Posted by ocicat (Administrator), 16th January 2011
Quote:
Originally Posted by unixjingleman
I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch. And the machines on the internal network will be attached to this switch.
It is not altogether clear from the information presented that the services purchased from your ISP will support such a structure.
  • Customarily, ISPs hand out a single IP address which is assigned via DHCP. This address is not typically a public address which is accessible from the outside world (work, school, public library, etc.), although the IP address assigned may not be what is typically classified as a non-routable RFC1918 private address. Most of the public doesn't need anything more than a single address (nor understands it...), & they don't need a real public address, so this is most likely the cheapest & most prevalent plan many ISPs provide to customers. It also doesn't require that ISPs allocate a public address solely for your use either. From the ISP's perspective, having to assign a real publicly accessible address to a single user involves a resource with higher value, so they charge more.

    You mention having servers in front of the firewall. If all your ISP is providing is a single address, implementing a DMZ where multiple machines are exposed to the Internet, each with its own static IP address, goes into the domain of what ISPs classify as business accounts. Each server which is to be independently accessible from elsewhere on the Internet will need its own static IP address, given the topology described. One option is to pay a monthly fee for each IP address, but this can quickly become costly. Publicly accessible IP addresses not yet allocated are dwindling in number. Expect to pay more for having them assigned to you.
  • The second flaw in what is described is that the firewall resides on the same switch as some number of servers & the connection to the ISP. These servers are getting no benefit from the firewall. For a firewall to have any effect, all traffic has to go through the firewall first. One possible way this can be done is to connect one interface of the firewall directly to the ISP connection, & another firewall interface to some internal switch. Assuming NAT has been configured, any number of clients & servers can sit on the internal side.
  • Otherwise, your message segues into questioning whether one should configure DHCP or simply assign internal addresses to the various hosts manually. This is a personal choice. Home environments don't typically have so many systems that DHCP saves a significant amount of administration & maintenance, however it can make life simpler -- somewhat. It's your decision.
  • As for NAT, it only needs to be done once. Home environments do not require complicated topologies.
  • Lastly, when asking network topology questions, provide a diagram of what you intend to implement. Having a picture will clarify in your own mind what is going on, & it will certainly help anyone else attempting to make a useful response. What was initially described was the following:
    Code:
         internal network --- switch --- firewall --- switch --- ISP
                                                         |
                                                      servers
    What I suspect you really want is the following:
    Code:
        internal network --- switch --- firewall ---  ISP
                                |
                             servers
    Not knowing the details of how you connect to your ISP, you may need some multiple-purpose device to be inserted between the firewall & ISP, but that detail is left for you to figure out. You may have already done so.
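A pf.conf for the second diagram (firewall sitting between the ISP link and the one internal switch, NAT done exactly once), added here as an example and not taken from ocicat's post or from any OpenBSD documentation. The interface names em0/em1, the 192.168.1.0/24 range and the server address 192.168.1.10 are assumptions made for the example:

```pf
# Added example for the "firewall between ISP and internal switch" layout.
# Not from the original thread; em0/em1, the 192.168.1.0/24 range and
# 192.168.1.10 are assumed values, not anything the poster described.
ext_if = "em0"                  # interface cabled to the ISP (or its modem/router)
int_if = "em1"                  # interface cabled to the internal switch
int_net = "192.168.1.0/24"      # RFC1918 range used behind the firewall
web_srv = "192.168.1.10"        # one server on the internal switch

set skip on lo

# Normalise fragments and flags before any filter rule sees the packet
match in all scrub (no-df)

# NAT is done once, here: every internal host leaving through the ISP link is
# rewritten to whatever address the ISP handed em0 via DHCP. The parentheses
# make pf re-read the interface address when the lease changes.
match out on $ext_if inet from $int_net nat-to ($ext_if)

# Expose one service behind the firewall without buying the server its own
# public address: inbound TCP/80 on the ISP side is redirected to web_srv.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# Default deny; every pass rule below is stateful (keep state is implicit).
block log all

# Internal hosts may reach anything; replies come back via the state table.
pass in on $int_if inet from $int_net to any
pass out on $ext_if inet

# Let the firewall itself talk to the internal side (DNS, DHCP, etc.)
pass out on $int_if inet
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. The box only forwards packets between em0 and em1 once `net.inet.ip.forwarding=1` is set (in /etc/sysctl.conf to survive reboots); without it the NAT rule never sees any traffic, which is the most common reason a layout like this "doesn't work" on first boot.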