[NTLUG:Discuss] LAN Planning II
Aaron Goldblatt
lists-ntlug at goldblatt.net
Tue Aug 27 23:35:54 CDT 2002
Based in part on the suggestions put forward here, I've decided to
go the 802.11b solution. I'd much prefer a wired LAN in my home,
but the up-front cost is more than my wife can bear. Plenum- and
riser-grade cable is just too expensive for me to justify right now.
With equipment purchased on eBay, I was able to get an AP and
card for $200 for decent equipment.
Now I'd like y'all to take a look at, and critique, the current plan.
You can find my hand-drawn diagram of the network at
http://www.goldblatt.net/network.png
Here's how it will work:
Internet connectivity will be provided by an Ascend Pipeline 85 I
picked up. ISDN is my only reasonable option at this time (ADSL
not available, IDSL comes with a $600 startup price tag and
$3x/mo more than ISDN, etc), so ... there we are.
The Pipeline 85 doesn't support many-to-many NAT (for my /28 IP
block from the ISP) without a remote DHCP server (not possible),
and its many-to-1 NAT capabilities are wildly limited, so NAT via
the Pipe isn't a good option.
Also, I found that all the 802.11b APs I looked at had a 10BaseT
(not 100BaseT/TX) port, so putting the AP on my 100BaseTX
3Com hub (which will not switch down) was not an option.
Here's the legend for the picture:
- "PIPE85" is the Ascend Pipeline 85.
- "W2K" are Windows 2000 machines.
- "AP802.11b" is the 802.11b AP. The W2K machine it talks to will
have a live, routable IP. It'll be running 2000 Professional, not
Server.
- "3COM 100TX HUB" is my 100TX hub that won't switch down to
10BaseT. Everything plugging into it must have a 100 card.
- "HPDJ" is a Hewlett-Packard Deskjet with a device akin to an HP
JetDirect box on it, turning the DJ into a fully IP-capable printer.
- "LINUX" is, obviously, the Linux box, and the key to the whole
project. (See below.)
- The black lines represent 10BaseT or 802.11b links. The red lines
represent 100BaseTX links.
The 10BaseT and 100BaseTX networks will have separate address
spaces. In the map I selected 198.175.18.x/28 simply because I
know it's routable and belongs to my ISP, but I don't actually know
(or really care) exactly what block I'll get.
The 10.100.1.x network is, of course, private and non-routable.
I intend the Linux box to provide the following services to both
networks:
- NFS
- Samba
- SMTP relay
- DNS
- IMAP
- FTP
- Web
The Linux box will also do IPMasq on a many-to-many basis and
DHCP for the private network.
In each case, I know how to restrict incoming connections from the
public side to acceptable IP address ranges. If you're not in my
block, I won't relay for you, for example. That's not a big deal.
A bigger deal is name resolution, and suggestions on how to handle
this are welcome.
I want to be able to resolve any machine from any other machine,
and get the "optimum" connection. That is:
Private W2K -> Printer == 10.x.x.x A record
Public W2K -> Printer == 10.x.x.x A record, routed by Linux box
Public W2K -> Linux box == 198.x.x.x interface
Private W2K -> Linux box == 10.x.x.x interface
Private W2K -> Private W2K == 10.x.x.x A record
Internet -> Private W2K == 198.x.x.x A record, masq'd by Linux
I'd like these resolutions to happen with the same name all the way
around, so that "linux.goldblatt.net" resolves to the right address no
matter who's asking, depending on which side of the network the
request comes from.
Is this going to be a situation where I'll need two instances of my
name server, and two different (but identically-named) zones?
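Split-horizon DNS with BIND 9 views does exactly this in a single named process: two zones that are both called goldblatt.net, each backed by its own file, with the view (and therefore the zone file) chosen by the address the query comes from. The fragment below is an added example, not part of the post. The addresses in it are assumptions: 198.175.18.2 and 10.100.1.1 for the Linux box's two interfaces, 10.100.1.20 for the printer, 198.175.18.3 for the W2K box on the public wire, and 198.175.18.10 as a public address the Linux box maps 1:1 onto a private W2K at 10.100.1.10; 198.175.18.0/28 is the placeholder block the post itself uses.

```conf
// /etc/named.conf  (BIND 9) -- added example, assumed addresses
options {
    directory "/var/named";
    listen-on { 198.175.18.2; 10.100.1.1; 127.0.0.1; };
    // Recurse only for the two wires; anyone else gets authoritative answers only,
    // so the box is not an open resolver for the rest of the Internet.
    allow-recursion { 198.175.18.0/28; 10.100.1.0/24; 127.0.0.1; };
};

// Views are tried top to bottom; the private wire must be listed first.
view "internal" {
    match-clients { 10.100.1.0/24; 127.0.0.1; };
    zone "." { type hint; file "named.root"; };
    zone "goldblatt.net" {
        type master;
        file "internal/goldblatt.net.zone";
    };
};

// Everyone else: the public wire and the Internet.
view "external" {
    match-clients { any; };
    zone "." { type hint; file "named.root"; };
    zone "goldblatt.net" {
        type master;
        file "external/goldblatt.net.zone";
    };
};

; ---- internal/goldblatt.net.zone  (answers for the 10.100.1.x side) ----
$TTL 3600
@       IN SOA  linux.goldblatt.net. hostmaster.goldblatt.net. (
                2002082701 ; serial, bump on every change
                3600 900 604800 3600 )
        IN NS   linux.goldblatt.net.
linux   IN A    10.100.1.1       ; private interface of the Linux box
hpdj    IN A    10.100.1.20      ; printer sits on the private wire only
w2kpriv IN A    10.100.1.10      ; private W2K, real address
w2kpub  IN A    198.175.18.3     ; public W2K, reached through the Linux box

; ---- external/goldblatt.net.zone  (answers for the 198.x side and Internet) ----
$TTL 3600
@       IN SOA  linux.goldblatt.net. hostmaster.goldblatt.net. (
                2002082701 ; keep the two serials independent; they are separate zones
                3600 900 604800 3600 )
        IN NS   linux.goldblatt.net.
linux   IN A    198.175.18.2     ; public interface of the Linux box
hpdj    IN A    10.100.1.20      ; still 10.x: public W2K routes to it via the Linux box
w2kpriv IN A    198.175.18.10    ; public address NATted 1:1 to 10.100.1.10 by the Linux box
w2kpub  IN A    198.175.18.3
```

Every machine on both wires has to use the Linux box as its resolver for this to work, and the public-wire W2K box needs a static route for 10.100.1.0/24 via 198.175.18.2 before the 10.x answer for the printer is any use to it. The external view as written hands the printer's 10.x address to the Internet as well; that is harmless (nobody can route to it) but if you would rather not publish private addresses at all, add a third view matching only 198.175.18.0/28 for the public wire and leave the 10.x records out of the Internet-facing zone file.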
Please advise on pitfalls I'll need to pay attention to, and any
improvements I can make to this setup. Also, pointers to a detailed
description of IP Masquerade in Linux 2.4 would be very helpful.
I've looked at the HOWTOs at the LDP, and they do seem to work,
but I don't understand the syntax and meaning of what each table
entry does, and that's what I want to know about.
Thanks.
ag
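The following script is an added example, not something from the post or the LDP HOWTOs. It shows the iptables rules a Linux 2.4 router needs for the plan above, with a comment on what each table entry does: static 1:1 NAT (the "many-to-many" case) for the private hosts that get their own public address, plain MASQUERADE for the rest, forwarding for the public-wire W2K boxes to reach the printer, and a FORWARD chain that drops everything not explicitly allowed. The interface names (eth0 public, eth1 private), the host addresses and the private-to-public map are all assumptions, and 198.175.18.0/28 is the post's own placeholder block. Without --apply the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the post): NAT and forwarding rules for a
# Linux 2.4 router with iptables.  Assumed layout: eth0 faces the
# Pipeline on the public /28, eth1 is the private 10.100.1.x wire.
PUB_IF=eth0
PUB_NET=198.175.18.0/28
PRIV_IF=eth1
PRIV_NET=10.100.1.0/24
PRINTER=10.100.1.20          # the IP-capable Deskjet, private wire only

# private host = the public address it is exposed as (1:1 static NAT).
# Private hosts not listed here share the box's own address via MASQUERADE.
STATIC_MAP="10.100.1.10=198.175.18.10 10.100.1.11=198.175.18.11"

# Dry run unless asked to apply; "run" either echoes or executes a command.
[ "$1" = "--apply" ] || DRY=1
run() { if [ -n "$DRY" ]; then echo "$*"; else "$@"; fi; }

apply_masq_rules() {
    # A 2.4 kernel forwards nothing between interfaces until this is on.
    run sysctl -w net.ipv4.ip_forward=1

    # Empty the filter and nat tables so the script can be re-run safely.
    run iptables -F
    run iptables -t nat -F

    # FORWARD decides what may cross between the wires; default is to drop.
    run iptables -P FORWARD DROP

    # Packets belonging to a connection conntrack already knows are fine
    # in either direction (this is what lets replies come back).
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a 10.x source address can never legitimately arrive
    # on the public interface, so drop it before any ACCEPT below.
    run iptables -A FORWARD -i "$PUB_IF" -s "$PRIV_NET" -j DROP

    # The private wire may open connections to the public wire and Internet.
    run iptables -A FORWARD -i "$PRIV_IF" -s "$PRIV_NET" -j ACCEPT

    # Public-wire W2K boxes may reach the printer by its real 10.x address
    # (they need a route for 10.100.1.0/24 via this box's public interface).
    # Only the printer is opened, not the whole private wire.
    run iptables -A FORWARD -i "$PUB_IF" -s "$PUB_NET" -d "$PRINTER" -j ACCEPT

    for pair in $STATIC_MAP; do
        priv=${pair%%=*}; pub=${pair#*=}
        # The box must own the public address so the Pipeline's ARP for it
        # gets an answer (re-running reports "File exists"; harmless).
        run ip addr add "$pub/28" dev "$PUB_IF"
        # Outbound: nat/POSTROUTING rewrites the private source address to
        # the dedicated public one as the packet leaves eth0.
        run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$priv" -j SNAT --to-source "$pub"
        # Inbound: nat/PREROUTING rewrites the public destination to the
        # private host before routing, so the packet is forwarded to eth1...
        run iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$pub" -j DNAT --to-destination "$priv"
        # ...but filter/FORWARD still has to allow the new connection.
        # Narrow this with --dport to the services that host really offers.
        run iptables -A FORWARD -i "$PUB_IF" -d "$priv" -m state --state NEW -j ACCEPT
    done

    # Everything else leaving eth0 from the private wire is masqueraded
    # behind the box's own public address.  This must come AFTER the SNAT
    # lines: nat/POSTROUTING takes the first rule that matches.
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$PRIV_NET" -j MASQUERADE
}

apply_masq_rules
```

Run it as-is to read the rule list it would load, then as root with --apply on the router. The order inside each chain is the part the HOWTOs tend not to spell out: in filter/FORWARD the anti-spoofing DROP sits before any ACCEPT, and in nat/POSTROUTING the per-host SNAT lines sit before the catch-all MASQUERADE, because the first matching rule in a chain wins.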