
mainstay

macrumors 6502
Original poster
Feb 14, 2011
272
0
BC
Hi All,

I've read a ton of articles that all seem to peter out with non-conclusive answers / opinions.

Would you recommend:

a) Use a mac mini as a wireless router such that it handles DHCP, DNS, NAT, VPN, and internet sharing:

ISP >> apple usb ethernet adapter >> mac mini >> en0 >> network + wifi

or

b) Use an airport extreme as the wireless base station connected to your isp and mac mini

ISP >> airport extreme >> mac mini

In scenario B, I understand that VPN passthrough can be configured, but would you also defer DHCP handling to the mini or use the airport extreme to do this?

Opinions, suggestions, please!

--Matthew
 

funkahdafi

Suspended
Mar 16, 2009
377
112
Planet Earth
While the Airport Extreme can do a lot of things, it's still very limited in terms of manageability and feature "depth".

If you have a Mac Mini anyways, and you are using Mac OS X server on it, I would suggest to put most functions you want to use on the Mac.

HOWEVER: I would still use the Airport Extreme as a router towards your ISP (with VPN passthrough) as a sort of firewall. It's got a small OS footprint (no Mac OS X, but a simple firmware) so it's less probable to get hacked.

If you want to do it completely right though, I would do this:

ISP -> true firewall -> ethernet switch with Mac Mini and Airport Extreme on it.

If you want real protection from outside threats, don't trust a "cheap" WLAN router or a box with some "hardened" OS on it. Do yourself a favor and invest in a real firewall. There are good choices out there for small business with a limited budget. For example the Check Point Safe@Office Firewalls are very good and easy to set up.
 

mainstay

macrumors 6502
Original poster
Feb 14, 2011
272
0
BC
Thank you very much!

This is exactly the sort of setup I was leaning towards.

ISP >> Airport w/ WiFi Base Station and VPN Pass-through to Mini and no DHCP >> Mac Mini Server w/ DHCP, VPN, and DNS >> 24-port switch

But wait, if the Mini only has one Ethernet port and it is being used as incoming WAN, how do I get from the mini to the lan switch?

Or is it simply easier to use the airport as a dhcp server so that:

ISP >> Airport w/ WiFi and DHCP and VPN Pass-through >> Switch + Mac Mini Server w/ VPN and NO DHCP?


I will have a few additional airports sprinkled throughout the site that will extend the wireless network (not a TON of users, but it is spread out over a huge warehouse area).

That's a good lead on the firewall. I prefer "real life" recommendations over everything.

(I have become very disappointed in Cisco's VPN solutions and their support services - so am looking for a replacement option).

Thanks for the fast response!

--Matthew
 

funkahdafi

Suspended
Mar 16, 2009
377
112
Planet Earth
Matthew,

you would connect everything to the ethernet switch. The Mac Mini would not be connected directly to the Airport. The Airport has multiple ethernet ports. One of them is external (ISP faced). You connect that to the ISP. One of the other, remaining ports would go to your ethernet switch.

Then you put the Mac Mini to the ethernet switch as well.

That way all internal machines can see the Mac Mini and the Airport's internal interface.

Kind of like this:

ISP -> (external) Airport (internal) -> Switch -> the rest of your network (Mac Mini).

Hope this makes sense.

As for Cisco: You are right. They are expensive and impossible to set up if you don't have the knowledge. Those Check Points I recommended are much easier to set up. Also, Check Point have Safe@Office models with included WiFi, so you would not need to buy an additional Airport Extreme.
 

funkahdafi

Suspended
Mar 16, 2009
377
112
Planet Earth
One more thing about the Safe@Office Firewalls: You can purchase subscription based services for them, like Antivirus, Antispam, Intrusion Prevention, Reporting. If fully loaded, these devices will check every Internet connection for viruses, spam mails and application attacks.

For more info check here:
http://www.safeatoffice.com/landing/

For more questions, don't hesitate to ask.
 

mainstay

macrumors 6502
Original poster
Feb 14, 2011
272
0
BC
ISP -> (external) Airport (internal) -> Switch -> the rest of your network (Mac Mini).

I've always put the dhcp server before the switch, not connected with it.

I've never actually even considered this... which is what makes these forums so darn useful.

Thank you a ton for your amazing answers. I very much appreciate them.

(contrary to my questions, I am not a novice, but I've recently taken on a larger project than I am used to working on and am getting a touch panicky...).

thanks!

--Matthew
 

funkahdafi

Suspended
Mar 16, 2009
377
112
Planet Earth
You are welcome! :) Always glad when I can help.

Just remember: As long as you have everything from your internal network connected to the same ethernet switch, everything will be able to talk to each other. Including DHCP server with clients (as long as everything shares the same IP address range/network, that is).

The Airport (or any other router/firewall) will separate your internal network from the external network (Internet), so it will always need two interfaces for that. External (internet) and Internal (network). Any services the Airport provides are being provided on the internal interface.

Good luck with your project!

Cheers
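
As an added example (not part of any post in this thread), a small Python check of an addressing plan for the layout described above: the Airport as gateway, with the Mac Mini on the same switch serving DHCP. The addresses, device names and the rule that exactly one device on the segment serves DHCP are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (all names and addresses are made up).
PLAN = {
    "subnet": "192.168.10.0/24",
    "dhcp_pool": ("192.168.10.100", "192.168.10.199"),
    "devices": [
        {"name": "airport-main", "ip": "192.168.10.1", "dhcp": False, "gateway": True},
        {"name": "mac-mini", "ip": "192.168.10.2", "dhcp": True},
        {"name": "airport-ext-1", "ip": "192.168.10.3", "dhcp": False},
    ],
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"])
    start, end = (ipaddress.ip_address(a) for a in plan["dhcp_pool"])

    # The DHCP pool must be a valid range inside the internal subnet.
    if start > end:
        problems.append("DHCP pool start is after its end")
    for addr in (start, end):
        if addr not in net:
            problems.append(f"DHCP pool address {addr} is outside {net}")

    # Every statically addressed device must share the internal subnet
    # and must not sit inside the range the DHCP server hands out.
    for dev in plan["devices"]:
        ip = ipaddress.ip_address(dev["ip"])
        if ip not in net:
            problems.append(f"{dev['name']} ({ip}) is outside {net}")
        elif start <= ip <= end:
            problems.append(f"{dev['name']} ({ip}) is inside the DHCP pool")

    # Assumption: one DHCP server and one gateway per segment.
    servers = [d["name"] for d in plan["devices"] if d.get("dhcp")]
    if len(servers) != 1:
        problems.append(f"expected one DHCP server, found {len(servers)}: {servers}")
    gateways = [d["name"] for d in plan["devices"] if d.get("gateway")]
    if len(gateways) != 1:
        problems.append(f"expected one gateway, found {len(gateways)}: {gateways}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```
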
 