.

  4. #4 MrCrassic
    I'm using PPTP right now, but I would like to set up my VPN with a more secure protocol. I'll Visio up what I'm trying to do.

  5. #5 DannoXYZ (Senior Member, Saratoga, CA; joined Jul 2005)
    Also list brands & models of the routers. Do you need a DMZ? Do you need file-sharing access at a remote location?

  6. #6 MrCrassic
    Turned out that it didn't need to be complex at all!

    Here's the scenario:

    • DSL MODEM: This connects our network to the Internet, obviously. Set it to Bridge mode; I put it in a DMZ to send all ports open to the wireless access point, but it turned out that its built-in firewall was still mucking it up.
    • WAP 1: This wireless access point is more for the people using the Internet on another floor. I used this also, but the purpose of this post was to eliminate the need to. This is connected directly to the DSL modem, and, not including wireless clients, my Debian server and the second WAP are connected directly to it on eth0 and eth1.
    • WAP 2: This is my wireless access point. It's connected directly to WAP 1 and no other devices connect to it. Using this access point improved my signal SIGNIFICANTLY.

    I was going to connect to my stuff using VPN, but I finally figured out the proper way to use SSH to connect to my SAMBA shares. So all I'm running right now is SSH on that server, which lets me connect to my two shares. It works amazingly; I'm so happy!
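    The post above says SSH, not a VPN, is what now reaches the shares, but not how. One way to do it, given here as an added example and not the poster's own script: forward the SMB ports over SSH to a loopback alias on the client and mount the share through that alias, so the home network exposes nothing but sshd and Samba never has to listen on the WAN side. The user name, host name, share name and the 127.0.0.2 alias are placeholders. This is for a Linux client with cifs-utils; on a Windows client the native SMB client already owns port 445, which is why a loopback adapter comes up in post #9 below.

```shell
#!/bin/sh
# smb-over-ssh.sh: reach a Samba share through an SSH port forward, so the only
# service the home network exposes is sshd. Added example; "carlos",
# "home.example.org", "music" and 127.0.0.2 are placeholders, not thread values.

# The local end of the tunnel must sit on a loopback address. Binding it to
# 0.0.0.0 would let every host that can reach this machine use the tunnel as a
# path into the home LAN (GatewayPorts on the server side has the same effect).
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *)         return 1 ;;
  esac
}

# Print the ssh command that carries SMB (445) and NetBIOS session (139) over the
# tunnel. The remote side targets 127.0.0.1, so Samba on the server can be pinned
# to loopback/internal interfaces and still be reachable through the tunnel.
#   ExitOnForwardFailure  fail loudly instead of running with no forwards
#   ServerAliveInterval   notice a dead link instead of hanging the mount
# 445 and 139 are privileged ports, so the local end has to run as root.
tunnel_cmd() {
  bind="$1"; user="$2"; host="$3"; port="${4:-22}"
  is_loopback "$bind" || { echo "refusing to bind tunnel on non-loopback address $bind" >&2; return 1; }
  printf 'ssh -N -f -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:445:127.0.0.1:445 -L %s:139:127.0.0.1:139 %s@%s' \
    "$port" "$bind" "$bind" "$user" "$host"
}

# Print the mount command for the share, addressed through the tunnel's local end.
mount_cmd() {
  bind="$1"; share="$2"; mountpoint="$3"; smbuser="$4"
  printf 'mount -t cifs //%s/%s %s -o username=%s,port=445' "$bind" "$share" "$mountpoint" "$smbuser"
}

# usage: sudo sh smb-over-ssh.sh carlos home.example.org music /mnt/music [127.0.0.2]
# 127.0.0.2 rather than 127.0.0.1 keeps clear of any smbd running locally; Linux
# answers on all of 127.0.0.0/8, macOS needs `ifconfig lo0 alias 127.0.0.2` first.
# The same name is used for the SSH and SMB user here; adjust if they differ.
main() {
  user="$1"; host="$2"; share="$3"; mountpoint="$4"; bind="${5:-127.0.0.2}"
  ssh_cmd=$(tunnel_cmd "$bind" "$user" "$host") || exit 1
  $ssh_cmd || { echo "tunnel setup failed" >&2; exit 1; }   # unquoted on purpose: split into argv
  mnt=$(mount_cmd "$bind" "$share" "$mountpoint" "$user")
  $mnt
}
if [ "$#" -ge 4 ]; then main "$@"; fi
```

    Because the forward ends on 127.0.0.1 at the server, Samba there can carry `bind interfaces only = yes` with `interfaces = lo eth1` and never be visible on the router-facing side; the only exposed daemon is sshd, which should be key-only (`PasswordAuthentication no`) since it is now the single door into the network.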

  7. #7 DannoXYZ
    Bah! I HATE modems with built-in routers or firewalls. They're crap! Usually I like a different component for each function:

    MODEM -> Barracuda Firewall/SPAM filter -> Cisco 6500 router/switch -> Wireless Access Points#1, etc, etc.

  8. #8 Senior Member (joined Aug 2006)
    Quote Originally Posted by DannoXYZ:
    > Bah! I HATE modems with built-in routers or firewalls. They're crap! Usually I like a different component for each function:
    >
    > MODEM -> Barracuda Firewall/SPAM filter -> Cisco 6500 router/switch -> Wireless Access Points#1, etc, etc.

    +1 there. I have a 2-Wire combination modem/router/wireless AP that initially came with my DSL connection. Its firewall and NAT abilities are passable, but I had to manually disable the wireless because it only supports WEP.

    Eventually, I plan to see if AT&T can sell me just a plain CSU/DSU, and I can then use a real firewall/router/AP such as a Linksys WRT350N, or perhaps a 1TB Time Capsule. Both of these devices can be used as NAS heads, so I can hook up a big external drive array. This, combined with TrueCrypt, will give me decent, secure storage without having to remember where I stored what on which machine.

  9. #9 MrCrassic
    That would be an amazing backup solution. Too bad this is my grandma's house, so I can't exactly turn it into a server farm (though I have enough old computers to do it).

    This is the first time I actually got SSH to work reliably. It's frackin' amazing. I can use Flickr at work now!

    The only bite is that because I don't have permissions to disable File and Print Sharing or install a loopback adapter, I can't map my network drives. Bummer; would have been pretty rad to listen to music remotely.
