[Cialug] Network Layout

Don Cady cialug@cialug.org
Tue, 4 Jan 2005 00:26:00 -0600


responses inline-
> I'm trying to restructure my home network and have a few criteria, an idea 
> how it should look and a bunch of questions.
>
> Criteria:
> ==========
> - Foreign access to the inside LAN has to be blocked since the computers 
> there are less secure and files are shared openly.  No 
> internal-to-internal traffic should leave the inside LAN (aka outsiders 
> can't sniff it).  Anybody plugging in a computer at the inside LAN is 
> trusted.
> - WAN is untrusted and will need VPN to access inside LAN.  Visitors 
> should be able to use the internet without VPN to inside LAN once I 
> authorize them.  A web portal where username and passwords are entered 
> would be cool.
> - Outside LAN has the same criteria as WAN (yes, the ethernet jacks are 
> outside of the building)
> - Server for web, e-mail and DNS should be accessible from the internet, 
> inside LAN, outside LAN, and WAN using the same domain name.
> - Only one public IP should be used.  Inside LAN, outside LAN and WAN 
> should use DHCP, NAT and private IPs. The server should use a static 
> private IP via NAT.
> - OpenBSD is the operating system for the firewall and server.
>
> Network Layout (proposal):
> ==========================
> Best is to look at a picture of it at:
>  http://www.public.iastate.edu/~cniesen/future-network.jpg
Neat picture, howdya make it?!

> The Network is connected to the internet via DSL using a bridged DSL 
> modem.  The first thing after the modem is a firewall with 4 ports 
> (internet, server [web, email, dns], inside LAN, and WAN/outside LAN).
> The WAN and outside LAN are supported via the Linksys WRT56GS wireless 
> router that has 4 ethernet ports.
>
> Questions:
> ==========
> - For the VPN to the inside network does the VPN server have to be a 
> server inside of the "inside network" or can the firewall do it?
It can be done either way.

> - Should the DHCP be done by the server [web, email, dns] or the firewall?
I'd do it by the firewall, but that's just me. What is the consensus of the 
group?

> - Should the WAN access point run its own DHCP server for the WAN clients?
Sure, that'll provide an extra half layer of security, keeping out the 
kiddies that only scan the one subnet they see on that WLAN. The other side 
is, client apps on the WLAN might have trouble going through multiple NAT 
devices.
> - Can the server [web, email, dns] provide DNS service to all network 
> sections? It will run OpenBSD 3.6 with its version of bind 9.
I'm thinking yes it could, with the right forwarding. Just don't ask me how 
to do it (on a *nix box). ;)
sorry.

> Thanks
>   Claus
Realize I'm historically a windows guy, just learning Linux. But if windows 
can do it, I see no reason Linux/BSD/Unix/etc. couldn't. If someone on the 
list sees I'm wrong, please point it out.

Don
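
As an added example (not part of Claus's post or Don's reply), here is an OpenBSD pf.conf sketch for the four-port firewall in the proposal: one public IP shared by NAT, the server published on it for web, mail and DNS, the inside LAN walled off from the internet and from the WAN/outside segment, the WAN segment limited to internet plus the server, and a VPN (IKE on UDP 500 plus ESP) terminated on the firewall itself, which answers the first question. Interface names (pppoe0, fxp1-fxp3), the three private subnets, the server's address and the service ports are assumptions; the rdr rules on the internal interfaces are what lets one domain name, resolving to the public IP, work from every segment without split-horizon DNS.

```pf
# Added example pf.conf for the proposed layout (OpenBSD 3.x syntax).
# Interface names, subnets and the server address are assumptions; adjust to the box.
ext_if = "pppoe0"        # bridged DSL modem, single public IP, address may change
srv_if = "fxp1"          # server segment (web, mail, dns)
int_if = "fxp2"          # inside LAN, trusted
wan_if = "fxp3"          # WAN / outside LAN, untrusted (Linksys hangs off here)

srv_net = "192.168.1.0/24"
int_net = "192.168.2.0/24"
wan_net = "192.168.3.0/24"
server  = "192.168.1.10"     # static private IP of the OpenBSD server

srv_tcp  = "{ 25, 80, 443 }"  # mail and web
dns_port = "53"

# RFC 1918 space: visitors on the WAN segment may talk to anything except this.
table <private> const { 10/8, 172.16/12, 192.168/16 }

set block-policy drop
set loginterface $ext_if
scrub in all

# --- Translation -----------------------------------------------------------
# All three private segments leave through the one public address.
nat on $ext_if from { $srv_net, $int_net, $wan_net } to any -> ($ext_if)

# Publish the server's services on the public IP.
rdr on $ext_if proto tcp from any to ($ext_if) port $srv_tcp -> $server
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $dns_port -> $server

# Clients on the private segments resolve the same name to the public IP;
# redirect them to the server as well so one domain name works everywhere.
rdr on { $int_if, $wan_if } proto tcp from any to ($ext_if) port $srv_tcp -> $server
rdr on { $int_if, $wan_if } proto { tcp, udp } from any to ($ext_if) port $dns_port -> $server

# --- Filtering: default deny, then per-segment allows -----------------------
block in log all
block out log all
pass quick on lo0 all
antispoof quick for { lo0, $srv_if, $int_if, $wan_if }

# Criterion 1: nothing arriving from the internet or the WAN/outside segment
# may reach the inside LAN; VPN traffic gets in via enc0 below instead.
block in quick on { $ext_if, $wan_if } from any to $int_net

# Inside LAN (trusted): anything out, state kept so replies come back.
pass in on $int_if from $int_net to any keep state

# WAN / outside LAN (untrusted): internet only, plus the server and the VPN.
pass in on $wan_if from $wan_net to ! <private> keep state
pass in on $wan_if proto tcp from $wan_net to $server port $srv_tcp flags S/SA keep state
pass in on $wan_if proto { tcp, udp } from $wan_net to $server port $dns_port keep state
pass in on $wan_if proto udp from $wan_net to ($wan_if) port 500 keep state
pass in on $wan_if proto esp from $wan_net to ($wan_if)

# Internet: only the published services (already rdr'ed to $server) and the VPN.
pass in on $ext_if proto tcp from any to $server port $srv_tcp flags S/SA keep state
pass in on $ext_if proto { tcp, udp } from any to $server port $dns_port keep state
pass in on $ext_if proto udp from any to ($ext_if) port 500 keep state
pass in on $ext_if proto esp from any to ($ext_if)

# Server segment: the server may reach the world (mail delivery, DNS recursion)
# but is treated as semi-trusted and kept out of the inside LAN.
block in quick on $srv_if from $srv_net to $int_net
pass in on $srv_if from $server to any keep state

# Decrypted VPN packets surface on enc0; that is the only path into the inside LAN
# from the untrusted side. Tighten "from any" to the VPN client pool once chosen.
pass in on enc0 from any to $int_net keep state
pass out on enc0 all keep state

# Whatever the firewall has decided to forward may leave on any interface.
pass out on { $ext_if, $srv_if, $int_if, $wan_if } all keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm the segmentation from a WAN host: it should reach the internet and the server's published ports, but `ping` or `nmap` against the inside subnet should log drops on the firewall rather than answer. Because the WAN side in the proposal also passes through the Linksys doing its own NAT, the VPN client on that segment needs NAT traversal (UDP encapsulation) or the ESP rule above will never see a packet; that is the "multiple NAT devices" caveat Don raises.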