Topic: Best network configuration

[uomonet]

Hi SME people!
Just a few easy questions...
Today, every ADSL router has an internal firewall. Which is the best configuration of the router to work with SME?
- Set the NAT of the router to forward all ports to SME and disable the internal firewall;
- Set the NAT of the router to forward all ports to SME and use the internal firewall to forward only the ports needed as described in the FAQs;
- Set the NAT of the router to forward only the ports needed as described the FAQs and disable the internal firewall;
- Set the NAT of the router and firewall to forward only the ports needed as described the FAQs;
- Use the DMZ function in the router/firewall;
Which is the best, which one do you use?

As for the "local networks" feature, how can I set up 2 separated local networks?
I have an internet cafè and I need 2 different local networks, 1 for my PCs  and 1 for the costumers PCs wich I want to monitor with "SARG" contrib.
- Do I have to use 3 different NICs? (1 external, 1 internal, 1 internal for internet cafè costumers) ?
- How do I setup SME to work with 3  NICs?
- Do you know an open source internet cafè managing software?

[mmccarn]

How about this:

Code: [Select]

Internet
   |
DSL Router
 |       +--------Office_PCs
SME  
 |
Customer PCsYour customers have to go through the SME, but your Office machines don't.

As for port forwarding vs. DMZ - will you be hosting public services on the SME?  If so, I'd recommend simply forwarding the ports you need to have public to the SME.  If you only want Sarg reports on your customers, you don't need to have any ports open to the SME.

I tend to work on the theory that you can't have too much firewall -- so I wouldn't turn off the firewall in the router until you suspect it's causing problems, and I wouldn't switch from port-forwarding to DMZ mode until I suspected that that would solve some problem, too.  It's easier to open a new firewall port when needed than it is to close one once it's too late.

[uomonet]

Thank you for your answer mmccarn

How about this:

Code:
Internet
   |
DSL Router
 |       +--------Office_PCs
SME  
 |
Customer PCs
Your customers have to go through the SME, but your Office machines don't.

unfortunately I use SME also as File & Mail server for the office PCs, so I can't switch the server to the internet user, and I wouldn't put another server...
Can one SME manage 2 separated local networks?

[mmccarn]

SME only supports two physical networks - "LAN" and "WAN".

However, since you *do* have the dsl router acting as a firewall, you can add the "wan" network (your "office_pcs") as a "local network" and I think you'll be able to use the SME as a file & mail server...

[yahooking]

If you don't want your offline pcs to get on the internet manualy give them an ip addy, and leave the dns servers out, then manually add server names into the hosts file. that should work.

[CharlieBrady]

Today, every ADSL router has an internal firewall.

If possible, disable the router and firewall functions, and use the router as a modem. It might be called "bridged mode".

[Happy]

I have this setup.
I would like to know the easiest method to give both the Home_Pcs and the Friend's PCs access to the file server on SME server.
I figured I could do it using Server and Gateway mode, however that simply denies the Home_Pcs access to the file server as they would be accessing through the external nic.

When I gave separate ip subdomains to both the external and internal nic I found that using microsoft windows sharing they can not see each other.

I was wandering what options I could have to give friend's pcs access to both SME server and Home Pcs via windows shares (and vice versa for the Home PCs).

Any suggestions?

Code: [Select]

Internet
   |
4 port wireless DSL Router (192.168.1.254)
 |       +--------Home_Pcs (192.168.1.*)
SME (server only mode) (Currently 192.168.1.221)
 |
80 port switch (Not Currently in use, 2nd nic not configured)
 |
Friend's PCs

[mmccarn]

Why not just plug your Friend's PC into your home network - then the friend has all the same access your home machines do.

[Happy]

Short answer:
Curiousity, If it can be done, I would like to know how.

Long answer:
2 of the four ports on the router/wireless modem are taken up by my flatmates computer and the SME server box. 1 of the 4 wireless ports (only 802.11b mind you) is taken up by my machine.

I can theoretically lug the 80 port switch over to the 4 port router but it would   be in the way with cords and cables running everywhere from the kitchen to the living room.

As it is the switch is tucked away into a corner, only switched on when required and a single cable connects the router to the external nic on the sme server box.

If I have some friends over I just wish to be able to tell them to plug into the switch, at which point I turn it on and can have as many as I want on the lan.
Lets say I just use an 8 port hub in place of the switch, I still have the same difficulties.


Anyway. I know I can use hardware workarounds, but if the software can handle it then why not.

In my mind all I have to do is keep the router in server mode and:
Set up a second nic on another ip subdomain.
set up dhcp server on the second nic.
somehow allow the users on the second nic to access the windows workgroups/domains on the first nic.

[mmccarn]

Why not move the cable connecting the sme to the 80 port switch into the free port in your 4-port wi-fi router? If the SME is setup in server-only mode it should be functionally identical to what you have now...

[Happy]

Would that not be letting the router handle all the dhcp?

I like the idea of the separation provided by SME server. connecting the switch through sme server gives me the option to cache everything so patches and downloads and the like need only happen once.
Or am I misinterpreting the powers of the server-gateway mode =)


Is it possible to set up certain exclusions? Say give ip addresses 192.168.1.1-8 local access to sme server even though they are connecting through the external nic?

[duncan]

Would that not be letting the router handle all the dhcp?

Not if you turn it off on the router. Regardless - it`s not a problem to have another device doing dhcp.

Is it possible to set up certain exclusions? Say give ip addresses 192.168.1.1-8 local access to sme server even though they are connecting through the external nic?

Anything is possible - However this is not how SME works. mmccarn`s  suggestion is the way I would do it given what`s available.