Koozali.org: home of the SME Server

Going from Win2k Server to SME , HELP

sicnus

Going from Win2k Server to SME , HELP
« on: August 01, 2006, 06:43:31 AM »
OK I've searched a good amount of the forum and found little about DNS Servers.  Currently my network runs where all the host computers have static IPs and I have a computer setup as a DNS server.

My plan is to do "gateway and server" I think is what SME Documentation calls it.  Have DNS comp as the server / gateway / firewall and other server as webserver SQL server.

My question is , can SME allow me to keep my same settings as far as DNS is concerned?  Does any part of my plan conflict with what SME is capable of doing?

EDIT: For 'gateway and server' option would onboard LAN and 1 pci LAN card work?  Lost my other LAN card :(

Thanks

NickCritten
Going from Win2k Server to SME , HELP
« Reply #1 on: August 01, 2006, 11:30:32 AM »
Hi Sicnus,

Do you mean that you want to keep a Win2k machine to do your DNS, and use the SME as your gateway only?
Or you want two SME's, with one doing your gateway and one doing your web/sql stuff?

Please clarify exactly what you want to do.


As for your network cards... It depends upon what they are! SME works with most common 10/100 cards and a few Gig cards.
Best bet is to just try it and see... SME only takes 15-30 minutes to install on newish hardware.
...
Nick

"No good deed goes unpunished." :-x...

sicnus

Going from Win2k Server to SME , HELP
« Reply #2 on: August 01, 2006, 06:22:06 PM »
I want to have the computer between my router and modem be a DNS server (so my host computers can keep static IPs) and be gateway.

Then have another SME server in my network to be my website / SQL server.

If SME is capable of doing what WIN2k is currently doing I'll go with SME, I just couldn't find the specific features in the documentation and wanted to see if people who have used the software might know if it's possible.

Thanks.

NickCritten
Going from Win2k Server to SME , HELP
« Reply #3 on: August 01, 2006, 06:36:42 PM »
SME can do all that in one box - no need to have two servers.

Setup one box in server gateway mode.
If you really really want to continue using static IP's on your LAN (Why not use DHCP?) then you just configure them so that the Gateway, DNS and WINS servers are the LAN address of the server.

e.g. SME LAN IP = 192.168.1.1/24

set your clients to be
IP 192.168.1.x
SM 255.255.255.0
DG 192.168.1.1
DNS 192.168.1.1
WINS 192.168.1.1

External resolution is handled automatically.
To create Host records for your PC's on the SME server, add the entries into "Hostnames" in server-manager. (When you are doing this you can also enter the MAC address of your PC's so that if you switch them over to DHCP, they will always get given the same address.)


If this is not what you were after, please post back and let us know
...
Nick

"No good deed goes unpunished." :-x...
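
The client settings from the reply above, turned into a consistency check over a small inventory of statically addressed machines. This is an added example, not part of the original post; the host names, MAC addresses and the inventory itself are constructed, and only the 192.168.1.1/24 server address comes from the thread.

```python
import ipaddress
from collections import Counter

# LAN address of the SME server, taken from the reply above.
SERVER_LAN = ipaddress.ip_interface("192.168.1.1/24")

# Constructed inventory of statically configured clients (hypothetical hosts).
CLIENTS = [
    {"name": "pc1", "ip": "192.168.1.10", "mask": "255.255.255.0",
     "gw": "192.168.1.1", "dns": "192.168.1.1", "wins": "192.168.1.1",
     "mac": "00:11:22:33:44:01"},
    {"name": "pc2", "ip": "192.168.1.11", "mask": "255.255.255.0",
     "gw": "192.168.1.1", "dns": "203.0.113.53", "wins": "192.168.1.1",
     "mac": "00:11:22:33:44:02"},
    {"name": "pc3", "ip": "192.168.2.20", "mask": "255.255.255.0",
     "gw": "192.168.1.1", "dns": "192.168.1.1", "wins": "192.168.1.1",
     "mac": "00:11:22:33:44:03"},
    {"name": "laptop", "ip": "192.168.1.10", "mask": "255.255.255.0",
     "gw": "192.168.1.1", "dns": "192.168.1.1", "wins": "192.168.1.1",
     "mac": ""},
]


def audit(clients, server=SERVER_LAN):
    """Return sorted (host, problem) pairs for settings that deviate."""
    net, srv = server.network, str(server.ip)
    ip_seen = Counter(c["ip"] for c in clients)
    mac_seen = Counter(c["mac"].lower() for c in clients if c["mac"])
    findings = []
    for c in clients:
        name, ip = c["name"], ipaddress.ip_address(c["ip"])
        if ip not in net:
            findings.append((name, "ip outside server LAN"))
        elif ip in (net.network_address, net.broadcast_address, server.ip):
            findings.append((name, "ip is reserved or the server's own"))
        if c["mask"] != str(net.netmask):
            findings.append((name, "subnet mask mismatch"))
        # A client resolving or routing elsewhere bypasses the server.
        for key in ("gw", "dns", "wins"):
            if c[key] != srv:
                findings.append((name, f"{key} does not point at server"))
        if ip_seen[c["ip"]] > 1:
            findings.append((name, "duplicate ip"))
        # Without a MAC the host cannot get a fixed DHCP lease later.
        if not c["mac"]:
            findings.append((name, "no mac recorded"))
        elif mac_seen[c["mac"].lower()] > 1:
            findings.append((name, "duplicate mac"))
    return sorted(findings)


if __name__ == "__main__":
    for host, problem in audit(CLIENTS):
        print(f"{host}: {problem}")
```
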

sicnus

Going from Win2k Server to SME , HELP
« Reply #4 on: August 01, 2006, 08:12:36 PM »
The initial reason I set up Static IPs was so port forwarding would be easier, because with changing IPs I would have to change which computer gets what incoming Ports...Also because I wanted to have very simple and secure windows domain file sharing...but glad to hear SME can do what I want , Thanks :)

EDIT:  Would having everything (web , dns , sql and so on) on one box be a security issue compared to 2 boxes or is SME just that good when it comes to security?  I for sure want to have the box that sits between my modem and router to have a very strong firewall setup,  which is why a friend pointed me in SME's direction

sicnus

ONE LAST QUESTION
« Reply #5 on: August 02, 2006, 01:44:52 AM »
Currently I have a windows domain setup.  All the computers you either log in to local machine or to domain, and it makes file sharing and running the network and controlling users and groups easy...

Does SME allow me to still have a domain?

sonoracomm
Going from Win2k Server to SME , HELP
« Reply #6 on: August 02, 2006, 07:00:19 AM »
Yes, SME servers work great as domain controllers.  Only under rare circumstances do I not turn on the domain controller functionality and join all the workstations to the domain.

Nick is right, make your life simpler.  Just install one SME server.  This ain't Windows.  And definitely switch to DHCP.  If you use Nick's suggestion to enter the MAC addresses, you then also get the benefits of static address reservations.

Not that SME is insecure as a gateway...it is not...but I almost never use them that way.  I generally install a firewall/router/NAT device on the 'edge' then I just forward a few ports into my (Server-Only) server as necessary.

As long as you use a password stronger than 'password' SME is very secure.

G

NickCritten
Going from Win2k Server to SME , HELP
« Reply #7 on: August 02, 2006, 11:57:54 AM »
If you really want a separate box between your router and Modem, you want to use something like IPCop for that... SME's Firewall is very secure, but not very configurable, so if I were to set up a Box to act purely as a firewall, I'd use a distro that is purely designed for the Job.

Having said that, unless you are worried about someone hacking into your router, there really is no need.

Just rig yourself up with

Internet
  |
Modem
  |
Router
  |
SME (Server/gateway)
  |
LAN----------¬
  |          |
PC1         PC2




If you have Multiple "Real" IP addresses, then you want something like this:

Internet
  |
Modem
  |
Router
  |
IP COP
  |
LAN----------¬-----------¬
  |          |           |
PC1         PC2   SME (Server Only)
...
Nick

"No good deed goes unpunished." :-x...

sicnus

Going from Win2k Server to SME , HELP
« Reply #8 on: August 03, 2006, 05:27:29 AM »
Thanks for the feedback :)

If I were to try and create an IPcop or SME firewall box behind the router and in front of the LAN how would I share the connection...switch?

Ok I'm not very up to the times on firewall and security technology , if I have a router up (Dlink vpn router, new) should I not worry about firewalls?  By what means do I go about keeping people and viruses from getting into my network?

again Thanks

NickCritten
Going from Win2k Server to SME , HELP
« Reply #9 on: August 03, 2006, 10:07:28 PM »
It depends upon how configurable you want the system to be, also it depends upon whether you get Static IP's or dynamic, and if you get static, how is it delivered? (Different countries do it in different ways on different technologies.)


As an example, at home I've got an 8Meg ADSL Line, which feeds into a Westel ADSL Modem/Router.
This router has a very clever mode on it whereby it actually 'Gives' its external, Static IP that was picked up by DHCP from the ISP to a device behind it. (Most routers are incapable of this, but have a similar function, where they forward all ports to an internal IP)

In this case the device it gives its IP to is an SME7 server in server/gateway mode (and is therefore my Firewall).
Behind the SME is an 8Port Switch and off that I have Two PC's, a Network printer and a Wireless access point, which then connects to my and my Fiancee's laptops.


In several Businesses I have set up, they have ADSL, but they have Multiple Static IP's, which are routed the 'traditional' way (No-NAT) by a modem/router. This connects to an IPCop box, which does the firewalling and port forwarding, and connects to a switch, then the SME in server only mode and all the clients connect to that.


You don't really have to worry about protecting your router, as it will only allow you to log into it from inside your network - Just make sure its login is protected with a nice Strong password.

Can you give some more info and we can recommend a setup for you?
...
Nick

"No good deed goes unpunished." :-x...

sicnus

Going from Win2k Server to SME , HELP
« Reply #10 on: August 03, 2006, 10:38:50 PM »
Hope I am providing useful info.

I have a cable connection, dynamic IP (But rarely changes) that goes to a BestData modem.  The modem then goes to a DI-808HV D-Link router...8Port , VPN , Virtual Servers (instead of port forwarding).  After that I have a wireless router I use as an access point (DHCP off , static IP, gains Domain from my DNS server).  My machines are as follows

Server 1: 1.2ghz , 512mb ram , 40gb
Server 2: 2 MP 1.2ghz , 1gb ram , 40gb
And then 3 host computers in the network.

What I'm trying to accomplish is based on the place where I work as a website programmer.

1) Web server - ASP.NET and SQL Server (so have to use windows IIS)
2) SQL Server Also a file storing sharing system for website and Intranet setup and for use with VPN
3) DNS Server (Like having static IPs...or SME DHCP w/ mac)
4) Print server (1 laser parallel port 1 color usb)
5) I want to use one strong firewall to protect my entire network.
6) Once my network is secure I intend to use Symantec anti-virus and what not

That's all I can think of at the moment.

If I use just one computer for security and servers I'd obviously use the dual proc computer...I built it 5 years ago but it still runs fine.  Maybe one day I might do FTP and Mail server but not yet.

Just an idea...Could I turn the slower of 2 servers into firewall , run that to my router which will turn into a switch ... only reason I'd hesitate is that'd probably mean I lose VPN server ability.

Anyway thanks for replies :) hope this info is useful

NickCritten
Going from Win2k Server to SME , HELP
« Reply #11 on: August 03, 2006, 11:31:29 PM »
OK I reckon you want

Modem
   |
Router
   |
IpCop
   |
Switch & Wireless Router---¬------¬
   |         |      |      |      |
SMEServer   PC     PC     PC   Laptop etc



Router has a firewall in it already
IPCop can be your second firewall and will do your VPN stuff if you have trouble getting the router set up in this config
SME can do your Web, SQL, DNS, e-mail, Domain Controller, Network storage etc


You could also swap the IPCop & Router around if you wanted to retain the router's VPN abilities, or do away with the IPCop box altogether - Depending upon how much you trust the firewall in the router...
...
Nick

"No good deed goes unpunished." :-x...

raem
Going from Win2k Server to SME , HELP
« Reply #12 on: August 04, 2006, 12:10:37 AM »
sicnus

I would think that a sme server in gateway server mode will do what you want quite well. I suggest rearranging your network though to simplify things. Have a modem in front of the server and a hub on the LAN side.
Your existing router can function as the switch/hub if you reconfigure it.
Connect your wireless router to the hub for local wireless access.
Put your windows server for the asp.net stuff behind the sme, connected to the LAN hub, and port forward to it or proxy pass to it. Port forwarding is built in to sme and there is a contrib for proxy pass.


> I have a cable connection, dynamic IP

So for any domains you configure, you will need to use a dynamic IP management service like dyndns.org to track your dynamic IP as it changes. sme will do this automatically for yi.org & dyndns.org domains if configured for gateway server mode.
If set to server only behind another firewall/router, you will need to use the ddclient contrib or similar.


> 1) Web server - ASP.NET and SQL Server (so have to use windows IIS)
> 2) SQL Server Also a file storing sharing system for website and
> Intranet setup and for use with VPN
> 3) DNS Server (Like having static IPs...or SME DHCP w/ mac)
> 4) Print server (1 laser parallel port 1 color usb)
> 5) I want to use one strong firewall to protect my entire network.
> 6) Once my network is secure I intend to use Symantec anti-virus and
> what not

sme will do all the above except the asp.net stuff
It can be configured as a DHCP server (with automatic IP allocation) & domain controller OR you can configure hostnames and manually allocate static IPs to local users devices including workstations & network printers.
It has mysql built in which is a very powerful db, which can be configured for external access.
It has tinydns & dnscache built in (which access external root servers) to provide (web) DNS services to your local network. You do not need to use or specify external DNS servers in most situations unless you have very specific & non standard needs.
It has a printer server built in that works in pass through mode, so no driver conflicts etc & supports network devices.
It has a secure firewall built in, using iptables. If configured in gateway server mode, the sme server is very secure. I have never heard of any breaches of the firewall in 6 years of use. You do not need to use separate firewalls as the sme firewall is secure.
It has built in virus & spam features, eg RBL rejection, executable content rejection, & other email system features to stop nasty mail from nasty sources, as well as clamav scanning of incoming & outgoing email and spam filtering using spamassassin. You can run full server scans using the built in clamscan as well.
sme has a fully functional web server using Apache, and you can set up & host unlimited domains & web sites.

With only three users either of those boxes you mention should run adequately, unless you use a lot of webmail externally or other web applications on your server. Just add more RAM if found necessary.


>  Maybe one day I might do FTP and Mail server but not yet.

The sme server has these features built in, but you simply don't use them if you don't need them. ftp is disabled by default, but the mail server is enabled.

Being on a Cable connection though, you may want to check if all services are supported, in Australia our cable providers tend to block ports to stop people setting up web & email servers & other services.


> Could I turn the slower of 2 servers into firewall , run that to my router which will turn into a switch ...

Just use sme in gateway server mode, no need for separate firewalls as explained above, you are unlikely to gain any extra security benefit by having a separate firewall. There are masq manager contribs for simple firewall tweaking and you can edit iptables rules via custom templates for advanced firewall adjustments, if needed.
sme7 has quite a few command line db entry possibilities to control connections eg for spam sources and ssh sources by IP eg Deny & Allow certain IPs. This provides the ability for relatively simple user control without needing to get involved in iptables complexities.

You can use your existing router as a switch and that can function as the LAN side hub/switch.


>...only reason I'd hesitate is that'd probably mean I lose VPN server ability.

sme server has a VPN server built in also, it allows access from Windows workstations running the VPN client quite OK despite some people's comments to the contrary. I believe many people's VPN problems relate to extra equipment in the pathway that is not fully VPN compliant.
sme in gateway server mode with only an ADSL modem in front of it works well for me.
There are also add on contribs for IPSEC VPN if you need more from VPN eg permanent tunnels between offices & between sme servers.
...

sicnus

Going from Win2k Server to SME , HELP
« Reply #13 on: August 04, 2006, 07:56:30 AM »
Thanks for the guidance...I'll mull it over and try and decide which approach to take.  My computer recently took a few hits from malicious software and I have not recently installed or downloaded anything to my knowledge that could contain a virus so I got worried maybe there was a person in my network.  Also one of the viruses I found is a well known trojan (some virus that hides as svchost.exe) and knowing that I started to want stronger firewalls and ability to monitor incoming and outgoing TCP/IP traffic and scan packets to make sure only thing going in and out of my network is what I or other users request.

I've searched for "multithread" and only 1 result comes up...any idea if SME is programmed to be multithreaded?  I know windows 2000 server (OS i use on servers) supports my dual machine.  Just curious.

Again thanks for the help, I'll have to figure out which way works best for me....be nice to rid of 1 server...gets hot in my room with laptop, gaming machine/main computer and 24/7 servers.

raem
Going from Win2k Server to SME , HELP
« Reply #14 on: August 04, 2006, 10:10:35 AM »
sicnus

> My computer recently took a few hits from malicious software ....
> ...I got worried maybe there was a person in my network
> ...i started to want stronger firewalls....
>...make sure only thing going in and out of my network is what I or other users request.

What you or other users request is more likely to be the actual problem.
The firewall is not likely to be the culprit in letting viruses in to your network.
You probably got them in an email (therefore the need for good email virus filtering), or downloaded them inadvertently from an infected or bogus website (both are issues with the browser you use & its security & not with the firewall)

The most common way a hacker gets into your web connected server is via buggy web applications that you are running especially php apps eg forum or photo gallery or cms software etc.
You really need to keep all web connected applications on your servers up to date with the latest security fixes etc.

> ...any idea if SME is programmed to be multithreaded?  

sme supports multi processors or dual processor chips & Pentiums etc.
...