Networking Forums

need network setup suggestions

 
 
Qiang
12-09-2003, 02:19 AM
Hello.

I am just moving into a house that has high-speed internet ready. A router
in front enables all the machines in the house to get online.

Now, I have a small network consisting of 5 computers (running
DNS, mail, web servers etc.). I want to put it behind another router to
separate it from the rest of the computers in the house.

By doing it this way, I realized that all traffic will be NATed twice
by the time it reaches the internet (or is reached from outside). It
sounds like too much complexity to me. What about internet speed and
efficiency?

I know I could just get away with a switch and merge my little network
with the house's own. But is there something better than that?

I hope it's nothing but me worrying too much, but I need someone to
clarify it for me.

Oh, how much difference is there between a software router and a
hardware router? I have a machine that is functioning as a
router/firewall for my network already. But a hardware router is much
easier to set up and maintain, though.

Many thanks!

Qiang.
 
Leon.
12-09-2003, 03:13 AM
Hello Qiang.

You are correct.
You could just join everything with a switch, but then it's one network.
You could use a NAT firewall, but then it is NAT twice. It does work, but it's
a bit of a pain.

You could use a proxy server instead of NAT, but proxies are a pain.


Does the existing router have the ability to route?
If so, you can create a 2nd network and then the route can go via your Linux
box, or another router.

If the internet router cannot have routes added, then you can use Linux as
the router between the home and your secure server LAN. The network range
would be the same, so that the internet router can talk to all machines.
The trick to achieve this is proxy ARP.

An ASCII picture ...
Internet <> Internet Router <> Home network <> Linux firewall <> server network

By using proxy ARP, the Linux firewall is acting a bit like a bridge - but
the firewall is in effect and you can control all access to the other server
machines. Proxy ARP just means adding an 'arp' entry for the machines behind
the Linux firewall. The rules will tell machines on the home network that
the hardware (MAC) address for all machines on the server network is the
hardware/MAC address of the ethernet card on the Linux firewall on the home
network... Because of the ARP protocol, the home network and the internet
router discover that they should send all packets for the server network to
the Linux firewall... And note that to achieve this, the server network
must be a subnet of the home network (e.g. use addresses 192.168.1.0 ->
192.168.1.128 with netmask 255.255.255.0 for the home network, and
192.168.1.129 -> 192.168.1.144, with netmask 255.255.255.196 for the server
network). And also note that broadcasts won't work between the servers and
between server and home network. That means that Windows machines won't
discover shares and CUPS won't discover printer servers. They will just have
to be added manually.


The far easier way is to use two totally separate networks, and use a
router between them (some little box firewall/router, or Linux on a PC or
something), and just route between the two networks. But if the internet
access device is crippled it won't be able to deal with two local networks.
 
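The proxy-ARP layout described in the reply above, worked through as an added example that is not part of the thread: it checks an address plan and returns the commands for the Linux firewall. The /28 server block (netmask 255.255.255.240, chosen because a netmask must be a contiguous run of one-bits), the interface names eth0/eth1, the firewall addresses and the allowed TCP ports are all assumptions.

```python
import ipaddress

def plan_proxy_arp(home_cidr, server_cidr, fw_home_ip, fw_server_ip,
                   home_if="eth0", server_if="eth1", tcp_ports=(25, 53, 80)):
    """Check a proxy-ARP address plan and return the firewall's setup commands.

    Interface names, addresses and ports are assumptions for illustration.
    """
    # ip_network() rejects non-contiguous masks and blocks with host bits set.
    home = ipaddress.ip_network(home_cidr)
    server = ipaddress.ip_network(server_cidr)
    # Home hosts keep the wide mask, so they ARP for server addresses directly
    # instead of using a gateway; that only works if the block is inside home.
    if server == home or not server.subnet_of(home):
        raise ValueError(f"{server} must be a smaller block inside {home}")
    fw_home = ipaddress.ip_address(fw_home_ip)
    fw_server = ipaddress.ip_address(fw_server_ip)
    if fw_home not in home or fw_home in server:
        raise ValueError("home-side firewall address must be in home, "
                         "outside the server block")
    hosts = list(server.hosts())
    if fw_server not in hosts:
        raise ValueError("server-side firewall address must be a host "
                         "address in the server block")
    ports = ",".join(str(p) for p in tcp_ports)
    commands = [
        "sysctl -w net.ipv4.ip_forward=1",
        # The connected route on server_if is more specific than home's route.
        f"ip addr add {fw_server}/{server.prefixlen} dev {server_if}",
        # Answer ARP on the home side for addresses routed out another interface.
        f"sysctl -w net.ipv4.conf.{home_if}.proxy_arp=1",
        # Default-deny forwarding, then open only what the servers need.
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {server_if} -o {home_if} -s {server} -j ACCEPT",
        f"iptables -A FORWARD -i {home_if} -o {server_if} -d {server} "
        f"-p tcp -m multiport --dports {ports} -j ACCEPT",
    ]
    return {"server_hosts": [str(h) for h in hosts if h != fw_server],
            "server_gateway": str(fw_server), "commands": commands}


if __name__ == "__main__":
    plan = plan_proxy_arp("192.168.1.0/24", "192.168.1.128/28",
                          "192.168.1.2", "192.168.1.129")
    print("\n".join(plan["commands"]))
```

In this plan the servers use netmask 255.255.255.240 with the returned `server_gateway` as their default gateway, while the home machines and the internet router keep 255.255.255.0 unchanged.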
Bill Davidsen
12-09-2003, 03:15 AM
Qiang wrote:
> Hello.
>
> I am just moving into a house that has high-speed internet ready. A router
> in front enables all the machines in the house to get online.
>
> Now, I have a small network consisting of 5 computers (running
> DNS, mail, web servers etc.). I want to put it behind another router to
> separate it from the rest of the computers in the house.
>
> By doing it this way, I realized that all traffic will be NATed twice
> by the time it reaches the internet (or is reached from outside). It
> sounds like too much complexity to me. What about internet speed and
> efficiency?
>
> I know I could just get away with a switch and merge my little network
> with the house's own. But is there something better than that?
>
> I hope it's nothing but me worrying too much, but I need someone to
> clarify it for me.
>
> Oh, how much difference is there between a software router and a
> hardware router? I have a machine that is functioning as a
> router/firewall for my network already. But a hardware router is much
> easier to set up and maintain, though.


Go on the assumption that all routers are software, some just come with
it installed. Unless you spend big bucks the little box you get is just
a few NICs and a bit of software. If you trust yourself you run Linux on
a dedicated box and write your own firewall and router rules. If you
don't want to learn that, or from experience know that isn't your strong
point, buy something. Just remember that the "hardware router" can have
bugs and hack points as well.

Does the router which came with the house have firewall capabilities? I
wouldn't put anything on the net without protection these days, there
are just too many bad guys out there.

--
bill davidsen <(E-Mail Removed)>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979

 
Qiang
12-10-2003, 12:55 AM
> Does the existing router have the ability to route?
> If so, you can create a 2nd network and then the route can go via your Linux
> box, or another router.


I am not sure what you mean here. The router in front is an SMC 5-port
router. What do you call this router ability? I can look it up in the
manual, but I doubt it does that because this is a cheap router ($40).

>
> If the internet router cannot have routes added, then you can use Linux as
> the router between the home and your secure server LAN. The network range
> would be the same, so that the internet router can talk to all machines.
> The trick to achieve this is proxy ARP.
>
> An ASCII picture ...
> Internet <> Internet Router <> Home network <> Linux firewall <> server network
>
> By using proxy ARP, the Linux firewall is acting a bit like a bridge - but
> the firewall is in effect and you can control all access to the other server
> machines. Proxy ARP just means adding an 'arp' entry for the machines behind
> the Linux firewall. The rules will tell machines on the home network that
> the hardware (MAC) address for all machines on the server network is the
> hardware/MAC address of the ethernet card on the Linux firewall on the home
> network... Because of the ARP protocol, the home network and the internet
> router discover that they should send all packets for the server network to
> the Linux firewall... And note that to achieve this, the server network
> must be a subnet of the home network (e.g. use addresses 192.168.1.0 ->
> 192.168.1.128 with netmask 255.255.255.0 for the home network, and
> 192.168.1.129 -> 192.168.1.144, with netmask 255.255.255.196 for the server
> network). And also note that broadcasts won't work between the servers and
> between server and home network. That means that Windows machines won't
> discover shares and CUPS won't discover printer servers. They will just have
> to be added manually.
>


Thanks for going into so much detail. I need to go look up my TCP/IP Volume
1 for this proxy ARP thing again.

> The far easier way is to use two totally separate networks, and use a
> router between them (some little box firewall/router, or Linux on a PC or
> something), and just route between the two networks. But if the internet
> access device is crippled it won't be able to deal with two local networks.
>


If I understand you correctly, this requires 3 ethernet cards on the
Linux router, with one card connected to the cable modem. This way sounds
much easier! I can utilize my spare hub for the rest of the house, and
a switch for my little LAN.

If I could do it the ways you described, I will face rearranging the holy
messy wires.


Thanks for the ideas!


Qiang.
 