The network will be a combined Linux, FreeBSD and Windows network. Routers, firewalls firewalls and servers will use Linux or FreeBSD while workstations and laptops will use both Linux and some version of Windows.
Figure 1 shows the logical topology of the network.
To Internet
.
/_\
|
+----+-----+
| |
| Firewall |
| |
+----+-----+
|
+------------------------------+
| |
+----+-----+ #######
| | # DMZ #
| Wireless | #######
| Router | |
| | +---+----+
+----+-----+ | |
| | Switch |
+----------+----------+ | |
| | | +---+----+
+---+----+ | +-----+------+ |
| | | | | _|_
| Media | | | NAS Server | \|/
| Center | | | | '
| | | +------------+ External
+--------+ | Servers
|
+------+------+
| |
+----+----+ |
| | _|_
| Display | \|/
| Laptop | '
| | Laptops /
+----+----+ WorkstationsFigure 1. Logical Network Topology
| Network | Subnet | Router | Interface | DHCP Pool |
|---|---|---|---|---|
| Guest | 172.27.1.0/29 | MI424WR | 172.27.1.1 | 172.27.1.2-.6 |
| Wired | 192.168.2.0/28 | WRT54G2 | Port 1: 192.168.2.1 | 192.168.2.3-.14 |
| Uplink: 192.168.2.2 | ||||
| Server | 10.36.2.0/25 | WRT54G2 | Port 4 | |
| Device | 10.36.2.128/26 | MI422WR | WiFi | |
| Client Network | 10.36.2.192/26 | WRT54G2 | Ports 1-3 & WiFi |
| Router | SSID | Security |
|---|---|---|
| ??? | orion-guest | WPA2-AES |
| WRT54G2 V1 | orion | WPA2-AES |
| ??? | orion-dev | WPA2-AES |
| Home | Fios-F5Scq | WPA2-AES |
| Extender | TP-Link_Extender | WPA2-AES |
The network will use 192.168.8.0/24 as the network address. Table 1 shows the IP address blocks that will be used for each type of system. Adddresses will be assigned consecutively from each block with no gaps.
| System Type | IP Address Block |
|---|---|
| Routers/Firewalls | 192.168.8.1 - 192.168.8.19 |
| Infrastructure | 192.168.8.20 - 192.168.8.49 |
| Services | 192.168.8.50 - 192.168.8.254 |
Table 1. IP Address Blocks
Table 2 shows the initial hostnames and IP adddresses that will be used by each system adddress.
| Hostname | IP Address | Function | System |
|---|---|---|---|
| aragorn | DHCP | Windows laptop | Surface Book |
| beren | 192.168.8.1 | Router/WireGuard server | ??? |
| cirdan | 192.168.8.2 | Proxmox server | NUC |
| dior | 192.168.1.x | Kodi / RetroPie | Raspberry Pi 3 |
| elendil | DHCP | Windows laptop | Dell 7470 |
| faramir | DHCP | Linux laptop | Dell 7540 |
| galdor | 192.168.8.x | Gitea | |
| fili | 192.168.8.11 | Directory server (pri) | Rocky Linux LXC (cirdan) |
| kili | 192.168.8.12 | Directory server (alt) | Rocky Linux LXC (cirdan) |
| dain | 192.168.8.21 | DNS | Rocky Liux LXC (cirdan) |
| nain | 192.168.1.201 | DNS | Raspberry Pi Zero |
| orodreth | Public IP | VPS | ? |
| pippin | 192.168.1.x | Colleen’s camera | Raspberry Pi Zero |
huor | | | idril | | | luthien | | | mandos | | | nienor | | | rose | | | samwise | | | thorin | | | ulmo | | | voronwe | | | wulf | | | yavanna | | | zimrahin | | |
Radius server Web server Ansible server Gopher/Gemini server Mail server Crossfire
Table 2. Initial Hostname Set
| Function | Username | Password |
|---|---|---|
| Linux Administrator | root | Jm+1883@Ts |
| Windows Administrator | administrator | Jm+1883@Ts |
| Baseline Linux user account | xadmin | password |
| Pi-hole Webadmin | NA | criznap7 |
| Kodi Administrator | osmc | Jm+1883@Ts |
| Patrick | patrickb | aaacps123 |
| Joseph | josephb | … |
| Jeremy | jbrubake | criznap7 |
All logons will be authenticated through the network logon server (dior) using LDAP. Users may log onto systems using either character mode or graphical (assuming X is installed on the system).
SSH access will provided for all systems in the network. Root logons are only permitted in single user mode. The firewall (beren) will provide port forwarding so that each system in the network has its own address for SSH. Ports are assigned by adding 50000 to the final octet of the system’s IP address. This system is summarized in Table 4.
| System Type | TCP Port Range |
|---|---|
| Routers/Firewalls | 50001 - 50010 |
| Servers | 50011 - 50049 |
| Workstations | 50050 - 50199 |
| Laptops | 50200 - 50254 |
Table 4.
In general, all users will have access to all workstations and laptops, unless there is a specific need to limit access to certain systems. However, access to routers, firewalls and servers will be strictly limited. Access is broken down into four groups: root, system, service-name and users.
EXPLANATION HERE
Keep the root account local but put all other accounts in LDAP.
Use sudo to allow service-based and system-based access.
The users group includes all network users. These accounts have normal access only to workstations and laptops.
NOTE: Use LDAP to authenticate users using the following /etc/nsswitch.conf: passwd: files ldap group: files ldap shadow: files ldap
Account names will be eight characters in length and will be made of the user’s first initial and the first seven letters of the last name. If the user’s last name is less than seven letters then the account name will be less than eight letters. As an example, a user named Jeremy Brubaker would have a user name jbrubake.
In the case of duplicate names sequential numbers will be added to all names after the first. For example, given three users whose account names would be jscott, the first user would have an account name of jscott, the second would be jscott1 and the third would be jscott2. These numbers may not cause the account name to exceed eight characters in length. As an example
Passwords will be eight to ten characters and must contain at least one of the following: capital letter, number or symbol. A new user’s password will be randomly generated. Passwords can be changed at any time, but do not expire.
The following lists detail what software packages will be installed on each system.
Base System Packages Router/Firewall Packages Web/Email/DNS Server Packages Network Services Packages Workstation/Laptop Packages