Scott Bush

Exactly one year ago today was the last day I worked at the CESNW/Small Schools Project office in Greenlake. As a way to mark that occasion, I’m finishing a post that I began back then but failed to complete. It was an excellent place to work: an important mission, friendly and dedicated coworkers, and an exceptional view from my desk of the lake.

One of the coolest things I did as the Technology Director with CESNW/SSP was to set up a very robust and secure network. To be honest, this came only after a few months of very rough network problems (appearing on spam lists, frequent e-mail issues, etc.) and I had the very capable help of Dan Schwalbe of Doktor PC. The result was a very fine network, which I then mapped so it could be understood by anyone who would come after me (and, indeed, myself after a few weeks of not thinking about the network).

Hardware

The device that rescued us is from Soekris Engineering. Never heard of them? Neither had I or just about anyone else I asked. But Dan had, and we bought their mid-grade device: the net4801. It’s a solid-state, low-power, 586-class PC in a small box. We went this route after going through three consumer-grade wireless routers (two Linksys WRT45Gs and one D-Link something-or-other). They had pathetic logging capabilities, very limited flexibility in their firewall rules, terrible web-based user interfaces, and the damn things needed rebooting at least once a week. I tried upgrading the firmware, a frustrating IE-partial process (one version eve broke DHCP for Mac clients!) that didn’t help. The open-source DDRT firmware for the WRT45G looked promising, but I could never get it to load. These boxes may be fine for your two-computer setup at home, but they fail miserably at doing any serious work. But, that’s why they cost ~$50.

Software

We installed m0n0wall on the Soekris box to actually manage the network. M0n0wall is great because it offers all the functionality of a much more expensive router on a cheap box. It’s open source so it’s free, which is great especially when you have no budget (like SSP) but need the feature set to get certain things done that cheap routers don’t offer.

I configured the router to allocate two separate IP address ranges to wired and wireless connections. That way it would be easier to track where problems were coming from if they were to happen (they didn’t, though!). Also I set up a number of special rules to allow traffic on some ports through—like Appleshare and MeetingMaker—while everything else was blocked. Of course the whole object of setting up the router was to block spam being sent from our network so I blocked IMAP traffic (port 143 for those network nerds out there, though you probably already knew that) except for our outside mail server at Triversal, Earthlink, and a few other known-good mail servers.

The problem with setting this up was how to make sense of it all. For that I diagramed this SSP network infrastructure map [Update: I removed the link since it's probably not wise to advertise the network config, open ports, etc. on teh intarwebs. Trust me though, the map is cool.] to show what was blocked and what was allowed on each network. It was very helpful in keeping track of everything myself as well as explaining how the network is set up to those who are interested (sadly, there weren’t many ;-)