Why is the recommended network setup ISP -> Snow Leopard Server -> Switch -> 5 iMacs?




learningapple
Jul 12, 2011, 09:47 AM
We have the internet service provider connected to a switch, and the switch has Snow Leopard Server and 5 iMacs connected to it. (ISP -> Switch -> Snow Leopard Server, 5 iMacs)

Why is the recommended network setup for Snow Leopard Server as follows ISP -> Snow Leopard Server -> Switch -> 5 iMacs?



hwojtek
Jul 12, 2011, 10:56 AM
It is not. The recommended and only reasonably possible setup would be ISP -> Router -> whatever number of computers, including the one running OS X Server. If you think there is a reason to do it in a different order, feel free to share the reasoning behind this idea.
I think you are about to break ballistic through the spam threshold. Or you just need to go back to some very basics.

learningapple
Jul 12, 2011, 05:07 PM
@hwojtek

I should have had it ISP -> Router -> OS X Server -> Switch -> 5 iMacs

Sorry, new to this and trying to figure out what I am doing.

Alrescha
Jul 12, 2011, 05:53 PM
You got that box because your Mac has two active network interfaces, and so OS X Server gives you the option of configuring your machine as a gateway. It's not necessarily 'recommended', and if you did not have two active interfaces, you would never have seen it.

A.

dark knight
Jul 13, 2011, 09:05 AM
> @hwojtek
>
> I should have had it ISP -> Router -> OS X Server -> Switch -> 5 iMacs
>
> Sorry, new to this and trying to figure out what I am doing.

basically your question is 'what is the advantage of using the server as an internet gateway for the other imacs (rather than them just connecting to the router themselves)'.

i would be interested in possible answers to this too. as far as i can tell you can instruct the server to allow/deny certain services, websites etc for the other computers. again, not sure of uses beyond this.

jtara
Jul 14, 2011, 01:30 PM
> basically your question is 'what is the advantage of using the server as an internet gateway for the other imacs (rather than them just connecting to the router themselves)'.


The advantage is that the server is a larger, faster, more powerful router than your router.

Popular open-source replacement router firmware allows you to install just about any Linux application on your router. However, it'll still be running on a slow computer with very limited memory.

There's a wide range of useful software either included with OSX Server or that can be installed that is useful in a routing scenario. More sophisticated firewalls, VPN, etc. etc.

Consultant
Jul 14, 2011, 03:29 PM
How many IPs do you have?
Do you already have a router?

hwojtek
Jul 18, 2011, 07:02 PM
> The advantage is that the server is a larger, faster, more powerful router than your router.
>
> Popular open-source replacement router firmware allows you to install just about any Linux application on your router. However, it'll still be running on a slow computer with very limited memory.
>
> There's a wide range of useful software either included with OSX Server or that can be installed that is useful in a routing scenario. More sophisticated firewalls, VPN, etc. etc.

Only recommended if you have a separate machine running as a router/firewall. Crashing a server with a DoS attack is still quite simple and if the gateway machine is a production server with some other services like even a trivial file server, such an attack can lead to major losses. Imagine a small company running a shared volume on the gateway for Adobe Creative Suite files. Or using the powerful Mac Pro gateway as a file server for FCP projects (hey, we want our ROI quick, so let the expensive computer do as much work as possible). Once the network stack is killed by some idiot DoS-ing the server for no reason apart from it being there, the workstations have no connection to the file server and everything f@#$ up instantly.
That said, using a Mac Pro as a $2000 gateway is a bit over the top. For that kind of money one can buy a standalone router powerful enough to handle thousands of users with a proper firewall.
Also, replacing the el cheapo $150 router or even having a spare one with the very same config as the regular one is cheaper and a much more sensible approach. In network security it's not the size of the weapon you are using that is important - but the time your network is down due to an attack. When using a simple, easily replaceable router, you can be back online within minutes and if the network is properly set up (which would be ISP -> router/firewall -> switch -> internal network including servers) the internal network activity is not disrupted even if you physically destroy the router with an axe.

dark knight
Jul 19, 2011, 02:10 AM
> When using a simple, easily replaceable router, you can be back online within minutes and if the network is properly set up (which would be ISP -> router/firewall -> switch -> internal network including servers) the internal network activity is not disrupted even if you physically destroy the router with an axe.

thanks for the info, very interesting. if the ISP distributed router has 4 ethernet ports would you still put the network switch in the path? (assuming 4 clients). any advantages?

also, if you do not have something constantly (like a 24/7 server) connected to the router does this in any way contribute to what my ISP have called 'stale sessions' occurring? my home setup has a time capsule permanently connected to the router and never has a problem. the business setup turns all machines off at night and quite often the internet gets screwed by the morning. ISP describes a 'stale session' has occurred. i assumed the router gets bored all alone. :)

hwojtek
Jul 19, 2011, 11:22 AM
I would include a switch (not a hub), as your internal IP routing (and network as a whole) would still work even if the ISP-provided router would be switched off completely. And even if the IP fails, the zeroconf functionality of the OS X will keep the internal computers connected.
Putting all the communication with the internet into a single ethernet cable between the switch and the router is not a problem. I am sure you do not have a 1 Gbit ISP connection ;) I have exactly this setup done with a WRT54G router running DDWRT and a couple of Airport Extreme Base Stations acting as bridges and access points only (with routing disabled).

The stale session can be a problem easily remedied with a cron script pinging a random site (google.com or apple.com being a good example) every hour or so. It will just keep the connection alive at night.
AFAIR the DDWRT firmware for Cisco/Linksys WRT54G is able to do it out of the box.
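
The hourly keep-alive described in the post above, as an added example that is not part of the original thread. The script name, install path, log location and the `run` argument are assumptions; the two hosts are the ones named in the post. It tries each host in turn and logs the outcome, so a morning outage can be matched against the time the probes started failing.

```shell
#!/bin/sh
# keepalive.sh - constructed example, not from the thread.
# Assumed crontab entry (hourly, on a machine that stays on overnight):
#   0 * * * * /usr/local/bin/keepalive.sh run

# Hosts to probe, in order; override with KEEPALIVE_HOSTS.
HOSTS="${KEEPALIVE_HOSTS:-google.com apple.com}"
# Log file (assumed location); override with KEEPALIVE_LOG.
LOG="${KEEPALIVE_LOG:-/tmp/keepalive.log}"

# probe HOST: send a single ICMP echo request, succeed if a reply arrives.
probe() {
    ping -c 1 "$1" >/dev/null 2>&1
}

# stamp: timestamp used in log lines.
stamp() {
    date '+%Y-%m-%d %H:%M:%S'
}

# keepalive: generate outbound traffic through the router.
# Returns 0 on the first host that answers, 1 if none do.
keepalive() {
    for host in $HOSTS; do
        if probe "$host"; then
            printf '%s ok %s\n' "$(stamp)" "$host" >>"$LOG"
            return 0
        fi
        printf '%s no-reply %s\n' "$(stamp)" "$host" >>"$LOG"
    done
    printf '%s FAIL all hosts unreachable\n' "$(stamp)" >>"$LOG"
    return 1
}

# Only probe when invoked with "run", so the file can also be sourced.
case "${1:-}" in
    run) keepalive ;;
esac
```

A run of `FAIL` lines ending shortly before the connection is found dead in the morning points at the upstream link rather than the internal network.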