Internet Access / Server Connectivity Setup


Steve

Good Day,

Since computer hardware (especially used) has become so cheap, I am setting
up a series of small servers for my home. I am using rack chassis and a
small 11U frame which I will build using standard rack rails. I am thinking
of four servers;

Standard Server (DNS, AD Global Catalog, DHCP, WINS)
File Server (Shares, Files)
Communications Server (Web, Usenet, Mail, Intranet, FTP)
Network Support Server (RIS, Etc...)

This should allow me to free up the really good hardware which I can tear
down and rebuild at will (upgrades for games, etc...), while being anal
retentive with the servers for the important stuff. We all know the
benefits of plugging in a new machine and having the user accounts already
existing, group policy automatically configure the PC, etc...

So the questions...

I need recommendations for a good inexpensive hardware-based firewall
solution, and advice on setting up the connectivity in the network. I was
thinking something like this.

All motherboards will have a built-in 10/100 LAN port, and I will install an
additional LAN card with WOL in each. I was going to buy a 4-port hardware
router with NAT to connect to the cable modem. I would connect each
on-board LAN controller to a port on the router so each system has direct
internet access, and connect the WOL LAN cards to a patch panel for the
network connectivity.

Is this stupid? Should there be only one access point for the internet?
Will the router's DHCP screw with Windows 2000 Advanced Server?

So many questions, so little time... LOL

TIA
Steve
 

Steven L Umbach

Unless you have multiple IP addresses from your ISP, there is no need to use multiple
NIC cards on your computers. Just buy a router that is also an SPI firewall and don't
rule out a wireless one if you think you may want to use wireless. You can disable
the wireless ability in the meantime. Then use the ports on the router to connect to
each one of your computers, which will give them internet access and access to each
other. I would disable the DHCP on the router as it will interfere with proper Active
Directory configuration. Keep in mind that in Active Directory, domain computers must
point to only your domain controller as their preferred DNS server, which can provide
internet name resolution for them by configuring a forwarder or using root hints. If
you want to spend a little more money, there are really good buys on eBay for a real
firewall such as the SonicWall SOHO3 and the NetScreen 5XP which can usually be
purchased for around $200. For a high performance switch, there are lots of HP
Procurves such as the 2512 and 2524. I bought a new Procurve 2512 for under $200. It
can do port isolation, VLANs, restrict port access by MAC address, 802.1x
authentication, web interface to view status, and a whole lot more. Good luck. ---
Steve
 

Jeff Cochran

Is this stupid?

I'd say "ill informed" but I'm in mixed company now.

Should there be only one access point for the internet?

Yes.

Will the router's DHCP screw with Windows 2000 Advanced Server?

Yes.

Get a small SOHO firewall. I'm partial to the SonicWalls but there are
several decent makes. The key is a WAN port, LAN port and DMZ port.
Outward-facing systems run off the DMZ port, your internal ones off the
LAN port, and the external WAN port goes to your internet connection.

Disable the router's DHCP, control it yourself. I would only put the
Communications Server on the DMZ, all else is internal. You want an
external facing DNS on the Com server as well, with your internal DNS
resolving only your internal net and forwarding to the DMZ for the
rest. If you don't have extra public IPs, the firewall should do
your NAT, not the router/broadband connection.

Jeff
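
The WAN/LAN/DMZ layout described in the replies above, modelled as a first-match, default-deny rule table (an added example, not part of the original thread or any vendor's configuration). The subnets, host addresses and the exact set of permitted services are constructed assumptions; the thread only fixes the zones, the placement of the Communications Server on the DMZ, and the DNS forwarding path.

```python
import ipaddress

# Constructed addressing plan: the thread gives no subnets or host addresses.
ZONES = {"LAN": ipaddress.ip_network("192.168.10.0/24"),
         "DMZ": ipaddress.ip_network("192.168.20.0/24")}
DC_DNS = "192.168.10.10"   # hypothetical: Standard Server (AD, internal DNS)
FILES = "192.168.10.20"    # hypothetical: File Server
COMM = "192.168.20.10"     # hypothetical: Communications Server, alone on the DMZ

# (src zone, src host, dst zone, dst host, proto, port, action); None = any.
# Evaluated top to bottom, first match wins, anything unmatched is denied.
RULES = [
    ("WAN", None,   "DMZ", COMM, "tcp", 80, "allow"),   # public web
    ("WAN", None,   "DMZ", COMM, "tcp", 25, "allow"),   # inbound mail
    ("WAN", None,   "DMZ", COMM, "udp", 53, "allow"),   # external-facing DNS
    ("LAN", DC_DNS, "DMZ", COMM, "udp", 53, "allow"),   # internal DNS forwarder
    ("LAN", None,   "DMZ", COMM, "tcp", 80, "allow"),   # intranet site
    ("DMZ", COMM,   "WAN", None, "udp", 53, "allow"),   # DMZ DNS resolves out
    ("LAN", None,   "WAN", None, None, None, "allow"),  # outbound via firewall NAT
]

def zone_of(ip):
    """Map an address to LAN or DMZ; everything else is the WAN side."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def decide(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow under the rule table."""
    flow = (zone_of(src), src, zone_of(dst), dst, proto, port)
    for *match, action in RULES:
        if all(want is None or want == got for want, got in zip(match, flow)):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows: internet host, DMZ host and a LAN workstation.
    for flow in [("203.0.113.5", COMM, "tcp", 80),
                 ("203.0.113.5", FILES, "tcp", 445),
                 (COMM, FILES, "tcp", 445),
                 ("192.168.10.50", COMM, "udp", 53)]:
        print(flow, "->", decide(*flow))
```

The two denied cases worth noting are the DMZ host reaching the file server and a workstation querying the DMZ DNS directly: the first is what the DMZ port buys you, the second enforces that clients resolve only through the domain controller.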
 
