prg
Guest
Posts: n/a
upro wrote:
> I have a problem - so many questions and no one there with whom to
> discuss them:
>
> I have a very nice quality server ...

What are the specs on the server, ie., cpu, ram, hard disks, raid, nic(s), etc.

> ... and around 50 clients in my
> school. At that moment the setup is quite nothing: All machines are
> connected to hubs/switches, ...

Hubs and switches are very different beasts when connecting computers. Use no hubs if possible and if you must use them put the least used/needed machines on them and as "far away" from the server and firewall as possible (drop them from "leaf" switches). You need to preserve as much bandwidth for "good" use as possible. Check that all nics are operating at full capabilities (100 Mbps-full duplex?). Could you provide an ascii art diagram of your network layout. Or a "real" diagram on a web page?

> ... which are connected to the DSL modem.

What is the connection speed?

> This goes also for the server. User authentication goes by one
> central user account, which is set up on all machines. No networking
> here.
>
> What I want is:
>
> 1) Connect the server only to the DSL modem, and through my 2nd
> Network card all hubs and switches to my server and serve dhcp.

This is an edge position suitable for a router/firewall -- something you _definitely_ need. It is _not_ a good place for an internal server, especially a dhcp or file server. And think twice about using dhcp until you get the network design/layout working. 55 static IPs are not that onerous and will save you initial headaches -- many headaches.

Do you provide any public services, eg., web server? You will need to set up a dmz from a third nic on the firewall.

> 2) Get dhcp to run. I have tried the following rules:

Which dhcp server are you using? ISC's? Which dhcp client(s)?

Is below the complete contents of the dhcpd.conf file?

> ddns-update-style none;
> default-lease-time 86400;

You might want your default to be shorter -- say the length of a school day. 8 hours=28800. 86400=24 hours. It forces clients to attempt renewal at 4 hours. Depends on your needs.
http://www.j51.com/~sshay/tcpip/dhcp/dhcp.htm

> max-lease-time 86400;
> subnet 10.0.1.0 netmask 255.255.255.0 {
> #subnet 192.168.2.0 netmask 255.255.255.0 {
> range 10.0.1.10 10.0.1.220;
> option domain-name "www.waldorf.lu";

This is _not_ a domain name -- it's a DNS entry/name of a host running httpd on port 80. Its domain is waldorf.lu. Likely not what you want to do for internal machines. Give them a separate domain name.

You might also want to revert to the 192.168.0.0 addressing -- there is no magic and some gotchas that might accompany your use (misconfiguration) of 10.0.0.0/24. The "normal" tools will default to "classful" netmasks if you forget, eg. 10.0.0.0/8 instead of 10.0.0.0/24 ;(

> option domain-name-servers 194.154.192.101, 194.154.192.102;

Provided by ISP?

> option netbios-name-servers 10.0.1.1;
> option netbios-node-type 8;

Is this a Samba server?

> option subnet-mask 255.255.255.0;
> option broadcast-address 10.0.1.255;
> option routers 10.0.1.3;
> }
>
> But somehow it doesn't work. I'm not sure about any of these
> lines... Especially the "domain-name-servers" line. The IPs there are
> the ones I use with my ISP.

See, you would not be worrying about this at all with static IPs. From the listing it appears you are running samba/windows clients. Correct? Networking _requires_ more exactness/completeness re: your setup to configure correctly and to avoid problems.

Are your clients set up properly to use dhcp? Not sure? Then probably not.

> Would the switches/hubs update themselves?

Huh? Hubs are completely dumb -- think multi-port signal repeaters.

Switches "learn" the info (MAC addresses) they need to function automagically (most of the time).

> And is it problem if I want
> to use the 10.0.0.x range when the switches/hubs use the 192.168.0.x
> range?

Switches/hubs don't have an IP address. Every machine connected to them is on the same subnet. Switches avoid collisions on the net medium, hubs don't. Both "provide" a single broadcast domain.

> I also want to run a nameserver on my server and have no idea which
> one to choose.

http://www.thekelleys.org.uk/dnsmasq/doc.html

You will have to download the source to get the complete documentation.

This will also make using static client IPs for your _private_ subnet easier while providing a "safer" dns forwarder for public dns lookups. It will also cache dns lookups, thus saving bandwidth. Don't even try to set up bind/named properly. You have enough headaches you will have to deal with.

If you need a firewall and can use a "dedicated" solution you might look at IPCop (or something similar):
http://www.ipcop.org/ << includes dnsmasq

> 3) I would like to set user accounts in a way that no matter on which
> machine a user sits he gets his home directory on the server,

This is called "single sign on" or SSO. Don't even attempt it till the basic network is laid out and confirmed working properly. Don't try to implement everything at once -- it will go much quicker and with fewer hassles to set up one thing at a time. That way the number of variables/configs caught up in the additions/changes are kept to a minimum. Do SSO for just a few hosts initially to get some experience.

> possibly as an icon on the desktop (clients run Aurox Linux 10.0,
> some few run Windows 2000 or XP).

When SSO is working properly, this is not necessary. Logging in will automagically mount the home dir of the user. Logging out unmounts it. Till then you don't have what you want.

> 4) I want to filter content. I guess squid or safesquid would work
> once I'd have solved problems 1) and 2).

Not entirely sure what you mean by "content". WWW content? Try here:
http://dansguardian.org/?page=whatisdg

> Believe me, I have consulted the O'Reilly networking bookshelf, but
> somehow it doesn't help me. Could someone out there, please?
>
> Btw, I run Slackware 10.0 on my server.

If you're comfortable with slack this is OK. Generally I prefer to keep to a single distro base -- eases administration/maintenance/updating and keeps down possible compatibility glitches resulting from updates/upgrades.

With only 50 machines I would give up on dhcp for now. You have enough to do getting the rest working properly/reliably. You also make it more difficult to do other tasks that you may (should?) undertake -- SSO, logging, accounting, auditing? It also uses bandwidth. Save it for later.

When you have more experience with/confidence in your basic network functioning -- local dns, SSO, Samba file server, firewall and web filter -- then you can tackle dhcp. DHCP is not _really_ that difficult, but it has many implications/gotchas and rather scattered documentation. Takes a while to understand _what_ you need from it and _how_ to implement your needs. You will probably want host declarations and fixed-address entries, eg. Makes monitoring the clients easier even if the initial setup is more tedious.

You do not mention if the Linux clients will also be using Samba to access their home dirs or if you intend to use nfs for them. It will be easier to adopt a single set up since you also want SSO. You will have to try out Linux Samba client software to make sure you get the one you want. May depend on the desktop you use, eg., KDE vs Gnome.

For general Linux use in schools (K-12 here in US) you might want to check with these if you haven't already:

http://www.k12ltsp.org/ << many good links
http://www.lfsp.org/ << good example info

May be useful, single reference to have handy (together with the tldp how-tos):
http://www.linuxhomenetworking.com/#Linux
http://www.tldp.org/HOWTO/HOWTO-INDEX/howtos.html << on-line
http://www.tldp.org/docs.html#howto << download all

For SSO check:
Google this search string:
linux samba sso + "single sign on"
or click this:
http://www.google.com/search?num=50&...gle+sign+on%22
http://www.zytrax.com/tech/howtos/samba.html
and many other links ...

And check your Samba docs -- you have them all, don't you?
http://samba.org/~samba-bugs/docs/sa...latest.tar.bz2
http://www.samba.org/samba/docs/

You will need a "central repository" of user account info using LDAP. It's not easy/intuitive to set up, but once you understand what's going on, it's not that bad.
http://www.openldap.org/

It will be easier to implement/test with fewer clients now than with more clients later ;-)

hth,
prg
email above disabled
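Added example (not code from either poster): the points raised in the reply above, turned into a small Python check and run against the dhcpd.conf from the question. The function name `lint_dhcpd` and its `day_lease` threshold parameter are illustrative assumptions, and the renewal time is taken as the DHCP default of half the lease.

```python
import ipaddress
import re
# The dhcpd.conf from the question, as posted in the thread.
POSTED_CONF = """\
ddns-update-style none;
default-lease-time 86400;
max-lease-time 86400;
subnet 10.0.1.0 netmask 255.255.255.0 {
#subnet 192.168.2.0 netmask 255.255.255.0 {
range 10.0.1.10 10.0.1.220;
option domain-name "www.waldorf.lu";
option domain-name-servers 194.154.192.101, 194.154.192.102;
option netbios-name-servers 10.0.1.1;
option netbios-node-type 8;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;
option routers 10.0.1.3;
}
"""

def lint_dhcpd(conf, day_lease=28800):
    """Lint a one-subnet dhcpd.conf; return a list of finding strings."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    def first(pattern):
        m = re.search(pattern, conf)
        return m.groups() if m else None
    sub = first(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{")
    if sub is None:
        return ["no subnet declaration"]
    try:  # strict parsing rejects e.g. 10.0.1.0 with the classful 255.0.0.0
        net = ipaddress.ip_network(f"{sub[0]}/{sub[1]}")
    except ValueError as exc:
        return [f"subnet/netmask mismatch: {exc}"]
    out = []
    lease = first(r"default-lease-time\s+(\d+)\s*;")
    secs = int(lease[0]) if lease else 0
    if secs > day_lease:  # clients try to renew at T1 = half the lease
        out.append(f"default-lease-time {secs}s > {day_lease}s (T1 at {secs // 2}s)")
    rng = first(r"range\s+([\d.]+)\s+([\d.]+)\s*;")
    lo, hi = map(ipaddress.ip_address, rng) if rng else (None, None)
    if rng and not (lo in net and hi in net and lo <= hi):
        out.append(f"range {lo}-{hi} is not inside {net}")
    for opt in ("routers", "netbios-name-servers"):  # on-subnet, outside the pool
        val = first(rf"option\s+{opt}\s+([\d.]+)\s*;")
        if val is None:
            continue
        addr = ipaddress.ip_address(val[0])
        if addr not in net:
            out.append(f"{opt} {addr} is outside {net}")
        elif rng and lo <= addr <= hi:
            out.append(f"{opt} {addr} is inside the dynamic range")
    for opt, want in (("subnet-mask", net.netmask), ("broadcast-address", net.broadcast_address)):
        val = first(rf"option\s+{opt}\s+([\d.]+)\s*;")
        if val and ipaddress.ip_address(val[0]) != want:
            out.append(f"{opt} {val[0]} should be {want}")
    dom = first(r'option\s+domain-name\s+"([^"]+)"\s*;')
    if dom and dom[0].lower().startswith("www."):
        out.append(f'domain-name "{dom[0]}" names a host, not a domain')
    return out
```

On the posted file this reports only the long lease and the host-style domain name; the addressing itself is consistent, so it does not explain why the clients get no lease.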
upro
Guest
Posts: n/a
Wow, that's really an answer that lets nothing open! Thanks a lot for your time and considerateness. You helped me a lot and I appreciate very much the amount of time and thought you put into your response!

I'll do as you suggest: Assign fixed IPs to the clients - especially since their number will not be increasing. And I'll try to get into SSO as soon as I got my point 1) to run!

That's all I can say for now. I'll post again under the same issue when new questions arise!

Thanks again!

--
Michael
r-znvy: zvpunry.wryqra jro.qr (chg gur "@" jurer vg svgf...) ab fcnz cyrnfr
prg
Guest
Posts: n/a
upro wrote:
[snip]
>
> Wow, that's really an answer that lets nothing open! Thanks a lot for
> your time and considerateness. You helped me a lot and I appreciate
> very much the amount of time and thought you put into your response!

I do/did this at my workplace starting years ago. I know the "special" challenges of networking an entire school district, particular buildings, and the labs. You never forget it.

No big deal -- just lots of bruises ;-)

I'll keep an eye out.

Good luck,
prg
email above disabled