How to configure a small network of computers within a larger university network?

I have a small computer lab (8 HP workstations, 1 HP server, 2 NAS boxes, 1 HP networked printer) where currently all the devices are connected directly to my university's network. Each device has an IP address allocated by the network via DHCP (but I am told that these are effectively bound to the MAC addresses for a long time, so the device gets the same IP each time it is powered up), and I have had hostnames assigned to each device, managed by the university's DNS server.

The problem I have is that once connected to the university network the devices are open to anyone on the internet; there is no campus-wide firewall for example. I would like to isolate some or all of these devices from the internet so I can control what ports/services on these devices are accessible from within the university (for example my colleagues want to print, or store data on / access data from the NAS boxes) and which are accessible from beyond the university network. All the devices I mention are in the same physical location (the one computer room), but my workstation is in a separate room and I want to access each of the devices myself for administration.

The workstations are all (or will be) running Scientific Linux. The NAS boxes are Synology products running their own OS.

How should I go about setting up this mini-network? Would it make sense to put all the devices behind a router? If I do that, will it still be possible to connect to each device by the hostnames that have been configured (say from my workstation that will not be behind the router), and if it is, what do I need to set up to make that happen?


Solution 1:

To follow up on what @KatherineVillyard said, if you need to access your NAS or other systems from the campus in general, here's what I'd do:

Campus connections

Talk to whoever manages the campus router, and ask them to reserve you a block of 256 IP addresses, which I'll call A.B.C.0/24. The values of A, B, and C are specific to your campus. If you can't get 256 addresses, you'll live, but get at least 16. Smaller reserved blocks will change the 0 and the /24 to different numbers, up to /28 if you only get 16 IPs allocated.

They'll also need to configure various campus routers to route your reserved block through a specific IP address in a different network block (like the one that already reaches to your room).

If you can't get a block of addresses reserved, you'll have a harder time making your NAS accessible from the rest of campus, but everything else should work ok from inside the network to the outside world. It's certainly not impossible, but it might not be worth the extra effort. Try as hard as you can to get the block of addresses -- you might need to talk to a few different people if the first one doesn't understand what you need.

If you got a block of reserved addresses, you need to record the block's network address and netmask, and also the outside IP the block will be routed through. If you didn't get a block of reserved addresses, you're probably going to end up using a home router/firewall, and you can just use whatever settings it has by default.

If campus IT is really easy to work with, you can also ask for a delegated DNS subdomain for your lab, too. Something like gavinslab.campus.edu. It's really not critical if they don't give this to you, but it's convenient.

Physical

If you got campus IT to reserve you a block of addresses, find an old PC you can put three network interfaces in. It doesn't have to be powerful at all. I've routed 100 Mbit traffic over an original Pentium, and gigabit over a Pentium III. I've really not tested the lower limits, just worked with whatever was easily available.

If campus IT couldn't allocate you a block of addresses, just get a home router/firewall instead.

Then, grab gigabit ethernet switches from somewhere. A home office switch should be plenty, as long as it has enough ports. If you got IT to allocate a block of addresses, get two switches. Label one switch "DMZ", and the other one "Internal". If they didn't allocate you a block of addresses, only get one switch.

Routing/Firewalling (assuming no allocated network block)

If you didn't get a block of addresses, just hook up the home router with the external network interface plugged into the campus, and one internal network interface plugged into your gigabit switch. Treat the room like a home network, where you can get to the campus and outside world without problems, but the campus and outside world will have a hard time getting back to you.

Routing/Firewalling (with an allocated network block)

If you did get a block of addresses, then hook up the onboard network interface of the old PC to the campus network. I'd normally install Debian on it.

Afterwards, I'd install the second and third network cards, and then use my firewall-bootstrap tarball to configure firewalling, DNS, DHCP, and other critical services (we've beaten the crap out of that script in a class I'm running labs for, but wider testing and feedback is welcome). If you have the experience, feel free to do something else equivalent.

Everything else (with an allocated network block)

Plug one powered-up switch into one of the additional network interfaces in the firewall. Check kernel messages to see which ethernet interface just came up. If you're using my script, you want to make sure the Internal switch is on eth1, and the DMZ switch is on eth2.

Plug systems that need to be directly accessible from outside the room onto the DMZ switch. Plug all other systems into the Internal switch.

And from there, honestly, you're going to need to ask more questions as needed. I trust my script to set up a working DNS and DHCP setup for both network segments, and to block outside connections by default. But everything else tends to be site-specific.

Solution 2:

First of all, as an escapee from academia, you have my sincere condolences. Unlike the commenters above, I have no trouble whatsoever believing you have no campus firewall.

The simplest, most elegant way to do this would be, alas, to have a campus firewall. The next best solution, depending on whom you want to have access to your lab, would be to have some kind of department firewall where everyone who needed access was inside said department firewall.

If you can't do either of those--and I fear you won't--you're probably going to have to configure a firewall with "allow from [campus ip ranges]/deny from everyone else." If you want to access these machines from outside that firewall, you'll probably have to use your campus's routable numbers.

And as you said in your comment:

Thanks, so if I use my own firewall, I either configure each individual device I mentioned accordingly (iptables on Linux), or I have to arrange for traffic going to these devices to pass through a separate firewall device.

Correct. I'd probably just throw my hands up in despair and use iptables, but someone else might have a better answer for you.

Lastly, I just wanted to confirm that this:

Each device has an IP address allocated by the network via DHCP (but I am told that these are effectively bound to the MAC addresses for a long time, so the device gets the same IP each time it is powered up), and I have had hostnames assigned to each device, managed by the university's DNS server.

means that you have a static DHCP reservation. Otherwise, the university's DNS server will have to be updated if those numbers happen to change.

Good luck!
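A concrete form of the "allow from campus ranges, deny from everyone else" policy described in Solution 2, applied per device with iptables as in the quoted comment. This is an added example, not code from either answer; the campus ranges, the admin workstation address and the service ports are constructed placeholders, and by default the script only prints the iptables commands (set IPT=iptables to apply them as root).

```shell
#!/bin/sh
# Host firewall for one lab device (workstation, server or NAS that allows it):
# campus ranges reach only the services colleagues need, SSH only from the
# admin workstation, everything else (including the internet) is dropped.
CAMPUS_NETS="${CAMPUS_NETS:-10.20.0.0/16 10.21.0.0/16}"    # assumed campus ranges
ADMIN_WS="${ADMIN_WS:-10.20.5.17}"                          # assumed admin workstation
SERVICE_PORTS="${SERVICE_PORTS:-tcp:445 tcp:2049 tcp:5000}" # SMB, NFS, Synology DSM web UI
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies the rules

lab_firewall_rules() {
  # start from an empty INPUT chain with a deny-by-default policy
  $IPT -F INPUT
  $IPT -P INPUT DROP
  # loopback, plus replies to connections this host opened itself
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # administration: SSH only from the admin workstation in the other room
  $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_WS" -j ACCEPT
  # colleagues anywhere on campus: only the listed service ports
  for net in $CAMPUS_NETS; do
    for svc in $SERVICE_PORTS; do
      proto=${svc%%:*}
      port=${svc##*:}
      $IPT -A INPUT -p "$proto" --dport "$port" -s "$net" -j ACCEPT
    done
  done
  # rate-limited log of what gets refused, then drop it
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "lab-fw-drop: "
  $IPT -A INPUT -j DROP
}

lab_firewall_rules
```

Run it once on each Linux device and persist the result with the distribution's iptables-save mechanism; the NAS boxes and printer need the equivalent in their own firewall settings, or must sit behind the separate firewall device from Solution 1.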