David Christensen wrote:
> On 2021-01-19 06:22, Dan Ritter wrote:
> >
> > My firewall (yes, it runs Debian) has an Intel 4x 1gig ethernet
> > card in it, as well as the 1 gig port on the motherboard. Each
> > is completely independent, so I have:
> >
> > - one connection to the public Internet
> > - one connection to my switched network of wifi access points
> > - one connection to my general wired network switch
> > - one connection to my remote power switch
> > - and a free connection for the future.
> >
> > Each of these has one or more different IP addresses, including
> > IPv6 on three ports, and packets are routed between them and
> > blocked by the firewall.
>
> On 2021-01-19 08:40, Dan Ritter wrote:
> > [The remote power switch] can turn on and off a set of wall outlets,
> > to which other computers are attached. In other words, if the firewall
> > is running, I can power-cycle several other machines.
>
>
> I assume your Wi-Fi, LAN, and remote power switch interfaces are on
> different network segments (?).
>
>
> Do you have use-cases that require or benefit from this, or could you
> replace the 4-port NIC with a 1-port NIC connected to a switch connected to
> all of the inside devices (AP's, clients, servers, power gateway, etc.)?

The remote power switch doesn't have to be directly attached; it could be attached to the switch that the general wired network uses. However, it needs to be fully functional with just the firewall being alive -- the idea is that if I can get into my firewall, I can deal with a hung server.

The APs are deliberately separated from the wired network: nothing on an AP is trusted more than the general Internet, except that they get to see DHCP, DNS, NTP and a printer. All the wired devices trust each other a bit more; there are some NFS mounts that allow an entire subnet to read from them, for example.

So I could drop down to a 2-port NIC, using 3 total and not having any spares, but I already have this setup, and it's been running nicely since 2014. I spent about $250 on it, including some parts I had lying around, and with luck it will last until something better than gigabit fiber comes to my neighborhood with nothing worse than a power-supply replacement for $40 or so.

The best part is that it runs straight Debian, AMD64, so unlike all the SOHO routers, it stays up to date.

-dsr-
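
The segmentation described in the message above, sketched as an nftables ruleset. This is an added example, not part of the original post and not the poster's configuration. Assumptions: the interface names, the printer address and ports, SSH as the management path, and that DHCP, DNS and NTP run on the firewall itself.

```nftables
#!/usr/sbin/nft -f
# Added example: every name, address and port below is an assumption.
flush ruleset

define wan_if  = "eth0"        # assumed: public Internet
define wifi_if = "eth1"        # assumed: switched network of Wi-Fi APs
define lan_if  = "eth2"        # assumed: general wired network
define pdu_if  = "eth3"        # assumed: remote power switch
define printer = 192.0.2.50    # constructed documentation address on the LAN

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # IPv6 needs neighbor discovery and PMTU on every routed port
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, echo-request } accept
        # Wi-Fi side: only DHCP, DNS and NTP served by the firewall
        iifname $wifi_if udp dport { 53, 67, 123 } accept
        iifname $wifi_if tcp dport 53 accept
        # Wired side: same services plus SSH (assumed management path)
        iifname $lan_if udp dport { 53, 67, 123 } accept
        iifname $lan_if tcp dport { 22, 53 } accept
        # Nothing is accepted from wan_if or pdu_if beyond return traffic
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Both inside segments may reach the Internet
        iifname { $wifi_if, $lan_if } oifname $wan_if accept
        # Wi-Fi clients get exactly one wired host: the printer
        # (IPP 631 and raw 9100 are assumed printing ports)
        iifname $wifi_if oifname $lan_if ip daddr $printer tcp dport { 631, 9100 } accept
        # No rule forwards to pdu_if: only the firewall's own (output)
        # traffic reaches the power switch, so it stays usable whenever
        # the firewall is up and is unreachable from every other segment.
    }
}
```

On Debian the file can be syntax-checked without loading it using `nft -c -f <file>`.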