David Christensen wrote:
On 2021-01-19 06:22, Dan Ritter wrote:
My firewall (yes, it runs Debian) has an Intel 4x 1gig ethernet
card in it, as well as the 1 gig port on the motherboard. Each
is completely independent, so I have:
- one connection to the public Internet
- one connection to my switched network of wifi access points
- one connection to my general wired network switch
- one connection to my remote power switch
- and a free connection for the future.
Each of these has one or more different IP addresses, including
IPv6 on three ports, and packets are routed between them and
blocked by the firewall.
On 2021-01-19 08:40, Dan Ritter wrote:
[The remote power switch] can turn on and off a set of wall outlets,
to which other computers are attached. In other words, if the firewall
is running, I can power-cycle several other machines.
I assume your Wi-Fi, LAN, and remote power switch interfaces are on
different network segments (?).
Do you have use-cases that require or benefit from this, or could you
replace the 4-port NIC with a 1-port NIC connected to a switch connected to
all of the inside devices (AP's, clients, servers, power gateway, etc.)?
The remote power switch doesn't have to be directly attached;
it could be attached to the switch that the general wired
network uses. However, it needs to be fully functional with just
the firewall being alive -- the idea is that if I can get into
my firewall, I can deal with a hung server.
The APs are deliberately separated from the wired network:
nothing on an AP is trusted more than the general Internet,
except that they get to see DHCP, DNS, NTP and a printer.
All the wired devices trust each other a bit more; there are
some NFS mounts that allow an entire subnet to read from them,
for example.
So I could drop down to a 2-port NIC, using 3 total and not
having any spares, but I already have this setup, and it's been
running nicely since 2014. I spent about $250 on it, including
some parts I had lying around, and with luck it will last until
something better than gigabit fiber comes to my neighborhood
with nothing worse than a power-supply replacement for $40 or
so. The best part is that it runs straight Debian, AMD64, so
unlike all the SOHO routers, it stays up to date.