Network Advice Needed

Tayonas
Mar 30, 2015
I'm at the point I have too many ideas on how to proceed, so I thought I would ask. I also get the feeling a few of them are totally the wrong way.

Setup:

175Mb modem, then I have my home server

UserBenchmarks: Desk 131%, Game 102%, Work 110%
CPU: Intel Core i7-5820K - 92.5%
GPU: Nvidia GTX 970 - 85.5%
SSD: Samsung 950 NVMe PCIe M.2 512GB - 273%
SSD: SanDisk X110 mSATA 256GB - 89.5%
HDD: WD Green 3TB (2011) - 69%
HDD: Seagate Desktop HDD 4TB - 91.1%
RAM: Unknown 8x8GB - 115.6%
MBD: MSI X99S SLI PLUS (MS-7885)

It has VMWare and IPCop running

It has the router going to the onboard LAN. I then have a PCI-E 4 x Gigabit Ethernet card. That goes into http://www8.hp.com/lamerica_nsc_carib/en/products/networking-switches/product-detail.html?oid=6783427

I also want to add two wireless network points.

What is the best way for me to set this up, how would you do it?

I probably should mention I haven't used an L3 and originally I was going to just hook up 3 x Gigabit routers that had wireless and make all the passwords the same, which is what I use now, but coming out of my modem/router.

I am hoping IPCop can control the whole show and log everything.

 
Solution
I already told you how I'd do it.

modem -> router -> switch
connected to the switch
-cameras
-server
-wireless access points

If you WANT to run IPCop and a PC firewall, as well as use the PC firewall as a router, swap out the router part of this with a separate PC firewall, and use the LAN card on that device.

I'm not following. Are you planning on using the home server to serve as the DNS portal for your network? Are you setting up a domain on your home network? Why the extra Ethernet card? Are you planning on using your server as a PC firewall too (IPCop, seriously)? You can't be thinking of having the server perform routing services when you already have a router on the network, are you?

As for VMWare, I'm only tangentially familiar with it, but I recall it can be a pain in the backside to get new hardware to show up and be available in the separate VMs.

I'm gonna have to untangle this design because it looks like you're doing something you probably shouldn't.

1) Don't use your server as a firewall. This sorta invalidates the point of a router/firewall, and at the same time makes your server the first device hacked in a network. It's backwards. If you want a PC firewall, set up a separate computer entirely to do this.

2) Let your router be a router. There is little to no point for a server to stand between your router and your network. Ditch the extra network card. While I can see what you're aiming for, unless you have hundreds of devices and are working on defense department contracts I don't think you need the network you think you need.

3) Do you actually have need for a 24 port web managed switch? Seems like a lot of cash thrown down the drain to me.

4) No RAID? what exactly is this a server of?

5) Don't put more than one router on any network. Buy some wireless access points or range extenders. Don't buy a bunch of routers; that's just inviting trouble.

 
This is way misconfigured.
3 routers? Why?
ipCop and VMware on the same box? What is this supposed to be doing?

I've run ipCop (or untangle or similar) in the recent past. That should, ideally, sit on its own box. Does not have to be big and powerful.

So...ISP - modem - router - ipcop box - switches and WiFi access points.
The ipCop box could do duty as the 'router' and firewall, if desired. Otherwise, in the above line, it is just a firewall and logging device.

What is this VMWare bit doing?
 
I got the new router earlier for £140, thank you Amazon Warehouse deals :) It is an unexpected upgrade. It is overkill, sorta.

Why all the security? I will be using the network for IP cameras as well as an alarm system I am working on, but I started that years ago and haven't gotten around till now to go back to it. So at least 6 of those ports will be for wired IP POE cameras. I am actually hoping I can scrap the alarm system altogether and use the motion detection on the cameras etc. but that is a different conversation for another day.

I have 6 physical machines as well as 15 physical wireless devices.

I actually wrote this tutorial: http://ubuntuforums.org/showthread.php?t=799712 8 years ago, but since then my MS has got worse and my brain a bit more scrambled.


The current setup is a 4 port cable modem/router which currently is the DNS server. Ports:

1. Server/my workstation.
2. XBox one.
3. Wireless router 1 with wireless router 2 daisy chained, they are in switch mode.
Those are all on the same net.

Port 4 is a Google router, I am on a panel. It has its own subnet.

IPCop as a VM on the host machine works and also protects the host using the microsoft loopback adapter to route the host.

The VM's are all Windows 10 and Ubuntu machines as well as no fewer than 68 Android VM's. What I have also been doing is virtualizing physical machines to VM's then retiring the machine and building more up to date versions of the server above for other people. I give it away, it is of no use to me.

My plan was to put the modem into modem only mode, connect that to the onboard LAN then connect 4 separate routers in passive mode to the 4 port Ethernet card and have IPCop running all security etc. One of those routers is a L2 network/standalone 8 port POE that I was going to use for the IP cameras, then the Google router and then the other 2 on the same net as my server with one up stairs and one down stairs.

But this L3 switch is a game changer for me, not something I expected to get but a, it looks cooler, lol ... nah, if it is going to make life easier then, hey I won't argue.

But if my setup is going to be router -> new switch -> PC's/devices then I can combine two or three, hell 4, ports on my server's 2nd card into the router.

I don't have a RAID setup for 2 reasons. First, there are always 2 different physical copies of everything, one local and one network. Even my VMs have backups; they may be on the same physical machine, but different physical disks. My kids' and wife's machines have synchronized folders to the server.

The second reason is I am not buying anymore HDD unless they are SSD and SSD isn't cheap enough for me to have a total of 12TB SSD atm :)

I hope I didn't miss anything and thanks for the replies.
 
I get you have your justifications. Only you're making your life hard for no reason or gain.

1) Turning your SERVER into a PC firewall is NOT SAFE EVER. No security expert in the history of IT would suggest you do that, and running it on a separate VM doesn't make it more secure. (It's been 10 years since PC firewalls have been better than simple router/firewalls; I still don't get why you'd want one.)

2) Why are you buying routers to function as wireless access points? I still don't get this step.

3) There is no measurable gain in making your server function as the network router.

It's almost like you have a pile of network equipment and you're just going to make use of it no matter how strange it might be.

4) You still don't explain the net managed 24 port switch. A simple "dumb" 8 or 12 port switch will do the same job at a quarter of the price and probably last longer and be more reliable in the process.

5) I don't get your storage policy. You're spending a fortune on this PC, yet you're unwilling to create a RAID 5 or RAID 6 setup on the server. Sorta defeats the advantages of a server; your system is going to be so slow for reading data off those two drives with 60+ VMs running at the same time (you do not have anywhere near the RAM for that, by the way; you'll need at least 2x more RAM than you're planning for this), not to mention how underpowered this server will be (yes, MASSIVELY underpowered) for your stated goals, that I just am not sure where to start with this build.

 
Your ipCop firewall really, really needs to be its own discrete physical box.
I used to run one, but at this stage, it is more a hobby than a need. Sure, it gives you a bit more reporting/logging data. That's about it.

Your 'server', with all the VM's, is a whole other box (and needs way more RAM).
 
Well, yes, I have a pile of equipment, but I don't see how it is a 'strange' setup; unorthodox, but I guarantee you I am not the only one running such a setup.

I have 2 gigabit routers from Google and one I bought before I joined the panel. For example:

I have one into my cable modem-router that runs into the living-room/lounge/whatever. It is in switch mode with its wifi on. The wifi name and pass are identical to one of the other two wireless routers so this is extra coverage for that net. I then make use of the LAN ports and one goes to the living-room PC for the TV and 2 to PCs.

As I said I had planned to use the onboard Ethernet for WAN and the 4 port PCIE for LAN.

As for the RAID, as I explained I am waiting for prices to fall. I wouldn't even say I need it with the SSD's.

I built this machine around March last year. I had set out to build a twin CPU with 128GB, but money-money-money. So I settled for this machine without the M.2 and only 32GB of RAM. At that point I had another 2 machines running, but the heat is killer.

I never expected to be able to put so much more money into it, but I got all the extras like the m.2 for £200, the other 32GB for £75 and the new managed switch for £140. I already got away with getting the 4 port PCIE network card for £60.

ingtar33, you said I didn't explain the network switch, I did in my first line 😉

"I got the new router earlier for £140, thank you Amazon Warehouse deals :) It is an unexpected upgrade. It is overkill, sorta." That is awesome cheap and I will need POE for the cameras. Now I also have the option of replacing the routers with POE access points :)

This machine replaces my Win7 Q6600 Quad Core with 16GB RAM. It also replaces my Core2Duo 2GB RAM Ubuntu server and my P4 2GB RAM IPCop server, that I never really fully played with. I set it up once and basically forgot about it.

I want IPCop or some other advanced server because I have time to play with it. I want to be able to do all the advanced traffic monitoring and port mirroring.

When I said my 'MS has got worse' ... MS isn't MicroSoft, it is multiple sclerosis, hence the scrambled egg brain. I want to kill some time while my immune system kills me.

As for IPCop on a virtual machine, I don't think it really matters. First of all; this is not a challenge to hack me :) Tell me what flaws you see, that's what I asked in the first post -how would you do it?

My thinking on it is firstly the network doesn't work without the IPCop VM in play. IPCop disabled = nothing talking to the internet, nothing has an IP, nothing happening.

Not even the host can talk to the network without admin rights network reconfiguration and a reboot.

Also, the host would have to be compromised, and if the host is compromised it is game over anyway, because it means IPCop has been taken out of play and the host (or server), regardless of where it is on the network, has the keys to the kingdom.

I could build a Pi IPCop server and just buy a few USB gigabit LAN adapters.

I think what I am trying to say is, if someone has gone to all the trouble to get to your host and use it to reconfig IPCop they were going to get you anyway.

Errr, long post, sorry. But still, what would you do with the stuff I have?
 