network plan (diagram included) good plan? any flaws? [50k gif]

LadyJaqie (joined Jun 9, 2002; 1,422 messages)
Okay, first off, I'll show you the network diagram, then explain the systems a bit and the use.

Fixed IPs, moved 5-port switch to living room on diagram.

[Image: network.gif (the network diagram)]


Basically three power users / computer techs will be living here. Internet is 1.5/1.5 wireless.
We plan on slowly building up to this configuration piece by piece.

In a week I should be getting the first pieces, a P3 1GHz with 384MB RAM and a 40GB HD.
That will start as the internet & intranet server, and I will swap the hard drive with what is in my system at the moment.

As soon as (and if) I sell my LCD monitor and SCSI stuff I will upgrade my system with this stuff and use the spare parts to build my girlfriend a computer.

I will be getting an old celly system from someone after a while; that will be the VPN server.

Eventually I want to build a dual socket A Athlon XP 2600+ MPX system with ~2TB of HD space for the intranet server, and use the P3 1GHz for the internet/p2p server.

I want to get a system something like this as 'acbot' and maybe one like it but with an nForce board for the HTPC system.

Opinions? thoughts? critiques? ideas?
 
Both your "Intranet Server" and your "VPN server" are labelled with the same IP address (192.168.0.3)
 
I don't understand your numbering scheme. Why limit yourself to only ten addresses per bunch that you want to have segregated? If you end up with more network equipment, you'll have to give it a .70-something number, and then that might also be right next to some extra equipment that Hannah has. The numbering scheme is now meaningless.

If you really must use static IP addresses, why not give each intended use a larger range?

Why is the WAP on a VPN server? Why doesn't it have an IP address?

The topology is a little surprising; there will be four 1000Mbps lines from the server room to the living room, then two more 100Mbps lines? One of the 100Mbps lines goes into a switch ... why not just pull a single line and switch everything in the living room?

No firewall, just NAT?

Why no caching server?

What's ACBot? And what's the dotted line between it and Foxen's machine?

.B ekiM
 
Why do you have connectivity into the Living Room from two different points? Why not just use one switch to feed all the PCs and save yourself the hassle of cabling for two switches?

And define ACBOT. I'm curious.
 
Topology is unusual because the house is extremely small and I'm trying to save money. Only one switch means I only spend $100 on a gigabit switch, and I have 1000' of cat5e already sitting here I don't have to buy.

The WAP is on a VPN server so that I don't have to worry about encryption or anything, and I don't have to worry about people busting into the network. Pretty much I can let it open and just VPN into the network from the boxes that I am going to be running in, a lot more secure than any WEP. A trick I picked up from my friend [H]emi_426, who is using that at home. The WAP isn't showing an IP addy because I haven't decided one for it yet.

I have never had troubles with people breaking into my network with just NAT, and I don't foresee any, so I think NAT would be adequate... please tell me if this is wrong? The VPN server could function as a router and firewall; it will be running FreeBSD 5.x anyway... and I have been considering using it as a caching server as well once I learn enough about FreeBSD. That is actually why the 'test' computer is there, for me to play with fBSD and learn things without harming critical network operations.

The network IP numbering scheme is just one I have always used. I'll redo it to take 20 IPs per type. Does that sound more reasonable? I really do hate DHCP... with NAT I forward lots of ports and it becomes an unholy mess with DHCP.

Running some of the systems from 100Mbps and some from 1000Mbps: I am trying to save as much money as I can, and this is a way to do it. This house is quite small, so cabling running into a central area won't cost as much as running a switch will, and this way I can give extra bandwidth to only those computers that really could use it. That is why some are running 100Mbps and some are running 1000Mbps.

ACBot... alright, there is a game, an MMORPG, Asheron's Call: Dark Majesty http://acdm.turbinegames.com that I am quite addicted to. There are third-party apps that allow you to run a mage in 'bot' mode, and you can give other players free magic enchantments; trouble is they only last an hour and it takes spell components... also the server is unreliable, so you have to keep monitoring your bot and stuff to keep him/her filled with comps and online... so the line is a KVM switch cord. I forgot to label it in the legend, oops ^^;;

If any of these things is a stupid idea please let me know, ok? It's all in the planning stages now, and so now is the time to change it...
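The VPN server doubling as router and firewall, as an added example that is not the thread's own configuration: a pf ruleset that does the NAT and port forwarding the post describes but also filters by default, and lets the open WAP reach nothing except the VPN service. It assumes FreeBSD 5.3 or later (pf is not in 5.0-5.2) and PPTP as the VPN protocol; the interface names, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the .10 host and its port range are constructed.

```pf
# Added example, not from the thread: pf.conf for the FreeBSD box that is to be
# NAT router, firewall, and VPN endpoint for the open WAP at the same time.
# Assumed: FreeBSD 5.3 or later (pf in base); all interface names; the wifi
# and VPN subnets, the .10 host and its port range are constructed.
ext_if    = "xl0"             # assumed: uplink to the 1.5/1.5 wireless ISP
int_if    = "xl1"             # assumed: wired LAN toward the gigabit switch
wifi_if   = "wi0"             # assumed: the open WAP hangs off this interface
vpn_if    = "tun0"            # assumed: tunnel interface the VPN daemon creates
lan_net   = "192.168.0.0/24"  # the wired LAN from the diagram
wifi_net  = "192.168.1.0/24"  # constructed: untrusted subnet for the open WAP
vpn_net   = "192.168.2.0/24"  # constructed: addresses handed to VPN clients
p2p_box   = "192.168.0.10"    # constructed: host that needs inbound ports
p2p_ports = "6881:6889"       # constructed: port range forwarded to it

set skip on lo0
scrub in all                  # reassemble fragments before filtering

# NAT: wired LAN and VPN clients leave with the router's public address.
nat on $ext_if from { $lan_net, $vpn_net } to any -> ($ext_if)

# Port forward. This is the reason the inside hosts need static addresses.
rdr on $ext_if proto tcp from any to ($ext_if) port $p2p_ports -> $p2p_box

# Default deny. NAT only hides addresses; these rules are the firewall.
block in log all
pass out keep state
antispoof for { $int_if, $wifi_if }

# Forwarded ports: after rdr the packet is addressed to the inside host.
pass in on $ext_if proto tcp from any to $p2p_box port $p2p_ports \
    flags S/SA keep state

# Open WAP: wireless clients can reach nothing but the VPN service here
# (PPTP control channel plus GRE assumed; swap for the daemon in use).
pass in on $wifi_if proto tcp from $wifi_net to ($wifi_if) port 1723 \
    flags S/SA keep state
pass in on $wifi_if proto gre from $wifi_net to ($wifi_if)

# Once authenticated, VPN clients and the wired LAN are treated alike.
pass in on $vpn_if from $vpn_net to any keep state
pass in on $int_if from $lan_net to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked packets show up via `pflog0` because of the `log` keyword.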
 
I thought the purpose of the 1G bandwidth of those servers connected to the intranet server was for your gaming stuff? If so, why is the ACBot on the 100Mbps line? If that is talking to the intranet server, why not put that on the 1G switch?
 
berky said:
I thought the purpose of the 1G bandwidth of those servers connected to the intranet server was for your gaming stuff? If so, why is the ACBot on the 100Mbps line? If that is talking to the intranet server, why not put that on the 1G switch?

How much bandwidth is this server going to use? Is it worth it to put it on the GigE when his internet upload won't come even sorta close to that at all? Probably why you would save the GigE for something in-house that needs more bandwidth.
 
Just a suggestion but....

I use this router box called m0n0wall and it is, simply put, awesome. I have a VPN tunnel going from my network to the network of a friend of mine across town, and once I figure out how to, I'm going to link up another 2 friends, one in Florida and one in California, so that we can all share stuff securely and for the simple experience of learning more about VPNs and whatnot.

The m0n0wall has the ability to act as a wireless AP as well, which is sweet because you simply put a card in it and there you have a router that would normally cost like $50 or so. I am still learning about subnets, routes, protocols and all that stuff, so there is a bunch of stuff I've never even messed with before, but it seems pretty robust to me. Just an idea.

From what I see, it looks like this m0n0wall could replace about 3 of your components: the WAP box, the VPN box and the router. You can even put 3 network cards in the box and do true segments, separating different things. Oh, and m0n0wall doesn't require a HD, just a floppy and CD-ROM. I personally use the CF card version, but CD-ROM and floppy work just as well.

Josh.
 
Karandras69 said:
How much bandwidth is this server going to use? Is it worth it to put it on the GigE when his internet upload won't come even sorta close to that at all? Probably why you would save the GigE for something in-house that needs more bandwidth.


Ya, I was thinking he might also use it for any LAN-party-type stuff. Perhaps I'm wrong....
 
jaqie said:

The WAP is on a VPN server so that I don't have to worry about encryption or anything, and I don't have to worry about people busting into the network. Pretty much I can let it open and just VPN into the network from the boxes that I am going to be running in, a lot more secure than any WEP. A trick I picked up from my friend [H]emi_426, who is using that at home. The WAP isn't showing an IP addy because I haven't decided one for it yet.

The VPN creates a tunnel between the laptops and the rest of the network. You'll notice a bit of perf loss because of that tunnel.

If you're not using WEP, then the individual machines are vulnerable because if someone hops onto your wireless network they can walk up to the other wireless nodes.

jaqie said:

That's interesting. I thought they had outlawed bots on AC a long time ago.

I'm not sure there's anything that's wrong, but there's certainly a few things that I'd do differently.

.B ekiM
 
Hey guys, I am not a male here, I'm a girl... please stop calling me 'he'...

AC: no, BATTLE bots were outlawed; you can't fight monsters with a bot. Any other bots, trade bots... cooking bots... buffing bots... etc. are allowed. Bandwidth for AC is about double what a dialup modem can do.

GigE... that is for file transfers. Most of the systems will be limited to 40 and 80GB drives only for installed programs; all data files will be stored on the intranet server, and I want us to have fast access to them. The only thing I am worried about is having the HTPC on the 100Mbps segment...

m0n0wall, I'll have to play with it a bit. I tried it when the version that has bandwidth shaping was in beta, and didn't like it; maybe it's gotten better since then... hmmm. I do plan on mounting the WAP in the roof though, so the idea of running that with a card just won't work.

I planned on running WEP also on the wireless stuff, just not worrying so much about having it clenched up tight as can be and such; an extra layer of protection, y'know. And slowdown is ok, the notebooks will pretty well only be used for net browsing and such when on wireless.

Firewall - As I said before, I've been running behind a NAT router for a long time, and it's proven to be a VERY good 'firewall'. This isn't a dare, but if you want to check for yourself, http://jaqiejean.mine.nu/ I'm not saying I can't be hacked... I'm just saying that it seems pretty dang secure to me; I've asked some people that know a good amount about security to check my setup out and they say I'm pretty dang safe...

Thanks for all the input so far :) I would love to keep it all going...
 
Your NAT router will be fine. For a home power user I see no problems with it. Most of the time if you don't know what you're doing with a standalone hardware firewall, you'll get in over your head and cause more problems than it's worth.

[sarcasm on] Better use IPSEC with that VPN server as PPTP is old and outdated with poor poor encryption. At least use L2TP [/sarcasm off]

If the "guys" want to get real technical I can design a network utilizing Cisco equipment that would be above "par" for what these guys are trying to push you into. Sheesh... it's a home network; yes, data is critical, but not as to a business where tons of money is at stake. (Not saying that home users make little to no money and data isn't important, but rather, what would be the reason for someone to intentionally hack you or I?)
 
mikeblas said:
The VPN creates a tunnel between the laptops and the rest of the network. You'll notice a bit of perf loss because of that tunnel.

Win2K and XP take a 10-15% performance hit when running in IPSec (AH+ESP) transport mode. WEP at 64bit takes up to 25%, and 128bit can see up to 50% performance loss (unless you've got VPN accelerators onboard).

If you don't mind the extra configuration, and/or if you've got a certificates server in the network, client/server VPN is the way to go.

And as I mentioned in another thread, it's always good to implement a layered security paradigm. All I'm really talking about in this scenario is transport security from client to server, and implementing some form of transmission security in the 802.11. MAC filtering works easily enough in the 802.11 schema, and any attacks against it will not work against the VPN itself (DHCP+MAC reservations is also a good idea for authenticated hosts). Yeah, it's basic, but it will be enough to thwart script-kiddies and all but the most serious hackers. The MAC filtering will stop people from jumping on the segment from automatic configurations like Apple laptops do, and anyone thinking they'll just freeload will find they can't. And if they decide to try and attack the WEP or WPA, they'll soon find they can't because their haxor script-kiddie program won't work against IPSec.
 
So WEP+MAC is enough?
What version of WEP should I use then? How many bits of security should be enough?

And a subject I've not broached yet: what AP should be best? I like D-Link but I'm willing to go with any quality brand... but whatever you do DON'T suggest Linksys. :rolleyes:
 
We've gotten past the firmware that takes a 50% performance hit or anything close when encrypting; however, 64bit WEP is usually more than enough. If you're really concerned then 128bit WEP would make the security threat take some extra time to crack the key.

As far as APs go, the budget APs are pretty much all the same. Linksys, regardless of your experience, is no worse or better than the rest when taking in a broad number of devices you might use to test/benchmark. If you do want to take a step up then look at Buffalo Technologies wireless gear. Very nice. A bit more money but generally worth it depending on your expectations and/or requirements.
 
Alright, I'll take a look at them. Hawking any good?
Any other good brands? Besides the one there is no need to mention, Cisco. ;)
 
jaqie said:

m0n0wall, I'll have to play with it a bit. I tried it when the version that has bandwidth shaping was in beta, and didn't like it; maybe it's gotten better since then... hmmm. I do plan on mounting the WAP in the roof though, so the idea of running that with a card just won't work.


Yeah, I tried it then as well and I wasn't too fond of it, but I think it's gotten better. As for the packet shaping itself, I still think it sucks, but hey, it might get better, and there are a few items on their wishlist that would be killer to see working in the future. As for the WAP being on the roof... m0n0wall is just what you're looking for if you have the extra money for an embedded PC... check this out...

http://m0n0.ch/wall/gallery/phil_kenoyer/m0n0-at50foot.jpg
http://m0n0.ch/wall/gallery/phil_kenoyer/m0n0wall-router.jpg
http://m0n0.ch/wall/gallery/michael_mee/ap_10-142.jpg
http://m0n0.ch/wall/gallery/michael_iedema/fiddler.jpg

I wanted to do something like that at some point just no need yet.... If you need more info let me know, or the site has most of the info too.
 
ktwebb said:
We've gotten past the firmware that takes a 50% performance hit or anything close when encrypting; however, 64bit WEP is usually more than enough. If you're really concerned then 128bit WEP would make the security threat take some extra time to crack the key.

I said it can take up to 50%. If it's old gear, then it's quite possible that there would be such a performance hit. As for 64bit vs 128bit, 64bit is easily cracked with brute force attacks whereas 128bit is not. However, both are easily cracked by figuring the key due to the IV vulnerability inherent in WEP across the board. Fact: You can deduce the WEP key (including 128bit mode) after capturing only 7.5 - 10 MB of data. Yes, it's that simple and no, I'm not going to tell you how.
 
Uh... well... I would say that I'll be fine with 64 bit... I doubt there is much anyone here with even any 802.11x networking... it's a tiny town in Kansas, mostly elderly folks...
Nice quiet place where I can just live my life in peace and be me. I am very androphobic (fear of men) and somewhat xenophobic (fear of strangers) so I don't get out much; I am also disabled... have physical and emotional problems that are quite severe... so this town is great for me to just sit and work out my emotional problems without worrying about people much. I was in Chicago before here; that was about the worst place for someone like me to be in the world *shiver* I never wanna go back there... and people in Illinois treated me quite horribly too... all my life. So far out here I'm being treated a lot better, then again I've not gotten out much so far, so...

Anyways, I bet 64 bit WEP and blocking all but allowed MACs will be plenty to stop anyone that might pass by from being able to get in on my network.
 
jaqie said:
Uh... well... I would say that I'll be fine with 64 bit... I doubt there is much anyone here with even any 802.11x networking... it's a tiny town in Kansas, mostly elderly folks...
Nice quiet place where I can just live my life in peace and be me. I am very androphobic (fear of men) and somewhat xenophobic (fear of strangers) so I don't get out much; I am also disabled... have physical and emotional problems that are quite severe... so this town is great for me to just sit and work out my emotional problems without worrying about people much. I was in Chicago before here; that was about the worst place for someone like me to be in the world *shiver* I never wanna go back there... and people in Illinois treated me quite horribly too... all my life. So far out here I'm being treated a lot better, then again I've not gotten out much so far, so...

Anyways, I bet 64 bit WEP and blocking all but allowed MACs will be plenty to stop anyone that might pass by from being able to get in on my network.


Uh oh. And I called her a 'he'.
 
oh yeah, one other suggestion.


If you ever want to record stuff from your HTPC to your intranet server in terms of TV shows/TV movies (à la TiVo-like technology), you may want to put that on the GigE side.
 
I'll run all the wires into the server closet and then hook up the ones that need to be gigabit... I'll switch 'em as my needs dictate... sounds like a good plan to me anyways...
 