
Re: [Sheflug] Network design problem



On Saturday 15 March 2008 23:32:59 Lesley Binks wrote:

> Do you really need to tack on 32000 possible hosts? Furthermore do you
> really need more than 65000 on your phrnet?

No, of course not. I just had an idea, years ago when I started dabbling in 
such things, that I would work my way down the 32-bit field. You may say 
that's not a very good design approach, and I wouldn't argue.

> I suspect you could quite easily get away with
>
> 192.168.1.0/28 on the router side
> 192.168.2.0/24 on the switch side.
> 192.168.3.0/24 for your third interface
>
> and that is all you need according to the hardware you have declared.
> Presumably NAT and redirection on the gateway between the two subnets
> and use the gateway's firewall to protect your 192.168.2 subnet.

I'm using Shorewall to manage my firewall setup, which can easily MASQ one 
net to another. I haven't said that very well, but what I mean is that eth1 
(the Ethernet) is masqueraded behind the firewall with eth0 connected to 
the ADSL modem.

> I assume your WAP uses DHCP to assign an IP address to any machine that
> connects to it.

No, it has no DHCP server. I can either run one on the box upstream of the 
WAP or rely on static IP addressing. I tend towards the latter, though it's 
easier to get WinXP connections to the laptops using DHCP.

> If your wife is the only one using the wireless access point

No, I have a laptop too. I might occasionally have a guest as well, but 
those three would be all.

> make sure that the DHCP server on the WAP is set to rotate only one IP
> address, and that it will only accept from one MAC address  

I'll need to fix the address given to her machine so that it can use distcc 
(this is Gentoo, with mucho compiling of packages from source, and that's 
an old laptop).

> plus use appropriate authentication methods that are not WEP or WPA.

WPA-PSK seems to be the best I can have, together with MAC access control 
and switching off SSID broadcast. I haven't tested that last one yet.

> Your wife's machine should also be suitably firewalled and you will have
> to deliver the new password to her machine by a secure method every time
> you change it on the WAP.

Agreed. I can use a USB stick for this transfer.

> None of this is foolproof security

It would be good if there were such a thing :-(

> Monitor the network coming to or from the WAP.  Leave it on for a while
> when your wife is not using it and her machine is switched off and not
> registered with the WAP.

An interesting idea, which I'm doing now. So far I'm mostly seeing ipp 
broadcasts from cupsd on the server. This is a smallish village and so far 
not very sophisticated in its network behaviour (I hope :-)

> This may persuade you to at least switch it off when not in use.

I do that anyway.

> I think your best solution is to have the WAP on its own subnet e.g.
> 192.168.4.0/30 connected to the gateway, and monitored and controlled 
> from there.

As the DMZ is not used at present (it was just a possibility for the future) 
I think I'll take your suggestion and use its NIC. It's a headless box, 
which I manage over ssh from the server or the workstation.

> You can then prevent that subnet from accessing any other subnet on your
> network or at least control its access.  This means adding a new card to
> the gateway box. 

I can't do that, unless there's such a thing as a dual-NIC PCI card. But as 
I said above, I don't need to keep a spare interface so I can use what I 
have already.

Thank you for a very full and helpful reply. Plenty of food for thought. It 
looks as though I've misunderstood what a subnet is; I thought it was "sub" 
in the sense of being hierarchically included in the parent net, but maybe 
it isn't. I'm also reading through the article that Gary pointed me to 
(thanks Gary and the others too).

-- 
Rgds
Peter
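A worked check of the addressing plan discussed above, added here as an example and not part of the thread: it uses Python's standard ipaddress module to show that the suggested networks are disjoint siblings under 192.168.0.0/16 rather than nested inside one another, how many hosts each can hold, and whether the /30 proposed for the WAP link leaves room for the three wireless machines if the WAP bridges its clients onto that link (the thread does not say how the WAP is wired, so that is an assumption, as are the interface labels).

```python
import ipaddress
from itertools import combinations

# Addressing plan from the thread; the interface labels are assumed.
PLAN = {
    "router side (eth0 link)": "192.168.1.0/28",
    "switch side (eth1)":      "192.168.2.0/24",
    "third interface":         "192.168.3.0/24",
    "WAP link (ex-DMZ NIC)":   "192.168.4.0/30",
}

def usable_hosts(cidr: str) -> int:
    """Addresses assignable to hosts: network and broadcast excluded."""
    return len(list(ipaddress.ip_network(cidr).hosts()))

def overlapping_pairs(plan: dict) -> list:
    """Pairs of plan entries whose address ranges overlap; a sound plan gives []."""
    nets = {name: ipaddress.ip_network(c) for name, c in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def is_subnet_of(child: str, parent: str) -> bool:
    """True when every address of `child` lies inside `parent` (hierarchical inclusion)."""
    return ipaddress.ip_network(child).subnet_of(ipaddress.ip_network(parent))

def fits(cidr: str, hosts_needed: int) -> bool:
    """Does the prefix have enough usable addresses for `hosts_needed` devices?"""
    return usable_hosts(cidr) >= hosts_needed

def smallest_prefix_for(hosts_needed: int, base: str = "192.168.4.0") -> str:
    """Longest prefix (smallest subnet) on `base` that still fits `hosts_needed` hosts."""
    for plen in range(30, 15, -1):
        cidr = f"{base}/{plen}"
        if fits(cidr, hosts_needed):
            return cidr
    return f"{base}/16"

if __name__ == "__main__":
    for name, cidr in PLAN.items():
        print(f"{name:26s} {cidr:18s} usable hosts: {usable_hosts(cidr)}")
    print("overlapping pairs:", overlapping_pairs(PLAN))
    # Each proposed net sits inside 192.168.0.0/16, but none sits inside another.
    print(is_subnet_of("192.168.4.0/30", "192.168.0.0/16"))   # True
    print(is_subnet_of("192.168.4.0/30", "192.168.1.0/28"))   # False
    # Routed WAP: gateway end + WAP = 2 addresses, a /30 is exactly enough.
    # Bridged WAP (assumed): gateway + 3 wireless clients = 4, so a /30 is not.
    print(fits("192.168.4.0/30", 2), fits("192.168.4.0/30", 4))
    print("bridged WAP link needs at least", smallest_prefix_for(4))
```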

_______________________________________________
        Sheffield Linux User's Group
  http://www.sheflug.org.uk/mailfaq.html
 GNU - The choice of a complete generation