XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

Network Upgrade

Upgrade
So today I took the day/time to upgrade my network.

My friend and I built a new shelf. Then I upgraded my pfsense box from an Alix 2d3 to a Dell Optiplex GX520 with 2 Gigs of RAM and a 3GHz P4 CPU.

The box next to it is a Dell Optiplex GX745 (Core2 Duo 3GHz, 2 Gigs of RAM), which is my new file server and web server.

I moved the APC to the bottom.

I bought a new ZyXEL GigE 16-port switch and now I am waiting for it...

Here are some pics....

Note: Still some touch-ups to do in the wall/wood
--
[nUll@dcypher ~]$

TheeDude

join:2011-09-03
Spring, TX

I'm the friend. It's dope son. We got mad skills..



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms


said by TheeDude:

I'm the friend. It's dope son. We got mad skills..

Welcome aboard d00d.
lol I guess you got mad skillz...
lol!

Thanks for the help!
--
[nUll@dcypher ~]$


Cyberprog
Cyberprog
Premium
join:2003-06-27
UK

reply to XCOM
What a waste of a machine. Have you not considered virtualising your pfsense and file/webserver into a single machine?



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

said by Cyberprog:

What a waste of a machine. Have you not considered virtualising your pfsense and file/webserver into a single machine?

Are you serious?
I am not even going to waste my time...
I hope that you never do that.
--
[nUll@dcypher ~]$


DaMaGeINC
The Lan Man
Premium
join:2002-06-08
Greenville, SC
kudos:2

reply to Cyberprog

said by Cyberprog:

What a waste of a machine. Have you not considered virtualising your pfsense and file/webserver into a single machine?

Well look who decided to grace us with his presence!

And are you serious Cyber? Think about what you just said...
--
Hating ignorance since 1984.


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX

reply to XCOM
Well. I have a new PBX system (Asterisk) and a new ATA. Also rewiring is being done this week and I'll be installing the new switch.
Pics will be up soon.
--
[nUll@dcypher ~]$


NgtFlyer

join:2000-07-09
Marietta, GA
Reviews:
·Speakeasy

reply to Cyberprog
Running anything alongside the firewall on the same hardware is high risk and considered out of compliance for various official standards. Yes you can do it in VMs, but, just no.

A P4 is old-hat these days. While 3GHz is far and away overkill for a firewall application, it's a good use for an old machine that may not be the best for running the latest OS and software.



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

said by NgtFlyer:

Running anything alongside the firewall on the same hardware is high risk and considered out of compliance for various official standards. Yes you can do it in VMs, but, just no.

A P4 is old-hat these days. While 3GHz is far and away overkill for a firewall application, it's a good use for an old machine that may not be the best for running the latest OS and software.

I wasn't going to say anything but thank you very much for the explanation.
Yeah, the machine is a bit overkill for its use, but I'd better have too much than too little. I had an Alix which couldn't handle my line. I have a 100/50 line from Comcast. I couldn't pass up the deal; both of those machines cost me 50 dollars, 25 each.
I keep 2 more identical machines mirrored for backup. Small form factors are known to have issues with the capacitors at times.
--
[nUll@dcypher ~]$

NgtFlyer

join:2000-07-09
Marietta, GA
Reviews:
·Speakeasy

A limited number of the 520s did have the infamous bad cap problem but not the ones you have - the ones with the slimline optical drives and the even smaller ones with external power supplies had the issue. You should be safe with yours. Glad to hear you keep backup copies of the machines (Well, that's one way to back up!) Workstation hardware with single hard drives isn't what I'd deploy for a server, but at $25 for those, you can't go wrong!

(Where do I sign for my $25 745?!)

I have Comcast 50/10, which often goes much faster. I can get line speed out of a P3 866 running ipcop. Highest speed test I've achieved at speedtest.net is a 94/14.. and I'm sure the 100mbit cards in the firewall are the bottleneck there!

I might hunt down an old Optiplex for a firewall upgrade. Gbit interfaces and all..



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

said by NgtFlyer:

A limited number of the 520s did have the infamous bad cap problem but not the ones you have - the ones with the slimline optical drives and the even smaller ones with external power supplies had the issue. You should be safe with yours. Glad to hear you keep backup copies of the machines (Well, that's one way to back up!) Workstation hardware with single hard drives aren't what I'd deploy for a server, but at $25 for those, you can't go wrong!

(Where do I sign for my $25 745?! :)

I have Comcast 50/10, which often goes much faster. I can get line speed out of a P3 866 running ipcop. :) Highest speed test I've achieved at speedtest.net is a 94/14.. and I'm sure the 100mbit cards in the firewall are the bottleneck there!

I might hunt down an old Optiplex for a firewall upgrade. Gbit interfaces and all..

Thanks for the info.

I agree on the server line, but hey, it's for home, and they have been replicating to two external RAID1 systems: one direct attached and one to a NAS, so it's like this....

[]------[745]------[Buffalo System RAID1 USB HDD]---------[DNS-323 NAS RAID1]
|         |
|         |
|   [745 Mirror]
|
|
|
[pfsense 2.0 Release]
          |
          |
[pfsense Mirror "Carp"]
 

--
[nUll@dcypher ~]$


packetpusher
Premium
join:2005-03-22
Oakville, ON

reply to NgtFlyer
I got the dirty shivers the first time I even considered such a move. Aside from a standards compliance issue, there are many great reasons to avoid such a configuration when you are trying to enforce firm separation between your security devices and your offered services. In my particular environment I have two VM servers, each has an even split of VMs such as my web, mail and DNS. Each also has a firewall VM for one of my Internet connections. When I was initially deploying this I went through a variety of security steps, to see what type of traffic bleeding I could expect. While sniffing in promiscuous mode on a Xen VM I was unable to see any traffic other than what was broadcast or multicast on the LAN, or unicast to me. From a traffic isolation standpoint it is therefore safe to assume that there is no difference between what a physical device would receive, and what this VM firewall would receive. I repeated this test using VLAN interfaces, offered to the VM, and found the same results. I then cooked up some arpfiltering, iptables, and ip6tables rules to lock IP addresses and MAC addresses to individual VM interfaces, and called it a day.

No amount of hypervisor voodoo, or firewall fairy dust will keep me safe if the VM server gets pwned, so there's always something to be said about physical hardware, and the isolation it provides. I would however say that the security offered by Xen and some basic firewalling on the host was sufficient to make this design acceptable for production, depending on the environment. Again, I wouldn't deploy this for large enterprise, or a financial sector business, but for a home, or even small/mid size office I believe this approach would work well. As always your mileage may vary.
--
Luminaire
My Blog
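The isolation test packetpusher describes (sniff in promiscuous mode on the VM and confirm that only broadcast, multicast and unicast-to-me frames arrive) can be scripted as a pass/fail check over a capture summary. This is an added example, not code from the thread; the MAC addresses and the frame list are constructed, and the VM's own MAC is a hypothetical value.

```python
"""Audit a promiscuous-mode capture from a VM's interface for leaked traffic.

A properly isolated guest interface (bridge or VLAN-backed) should deliver
only broadcast frames, multicast frames and unicast frames addressed to the
guest's own MAC. Any other unicast frame is another guest's or the host's
traffic bleeding onto this interface, which is what the test is meant to catch.
"""
from collections import Counter

VM_MAC = "00:16:3e:aa:bb:01"  # hypothetical MAC of the firewall VM's interface


def classify(dst_mac, own_mac=VM_MAC):
    """Return broadcast / multicast / unicast-to-me / leaked-unicast for a frame."""
    dst = dst_mac.lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # The I/G bit (lowest bit of the first octet) marks a group address.
    if int(dst.split(":")[0], 16) & 0x01:
        return "multicast"
    if dst == own_mac.lower():
        return "unicast-to-me"
    return "leaked-unicast"


def audit(frames, own_mac=VM_MAC):
    """Count frame classes and return the frames that prove an isolation failure."""
    classes = [classify(f["dst"], own_mac) for f in frames]
    counts = Counter(classes)
    leaked = [f for f, c in zip(frames, classes) if c == "leaked-unicast"]
    return counts, leaked


# Constructed sample capture summary: destination MAC, source MAC, protocol.
# The last frame is addressed to a different guest and must never be seen here.
SAMPLE_FRAMES = [
    {"dst": "ff:ff:ff:ff:ff:ff", "src": "00:16:3e:aa:bb:02", "proto": "ARP"},
    {"dst": "01:00:5e:00:00:fb", "src": "00:16:3e:aa:bb:03", "proto": "mDNS"},
    {"dst": "00:16:3e:aa:bb:01", "src": "00:16:3e:aa:bb:02", "proto": "TCP/80"},
    {"dst": "00:16:3e:aa:bb:03", "src": "00:16:3e:aa:bb:02", "proto": "TCP/25"},
]

if __name__ == "__main__":
    counts, leaked = audit(SAMPLE_FRAMES)
    print(dict(counts))
    for f in leaked:
        print("isolation failure:", f["src"], "->", f["dst"], f["proto"])
```

On a real host the frame list would come from a capture tool's output on the guest's interface; an empty `leaked` list is the result packetpusher reports for his Xen setup.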



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

Thanks for the information. My setup is a bit more complicated than what it looks like. I like to keep it that way... I really don't like to give the key away to the door

I will describe a bit on the complexity of my network and the future upgrades that it will hold.

In essence I have 3 servers that need exposure, and each sits on a different subnet for exclusion till I get my new switch in and configure VLANs.

The pfsense box also runs snort/ntop/vnstat/bandwidthd/ipblocklist/countryblock.
I monitor every single activity in my network. This way I am aware of what's going on inside and out of my network. I keep it pretty secure to avoid stupidity and headaches.

Note: That's just at the border. Each system is configured with its own iptables/wrappers/smahain/fail2ban. Not including the PBX server, which has a whole different set of security.

I have done a lot more in the past weeks; I just don't want to post the upgrades till I am fully done.

This should give you an idea of how things are running
--
[nUll@dcypher ~]$


NgtFlyer

join:2000-07-09
Marietta, GA
Reviews:
·Speakeasy

Everyone's needs are different and it sounds like you're in good control of your network design and functionality. I still want to know where I can get Optiplex 745s for $25 a pop..

Cheers!



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

said by NgtFlyer:

I still want to know where I can get Optiplex 745s for $25 a pop..

Cheers!

LOL

$25.00 a pop for university employees. When a department upgrades their systems they send their old systems to an inside "classified"; from there we get a chance to buy PCs, Macs, servers, etc.... Whatever did not sell and is not considered sensitive becomes open to the public, and what does not sell there goes to charity.
--
[nUll@dcypher ~]$


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX

Ok so today I got the new switch in place. Pics coming up soon as I rewire the network.
--
[nUll@dcypher ~]$



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

GigE Network
Didn't rewire but got it all switched to the new switch.

Updated since the OP.

Replaced the old 10/100 switch with a new 1000/100/10 GigE switch from ZyXEL.
The Alix 2D3 is now an Asterisk PBX server.
At the top is a new PAP2T.
The Buffalo is a RAID1 direct-attached backup to the web server.

The whole system is attached to an APC 550 UPS, and the Alix is hooked up to its own UPS, a "Belkin Residential Gateway".
--
[nUll@dcypher ~]$


Cyberprog
Cyberprog
Premium
join:2003-06-27
UK

reply to DaMaGeINC

said by DaMaGeINC:

said by Cyberprog:

What a waste of a machine. Have you not considered virtualising your pfsense and file/webserver into a single machine?

Well look who decided to grace us with his presence!

And are you serious Cyber? Think about what you just said...

Nothing wrong with what I've said. All the things you'll be doing are fairly low in terms of CPU, and will be easily collapsed into a pair of virtual machines sharing the same hardware. I have clients who have their firewalls, domain controllers, and VOIP systems all sharing the same hardware for reasons of economy, space and power saving, and there's no real reason why they shouldn't.
The VMs are obviously separated, and management interfaces aren't exposed to the external (WAN) interface, so you'd have to be attracting some fairly determined hacker to get past the firewall in the first place. 99.9% of the time the hacker isn't even going to know that it's running on a VM anyway!
--
Alex Threlfall
Cyberprog New Media
»www.cyberprog.net
Come to think of it, there are already a million monkeys on a million typewriters, and irc is NOTHING like Shakespeare.


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·SIPBRI
·Callcentric
·Comcast
·voip.ms

said by Cyberprog:

said by DaMaGeINC:

said by Cyberprog:

What a waste of a machine. Have you not considered virtualising your pfsense and file/webserver into a single machine?

Well look who decided to grace us with his presence!

And are you serious Cyber? Think about what you just said...

Nothing wrong with what I've said. All the things you'll be doing are fairly low in terms of CPU, and will be easily collapsed into a pair of virtual machines sharing the same hardware. I have clients who have their firewalls, domain controllers, and VOIP systems all sharing the same hardware for reasons of economy, space and power saving, and there's no real reason why they shouldn't.
The VMs are obviously separated, and management interfaces aren't exposed to the external (WAN) interface, so you'd have to be attracting some fairly determined hacker to get past the firewall in the first place. 99.9% of the time the hacker isn't even going to know that it's running on a VM anyway!

For each its own
--
[nUll@dcypher ~]$


Cyberprog
Cyberprog
Premium
join:2003-06-27
UK

Aye, but you see it all the time these days with people running several old space heater machines to do certain things, when they could have collapsed the whole lot down into a single machine using VMware or similar. And it's just wasteful of space, power and, at the end of the day, your wallet!
Don't get me wrong, I've been there; indeed currently I have two machines in my cellar that are doing exactly the things you've got here, although I also have another machine sat there waiting to take both the tasks in due course, as well as running some test systems for my work.
I've also known someone who had an old dual/quad Pentium Pro Compaq server, that he used to crank SETI up on and actually use as a space heater in the winter... crazy!
--
Alex Threlfall
Cyberprog New Media
»www.cyberprog.net
Come to think of it, there are already a million monkeys on a million typewriters, and irc is NOTHING like Shakespeare.


Friday, 01-Jun 18:17:26
over 12.5 years online © 1999-2012 dslreports.com.