Installing a Small Office Network
This article concerns the design and physical aspects of installing
a small TCP/IP network. Some of the content may be better
understood with a background knowledge of TCP/IP and routing.
Please see the following links for that background:
For many of us in the SCO world, office networks are a fairly
new phenomenon. Many SCO systems are still happily using serial
connectivity exclusively, even when Windows machines are part of
the enterprise, and even when those machines may be networked
between each other. In fact, some people even refer to serially
connected terminals as a "network" (I won't use that here: if I say
network, I mean an Ethernet network).
At one time, both the cost and complexity of true networks made
it unlikely that small offices would even consider this as an
option. Network cards were expensive, cabling was expensive, and
the network software itself was additional cost. All that has
changed: a small office can be "networked" very inexpensively.
Before we get started though, do consider that if your needs are
complex, you really should hire professionals. You could easily run
afoul of local codes if wiring has to go through walls, for
example. And if your network is larger and more complex, you may
need design advice beyond the scope of this article. Also,
technologies change. This article was originally written in
December of 1998, and represents my opinions and knowledge at that
moment in time. While I do update articles, eventually technology
changes enough that corrections cease to make sense. So keep your
eyes open throughout all of this.
Although radio based networking is possible, at this writing it
is still expensive and somewhat problematical. There are also
security concerns, so it's not considered a reasonable choice just
yet. For the moment, at least, packets flow through wires, or
through glass fibers.
Although there are actually a number of possibilities here, only
two make sense at this writing: 10base2, and 10baseT. The older
"thicknet" is not used at all anymore, and fiber optic is still too
expensive for most of us.
10base2 or thinnet looks just like the coax cable that your
cable TV probably uses. The connectors are a little different; they
don't screw on like TV and Audio cable connectors do. Network cards
designed for thinnet have a post sticking out of them; the "T"
connector on the wire slips onto that post and a half-twist locks
it in place. This sort of wiring is done machine to machine. Every
machine has a "T" connector; the machines at each end have special
terminating resistors attached to one leg of the "T", and every
other machine is just part of the chain. That simplicity is also
the Achilles heel of this scheme: if the chain is broken at any
point, the machines beyond the break can't be reached, and because
the terminator at the other end is now out of the circuit, the
entire network may even fail.
The other method is 10baseT, which requires a special device
called a hub. This method runs an 8 wire (actually only 4 of the
wires are used for 10 Mbps, but all 8 are needed for 100 Mbps)
connection from each machine to a central hub. The actual
connections are 8 wire RJ45, the overgrown telephone jacks that
most of us are familiar with from serial wiring. While hubs were
once fairly pricey, small 4 or 8 port hubs (you need 1 port for
each computer) are now very inexpensive. The advantage of this
scheme is that a failure of one component doesn't need to have any
effect on the rest of the network; a broken wire affects that one
machine, and nothing else. The other difficulty that pushed people
toward thinnet was that connectors for bringing 4 pair wire to a
RJ45 connection were hard to find and again expensive, requiring
special tools, but that's all changed, too. There really is no
reason to consider 10base2 today, so the rest of this article will
Hubs and LAN cards for this type of wiring come in two speeds:
10 Mb/second (that's 10 megabits, or 1 megabyte) and 100 Mbps (due
to overhead, effective speeds are only 70% of that and can be less
on a large network). The faster technology is getting less
expensive, but right now most offices use the 10 Mbps. It is
possible (with some additional equipment called a
switch) to mix these speeds. Usually this would mean
putting heavily accessed machines on the faster wires, and leaving
the typical clients on 10 Mbps segments. But whatever choices are
made there, we'll need wiring.
Switches used to be expensive, but they have come way down
in price, and except for the smallest offices, there's really no
reason NOT to use a switch today.
The design phase of that depends on the layout of your office.
If all the machines are close enough, you can place the hub or
switch in a central location and perhaps connect with easily
purchased patch cords already made up with RJ45 connectors at both
ends. That works fine for my four computer office, for example.
However, not all offices are so compact, and there may be longer
runs necessary. You can even use more than one hub, chaining them
together to reach out to separated groups. However, you can't have
more than 328 feet of cable between any two devices, and you cannot
chain more than four hubs. There are other considerations and
limitations; if your physical requirements are beyond the simple
cases discussed here, you should seek professional assistance. You
can always do whatever it is you need to do; it's just going to
Again, consider using professionals, even if only for the raw
running of cable, with you planning to do the termination (the
connections) yourself. Whether you do it, or you hire an installer,
you want "Category 5" wire ("CAT 5"). This designation means that
it has a certain number of twists for every foot of cable, and
those twists mean more reliability for your network. You cannot (or
should not) do this with ordinary telephone grade wire. You can buy
CAT-5 cable and connectors at electronics stores, most computer
stores, and even over the net.
The termination or connection of this wire to an RJ45 plug
involves a specific scheme. You don't just connect it any old way
at all: see /Unixart/8wire.html
You can buy special crimping tools that would let you crimp an
RJ45 plug directly onto the wire. That's not the best way to do it,
though, and that kind of tool is expensive (no, the $12.00 crimper
at Radio Shack isn't up to the job!). What you should buy is what
are called 110 type RJ45 surface jacks (or wall jacks if you are
going within walls). These look like the jacks you'd plug your
phone into, but with the RJ45 size plug. There are various ways
that the CAT-5 wire is connected to these, but none of them involve
any tool more specialized than a pair of pliers. From these you run
store-bought patch cords to the computers.
Patch cords (you'd run these from the jacks/hub to each
computer) are available inexpensively in pre-made lengths.
NICs (Network Interface Cards)
The computers, of course, have had 10baseT network cards
installed. For Windows machines, almost anything you can buy will
come with an appropriate driver, but for the Unix side, you will
have to be more careful. You can get very inexpensive cards
nowadays, but I don't recommend using the cheapest cards in servers
and other important machines.
You also have to consider how you will be assigning IP
addresses. You need to understand IP addressing (see /Unixart/net101.html as a starting
point), and you are also going to want to think about the Internet:
will the machines on the network be able to browse web pages?
Should they be able to? Should you use a DHCP server? What is a
DHCP server? What about a firewall? A proxy server?
A lot of questions, right? I'll try to give you an overview of
all this, but it is complex, and you may need specific advice for
Let's tackle addressing first. I suggest that all your machines
use one of the "private" networks set aside for internal
(non-Internet) use. The use of these addresses does not mean
that you won't be able to connect to the Internet. There are three
networks available: 10.0.0.0, 172.16.0.0 and 192.168.0.0.
You can either assign addresses manually, or use DHCP (Dynamic
Host Configuration Protocol). That lets you set up a pool of
available addresses on the server, which then hands them out to
individual machines as they request them. For a large network, this
can save a lot of time and trouble. For a small network, it is
probably more trouble to set up DHCP than to assign the machines
manually. You do have to avoid duplication; using the same address
more than once will cause problems and confusion. It is common
practice to use the addresses .1 or .254 on routers, so you might
want to avoid using those on machines in case your network ever
grows large enough to need routers, but that is simply convention,
and it really does not matter. Often, people give important
machines (servers) lower numbers. For example, your server might be
10.1.1.10, and your Windows machines might be 10.1.1.100 to
10.1.1.125. Again, this is nothing to do with anything but personal
preference. On a very small network, I like to give the machines
addresses that relate to their port number on the patch panel: the
machine plugged into port 1 is 10.1.1.1, the one in port 25 is
10.1.1.25, etc. See Networking 101 for some specific examples of addressing.
Cards and addresses
Ethernet cards run from very cheap (under $20.00) to very
expensive (over $100.00). There are differences, and cheap cards
can be a problem, especially on larger networks.
On the Windows side, installing the card is almost always very
easy, because the card will undoubtedly come with drivers for
Windows. Assigning the network address is done from
"Settings->Control Panel->Network". You may have to add the
TCP-IP protocol to the card; that's just
Add->Protocol->Microsoft->TCP/IP. Once you have TCP-IP
pointing at your NIC, highlight it and click Properties.
SCO Unix can be a little tougher with drivers; it's best to buy
cards that you have drivers for; check the Hardware Compatibility List. Addresses are assigned
with "netconfig". Choose your NIC (or add it if you haven't already
done that: Hardware->Add New Lan Adaptor) and then add the
TCP/IP protocol (Protocol->Add Protocol). If you do not
understand what address/net mask to use, see Networking 101
One strange thing I've seen with some PCI network cards: any
PCI card should be found automatically when you Add New Lan
Adaptor, but sometimes that just doesn't work. Strangely, I've
found that if you add ANYTHING (just pick any card from the list),
configure it, and then remove it, the hidden PCI card will then pop
up when you try the Add again. I have no idea why this trick works
or even why I thought to try that.
Linux can be most easily configured with Linuxconf.
The hardest network to troubleshoot is two machines. If you only
have two machines, almost anything could be wrong and it's going to
be hard to find. Some things to check:
Most cards have a "link" led that will at least turn on if it
sees the hub that it is connected to. Likewise, most decent hubs
also have link lights so you can "see" the PC. If you don't have
link, then you probably have a physical problem: bad wiring, loose
connections, or a bad card.
For "Network Neighborhood" problems (can't see VisionFS or other
PC's), remember to be patient: it does take a few minutes for the
machines to find each other.
If you don't have DNS configured correctly (or at all), you will
experience slow telnet and ftp connections to the server. This is
because the server wants to find out what the name is of the
machine attempting the connection. The simplest way to fix this is
to list all the addresses in /etc/hosts. Note that it doesn't
matter if the names are correct: you can just make up names. I
often do something like this:
x=1
# one line per address, .1 through .254, appended to the hosts file
while [ $x -lt 255 ]
do
    echo "192.168.2.$x host_$x"
    x=$((x + 1))
done >> /etc/hosts
and then manually remove the duplicates that were already
present (like the server itself, etc.)
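The two things that bite people here are the duplicate entries just mentioned and addresses that were never meant to be private. The following is an added example, not the article's own code: a small shell function that reads a hosts file and reports any address listed twice, any name mapped to two different addresses, and any address outside the three private networks named earlier. The sample hosts file it writes is constructed for the demonstration; the host names in it are made up.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check an /etc/hosts file for
# the mistakes the text warns about. It reports an address listed twice,
# a name given to two different addresses, and any address outside the
# three private networks (10/8, 172.16/12, 192.168/16).
# Usage: check_hosts /etc/hosts    (exit status 0 means no problems found)

check_hosts() {
    awk '
    BEGIN { bad = 0 }
    # Drop comments; skip lines without at least an address and a name
    { sub(/#.*/, ""); if (NF < 2) next }
    {
        ip = $1
        if (ip in seen_ip) {
            printf "duplicate address %s (%s and %s)\n", ip, seen_ip[ip], $2
            bad = 1
        }
        seen_ip[ip] = $2
        # Every name (and alias) on the line must map to one address only
        for (i = 2; i <= NF; i++) {
            if ($i in seen_name && seen_name[$i] != ip) {
                printf "name %s used for both %s and %s\n", $i, seen_name[$i], ip
                bad = 1
            }
            seen_name[$i] = ip
        }
        # Flag anything that is neither loopback nor RFC 1918 private space
        split(ip, o, ".")
        a = o[1] + 0; b = o[2] + 0
        priv = (a == 10) || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168)
        if (!priv && ip != "127.0.0.1") {
            printf "public address %s on %s\n", ip, $2
            bad = 1
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample hosts file with one of each mistake, for demonstration
make_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1     localhost
10.1.1.10     scoserver
10.1.1.100    pc1
10.1.1.100    pc2        # same address twice
10.1.1.101    pc1        # name already taken by 10.1.1.100
198.51.100.7  webbox     # not a private address
EOF
}

# Stand-alone run: write the sample and check it
# f=/tmp/hosts.sample; make_sample_hosts "$f"; check_hosts "$f"
```

Run it against the real file after the loop above has been appended and the duplicates removed; a clean file produces no output and exit status 0, so it drops neatly into a cron job or a pre-edit habit.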
"Connected to the Internet" means different things to different
people. If all you want is for all the machines to be able to read
and send email, you don't need anything more than a PPP connection
to your ISP from your server, and Sendmail configured to get and
send mail using that ISP. Point all the Windows machines to pop
their mail from the Unix box, turn on the POP3 server on that box,
and that's all it takes.
If you have an intermittent connection, and can't use SMTP
to get mail, there are other ways to do this. See Internet Mail.
If you want people to be able to browse the Internet, or to
telnet or ftp to faraway places, that's a different story. You are
going to need a Proxy Server, or NAT (Network Address Translation).
You may or may not need a firewall or at least something like TCP
Wrappers to protect your site. Again, this can be confusing stuff,
and your specific situation may not meet the general discussion
laid out here. All I'm trying to do here is explain what your
The first problem is to get people connected to the outside
world. There are software packages, and dedicated hardware, too.
What you choose will depend on your budget and your own ideas about
what needs to be done.
With NAT, every machine can get to the Internet, but it does so
in disguise, with its actual IP address not being seen by the
This is usually done with hardware (a router with Network
Address Translation), but can be software. The idea is that you
have one or more "real" Internet addresses that will be used for
communicating with the outside world. When machine 10.1.1.122 wants
to browse, the NAT device or software translates that address to
one of the real addresses. When packets come back to that real
address, it translates in the other direction and the packets go to
10.1.1.122. The real addresses can get reused for different
machines, and sometimes can even be in use at the same time:
visualize Sally acting as translator for Bob and Bill. If Bob and
Bill are trying to talk to the same person, Sally could get
confused as to where to send the answers. But if Bob and Bill are
talking to two different people, Sally knows where the answers go
because she knows who they have been talking to. Therefore, even a
small number of real addresses can serve quite a few users.
A software solution for SCO is IPFILTER. This is TLS709,
available from ftp://stage.sco.com/TLS. To
configure this, you simply run "ipnat" telling it what network
addresses you want to allow through to the outside world. For
example, to NAT a 10.1.36.0 network, you'd execute:
ipnat -f - <<EOF
# net1 is the interface facing the outside world; 0/32 means use its own address
map net1 10.1.36.0/24 -> 0/32
EOF
If you have Windows machines, they'll need a default route
pointing at the SCO server, and they'll also need a DNS server
assigned- that would likely be the same DNS address that you'd put
in the SCO /etc/resolv.conf. You configure these things through the
"Properties" tab of the TCP-IP configuration of the NIC card in
Control Panel->Network. If you don't see TCP-IP listed under
your NIC, then you need to
/etc/resolv.conf (that's correct: no "e", just
resolv.conf) on the SCO side needs to contain something like this
(the domain name shown is only a placeholder):
domain yourdomain
nameserver xyz.xyz.xyz.xyz
hostresorder local bind
A Linux or BSD or whatever will be similar, though syntax will vary slightly
especially in that last line. You can list multiple nameservers, but
the resolver only goes to the next one if the previous nameserver
times out - if it returns "No such domain" or whatever, that's the
end of searching.
You replace the xyz.xyz.xyz.xyz with whatever your ISP tells you
to use for DNS- the domain entry doesn't matter unless your machine
really is part of a domain; if it's just the one machine, it does
not matter what you call it.
Note that you still need to be concerned about security: see
Linux machines would use "ipchains". At its most basic, that is
also a simple configuration:
ipchains -P forward DENY
ipchains -A forward -s 10.1.36.0/24 -j MASQ
The only other thing you'd have to do is set FORWARD_IPV4="yes"
in /etc/sysconfig/network. Again, there's more you need to do with
regard to security.
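To give some substance to "more you need to do with regard to security", here is an added example of my own (not the article's, and not from any Linux distribution): the two masquerading lines wrapped in a shell function together with the spoofing checks a defender would want on the outside link. The interface name ppp0 is an assumption standing in for whatever your ISP link is called, and setting IPCHAINS=echo prints the commands instead of applying them so you can review them before running as root.

```shell
#!/bin/sh
# Added example, not from the article: ipchains rules for masquerading a
# private LAN, plus the spoofing checks the text says you still need to
# think about. The outside interface name (ppp0) is a placeholder.
# Run with IPCHAINS=echo to preview the commands without applying them.
IPCHAINS=${IPCHAINS:-ipchains}

masq_rules() {
    lan=$1      # internal network, e.g. 10.1.36.0/24
    ext=$2      # outside interface, e.g. ppp0
    [ -n "$lan" ] && [ -n "$ext" ] || { echo "usage: masq_rules net/bits ext-if" >&2; return 2; }

    # Forward nothing unless a rule says so, then masquerade only the LAN
    $IPCHAINS -P forward DENY
    $IPCHAINS -A forward -s "$lan" -j MASQ

    # Anti-spoofing: nothing arriving on the outside link may claim a
    # private source address; log it (-l) so you can see the attempts
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPCHAINS -A input -i "$ext" -s "$net" -j DENY -l
    done
    # And nothing from outside may be addressed directly to LAN machines;
    # replies to masqueraded sessions arrive for the ppp0 address, not these
    $IPCHAINS -A input -i "$ext" -d "$lan" -j DENY -l
}

# Stand-alone use: preview first, then apply for real as root
# IPCHAINS=echo masq_rules 10.1.36.0/24 ppp0
```

The forward policy of DENY before the MASQ rule matters: with the default ACCEPT policy, machines on other internal networks, or anything that reaches the server's inside interface, would be routed straight out with their private addresses intact.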
A Proxy Server approaches this differently. Local machines deal
only with the proxy (software running on the server). That software
goes out and gets the required data and delivers it back to the
internal machine. The difference between this and NAT is that the
proxy can cache data and can control who gets what and when.
Caching provides efficiency; if both Bob and Bill access the same
web page, there's no need to go out and get it twice. I suspect it
is obvious why you might want to control who has access to what,
Some possibilities here include SCO's Netscape Proxy Server,
the Squid server from Skunkware,
and stand alone products like Multitech's Proxy Server.
It's a sad fact that there are people out there who want to
bring down your machines, often just for the hell of it. No
personal animosity, but just because they can do it. If you have a
dedicated, always up, connection to the Internet, you are probably
foolish not to give yourself at least minimal protection. A dial up
connection may be safer, just because you aren't "there" all the
time, but even that does offer a path to your machine. It's a more
difficult path, because your hostname and PPP address are changing
each time you connect, but the path is still there (and if your
host name and ip address are fixed, obviously you don't have even
Let me quote from the warning that is given by my ISP:
... you will be a full, routed host on the internet during
your session. This means that anyone on the
internet can point their own software at your machine.
You will be responsible for security against unauthorized
access to your computer. For example, if you have
an FTP daemon (mostly only NT or Unix systems but
this software does exist for other systems) and have
an account without a password or an easily guessed
password then anyone could come into your system and
browse or transfer your files.
Consider this, also: while it may be unlikely that a casual
break in will occur on a dial-up line, someone who does have a
specific reason to want access to your data may be watching for
your connection. Again, it is much more difficult when your address
and host name changes all the time, but difficulties give way to
determination more often than not.
Also consider that the unpleasant folks who engage in this sort
of nuisance often devote considerable effort to the advancement of
their knowledge of ways to ruin your day. This is their hobby, it
is what they do for fun, and they are going to be spending
considerably more time at it than you or I will spend time learning
how to stop them.
See also /Security/general.html
Both ipfilter and ipchains
also provide security capabilities.
A firewall is usually a Proxy Server with a very untrusting
attitude. It usually provides exactly the same sort of proxying,
but it adds more rules and controls to the mix, and is paranoid
about security. Almost always, a firewall is a completely separate
machine, and in really paranoid companies, there may be multiple
levels of firewalls, each a separate machine, and probably running
different operating systems and completely different firewall
software. If you've a lot to lose, you really cannot be too
TCP Wrappers is a software program that intercepts TCP packets
and applies simple rules to them with the intent of avoiding
security breaches. Cheap (free), simple, and certainly offers some
protection against the more likely intruders. See /Security/general.html for more
information on tcp-wrappers.
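What "simple rules" means in practice is two small files. As an added example (mine, not the article's and not part of the tcp_wrappers distribution), this shell function writes a hosts.deny that refuses everything and a hosts.allow that admits only the office LAN and the machine itself, and a second function checks that an existing pair of files actually has the default deny; the common mistake is to write hosts.allow and forget hosts.deny, which leaves every wrapped service open. The directory argument is there so you can write the files somewhere harmless and read them before putting them in /etc.

```shell
#!/bin/sh
# Added example, not from the article: a minimal tcp_wrappers policy that
# admits only the office LAN to the wrapped services (telnet, ftp, pop3 and
# whatever else inetd runs through tcpd) and refuses everyone else.
# The directory argument lets you write the files somewhere other than /etc
# to look them over first.

wrappers_policy() {
    dir=$1      # /etc on a real system
    lan=$2      # dotted network number, e.g. 10.1.36.0
    mask=$3     # its netmask, e.g. 255.255.255.0

    # hosts.deny is consulted only when hosts.allow has no match, so a
    # catch-all here turns the policy into "deny unless explicitly allowed"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"

    # hosts.allow: the machine itself and the LAN, nothing else
    printf 'ALL: 127.0.0.1\nALL: %s/%s\n' "$lan" "$mask" > "$dir/hosts.allow"
}

# Returns 0 only if hosts.deny in the given directory closes the door by
# default; a missing file or a file without "ALL: ALL" fails the check
wrappers_check() {
    grep -q '^ALL:[[:space:]]*ALL' "$1/hosts.deny" 2>/dev/null
}

# Stand-alone use: preview in a scratch directory, then check it
# wrappers_policy /tmp/wrap 10.1.36.0 255.255.255.0 && wrappers_check /tmp/wrap && echo ok
```

Note that the wrappers only see services started through tcpd from inetd; a daemon that runs on its own (a web server, for instance) is not covered and needs its own access controls.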
It's possible that your ISP may be able to offer some help. For
example, the ISP I use (world.std.com) offers two different ways to make a PPP
connection. One is real ppp, and it is to that that the warning
above is addressed. The other option is "slirp", which effectively
is a proxy server: your machine gets to talk to the web, but
nothing out there can get to you. There are, of course, downsides
to that sort of configuration.
© 2011-03-18 Tony Lawrence