Is this setup ok?


rk77

Hi all

I have some questions about this setup:

Is the setup ok? Security, performance etc.
Should I move the computer (5) behind the router (2)? Security, performance etc.
Is the communication from a laptop (4) or RT-N66U (2) to the computer (5) "direct" or via Internet?



The setup:

1. 8 port managed switch with fiber connection to the Internet. Clients connected to the ports will receive public IP addresses (max 5) from the ISP.
2. Asus RT-N66U with DHCP enabled, RT-N66U receives one public IP.
3. NAS connected directly to RT-N66U (IP from RT-N66U DHCP).
4. Laptops and phones connected via WiFi (IP from RT-N66U DHCP).
5. Computer connected to the switch (1), thus public IP, acting as syslog and web server.
 

Attachment: Ritning1(1).jpg
You want to use your router at the front door since it provides security for your network. Why do you need 5 IP addresses? Nothing in the network design looks like it needs more than 1 IP address. Your router will do all the sharing for the 1 IP address with all the machines. The only way you want to expose a computer to the internet is using the DMZ of the router. Never place a computer outside of the router.
 
Thank you coxhaus.

I apologise for not being clear about the 5 public IP addresses, perhaps that information wasn't relevant at all.
My ISP provides a maximum of 5 public addresses, but I will only use 2, one for the router (2) and one for the computer (5).

There will be a firewall running on the computer (5) and only 2 ports will be open. The reason why I consider placing the computer (5) at that position is strictly physical: the switch (1) is located on the first floor (more space) and the router (2) on the second floor (less space).

So one question remains:
Is the communication from a laptop (4) or RT-N66U (2) to the computer (5) "direct" or via Internet?
 
Hi,
If you draw a block diagram of your network, it is easy to see what is going on. My first reaction to your configuration was: weird, unusual!
 
Hi TonyH, thanks for the reply!

Hmm, please explain what’s weird and unusual about isolating segments of a network!

The computer (5) connected to the switch (1) will mostly serve wan side requests, but occasionally even requests from lan side (syslog).

I don't want to persuade anyone, and am willing to learn more about this, but if properly installed, what are the security issues with this setup?
 
So one question remains:
Is the communication from a laptop (4) or RT-N66U (2) to the computer (5) "direct" or via Internet?

I think direct or internet would be determined by whether you have a layer 3 switch or not. If it is a layer 2 switch then your traffic is going to touch your ISP's gateway for your block of IP addresses.
I think your network will work but I would not expose a server that way.
 
Hi coxhaus

I must be missing something here!

How is the server (computer 5) exposed when a firewall is installed on it?
This will be my DMZ segment with a combined server/firewall!
 
I think with a router DMZ you still have a level of firewall running though not much. The router is controlling the packets to the DMZ. Using your diagram there is no router control at all. You will have to rely on your PC software. By the time you get software patches for your server it will be too late.
If you do this I would run the server as a virtual so you can quickly replace the software when you need to. You know people do this to see what they can catch in the wild, it is called a honey pot.
 
Only the router should face the internet. The router can be set up so that web requests to a certain public IP address will be forwarded to the PC.

This IP address can be the one that is given to your router or it can be one of your extra public IP addresses.

With that method you can have a web server without the risk of putting a PC directly on the internet. LAN access is much simpler with this method as well.

DMZ is risky because it reduces the efficacy of the router firewall. Firewall software on a PC is far less effective than a firewall running in a router.

Firewall software on a PC isn't very good because it's made with compromises to prevent slowdowns.

Firewall software on a router doesn't suffer slowdowns nearly as much as a PC, because the processor systems in the router are designed to optimize those functions. Because it's so much more efficient than a PC, the quality of the firewall is much higher than a PC.
 
Using port forwarding on the router, port 80, would be the safest setup for your web server. This would give you the best firewall coverage. This means your router would be first and your web server would connect to the router. Your web server would only have port 80 exposed.
 
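Added example, not code from the thread or from Asus: the "router first, only port 80 forwarded" layout coxhaus describes, written as the iptables rules an Asuswrt-style router would need, plus a small review helper that lists which ports the rule set actually exposes. The interface names (eth0 for WAN, br0 for the LAN bridge), the addresses and the function names are assumptions; the script prints the rules rather than applying them so they can be checked first.

```shell
#!/bin/sh
# Added example, not from the thread or from Asus. Models the "router first, only port 80
# forwarded" layout: the web server sits on the LAN and the router DNATs inbound port 80 to it.
# Assumed (constructed) values: WAN interface eth0, LAN bridge br0 (Asuswrt convention),
# public IP 203.0.113.10, web server 192.168.1.50.
# The rules are printed, not applied, so they can be reviewed before being pasted on the router.

gen_port_forward_rules() {
    wan_if="$1"; wan_ip="$2"; lan_host="$3"; port="$4"
    cat <<EOF
# Rewrite the destination of inbound TCP port $port on the public IP to the LAN server
iptables -t nat -A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $lan_host:$port
# Allow replies for any connection the router has already seen
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow only new connections to the forwarded port on that one host
iptables -A FORWARD -i $wan_if -o br0 -p tcp -d $lan_host --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Everything else arriving from the WAN is dropped: no other LAN port is reachable
iptables -A FORWARD -i $wan_if -j DROP
EOF
}

# Review helper: reads a rule set on stdin and lists the ports it exposes
# (the --dport of every DNAT rule), so it is easy to confirm that nothing
# beyond the intended port is forwarded.
exposed_ports() {
    sed -n 's/.*--dport \([0-9][0-9]*\) -j DNAT.*/\1/p' | sort -un
}

# Usage: generate the rules, then list what they expose (expected: 80)
gen_port_forward_rules eth0 203.0.113.10 192.168.1.50 80
gen_port_forward_rules eth0 203.0.113.10 192.168.1.50 80 | exposed_ports
```

With the server on the LAN, the laptops and the router reach it directly at its LAN address, so that traffic never leaves the house; only outside visitors go through the public IP and the forwarded port.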
Ok, thank you all!

As mentioned before this setup idea was forced by physical space limitations.
Alternatively I have to use a second router at the switch to separate the two networks and maintain security.
 
Can't you just kind of switch the router and the switch and add a wireless device where the laptops are?
 
Thank you for the tips coxhaus.
But as I mentioned earlier the switch also acts as a media converter, converting the optical fiber media on the first floor to TP running to the second floor where the router is located.

Obviously this is simply a home network setup and nothing is written in stone, but I just didn't want to restructure only for adding a webserver with no sensitive data.

Again, thank you all (especially coxhaus) for all the inputs and tips!
 
I have to agree with coxhaus...
Your router should come before your computer, and use port forwarding on the router if necessary. DMZ is dangerous, and yes, to the second question, you are sending info through the internet to access your computer.
 