> Arch Linux

>absolutely must flowchart
I think I'm in love with you.

use one of the old computers as a NAT/firewall/etc instead of the router/ap

Why do you use a router? You could use a switch instead and who doesn't have 1Gbit/s enabled devices nowadays? You DSL Modem isn't a combined Modem/Router I presume, (i.e. no wireless) ?

>>20317193
I don't care. It's binary-based, light, flexible, has a package manager and works.
>>20317197
Eh? D-D-Don't say something like that so suddenly!
>>20317211
Alright, I wanted to learn how to that anyway, gotta look for some free network cards.
>>20317221
The old computers are 100mbit only.

>>20317221
0/10.

>>20317248
>I don't care. It's binary-based, light, flexible, has a package manager and works.
arch linux brofist

>arch
>gentoo
you sure got trolled by /g/ aren't you?

First of all, get better flowcharting software.

XMind is good. Free like beer too.

>>20317293
Nah, I've used Arch before I've browsed /g/. It was this board that made me use Debian and Gentoo, though, but I've liked them.
>>20317297
I haven't got java on my laptop.

>any ideas of cool things to do
build a DMZ with the old computers

>>20317438
DMZ aka LAN

>>20317474

wut lol. In my land one of many reasons we call that DMz is because those computers are separated from the LAN.

And... why would OP need to put those old computers on a DMZ? Will he be running http, dns or mail servers on those? Makes no sense.

>>20317474
wat?

>>20317474
Firewalls and such? I could do that with the router computer after I get me some NICs.

>>20317221
>Why do you use a router?
He's probably using it for mac address based DHCP or PPOE which a switch wouldn't do and it'd be easier to set up as a LAN based output rather than trying to deal with that shit through various machines. If you want to throw a gigabit switch in there, you do it after the router. Unless his modem doubles as router/gateway.

forget BSD just get smoothwall and use that behind the router if you care.

>>20317583
You're right.
>>20317599
Eh, I really want to try out the BSDs, though I can just use a VM. A firewall makes sense, I'm gonna do it.

>>20317635
BSD is boring, put it on the testing computer you'll get sick of it when you realise its just linux with much more bullshit for desktop use. Last time I used OpenBSD wasabout 7 years ago now though, not sure about the rest.

needs moar pissing loli

>>20317162
>using Linux for a content server
>using Gentoo at all
lol someone got trolled hard.

>>20317666
why.png

>>20317599
>>20317635

Linux firewall is utter shit. Believe me I work with Linux.

You are stuck with shitty web UI's or an inane commandline like iptables. Don't get me started on shore-shit-this-is-horrible-wall.

pf is way cleaner and efficient (I can do with one line of pf what I would need 6-7 of iptables+iproute2) and even web-based firewall products based on BSD pf are far superior, like pfsense.

Try them. Both openbsd and pfsense are gforious for firewalls.

>>20317645
Well, I'll do that then.
>>20317666
I'm not this rich.
>>20317682
I don't care about your opinion. I'm used to Linux and it fits my needs (they aren't really big anyway).
>>20317687
what

>>20317753
Okay, but I'd have to get used to OpenBSD before I do that. I don't want to compromise my entire network because of one stupid misconfiguration.

>>20317753
If iptables is utter shit (which isn't too far from the truth), what is Microsoft's ISA server firewall stuff to you?

>>20317474
>>20317438
not the same guy, I don't have a clue why he said a dmz = lan

>>20317533
this is what I meant

>>20317799

Using the second router to block lan data from the server?
You could just as easilly DMZ the server and then write a filtering ruleset for the router than server won't send to any lan machines.
If not that, then why even bother splitting the network?

>>20317645
BSd is shit for desktop use yes, but as a router - this one of the few things that BSD can do better than linux.

OP, if you want something easily manageable, but that you can do whatever with still, try pfsense.
It's a BSD router distro based on m0n0wall but designed more for PC hardware over embedded systems.

If you need more information on 'Why BSD for routing' look up PF.

>>20317799

Its only me but two routers are bad in this situation? If you have network problems, You have two points for misconfiguration or performance issues.

Add another network adapter to your fist firewall and set that interface as the DMZ.

>>20317799
>>20317869
Uh, what? No, he's essentially got two networks, one divided from the other. So long as they don't start issuing DHCP requests overtop of one another, they'll get alone just fine.

This *IS* what the whole Internet is really. Just a bunch of routers connected together.

>>20317827
>If not that, then why even bother splitting the network?
op asked for cool things to do

>You could just as easilly DMZ the server and then write a filtering ruleset for the router than server won't send to any lan machines.
>>Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports otherwise forwarded. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network.
read the wikipedia article

>>20317927

Your private network doesn't need to be overcomplicated. A "three-interfaced" firewall can split networks just fine:

lan interface: accesses all
external interface: only accepts specified responses and those initiated by a lan host or dmz.
dmz interface: accesses internet, but can only establish connections with the lan that are initiated by a host on the lan.

And whats this about DHCP requests? Those are non-ip LAN-only broadcasts. They can't be routed.

Like I've said... makes no sense.

Nice setup , you can't improve on that anymore it's not like you would have bandwidth problems , network bottlenecks, link congestion, broadcast domain/collision domain problems what do you think you are doing running an enterprise network with a lot of data flow? The only suggestion I can make is get rid of the fucking Windows bullshit.

>>20318036

No need for a DMZ or anything either. As long as you are using obscure ports and have strong passwords. Your using Linux for your servers so if your not a complete doofus, have only the ports you NEED open and no default shit you should be secure as a motherfucker.

>>20318036
Well, I need Windows for flexibility reasons (i.e. proprietary shit).

>>20317783

Its easyer to fuck up things with iptables than with pf. See this this:

iptables, default policy to block all, allow all lan outgoing trafic. Redirect external http requests to webserver (just the relevant rules):

iptables -A FORWARD -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -j ACCEPT
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 80 -s $client1 -j DNAT --to $webserver
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 80 -s $client2 -j DNAT --to $webserver
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 80 -s $client3 -j DNAT --to $webserver
iptables -A FORWARD -i $ext_if -p tcp --dport 80 -s $client1,$client2,$client3 -d $webserver -j ACCEPT (this will get expanded into 3 rules)

pf, default policy to block all:


pass in on { $int_if }
pass in on egress inet proto tcp from { $client1 $client2 $client3 } to (egresS) port 80 rdr-to $webserver flags S/SA synproxy state

Keep state is always default unless you don't want it. synproxy state is a cool feature that makes your firewall to handle all the tcp connections before passing it to the internal webserver, which can be potentially more vulnerable to tcp attacks.

>>20318075
yup you're right, one router with three interfaces could do the same thing. And nobody in private sector really needs a dmz unless he is a tinfoilhead, it's just an interesting thing to set one up

>>20318036
>get rid of windows
okay stallman.

>>20318189
whoops, wrong postnumber. was directed to:
>>20318009

>>20318186
Alright then, I'll be reading on pf before actually setting this up and then do it. These NICs won't magically materialize themselves anyway.