I believe the most significant leap in understanding networking comes from learning how to turn a simple home network into a full-featured small business environment. Surprisingly, I’ve never come across a plain-language tutorial on how to do just that. However, I’ve learned a great deal throughout my career so far and today, I intend to write the article I wish I had found several years ago.
- Cable/DSL/FIOS Modem—Any internet connection device that has Ethernet out will do.
- Wireless Router or Switch—Either will do. Be sure to read the next section for clarification.
- Firewall Computer —The key to a business type environment is a dedicated hardware firewall. We’ll be using pfSense, and if you check the hardware requirements you’ll see that an older machine will do nicely. Any machine to be configured as a firewall requires a minimum of two Ethernet ports.
- Client Computer—A laptop or desktop computer to be used as a client. Windows or Linux will both work, but I’ll only be referencing Windows commands in this tutorial.
- Disable All Security Software on All Client Machines—Make sure you disable Windows Firewall and any other security software you may have. Left enabled, it adds a second layer of software filtering that will only get in your way while you’re trying to establish that your hardware firewall is working correctly.
Network Device Clarification
It’s very important to understand the similarities and differences between the core types of networking equipment. The following should shed some light on the subject, in order of simplest to most complex:
- Network Interface Card—Every wired networking device has at least one NIC, and every NIC has at least one Ethernet port; a single NIC can have several. Each Ethernet port has its own unique MAC address.
- Cross-Over Cable—A crossover cable is sometimes needed to connect two network devices together without a switch. This may be the case if you’re using older hardware, and you want to connect a single client computer to your firewall computer. Most of the newer hardware “autosenses” regular and crossover cables so both will work automatically, but if you’re not receiving a signal or seeing any flashing lights then try using a crossover cable.
- Switch—A switch adds more ports to your network and eliminates the need for a crossover cable. A typical 8-port switch will have 1 Ethernet cable running to the firewall, and the other 7 cables running to clients or other network devices. It’s important to remember that it doesn’t matter which cable goes into which port; they are all the same.
- Router—A router provides an interface between two (or more) networks and will also usually act as a DHCP server. That’s why on a router you have a special WAN port for that huge network we call the internet, and then a port for your internal Local Area Network (LAN). As a DHCP server, it’s responsible for automatically assigning an IP address to any device connected to the LAN and then it routes all traffic between both networks.
- Wireless Access Point—A wireless access point (WAP) is simply a wireless switch. When you connect to one, it’s the same as if you would have plugged your computer into a switch.
- “Wireless Router”—I have put this item in quotes because it’s important to understand that this type of device that most of us own is usually a combination of all the devices above. It has built-in NICs with Ethernet ports. It auto-senses crossover connections so they are never an issue. It routes traffic from that special WAN (usually labeled “Internet”) port to other ports for you to use as a LAN. Those 4 other ports are all for the same single subnet (your LAN) so that means it’s actually a 4-port switch. Additionally, those antennas provide WAP functionality.
- WAN—Wide Area Network. Also known as the internet.
- LAN—Local Area Network. Your internal network, also known as your domain or your intranet.
- DMZ—De-Militarized Zone. A fancy name for just another type of internal network just like your LAN. The difference is, using firewall rules you prevent any traffic that comes into your DMZ subnet from going to your LAN subnet, for security purposes. This is where you would host a web server or FTP server, a place where anyone on the internet can access certain things without having access to your private LAN devices.
- DHCP—A type of service that automatically hands out IP addresses. Many types of network devices are configurable as DHCP servers.
- WAP—Wireless Access Point. Essentially, a wireless switch.
- NIC—Network Interface Card.
* WANs, LANs and DMZs are all the same type of Ethernet network. They all use the same hardware and work in the same way. They are just given special names to differentiate how these networks are used.
Part 1 – Understanding your Existing Home Network
The diagram above is very typical of home networks. Study the diagram carefully and note the following key points of interest:
- The wireless router can connect clients wirelessly using its built-in WAP.
- The wireless router can connect wired clients using its built-in 4-port switch.
- While not noticeable in the diagram, those wired clients could be connected via crossover cable (as long as the clients’ NICs also support “autosensing”).
- And again, while not noticeable, the wireless router is likely configured as a DHCP server and will automatically hand out (and keep track of) IP addresses for each client that connects to it.
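To make the DHCP point concrete, here is a small model of what the router’s DHCP service does on the LAN: hand out addresses from a pool and keep a lease table keyed by MAC address. This is an added example, not code from the article or from any router firmware; the subnet, the pool range and the MAC addresses are constructed for illustration.

```python
"""Toy model of the DHCP service a home wireless router runs on its LAN.

Added example, not from the original article.  The subnet, pool range and
MAC addresses used below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DhcpServer:
    """Hands out addresses from one subnet and remembers who got what."""
    subnet: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    # lease table: normalised MAC address -> address currently assigned to it
    leases: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # A pool that falls outside its subnet would hand out unroutable addresses.
        if self.pool_start not in self.subnet or self.pool_end not in self.subnet:
            raise ValueError("pool must lie inside the subnet")
        if self.pool_end < self.pool_start:
            raise ValueError("pool end precedes pool start")

    def offer(self, mac: str) -> Optional[ipaddress.IPv4Address]:
        """Return the lease for this MAC, or None when the pool is exhausted.

        A client that reconnects gets its previous address back, which is why a
        device usually keeps the same IP across reboots.
        """
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac]
        in_use = set(self.leases.values())
        addr = self.pool_start
        while addr <= self.pool_end:          # scan the pool for a free address
            if addr not in in_use:
                self.leases[mac] = addr
                return addr
            addr += 1
        return None                           # pool exhausted: no offer

    def release(self, mac: str) -> bool:
        """Give an address back to the pool; True if the MAC held a lease."""
        return self.leases.pop(mac.lower(), None) is not None

    def lease_table(self) -> Dict[str, str]:
        """Snapshot of the table the router's admin page would show."""
        return {m: str(a) for m, a in self.leases.items()}


if __name__ == "__main__":
    # Constructed demo: a deliberately tiny pool so exhaustion is visible.
    lan = DhcpServer(
        subnet=ipaddress.IPv4Network("192.168.1.0/24"),
        pool_start=ipaddress.IPv4Address("192.168.1.100"),
        pool_end=ipaddress.IPv4Address("192.168.1.102"),
    )
    for mac in ("AA:BB:CC:00:00:01", "aa:bb:cc:00:00:02",
                "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"):
        print(mac, "->", lan.offer(mac))
    print(lan.lease_table())
```

The pool here is three addresses wide so the fourth client gets no offer; on a real router the pool is usually most of the /24, but the bookkeeping is the same.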
Unfortunately, this diagram fails to illustrate the importance of subnets. Also referred to as interfaces, subnets are the keystones of understanding how to take your network to the next level:
This illustration highlights a few more key benefits and limitations of a typical home network:
- The wireless router is the central piece of the network.
- The wireless router provides a ton of functionality for a single network device. It’s a router, autosensing switch, WAP, DHCP server, and most even have very limited firewall functionality (allow/block IPs, website filtering, port-forwarding, etc).
- The wireless router is limited to two interfaces, the WAN and the LAN.
So how do we resolve these limitations? How do we bump our network up a notch? We replace that wireless router with a serious hardware firewall. We take an old computer we have lying around and we turn it into a router on steroids. Enter pfSense.
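The following model ties together the two ideas from this part, subnets as interfaces and the DMZ rule described in the glossary: a firewall with a WAN, a LAN and a DMZ interface, and a rule list that lets the DMZ reach the internet but never the LAN. This is an added example written for this article, not code from the article or from pfSense. The three subnets, the rule list and the first-match evaluation order are assumptions chosen for illustration; pfSense expresses the same kind of policy through its own rule editor.

```python
"""Model of the interface layout a dedicated firewall gives you (WAN, LAN, DMZ)
and the rule that isolates the DMZ from the LAN.

Added example, not from the article or from pfSense.  Subnets, rules and the
first-match evaluation order are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src_if: str                       # interface the packet arrives on, or "any"
    dst_if: str                       # interface owning the destination, or "any"
    dst_port: Optional[int] = None    # None = any port


# Constructed layout: two internal subnets; anything not internal is WAN.
INTERFACES: List[Interface] = [
    Interface("LAN", ipaddress.IPv4Network("192.168.1.0/24")),
    Interface("DMZ", ipaddress.IPv4Network("192.168.2.0/24")),
]

# Evaluated top to bottom, first match wins.  The final rule is the default
# deny that a dedicated firewall provides and a home router does not.
RULES: List[Rule] = [
    Rule("block", "DMZ", "LAN"),               # the DMZ isolation from the glossary
    Rule("pass", "DMZ", "WAN"),                # DMZ hosts may reach the internet
    Rule("pass", "LAN", "any"),                # trusted LAN may go anywhere
    Rule("pass", "WAN", "DMZ", dst_port=80),   # the public web server in the DMZ
    Rule("block", "any", "any"),
]


def interface_for(ip: str) -> str:
    """Name the interface (subnet) that owns this address; non-internal is WAN."""
    addr = IPv4(ip)
    for iface in INTERFACES:
        if addr in iface.subnet:
            return iface.name
    return "WAN"


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'pass' or 'block' for a packet, using the rule list above."""
    src_if, dst_if = interface_for(src_ip), interface_for(dst_ip)
    for rule in RULES:
        if rule.src_if not in ("any", src_if):
            continue
        if rule.dst_if not in ("any", dst_if):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "block"   # unreachable with the catch-all rule present, kept as a safety net


if __name__ == "__main__":
    # Constructed traffic samples (198.51.100.x / 203.0.113.x are documentation ranges).
    samples = [
        ("192.168.2.10", "192.168.1.20", 445),   # DMZ web server -> LAN file share
        ("192.168.2.10", "198.51.100.7", 443),   # DMZ web server -> internet
        ("192.168.1.20", "192.168.2.10", 22),    # LAN admin -> DMZ server
        ("203.0.113.5", "192.168.2.10", 80),     # internet -> public web server
        ("203.0.113.5", "192.168.2.10", 22),     # internet -> DMZ ssh
        ("203.0.113.5", "192.168.1.20", 80),     # internet -> LAN host
    ]
    for src, dst, port in samples:
        print(f"{interface_for(src):>3} {src} -> {interface_for(dst):>3} {dst}:{port}  {decide(src, dst, port)}")
```

The first sample is the case the DMZ exists for: a compromised public server cannot open a connection into the LAN, while the LAN can still administer it. Note that a home router with only WAN and LAN interfaces cannot express this at all, because it has no third subnet to which the block rule could apply.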
Part 2 – Creating a Small Business Network
Now that we thoroughly understand what we’ve already got, let’s take a look at what we want to create:
As you can see in the diagram above, our dedicated firewall is the centerpiece of our small business network. Any firewall requires a minimum of two different interfaces, which means it requires a minimum of two NICs. It should be obvious that the network illustrated above has four, but we’ll only be using two for this tutorial.