Access file server on external network

[colinjones]

NikAmi - you need to do MUCH more research before commenting on this. There are hundred's of people on these forums that know, in depth, about routing. Don't assume ignorance on such a simple topic. There are many other reasons for this that you need to understand first.

Simple point: if you want a LMCE network that is supported and you can get help for, your core must have 2 NICs, connected to your external home network and your new internal LMCE network. Of course they must be different subnets, that's a given. The external can be anything you want, the internal needs to be 192.168.80.0/24. And you should move all your equipment into the internal network for simplicity, whether or not you think you want it to interact with LMCE at this point. Effectively making your "external network" a simple cat5 cable from your core to your broadband router.

Start your research here - http://wiki.linuxmce.org/index.php/Network_Setup but carry on reading into the FAQs, hardware requirements, and basic concepts of LMCE. There is much to understand such as playing with LMCE's routing is both unnecessary and highly inadvisable, never attempting manual mounts/symlinks for media, etc, etc... but most fundamentally, don't start redesigning/re-engineering a highly complex system until you understand it very well. Implement it as designed, and let it do its thing, don't second guess it or you will fall into a trap that many have where you end up fighting for control with it, without all the facts. In that fight you will loose and break your system in the process! Once you have a working system .... THEN start tinkering...

[Dale_K]

If you PROPERLY set things up, your core stays up.

*hmm*

why do you guys fight this?

Just set it up like we tell you to, and stuff works, and it works well.

"nooo, i'm a control freak, and I want to control __EEEVERYTHING___"

Fine, augment Smoothwall onto your lmce core after you set it up. But let the core be the center of the network. The system works better for it, and you'll have access to all the features.

-Thom

Thom, I respect you immensely for both your knowledge and effort in this project.  However, this post is as realistic as the LinuxMCE video touting the ease and functionality of LinuxMCE installation.

Please consider that these forums are absolutely riddled with posts demonstrating that the core WILL go down.  I can't say this strenuously enough, if you build a LinuxMCE core and you plan to expand it's capabilities, IT WILL GO DOWN.  I could point to many posts that demonstrate people having to reinstall because everything got screwed while they were trying to make their TV, STB, Phone, whatever work (it has happened to me on more than one occasion). 

Imagine a scenario where a regular guy like me is working on his LinuxMCE installation at 11PM (as I usually do) and for whatever reason, hardware failure, my own ignorance of LinuxMCE, etc. my core now boots to an SQL database error.  It's now about 1AM and I have to get up for work in 5 hours so I can't reinstall or attempt to research this error.  Now, I have to go to work in the morning and I won't be home until about 6PM and a repair/reinstall will take at least 2 hours.  So, in the recommended configuration this scenario creates these problems:  My wife and son will have no internet that day, my Web/FTP server is down AND my TV doesn't work.  In the above configuration the Core has no affect on my computers whatsoever and a happy wife = a happy life.

I agree that the intention is to have the core control everything, it's simply not realistic in most people's situation.  For you it probably is, but please remember that your knowledge makes short work of minor problems that for most of us with little LinuxMCE knowledge are catastrophic.

The other issue I have with your reply and the many others wherein you say the same thing is that the impression is that your LinuxMCE won't work correctly in this configuration.   That is simply untrue.  The core doesn't give two shits about what's on the other side of the external NIC as long as the internet is there.  To the core, the above setup is exactly the same as the recommended setup.  I guarantee you can not point out a LinuxMCE feature that does not work because of this configuration.  The only difference is that the network devices on that external network are 'external' to the LinuxMCE network and special configuration has to occur if you want interactions between the two (it's really not even that 'special' just standard routing/firewall stuff).  But special configuration to make stuff work is a staple of LinuxMCE so there's not much difference there.

I do apologize if there is an aggressive tone to this post but it's a passionate response to what seems like you always having a "you're an idiot" tone to the posts you make on this topic.  It really is insulting to us that prefer this setup for stability and reliability of our home networks.

[tschak909]

NikAmi. Why wouldn't you? this system is designed to handle every single machine inside a house, and it works better this way. It drives me crazy when I see people with over-complicated network setups simply because they feel this need to segment off LinuxMCE from the rest of the system, and thus miss out on all the features.

-Thom

[NikAmi]

Thom-

I don't know about most people, but I would be a little wary of making a machine my Internet gateway when it has control over my home's lighting, phones, and security. If anything, I would want to either lock that off from the Internet completely or only allow certain devices to communicate with it at all. Not to mention that in my house, and possibly in many others, I have an existing network that splits WAN, LAN, and WLAN traffic to form a captive portal for all WLAN users and disallows communication between WLAN users and the LAN unless specifically granted. I am sure that this is all possible in LMCE, but if this system has been in place for years and has worked flawlessly, why take it down? I will admit, if I only had one or two computers (or for that matter one network), it would make the most sense to just use the Core as the router.

Also, from what I am hearing, going from one release to another can cause problems which could potentially render the Core useless. I don't know about most users, but I would certainly want to update my Core whenever you guys come out with updates, patches, and new features. Any of these updates could, potentially, cripple the Core whereas my router hasn't needed an update since I installed it 2 years ago (granted the software is old and I am contemplating installing the newer version when I get home). I definitely see the merit in including the router in the software and using it for your entire network, but many of us have our reasons for wanting to separate the two.

Even though I only installed LMCE once just to muck around with it after 710 had been released I really appreciate the work that you and all the other devs are putting into the project and the enormity of it.

[merkur2k]

Why dont you actually install and use the system before making coments like this?
To hit some of your points;
LinuxMCE includes a firewall. The *exact* same firewall code found in many consumer grade hardware routers.
but
nothing is stopping you from puting another firewall in front of it if it makes you feel any better.
of course you just add another piece of hardware that must be configured, maintained, and adds a point of failure. all for redundancy of features that the system already does.
A captive portal wifi system is great for an untrusted environment such as a coffee house. Do you really have that much riffraff on your private wifi network that you feel the need to segregate it?
If you are worried about breaking the system during an upgrade, isn't that what backups are for? Commercial entities dont just slap a new cd into a server and hope for the best, they use parallel hardware to do a test first or use other methods of ensuring success and having a fallback in case it doesnt work. This could be as simple as swapping out a hard drive for a home user and dealing with a couple hours of downtime. Or use the method you seem to be pushing for your needlessly overcomplicated network; "if it aint broken, dont fix it" (ie dont upgrade unless you need to).
What I see here is a needlessly overcomplicated network that you made up at one point for geek points with friends or something, and now pride keeps you from wanting to change it or something, i dunno. Its not a logical argument in any case. LinuxMCE is designed with the requirements it has for a reason, it needs to be setup in a specific way to deliver the features it promises. This is not optional, you cant just make up these requirements yourself and hope it will work just because thats the way you want it or god forbid you would actually have to change something.

[wierdbeard65]

I agree with merkur2k, but will be doing what NikAmi suggests, at least at first. In my case, different reasons.

Its all politics and WAF. The fact is, I have an ADSL router. I have a WiFi AP. I have switches. Thse are points of failure whichever "side" of MCE they sit. I work out of the country. My family's internet simply has to work. All the time. No excuses.

I used to have a linux-based firewall/router/busybox configured very much as MCE is intended to work. I was nearly hung, drawn and quartered by the family whjen it went wrong. In the year it was "up" failures were all beyond my control. One day a guy came round to change the electricity meter. The resulting corruption to the HDD because the power was simply "switched off" took me several ours to fix when I got home. Very unhappy wife  Then there as the time my youngest son found the server and switched it off. That's just two occasions. (Did I mention the occasional crash?)

I accept that having the family machines "outside" excludes them from MCE. I accept that it isn't optimal. I accept that you guys will throw your arms up in the air in horror.

My plan is to start like this. One MCE core and one MD. Everything else "outside". Add a few more MDs and an "inside" WAP. Next comes wifi orbiters.

Once family are happy / I am confident, other machines MIGHT be moved over if the benefits are there to be seen. (If course a UPS will need to be purchased first!)

Guys, the ideal way is just that - but we don't live in an ideal world. If my MCE box shuts down the internet just ONCE, for ANY reason, then the project will be perminantly terminated by the rest of the family. Routers / switches etc can be power-cycled and they just start working again. Server's can't cope with that.

NikAmi - WHAT??? I have to agree with merkur2k completely here. Are you paranoid or just after geek points? Do you live in an area where people regularly try to hack in through your wifi to get at your LAN network? Is what you have there that valuable? I reckon, if so, it would be easier to move to a less inhospitable area! 

[colinjones]

Why dont you actually install and use the system before making coments like this?
To hit some of your points;
LinuxMCE includes a firewall. The *exact* same firewall code found in many consumer grade hardware routers.
but
nothing is stopping you from puting another firewall in front of it if it makes you feel any better.
of course you just add another piece of hardware that must be configured, maintained, and adds a point of failure. all for redundancy of features that the system already does.
A captive portal wifi system is great for an untrusted environment such as a coffee house. Do you really have that much riffraff on your private wifi network that you feel the need to segregate it?
If you are worried about breaking the system during an upgrade, isn't that what backups are for? Commercial entities dont just slap a new cd into a server and hope for the best, they use parallel hardware to do a test first or use other methods of ensuring success and having a fallback in case it doesnt work. This could be as simple as swapping out a hard drive for a home user and dealing with a couple hours of downtime. Or use the method you seem to be pushing for your needlessly overcomplicated network; "if it aint broken, dont fix it" (ie dont upgrade unless you need to).
What I see here is a needlessly overcomplicated network that you made up at one point for geek points with friends or something, and now pride keeps you from wanting to change it or something, i dunno. Its not a logical argument in any case. LinuxMCE is designed with the requirements it has for a reason, it needs to be setup in a specific way to deliver the features it promises. This is not optional, you cant just make up these requirements yourself and hope it will work just because thats the way you want it or god forbid you would actually have to change something.

Merkur2k - whilst I agree with your points.... I would like to ask the tone be scaled back a little we are in agreement, yet lets be less pointed in the expression! NikAmi just dropped in.... s/he clearly has significant technical background, and is attempting to apply it here. There are many areas that stand out in our environment that can only be absorbed with exposure. But I did particularly connect with the "*exact*" bit

[NikAmi]

The reason I set up the network this way is because my parents and siblings regularly have people over that bring their own devices (PDAs, iPhones, laptops, etc.) that need to use our internet connection and in the past, I have found people sitting on our network who weren't authorized. This little system allows me to authorize our home laptops and smartphones to use the encrypted AP while allowing my siblings and parents to authorize guests to use the system over the unencrypted AP. A small webpage pops up when someone not recognized connects to the open access points and requires that someone in the family type in a password that grants the user access to the network for a certain amount of time.

[wierdbeard65]

I'm sorry, but where on earth do you live that this such a huge problem?

Just to repeat what you said, you have people who, by definition, you know and trust well enough to invite into your home, yet you are worried that once they leave they might come back within range of your AP and steal some bandwidth?

You said you found people sitting on the network who were not authorized. What problem were they causing? Hacking your bank details from your secure servers? Maybe you were worried that your best mate was accessing your online "little black book" and stealing all your best leads for a Saturday night? Ok, perhaps that last comment was a bit cheap, but PLEASE.

The simple fact is, if you put a BIG lock on a door, then thieves will wonder what you're protecting and will be all the more interested in breaking in.

In any case, there is no reason why both of your AP types couldn't be on the "inside" in this situation. Once you have access (because you belong or because you are an authorized guest (do you frisk them on the way in and out, by the way )) the why do you need to segregate the traffic? Or do people sit in your kitchen on their iPhones trying to hack your music collection?

You clearly have some knowledge of network security, but a little knowledge can be a dangerous thing. Don't even get me started on password security (I teach this stuff to VoIP engineers for a living, BTW, so I know what I'm talking about here).

Let us get this straight and recap, you want to re-engineer MCE to ensure that visitors, who you trust enough to invite into your home, cannot access the network from "inside", yet you think you might need to tear down the security built into MCE to allow access from "outside". Is that correct?

[itspac]

hey guys,, this post turned from a simple type "can i do this" to a philosophical discussion on networks. 

The basic answer was, yes you can put a file share on an external network, but its not the recommended way to do things.

If you must know i put the file server on the external and i have linuxmce on a different segment thsn the rest of my network is because i only have a 810 alpha box which i'm still experimenting with hardware seeing what i cant change and if i screw it up i can reinstall it and not have problems with other computers and devices not being on the network.