Help for designing a home network.

[KrisseZ]

Hi.

My home network has been a systematic chaos for the past few years and I know decided to sort it out. First of all I want to take everything out of my internet connection... or atleast as much as I can get from it... so the basic idea would be that everything would be possible in the network, p2p, gaming, lan etc...

So my biggest problem is how to achieve good WAN and LAN connections at the same time. If I have a direct connection to the internet, I can't be connected to the LAN and if I'm in the LAN my Internet connections for expample torrent isn't working as well as it should.

Here are my thoughts so far. I have Telewell 501v3 modem which has ethernet connections and this is going to act as my router, even thou I wanted something better it seems consumer level designated routers have come somewhat rare. I have ZyXEL ZyAIR G-1000 as my wireless ap. I don't know yet about the switch but it's going to be some unconfigurable gigabit switch with around 8-10 ports. There's also going to be a buffalo NAS in the network.

And for the configuration I was going to bet everything on UPnP to do proper NAT:ing. I've tested it so far on a minimal configuration and everything have worked thus far. I'm still unsure how it will handle online gaming and I'm not sure if the buffalo NAS is uncomptaible so I might have to write static routes for it. Why UPnP? cause I tried static NATs with my "old" ZyXEL modem and it wasn't good... it didn't have enough cpu power to handle the translations for a 24/1 internet connection. The telewell didn't have any problems with 2 torrent clients being run from different computers. It gave both something around 700kt/s of bandwith. 700kt/s? yes that's right... the phonelines to our house aren't shabby so the modem can only operate at 14/1 rate and even that can vary by 2mb.

For the ip table I thought something like this.
192.168.0.1 Modem
192.168.0.2 Wireless
192.168.0.3 NAS
192.168.0.4 - 192.168.0.50 reserved for other clients.

Everything is distributed via DHCP and 0.2, 0.3 will be static reserves.

I would like ideas and suggestions about this... If anyone even might have a better idea how to do this I'm all ears... the UPnP still feels like a magic gimmic to me so I'm still not very fond of the idea that I'm going to plan all this based on something I don't fully understand. I would appreciate any ideas and comments very much. And I can give more details if anyone needs them.

PS: now that I remmember I have 5 public IPs at my desposal.

[Jay]

just plug your router into your switch, your WAP into your switch, NAS into your swith (With a static IP) and your PCs into your switch and port forward on the router for your NAS (If you want access from outside your network). UPnP is for outgoing connections only.

[KrisseZ]

just plug your router into your switch, your WAP into your switch, NAS into your swith (With a static IP) and your PCs into your switch and port forward on the router for your NAS. UPnP is for outgoing connections only.

I don't agree on the UPnP is for outgoing connections only cause it list's as a route in the modem... for example I start uTorrent, it instantly creates a UPnP route which is something like this:

uTorrent (TCP) TCP 45050 45050 192.168.0.3
uTorrent (UDP) UDP 45050 45050 192.168.0.3

and utorrent port forward test pages reports that I have a valid port forwad... If I disable UPnP the page reports an error so UPnP must do forwarding from WAN to LAN. Atleast I think so.

[Jay]

I don't agree on the UPnP is for outgoing connections only cause it list's as a route in the modem... for example I start uTorrent, it instantly creates a UPnP route which is something like this:

uTorrent (TCP) TCP 45050 45050 192.168.0.3
uTorrent (UDP) UDP 45050 45050 192.168.0.3

and utorrent port forward test pages reports that I have a valid port forwad... If I disable UPnP the page reports an error so UPnP must do forwarding from WAN to LAN. Atleast I think so.

Who created the connection? Outgoing or incomming... then you have your answer.

An incomming connection can not use UPnP unless the outgoing connection has allowed it to do so. Any remote access or connections that are initalised outside of your network needs to have ports forwarded.

[KrisseZ]

Who created the connection? Outgoing or incomming... then you have your answer.

I don't really understand your question... with uTorrent I can't really define who created the connection cause of hundreds of connections... but my point was that when I start uTorrent, the modem instantly creates NAT rules for INCOMING connections and this is thanks to UPnP...

I mean what would be the point in UPnP if it was only for outbound connections only? NAT configurations have no problems with outgoing traffic but they have have to problems with incomming connections. There rly isn't need for anything that handles outbound connections separetly.

[Jay]

Ok mate. Good luck with your network and welcome to Hexus.

[smargh]

So my biggest problem is how to achieve good WAN and LAN connections at the same time. If I have a direct connection to the internet, I can't be connected to the LAN and if I'm in the LAN my Internet connections for expample torrent isn't working as well as it should.

Eh? Why would LAN activity impact your internet stuff? It shouldn't, even transferring stuff at full speed on the LAN.

Network cards can have more than one IP address, and there's nothing stopping you having two separate [physical/VLANs with managed switch] network segments: public and private. I have two network cards in my main PC - one with a public IP, one with a regular local IP. This allows me to be sure whether something will be exposed to the world and needs the firewall turned on. It also stops occasional problems when some OSes get confused that an ARP response was received on a different interface than on the one it was sent out on.

The "proper" way of doing all this is really quite simple. You need an ALIX 2D3 from linitx.com and use pfSense (more features) or m0n0wall (leaner, less features, maybe more stable but I've not noticed any difference) to provide NAT, QoS and firewalling. One port will be going to the DSL router, another the NAT network, and another going to all the PCs which have a public IP. They can all be plugged in to the same switch - I like to VLAN them off, and I use a simple web managed HP Procurve 1700-24. The 1800 series is all gigabit and there is an 8-port version.

Having a DHCP range is a requirement for random unimportant PCs, but it's far easier to keep them with a static IP and just have a list of which PCs are which. If IPs can change, it complicates NAT and firewall rules. You will need more space for static IPs - just use .200-.250 or something as the DHCP range.

UPnP is evil. And sometimes regarded as a security risk - malware, or misbehaving apps, can open any ports they like.

To summarise, get rid of unreliable hardware and invest in a good DSL modem (I use a DG834GT with Be) bridged to a good NAT or bridging firewall such as pfSense or m0n0wall. Separate network segments are great, and are only very occasionally annoying to work with. I use pfSense on an Alix 2C3 and with my internet connection at full speed both ways (22Mb/2.5Mb) it only uses about 3% CPU. The web interface of both is very nice and professional.

You don't seem to mention which ISP you use, how much money you have to spend, how much time you have to commit, nor what speed your internet connection is.

[KrisseZ]

Eh? Why would LAN activity impact your internet stuff? It shouldn't, even transferring stuff at full speed on the LAN...

Network cards can have more than one IP address, and there's nothing stopping you having two separate [physical/VLANs with managed switch] network segments: public and private. I have two network cards in my main PC - one with a public IP, one with a regular local IP...

UPnP is evil. And sometimes regarded as a security risk - malware, or misbehaving apps, can open any ports they like...

You don't seem to mention which ISP you use, how much money you have to spend, how much time you have to commit, nor what speed your internet connection is...

Thanks alot... your post was very helpfull and I will very much look into this... so to sort things out:

1. I didn't know a NIC can have two simultanious IP addresses, if that is what you meant... I could make my PCs connection like yours (using 2 NICs for local and global), but there will be 3 PCs with a wired connection and the furthest is 25m away, so double wiring it would take quite a mount of wire (imo). So using one physical route is a must.

2. Well as I said I wasn't quite comfortable with UPnP either, thanks for pointing out it's evilness

3. I live in Finland and I have Soneras (ISP) 24mb/1mb ADSL connection which operates at 14mb/1mb due to our poor phonelines. Money is somewhat an issue. I'm not paying for this, but the gear must be rly needed and they have to be reasonable. The intention is to build a reliable network and within reasonable limits there will be no compromises. I have very much time to commit since I'm starting my studies in network technology next week and they will last 4 years

I'll be waiting for your reply

EDIT: Oh and the Netgear modem seemd very professional BUT the modem and WAP will be in different locations probably, so before that confirms, I can't consider getting a combination WLAN+Modem.

[vicar]

All the best, happy networking and studying.

[KrisseZ]

I quess it isn't possible to obtain a global and a local ip address with one NIC? since ISP:s ip must be obtained via DHCP and atleast I didn't find anyway to configure a lan ip besides a dhcp ip. I only got 2 local ips to work at the same time.

I must stress that this network needs dynamic expanding capabilities... I host lans every now and then and I would like that my party ppl wouldn't have to scratch their heids with any static configs... just obtain IPs automatically and that would do the tricks...

Any possible way to achieve this smartly? So that I wouldn't have any hassles with online gaming, p2p or local gaming.

UPnP would do this somewhat if everyone had vista or XP with UPnP service installed, but as pointed out it seems kinda evil Please ppl more ideas.

[aidanjt]

One word. Kiss.

Over-thinking a problem is the first path to failure. If a machine absolutely does not need to be on the WAN segment, keep it on the LAN segment, if a machine on the WAN segment needs to communicate with the LAN segment, add that rule to the routing tables. You don't need virtual interfaces at all.

BTW, UPnP is *not* evil, idiots are evil. If you don't trust the machines or users on your network, don't give them access to it.

[KrisseZ]

C'mon... I know I could do this the simple way but I want to strive for something bigger and better... I could make this work on a decent level any given day but quess I just want perfection So if you please, keep the ideas rolling...

I'm currently researching Dynamic NAT and NAT overloading if they'd be of any help. Anyone have any experiences with them? I think they are somewhat features of cisco routers.