Topic: Going from Win2k Server to SME , HELP

[sicnus]

OK I've searched a good amount of the forum and found little about DNS Servers.  Currently my network runs where all the host computers have static IPs and I have a computer setup as a DNS server.

My plan is to do "gateway and server" i think is what SME Documentation calls it.  Have DNS comp as the server / gateway / firewall and other server as webserver SQL server.

My question is , can SME allow me to keep my same settings as far as DNS is concerned?  Does any part of my plan conflict with what SME is capable of doing?

EDIT: For 'gateway and server' option would onboard LAN and 1 pci LAN card work?  Lost my other LAN card

Thanks

[NickCritten]

Hi Sicnus,

Do you mean that you want to keep a Win2k machine to do your DNS, and use the SME as your gateway only?
Or you want two SME's, with one doing your gateway and one doing your web/sql stuff?

Please clarify exactly what you want to do.


As for your network cards... It depends upon what they are! SME works with most common 10/100 cards and a few Gig cards.
Best bet is to just try it and see... SME only takes 15-30 minutes to install on newish hardware.

[sicnus]

I want to have the computer between my router and modem be a DNS server (so my host computers can keep static IPs) and be gateway.

Then have another SME server in my network to be my website / SQL server.

If SME is capable of doing what WIN2k is currently doing I'll go with SME, I just couldn't find the specific features in the documentation and wanted to see if people who have used the software might know if it's possible.

Thanks.

[NickCritten]

SME can do all that in one box - no need to have two servers.

Setup one box in server gateway mode.
If you really really want to continue using static IP's on your LAN (Why not use DHCP?) then you just configure them so that the Gateway, DNS and WINS servers are the LAN address of the server.

e.g. SME LAN IP = 192.168.1.1/24

set your clients to be
IP 192.168.1.x
SM 255.255.255.0
DG 192.168.1.1
DNS 192.168.1.1
WINS 192.168.1.1

External resolution is handled automatically.
To create Host records for your PC's on the SME server, add the entries into "Hostnames" in server-manager. (When you are doing this you can also enter the MAC address of your PC's so that if you switch them over to DHCP, they will always get given the same address.)


If this is not what you were after, please post back and let us know

[sicnus]

The initial reason I setup Static IPs was so port forwarding would be easier, because with changing IPs I would have to change which computer gets what incoming Ports...Also because I wanted to have very simple and secure windows domain file sharing...but glad to here SME can do what I want , Thanks

EDIT:  Would having everything (web , dns , sql and so on) on one box be a security issue compared to 2 boxes or is SME just that good when it comes to security?  I for sure want to have the box that sits between my modem and router to have a very strong firewall setup,  which is why a friend pointed me in SME's direction

[sicnus]

Currently I have a windows domain setup.  All the computers you eirther log in to local machine or to domain, and it makes file sharing and running the network and controlling users and groups easy...

Does SME allow me to still have a domain?

[sonoracomm]

Yes, SME servers work great as domain controllers.  Only under rare circumstances do I not turn on the domain controller functionality and join all the workstations to the domain.

Nick is right, make your life simpler.  Just install one SME server.  This ain't Windows.  And definitely switch to DHCP.  If you use Nick's suggestion to enter the MAC adresses, you then also get the benefits of static address reservations.

Not that SME is insecure as a gateway...it is not...but I almost never use them that way.  I generally install a firewall/router/NAT device on the 'edge' then I just forward a few ports into my (Server-Only) server as necessary.

As long as you use a password stronger than 'password' SME is very secure.

G

[NickCritten]

If you really want a seperate box between your router and Modem, You want to use something like IPCop for that... SME's Firewall is very secure, but not very configurable, so if I were to set up a Box to act purely as a firewall, I'd use a distro that is purely designed for the Job.

Having said that, unless you are worried about someone hacking into your router, there really is no need.

Just rig yourself up with

Code: [Select]

Internet
  |
Modem
  |
Router
  |
SME (Server/gateway)
  |
LAN----------¬
  |          |
PC1         PC2



If you have Multiple "Real" IP addresses, then you want something like this:

Code: [Select]

Internet
  |
Modem
  |
Router
  |
IP COP
  |
LAN----------¬-----------¬
  |          |           |
PC1         PC2   SME (Server Only)

[sicnus]

Thanks for the feedback

If I were to try and create a IPcop or SME firewall box behind the router and infront the LAN how would i share the connection...switch?

Ok I'm not very up to the times on firewall and security technology , if I have a router up (Dlink vpn router, new) should i not worry about firewalls?  By what means do i go about keeping people and viruses from getting into my network?

again Thanks

[NickCritten]

It depends upon how configurable you want the system to be, also it depends upon whether you get Static IP's or dynamic, and if you get static, how is it delivered? (Different countries do it in different ways on different technologies.


As an example, at home I've got a 8Meg ADSL Line, which feeds into a Westel ADSL Modem/Router.
This router has a vey clever mode on it whereby it actually 'Gives' its external, Static IP that was picked up by DHCP from the ISP to a device behind it. (Most routers are incapable of this, but have a similar function, where they forward all ports to an internal IP)

In this case the device it gives its IP to is an SME7 server in server/gateway mode (and is therefore my Firewall).
Behind the SME is an 8Port Swicth and off that I have Two PC's, a Network printer and a Wireless access point, which then connects to my and my Fiancee's laptops.


In several Businesses I have set up, they have ADSL, but they have Multiple Static IP's, which are routed the 'traditional' way (No-NAT) by a modem/router. This connects to an IPCop box, which does the firewalling and port forwarding, and connects to a switch, then the SME in server only mode and all the clients connect to that.


You don't really have to worry about protecting your router, as it will only allow you to log into it from inside your network - Just make sure its login is protected with a nice Strong password.

Can you give some more info and we can recommend a setup for you?

[sicnus]

Hope I am providing useful info.

I have a cable conection, dynamic IP (But rarely changes) that goes to a BestData modem.  The modem then goes to a DI-808HV D-Link router...8Port , VPN , Virtual Servers (instead of port forwarding).  After that I have a wireless router I use as an accesspoint (DHCP off , static IP, gains Domain from my DNS server).  My machines are as follows

Server 1: 1.2ghz , 512mb ram , 40gb
Server 2: 2 MP 1.2ghz , 1gb ram , 40gb
And then 3 host computers in the network.

What I'm trying to accomplish is based on the place where I work as a website programmer.

1) Web server - ASP.NET and SQL Server (so have to use windows IIS)
2) SQL Server Also a file storing sharing system for website and Intranet setup and for use with VPN
3) DNS Server (Like having static IPs...or SME DHCP w/ mac)
4) Print server (1 laser parallel port 1 color usb)
5) I want to use one strong firewall to protect my entire network.
6) Once my network is secure I intend to use Symantic anti-virus and what not

That's all I can think of at the moment.

If I use just one computer for security and servers I'd obviously use the dual proc computer...I built it 5 years ago but it still runs fine.  Maybe one day I might do FTP and Mail server but not yet.

Just an idea...Could I turn the slower of 2 servers into firewall , run that to my router which will turn into a switch ... only reason I'd hesitate is that'd probably mean I lose VPN server ability.

Anyway thanks for replies hope this info is useful

[NickCritten]

OK I recon you want

Code: [Select]

Modem
   |
Router
   |
IpCop
   |
Switch & Wireless Router---¬------¬
   |         |      |      |      |
SMEServer   PC     PC     PC   Laptop etc


Router has a firewall in it already
IPCop can be your second firewall and will do your your VPN stuff if you have trouble getting the router set up in this config
SME can do your Web, SQL, DNS, e-mail, Domain Controller, Network storage etc


You could also swap the IPCop & Router around if you wanted to retail the routers VPN abilities, or do away with teh IPCop box altogether - Depending upon how much you trust the firewall in the router...

[raem]

sicnus

I would think that a sme server in gateway server mode will do what you want quite well. I suggest rearranging your network though to simplfy things. Have a modem in front of the server and a hub on the LAN side.
Your existing router can function as the switch/hub if you reconfigure it.
Connect your wireless router to the hub for local wireless access.
Put your windows server for the asp.net stuff behind the sme, connected to the LAN hub, and port forward to it or proxy pass to it. Port forwarding is bulit in to sme and there is a contrib for proxy pass.


> I have a cable conection, dynamic IP

So for any domains you configure, you will need to use a dynamic IP management service like dyndns.org to track your dynamic IP as it changes. sme will do this automatically for yi.org & dyndns.org domains if configured for gateway server mode.
If set to server only behind another firewall/router, you will need to use the ddclient contrib or similar.


> 1) Web server - ASP.NET and SQL Server (so have to use windows IIS)
> 2) SQL Server Also a file storing sharing system for website and
> Intranet setup and for use with VPN
> 3) DNS Server (Like having static IPs...or SME DHCP w/ mac)
> 4) Print server (1 laser parallel port 1 color usb)
> 5) I want to use one strong firewall to protect my entire network.
> 6) Once my network is secure I intend to use Symantic anti-virus and
> what not

sme will do all the above except the asp.net stuff
It can be configured as a DHCP server (with automatic IP allocation) & domain controller OR you can configure hostnames and manually allocate static IPs to local users devices including workstations & network printers.
It has mysql built in which is a very powerful db, which can be configured for external access.
It has tinydns & dnscache built in (which access external root servers) to provide (web) DNS services to your local network. You do not need to use or specifiy external DNS servers in most situations unless you have very specific & non standard needs.
It has a printer server built in that works in pass through mode, so no driver conflicts etc & supports network devices.
It has a secure firewall built in, using iptables. If configured in gateway server mode, the sme server is very secure. I have never heard of any breaches of the firewall in 6 years of use. You do not need to use seperate firewalls as the sme firewall is secure.
It has built in virus & spam features, eg RBL rejection, executable content rejection, & other email system features to stop nasty mail from nasty sources, as well as clamav scanning of incomg & outgoing email and spam filtering using spamassassin. You can run full server scans using the built in clamscan as well.
sme has a fully functional web server using Apache, and you can set up & host unlimited domains & web sites.

With only three users either of those boxes you mention should run adequately, unless you use a lot of webmail externally or other web applications on your server. Just add more RAM if found necessary.


>  Maybe one day I might do FTP and Mail server but not yet.

The sme server has these features built in, but you simply don't use them if you don't need them. ftp is disabled by default, but the mail server is enabled.

Being on a Cable connection though, you may want to check if all services are supported, in Australia our cable providers tend to block ports to stop people setting up web & email servers & other services.


> Could I turn the slower of 2 servers into firewall , run that to my router which will turn into a switch ...

Just use sme in gateway server mode, no need for seperate firewalls as explained above, you are unlikely to gain any extra security benefit by having a seperate firewall. There are masq manager contribs for simple firewall tweaking and you can edit iptables rules via custom templates for advanced firewall adjustments, if needed.
sme7 has quite a few command line db entry possibilities to control connections eg for spam sources and ssh sources by IP eg Deny & Allow certain IPs. This provides the ability for relatively simple user control without needing to get involved in iptables complexities.

You can use your existing router as a switch and that can function as the LAN side hub/switch.


>...only reason I'd hesitate is that'd probably mean I lose VPN server ability.

sme server has a VPN server built in also, it allows access from Windows workstations running the VPN client quite OK despite some peoples comments to the contrary. I believe many peoples VPN problems relate to extra equipment in the pathway that is not fully VPN compliant.
sme in gateway server mode with only a ADSL modem in front of it works well for me.
There are also add on contribs for IPSEC VPN if you need more from VPN eg permanent tunnels between offices & between sme servers.

[sicnus]

Thanks for the guidance...I'll mull it over and try and decide which approach to take.  My computer recently took a few hits from malicious software and I have not recently installed or downloaded anything to my knowledge that could contain a virus so I got worried maybe there was a person in my network.  Also one the viruses I found is a well known trojan (some virus that hides as svchost.exe) and knowing that i started to want stronger firewalls and ability to monitor in coming and outgoing TCP/IP traffic and scan packets to make sure only thing going in and out of my network is what I or other users request.

I've searched for "multithread" and only 1 result comes up...any idea if SME is programmed to be multithreaded?  I know windows 2000 server (OS i use on servers) supports my dual machine.  Just curious.

Again thanks for the help, I'll have to figure out which way works best for me....be nice to rid of 1 server...gets hot in my room with laptop, gaming machine/main computer and 24/7 servers.

[raem]

sicnus

> My computer recently took a few hits from malicious software ....
> ...I got worried maybe there was a person in my network
> ...i started to want stronger firewalls....
>...make sure only thing going in and out of my network is what I or other users request.

What you or other users request is more likely to be the actual problem.
The firewall is not likely to be the culprit in letting viruses in to your network.
You probably got them in an email (therefore the need for good email virus filtering), or downloaded them inadavertantly from a infected or bogus website (both are issues with the browser you use & it's security & not with the firewall)

The most common way a hacker gets into your web connected server is via buggy web applications that you are running especially php apps eg forum or photo gallery or cms software etc.
You really need to keep all web connected applications on your servers up to date with the latest security fixes etc.

> ...any idea if SME is programmed to be multithreaded?  

sme supports multi processors or dual processor chips & Pentiums etc.

[NickCritten]

I missed the bit about a single dynamic IP - sorry.

In that case I agree with Ray - Don't use another Firewall Box, there's no need.

I personally have had issues with PPTP session and SME, but haven't used it on SME 7 final yet.
I also have had isses setting up IPSEC VPN's on SME before now, but again I haven't tried in a while.
IPCops IPSEC implemetation is very good and very mature, and I've never had issue with it, which was another reason for suggesting it.

Also remember that the Dyanamic DNS will ONLY work if your Modem gives the Dynamic IP to the SME, rather than passing all traffic through to an internal IP.

Let us know how you get on.

[sicnus]

Just to make sure I got this straight...

Modem>SME Server Gateway/Server>Router/Switch>Lan-WirelessAccesspoint-IIS ASP Server

Use the gateway server as the firewall and all the servers I need except webserver, also have those dynamic domain name sites connect to it...then turn router to a switch...and use the SME gateway server as my VPN Server?  And port forward and what not HTTP requests to my web server.

Looks like SME has it all.  thanks for the help...few more days till I'll be able to start installing.

[raem]

sicnus

>...Modem>SME Server Gateway/Server>Router/Switch>Lan-
>...WirelessAccesspoint-IIS ASP Server
> Use the gateway server as the firewall

Yes, that's the idea.


>...  and all the servers I need except webserver

Note that sme server is quite a capable web server running Apache, so you can do unlimited web site hosting on it, except for the asp stuff, which I gather needs a Windows IIS server.


>..also have those dynamic domain name sites connect to it..

configure those domians in dyndns.org or yi.org first, to point to your sme server's current dynamic IP, and configure sme to use the dynamic service in the initial setup screens to track changes in the servers dynamic IP and update external records.


>... then turn router to a switch...
>...use the SME gateway server as my VPN Server?  

Yes

> port forward and what not HTTP requests to my web server.

Port forwarding is built in, you may want to install the proxy pass  contrib to forward www requests to another server on your network, see the contribs server manager panel for details.
The proxy pass contrib is
ftp://ftp.firewall-services.com/smeserver-proxypass-0.0.2-1.noarch.rpm


> ...WirelessAccesspoint

Have a look at the specification of that device to see that it can happily reside as a LAN network device with a fixed local IP, and that you can configure it to use the sme servers local IP as it's gateway.


In the sme initial configurations screens, you will reserve a range of IPs to manually allocate to LAN devices, that are not then automatically used by sme DHCP server.

[raem]

sicnus

It sounds like you have never used sme server before, and are about to make major changes to your live production network.

I would suggest caution, you perhaps would be wise to install sme 7 on a test box (an old second hand low powered box would do) & configure it in server only mode, and allocate a unused local IP to it.
Attach it to your network and use it & get to know it & the feature set etc. At some point you can disconnect it from your network and reconfigure it in gateway/server mode to see what the differences are.
You can temporarily connect it to a dial up account or to your main Internet connection to test the dynamic IP functionality etc.
Then when you are familiar with configuring & using it, & understand it a whole lot better than you do now, you can look at rearranging your whole network as discussed.

[sicnus]

Ya I only have network experience with Win2k Server.

Quick question about hardware aspect of SME.  With SME is it better to have more ram/cpu power for the gateway/server or for the windows webserver/SME mail server.

Also in the network I currently work on; users CTRL ALT DELETE to log in and device/file sharing is very easy and so is setting permissions.  What is logging in and file sharing like with SME...read the manual but I'm curious as to what it is like from a SME user's point of view.

Thanks

[raem]

sicnus

>...With SME is it better to have more ram/cpu power for the
> gateway/server or for the windows webserver/SME mail server.

It depends on what you are doing on the server. If you need to run web applications with lots of concurrent users, then you need more processing power.
In most situations, more RAM will give better performance generally speaking. The virus scanning and spam filtering systems are pretty processor and RAM intensive.
From the usage you have suggested, either computer will do either job satisfactorily.

> Server 1: 1.2ghz , 512mb ram , 40gb
> Server 2: 2 MP 1.2ghz , 1gb ram , 40gb

Server2 would obviously be better to use as your main gateway server/mail server, as it has more processor speed and RAM to handle email & virus & spam scanning etc.
But then again your Windows server will likely be in more need of grunt, so perhaps the Windows server should be Server2 spec, and the sme gateway server/mail server can be Server1 spec (1.2Gb/512Mb will run OK just add more RAM if you find it neeeds it).


>..users CTRL ALT DELETE to log in and device/file sharing is very easy
> and so is setting permissions.  What is logging in and file sharing like
> with SME

You would be best to configure your sme server as Domain Controller & DHCP server & DNS server, and set up your users there. They can login & authenticate for access to other workstations/servers on the domain.
Disable these functions (& browsemaster too) in any Windows servers or you will have conflicts/problems.
You can set up a logon.bat script on the sme server domain controller.
File sharing is done by setting up ibays and mapping them as drive letters in the logon.bat file.
sme server is primarily designed to be used in networks with Windows workstations, although some of the more advanced proprietary Microsoft functionality is not available in samba (as it is proprietary) eg Active Directory. Permissions do not work the same, you have slightly less configuration control of groups & files with sme compared to Windows, but sme is still very secure it that regard.

[sicnus]

One last question...

I've got the hardware all setup, all components test fine.  Is it possible to install everything without annoying errors or problems having the machine not hooked up to the internet...since I'm going to use the machine as a server/gateway between a modem and switch I can't take down network too long and have SME installation take longer than expected.  For example, registering for a dynamic domain name from one the preset sites, will that be a problem if the machine is not in it's final possition as far as internet connections and possition in the network goes?

Thanks

[raem]

sicnus

The sme server in gateway mode will act as a router, so you must get the Internet connection up & running in order for workstations to get Internet access. There is a test menu on the admin console (login as admin to see this). If your hardware is OK, it should only take a few minutes to configure the basic settings once the OS install is complete.

You won't get connection errors on screen but they will be logged.

[sicnus]

having server as gateway/server and turning router to a switch...

to turn router to switch, disable dhcp, plug modem to gateway/server , plug gateway/server to switch's WAN then lan to switch's LAN?  Just double checking things again  

Thanks for the help

[NickCritten]

To use your router as switch, just disable DHCP, then only use the LAN ports -Ignore the WAN port

[Carbon]

I have a fixed IP
       ||
I have a ADSL modem/router.
The gateway is 192.168.0.1
I have set the DMZ in the modem/router to be 192.168.0.100
        ||
        ||
I have set up the external SME card to use the DMZ (192.168.0.100)
I have set the internal card to 10.0.0.1
        ||
I plug my switch into the internal card
and the switch feeds my LAN PC's (3)

Don't know what I'm doing but it feels right!

[NickCritten]

Carbon:

That looks good, That's a classic setup in Server/Gateway.

Although I wouldn't use a 10. range for your LAN (Unless you've subnetted it down to a /24 or higher BitMask)
I'd just use a different 192.168.x.x Network on your LAN... e.g.

192.168.0.0 for your outside, and 192.168.1.0 for your inside

[sicnus]

Hurray got SME installed , had a few problems passing the internet test but I worked after about 30minutes.

DUring installation after asks for admin pw, and I have to enter domain...say I enter home.com...and i use dyndns.org to register a domain.  how do the 2 relate?  Will they conflict?  or is the home.com domain only for the LAN side of things..just wanna clarify, rest assured I'll be spending all night after work setting things up, hopefully incedant free.

[NickCritten]

The DNS Server on your SME is internally facing only so it won't conflict with your DynDNS entry...

On the inside, your SME resolves server.example.com to the SME's LAN IP
On the outside, DynDNS resolves server.example.com to your public IP

[raem]

sicnus

>... I have to enter domain...say I enter home.com...and i use dyndns.org > to register a domain.  how do the 2 relate?

You should make the server's main domain name the same as your dyndns.org domain name.

[sicnus]

Ray, I understand and see the logic in what you mean but I'm unclear on one part...say my Dnydns.org host name is www.whatever.homeip.net

what should my primary domain be on my main server?  whatever.homeip.net?

Will the windows host in my network join the domain the server creates for the network?  I really didn't want to use workgroups, never liked them.

[NickCritten]

Yes, your server's domain should be whatever.domain.com

e.g. My domain is lmeit.co.uk, My Server is called aquarius so it is aquarius.lmeit.co.uk, but also has hostnames www.lmeit.co.uk and mail.lmeit.co.uk
I have DNS entries on Internet DNS servers that point www.lmeit.co.uk and mail.lmeit.co.uk to my Public IP address.


Once you are up and running, you can set your SME to be a domain controller, and add your 2K/XP clients to the domain.

A 'domain' in the windows sense is just a workgroup with centralised authentication & authorisation (i.e. a server does all the username/password stuff) apart from this and a little central control there is no difference between workgroups and domains.