Re: [Sheflug] Network design problem
On Saturday 15 March 2008 23:32:59 Lesley Binks wrote:
> Do you really need to tack on 32000 possible hosts? Furthermore do you
> really need more than 65000 on your phrnet?
No, of course not. I just had an idea, years ago when I started dabbling in
such things, that I would work my way down the 32-bit field. You may say
that's not a very good design approach, and I wouldn't argue.
> I suspect you could quite easily get away with
>
> 192.168.1.0/28 on the router side
> 192.168.2.0/24 on the switch side.
> 192.168.3.0/24 for your third interface
>
> and that is all you need according to the hardware you have declared.
> Presumably NAT and redirection on the gateway between the two subnets
> and use the gateway's firewall to protect your 192.168.2 subnet.
I'm using Shorewall to manage my firewall setup, which can easily MASQ one
net to another. I haven't said that very well, but what I mean is that eth1
(the Ethernet) is masqueraded behind the firewall with eth0 connected to
the ADSL modem.
> I assume your WAP uses DHCP to assign an IP address to any machine that
> connects to it.
No, it has no DHCP server. I can either run one on the box upstream of the
WAP or rely on static IP addressing. I tend towards the latter, though it's
easier to get WinXP connections to the laptops using DHCP.
> If your wife is the only one using the wireless access point
No, I have a laptop too. I might occasionally have a guest as well, but
those three would be all.
> make sure that the DHCP server on the WAP is set to rotate only one IP
> address, and that it will only accept from one MAC address
I'll need to fix the address given to her machine so that it can use distcc
(this is Gentoo, with mucho compiling of packages from source, and that's
an old laptop).
> plus use appropriate authentication methods that are not WEP or WPA.
WPA-PSK seems to be the best I can have, together with MAC access control
and switching off SSID broadcast. I haven't tested that last one yet.
> Your wife's machine should also be suitably firewalled and you will have
> to deliver the new password to her machine by a secure method every time
> you change it on the WAP.
Agreed. I can use a USB stick for this transfer.
> None of this is foolproof security
It would be good if there were such a thing :-(
> Monitor the network coming to or from the WAP. Leave it on for a while
> when your wife is not using it and her machine is switched off and not
> registered with the WAP.
An interesting idea, which I'm doing now. So far I'm mostly seeing ipp
broadcasts from cupsd on the server. This is a smallish village and so far
not very sophisticated in its network behaviour (I hope :-)
> This may persuade you to at least switch it off when not in use.
I do that anyway.
> I think your best solution is to have the WAP on its own subnet e.g.
> 192.168.4.0/30 connected to the gateway, and monitored and controlled
> from there.
As the DMZ is not used at present (it was just a possibility for the future)
I think I'll take your suggestion and use its NIC. It's a headless box,
which I manage over ssh from the server or the workstation.
> You can then prevent that subnet from accessing any other subnet on your
> network or at least control its access. This means adding a new card to
> the gateway box.
I can't do that, unless there's such a thing as a dual-NIC PCI card. But as
I said above, I don't need to keep a spare interface so I can use what I
have already.
Thank you for a very full and helpful reply. Plenty of food for thought. It
looks as though I've misunderstood what a subnet is; I thought it was "sub"
in the sense of being hierarchically included in the parent net, but maybe
it isn't. I'm also reading through the article that Gary pointed me to
(thanks Gary and the others too).
--
Rgds
Peter
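Added example (not part of the thread, and not Peter's or Lesley's configuration): a script that writes the Shorewall 4.x files for the design agreed above, with the WAP on its own zone that can reach the Internet but is dropped towards the wired LAN and the gateway, except for the laptop's fixed address reaching distcc on the server. The interface-to-zone mapping (eth0 ADSL, eth1 wired LAN, eth2 the former DMZ NIC), the server at 192.168.2.10, the WAP at 192.168.4.2 and the laptop at 192.168.4.3 are all assumptions. It uses 192.168.4.0/29 rather than a /30 because a /30 has only two usable host addresses, which is not enough for the gateway, the WAP's own management address and up to three wireless clients.

```shell
#!/bin/sh
# Added example: writes a minimal Shorewall 4.x configuration that puts the
# WAP on its own zone and lets it reach only the Internet plus distcc on the
# server. Interface names, addresses and host roles are assumptions, not
# taken from the thread:
#
#   eth0  ADSL modem        zone net
#   eth1  wired LAN switch  zone loc   192.168.2.0/24 (server at .10)
#   eth2  former DMZ NIC    zone wifi  192.168.4.0/29 (WAP at .2, laptop at .3)

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Zones: the firewall itself, the Internet, the wired LAN, the WAP segment.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4
EOF

    # Which NIC carries which zone. The "dhcp" option lets the gateway serve
    # DHCP on that interface without a separate rule (fixed lease for the
    # laptop goes in the DHCP server config, not here).
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      dhcp
wifi    eth2        detect      dhcp
EOF

    # Default policy: wired LAN may go out and talk to the gateway (ssh
    # management); wifi may go out but is dropped and logged towards the LAN
    # and the gateway itself; anything unlisted is rejected.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
wifi    net     ACCEPT
wifi    loc     DROP    info
wifi    $FW     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    # Exceptions to the policy: only the laptop's fixed address may reach
    # distcc (tcp/3632) on the server; nothing else crosses from wifi to loc.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT  wifi:192.168.4.3    loc:192.168.2.10    tcp     3632
EOF

    # Masquerade both private subnets behind the ADSL interface's address.
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.2.0/24
eth0        192.168.4.0/29
EOF
}

# Number of policy lines that DROP traffic from the wifi zone; a quick
# sanity check on the generated files before they go into /etc/shorewall.
count_wifi_denies() {
    grep -c '^wifi[[:space:]].*[[:space:]]DROP' "$1/policy"
}

# Usage: sh write-shorewall.sh /etc/shorewall   (then: shorewall check)
if [ -n "${1:-}" ]; then
    write_shorewall_config "$1"
    echo "wrote Shorewall files to $1; run 'shorewall check' before 'shorewall restart'"
fi
```

Write the files to a scratch directory first and diff them against the live /etc/shorewall; the `loc $FW ACCEPT` policy can be tightened to a single `ACCEPT loc $FW tcp 22` rule once it is clear the gateway serves nothing else to the wired side.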
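Added example for the monitoring step Lesley suggests (watching the WAP segment while the known clients are off). This is not from the thread: it filters `tcpdump -e -n -i eth2` output and reports only frames whose source MAC is not one of the expected stations, so broadcast noise from known hosts is suppressed and a frame from an unknown station stands out. The three MAC addresses and the capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example: report frames on the WAP interface from MACs that are not
# expected there. Input is "tcpdump -e -n -i eth2" output, where field 2 is
# the source MAC. The addresses and capture lines below are constructed.

# Expected stations on the WAP segment (assumed values): the gateway's eth2,
# the WAP's own management interface, and the laptop. Space separated.
ALLOWED_MACS='00:11:22:33:44:01 00:11:22:33:44:02 00:11:22:33:44:03'

# Print every input line whose source MAC (field 2) is not in ALLOWED_MACS.
# Comparison is case-insensitive because tcpdump and vendor labels differ.
unexpected_frames() {
    awk -v allowed="$ALLOWED_MACS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        !(tolower($2) in ok) { print }
    '
}

# Constructed sample capture: an ARP reply from the gateway, the laptop
# opening a distcc connection to the server, and an ARP request from a
# station that should not be on this segment at all.
SAMPLE_CAPTURE='23:41:02.100 00:11:22:33:44:01 > 00:11:22:33:44:03, ethertype ARP (0x0806), length 42: Reply 192.168.4.1 is-at 00:11:22:33:44:01, length 28
23:41:03.200 00:11:22:33:44:03 > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 74: 192.168.4.3.49152 > 192.168.2.10.3632: Flags [S], seq 0, win 5840, length 0
23:41:05.300 AA:BB:CC:DD:EE:FF > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.4.1 tell 192.168.4.9, length 28'

# Count of unexpected frames in the sample capture (expected: 1).
count_unexpected_in_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_frames | wc -l | tr -d ' '
}

# Live use on the gateway (leave running while the laptops are off):
#   tcpdump -e -n -i eth2 | unexpected_frames
```

Anything this prints while the laptops are switched off is either a neighbour's machine trying the WAP or the WAP itself doing something it was not asked to; a MAC filter on the WAP can be spoofed, so the capture, not the filter, is the thing to trust.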
_______________________________________________
Sheffield Linux User's Group
http://www.sheflug.org.uk/mailfaq.html
GNU - The choice of a complete generation