linux home gateway/firewall/webserver recommendation

jessekopelman
Posts: 1406
Joined: Tue Feb 13, 2007 7:28 pm
Location: USA

Post by jessekopelman » Sat May 23, 2009 11:19 pm

Monkeh16 wrote: I'd really like to see a working setup as you've just described. One which doesn't take hours of fiddling to make two DHCP servers (WAN and LAN) co-exist on the same dumb switch.

Meanwhile, I'll go back to using two NICs...
Two DHCP servers are not coexisting on the switch. The switch must have a hard IP address. A local IP address, mind you. The external IP address provided by your ISP is not assigned to the switch, it is assigned to the router. The router is the gateway device on your network, not the switch. It doesn't matter that the WAN is connected to the switch and not the router directly, because the switch is just a bridge. It just passes the packets along, it doesn't make any decisions about where they should go. All decisions are made by the router using static routing tables.

jessekopelman
Posts: 1406
Joined: Tue Feb 13, 2007 7:28 pm
Location: USA

Post by jessekopelman » Sat May 23, 2009 11:53 pm

ghatothkach wrote: jessekopelman:
Can you please post links to some of the switches which can do what you are saying you can do.
Well, let me make one correction to what I said in one of the posts: you aren't going to be able to assign IP addresses based on switch port. I got too caught up in what I was trying to describe and didn't pay enough attention to what I was actually writing. Other than that, I was just talking about using a switch as an Ethernet bridge, and any switch can do that.
ghatothkach wrote: I need to run 3 networks on the 3 different ports I am looking at
eg port 1=> 10.10.10.0/24
port2 => 192.168.10.0/24
port3=> DHCP client on ISP network

I don't see how I can do this using a single-port Ethernet on a Linux computer and a consumer network switch...
I don't see the problem. The switch is just a bridge, it just passes stuff along. The ISP network is connected to the switch, but all packets are just passed to your router. The router requests an IP from the ISP's DHCP server and it is passed through the switch back to the router. A device on your LAN requests 10.10.10.0/24 and it is passed through the switch to your router. Same with a request for 192.168.10.0/24. Now you may not be able to isolate your networks by Ethernet port, since you won't actually know what switch port a device is connected to, but you will be able to use MAC addresses to control what IP address a device is assigned and you will be able to control what networks a given IP address can communicate with via routing.
ghatothkach wrote: Next I will have to configure shorewall (www.shorewall.net). If you read through some of the documentation, I need to configure 3 interfaces with the software and set up the configuration. I am unable to understand how I will see the 3 or 4 interfaces on the consumer switch visible on the Linux computer... which has only one interface...
Well, I am talking about routing by IP address, not physical interface. If you absolutely have to do control by physical interface, then my solution will not work. That said, the routing solution I propose seems to be fully supported by Shorewall -- look at this. I believe the same can be said for pretty much every popular firewall package.

Monkeh16
Posts: 507
Joined: Sun May 04, 2008 2:57 pm
Location: England

Post by Monkeh16 » Sun May 24, 2009 7:00 am

jessekopelman wrote: The switch is just a bridge, it just passes stuff along. The ISP network is connected to the switch, but all packets are just passed to your router.
Yes, it passes the DHCP requests from your clients along to the modem. This is... not wanted behaviour.

dimach
Posts: 4
Joined: Thu Apr 30, 2009 1:10 am
Location: uk

Post by dimach » Wed May 27, 2009 12:19 am

ghatothkach wrote:
dimach wrote: If you like OpenWRT, the Ubiquiti RouterStation Pro is just for you!
Thanks for the link... I will look into it... The price is right, so is the CPU speed. Not yet sure if I can install a HDD on to the board... but I guess it will work through the USB... Also I will have to host my www server elsewhere, as this is a perfect router board but may not be powerful enough for a webserver; definitely better than the NSLU2, though.

Ghat
You can get mini-PCI IDE or SATA cards. I've a need for PCI slots, so I can't use it, unfortunately.

jessekopelman
Posts: 1406
Joined: Tue Feb 13, 2007 7:28 pm
Location: USA

Post by jessekopelman » Sat May 30, 2009 12:59 pm

Monkeh16 wrote:
jessekopelman wrote: The switch is just a bridge, it just passes stuff along. The ISP network is connected to the switch, but all packets are just passed to your router.
Yes, it passes the DHCP requests from your clients along to the modem. This is... not wanted behaviour.
You are correct. I wasn't thinking this through properly. A single-port router really only works for an all-static IP configuration. DHCP is probably too useful to live without, so that consigns my idea to niche implementations. Oh well... I guess if you want to build your own router you just got to pony up for a board with two Ethernet ports. Thanks for setting me straight.

funklizard
Posts: 40
Joined: Wed Aug 26, 2009 1:09 pm
Location: Fairfax, VA

Re: linux home gateway/firewall/webserver recommendation

Post by funklizard » Sun Aug 30, 2009 8:17 pm

ghatothkach wrote: I was looking for a mini-ITX or smaller system which has at least 3 GbE ports (overall) and a mini-PCIe slot, where I can attach an Atheros 802.11n card later...
The MSI Fuzzy 945GME2 looks like it might be another option for you.

No mini-PCIe; but it does manage to cram in a PCI slot, a PCIe x16 slot, and a PCIe x1 slot.

pacella
Posts: 1
Joined: Thu Nov 12, 2009 3:16 am
Location: CHANDANNAGORE

Post by pacella » Sat Nov 14, 2009 2:27 am

Can you run Windows Firewall alongside the McAfee firewall, or is it detrimental to the operation of the system? I have the Windows XP firewall running alongside my McAfee firewall and associated products. By running 2 firewalls alongside each other, is it to the detriment of the system?
Last edited by pacella on Fri Nov 20, 2009 11:36 pm, edited 1 time in total.

yoitsmeremember
Posts: 42
Joined: Sat Sep 01, 2007 4:18 am
Location: earth

Post by yoitsmeremember » Fri Nov 20, 2009 8:59 am

This is quite the thread! Allow me to weigh in on a few things...

@jessekopelman/Monkeh16
Managed switches, especially 100mbit, are very easy to come by. I'm in the business so I get some (HP 2424M) from contacts I know, but some I pick up as the local college/businesses upgrade their network and hand off the old switches to surplus outlets (HP 4000M + modules, BayStack 350T, and a couple Cisco 10mbit). Sure, they don't have anywhere near the protocol support that a modern, more expensive switch has (even my Powerconnect 5324 puts it to shame), but they usually have the things you need to run a decent home network (link aggregation, spanning tree, and of course, VLAN support).

@zprst
I am surprised you don't like the Via. I don't have that particular model, but I own two EPIA boards (one is a C3, the other is a C7) and they have worked almost flawlessly. There was an issue with VLAN tagging on the C7 machine being sent in the wrong endian (VT6122 controller), but a quick PR to the FreeBSD team got that fixed right away. It runs with 9K jumbo frames, hardware VLAN tagging, polling, etc., with no issues. The SN10000EG does use a different controller (VT6130), and I don't run Linux, so I can't comment on that particular situation, but these boards have been amazing for me, particularly for their hardware crypto.

Monkeh16
Posts: 507
Joined: Sun May 04, 2008 2:57 pm
Location: England

Post by Monkeh16 » Fri Nov 20, 2009 2:20 pm

yoitsmeremember wrote: This is quite the thread! Allow me to weigh in on a few things...

@jessekopelman/Monkeh16
Managed switches, especially 100mbit, are very easy to come by. I'm in the business so I get some (HP 2424M) from contacts I know, but some I pick up as the local college/businesses upgrade their network and hand off the old switches to surplus outlets (HP 4000M + modules, BayStack 350T, and a couple Cisco 10mbit). Sure, they don't have anywhere near the protocol support that a modern, more expensive switch has (even my Powerconnect 5324 puts it to shame), but they usually have the things you need to run a decent home network (link aggregation, spanning tree, and of course, VLAN support).
100Mbit, yes. Gigabit is much harder (to the tune of several hundred pounds). And if you want to mix MTUs in a simple manner, you can tack another 50% on that for a layer-3 switch.

yoitsmeremember
Posts: 42
Joined: Sat Sep 01, 2007 4:18 am
Location: earth

Post by yoitsmeremember » Sat Nov 21, 2009 12:15 pm

Monkeh16 wrote: 100Mbit, yes. Gigabit is much harder (to the tune of several hundred pounds). And if you want to mix MTUs in a simple manner, you can tack another 50% on that for a layer-3 switch.
Yes, but very, very few home networks need a gigabit switch. Also, the OP was running a Linux router, so an L3 switch isn't necessary.
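Added example, not posted by anyone in this thread: the way the one-NIC idea from jessekopelman's posts actually becomes workable once a managed switch with VLAN support (yoitsmeremember's point) replaces the dumb switch. Each of ghatothkach's three networks gets its own 802.1Q VLAN on the trunk port, so LAN DHCP broadcasts never reach the modem port, which was Monkeh16's objection. The script also emits a dnsmasq fragment with the MAC-to-address pinning jessekopelman described; since a MAC is trivially changed, that pinning is a convenience, and the VLAN plus the FORWARD policy are the actual boundary. Everything here is assumed: the trunk NIC name eth0, VLAN IDs 99/10/20, the router addresses, the sample MAC, and the use of iptables, dhclient and dnsmasq. DRY_RUN=1 (the default) prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): one-NIC Linux router on a VLAN trunk.
# Hypothetical layout: VLAN 99 = ISP/modem port (DHCP client),
# VLAN 10 = 10.10.10.0/24, VLAN 20 = 192.168.10.0/24, trunk NIC eth0.

: "${DRY_RUN:=1}"
TRUNK=eth0

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a tagged sub-interface and give it the router's address on that VLAN.
# add_vlan <vid> <cidr|dhcp>
add_vlan() {
    vid=$1; addr=$2
    run ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
    run ip link set "$TRUNK.$vid" up
    if [ "$addr" = dhcp ]; then
        run dhclient "$TRUNK.$vid"      # WAN side: take a lease from the ISP
    else
        run ip addr add "$addr" dev "$TRUNK.$vid"
    fi
}

# Forwarding policy: each LAN may reach the WAN, the LANs may not reach each
# other, and nothing new may enter from the WAN. Replies pass by conntrack state.
# firewall <wan-if> <lan-if>...
firewall() {
    wan=$1; shift
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for lan in "$@"; do
        run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# dnsmasq fragment for one VLAN. dhcp-host pins a MAC to a fixed address;
# the MAC can be changed by the client, so this is not access control.
# dnsmasq_conf <if> <range-start> <range-end> [mac=ip ...]
dnsmasq_conf() {
    ifc=$1; first=$2; last=$3; shift 3
    printf 'interface=%s\n' "$ifc"
    printf 'dhcp-range=%s,%s,12h\n' "$first" "$last"
    for pin in "$@"; do
        printf 'dhcp-host=%s\n' "$(printf '%s' "$pin" | tr = ,)"
    done
}

main() {
    add_vlan 99 dhcp
    add_vlan 10 10.10.10.1/24
    add_vlan 20 192.168.10.1/24
    firewall "$TRUNK.99" "$TRUNK.10" "$TRUNK.20"
    # Constructed sample MAC for the pinning example.
    dnsmasq_conf "$TRUNK.10" 10.10.10.100 10.10.10.199 \
        00:11:22:33:44:55=10.10.10.50
    dnsmasq_conf "$TRUNK.20" 192.168.10.100 192.168.10.199
}

main
```

The switch side is the other half: the modem's port is an untagged member of VLAN 99 only, the LAN ports are untagged members of 10 or 20, and the router's port carries all three tagged. With that in place the ISP's DHCP server only ever sees the router's request on VLAN 99, and a host on VLAN 10 cannot even see a host on VLAN 20 at layer 2, so the FORWARD rules are the only path between them.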
