Networking question



egd
2007-04-05, 18:10
Historical state:
I have two PCs, two NAS devices and two SB3s networked via an unmanaged gigabit switch, all with hardcoded IPs using the 192.168.168.x range.
The SB3s are located outside of the study and take their audio feed from one of the NAS devices located in my study.
Slimserver is running on one of the PCs
The wired link between my study and SB3s is provided by three Ethernet over Power connectors.
Each of my PCs is connected to the Internet via a broadband router linked to a 2nd NIC with IP assigned by the router's DHCP and takes the form of 192.168.1.x
The 192.168.168.x range is not exposed to the Internet and I want to keep it that way

Everything works nicely.

Desired future state:
Same as above, except I want to add a WAP in the lounge so that we can surf etc from our laptop
If technically feasible I also want to add a 2nd WAP in the lounge to interact with the SB3 via a Nokia N800 or something similar

Current state:
To solve point 1 above I did the following (after consulting with the vendor):
purchased a Wireless Ethernet over Power connector and installed in lounge
connected broadband router to gigabit switch
configured wireless Ethernet over Power connector to accept IP from broadband router's DHCP. Broadband router assigns 192.168.1.2 to the wireless Ethernet over Power connector

Outcome is that Internet is now accessible from the Lounge, however:
devices in the 192.168.168.x network become inaccessible to one another as soon as the wireless connectivity is established, i.e. it pretty much looks like I can have the one or the other operational, but not both.
I have connected the broadband router to the switch with and without an Ethernet over Power connector in between - both options give me an active WAP and seemingly kill connectivity for 192.168.168.x

Any ideas as to how to get the two to coexist (the vendor specifically said I could run both networks on the same power line infrastructure)?

Finally, apologies if my networking knowledge/terminology is incorrect/laughable - I've learned through trial and error.

JJZolx
2007-04-05, 21:12
Historical state:
I have two PCs, two NAS devices and two SB3s networked via an unmanaged gigabit switch, all with hardcoded IPs using the 192.168.168.x range.
The SB3s are located outside of the study and take their audio feed from one of the NAS devices located in my study.
Slimserver is running on one of the PCs
The wired link between my study and SB3s is provided by three Ethernet over Power connectors.
Each of my PCs is connected to the Internet via a broadband router linked to a 2nd NIC with IP assigned by the router's DHCP and takes the form of 192.168.1.x
The 192.168.168.x range is not exposed to the Internet and I want to keep it that way

Everything works nicely.

By "not exposed", can we assume you mean that the .168.x network has no means of contacting the outside world? So your SB3s can't use Squeezenetwork, for instance? Why is that desirable? What you need to worry about is the outside world contacting your internal machines, which is usually protected against by your router/firewall by default.

This setup seems overly complicated. I don't see the need for two subnets and two NICs in the PCs.


Desired future state:
Same as above, except I want to add a WAP in the lounge so that we can surf etc from our laptop
If technically feasible I also want to add a 2nd WAP in the lounge to interact with the SB3 via a Nokia N800 or something similar

Why two wireless access points? The SB3s do 802.11g, so they shouldn't negatively affect throughput of the wireless network, and the 54GB+/- will likely be much faster than your Internet connection, so all of the devices maxed out simultaneously shouldn't be starved for bandwidth.


Current state:
To solve point 1 above I did the following (after consulting with the vendor):
purchased a Wireless Ethernet over Power connector and installed in lounge
connected broadband router to gigabit switch
configured wireless Ethernet over Power connector to accept IP from broadband router's DHCP. Broadband router assigns 192.168.1.2 to the wireless Ethernet over Power connector

Outcome is that Internet is now accessible from the Lounge, however:
devices in the 192.168.168.x network become inaccessible to one another as soon as the wireless connectivity is established, i.e. it pretty much looks like I can have the one or the other operational, but not both.
I have connected the broadband router to the switch with and without an Ethernet over Power connector in between - both options give me an active WAP and seemingly kill connectivity for 192.168.168.x

Any ideas as to how to get the two to coexist (the vendor specifically said I could run both networks on the same power line infrastructure)?

Simplify. Use just one subnet.

I'd set up the Squeezeboxes and laptops to use DHCP from the router. The NASs and the PC running SlimServer would probably be best served with static addresses. The router shouldn't allow any uninitiated inbound traffic to reach any of your internal machines. If a machine initiates a connection to the outside, then any return traffic will be allowed through, which is what you have going on right now on the 1.x network.

egd
2007-04-05, 22:28
By "not exposed", can we assume you mean that the .168.x network has no means of contacting the outside world?
Yes, albeit I presume if a connected Internet facing device is compromised it can in turn be used to attempt compromise of devices on the .168.x network.


So your SB3s can't use Squeezenetwork, for instance? Why is that desirable?
At present I've no use for Squeezenetwork. At this time none of the radio stations I'd like to listen to work correctly with Squeezenetwork or connecting directly from the SB3.


What you need to worry about is the outside world contacting your internal machines, which is usually protected against by your router/firewall by default.
Agreed, but I still feel better knowing my music and family video and picture libraries aren't Internet facing.


This setup seems overly complicated. I don't see the need for two subnets and two NICs in the PCs.
Both PCs came with two on-board NICs. I trust the question of two subnets is explained above?




Why two wireless access points? The SB3s do 802.11g, so they shouldn't negatively affect throughput of the wireless network, and the 54GB+/- will likely be much faster than your Internet connection, so all of the devices maxed out simultaneously shouldn't be starved for bandwidth.
Agreed, however, so long as I want to keep the two subnets apart I'm guessing there is no other way?

JJZolx
2007-04-05, 23:05
All I can say is that you're gaining nothing in terms of security with that configuration. For increased security and peace of mind you'd be better off putting a good firewall between the network and the router. Then create firewall rules saying (for instance) that the NAS at 192.168.1.5 and the NAS at 192.168.1.6 are blocked from making outgoing connections. Incoming is already blocked, but go ahead and make a couple of explicit rules just to feel better.

This would be identical to your current situation - you cut off any possibility of either outgoing or incoming connections to/from those machines. But IMO that's a little bit over the top, since those machines probably never even make any outgoing connections.
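The policy described in the two posts above (the router drops any inbound connection nobody inside initiated, allows return traffic for connections started from inside, and an extra rule stops the NAS boxes from starting outbound connections) as an added Python example; this is not code from the thread or from any router or firewall product. The 192.168.1.5 and 192.168.1.6 NAS addresses are JJZolx's example; the PC address, the outside hosts (documentation ranges) and the packet sequence are constructed for the demo.

```python
"""Added example, not code from the thread: a minimal model of the stateful
router/firewall policy JJZolx describes.  Outbound connections from the LAN
create state; inbound packets are accepted only if they match that state;
an extra egress rule stops the two NAS boxes from ever starting a connection
to the outside.  The 192.168.1.5/.6 NAS addresses are the thread's example;
the other addresses and the packet sequence are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")
# NAS devices that must never initiate outbound connections (JJZolx's example rules)
EGRESS_BLOCKED = {ipaddress.ip_address("192.168.1.5"), ipaddress.ip_address("192.168.1.6")}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


class StatefulFilter:
    """Default-deny for unsolicited inbound traffic; LAN-initiated flows are tracked."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) for accepted outbound flows
        self.conntrack = set()

    def decide(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in LAN and dst in LAN:
            return "ACCEPT local"        # LAN-to-LAN traffic never crosses the router
        if src in LAN:                   # outbound
            if pkt.syn:
                if src in EGRESS_BLOCKED:
                    return "DROP egress-blocked"
                self.conntrack.add((src, pkt.sport, dst, pkt.dport))
                return "ACCEPT new"
            if (src, pkt.sport, dst, pkt.dport) in self.conntrack:
                return "ACCEPT established"
            return "DROP invalid"
        if dst in LAN:                   # inbound
            if (dst, pkt.dport, src, pkt.sport) in self.conntrack:
                return "ACCEPT established"
            return "DROP unsolicited"    # nobody inside asked for this
        return "DROP not-ours"


def run_demo():
    """Return the filter's verdict for each constructed packet, in order."""
    fw = StatefulFilter()
    packets = [
        Packet("192.168.1.10", 40000, "203.0.113.9", 80, syn=True),  # PC browses the web
        Packet("203.0.113.9", 80, "192.168.1.10", 40000),            # reply to that request
        Packet("198.51.100.7", 5555, "192.168.1.5", 445),             # outside host probes the NAS
        Packet("192.168.1.5", 50000, "203.0.113.9", 80, syn=True),    # NAS tries to call out
        Packet("203.0.113.9", 80, "192.168.1.5", 50000),              # no state exists, so dropped
        Packet("192.168.1.10", 40001, "192.168.1.5", 445),            # PC reads the NAS share
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fourth and fifth packets show why the egress rule alone cuts the NAS off in both directions: with no outbound flow ever accepted, nothing from outside can match state, so the effect is the same as the separate subnet but without the second NIC in every PC.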

peter
2007-04-05, 23:19
egd wrote:
> JJZolx;192940 Wrote:
>
>> By "not exposed", can we assume you mean that the .168.x network has no
>> means of contacting the outside world?
>>
> Yes, albeit I presume if a connected Internet facing device is
> compromised it can in turn be used to attempt compromise of devices on
> the .168.x network.
>
> JJZolx Wrote:
>
>> So your SB3s can't use Squeezenetwork, for instance? Why is that
>> desirable?
>>
> At present I've no use for Squeezenetwork. At this time none of the
> radio stations I'd like to listen to work correctly with Squeezenetwork
> or connecting directly from the SB3.
>
> JJZolx Wrote:
>
>> What you need to worry about is the outside world contacting your
>> internal machines, which is usually protected against by your
>> router/firewall by default.
>>
> Agreed, but I still feel better knowing my music and family video and
> picture libraries aren't Internet facing.
>
> JJZolx Wrote:
>
>> This setup seems overly complicated. I don't see the need for two
>> subnets and two NICs in the PCs.
>>
> Both PCs came with two on-board NICs. I trust the question of two
> subnets is explained above?
>
>
>
> JJZolx Wrote:
>
>> Why two wireless access points? The SB3s do 802.11g, so they shouldn't
>> negatively affect throughput of the wireless network, and the 54GB+/-
>> will likely be much faster than your Internet connection, so all of the
>> devices maxed out simultaneously shouldn't be starved for bandwidth.
>>
> Agreed, however, so long as I want to keep the two subnets apart I'm
> guessing there is no other way?
>

Your main security risk, as I see it, is that one of your PCs (laptop)
becomes infected by a Trojan. If that happens, both subnets are exposed
anyway. Your router/firewall is highly unlikely to be compromised itself
unless you've misconfigured it. PCs, esp. when running Internet Explorer
or even any other browser or mail client, are the modern hacker's
favorite attack target.

That and your own lack of network understanding. It's probably
impossible for a non-expert to build a really secure network with
different subnets, WAPs and firewalls. And really, no attacker is going
to be interested in your family's videos or pictures (you have backed
them up on DVD?) unless you're some kind of royal. In that case you should
have staff to handle this kind of thing ;)

Regards,
Peter

egd
2007-04-06, 00:40
Simplify. Use just one subnet.

I'd set up the Squeezeboxes and laptops to use DHCP from the router. The NASs and the PC running SlimServer would probably be best served with static addresses. The router shouldn't allow any uninitiated inbound traffic to reach any of your internal machines. If a machine initiates a connection to the outside, then any return traffic will be allowed through, which is what you have going on right now on the 1.x network.

Ok, assuming I go down this path have I interpreted you correctly?:


Hard code NAS and PC running slimserver IPs to 192.168.1.x subnet, say .2, .3 & .4
Set 2nd PC, wireless EOP, laptop and any other devices I choose to connect to the network to use dynamic IP supplied by the router's DHCP

Mark Lanctot
2007-04-06, 09:49
Also your sig says "Linux and loving it" which means:

- you're not using IE/OE

- your OS is fairly secure by default (you likely run on a restricted account)

- you're not the target of the millions of Chinese script kiddies

So you already have a fairly significant security advantage over Joe Six-Pack. This isn't to say you're invulnerable but you're in a better position.

Mark Lanctot
2007-04-06, 09:52
In addition, if you had an old PC in a closet, install SmoothWall (http://www.smoothwall.org/) on it and turn it into a corporate-strength firewall at no cost.

JJZolx
2007-04-06, 10:31
Ok, assuming I go down this path have I interpreted you correctly?:


Hard code NAS and PC running slimserver IPs to 192.168.1.x subnet, say .2, .3 & .4
Set 2nd PC, wireless EOP, laptop and any other devices I choose to connect to the network to use dynamic IP supplied by the router's DHCP

Yes. That's what I'd do. I used to have pretty much everything on my home network using reserved/static IP addresses, but found that there wasn't much need to do that for the Squeezeboxes and PCs that don't act as servers.

Make sure the DHCP server on the router is handing out addresses on the 192.168.1.x network and that it doesn't hand out any addresses that you've hard coded.

You might also give a static IP address to the WAP, although it may not be necessary. What is the make & model of the wireless EOP?
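A check for the single-subnet plan agreed in the last two posts (statics for the NASs and the SlimServer PC, DHCP for the rest, and a DHCP pool that never hands out a hard-coded address), as an added Python example; it is not code from the thread. The .2/.3/.4 statics are egd's; the router address, the pool bounds and the device names are assumptions for the demo.

```python
"""Added example, not code from the thread: sanity-check a single-subnet
address plan of the kind JJZolx recommends before reconfiguring anything.
Static addresses must sit inside the router's subnet, must not collide with
the router or each other, and must lie outside the DHCP pool, or the router
may later hand one of them to a laptop.  The router address, pool bounds and
device names are assumptions for the demo; the .2/.3/.4 statics are egd's."""
import ipaddress


def check_plan(subnet, router, pool_start, pool_end, statics):
    """Return a list of problems (empty means the plan is consistent)."""
    net = ipaddress.ip_network(subnet)
    router_ip = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if router_ip not in net:
        problems.append(f"router {router_ip} is outside {net}")
    if lo > hi or lo not in net or hi not in net:
        problems.append(f"DHCP pool {lo}-{hi} is not a valid range inside {net}")
    if lo <= router_ip <= hi:
        problems.append(f"router {router_ip} lies inside the DHCP pool")
    seen = {}
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            # the situation egd started from: a host on 192.168.168.x cannot talk to 192.168.1.x
            problems.append(f"{name} ({ip}) is outside {net}: unreachable from DHCP clients")
            continue
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} ({ip}) is the network or broadcast address")
        if ip == router_ip:
            problems.append(f"{name} ({ip}) collides with the router")
        if lo <= ip <= hi:
            problems.append(f"{name} ({ip}) is inside the DHCP pool {lo}-{hi}")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen[ip] = name
    return problems


# egd's statics with a pool that overlaps them and one device left on the old subnet (constructed) ...
BAD_PLAN = dict(subnet="192.168.1.0/24", router="192.168.1.1",
                pool_start="192.168.1.2", pool_end="192.168.1.100",
                statics={"nas1": "192.168.1.2", "nas2": "192.168.1.3", "slimserver-pc": "192.168.168.4"})
# ... and the same statics with the pool moved clear of them and every host on one subnet.
GOOD_PLAN = dict(subnet="192.168.1.0/24", router="192.168.1.1",
                 pool_start="192.168.1.100", pool_end="192.168.1.199",
                 statics={"nas1": "192.168.1.2", "nas2": "192.168.1.3", "slimserver-pc": "192.168.1.4"})

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, check_plan(**plan) or "OK")
```

Run it against the pool range shown in the router's DHCP page before changing any device; the pool is the one setting that silently breaks later, when a laptop gets the NAS's address while the NAS is powered off.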

egd
2007-07-02, 05:36
Now that I've had some time to come back to this I've thought it through and have corrected the issue without resorting to a single subnet - the key reason I implemented two to begin with (which I should have mentioned at the outset) is that the 192.168.168.x subnet provides gigabit connectivity between all PCs and NAS devices. Changing to a single subnet would force the 10/100 broadband router into the equation, which, if I'm not mistaken, will adversely impact network performance when copying between two devices on the subnet etc. - from memory gigabit NICs will negotiate down to the lowest common denominator on the network, effectively turning everything into a 10/100 network.

The wireless EOP is a Netcomm NP290W. I now have it configured to allow wireless access to slimserver (looking forward to the N800, in the meantime my PDA will suffice). If I'm wrong about the single subnet performance issue I'll happily implement it.

Further thoughts/comments appreciated...

mherger
2007-07-02, 06:03
> implemented two to begin with (which I should have mentioned at the
> outset) is that the 192.168.168.x subnet provides gigabit connectivity
> between all PCs and NAS devices. Changing to a single subnet would
> force the 10/100 broadband router into the equation, which, if I'm not
> mistaken will adversely impact network performance when copying between

Well, you are mistaken :-). If you have a gigabit switch, connecting a
single 100Mb device won't influence the other machines. No need to
separate them.

--

Michael

-----------------------------------------------------------------
http://www.herger.net/SlimCD - your SlimServer on a CD
http://www.herger.net/slim - AlbumReview, Biography, MusicInfoSCR

egd
2007-07-03, 08:09
Well, you are mistaken :-). If you have a gigabit switch, connecting a
single 100Mb device won't influence the other machines. No need to separate them.

So having the 10/100 router assign IPs via DHCP also won't influence the other machines? Great to know, that enables me to access the net and slimserver through a wireless device. Thanks.