Re: [Sheflug] Network design problem
Peter Humphrey wrote:
> On Friday 14 March 2008 14:13:36 Tom Bird wrote:
>> Peter Humphrey wrote:
>>> ethnet 192.168.128.0/17
>>> wapnet 192.168.192.0/19
>>>
>>> $ cat /etc/conf.d/net
>> config_eth0=( "192.168.128.49 netmask 255.255.128.0 brd 192.168.255.255" )
>>> config_eth1=( "192.168.192.210 netmask 255.255.224.0 brd 192.168.223.255" )
>> These overlap. This is bad.
>
> I thought it was an example of sub-netting. Have I misunderstood that
> concept? Where can I find an explanation?
>
Quick recap on IP addresses. Each one of the four numbers in an IPv4
address represents an octet of binary digits (or bits), which can equally
well be represented by two hexadecimal numbers.
The 17 in the subnet 192.168.128.0/17 says your network is matched by
the first 17 bits of the preceding data with the remainder of any
matching IP address being a host. The leftmost octet takes 8. The
second leftmost takes a further 8 leaving 1 for the third octet and
none for the fourth octet. Your netmask for this network is
255.255.128.0 and your broadcast address will be 192.168.255.255.
This will allow 192.168.128.0 through to 192.168.255.255 (over 32,000
hosts) on that subnet and it includes the 192.168.192.0 you
subsequently subnet to wapnet.
192.168.192.0/19 says the network is matched on the first 19 bits of the
preceding data with just over 8000 hosts attached. Again the first two
octets take 16 bits leaving three bits at the top of the third octet -
which can therefore be expressed as 1110 0000 in binary, or E0 in hex or
224 in decimal. So your netmask is 255.255.224.0 with a broadcast
address of 192.168.255.255.
I think you really meant /18 here (giving 1100 0000 or C0 or 192).
However I am worried about what you think you are doing with the network
- especially as you are tacking on a WAP.
Do you really need to tack on 32000 possible hosts? Furthermore do you
really need more than 65000 on your phrnet?
In essence I have this setup
192.168.1.0/28 - internal side of ADSL router allowing up to
13 hosts - one is used for the router and one is used
for the gateway connection. The default route is the
internal IP address of the router
192.168.2.0/24 - a network with 254 possible hosts. The default route
for anything connected to this network is the IP
address of the card on the gateway box for this subnet.
192.168.3.0/24 - a network with 254 possible hosts. The default route
for anything connected to this (even through a switch)
is the IP address of the card on the gateway box for
this subnet.
Similarly to you, I have three ethernet cards on my gateway box - one
goes to the ADSL and the other two to each of the subnets. Neither of
these is a demilitarized zone. The nearest I could get to a DMZ is to
hang it off the back of the router which means it would be part of the
router's internal subnet.
If I wanted to be really really tight about it I could have
192.168.1.0/30 - gateway and internal side of ADSL allowing only two
hosts one of which would be the gateway and t'other the
router (but I wouldn't be able to connect to the
router any other machine.)
192.168.2.0/30 - allowing two hosts which will be used by the card on
the gateway for this subnet and the single machine I
have attached to it.
192.168.3.0/29 - allowing six hosts which would have to include the card
on the gateway box and would therefore leave me with
the capability of attaching 5 more hosts onto this
network.
and it would all work the same.
From the hardware you declare you have one card to the modem and one to
a switch plus one more. You therefore need one subnet for the card that
is connected to the ADSL router and one for the card connected to the
switch and one for the extra card.
I suspect you could quite easily get away with
192.168.1.0/28 on the router side
192.168.2.0/24 on the switch side.
192.168.3.0/24 for your third interface
and that is all you need according to the hardware you have declared.
Presumably NAT and redirection on the gateway between the two subnets
and use the gateway's firewall to protect your 192.168.2 subnet.
Now let's deal with your WAP.
You should bear in mind that a wireless device is a receiver and
transmitter. It doesn't care who or what it receives from or who or
what it transmits to. When the data over a wireless connection is
transmitted so that a WAP can receive it, any other suitable device in
the range of the transmitting device can also receive it. And there is
much out there to sniff the air e.g. http://airdump.net/ .
I assume your WAP uses DHCP to assign an IP address to any machine that
connects to it. If your wife is the only one using the wireless access
point then make sure that the DHCP server on the WAP is set to rotate
only one IP address, and that it will only accept from one MAC address
plus use appropriate authentication methods that are not WEP or WPA.
WPA2 can be sniffed but you can use 63 character passwords designed for
machine to machine communication i.e. case sensitive and containing any
character including alphanumerics, punctuation and special characters
such as '@' or '>'. These are harder to crack. Change this password
frequently.
Your wife's machine should also be suitably firewalled and you will have
to deliver the new password to her machine by a secure method every time
you change it on the WAP.
None of this is foolproof security but it may stop or hinder some people
from using your network or using your wife's machine as a trojan on your
network.
Monitor the network coming to or from the WAP. Leave it on for a while
when your wife is not using it and her machine is switched off and not
registered with the WAP. This may persuade you to at least switch it
off when not in use.
I think your best solution is to have the WAP on its own subnet e.g.
192.168.4.0/30 connected to the gateway, and monitored and controlled
from there. You can then prevent that subnet from accessing any other
subnet on your network or at least control its access. This means
adding a new card to the gateway box.
If you don't want to add a new card to the gateway then put it on the
third interface and deal with it at the firewall end of the server,
workstation and any other element connected to the switch. At least
then the firewall on your gateway can redirect incoming 25, 80 traffic
as required to your server and you can prevent any incoming to other
service ports reaching the WAP. Bear in mind that anything can connect
to your WAP if it is determined to do so.
Regards
L.
_______________________________________________
Sheffield Linux User's Group
http://www.sheflug.org.uk/mailfaq.html
GNU - The choice of a complete generation
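As an added example (not part of L.'s message or of the original thread), the following Python script works through the netmask, broadcast and host-count arithmetic described above and checks an addressing plan for overlapping subnets, which is the defect Tom Bird pointed out in the quoted config. The addresses are the ones from the thread (ethnet /17, wapnet /19, and the suggested 192.168.1.0/28, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/30 layout); the cross-check against the standard library ipaddress module is there only to confirm the hand-rolled bit arithmetic. Usable host counts are all addresses in the block minus the network and broadcast addresses.

```python
import ipaddress  # standard library; used only to cross-check the hand-rolled arithmetic

ALL_ONES = 0xFFFFFFFF


def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into (address as a 32-bit int, prefix length)."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length in %s" % cidr)
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address in %s" % cidr)
    value = 0
    for o in octets:            # each octet is 8 bits, most significant first
        value = (value << 8) | o
    return value, prefix


def netmask(prefix):
    """Prefix length n -> mask with the top n of 32 bits set (/17 -> 255.255.128.0)."""
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def dotted(value):
    """32-bit int -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_binary(value):
    """32-bit int -> dotted binary, one octet per group, to show where the mask ends."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def describe(cidr):
    """Network, netmask, broadcast and usable host count for one CIDR block."""
    addr, prefix = parse_cidr(cidr)
    mask = netmask(prefix)
    network = addr & mask                      # host bits cleared
    broadcast = network | (~mask & ALL_ONES)   # host bits set
    total = 1 << (32 - prefix)
    # Network and broadcast addresses are not assignable to hosts on /30 and larger blocks.
    usable = total - 2 if prefix <= 30 else total
    return {
        "network": dotted(network),
        "netmask": dotted(mask),
        "netmask_binary": dotted_binary(mask),
        "broadcast": dotted(broadcast),
        "usable_hosts": usable,
    }


def overlaps(cidr_a, cidr_b):
    """Two blocks overlap exactly when they agree on the shorter prefix's bits."""
    a, pa = parse_cidr(cidr_a)
    b, pb = parse_cidr(cidr_b)
    mask = netmask(min(pa, pb))
    return (a & mask) == (b & mask)


def find_overlaps(cidrs):
    """Return every overlapping pair in a proposed addressing plan."""
    return [(x, y) for i, x in enumerate(cidrs) for y in cidrs[i + 1:] if overlaps(x, y)]


def matches_stdlib(cidr_a, cidr_b):
    """Cross-check describe() and overlaps() against ipaddress for a pair of blocks."""
    for cidr in (cidr_a, cidr_b):
        net = ipaddress.ip_network(cidr, strict=False)
        d = describe(cidr)
        if (d["netmask"], d["broadcast"]) != (str(net.netmask), str(net.broadcast_address)):
            return False
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return overlaps(cidr_a, cidr_b) == a.overlaps(b)


if __name__ == "__main__":
    original = ["192.168.128.0/17", "192.168.192.0/19"]   # ethnet and wapnet from the thread
    proposed = ["192.168.1.0/28", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/30"]
    for cidr in original + proposed:
        print(cidr, describe(cidr))
    print("overlaps in original plan:", find_overlaps(original))
    print("overlaps in proposed plan:", find_overlaps(proposed))
```

Running it prints the per-block breakdown and then an empty overlap list for the proposed plan, against the single (ethnet, wapnet) pair for the original one; the dotted binary form of each netmask makes it easy to see the 1110 0000 third octet that the /19 discussion above works out by hand.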