[Wylug-help] Help needed setting up server and LAN

Mike Goodman mike.goodman at zen.co.uk
Wed Aug 15 21:54:04 BST 2007


Chris Davies MBCS wrote:
> Mike Goodman wrote:
>> I'd like to set up a server on a box which includes two (identical) 
>> hdds and two 10/100 ethernet cards. I'd like it to be a web server, 
>> NFS server and print server and act as a firewall to the outside 
>> world, running on Debian 4 (Etch).
>
> In addition to your router, or do you want to turn your router into a 
> bridge? (I'm not sure the Netgear can function as a bridge, so it's 
> going to do NAT for you regardless.)
>
I've just checked the router and can disable NAT. I had thought its 
address was fixed at 192.168.0.1 - it is not. Does this mean it can 
operate as a bridge and if so, is this desirable? That's the way 
SMEServer operates, but I've rejected that as an option because of the 
lack of inbuilt functionality/learning curve with non-M$ clients. But I 
do like the overall principles.
>> I'd like this server, not my router, to offer DHCP and fixed 
>> addresses as appropriate to anything else on the network.  My router 
>> is a Netgear DG834 which hogs 192.168.0.1, so from my understanding, 
>> having anything behind the server in the 192.168.0.* range is a bad 
>> idea. Please correct me if I'm wrong.  I have a fixed IP
>> address from my ISP (Zen Internet).
>
> Ensure you understand the topology before you start:
>
> Internet <--> Router <--> Server <--> Switch <-->> Device[s]
>
> The Router will have an Internet address on its external (WAN) port 
> that's been assigned by Zen. It will NAT everything on its inside to 
> that single external address. Your Server will have two IP addresses: 
> one on its outside that talks to the Netgear and one on the inside 
> that talks to the rest of your network.
So far so good. However, I have the ability to turn off NAT as above, so 
would it make sense to configure the one on the outside to talk directly 
to the internet via the Internet address? The router is set up to allow 
all going out and nothing coming in, so my network is vulnerable if 
anything which is capable of transmitting does get in. As for any fool 
inside? Let's not go there. :-)
>
>
> Let's assume you have 192.168.0.* between the Router and the Server 
> (eth0), and 192.168.1.* between your Server (eth1) and your Devices.
>
> I like servers low and routers high, with DHCP somewhere in the 
> middle. So I'd put the Router as 192.168.0.254, and your Server as 
> 192.168.0.1 (external) and 192.168.1.1 (internal).
>
> 1. Turn off DHCP assignment on your router
> 2. Set your router to have a static IP address on your preferred 
> "external" subnet, e.g. 192.168.0.254
> 3. Set your server eth0 (connected to the router) to have a static IP 
> address on that same subnet, e.g. 192.168.0.1
> 4. Set your server eth1 (connected internally) to have a static IP 
> address on a different subnet, e.g. 192.168.1.1
> 5. Configure the Router to have a route to 192.168.1.0/24 via 192.168.1.1
> 6. Install something like "dhcp3-server" and configure 
> /etc/dhcp3/dhcpd.conf (more on that later)
I've established that I can do all that's asked on the router, as above, 
so we're still good. Is dhcp3-server a straightforward apt-get install 
command to get it?

>
>
>> Using a single CD and netinstall, the system picks up both ethernet 
>> cards and sets the primary (eth0) using DHCP as something like 
>> 192.168.0.6 which makes me wonder, is the "primary" the 
>> outward-facing, i.e. the one with the cat5/RJ45 attached to the 
>> router as I suspect, or is it the one attached to my 8-port hub, 
>> which also has another PC (running Ubuntu) and sometimes my laptop 
>> (running Xubuntu) attached by cat5s?
>
> That's hardware dependent, and there's no easy way to find out except 
> by trial and error. Assume for now, though, that once you've got it 
> sorted it will remain constant. (Once you do have it, label the 
> sockets on the back "external ethP" and "internal ethQ" with P and Q 
> as appropriate.)
>
>
>> I hit problems whenever I try to manually set the network on this 
>> card with either an alternative IP range, say 192.168.xx.0/255 or 
>> with the fixed (ISP-provided) IP address.
>
> What sort of problems? Your router's currently configured to issue 
> DHCP leases on 192.168.0.*, so whichever interface successfully gets a 
> DHCP lease is the one that's connected there. The other, by 
> definition, isn't, and can be configured as 192.168.1.1 (or whatever)
Loses the internet connection, so can't complete the installation using 
apt-get install. But that's during the initial install process. You've 
told me below to do all this but more completely at a later stage 
anyway, so the problem shouldn't arise.
>
>
>> Given the aspiration, should I simply accept the detected/allocated 
>> settings? Or should I accept them for the installation process then 
>> go back in and alter them manually? Or am I simply doing something 
>> wrong when configuring manually?
>
> Personally I tend to go with the defaults for installation and then go 
> back and fix them up manually afterwards. I would never accept DHCP 
> for a server other than during configuration.
>
>
>> Once I have the answer to this, how do I configure eth1?
>
> Networks are defined in /etc/network/interfaces (see "man 
> interfaces"), e.g.
>
> # External
> auto eth0
> iface eth0 inet static
>         address 192.168.0.1
>         netmask 255.255.255.0
>         broadcast 192.168.0.255
>         gateway 192.168.0.254
>
> # Internal
> auto eth1
> iface eth1 inet static
>         address 192.168.1.1
>         netmask 255.255.255.0
>         broadcast 192.168.1.255
This section of your response is a particularly useful reference. More 
thanks.
>
>
>> Last question for this stage: should I download any packages for the 
>> firewall part, or will the box itself act as a hardware firewall 
>> without any help?
>
> At home I use iptables directly, but I'm moving towards "shorewall" 
> (which I use at work). You may prefer something more GUI based
>
> Chris
>
Finally, should I be OK if I do the basic install then configure the 
network for the new settings, or should I install the full server then 
go back in and do it, or at what stage in between?

Many thanks for the help to this point. It is very clear and easy to follow.

Best,

Mike
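
An added example, not part of the original message or of any Debian tool: a small Python check for a static two-interface plan in interfaces(5) syntax, run before restarting networking on a dual-homed firewall box. It flags a stanza that reuses an interface name (an easy slip when copying a stanza), a gateway outside its subnet, and external/internal subnets that overlap. The function names and the sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample (thread's addresses); second stanza deliberately reuses eth0.
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    gateway 192.168.0.254
auto eth1
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
"""

def parse_interfaces(text):
    """Return (stanzas, auto_names); stanzas is a list of (name, options)."""
    stanzas, auto = [], set()
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or whole-line comment
        if words[0] in ("auto", "allow-hotplug"):
            auto.update(words[1:])
        elif words[0] == "iface" and len(words) >= 2:
            stanzas.append((words[1], {}))
        elif stanzas:
            stanzas[-1][1][words[0]] = " ".join(words[1:])
    return stanzas, auto

def check_plan(text):
    """Return a list of problems found in a static addressing plan."""
    stanzas, auto = parse_interfaces(text)
    problems, nets, seen = [], [], set()
    for name, opts in stanzas:
        if name in seen:
            problems.append(f"duplicate iface stanza for {name}")
        seen.add(name)
        if "address" not in opts or "netmask" not in opts:
            continue
        net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
        if "gateway" in opts and ipaddress.ip_address(opts["gateway"]) not in net:
            problems.append(f"{name}: gateway {opts['gateway']} is outside {net}")
        nets.append((name, net))
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):  # both sides of the firewall on one subnet
                problems.append(f"{n1} and {n2} share subnet {a}")
    problems += [f"{n}: 'auto' without iface stanza" for n in sorted(auto - seen)]
    return problems
```

Calling `check_plan(SAMPLE)` reports the reused `eth0` stanza and the orphaned `auto eth1`; an empty list means the plan passed these three checks only.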



