[Cialug] Network Layout
Claus
cialug@cialug.org
Mon, 03 Jan 2005 11:52:37 -0600
I'm trying to restructure my home network and have a few criteria, an
idea how it should look and a bunch of questions.
Criteria:
==========
- Foreign access to the inside LAN has to be blocked since the computers
there are less secure and files are shared openly. No
internal-to-internal traffic should leave the inside LAN (aka outsiders
can't sniff it). Anybody plugging in a computer at the inside LAN is
trusted.
- WAN is untrusted and will need VPN to access inside LAN. Visitors
should be able to use the internet without VPN to inside LAN once I
authorize them. A web portal where username and passwords are entered
would be cool.
- Outside LAN has the same criteria as WAN (yes, the ethernet jacks are
outside of the building)
- Server for web, e-mail and DNS should be accessible from the internet,
inside LAN, outside LAN, and WAN using the same domain name.
- Only one public IP should be used. Inside LAN, outside LAN and WAN
should use DHCP, NAT and private IPs. The server should use a static
private IP via NAT.
- OpenBSD is the operating system for the firewall and server.
Network Layout (proposal):
==========================
Best is to look at a picture of it at:
http://www.public.iastate.edu/~cniesen/future-network.jpg
The Network is connected to the internet via DSL using a bridged DSL
modem. The first thing after the modem is a firewall with 4 ports
(internet, server [web, email, dns], inside LAN, and WAN/outside LAN).
The WAN and outside LAN are supported via the Linksys WRT56GS wireless
router that has 4 ethernet ports.
Questions:
==========
- For the VPN to the inside network does the VPN server have to be a
server inside of the "inside network" or can the firewall do it?
- Should the DHCP be done by the server [web, email, dns] or the
firewall? Should the WAN access point run its own DHCP server for the
WAN clients?
- Can the server [web, email, dns] provide DNS service to all network
sections? It will run OpenBSD 3.6 with its version of bind 9.
Thanks
Claus
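One way the criteria above map onto a pf ruleset for the 4-port OpenBSD firewall in the proposal, written in the rdr/nat syntax of the OpenBSD 3.6 era the post mentions (the syntax changed in 4.7). This is an added example, not the poster's configuration and not something from the cialug list; the interface names, the per-segment private ranges, the server's address and the VPN client range are assumptions to be replaced with real values. It also assumes the VPN is IPsec terminated on the firewall itself (one of the two options the post asks about) and that the firewall hands out DHCP to the inside and WAN segments. The single-public-IP and same-domain-name criteria are met by applying the rdr not only on the external interface but on the inside and WAN interfaces too, so the server's BIND can publish one public address for every segment.

```pf
# /etc/pf.conf for the 4-port firewall (added example; names and ranges assumed)

ext_if = "fxp0"              # towards the bridged DSL modem; holds the one public IP
srv_if = "fxp1"              # server segment (web, e-mail, DNS)
int_if = "fxp2"              # inside LAN (trusted)
wan_if = "fxp3"              # Linksys uplink: WAN + outside jacks (untrusted)

srv_net = "192.168.1.0/24"   # assumed private ranges, one per segment
int_net = "192.168.2.0/24"
wan_net = "192.168.3.0/24"
vpn_net = "192.168.4.0/24"   # addresses assigned to IPsec VPN clients (assumed)
srv_ip  = "192.168.1.10"     # the server's static private IP

server_tcp = "{ 25, 80, 443 }"   # SMTP, HTTP, HTTPS on the server; DNS is handled separately

scrub in all

# ---- Translation (evaluated before the filter rules) ----------------------

# Single public IP: everything going out the DSL side is NATed to whatever
# address the external interface currently holds.
nat on $ext_if from { $srv_net, $int_net, $wan_net } to any -> ($ext_if)

# Public services live on the server's private IP.  The same rdr is applied
# on the inside and WAN interfaces, so DNS can hand out the one public
# address and clients on every segment still reach the server by that name.
rdr on { $ext_if, $int_if, $wan_if } proto tcp from any to ($ext_if) port $server_tcp -> $srv_ip
rdr on { $ext_if, $int_if, $wan_if } proto { tcp, udp } from any to ($ext_if) port 53 -> $srv_ip

# ---- Filtering (first matching "quick" rule wins) -------------------------

pass quick on lo0
block in log all
pass out keep state          # forwarded and firewall-originated traffic leaves freely;
                             # all access control happens on the inbound side

# DHCP served by the firewall to the inside and WAN segments.  Requests come
# from 0.0.0.0, so they need a rule that does not check the source network.
pass in quick on { $int_if, $wan_if } inet proto udp from any port 68 to any port 67

# The server's public services, from the internet and from every segment
# (the destination has already been rewritten to $srv_ip by rdr above).
pass in quick on { $ext_if, $int_if, $wan_if } proto tcp from any to $srv_ip port $server_tcp flags S/SA keep state
pass in quick on { $ext_if, $int_if, $wan_if } proto { tcp, udp } from any to $srv_ip port 53 keep state

# IPsec VPN terminated on the firewall (isakmpd): IKE and ESP are accepted
# from the internet and from the WAN jacks; decrypted packets appear on enc0
# and only those from the VPN client range may enter the inside LAN.
pass in quick on { $ext_if, $wan_if } proto udp from any to self port 500
pass in quick on { $ext_if, $wan_if } proto esp from any to self
pass in quick on enc0 from $vpn_net to $int_net keep state

# Inside LAN is trusted: anything goes.
pass in quick on $int_if from $int_net to any keep state

# WAN / outside LAN: internet (and the rdr'd server ports above) only.
# Direct access to the inside LAN and to the server segment is dropped.
block in log quick on $wan_if from any to { $int_net, $srv_net }
pass in quick on $wan_if from $wan_net to any keep state

# The server may initiate outbound connections (mail delivery, DNS recursion,
# updates), but a compromised server must not reach the other segments.
block in log quick on $srv_if from any to { $int_net, $wan_net }
pass in quick on $srv_if from $srv_ip to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. The ruleset relies on first-match `quick` rules, so the order matters: the server and VPN passes sit above the per-segment blocks, which is what lets WAN clients reach the rdr'd server ports while every other path from WAN into the inside LAN or the server segment is logged and dropped.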