[Tfug] Topology questions

Bexley Hall bexley401 at yahoo.com
Fri Oct 5 22:36:08 MST 2012


Hi,

A couple of questions re: network topology choices...

I've got a multihomed device that serves up lightweight
services (NTP, DNS, DHCP, etc.) and acts as a router
between the "exposed" internet (the interface that talks
to the firewall) and the "internal" internets.

E.g., there is a "routed" internet, a "private" internet
and dedicated connections to wireless access points
(so traffic from the APs can't "get anywhere" without
the router explicitly handling it).

For the most part, there is little traffic *between*
the internets.  The router moves data between the
"exposed" interface and the "routed" one; *some*
(usually a single wireless client) traffic between APs
and exposed/routed/etc.; and mainly "control" information
between the "routed" and "private" networks.

[Keep in mind, it is also providing those lightweight
services]

The router has to be on 24/7 so I've tried to keep it
as lean as possible.  I.e., the firewall can be powered down
(assuming nothing needs to "get outside") as well as other
internal hosts -- but the router has to provide its services
24/7/365 (i.e., if something wants to talk to the outside,
*it* has to ensure the firewall is powered up!)

I've moved heavier-weight (HTTPd, FTPd, etc.) services to a
different host that can handle the heavier load -- and, that
can afford to be powered down when those services are not
required.

I have an obvious choice as to how to connect this host to
the network:
- I can *pick* one of the internets and just stick it there
  and add rules to the router to ensure <whatever> *should*
  be able to access it, can.  This forces any traffic from/to
  any of the "other" internets to pass through the router.
- I can add additional interfaces to this "heavyweight" host
  and let it have a real presence on the internets that need
  to access its services.  This takes the router out of the
  picture for all of that traffic.  (remember, router can be
  regarded as a thin pipe that potentially reduces bandwidth)

Expounding on the second of these options, there is a question
as to how I make those services available to the "outside world":
- Have the router filter traffic from the outside world to decide
  what gets through to the server (in addition to actually having
  to forward those packets).  This allows the server to sit on
  any/multiple internets and lets the router's configuration
  determine how packets get to/from it.
- Have the server *also* sit on the "exposed" internet and service
  requests GATED BY THE FIREWALL without the router's involvement.

This last option also could be used for a "single interface"
server -- put that interface on the exposed internet and have
the router pass all internal traffic destined for one of those
services *onto* that internet (i.e., the router is involved in
*all* internal accesses regardless of the internet from which
they arose).

I see configuration and performance consequences with all of
the above.  And, of course, they compete with each other to ensure
there's no obvious winner :-/

Suggestions from folks who've been down this road?

Thx,
--don
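An added illustration, not part of don's post or the tfug list: a small Python model of the placement options above. It reports, for each candidate placement of the heavyweight server, which clients reach it directly versus through the router (the "thin pipe"), and which segment pairs a multihomed server itself joins, i.e. flows the router's rules no longer see and that must be filtered on the server instead. Segment and host names are constructed for the example.

```python
# Model of the topology choices from the post (constructed example).
# Segments are named as in the post; "exposed" is the side facing the
# firewall, "ap" stands for the dedicated wireless access point links.
from itertools import combinations

# Host -> set of segments it has an interface on (constructed sample).
BASE_HOSTS = {
    "router": {"exposed", "routed", "private", "ap"},
    "client_routed": {"routed"},
    "client_private": {"private"},
    "wifi_client": {"ap"},
    "firewall": {"exposed"},
}


def path(hosts, src, dst):
    """'direct' if src and dst share a segment, 'via router' if the
    router has an interface on both sides, otherwise 'unreachable'."""
    if hosts[src] & hosts[dst]:
        return "direct"
    r = hosts["router"]
    if hosts[src] & r and hosts[dst] & r:
        return "via router"
    return "unreachable"


def evaluate(server_segments):
    """For one placement of the heavyweight server, return
    (how each client reaches it, segment pairs the server bridges).
    Bridged pairs are where the router's filtering is bypassed."""
    hosts = dict(BASE_HOSTS, server=set(server_segments))
    clients = [h for h in hosts if h not in ("router", "server")]
    reach = {c: path(hosts, c, "server") for c in clients}
    bridged = sorted(combinations(sorted(server_segments), 2))
    return reach, bridged


if __name__ == "__main__":
    options = {
        "single interface on routed": {"routed"},
        "multihomed on internal nets": {"routed", "private", "ap"},
        "single interface on exposed": {"exposed"},
    }
    for label, segs in options.items():
        reach, bridged = evaluate(segs)
        print(f"{label}:")
        for client, how in reach.items():
            print(f"  {client:15s} -> {how}")
        print(f"  server bridges: {bridged or 'nothing'}")
```

Each pair in the "bridges" output is a place where, under the multihomed option, host-based filtering on the server has to replace the router rules that would otherwise mediate that traffic.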
