Best practice / convention for small network

Discussion in 'Linux Networking' started by CCW, Feb 1, 2009.

  1. CCW

    CCW Guest

    Hi,

    Apologies if any of the following questions / statements seem very
    basic, I'm currently teaching myself how to build a network using
    Ubuntu..!

    I want to build a small network in a single-site (charity - hence lack
    of money to employ someone or to buy Windows Server!) office. We
    currently have several Windows computers, and I've played around with
    Samba / Fedora before, so know I can get it to work..

    My 1st question is about the best network layout. Different people
    have different ideas / advice, so I've always been a bit confused
    about which layout to use. I've always assumed that the 2 main types
    would be:


    internet --> router --> server --> hub --> workstations

    internet --> router --> hub --> all computers (1 of which is the
    server)

    I've always tended towards the former layout, so that there is total
    control over all the workstations. I know there is the downside of
    needing 2 network cards in the server instead of 1, and there would
    need to be a bit more configuration at the outset, but are there any
    other pros / cons for either method?

    Am I also thinking too advanced at this stage to consider, in the long-
    term future, whether a wireless subgroup would be possible, whereby
    wireless laptops could access files on the server (/filestore), and
    also have access to networked printers? The router we've got is
    wireless, so laptops will always be able to access the internet, but
    would I need a 3rd (wireless) network card in the server for this
    kind of situation?

    Thanks in advance for any advice anyone is able to give.

    Chris
     
    CCW, Feb 1, 2009
    #1

  2. That is the "usual" arrangement. But do you want your server to be
    accessible from the internet? If so, depending on your security
    requirements, you may want to define some port forwarding in your router
    towards the server or you may want to place your server in a
    DeMilitarised Zone (so that the server is accessible to the internet but
    the rest of your network is not).

    Routing everything between the internet and your network through your
    server just puts an unnecessary strain on the server.

    And use a switch instead of a hub. Wikipedia will tell you the
    difference; the cost difference is minimal these days.
     
    Robert Harris, Feb 1, 2009
    #2

  3. This will to a large extent depend on the capabilities of your router
    device. Routing all traffic via a central server gives the advantage of
    better control over the workstations. But as many modern routers offer
    fine grained firewall settings for the attached systems it might not be
    necessary to implement these functions on your server installation.

    And replace the hub with a switch as Robert has already mentioned. Also
    these come integrated on routers these days.
    My routing device links the wired and wireless network into the very
    same subnet. So from an user point of view it does not make a
    difference how the systems get their network access. They all have
    access to the outside world as well as to all systems on the local net.
    But this will be different on other devices, and can be configured to
    your needs on some. If you want to exclude some machines like notebooks
    from certain services like SMB/CIFS shares on your Windows systems you
    will have to set up according rules on the wireless access point, on
    another router, or the local firewalls on the computers offering these
    services.

    Günther
     
    Günther Schwarz, Feb 1, 2009
    #3
  4. First: You don't use hubs, you use switches. If you still got
    hubs in use, um... how do I say that in a polite way... Just get
    rid of them.
    What do you mean by "control"? Controlling the internet access of
    the workstations? Good routers can do that themselves.
    Good 100MBit/s PCI-NICs go around for about 10$, the cheapos for
    even less. That should not be the problem.

    If you go for the 2 NIC approach you could abandon the router
    completely and let the server do this job. This requires a bit
    more careful configuration though, to not expose private
    services on the public interface. Subnets and NAT itself don't
    provide security (an often made misconception) anyway.
    If the router is configured as AP, then a WLAN-NIC in the server
    would make it just another station.

    There's another solution: VLANs. Some layer 2 switches allow
    ports to participate in separated networks (VLAN access). Ports
    can also be configured to be parts of multiple VLANs (VLAN
    tagging). That way the server/router needs just one NIC, which
    internally is split into several virtual NICs which can be
    configured individually. This is what I am running here at home,
    i.e. the server is also the router, is connected to a tagged
    VLAN on the switch and on the switch the different parts of the
    network are separated in access VLANs.

    This setup is working flawlessly for some months now.

    Wolfgang
     
    Wolfgang Draxinger, Feb 1, 2009
    #4
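    The single-NIC tagged-VLAN layout Wolfgang describes, written out as an added example (not code from the thread or from any poster). It uses current iproute2 and nftables rather than the 2009-era vconfig/iptables tools; the interface name, VLAN ids, addresses and the use of dhclient on the uplink are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. One server NIC carries an 802.1Q
# trunk from the switch; each access VLAN becomes a virtual interface that is
# addressed and firewalled on its own. Names, ids and addresses are assumed.
# Print the iproute2 commands that split trunk $1 into VLAN subinterfaces:
# 10 = wired office, 20 = wireless laptops (router as AP), 100 = ISP uplink.
vlan_cmds() {
    for spec in 10:192.168.10.1/24 20:192.168.20.1/24 100:dhcp; do
        id=${spec%%:*}; addr=${spec#*:}
        echo "ip link add link $1 name $1.$id type vlan id $id"
        if [ "$addr" = dhcp ]; then echo "dhclient $1.$id"
        else echo "ip addr add $addr dev $1.$id"; fi
        echo "ip link set $1.$id up"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"   # the server is also the router
}
# Print an nftables ruleset for trunk $1: file, DNS and DHCP services answer
# only on the two LAN VLANs, SSH only on the wired one, and nothing is offered
# on the uplink. NAT alone is not a firewall, hence the explicit drop policies.
nft_ruleset() {
    cat <<EOF
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "$1.10" tcp dport { 22, 139, 445 } accept
        iifname "$1.10" udp dport { 53, 67, 137, 138 } accept
        iifname "$1.20" tcp dport { 139, 445 } accept
        iifname "$1.20" udp dport { 53, 67, 137, 138 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname { "$1.10", "$1.20" } oifname "$1.100" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$1.100" masquerade
    }
}
EOF
}
# Print the plan for review; as root, pipe the two outputs into "sh -e" and
# "nft -f -" respectively to apply them.
vlan_cmds "${TRUNK:-eth0}"
nft_ruleset "${TRUNK:-eth0}"
```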
  5. 1PW

    1PW Guest

    Hello Chris:

    Although you've supplied some good information, please relate the number
    of near future local network devices in use, what are/will the computers
    (be) running, and what is the /current/ topology. Is their ISP ADSL,
    cable or otherwise? Try to characterize their need/regard for security.
    What might be their upper dollar limit for all this? Labor plus
    material costs...

    Pete
     
    1PW, Feb 1, 2009
    #5
  6. Rikishi42

    Rikishi42 Guest

    Use this. A simple router does DHCP, DNS, WiFi and cabled connections, port
    forwarding, Internet access control and maybe even offers a printer port for
    no money at all. If you do it on your server, you have to configure it all
    yourself. Don't give yourself extra work and headaches.
    If one day you need more refined options than your router can handle, it'll
    still be time to use an old machine for that.

    Besides, why waste your server's resources? Use it for more useful purposes
    (backup, mail, files, news, database, intranet webserver...).

    And the entire network stands or fails with a server you'll have to setup
    and maintain.

    Again, apply the KISS principle. Why people want to consider Wireless to be
    something different/separate... It's just a form of network connection.
    Slower and less safe than cable, but safety can be handled by any
    inexpensive router.

    Connect the router, use MAC lists and encryption for the wireless, multiply
    the number of cabled connections with 100Mbits/s switches, and you're off.

    The first real limit you're going to find is the router's limit of 253
    addresses, if its DHCP uses a C-class (192.168.) range. Do you expect that
    volume of machines?
     
    Rikishi42, Feb 3, 2009
    #6