Not only that, but the old machine was badly maintained and stopped accepting updates without a complete reinstall, which I never found time to do. I was running a kernel from 2005 for twelve years! Not just bad, this was a security nightmare!
I guess I don't have a lot of attack surface even if you get past the router/firewall, but I have been at least the target of DoS attacks on the router. Here is the old router, with its proud Pentium II CPU:
But the hardware for the new router arrived earlier this year, and now I had time to set it up properly and disconnect the old router. While the new router is still not the newest gear either, it has a modern architecture, hopefully better settings and maintenance, and much simplified configuration. The new machine is running an ASUS CS-B motherboard and the Intel Celeron G1850 CPU in a stylish but simple Bitphoenix Phenom micro-ATX case. There's a medium-sized SSD for the machine but no other disks. The machine will not run any other services than forwarding packets, firewalling, and DHCP for the internal network. And my OS is still Ubuntu, but this time version 16, not 4.
At the same time, I've reorganised my entire network around the following principles:
- Right things in the cloud: Keep as much of the functionality in the cloud as possible. But do not lose control of your own systems or materials. I rent my own space in the cloud and keep file storage in my own servers at home.
- Just make it fast: Build a fast, general-purpose and simple network that supports any new service that might come up in the future.
- Keep it simple: No unnecessary services, no extra complications, no complex architectures.
- Move all external-facing web services to the cloud. With one exception, all my websites -- such as planetskier.net -- are now hosted by Linode, and provide TLS certificates via Letsencrypt. I have yet to move arkko.com, because that is the only domain that handles e-mail, and I haven't found a reasonable, free alternative to hosting that outside our lab server at work.
- Simplify internal network organisation. I've disabled much of the old hardware and special purpose networks. I won't be needing NAT64 any longer, and I will work with a simpler network that doesn't require the HOMENET automatic routing setup. I will still maintain two special networks, for internal and visitor networks. But I've divided the two networks to use the two redundant uplinks that I have, on ADSL and LTE Advanced. This also allows easy (but manual) switching from one uplink and router to another when something breaks.
- Turn off dozens of services for which I had no use, or which were only partially functional.
- Upgrade the internal network to 10G. This is still in progress, as only one of my file servers has the necessary network card. Other cards have been ordered, but I'm still searching for a reasonably priced 10G switch with at least 3 but preferably 8 10GBase-T connectors. Pointers welcome.
- Employ IPv6 as a means to access individual services from elsewhere in the Internet.
- Employ a smaller number of larger file servers. In my case it is still beneficial to have multiple physically separate devices for safety, but they need to be appropriately dimensioned. I.e., n * 10TB rather than a measly 2-4 TB each, as previously.
The primary new file server runs on a new computer similar to the router, but with the MSI A88XM-E45 motherboard and the AMD Athlon x4 760K black edition CPU. This particular CPU unit is, by the way, a world record holder for the Athlon x4 760Ks; it used to be overclocked up to 7.1 GHz with liquid nitrogen, but it is now enjoying retirement at a more relaxed 3.7 GHz.
- Employ redundant disk clusters. I've turned on ZFS on my new file server, currently running 2x10TB disks in mirror mode, so able to provide 10TB of storage. The really excellent thing about this is that I can add more storage on the go while keeping the same logical disk structure for users, even if I run out of the 10TB. Of course, redundancy within the same case is not sufficient for all problems, so in addition to having manual backups I'm also considering hosting backup servers at alternate locations, with automatic network sync.
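A mirror only protects data while both members are healthy, so the redundancy described above is worth checking automatically rather than noticing a dropped disk months later. The following is an added example, not code from the original post or from the ZFS project: it parses the text that `zpool status` prints and lists anything that breaks redundancy (a pool or vdev that is not ONLINE, or non-zero read/write/checksum counters). The pool name `tank`, the device names and both sample outputs are constructed for the example; `check_live_pool()` runs the real command and needs `zfsutils` installed.

```python
"""Parse `zpool status` output and report anything that breaks mirror redundancy.

Added example, not from the original post or the ZFS project. The sample
outputs below are constructed to look like `zpool status` on a two-disk
mirror; the pool name "tank" and the device names are placeholders.
"""
import re
import subprocess

# Constructed sample: a 2-disk mirror whose second disk has dropped out.
DEGRADED_STATUS = """\
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
\tthe pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
config:

\tNAME        STATE     READ WRITE CKSUM
\ttank        DEGRADED     0     0     0
\t  mirror-0  DEGRADED     0     0     0
\t    sda     ONLINE       0     0     0
\t    sdb     UNAVAIL      0     0     0

errors: No known data errors
"""

# Constructed sample: the same mirror with both members healthy.
HEALTHY_STATUS = """\
  pool: tank
 state: ONLINE
config:

\tNAME        STATE     READ WRITE CKSUM
\ttank        ONLINE       0     0     0
\t  mirror-0  ONLINE       0     0     0
\t    sda     ONLINE       0     0     0
\t    sdb     ONLINE       0     0     0

errors: No known data errors
"""

# vdev states that zpool status can print in the config table
STATES = {"ONLINE", "DEGRADED", "FAULTED", "OFFLINE", "UNAVAIL", "REMOVED"}
# NAME  STATE  READ  WRITE  CKSUM  (one row of the config table)
CONFIG_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_zpool_status(text):
    """Return (pool_name, pool_state, rows); rows are dicts, one per config-table line."""
    pool_name = pool_state = None
    rows = []
    in_config = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("pool:"):
            pool_name = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("state:"):
            pool_state = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("config:"):
            in_config = True
        elif in_config:
            if stripped.startswith("errors:"):
                break  # end of the config table
            m = CONFIG_LINE.match(line)
            if not m or m.group(2) not in STATES:
                continue  # header row or blank line
            rows.append({"name": m.group(1), "state": m.group(2),
                         "read": int(m.group(3)), "write": int(m.group(4)),
                         "cksum": int(m.group(5))})
    return pool_name, pool_state, rows


def find_problems(text):
    """List human-readable problems found in one `zpool status` output ([] when healthy)."""
    pool_name, pool_state, rows = parse_zpool_status(text)
    problems = []
    if pool_state != "ONLINE":
        problems.append(f"pool state is {pool_state}")
    for r in rows:
        # the pool's own row repeats the state line, so report it only once
        if r["state"] != "ONLINE" and r["name"] != pool_name:
            problems.append(f"{r['name']} is {r['state']}")
        if r["read"] or r["write"] or r["cksum"]:
            problems.append(f"{r['name']} has errors read={r['read']} "
                            f"write={r['write']} cksum={r['cksum']}")
    return problems


def check_live_pool(pool="tank"):
    """Run the real command (requires zfsutils and usually root) and return its problems."""
    out = subprocess.run(["zpool", "status", pool], capture_output=True,
                         text=True, check=True).stdout
    return find_problems(out)


if __name__ == "__main__":
    for p in find_problems(DEGRADED_STATUS):
        print("WARNING:", p)
```

Run from cron and mail or log anything `find_problems()` returns; an empty list means both mirror members are ONLINE with clean counters. Checksum errors on a single member are the case to watch for: the mirror silently repairs them, so the counters are the only visible sign of a disk starting to fail.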
Not everything is quite up and running yet; in particular, I spent five hours last night just getting the router to work. Turned out that the mere existence of a DHCP client package affected network interfaces that had been defined as static ones.
Setting up IPv6 to work with my ADSL connection to Nebula is the next step. The LTE side of the network already has it. There are also a couple of old laptops still running something that I need to figure out what exactly it is :-) One of those laptops also drives the display to the sauna, and its broken display... that needs replacement.
Here's the communications closet. The new router, file server, and old computations server are sitting side by side at the far end (this whole space is under a staircase), next to the new small rack that I had built earlier.