Tom <[EMAIL PROTECTED]> [2002-10-14 14:29:04 +0100]:
> I manage a small office network that we can now afford to upgrade to an ADSL
> internet connection. In researching ADSL support for Debian linux I am a
> little confused on a few issues, mainly as I only have experience with Cable
> Modem broadband, not DSL.

The concepts are very, very similar. The differences depend upon if you have a dynamic address or a static address. All else is driven behind that decision point.

If you have a DSL with a dynamic address then what you end up with will be almost identical in behavior to a cable modem. This is probably the simplest route to go with DSL.

If you have a static address then there are a number of configurations possible and life is more complicated. But more fun too and more capabilities possible. In this mode the options are usually routed or bridged. I prefer routed myself. But the choice is arbitrary and different preferences exist. Don't worry about this jargon for now.

A question to ask is: are you providing services only internal to your office? Or are you going to be serving data to the outside world outside of your firewall? If only the former then things are simple. If the latter as well then you will need to understand much and life can be more stressful and more complicated. So of course I would recommend the former. Make a list of what capabilities and services you want. Hopefully they are all internal client services and life is simple.

> I have already purchased a Hub for the network which consists of a Debian
> MySql and Apache server, another Debian firewall box and some Win boxes.
>
> My confusion lies in both terminology and setup. I imagined before starting
> that I would need to set up a firewall machine with 2 network
> devices.

A common configuration.

> The firewall would then manage security and masquerading, where the
> external eth device will be allocated the static IP (Non-NAT) I have
> been given by my ISP.

That assumes a bridging mode to the DSL.

> However research of the most common Ethernet DSL modems (cheapest about $100
> / ? 66) suggests that

Since there are at least two common and incompatible DSL types available I suggest you get a recommendation from your ISP as to the acceptable modems to purchase. Otherwise you might find yourself with an incompatible model.

> 1) the modem has NAT, firewall etc all built in.

Most have this built in which you can use or disable. I recommend that you use it.

> 2) many manufacturers combine a network hub and modem.

I prefer the modular approach. Build your internal network without relying upon the specific model of modem. Then if you decide to upgrade to a fiber(!) connection later you just unplug your modem from your hub and plug your hub into your new connection and you can upgrade without too much disruption to your internal installation.

> 3) the modem itself must be assigned an IP not the machine it is fixed to????

Depends. Bridging or routed. Hold on, I will say more in a moment.

> I'm assuming therefore that the firewall machine is not required.

Correct for the former case described above.

> I had previously thought that a gateway machine such as a firewall
> was necessary for me to be able to SSH to do remote admin.

Having an administration machine that can be remotely logged into is very convenient. You will almost certainly put that machine to work.

> Details
> -------
> Was thinking of buying Conexant AMX-CA61E (1 Port)
> Isp->
> Protocol: PPP/VC (sometimes called: PPPoA or PPP over ATM) VPI=0 VCI=38

Recommendation. Since it sounds like you are just starting out I will suggest that you start small and work up the complexity as you need it. Therefore don't run your own servers, web, mail, etc. Just use the DSL for network clients in your office to connect to the Internet. Use your ISP for those server applications if you need them. This is very easy to set up and hard to break so it will be robust and everyone will stay happy.

All of your hosts are wired to the network hub. The hub is wired to the DSL modem. The modem to the Internet. Using PPP mode your modem will negotiate an address from your ISP. You are only using it for client side access and you don't care what IP address you get. Let the modem do NAT for the internal network. Anything that does NAT makes a good firewall therefore you won't _need_ a separate firewall machine. You might want one for the highest level of protection but generally it is not strictly required.

The modem doing NAT will also provide a DHCP server for your internal network. Set your internal hosts to DHCP an address. This configuration is generally the default for DSL modems so no special configuration is required. Doing it this way everything pretty much runs out of the box. This is a good way to initially wire things up and test that everything is working.

But having the modem do internal DHCP serving has some issues. You will never really know what your internal machines' addresses are. It makes logging in from one machine to another difficult. This is really only an issue for unix / debian hosts as windows does not really have this concept. If you only had windows machines you would not notice this.

Therefore the next more complicated configuration which you will want pretty quick is to set up a local DHCP server that you can assign static IPs for your machines. (Or use dynamic DNS.) You can set up both a local DNS server and a local DHCP server on your debian host. Turn the DHCP server off on the modem (it is still a DHCP client to your ISP) and use a DHCP server on your Debian machine instead. Now all machine names and addresses can be known and you can login from one host to another easily.

That Debian machine also makes a good incoming DMZ box. If you need remote access to your network for administration then you can use it for this purpose. Add a static incoming route through the modem only to the Debian machine. Open only the SSH port. Keep that DMZ machine up to date with all of the security updates. Now you can log into that machine from the outside world and access your internal network from it.

If you truly have a dynamic address to the modem you will have to find it. Use dyndns.org or similar redirecting site. Also it is possible to have your ISP assign you a static address which is always negotiated by PPP when your modem connects. In which case you will have a static external address.

Note that to many, allowing incoming connections will set off terror as they are concerned about a cracker compromising that box and thereby gaining access to your network behind your firewall. This is a classic configuration, however. A hard shell outside and a soft and chewy inside. It is up to you to keep the security of your machine up to date.

HTH,
Bob
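The "local DHCP server with static IPs for your machines" step from Bob's reply, as an added shell example that is not from the original thread: it builds the ISC dhcpd.conf reservations and matching hosts-file lines from one inventory table, and refuses to generate anything when a MAC or IP is listed twice. The 192.168.1.0/24 plan, the modem at 192.168.1.1, the Debian box at 192.168.1.10 and the MAC addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example: turn one inventory table (name, MAC, IP) into dhcpd host
# reservations plus /etc/hosts lines, so every internal address is known.
# Constructed assumptions: 192.168.1.0/24, the NAT modem at 192.168.1.1 as
# default router, the Debian box at 192.168.1.10 running dhcpd and local DNS.
INVENTORY='debsrv 00:11:22:33:44:01 192.168.1.10
fw     00:11:22:33:44:02 192.168.1.11
win1   00:11:22:33:44:03 192.168.1.20'

# Refuse to generate anything if a MAC or an IP appears twice: two hosts
# sharing one reservation brings back the "who is really that address?" problem.
check_inventory() {
    for col in 2 3; do
        dups=$(printf '%s\n' "$INVENTORY" | awk -v c="$col" '{print $c}' | sort | uniq -d)
        [ -z "$dups" ] || return 1
    done
    return 0
}

# Global options: the NAT modem stays the gateway, the Debian host is the
# resolver. A small dynamic range is kept for guests; inventory hosts get
# their fixed address from the host stanzas rather than one from the pool.
gen_dhcpd_conf() {
    cat <<'EOF'
option domain-name "office.example";
option domain-name-servers 192.168.1.10;
option routers 192.168.1.1;
default-lease-time 86400;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.150;
}
EOF
    printf '%s\n' "$INVENTORY" | while read -r name mac ip; do
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# /etc/hosts lines for the Debian box itself, so ssh-by-name still works on
# the DMZ host even while the local DNS server is down.
gen_hosts_file() {
    printf '%s\n' "$INVENTORY" | while read -r name mac ip; do
        printf '%s\t%s.office.example\t%s\n' "$ip" "$name" "$name"
    done
}
```

Run `check_inventory && gen_dhcpd_conf > /etc/dhcp/dhcpd.conf` (path is the usual Debian location, assumed here) and `gen_hosts_file >> /etc/hosts` on the Debian box after the modem's own DHCP server is switched off.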