Mar 07 2008

Possibly the most elite home network ever…

Published by Jonathan Wise at 3:30 pm under Articles, Toys

Once we move back to Ontario, I’ll be working from a home office. Add to that the fact that we subscribe to nothing beyond basic cable and rely on digital distribution (both the paid kind and the found-automatically-on-the-internet-and-you-can’t-convince-me-I-shouldn’t-have-it kind) for our entertainment, and I think I have some unusual problems to solve. Here’s what I’m dealing with:

  • I want a reliable and dedicated “business” connection with no WiFi access, so that my company’s source code stays on a wired, isolated segment.
  • But I still want access to my stuff from my iPhone and my Craptop, and visitors and passers-by should have free access to the Internet (that’s the spirit of the thing) but not free access to my files and documents, so I want both a secure and an open WiFi network.
  • The XBox 360’s method of getting shared content is incredibly noisy and resistant to QoS. The sharing program, in my case Connect360, uses broadcast messages to toss bits all over the network, and since broadcasts hit every host on the segment, the only way I’ve found to guarantee quality is a dedicated network just for sharing between the computer and the XBox.
  • My media is going to be stored in different places depending on primary usage. High quality movie rips (legally obtained, of course) shouldn’t be transcoded by Connect360. Daily TV downloads and EyeTV recordings (which can be transcoded, since they’re already fairly low quality), MP3s and photos will be rotated and updated frequently and should be managed from a PC, manually or by script. All of these files need to be available from anywhere in the house.

The solution to all of these problems can be seen in this diagram (click for a larger version):

As you can see, there will be no fewer than three individual networks, with bridge points between them where appropriate.

  • The green network represents the dedicated XBox network, allowing us to stream content from a PC regardless of the activity of other devices. We’ll open it up for free WiFi since there’s really nothing accessible on that network, but QoS all other devices as low priority. The one thing that is on it is the PC doing the streaming, and since that machine also sits on the blue network, its green-side interface has to accept nothing but the XBox’s traffic, or the open WiFi becomes a path into the home network.
  • The blue network is the primary home network, your typical file/print sharing setup. Living on that network is a sweet little LaCie Mini NAS drive, which will share all our high quality movies and will also have a direct USB connection to the HDTV via the XBox to avoid transcoding. Other media (recordings, downloads, MP3s and photos) will be shared from the home Mac to all devices over this pipe. Two touch points in the home office will allow me to listen to my music while I’m at work, and to sync my calendars and e-mail with the home Mac.
  • Both the blue and the green networks hang off a standard home cable Internet connection, but each router will have its own public IP.
  • The purple network is a dedicated 7+ Mbps DSL connection (shooting for 10 Mbps, but we’ll see what’s available) used only for connecting my home office to the Internet. It will have no wireless connection, and won’t leave my office in any way. The blue network connection into the home office will be firewalled and won’t be set up for Internet, SMB file sharing only, but if something goes wrong with my DSL, I can re-configure for cable over the blue network and still do my job. The purple network will allow communication between my work computers, both of them running Synergy so I only need one keyboard and mouse. Synergy of this vintage sends keystrokes and clipboard contents across the network unencrypted, which is acceptable only because the purple segment is wired and never leaves the office. And the little iMac will be my jukebox/Photoshop/personal mail rig.
  • The two work computers will run up to four virtual machines each, but my primary VMs (represented by the monitors, and yes, I’ll have four!) will be: an e-mail/IM computer for connecting to work, a development workstation with occasional VPN access to sync source code, and a test server and client, with more added as my current project dictates.

    My newest work computer will be running Microsoft’s new Windows Server 2008 with Hyper-V, a hypervisor that runs the guests on the CPU’s hardware virtualization extensions rather than on top of a host OS, so the guest machines should perform close to native.

  • Any capable device can also get VPN access from any network, since the tunnel is encrypted and authenticated end to end and the segment it starts from doesn’t matter, but only three machines will be configured to do it most of the time. My touch points with the physical office will be fairly limited, since I’ll be able to have local VMs of current server builds that I’ll refresh whenever I’m in the office for meetings.

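The segmentation described above, as an added example that is not part of the original post: a small Python model of the three segments, with a reachability walk that asks the question a practitioner asks of any segmented design, namely what a passer-by on the open WiFi can reach, and through which dual-homed machine. The host names, service names and per-host ingress rules are assumptions that mirror the diagram as the post describes it (the post gives no port numbers, so services are named rather than numbered). The second run applies the guest-only-segment idea raised in the comments below.

```python
"""Added example (not from the original post): a reachability check over a
model of the three-segment home network.

Hosts, services and the per-host ingress policy below are assumptions made to
mirror the diagram as the post describes it.
"""

# Interfaces: host -> set of segments it has a NIC on.
INTERFACES = {
    "guest-laptop": {"green"},            # a passer-by on the open WiFi
    "xbox":         {"green"},
    "media-pc":     {"green", "blue"},    # dual-homed: streams to the Xbox, reads from blue
    "nas":          {"blue"},
    "home-mac":     {"blue"},
    "office-desk":  {"blue", "purple"},   # its blue link is "firewalled, SMB only"
    "work-server":  {"purple"},
}

# Ingress policy: host -> {service: segments that service accepts connections from}.
POLICY = {
    "guest-laptop": {},
    "xbox":         {"media-extender": {"green"}},
    "media-pc":     {"stream": {"green"}, "smb": {"blue"}},
    "nas":          {"smb": {"blue"}},
    "home-mac":     {"smb": {"blue"}, "afp": {"blue"}},
    "office-desk":  {"synergy": {"purple"}},   # blue NIC: outbound SMB only, accepts nothing
    "work-server":  {"synergy": {"purple"}, "rdp": {"purple"}},
}


def exposure(start, interfaces=INTERFACES, policy=POLICY):
    """Walk the model as an attacker who starts with a foothold on `start`.

    Worst-case assumption: every service the attacker can connect to can be
    compromised, and compromising a host hands over all of its interfaces.
    That is the assumption to make before trusting a segment boundary.

    Returns (reached, controlled, pivots):
      reached    -- host -> set of (service, segment) pairs reachable from the foothold
      controlled -- sorted list of segments the attacker ends up with a presence on
      pivots     -- dual-homed hosts whose compromise widened that presence, in order
    """
    controlled = set(interfaces[start])
    owned = {start}
    reached = {}
    pivots = []
    widened = True
    while widened:                       # repeat until no host adds a new segment
        widened = False
        for host, services in policy.items():
            if host in owned:
                continue
            for service, accepts in services.items():
                for segment in accepts & controlled & interfaces[host]:
                    reached.setdefault(host, set()).add((service, segment))
            if host in reached:
                owned.add(host)
                new_segments = interfaces[host] - controlled
                if new_segments:
                    controlled |= new_segments
                    pivots.append(host)
                    widened = True
    return reached, sorted(controlled), pivots


def with_guest_segment(interfaces=INTERFACES):
    """The fix suggested in the comments: untrusted WiFi clients get a segment of
    their own that carries Internet only. Returns a modified copy of the map."""
    fixed = {host: set(segments) for host, segments in interfaces.items()}
    fixed["guest-laptop"] = {"guest"}
    return fixed


def report(start, interfaces, policy):
    reached, controlled, pivots = exposure(start, interfaces, policy)
    print(f"foothold {start}: segments reachable -> {controlled}, pivots -> {pivots}")
    for host in sorted(reached):
        print(f"  {host}: {sorted(reached[host])}")
    if not reached:
        print("  nothing")


if __name__ == "__main__":
    print("as designed:")
    report("guest-laptop", INTERFACES, POLICY)
    print("with a guest-only segment:")
    report("guest-laptop", with_guest_segment(), POLICY)
```

Run as designed, the walk reaches the XBox and the streaming PC directly, then pivots through the PC’s second NIC onto the blue network, where the NAS and the home Mac are exposed; the office machine stays unreachable because its blue interface accepts nothing, so the “firewalled, SMB only” link holds up. Moving guests onto a segment of their own reduces the reachable set to nothing.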
I think that’s ambitious enough… but if you have a better home network, or ideas to improve this, I’d love to hear about them!


6 Responses to “Possibly the most elite home network ever…”

  1. FredAtMicrosoft on 11 Mar 2008 at 10:35 am

    That’s quite a crazy network you’re running! Glad to hear you’re putting the Hyper-V virtualization to good use, and should you have any questions, feel free to check out one of the Heroes Happen Here launch events. There’ll be a number of workshops on WS 2008 and its Hyper-V functionality.

    ———————————————-
    Fred Reckling
    Microsoft 2008 Joint Launch Team
    http://www.microsoft.com/2008jointlaunch/

  2. Jon Wise on 11 Mar 2008 at 6:20 pm

    Thanks, Fred. We’re MSDN licensed at work, so my boss has been running the RC versions and he’s a fan. I’m a VMWare-guy myself, but Hyper-V looks good enough that when it goes Gold, I’ll run it on one server and see if I don’t become a convert.
    I’ll post a review when I get switched over.

  3. Jon on 02 Apr 2008 at 12:11 am

    So remember a while back when we were talking about the fact that setting the network up this way would allow those using the open wireless to gain access to the media server and home mac portions of the network. I think I have a solution for this.

    http://www.ex-parrot.com/~pete/upside-down-ternet.html

    The instructions at this URL talk about using a modification to your /etc/dhcpd.conf file to set up DHCP to assign different IPs / routes / etc. to different hosts. I think that there is probably an easy way to do this using the Tomato firmware that we are running. You could put in your list of trusted computers (presumably by MAC ID) and set them up for the normal route. All public (untrusted) traffic could be assigned IPs in a completely different subnet, and set to route through a protected gateway. I would recommend using Parallels on the home Mac running a virtual machine. This could allow you to set up bandwidth throttling for the virtual machine, and if any hackers actually get into it, you can delete the virtual machine and restore from a backup image.

    Just something for you to ponder.

    jb

  4. JD Dallas on 12 Apr 2008 at 11:39 am

    Jonathan:

    You could have done this same topology with a single ISP connection and a router. When I say router … I mean a true router like a Cisco or NetScreen. Or you could have converted a beige box and run IPCop, Smoothwall, Astaro, etc. Per your diagram, it appears that you have multiple hosts dual-homed with multiple NICs. The dual NICs and extra cabling could be avoided.

    A three segment network (home, XBOX, work) utilizing a single routing firewall device could handle this easily. DHCP services could be handled within the single device or via an external server somewhere in the network. Open wifi running in the XBOX zone as you have it shown - could be setup and controlled again by the routing device. VPN services could also be utilized. If required, secondary IP subnets within a single zone could provide additional services … say in the work zone for the VMs.

  5. Jonathan Wise on 14 Apr 2008 at 8:54 am

    You’re very right, this is totally doable with a whitebox running Linux and some extra software. I like the router approach because of the low-maintenance/set-it-and-forget-it aspect, and because I haven’t got the time to learn all the ins and outs of another OS…

    If you’d be interested in posting a “how-to” on configuring the apps you mentioned to do part or all of this set-up, I’d love to post it on my website, and try it out when I’ve got the time…

  6. David on 01 Dec 2008 at 5:21 pm

    Wow. Suddenly I don’t feel quite so crazy.

    I’ve got a Soekris Engineering box that I’m using as a firewall, running m0n0wall. It’s got 8 (yes, eight) interfaces. We’ve got the WAN (connected to the cable modem), LAN (connected to my main house network), DMZ (for the webserver, which also doubles as my remote webmail server) (which talks to the IMAP server on the main network’s primary file server).

    Add to that a “trusted wireless” network (with mac filtering, absurdly long WPA2 keys, etc.) for my one-and-only wireless laptop, a “guest wireless” network (no mac filtering, an easier to type key, and no local access other than to my own webserver) (more general Internet filtering possible but not yet in place).

    I plan to move all my media devices (hacked TiVos, Squeezeboxes, what-have-you) to a separate network, possibly as a VLAN but probably just as a separate LAN altogether, and dual-home the main server (so it can serve media to that LAN) but connect it to the real world through the 6th port on the FW.

    So I’ll actually have 5 LANs (primary, DMZ, media, and two wireless). Will still have two ports left on the FW for a possible development / testing network.

    Oh, and all the house wiring (36 ports, though to be fair 12 of them are in the “server room”) is Cat-6 (but the 110-block and patch panel are only Cat-5e). I plan to replace the Cisco with a gigabit switch in the future.

    I’m pretty sure you could use something like this too — m0n0wall should certainly be able to route and FW two different WAN connections to the various networks within the house, and you’d help to further limit the possible unforeseen bridging issues alluded to in one of the posts here. And you might even be able to get some bonding between the two WAN circuits working for certain ports. The Soekris box isn’t cheap (like $250+ for my setup), but it’s Way Cool, runs off a 12v wall wart, and is the only small (that is, not Symantec or Cisco or other Enterprise-grade) firewall with more than two actual controlled interfaces.
