How do I network?


Nicolai

Hello all of you fantastic people here.

With all your feedback, I've bought some parts that are now in the mail for a storage server, for my business. Now it's time for some networking, and I hope you can help me once again.

Currently I just have the default router my ISP has provided, but I'd like a little bit of a better solution and that's where the problem is: I don't know what a better solution would be. I know it's common to run servers with 2 network cables, but I don't know why, is one for upload and one for download? Either way, I've been trying to find a bit of a network guide written in crayon colours. Yes, that is my actual knowledge of networking, so any amount of dumbing down would be preferred :D

What kind of switch would I need to take advantage of the dual GbE LAN on the motherboard for the server, and would my Intel Celeron G4900 even be able to handle that? The only thing I absolutely require from whatever switch I end up getting is that it must not sound like a jet taking off. I've spent a good amount of money on getting the most silent fans I could find, so the switch must either have a replaceable fan or run silent in the first place. If it can be mounted in a rack, that's even better.

Best regards
 

Mithril

Some of this info/advice will be a bit generic, some things depend/change based on the OS(es) and protocol(s) involved.

One of the main reasons to have two (or more) network links is redundancy. Should a physical port or cable fail the two devices remain connected. A more advanced use of this idea is connecting a device to two switches at the same time.

There are several ways you can make either of those work, with the 2 connections to the same switch being usually the easiest. For this scenario there are two common paths: 1) You have a "dumb" switch 2) You have a switch that supports link aggregation, ideally LACP (which is dynamic, and will handle failures of a single link well).

Scenario 1 depends on the OS of (at minimum) the machine connected with multiple links to "do something". One of the more basic ways this can work is having one connection be "active" (actually sending and receiving traffic) while the other is backup/standby and will be assigned the primary's MAC address if the primary fails. While this may result in a small interruption to traffic the device remains online. There are permutations of that to give some additional advantage but that is the most basic form when using that layer. Another method used, for example, by the newer versions of the SMB protocol is to allow all connections to have an IP and actually multiplex the connection in software.

Scenario 2 is (mostly) transparent to the software running on all machines on the network, and the advanced versions where you connect multiple links to multiple switches which themselves have multiple links can be very robust; but will not give you an immediate speed boost. The reason is that any given TCP connection has to remain ordered, and the reasonable way to do that is to not try to multiplex it. You can see speed increase when talking to multiple other machines or sometimes when multiple data connections exist between two machines. The advantage of Scenario 2 is that it is mostly agnostic software wise, and leverages very well into setting up the entire network (or at least the critical parts) as fully fault tolerant.

How much CPU power you need for a given network speed somewhat depends on what you are doing. "Normal" gigabit traffic should be fine on any relatively modern processor so long as it isn't busy with other tasks. Firewalls, packet inspection, VPN servers and the like can easily place a much higher strain for the same bandwidth. The CPU you mentioned is fairly new and has a decent clock speed. For simple file server and passing gigabit (or 2x gigabit) traffic it should be fine. But with only 2 cores if you start "asking" for too much you might have contention.

If you are content with scenario 1, any quality switch will do. However, if this is for a business I'd suggest going with option 2. The key capability you are looking for is LACP (802.3ax or the older 802.3ad), this will almost certainly require the switch to be at least "web managed". There are a wealth of suggestions on switches elsewhere on the forum, both new and used, often including actual power consumption, fan noise, and options for making it quieter.

Personally I would suggest a switch with at least 2 10Gb ports to serve as a potential upgrade path (it allows you to for example migrate your file server to 10Gb or add a 10Gb switch later and use your existing switch to bridge 1Gb devices to the 10Gb network), if the switch is going to "live" where your server(s) and any other switches will then SFP+ provides a very inexpensive option as quality 10Gb SFP+ cards and short run "DAC" cables abound on Ebay and more switches have SFP+ ports than 10Gb ethernet. Plus for most any switch a 10Gb ethernet module can go in a SFP+ port and the price on those is down to fairly reasonable levels.

For the switch itself: Identify your budget, figure out how many ports you need and if it is less painful to go bigger NOW vs expanding later, and decide if you need to go new or if the tradeoffs of going with used enterprise gear are worth the gain.

If you honest to goodness MUST have more than 1Gb to/from a device, it is far FAR easier to go with 10Gb networking, and if you value your time at minimum wage or higher almost always cheaper. If you are already needing to buy a switch then going for one with 2+ SFP+ ports need not be a large cost increase, a quality "working pull" SFP+ card (even a dual port one) should run you under 50 bucks, and even a 15M DAC cable should be under 50. For easily less than 200 bucks (honestly less than 100 if you choose carefully) you save yourself a week of f---ing about that may not even end in the results you are looking for.
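
Added example, not part of the post above: a small model of why an aggregated pair of gigabit links does not speed up a single TCP connection but can help with several clients, and what happens when one link fails. The XOR hash, the addresses and the ports are assumptions for illustration; real switches and OS bonding drivers use their own hash functions.

```python
import ipaddress

LINK_GBPS = 1.0  # each bonded port is gigabit, as in the thread

def pick_link(src_ip, dst_ip, sport, dport, n_links=2):
    """Map one flow to one link. Assumed XOR hash, not any vendor's exact one."""
    ip_bits = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return ((sport ^ dport) ^ (ip_bits & 0xFFFF)) % n_links

def ceiling_gbps(flows, n_links=2):
    """Best-case aggregate rate: one link's worth per distinct link in use."""
    return len({pick_link(*f, n_links) for f in flows}) * LINK_GBPS

# Constructed flows: (source IP, destination IP, source port, destination port).
SERVER = "10.0.0.10"
ONE_COPY = [("10.0.0.20", SERVER, 50000, 445)]  # one SMB transfer
TWO_CLIENTS = ONE_COPY + [("10.0.0.21", SERVER, 50000, 445)]

if __name__ == "__main__":
    for name, flows in (("one copy", ONE_COPY), ("two clients", TWO_CLIENTS)):
        for f in flows:
            print(name, f, "-> link", pick_link(*f))
        print(name, "ceiling:", ceiling_gbps(flows), "Gb/s")
    # One cable pulled: every flow rehashes onto the surviving link.
    print("after failure:", [pick_link(*f, n_links=1) for f in TWO_CLIENTS])
```

Every packet of a flow carries the same addresses and ports, so it always hashes to the same link; that keeps the connection ordered and is also why one transfer never exceeds one link's speed.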
 

Nicolai

Some of this info/advice will be a bit generic, some things depend/change based on the OS(es) and protocol(s) involved.
Generic is very good in my specific case, as my starting point is a 100 mb ISP provided router with 4 ports and some crappy wifi. As for the OS, I'm making an UNRAID server, which is literally just going to be a fileserver for now, down the line I might put a Xeon processor in it and run a website on it too. My workstation is going to be a Windows 10 Pro machine, then I want to link my TV and my soundbar in to the server too, add an access point and disable the wifi in my router for my wife's and my own laptops and phones.

If you honest to goodness MUST have more than 1Gb to/from a device, it is far FAR easier to go with 10Gb networking, and if you value your time at minimum wage or higher almost always cheaper.
1 Gb is more than plenty, it's 10 times the speed I have now. I wish I made minimum wage, but I'm a student at the moment and running a business on the side, well it's a 1 man business.
 

ttabbal

Generic is very good in my specific case, as my starting point is a 100 mb ISP provided router with 4 ports and some crappy wifi. As for the OS, I'm making an UNRAID server, which is literally just going to be a fileserver for now, down the line I might put a Xeon processor in it and run a website on it too. My workstation is going to be a Windows 10 Pro machine, then I want to link my TV and my soundbar in to the server too, add an access point and disable the wifi in my router for my wife's and my own laptops and phones.

If you want a website, rent a VPS or other hosted setup. You have to assume there will be a security issue you get hit by at some point. If you host it on your internal network, they now have access to your entire network. If you host it outside, they provide isolation between clients and any damage is on the web server itself. With good backups, a wipe and restore gets you back up without much hassle. If they hack your network, you're in a world of hurt. At the very least, run it on a VLAN or other isolated network. Same with any IoT devices and any non-company devices. I use a Ubiquiti wifi with a guest network on a VLAN for that sort of thing.

It sounds like this is a home business on a budget. So having a completely separated hardware environment probably isn't practical. I would suggest creating a separated file share with different accounts/passwords for the business data. Another option would be a VM on a VLAN. The idea is to prevent any issues on your home setup from affecting your business data and network. Keep your business VLAN for business only. So I suggest a managed switch with VLAN capability with 3 VLANs.

1) Guest/IOT network. Internet access only, no access to the other two networks or the file server.
2) Business network. Internet and file server access, limited clients should be able to connect to this. Just your business.
3) Home network. Family and other trusted devices, also able to access the file server.

You will need a good VLAN aware firewall/router. Something like an older PC with pfSense/OpnSense would be a reasonable choice available inexpensively. For this to work you need to put the ISP modem into "bridge mode", so it doesn't route anything, just connects to the ISP. Only your firewall will connect to the modem. It will also disable the ISP wifi, so you will need something to replace it. Do not use a VM for a firewall. This needs to be dedicated hardware. There have been too many exploits that can break VM isolation to trust it for internet facing security. For 100mb, you don't need a powerful machine, anything made in the last 10 years is likely more than enough. A Raspberry Pi with a USB ethernet adapter can likely manage. Another option would be one of the consumer wifi routers that you can install OpenWRT/DDWRT/Tomato on.


I know the wall of text looks like a lot. It's not that bad really. Start simple and work up to it. Once you get VLANs working, the steps are mostly repeats for each VLAN you want. It's also easier to do wired first, wifi adds more parts to break. It's a lot easier to think of security at the start, rather than trying to tack it on later when you have other people trying to use the network. You can learn on a lab setup and just keep the ISP stuff running for now for internet. Swap it out later when you feel more comfortable.
 

Nicolai

I know the wall of text looks like a lot.
I don't mind a "wall", it usually means a well documented answer with explanations I can understand.

It sounds like this is a home business on a budget.
It is. I'm not making a server and networking out of necessity, I'm making it out of interest. I'm also aware it won't be able to compete with a professional solution, but I'm okay with that.

You have to assume there will be a security issue you get hit by at some point. If you host it on your internal network, they now have access to your entire network.
I hadn't thought of that, thanks for pointing that out! I think I will follow your advice and use a hosted setup for that bit.

I would suggest creating a separated file share with different accounts/passwords for the business data. Another option would be a VM on a VLAN. The idea is to prevent any issues on your home setup from affecting your business data and network. Keep your business VLAN for business only. So I suggest a managed switch with VLAN capability with 3 VLANs.

1) Guest/IOT network. Internet access only, no access to the other two networks or the file server.
2) Business network. Internet and file server access, limited clients should be able to connect to this. Just your business.
3) Home network. Family and other trusted devices, also able to access the file server.

You will need a good VLAN aware firewall/router. Something like an older PC with pfSense/OpnSense would be a reasonable choice available inexpensively. For this to work you need to put the ISP modem into "bridge mode", so it doesn't route anything, just connects to the ISP. Only your firewall will connect to the modem. It will also disable the ISP wifi, so you will need something to replace it. Do not use a VM for a firewall. This needs to be dedicated hardware. There have been too many exploits that can break VM isolation to trust it for internet facing security. For 100mb, you don't need a powerful machine, anything made in the last 10 years is likely more than enough. A Raspberry Pi with a USB ethernet adapter can likely manage. Another option would be one of the consumer wifi routers that you can install OpenWRT/DDWRT/Tomato on.
Can I not use my ISP provided router, then just have the switch manage the VLANs? I'm not planning on ever having more than 10 devices connected at any given point and the shares on the fileserver are going to be hidden with the unraid settings. I'm also not planning on having untrusted devices on my network, so if I can isolate business and home/guests, I think it should be enough? The fileserver will be set up to require credentials, both for my personal files and my business.
 

ttabbal

Can I not use my ISP provided router, then just have the switch manage the VLANs? I'm not planning on ever having more than 10 devices connected at any given point and the shares on the fileserver are going to be hidden with the unraid settings. I'm also not planning on having untrusted devices on my network, so if I can isolate business and home/guests, I think it should be enough? The fileserver will be set up to require credentials, both for my personal files and my business.

Well, maybe. The ISP device probably isn't VLAN aware though, and switches usually don't handle things like NAT. You will need an L3 switch if you go this route as well. So unless you have a lot of public IP address space, you will probably need a better router. Each VLAN needs its own subnet, so, for example, you would have 10.0.0.0/24 on one, while you have 10.0.1.0/24 on the other. Something needs to handle getting that sorted for the ISP link. Those little ISP boxes usually fall over if you want to do anything more complex than a single internal network connected to the internet with no internal routing. And the ISP will generally not be capable of providing any support for more than that. Half the time, they can't really provide support for the basic setup either... :)

You can probably get away with home/guest. I just like to keep business stuff completely separated, but perhaps your setup is simple enough that it's not a big issue. If nothing else, adding one more later isn't that hard.
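
Added example, not part of the posts above: the three-VLAN policy from ttabbal's earlier post and the one-subnet-per-VLAN rule from this one, written as a small default-deny model that can be run against test flows before the same rules go into a firewall. The two /24s are the thread's own examples; the guest subnet, the file server address, the SMB port and the choice to deny business-to-home traffic are assumptions.

```python
import ipaddress

# The two /24s are the thread's examples; the guest subnet, the file server
# address and the SMB port are assumptions made for this sketch.
VLANS = {
    "business": ipaddress.ip_network("10.0.0.0/24"),
    "home": ipaddress.ip_network("10.0.1.0/24"),
    "guest": ipaddress.ip_network("10.0.2.0/24"),
}
FILE_SERVER = ipaddress.ip_address("10.0.0.10")
SMB_PORT = 445

def overlapping(vlans):
    """Pairs of VLANs whose subnets collide; a routable plan has none."""
    names = sorted(vlans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if vlans[a].overlaps(vlans[b])]

def zone_of(addr):
    """Name of the VLAN an address belongs to, or 'internet'."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in VLANS.items() if ip in net), "internet")

def decide(src, dst, dport):
    """Verdict for a new connection; replies are left to connection tracking."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "internet":
        return "deny"    # nothing unsolicited from outside
    if dst_zone == "internet" or src_zone == dst_zone:
        return "allow"   # internet access for all; same-VLAN traffic is switched
    if src_zone == "home" and ipaddress.ip_address(dst) == FILE_SERVER and dport == SMB_PORT:
        return "allow"   # home reaches the file server, nothing else in business
    return "deny"        # default: VLANs cannot reach each other

# Constructed test flows: (source, destination, destination port).
FLOWS = [
    ("10.0.2.50", "203.0.113.5", 443),  # guest -> internet
    ("10.0.2.50", "10.0.0.10", 445),    # guest -> file server
    ("10.0.1.30", "10.0.0.10", 445),    # home -> file server
    ("10.0.1.30", "10.0.0.20", 445),    # home -> business workstation
    ("10.0.0.20", "10.0.0.10", 445),    # business -> file server
    ("10.0.0.20", "10.0.1.30", 22),     # business -> home
]

if __name__ == "__main__":
    print("overlaps:", overlapping(VLANS))
    for flow in FLOWS:
        print(flow, decide(*flow))
```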
 

Nicolai

Well, maybe. The ISP device probably isn't VLAN aware though, and switches usually don't handle things like NAT. You will need an L3 switch if you go this route as well. So unless you have a lot of public IP address space, you will probably need a better router. Each VLAN needs its own subnet, so, for example, you would have 10.0.0.0/24 on one, while you have 10.0.1.0/24 on the other. Something needs to handle getting that sorted for the ISP link. Those little ISP boxes usually fall over if you want to do anything more complex than a single internal network connected to the internet with no internal routing. And the ISP will generally not be capable of providing any support for more than that. Half the time, they can't really provide support for the basic setup either... :)

You can probably get away with home/guest. I just like to keep business stuff completely separated, but perhaps your setup is simple enough that it's not a big issue. If nothing else, adding one more later isn't that hard.
My business setup is dirt simple: I have my PC, now I'm adding an unraid server, that's really it. I'm only making shares that are private and my business won't even show up on the network.

I think I'll keep it all on 1 subnet for now, I'm still learning about servers, learning about networking, while taking an education and running a small business, I think it'll be too much for me.