A.P. Lawrence, Linux/Unix Consultant (APLawrence.com)


Installing a Small Office Network




This article concerns the design and physical aspects of installing a small TCP/IP network. Some of the content may be better understood with a background knowledge of TCP/IP and routing.

Please see the following links for that background:


For many of us in the SCO world, office networks are a fairly new phenomenon. Many SCO systems are still happily using serial connectivity exclusively, even when Windows machines are part of the enterprise, and even when those machines may be networked with each other. In fact, some people even refer to serially connected terminals as a "network" (I won't use that here: if I say network, I mean an Ethernet network).

At one time, both the cost and complexity of true networks made it unlikely that small offices would even consider this as an option. Network cards were expensive, cabling was expensive, and the network software itself was additional cost. All that has changed: a small office can be "networked" very inexpensively.

Before we get started though, do consider that if your needs are complex, you really should hire professionals. You could easily run afoul of local codes if wiring has to go through walls, for example. And if your network is larger and more complex, you may need design advice beyond the scope of this article. Also, technologies change. This article was originally written in December of 1998, and represents my opinions and knowledge at that moment in time. While I do update articles, eventually technology changes enough that corrections cease to make sense. So keep your eyes open throughout all of this.

Wiring

Although radio based networking is possible, at this writing it is still expensive and somewhat problematical. There are also security concerns, so it's not considered a reasonable choice just yet. For the moment, at least, packets flow through wires, or through glass fibers.

Although there are actually a number of possibilities here, only two make sense at this writing: 10base2, and 10baseT. The older "thicknet" is not used at all anymore, and fiber optic is still too expensive for most of us.

10base2 or thinnet looks just like the coax cable that your cable TV probably uses. The connectors are a little different; they don't screw on like TV and audio cable connectors do. Network cards designed for thinnet have a post sticking out of them; the "T" connector on the wire slips onto that post and a half-twist locks it in place. This sort of wiring is done machine to machine. Every machine has a "T" connector; the machines at each end have special terminating resistors attached to one leg of the "T", and every other machine is just part of the chain. That simplicity is also the Achilles heel of this scheme: if the chain is broken at any point, the machines beyond the break can't be reached, and because the terminator at the other end is now out of the circuit, the entire network may even fail.

The other method is 10baseT, which requires a special device called a hub. This method runs an 8 wire (actually only 4 of the wires are used for 10 Mbps, but all 8 are needed for 100 Mbps) connection from each machine to a central hub. The actual connections are 8 wire RJ45, the overgrown telephone jacks that most of us are familiar with from serial wiring. While hubs were once fairly pricey, small 4 or 8 port hubs (you need 1 port for each computer) are now very inexpensive. The advantage of this scheme is that a failure of one component doesn't need to have any effect on the rest of the network; a broken wire affects that one machine, and nothing else. The other difficulty that pushed people toward thinnet was that connectors for bringing 4 pair wire to an RJ45 connection were hard to find and again expensive, requiring special tools, but that's all changed, too. There really is no reason to consider 10base2 today, so the rest of this article will assume 10baseT.

Hubs and LAN cards for this type of wiring come in two speeds: 10 Mb/second (that's 10 megabits, or 1 megabyte) and 100 Mbps (due to overhead, effective speeds are only 70% of that and can be less on a large network). The faster technology is getting less expensive, but right now most offices use the 10 Mbps. It is possible (with some additional equipment called a switch) to mix these speeds. Usually this would mean putting heavily accessed machines on the faster wires, and leaving the typical clients on 10 Mbps segments. But whatever choices are made there, we'll need wiring.

Switches used to be expensive, but they have come way down in price, and except for the smallest offices, there's really no reason NOT to use a switch today.

The design phase of that depends on the layout of your office. If all the machines are close enough, you can place the hub or switch in a central location and perhaps connect with easily purchased patch cords already made up with RJ45 connectors at both ends. That works fine for my four computer office, for example. However, not all offices are so compact, and there may be longer runs necessary. You can even use more than one hub, chaining them together to reach out to separated groups. However, you can't have more than 328 feet of cable between any two devices, and you cannot chain more than four hubs. There are other considerations and limitations; if your physical requirements are beyond the simple cases discussed here, you should seek professional assistance. You can always do whatever it is you need to do; it's just going to cost more.

Again, consider using professionals, even if only for the raw running of cable, with you planning to do the termination (the connections) yourself. Whether you do it, or you hire an installer, you want "Category 5" wire ("CAT 5"). This designation means that it has a certain number of twists for every foot of cable, and those twists mean more reliability for your network. You cannot (or should not) do this with ordinary telephone grade wire. You can buy CAT-5 cable and connectors at electronics stores, most computer stores, and even over the net.

Connections

The termination or connection of this wire to an RJ45 plug involves a specific scheme. You don't just connect it any old way at all: see /Unixart/8wire.html

You can buy special crimping tools that would let you crimp an RJ45 plug directly onto the wire. That's not the best way to do it, though, and that kind of tool is expensive (no, the $12.00 crimper at Radio Shack isn't up to the job!). What you should buy is what are called 110 type RJ45 surface jacks (or wall jacks if you are going within walls). These look like the jacks you'd plug your phone into, but with the RJ45 size plug. There are various ways that the CAT-5 wire is connected to these, but none of them involve any tool more specialized than a pair of pliers. From these you run store-bought patch cords to the computers.

Patch cords (you'd run these from the jacks/hub to each computer) are available inexpensively in pre-made lengths.

NICs (Network Interface Cards)

The computers, of course, need 10baseT network cards installed. For Windows machines, almost anything you can buy will come with an appropriate driver, but for the Unix side, you will have to be more careful. You can get very inexpensive cards nowadays, but I don't recommend using the cheapest cards in servers and other important machines.

Questions, questions

You also have to consider how you will be assigning IP addresses. You need to understand IP addressing (see /Unixart/net101.html as a starting point), and you are also going to want to think about the Internet: will the machines on the network be able to browse web pages? Should they be able to? Should you use a DHCP server? What is a DHCP server? What about a firewall? A proxy server?

A lot of questions, right? I'll try to give you an overview of all this, but it is complex, and you may need specific advice for your situation.

Addressing

Let's tackle addressing first. I suggest that all your machines use one of the "private" networks set aside for internal (non-Internet) use. The use of these addresses does not mean that you won't be able to connect to the Internet. There are three networks available: 10.0.0.0, 172.16.0.0 and 192.168.0.0.

You can either assign addresses manually, or use DHCP (Dynamic Host Configuration Protocol). That lets you set up a pool of available addresses on the server, which then hands them out to individual machines as they request them. For a large network, this can save a lot of time and trouble. For a small network, it is probably more trouble to set up DHCP than to assign the machines manually. You do have to avoid duplication; using the same address more than once will cause problems and confusion. It is common practice to use the addresses .1 or .254 on routers, so you might want to avoid using those on machines in case your network ever grows large enough to need routers, but that is simply convention, and it really does not matter. Often, people give important machines (servers) lower numbers. For example, your server might be 10.1.1.10, and your Windows machines might be 10.1.1.100 to 10.1.1.125. Again, this is nothing but personal preference. On a very small network, I like to give the machines addresses that relate to their port number on the patch panel: the machine plugged into port 1 is 10.1.1.1, the one in port 25 is 10.1.1.25, etc. See Networking 101 for some specific examples of addressing.

Cards and addresses

Ethernet cards run from very cheap (under $20.00) to very expensive (over $100.00). There are differences, and cheap cards can be a problem, especially on larger networks.

On the Windows side, installing the card is almost always very easy, because the card will undoubtedly come with drivers for Windows. Assigning the network address is done from "Settings->Control Panel->Network". You may have to add the TCP-IP protocol to the card; that's just Add->Protocol->Microsoft->TCP/IP. Once you have TCP-IP pointing at your NIC, highlight it and click Properties.

SCO Unix can be a little tougher with drivers; it's best to buy cards that you have drivers for: check the Hardware Compatibility List. Addresses are assigned with "netconfig". Choose your NIC (or add it if you haven't already done that: Hardware->Add New Lan Adaptor) and then add the TCP/IP protocol (Protocol->Add Protocol). If you do not understand what address/net mask to use, see Networking 101.

One strange thing I've seen with some PCI network cards: any PCI card should be found automatically when you Add New Lan Adaptor, but sometimes that just doesn't work. Strangely, I've found that if you add ANYTHING (just pick any card from the list), configure it, and then remove it, the hidden PCI card will then pop up when you try the Add again. I have no idea why this trick works or even why I thought to try that.

Linux can be most easily configured with Linuxconf.

Troubles

The hardest network to troubleshoot is two machines. If you only have two machines, almost anything could be wrong and it's going to be hard to find. Some things to check:

Most cards have a "link" LED that will at least turn on if it sees the hub that it is connected to. Likewise, most decent hubs also have link lights so you can "see" the PC. If you don't have link, then you probably have a physical problem: bad wiring, loose connections, or a bad card.

For "Network Neighborhood" problems (can't see VisionFS or other PCs), remember to be patient: it does take a few minutes for the machines to find each other.

If you don't have DNS configured correctly (or at all), you will experience slow telnet and ftp connections to the server. This is because the server wants to find out what the name is of the machine attempting the connection. The simplest way to fix this is to list all the addresses in /etc/hosts. Note that it doesn't matter if the names are correct: you can just make up names. I often do something like this:

#!/bin/ksh
# Append a placeholder /etc/hosts entry for every address on the
# 192.168.2.0/24 network (host_1 through host_254). The names are made up;
# only the address lookup matters for the reverse lookup the server does.
x=1
while [ $x -lt 255 ]
do
echo "192.168.2.$x host_$x"
x=$((x + 1))
done >> /etc/hosts

and then manually remove the duplicates that were already present (like the server itself, etc.)
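As an added example (my own code, not from the original article), here is the same idea written as a function that skips any address already listed in the file, so the manual duplicate-removal step is not needed and the script can be re-run safely; the function names and the hosts file path argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Append a placeholder entry for every address on a /24 to a hosts file,
# but skip any address that is already listed there (the server, the
# Windows PCs, etc.), so no duplicate entries are ever written.
#
# Usage: add_placeholder_hosts NETWORK_PREFIX HOSTS_FILE
#   e.g. add_placeholder_hosts 192.168.2 /etc/hosts
add_placeholder_hosts() {
    prefix=$1
    hosts=$2
    touch "$hosts"          # create the file if it does not exist yet
    x=1
    while [ "$x" -lt 255 ]; do
        addr="$prefix.$x"
        # Escape the dots so the address is matched literally, and require
        # whitespace after it so 192.168.2.1 does not also match 192.168.2.10.
        pattern=$(printf '%s' "$addr" | sed 's/\./\\./g')
        if ! grep -q "^[[:space:]]*$pattern[[:space:]]" "$hosts"; then
            echo "$addr host_$x"
        fi
        x=$((x + 1))
    done >> "$hosts"
}

# Count how many lines in HOSTS_FILE carry an address under NETWORK_PREFIX
# (useful to confirm the whole /24 is present after the run).
count_prefix_entries() {
    pattern=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -c "^[[:space:]]*$pattern\.[0-9]*[[:space:]]" "$2"
}
```

Run it against a copy of /etc/hosts first; existing lines are kept untouched and only the missing addresses are appended.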

The Internet

"Connected to the Internet" means different things to different people. If all you want is for all the machines to be able to read and send email, you don't need anything more than a PPP connection to your ISP from your server, and Sendmail configured to get and send mail using that ISP. Point all the Windows machines to pop their mail from the Unix box, turn on the POP3 server on that box, and that's all it takes.

If you have an intermittent connection, and can't use SMTP to get mail, there are other ways to do this. See Internet Mail.

If you want people to be able to browse the Internet, or to telnet or ftp to faraway places, that's a different story. You are going to need a Proxy Server, or NAT (Network Address Translation). You may or may not need a firewall or at least something like TCP Wrappers to protect your site. Again, this can be confusing stuff, and your specific situation may not meet the general discussion laid out here. All I'm trying to do here is explain what your options are:

Access

The first problem is to get people connected to the outside world. There are software packages, and dedicated hardware, too. What you choose will depend on your budget and your own ideas about what needs to be done.

NAT

With NAT, every machine can get to the Internet, but it does so in disguise, with its actual IP address not being seen by the outside world.

This is usually done with hardware (a router with Network Address Translation), but can be software. The idea is that you have one or more "real" Internet addresses that will be used for communicating with the outside world. When machine 10.1.1.122 wants to browse, the NAT device or software translates that address to one of the real addresses. When packets come back to that real address, it translates in the other direction and the packets go to 10.1.1.122. The real addresses can get reused for different machines, and sometimes can even be in use at the same time: visualize Sally acting as translator for Bob and Bill. If Bob and Bill are trying to talk to the same person, Sally could get confused as to where to send the answers. But if Bob and Bill are talking to two different people, Sally knows where the answers go because she knows who they have been talking to. Therefore, even a small number of real addresses can serve quite a few users.

A software solution for SCO is IPFILTER. This is TLS709, available from ftp://stage.sco.com/TLS. To configure this, you simply run "ipnat" telling it what network addresses you want to allow through to the outside world. For example, to NAT a 10.1.36.0 network, you'd execute:

ipnat -f - <<EOF
# translate the whole 10.1.36.0/24 network to the address of interface net1
map net1 10.1.36.0/24 -> 0/32
EOF

If you have Windows machines, they'll need a default route pointing at the SCO server, and they'll also need a DNS server assigned; that would likely be the same DNS address that you'd put in the SCO /etc/resolv.conf. You configure these things through the "Properties" tab of the TCP-IP configuration of the NIC in Control Panel->Network. If you don't see TCP-IP listed under your NIC, then you need to Add->Protocol->Microsoft->TCP/IP.

/etc/resolv.conf (that's correct: no "e", just resolv.conf) on the SCO side needs to contain something like:

domain mydomain.com
nameserver xxx.xxx.xxx.xxx
hostresorder local bind

A Linux or BSD system will be similar, though the syntax will vary slightly, especially in that last line. You can list multiple nameservers, but the resolver only goes to the next one if the previous nameserver times out; if it returns "No such domain" or similar, that's the end of searching.

You replace the xxx.xxx.xxx.xxx with whatever your ISP tells you to use for DNS. The domain entry doesn't matter unless your machine really is part of a domain; if it's just the one machine, it does not matter what you call it.

Note that you still need to be concerned about security: see Security

Linux machines would use "ipchains". At its most basic, that is also a simple configuration:

# refuse to forward anything by default...
ipchains -P forward DENY
# ...then masquerade (NAT) only traffic from the internal 10.1.36.0/24 network
ipchains -A forward -s 10.1.36.0/24 -j MASQ

The only other thing you'd have to do is set FORWARD_IPV4="yes" in /etc/sysconfig/network. Again, there's more you need to do with regard to security.

Proxy Server

A Proxy Server approaches this differently. Local machines deal only with the proxy (software running on the server). That software goes out and gets the required data and delivers it back to the internal machine. The difference between this and NAT is that the proxy can cache data and can control who gets what and when. Caching provides efficiency; if both Bob and Bill access the same web page, there's no need to go out and get it twice. I suspect it is obvious why you might want to control who has access to what, etc.

Some possibilities here include SCO's Netscape Proxy Server, the Squid server from Skunkware, and stand alone products like Multitech's Proxy Server.

Security

It's a sad fact that there are people out there who want to bring down your machines, often just for the hell of it. No personal animosity, but just because they can do it. If you have a dedicated, always up, connection to the Internet, you are probably foolish not to give yourself at least minimal protection. A dial up connection may be safer, just because you aren't "there" all the time, but even that does offer a path to your machine. It's a more difficult path, because your hostname and PPP address are changing each time you connect, but the path is still there (and if your host name and ip address are fixed, obviously you don't have even that protection).

Let me quote from the warning that is given by my ISP:

        
        ... you will be a full, routed host on the internet during
        your session. This means that anyone on the
        internet can point their own software at your machine.

        You will be responsible for security against unauthorized
        access to your computer. For example, if you have
        an FTP daemon (mostly only NT or Unix systems but
        this software does exist for other systems) and have
        an account without a password or an easily guessed
        password then anyone could come into your system and
        browse or transfer your files.

Consider this, also: while it may be unlikely that a casual break in will occur on a dial-up line, someone who does have a specific reason to want access to your data may be watching for your connection. Again, it is much more difficult when your address and host name changes all the time, but difficulties give way to determination more often than not.

Also consider that the unpleasant folks who engage in this sort of nuisance often devote considerable effort to the advancement of their knowledge of ways to ruin your day. This is their hobby, it is what they do for fun, and they are going to be spending considerably more time at it than you or I will spend learning how to stop them.

See also /Security/general.html

Both ipfilter and ipchains also provide security capabilities.

A Firewall

A firewall is usually a Proxy Server with a very untrusting attitude. It usually provides exactly the same sort of proxying, but it adds more rules and controls to the mix, and is paranoid about security. Almost always, a firewall is a completely separate machine, and in really paranoid companies, there may be multiple levels of firewalls, each a separate machine, and probably running different operating systems and completely different firewall software. If you've a lot to lose, you really cannot be too careful.

TCP Wrappers

TCP Wrappers is a software program that intercepts TCP packets and applies simple rules to them with the intent of avoiding security breaches. Cheap (free), simple, and it certainly offers some protection against the more likely intruders. See /Security/general.html for more information on tcp-wrappers.

Your ISP

It's possible that your ISP may be able to offer some help. For example, the ISP I use (world.std.com) offers two different ways to make a ppp connection. One is real ppp, and it is to that that the warning above is addressed. The other option is "slirp", which effectively is a proxy server: your machine gets to talk to the web, but nothing out there can get to you. There are, of course, downsides to that sort of configuration.
