How do I create my own intranet that plays nice with the Internet?
June 4, 2010 3:15 PM

Help me set up a home intranet or suggest other ways to solve my problems involving a netbook, XP, Ubuntu, Linksys, and a 1TB external drive.

So, I have an XP desktop, an XP netbook, an Ubuntu box, an external 1TB, and a Linksys router. I want to set up the Ubuntu box as a server for backups, streaming music to the desktop and netbook, and for hosting data such as porn evangelical gospel hymn sheet music and whatnot.

As far as the network topology is concerned, this is what makes the most sense: a picture drawn with MS Paint

The internet arrives via a wifi router that I have no access to. XP should always be online via that wifi, while Ubuntu should only access it occasionally for updates and whatnot. Netbook should be able to be online via wifi and ethernet-ed to the intranet at the same time but will mostly choose between wifi internet or wifi intranet.

XP and Ubuntu will always be ethernet-ed together for glorious backups and always able to access data, music, and whatnot. They are also KVM-ed together for at least the setup process to reduce the tedium involved.

I have no problem seeing how Ubuntu interfaces with the intranet. I pop some server apps on there and they'll be accessed via Ubuntu's ip address.

Netbook has no problem picking and choosing which wifi to connect to.

The problem I have is understanding how to manage both the wifi-ed internet along side the ethernet-ed intranet. Both routers want to be but that's not going to work. At the same time, I don't want this to interfere or be particularly accessible to other users of the wifi internet connection.

As far as backup, streaming music, and/or server side apps, that will be a fun game that I'll play later (but am open to suggestions regarding). Right now my focus is to get the computers all able to talk to each other properly.

Maybe this is overkill. Help.

p.s. I'm wanting a solution that is future proof in that I will someday obtain more hardware to add to the intranet and/or have an internet connection that I don't have to share via a router I'm not allowed to play with.
posted by samurphy to Computers & Internet (5 answers total)
192.168.1.x is the subnet of that wifi you want to protect yourself from right? Take your router and have it take a DHCP address on its WAN connection and on the LAN side of things use a different subnet like 192.168.10.x or 10.100.0.x. Plug it into the external wifi.

Essentially, you'll treat the IP address you get from that external wifi connection as you would typically treat a real public IP.

Now plug all your devices into that local wifi. At this point there is no reason to ever connect to that other wifi directly. Your router will route all your packets.

The hard part will be to connect the two routers wirelessly. You can run DD-WRT to run a wireless bridge. Plug your intranet router into that.

Please note that this is kind of a hack. Double-NATting can cause a lot of problems, but if you have absolutely no control over the external wifi router then you may not have any other choice. The other alternative I would suggest would be to simply not build an intranet but run local firewalls on all the devices to drop connections from anything that isn't yours. You can give your devices IP addresses high in the DHCP range like .250 and .251 so as to not interfere with other devices on that LAN. This will simplify your firewall rule writing. That's what I would do. Double-NAT is too much trouble (no opening of ports, etc.)
posted by damn dirty ape at 9:27 PM on June 4, 2010

The answer to your question, as asked, is fairly simple - set your Linksys to hand out IP addresses in a different range e.g. 10.x.x.x or 172.16.x.x, as per RFC 1918. How you configure your router to do that is model and firmware-dependent; there'll be settings in the GUI/web config somewhere.

That said, I think that's the wrong way to do it. Though I understand the desire to keep your local intranet as isolated as possible from the internet, unless you have specific and important reasons for doing so I'd suggest giving the Ubuntu machine permanent access to the WiFi internet, and using it to bridge/route/NAT that connection to the local hard-wired intranet. On the local intranet, you then hang your Linksys (configured as a bridge/AP) to give you occasional local WiFi access for the Netbook. Exactly how the Ubuntu machine needs to be configured (as a bridge, router, or NAT router) will depend on several things, including how the internet WiFi router is configured.

Basically, your diagram will look the same - but with all the dotted lines removed, bar the one between Ubuntu and the internet WiFi router. All internet traffic heads through the Ubuntu machine, which then passes it on to the Internet via WiFi.

Either way, you're going to have to set up the firewall and routing tables on the Ubuntu machine as appropriate - either as a dual-homed machine on both networks, or as a bridge / router / NAT router.

The advantages of doing it the second way include being able to access both the intranet and internet from all machines all the time without the headache-inducing confusion of multiple routes and route weights on every machine, and being able to access both intranet and internet at the same time from the Netbook via WiFi.

I realise I've been sparse with the details on how to do the actual routing / firewall configuration on the Ubuntu machine - that's because I haven't looked at Ubuntu, or done anything more than very basic single-machine network configs on Linux machines (I'm a pf on OpenBSD man myself ;-). Hopefully someone more up-to-date on Linux will chime in with ideas…
posted by Pinback at 9:36 PM on June 4, 2010
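The gateway setup both answers above describe (Ubuntu dual-homed between the landlord's wifi and the wired intranet, intranet on its own RFC 1918 range, nothing on the wifi side able to open connections inward) as an added example; this is not code from the thread or from either poster. The interface names wlan0 (landlord's wifi) and eth0 (wired intranet), the 10.42.0.0/24 intranet range and the Ubuntu box's 10.42.0.1 address are assumptions. The script prints the commands by default so the policy can be reviewed before it touches a live box; it only applies them when run as root with --apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread.  Turns the Ubuntu box into the
# NAT gateway between an untrusted wifi uplink and a trusted wired intranet.
# Assumptions: WAN_IF is the wifi NIC, LAN_IF the wired NIC, LAN_NET an RFC 1918
# range that does NOT overlap the landlord's 192.168.1.x network.
set -u

WAN_IF="wlan0"            # faces the landlord's wifi (untrusted)
LAN_IF="eth0"             # faces the wired intranet (trusted)
LAN_NET="10.42.0.0/24"    # intranet range, chosen to differ from upstream
LAN_IP="10.42.0.1"        # this box's address on the intranet

# Emit the commands that make this host a NAT gateway.  Policy: nothing from
# the wifi side may start a connection to the intranet or to this host; the
# intranet may reach the internet and receive the replies.
gateway_rules() {
  cat <<EOF
ip addr add ${LAN_IP}/${LAN_NET#*/} dev ${LAN_IF}
ip link set ${LAN_IF} up
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -j DROP
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
EOF
}

# Self-check: no rule may ACCEPT traffic arriving on the untrusted side unless
# it is a reply to something the intranet started.  Returns 0 when clean.
policy_check() {
  ! gateway_rules | grep -- "-i ${WAN_IF}" | grep -- '-j ACCEPT' \
    | grep -qv 'ESTABLISHED,RELATED'
}

# Apply the reviewed rules, one command at a time, refusing if the
# self-check fails or we are not root.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
  policy_check || { echo "refusing: policy check failed" >&2; return 1; }
  gateway_rules | while IFS= read -r cmd; do
    sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
  done
}

case "${1:-}" in
  --apply) apply_rules ;;
  *)       gateway_rules ;;   # dry run: print what would be applied
esac
```

Run it once without arguments to read the rule set, then `sudo ./gateway.sh --apply`. The rules are not persistent across reboots; save them with iptables-save (or the iptables-persistent package) once you are happy with them. The Linksys then plugs into eth0 configured as a plain access point with DHCP off, handing out nothing itself, so the Netbook's wifi lands on the same 10.42.0.0/24 intranet.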

Response by poster: hmm. Well my main reason for keeping Ubuntu off the internet as much as possible is that it will be my backup server and it feels like isolation from the internet would help secure the backups.

I can definitely see how it would simplify things to have Ubuntu pipe the internet into the intranet, but it seems to me that xp -> intranet -> ubuntu -> internet would slow performance.

Maybe the better solution would be to have xp handle internet and intranet and then if I need something from the internet for ubuntu (which would be a rarer case) I can move that over the intranet?

Then it looks like my question boils down to:

1. How do I set up XP to use a wireless internet connection while having a wired intranet connection?

2. How do I occasionally give Ubuntu access to the internet through the intranet? (or is it just easier to transfer files across the intranet?)

Connecting the linksys to whatever wifi router my landlord uses seems like it may be more work than it's worth.

I guess I thought that it would be something pretty straight forward like changing the .hosts file so that in addition to localhost there'd be intranet 10.x.x.x or whatever.

keep throwing ideas at me though
posted by samurphy at 4:57 AM on June 5, 2010

>How do I set up XP to use a wireless internet connection while having a wired intranet connection?

Off the top of my head, I think setting up cygwin will open up a few options for you.

Config 1:

Run sshd and set it to allow being a proxy SOCKS server. SOCKS compliant apps could just use this to get on the internet. You can set a firewall rule to just reject traffic from any subnet outside of your own. At this point you'll be bridging the two interfaces in XP and plugging your router into the laptop's ethernet port.

Config 2:

Run OpenVPN and just run VPN clients on all your equipment. This is a lot more secure but will be more difficult to configure.

Both will incur performance costs but on modern hardware it won't be noticeable. Your real bottleneck will be wifi bandwidth in this scenario anyway.

>2. How do I occasionally give Ubuntu access to the internet through the intranet? (or is it just easier to transfer files across the intranet?)

Configure your VPN to only route to the remote gateway for subnets that are not your LAN subnets. If you're gonna try the SOCKS approach, do nothing. Don't give your Ubuntu box a remote gateway setting at all.

>Connecting the linksys to whatever wifi router my landlord uses seems like it may be more work than it's worth.

There's no easy fix here. You can't simultaneously be on an untrusted network and a trusted network at the same time. My earlier suggestion of just running local firewalls, I feel, is still valid. I would simply do all file transfers via ssh/sftp/ftps/scp instead of CIFS/SMB. Certainly not as secure as running VPN but doable and probably difficult for a casual hacker to penetrate or sniff your traffic.
posted by damn dirty ape at 12:15 AM on June 6, 2010

damn dirty ape - cygwin, proxies, VPNs? That's getting a little over-the-top, isn't it?

All you need to do is set up the routing properly - one route via the hardwired NIC for the intranet address range (10.x.x.x or 172.16.x.x), and the other via the WiFi NIC for everything else. Provided you don't turn on bridging or get infected by some virus/trojan, the 2 networks will remain totally separate.

I'm not in a position to nut it all out right now, but I've done it before on XP and it's relatively simple (for certain values of "relatively" ;-). This looks like a reasonable place to start; more info can be found by Googling "xp 2 network cards" or variations on that phrase…
posted by Pinback at 8:24 PM on June 6, 2010
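The routing split Pinback describes (one route for the intranet range via the wired NIC, everything else via the WiFi NIC) decided by longest prefix match, as an added example that is not part of the thread. It is written for the Ubuntu side, which has the same dual-homed problem (see the earlier mention of a dual-homed machine on both networks), and it resolves destinations against a constructed routing table rather than reading the live one, so it runs anywhere. The 10.42.0.0/24 intranet on eth0, the 192.168.1.0/24 landlord wifi on wlan0 and the 192.168.1.1 gateway are assumptions; the overlap check is what tells you the two ranges can actually be told apart.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread.  Longest-prefix-match route
# lookup over a constructed routing table, plus an overlap check for the two
# address ranges.  Interface names and ranges below are assumptions.
set -u

ip2int() {                        # dotted quad -> unsigned 32-bit integer
  local IFS=. a b c d
  read -r a b c d <<<"$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

mask_of() {                       # prefix length -> 32-bit netmask integer
  local p=$1
  echo $(( p == 0 ? 0 : (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
}

# Constructed routing table, "dest/prefix gateway-or-link dev", the shape a
# dual-homed client should end up with: one route for the intranet via the
# wired NIC, the upstream LAN and the default route via wifi.
ROUTES="0.0.0.0/0 192.168.1.1 wlan0
192.168.1.0/24 link wlan0
10.42.0.0/24 link eth0"

# Resolve a destination: the most specific matching prefix wins, which is how
# the kernel (and XP's route table) picks the outgoing NIC.  Prints "dev gw".
route_lookup() {
  local dst best_len=-1 best=""
  local net gw dev plen m n
  dst=$(ip2int "$1")
  while read -r net gw dev; do
    plen=${net#*/}
    m=$(mask_of "$plen")
    n=$(ip2int "${net%/*}")
    if (( (dst & m) == (n & m) && plen > best_len )); then
      best_len=$plen
      best="$dev $gw"
    fi
  done <<<"$ROUTES"
  echo "$best"
}

# Two CIDRs overlap when the shorter prefix covers both network addresses.
# If the intranet range overlaps the landlord's range, the two routes above
# can no longer be told apart and traffic leaks onto the wrong NIC.
cidr_overlap() {
  local a=$1 b=$2 pa pb p m
  pa=${a#*/}; pb=${b#*/}
  p=$(( pa < pb ? pa : pb ))
  m=$(mask_of "$p")
  (( ($(ip2int "${a%/*}") & m) == ($(ip2int "${b%/*}") & m) ))
}

# Dry run when executed directly: show where sample destinations would go.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for dst in 10.42.0.7 192.168.1.50 8.8.8.8; do
    printf '%-14s -> %s\n' "$dst" "$(route_lookup "$dst")"
  done
  cidr_overlap 10.42.0.0/24 192.168.1.0/24 \
    && echo "WARNING: intranet range overlaps upstream wifi range" \
    || echo "ranges are disjoint"
fi
```

On the Linux side the live table is `ip route show`, and a dual-homed client keeps `net.ipv4.ip_forward` at 0 and never bridges the two NICs, so the only way between the networks is a process on the host. On XP the equivalent view is `route print`, and the split is the same: give the wired NIC a static 10.42.0.x address with no default gateway, leave the default gateway on the WiFi adapter, and add the intranet route persistently with `route -p add 10.42.0.0 mask 255.255.255.0 <wired NIC's own address>` if XP has not created it from the adapter's address already.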
