[Tfug] Topology questions
Bender
bender at bendertherobot.com
Sun Oct 7 22:07:51 MST 2012
Why don't you draw a picture?
----- Original Message -----
From: "Bexley Hall" <bexley401 at yahoo.com>
To: <tfug at tfug.org>
Sent: Friday, October 05, 2012 10:36 PM
Subject: [Tfug] Topology questions
> Hi,
>
> A couple of questions re: network topology choices...
>
> I've got a multihomed device that serves up lightweight
> services (NTP, DNS, DHCP, etc.) and acts as a router
> between the "exposed" internet (the interface that talks
> to the firewall) and the "internal" internets.
>
> E.g., there is a "routed" internet, a "private" internet
> and dedicated connections to wireless access points
> (so traffic from the APs can't "get anywhere" without
> the router explicitly handling it).
>
> For the most part, there is little traffic *between*
> the internets. The router moves data between the
> "exposed" interface and the "routed" one; *some*
> (usually a single wireless client) traffic between APs
> and exposed/routed/etc.; and mainly "control" information
> between the "routed" and "private" networks.
>
> [Keep in mind, it is also providing those lightweight
> services]
>
> The router has to be on 24/7 so I've tried to keep it
> as lean as possible. I.e., the firewall can be powered down
> (assuming nothing needs to "get outside") as well as other
> internal hosts -- but the router has to provide its services
> 24/7/365 (i.e., if something wants to talk to the outside,
> *it* has to ensure the firewall is powered up!)
>
> I've moved heavier-weight (HTTPd, FTPd, etc.) services to a
> different host that can handle the heavier load -- and, that
> can afford to be powered down when those services are not
> required.
>
> I have an obvious choice as to how to connect this host to
> the network:
> - I can *pick* one of the internets and just stick it there
> and add rules to the router to ensure <whatever> *should*
> be able to access it, can. This forces any traffic from/to
> any of the "other" internets to pass through the router.
> - I can add additional interfaces to this "heavyweight" host
> and let it have a real presence on the internets that need
> to access its services. This takes the router out of the
> picture for all of that traffic. (remember, router can be
> regarded as a thin pipe that potentially reduces bandwidth)
>
> Expounding on the second of these options, there is a question
> as to how I make those services available to the "outside world":
> - Have the router filter traffic from the outside world to decide
> what gets through to the server (in addition to actually having
> to forward those packets). This allows the server to sit on
> any/multiple internets and lets the router's configuration
> determine how packets get to/from it.
> - Have the server *also* sit on the "exposed" internet and service
> requests GATED BY THE FIREWALL without the router's involvement.
>
> This last option also could be used for a "single interface"
> server -- put that interface on the exposed internet and have
> the router pass all internal traffic destined for one of those
> services *onto* that internet (i.e., the router is involved in
> *all* internal accesses regardless of the internet from which
> they arose).
>
> I see configuration and performance consequences with all of
> the above. And, of course, they compete with each other to ensure
> there's no obvious winner :-/
>
> Suggestions from folks who've been down this road?
>
> Thx,
> --don
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
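One concrete form of the first option above (the heavyweight server sits on the "routed" segment and the router decides what the outside and the APs may reach), written as an added nftables ruleset that is not from this thread. Interface names, the 192.0.2.10 server address and the "control" ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names, addresses and
# ports below are assumed placeholders for the topology in the post.
flush ruleset

define exposed  = eth0              # toward the firewall / outside world
define routed   = eth1              # the "routed" internet
define private  = eth2              # the "private" internet
define aps      = { eth3, eth4 }    # dedicated links to the wireless APs
define internal = { eth1, eth2, eth3, eth4 }
define server   = 192.0.2.10        # heavyweight host (HTTPd/FTPd) on $routed
define ctl_ports = { 5000, 5001 }   # assumed "control" ports routed <-> private

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # the lightweight services this box provides, internal side only:
        # DNS (53), NTP (123), DHCP (67); nothing is offered on $exposed
        iifname $internal udp dport { 53, 123, 67 } accept
        iifname $internal tcp dport 53 accept
        iifname $internal icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # outside -> server: only the published services, to that host only
        iifname $exposed oifname $routed ip daddr $server \
            tcp dport { 80, 443, 21 } ct state new accept
        # routed hosts and AP clients may go outside (router, not AP, decides)
        iifname $routed oifname $exposed accept
        iifname $aps oifname $exposed accept
        # AP clients may reach the server's services and nothing else inside
        iifname $aps oifname $routed ip daddr $server tcp dport { 80, 443 } accept
        # "control" traffic between routed and private, both directions
        iifname $routed oifname $private tcp dport $ctl_ports accept
        iifname $private oifname $routed tcp dport $ctl_ports accept
        # everything else (private -> outside, exposed -> private, AP -> AP,
        # exposed -> anything but the server) is logged and dropped
        log prefix "router-fwd-drop: " drop
    }
}
```

FTP on port 21 additionally needs the conntrack FTP helper or an explicit passive port range in that accept rule, otherwise data connections are dropped. The final log rule records exactly which flows each topology choice would have blocked, which is the cheapest way to compare the options before rewiring anything.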