Topic: server and gateway behind a hardware DSL router

[Jan]

Hi all,

I was wondering if the following will work.

Internet => Hardware Router&Firewall => switch => PC's & SME55

I want to put a second ethernet card in it put it on a different range and have the
DMZ function on the hardware router point to this second ethernet card.

I'm forced to have the switch in between the router and the SME55 because some of the users won't use the SME 55 as a gateway. Reason is that they are either stupid or generally anying people. ) Its cooperative setup where everyone gets a very high degree of freedom to use the SME or not.

Question is can this work? Am i missing something very simple?

regards,

Jan

[Bob Todd]

Absolutely no reason why not that I can see - I am in a similiar situation in that I am currently setting up the following arrangement ::


adsl router ===>gnatbox firewall===>II===>Smoothwall===>Win2k server
                                                       II
                                               DMZ II
                                                       II
                                                  SME Web Mail Server

[Bob Todd]

dont you just hate it when the formatting screws up obviously the DMZ and SME box are supposed to be in a vertical line below the II in the line that starts "adsl router===>....."

[Bill Talcott]

Jan wrote:
>
> Hi all,
>
> I was wondering if the following will work.
>
> Internet => Hardware Router&Firewall => switch => PC's & SME55
>
> I want to put a second ethernet card in it put it on a
> different range and have the
> DMZ function on the hardware router point to this second
> ethernet card.
>
> I'm forced to have the switch in between the router and the
> SME55 because some of the users won't use the SME 55 as a
> gateway. Reason is that they are either stupid or generally
> anying people. ) Its cooperative setup where everyone gets
> a very high degree of freedom to use the SME or not.
>
> Question is can this work? Am i missing something very simple?
>
> regards,
>
> Jan

Yes, this will work. However, I'd like to know a little about why some people won't use it. When configured properly, the end-user wouldn't be able to tell the difference between a hardware router and an SME...

[Bob Todd]

maybe they are worried about their web access being monitored and logged through the SME proxy ? In which case I'd be insisting on all traffic being filtered through the proxy to make sure they are on the net for business use and not personal use.

[Jan]

Hi all and thanks for the respons!

Maybe they are worried about being monitor, I just don't know. They're VERY stubborn M$ users that just don't know what's good for them.

Another thing is that there was no need to use SME to gain access to the internet, the router did all. And since this is a private network in a student home under student management you soon find out why educational settings are sometimes referred to as ' organized anarchy' .

Another reason might be they simply don't trust what they don't know or understand. Forcing them to use SME is no option since they have physical access to the server and switch and will simply mess with the wiring and change it back. Maybe someday they will see the error of their ways... ?

I'll try this setup this weekend and will keep you informed of any progress.

Regards,

Jan

[Jochen Hoegerl]

Does your students pc's have static IP's ?? If not......
Confugure SME as Server & Gateway, enable DHCP, switch DHCP at your HW-Router off.....and just wait until they start their pc's....normally they don't even know that they are now using SME as the Gateway )

A HW-Router also log the connections they made.

jochen

[Jan]

You've guessed it, they are using static IP's ... that is... just three of fourteen really know what they're doing so maybe I could try that.

It's just that I want to keep the basic setup unchanged as a backup if, for some reason, the server fails. It could, its not a very new machine.

Well, if it works I'll let you know next weekend I hope.

regards,

Jan

[Bill Talcott]

If you take the router out of the mix, and give the SME the same IP, they probably won't even know it's changed, regardless of whether or not the IPs are static. Just make sure to exclude those IPs from the DHCP range...

If they each have public IPs, there is a "1 to 1 NAT" HowTo that explains how to forward everything coming in on another IP to a PC on the LAN. This would still allow them to "have their own IP" and not have to mess with NAT issues (for IM file transfers, etc.), while still going through the SME and eliminating the other router...

In short, the SME is the exact same thing as the hardware router, with some added features too.

[Craig Foster]

I generally set the adsl router (eg 10.0.0.1) to port forward 22,25,80,443 to the e-smith box external (10.0.0.2) and let everything else sit internal (192.168.0.1) with dhcp serving everyone else.

No worries so far, and it cuts down on hack attempts (nothing available except web, incoming SMTP, and upto date SSH (with internal port forwarding fromlocal machine's port 980 to localhost:980 in PuTTY

[Jan]

Hmm not a good day today....

Here's the setup

Internet
   I
Router/firewall/modem ADSL 192.168.1.*(forewarding some ports to SME)
   I
Switch -- SME 5.5 server only 192.168.1.*(one ethernet card)
   I
Client Comuters 192.168.1.*

This works fine for now but as I posted before I want to start using it as a gateway and server. I tried it but got into some trouble setting it up and als got some complaints so maybe I should ask here for full details first.

Here's the new setup I want to get working

Internet
   I
Router/firewall/modem ADSL 192.168.1.* (DMZ to SME5.5 on 10.0.0.*)
   I
Switch == SME 5.5 server and gateway external 10.0.0.* & internal 192.168.1.*
   I
Client Computers 192.168.1.*

The idea is I do NOT want to change the router setup from router to bridge or something like that nor put the SME in between router and clients (for the moment. Can this work?

Problems I ran into:
Once I set it up like this I couldn't ping the server's internal or external address
Once I gave my client a static IP in the 10.0.0.* range I could ping both addresses.
Both ethernet cards are of the same make and type so difficult to keep apart but I figured it shouldn't matter since both are connected to the same switch.
No connection to the internet

Any ideas?

Thanks in advance,

Jan