Setting up a home network

Hi All,

I have got a very simple query for the experts here, as I am not much into the networking field.

My requirement:
- Personal web server
- some laptops/PC

I have a router/modem that terminates my internet connection, and my webserver is connected to it. I want to use my PCs too, but I don't want to connect them directly to the router ports as there are only 3 ports.
So I am planning to use an 8-port switch for a LAN among my PCs, i.e. I want to connect the switch to the router and connect all the PCs to the switch. I am planning to use a gigabit switch so that my LAN is fast, and would use Cat6 cables, or would Cat5e be OK for me? I require a good transfer rate among the PCs.

I just want to know, in simple steps, what key configuration I would have to do to set up such a network, or if there is any tutorial or site with details about this, that would be good for me.


Any suggestions would be great, as I have been trying to get some info about this on the net and found this forum useful.


Cheers,
Hungry Mind
 
Trivial, buddy.

Code:
modem=====router-----Web Server
          |
       switch
       |   |    |   |
       (x) PC systems
To ensure all PCs see the webserver at the same address (regardless of the boot sequence),
give the webserver a static IP address.
 
Thanks for the prompt response; the overall scheme you provided looks good for my use. Just a few queries/clarifications regarding the same.

- On the router I need to enable port forwarding for HTTP towards the webserver... is that right?
- Would all the PCs connected to the switch have local IPs assigned by the router, or can I assign them static IPs myself if I don't want them to change every time I reboot them?
- If I want one of the PCs behind the switch to be accessible from the external network, what do I do? Do I have to connect it to the router directly and then allow port forwarding for a service like telnet/SSH?

One more basic query: is setting up a VLAN to restrict communication between the PCs connected to the switch possible on an unmanaged switch, or does it require a managed switch?
Or is it possible to set a VLAN on the router port where the switch is connected and set the corresponding VLAN on the connected PCs? In such a case, if the webserver is not part of that VLAN, will it be able to communicate with these PCs?


Actually I have a requirement to
- Connect via FTP/SSH to one additional PC in my home network other than my webserver
- For the rest of the PCs I don't want any illegal access from the outside world, for security purposes


Thanks in advance
 
- On the router I need to enable port forwarding for HTTP towards the webserver... is that right?
ONLY if you expect public Internet access into your server - - and that may violate your ISP license.
- Would all the PCs connected to the switch have local IPs assigned by the router, or can I assign them static IPs myself if I don't want them to change every time I reboot them?
Use DHCP for the PCs normally, but if you have other requirements for fixed addresses, then I would google for Address Reservation to allow the router to control everything :)
- If I want one of the PCs behind the switch to be accessible from the external network, what do I do? Do I have to connect it to the router directly and then allow port forwarding for a service like telnet/SSH?
1) The switch has no IP address, so where things are connected is not an issue.

2) Allowing both external and internal access to your LAN can be done - - but you need tight controls for the routing, IP address assignments, and a firewall that you can get absolute control of. And you know that creates an exposure for you.

Port forwarding requires that the target PC have a static address AND have its firewall opened for those ports.
One more basic query: is setting up a VLAN to restrict communication between the PCs connected to the switch possible on an unmanaged switch, or does it require a managed switch?
Or is it possible to set a VLAN on the router port where the switch is connected and set the corresponding VLAN on the connected PCs? In such a case, if the webserver is not part of that VLAN, will it be able to communicate with these PCs?
Actually I have a requirement to
- Connect via FTP/SSH to one additional PC in my home network other than my webserver
SSH does both, but if you need FTP & SSH, write separate rules in the system that uses them:
Code:
allow in tcp from=any ports 20,21,22
allow out tcp to=any ports 20,21,22
- For the rest of the PCs I don't want any illegal access from the outside world, for security purposes
Assume your router (and that subnet) is on 192.168.1.1.
The default rule in a firewall is deny all new inbound connections.
So to allow, say, file/print sharing between, and only between, your systems on 192.168.1.*,
the firewall rule would be (in every system)
  • allow in tcp/udp from 192.168.1.*
All systems can access the Internet via the router (i.e. outbound), but only local LAN systems can access one another.

You do not need an expensive managed switch.
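The per-PC rules jobeard describes above (deny all new inbound by default, allow TCP/UDP from 192.168.1.*, and on the one exposed PC also accept FTP/SSH from anywhere), written out as an iptables script for a Linux PC. This is an added example, not code from jobeard or anyone else in the thread; the 192.168.1.0/24 subnet, the DRY_RUN/EXPOSED/EXPOSED_PORTS switches, the `show`/`apply` arguments and the file name host-fw.sh are this example's own assumptions.

```shell
#!/bin/sh
# Per-PC inbound firewall for the LAN in this thread (Linux iptables, IPv4).
# Policy: deny all new inbound connections by default, allow TCP/UDP from the
# local subnet, and on the one PC reachable from outside also accept
# FTP/SSH (20, 21, 22) from any source.
# Assumptions (this example's, not from the posts): subnet 192.168.1.0/24,
# and the DRY_RUN / EXPOSED / EXPOSED_PORTS knobs below.
set -eu

LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
EXPOSED="${EXPOSED:-0}"               # set to 1 only on the FTP/SSH PC
EXPOSED_PORTS="${EXPOSED_PORTS:-20,21,22}"
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the iptables commands instead of running them

# Execute a command, or print it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# host_firewall LAN_SUBNET EXPOSED [PORTS]
host_firewall() {
    lan="$1"; exposed="$2"; ports="${3:-20,21,22}"

    # Fresh INPUT chain with a deny-by-default policy. Outbound stays open,
    # which is what lets every PC reach the Internet through the router.
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, and replies to connections this PC started itself.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # "allow in tcp/udp from 192.168.1.*": file/print sharing only among LAN PCs.
    run iptables -A INPUT -s "$lan" -p tcp -j ACCEPT
    run iptables -A INPUT -s "$lan" -p udp -j ACCEPT
    run iptables -A INPUT -s "$lan" -p icmp -j ACCEPT

    # Only the PC the router forwards FTP/SSH to opens those ports to the world.
    # A port forward on the router is not enough on its own: without this rule
    # the forwarded packets are dropped here by the INPUT policy.
    if [ "$exposed" = "1" ]; then
        run iptables -A INPUT -p tcp -m multiport --dports "$ports" \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
}

# Number of rules in the generated set that open ports to any source address.
# A PC that is not the exposed one must report 0.
world_open_rules() {
    ( DRY_RUN=1; host_firewall "$1" "$2" "${3:-20,21,22}" ) | grep -c -- '--dports' || true
}

case "${1:-}" in
    show)  DRY_RUN=1; host_firewall "$LAN_SUBNET" "$EXPOSED" "$EXPOSED_PORTS" ;;
    apply) host_firewall "$LAN_SUBNET" "$EXPOSED" "$EXPOSED_PORTS" ;;
esac
```

Run `sh host-fw.sh show` to print the rules it would load, then `sudo sh host-fw.sh apply` to load them; on the FTP/SSH PC prefix with `EXPOSED=1`. Windows PCs get the same policy through the built-in firewall's per-rule remote address scope rather than iptables.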
 
Excellent and thorough response, jobeard. I usually get too lazy to post so completely as you just did. As jobeard said, try to use DHCP static reservations for the machines that will stay on your network; that way you can just leave them set to DHCP but they'll always receive the same IP addresses.

One note: If you plan to do large file or application hosting from your webserver to your local network you might want to connect the webserver to the switch instead of the router, unless the router also has Gb ports.
 
I did something similar to this once; I just used 2 wireless hubs and bridged the connections. You will only need Cat5e too, btw :)
 
ONLY if you expect public Internet access into your server - - and that may violate your ISP license.


Thanks a lot, jobeard, for clarifying so many of my doubts and queries; I'll keep them in mind while setting it up.

Only I couldn't get what you meant by the above. If I have a static IP from my ISP for my webserver there should not be any such issue, I suppose; let me know if I am getting you right.
 
I did something similar to this once; I just used 2 wireless hubs and bridged the connections. You will only need Cat5e too, btw :)


Thanks CJ, I just read that Cat6 would be more future-ready, so I thought if it does not cost much more than Cat5e I would go for that. Fine, for Gb Ethernet Cat5e would also do. I'll check what suits my budget.

Thanks
 
Excellent and thorough response, jobeard. I usually get too lazy to post so completely as you just did. As jobeard said, try to use DHCP static reservations for the machines that will stay on your network; that way you can just leave them set to DHCP but they'll always receive the same IP addresses.

One note: If you plan to do large file or application hosting from your webserver to your local network you might want to connect the webserver to the switch instead of the router, unless the router also has Gb ports.


That looks like a good idea; I didn't think of it. I was thinking to connect the webserver directly and the others via the switch. Good point, thanks, I'll do that.
 
ONLY if you expect public Internet access into your server - - and that may violate your ISP license.

Thanks a lot, jobeard, for clarifying so many of my doubts and queries; I'll keep them in mind while setting it up.

Only I couldn't get what you meant by the above. If I have a static IP from my ISP for my webserver there should not be any such issue, I suppose; let me know if I am getting you right.
Hmm; I was thinking that you need
  • a domain name,
  • to have it registered, and then
  • an ISP to agree to host your site, OR
  • to agree to have your connection become the IP address associated with your domain name.
This would assure you that the ISP would not close you down using nasty EULA terms & conditions - - q.e.d. they would have known all along what you were doing. If you have a domain name, then ping my-domain-name will show packets going to your existing static IP address :)

Yes, a domain name has a static IP address, but by itself a static address does not assure you of anything (see, from here I can't tell how you got it nor the EULA associated with it).
 
So based on all your inputs I think either of the below configurations would work fine for me.

**Configuration 1**

Code:
Modem<--->Router<---Port1--->Switch <--P1-->Webserver  (192.168.x.11)
                <---Port2--->        <--P2-->backendmc1 (192.168.x.12)
                <---Port3--->        <--P3-->backendmc2 (192.168.x.13)
                <---Port4--->        <--PX-->backendmc3 (192.168.x.14) (FTP Server)

**Configuration 2**

Code:
Modem<--->Router<---Port1--->Webserver (192.168.x.11)
                <---Port2--->Switch <--P1-->Webserver  (192.168.x.12)
                <---Port3--->        <--P2-->backendmc1 (192.168.x.13)
                <---Port4--->        <--P3-->backendmc2 (192.168.x.14)
                                     <--PX-->backendmc3 (192.168.x.15) (FTP Server)

On the router, I can set up the following:

Code:
Service   Start Port   End Port   Server IP address
HTTP      80           80         192.168.x.11
FTP       21           21         192.168.x.14

Allow in tcp/udp from 192.168.1.* on the backend machines' firewalls, except the one where I want to connect via FTP from PCs outside my network.

Config 1 would allow faster communication with the webserver via the Gb switch.

Thanks everybody for sharing your views and helping me out.

I will be buying some hardware soon and will try all this. I have shortlisted the following hardware from Netgear:
- RP614v4: 4-port cable or DSL router with 10/100 Mbps switch
- GS108: 8-port copper gigabit switch, 10/100/1000 Mbps

Let me know if you have any recommendations for the same. As I don't see a use for wireless, I would prefer a wired router.

Thanks again
 
One note: If you plan to do large file or application hosting from your webserver to your local network you might want to connect the webserver to the switch instead of the router, unless the router also has Gb ports.
Kind of nit-picking here, so excuse me. Networking is exactly like the adage "The chain is only as strong as the weakest link".
Between any two points, the slowest component determines the bandwidth to be seen. So if we expect gigabit (Gb) throughout our LAN, then every component will need Gb capability. On the other hand, if we only expect Gb between our client PCs, then only they need a Gb hub or switch. This is frequently all moot, as our ISP gateway connection can throttle us, or may even enforce a QoS metric on our connection.

IMO, a home LAN subnet will perform nicely with a 10/100 connection throughout, and only a Domain Controller environment (aka corporate users) needs better, due to many more systems on the subnet. Just my $0.02.
 
Code:
Service   Start Port   End Port   Server IP address
HTTP      80           80         192.168.x.11
FTP       21           21         192.168.x.14

For the webserver, you might as well add 80 and 443, and consider port 8080 if you intend to use JCP or Java.

FTP will also need 20 and 21 (it can use both), and adding port 22 will enable SSH when/if you elect to be more secure.
 
I do something sort of similar to what you're asking for on my home network:
http://www.duke.edu/~mepm/Computers/HomeNetwork.html
In this image Cauldron is both my internal webserver and my external SSH server. I have SSH opened up to a very specific set of external IPs to help minimize my exposure to the world. HTTP is only open to 192.168, but I could just as easily open it up to the world by forwarding all port 80 traffic to Cauldron. I occasionally open up RDP to BeefyArm, but I really don't need to with SSH available on the network. You can always tunnel anything you need through there.
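The router side of the same setup, as an added example that is not code from any post in this thread: the port-forwarding table Hungry Mind sketched (80 to the webserver, 21 to the backend PC), jobeard's note on ports 443 and 20/21/22, and mepm's restriction of SSH to a specific set of external IPs, expressed as iptables rules for a Linux box acting as the router. Interface names, the 192.168.1.x addresses (the thread writes 192.168.x) and the 203.0.113.5 source address are assumptions. One caveat a practitioner would want: active-mode FTP data connections originate from the server's port 20 outward, so only 21 needs an inbound forward; passive mode needs the server's passive port range forwarded instead. A consumer router does the same thing through its port-forwarding page, minus the source restriction unless the firmware offers it.

```shell
#!/bin/sh
# Router-side port forwarding for the layout in this thread (Linux iptables, IPv4).
# Forwards 80/443 to the webserver and FTP to the backend PC, and exposes SSH on
# that same PC only to a short list of external addresses.
# Assumptions (this example's, not from the posts): interface names, the
# 192.168.1.x addresses, and 203.0.113.5 as the permitted SSH source.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # toward the modem
LAN_IF="${LAN_IF:-eth1}"              # toward the switch
WEB_IP="${WEB_IP:-192.168.1.11}"
FTP_IP="${FTP_IP:-192.168.1.14}"
SSH_FROM="${SSH_FROM:-203.0.113.5}"   # space-separated IPs/CIDRs allowed to reach SSH
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# forward_port PROTO PORT DEST_IP [SOURCE]
# DNAT packets arriving on the WAN side for PORT to DEST_IP and let them through
# FORWARD. With SOURCE set, only that address/CIDR can use the forward; this is
# how SSH stays off the open Internet while HTTP remains reachable by anyone.
forward_port() {
    proto="$1"; port="$2"; dest="$3"; src="${4:-}"
    srcopt=""
    if [ -n "$src" ]; then srcopt="-s $src"; fi
    # $srcopt is left unquoted on purpose so it splits into "-s" and the address.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" $srcopt -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$dest"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" $srcopt -p "$proto" \
        -d "$dest" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# router_forwarding WEB_IP FTP_IP "SSH_SOURCE ..."
router_forwarding() {
    web="$1"; ftp="$2"; ssh_sources="$3"

    run sysctl -w net.ipv4.ip_forward=1
    # Deny forwarding by default; allow LAN -> Internet and the replies back in.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Webserver: HTTP and HTTPS from anywhere (add 8080 only if something listens there).
    for p in 80 443; do forward_port tcp "$p" "$web"; done

    # FTP control channel. Active-mode data connections go out from the server's
    # port 20, so they need no inbound forward; passive mode needs the server's
    # passive port range forwarded the same way as 21.
    forward_port tcp 21 "$ftp"

    # SSH on the same backend PC, but only from the listed external addresses.
    for src in $ssh_sources; do forward_port tcp 22 "$ftp" "$src"; done
}

# Number of DNAT rules in the generated set: a quick review of what is exposed.
dnat_rule_count() {
    ( DRY_RUN=1; router_forwarding "$1" "$2" "$3" ) | grep -c 'DNAT' || true
}

case "${1:-}" in
    show)  DRY_RUN=1; router_forwarding "$WEB_IP" "$FTP_IP" "$SSH_FROM" ;;
    apply) router_forwarding "$WEB_IP" "$FTP_IP" "$SSH_FROM" ;;
esac
```

`sh router-fw.sh show` prints the rule set for review; `sudo sh router-fw.sh apply` loads it (file name assumed). Each forwarded port still has to be opened in the destination PC's own firewall, as jobeard notes, or the packets are dropped after the DNAT.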
 
Thanks for pointing out 8080, 443 and 20.

Code:
Service   Start Port   End Port   Server IP address
HTTP      80           80         192.168.x.11
FTP       21           21         192.168.x.14

For the webserver, you might as well add 80 and 443, and consider port 8080 if you intend to use JCP or Java.

FTP will also need 20 and 21 (it can use both), and adding port 22 will enable SSH when/if you elect to be more secure.
 
That's a pretty big network you have at home.

By the way, at what points do you control these things?
- SSH for limited IPs: is it on all the machines/systems themselves, or at some common point in the network?
- HTTP is only open to 192.168?

Have you also used HAProxy or any other load balancer for diverting traffic to two instances of your webserver?

"I have ssh opened up to a very specific set of external IPs to help minimize my exposure to the world. HTTP is only open to 192.168 but I could just as easily open it up to the world by forwarding all port 80 traffic to Cauldron"
 
Yeah, my network gets a bit of a workout, and this doesn't even include many other mobile devices like my kids' DSs, PSP, etc.

As far as restricting services, I've used a combination of restricting at the NAT as well as using iptables. Even though it's on my home network, I still run with my local firewalls on and open up only the necessary ports on each machine. This helps me stay on top of the traffic within my network (just remembering what's going on can be a challenge) as well as limit the immediate exposure in case anyone does manage to get into my wireless network. I also worry about that exposure because I have a single r/w scratch space on my fileserver that is accessible to all of the accounts on my entire network (all family members can drop files here). I keep a close eye on this share, but you still never know. For a long time I only had WEP encryption for my wireless, even after WPA had become commonplace in the consumer market, so I was always fearful of being compromised.
 
Thanks everyone. I have my network up and running.
Got a Cisco router (300 Mbps) and a gigabit switch from Netgear, Cat6 cables... everything working perfectly.
 