0

I just recently bought a 16 GB RAM, Intel i7 quad-core Mac mini to be used as the central point of entry to my network and am looking for advice on how to design a network suitable for a small office.

My hardware consists of a couple of laptops, a PC with a connected printer, a network camera, some wireless devices such as phones and tablets, a router and of course the Mac mini.

Requirements for the mac mini server:

  • LAMP webserver (internet & local)
  • Git server (internet & local)
  • DNS (local)
  • filesharing (local)
  • Active Directory (local)

The Mac mini will use OSX as the primary operating system and I will make use of virtualization to create the needed servers.

My Questions:

  1. Should I create separate virtual machine instances for each server or is it acceptable to group some of the servers, e.g. LAMP server and Git server?
  2. How do I secure the web server from the local network? Is it possible to create a "virtual" DMZ to host the web server in? I don't want a possible attacker to gain access to the entire local network (especially the network camera) if the webserver gets compromised.
  3. What virtualization software do you recommend for such a setup?
marlin

2 Answers

9

I'm sorry, but you can't.

There's no sane mechanism of virtualising on top of OSX. There's VMware Fusion, but that's not designed for running servers, not in production use, well, I certainly wouldn't.

I wish you'd asked this question before buying hardware.

If I were designing this network layout, I'd do the following:

 Internets   x
            +
           x|
          x |
xxxxxxxxxxx |                                                                           Wired Stuff
            |
            |                                                                           ^ ^
            |                                                                           | |
          +-v------------------+                                                        | |
          |Firewall            |                                                        | |
          |                    +-----------------------------------------+              | |
          +-+--+---------------+                                         |              | |
            |  |DMZ on VLAN 3                                            |              | |
            |  |Internal on VLAN 2                                       |              | |
          +-v--v-----------------------------------------------+   +-----v--------------+-+---+
          |Dell R720 running ESXi                              |   |24-port Managed Switch    | Management on VLAN1
          |----------------------------------------------------|   |                          |
          +----------------------------------------------------+   +-+------------------------+
          |  Active Directory Server (Windows 2012) VLAN 2,4   |     |
          |                                                    |   +-v------------------------+
          +----------------------------------------------------+   |Wireless Access Point     |
          |  LAMP Server (Internal)                 VLAN 2,4   |   |                          |
          |                                                    |   +-+----+-------+-----------+
          +----------------------------------------------------+     |    |       |
          | LAMP Server External                    VLAN 3     |     |    |       |
          |                                                    |     |    |       |
          +----------------------------------------------------+     v    +-->    v
          | Internal Git Repos                      VLAN 2,4   |     Wireless Stuff
          |                                                    |
          +-------------------------+--------------------------+
          |  Internal DNS   VLAN 2  |                          |
          |                         |                          |
          |                         |                          |
          +----------------------------------------------------+
          | File Storage    VLAN 2,4                           |
          |                                                    |
          |                                                    |
          |                                                    |
          |                                                    |
          |                                                    |
          +----------------------------------------------------+
          | Unprovisioned Resources                            |
          |                                                    |
          |                                                    |
          |                                                    |
          |                                                    |
          |                                                    |
          +----------------------------------------------------+

So you've got a firewall, unclean traffic comes in, and is filtered either to be inbound access, or DMZ traffic, onto 2 VLANs.

You've got a proper server, running enterprise-grade virtualisation software, with a couple of NIC ports (depending how you want to segregate.)

Internet inbound traffic comes into the firewall, and depending on where it's headed, and the rules, either goes DMZ or internal.

The VMs then have a NIC on one or other of the VLANs, and the file server is on a different VLAN.

Given the choice, I'd probably go with a double-skinned firewall, where you'd have two differing vendors between the outside and inside edges, for a greater defence in depth approach.

You should be able to choose a decent firewall based on your throughput, and also on the number of virtual security zones that the device supports.

You should be looking to use a managed switch, to give you the ability to handle VLANs and further segregate traffic for security reasons.

For the server running all this, I'd be looking for somewhere in the region of 12 cores, and about 24-32 GB of RAM to give you room for further growth. You'll also need disks, lots of them if you're to get any performance and level of redundancy from failure.

Don't even entertain the idea of RAID 5, it's past its prime, and will cause you to lose data. 10x300GB SAS disks in RAID 6 should be fine.

That said, if you're building for future growth and maintainability, then it'll be worth looking at a dedicated NAS filer which you can use for filesharing, as well as the primary storage for your VM Servers. I mean something from Dell's storage range, or Hitachi's Virtual Storage Platform, NOT something designed for home or small office use.

  • +1, but the disc layout is off. 6x500gb are only fine for a very very very calm network. My own company has problems on storage with 8x300gb raptors (that are 10k sas discs) and that is without the database that runs on other discs. If you do a lot of IO then the Raid 6 will die, mostly due to very slow discs to start with. – TomTom Aug 04 '13 at 12:50
  • 2
    @TomTom - that 8x300...that's just your phone, I presume? – EEAA Aug 04 '13 at 13:00
  • I do believe that Mac Minis can be installed with ESXi, and I recall hearing that they were even on the HCL, though I've never verified that. Of course this doesn't improve the crappy hardware situation. – EEAA Aug 04 '13 at 13:01
  • It also is not what the OP wanted as he states explicitly it should run OSX ;) and no - my phone has a LOT more than 8x300. It has thousands of petabyte storage available (though the net) ;) – TomTom Aug 04 '13 at 15:54
  • I'm rarely, if ever, interested in what the OP wants. All I care about is doing the right thing. – Tom O'Connor Aug 04 '13 at 21:17
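As an added example (not part of either answer), the zone layout from the diagram above expressed as a small Python policy model: it answers questions such as "can a compromised DMZ web server reach the camera on the internal VLAN?" and renders the same policy as nftables forward rules for the firewall. The subnets, the outside interface name and the allowed port sets are assumptions made here.

```python
from ipaddress import ip_address, ip_network

# Zones from the diagram above (VLAN ids as drawn); subnets, the outside
# interface name and the allowed port sets are assumptions for this example.
ZONES = {"mgmt": ("vlan1", ip_network("10.0.1.0/24")),
         "internal": ("vlan2", ip_network("10.0.2.0/24")),  # laptops, printer, camera
         "dmz": ("vlan3", ip_network("10.0.3.0/24")),       # external LAMP server
         "storage": ("vlan4", ip_network("10.0.4.0/24"))}   # file server
WAN = "eth0"

# First match wins; anything not listed (notably dmz -> internal) is dropped,
# which is what keeps a compromised web server away from the camera.
POLICY = [("internet", "dmz", {80, 443}, "accept"),
          ("internal", "dmz", {80, 443}, "accept"),
          ("internal", "storage", {445, 2049}, "accept"),
          ("internal", "internet", None, "accept"),
          ("mgmt", "*", None, "accept"),
          ("*", "*", None, "drop")]

def zone_of(ip):
    # Anything outside the four VLANs is treated as the internet.
    addr = ip_address(ip)
    return next((z for z, (_, net) in ZONES.items() if addr in net), "internet")

def decide(src_ip, dst_ip, dport):
    # Verdict for a new TCP flow, evaluated against POLICY in order.
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for psrc, pdst, ports, verdict in POLICY:
        if psrc in (src, "*") and pdst in (dst, "*") and (ports is None or dport in ports):
            return verdict
    return "drop"

def iface(zone):
    return WAN if zone == "internet" else ZONES[zone][0]

def render_nft():
    # Same policy as an nftables forward chain: stateful, default drop.
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for psrc, pdst, ports, verdict in POLICY[:-1]:  # final drop is the chain policy
        match = [f"iifname {iface(psrc)}"] if psrc != "*" else []
        if pdst != "*":
            match.append(f"oifname {iface(pdst)}")
        if ports:
            match.append("tcp dport { " + ", ".join(map(str, sorted(ports))) + " }")
        lines.append("    " + " ".join(match) + f" ct state new {verdict}")
    return "\n".join(lines + ["  }", "}"])
```

Running `print(render_nft())` gives a ruleset you can load with `nft -f`; extend POLICY (for example to let the DMZ host fetch updates) and the rendered rules follow.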
2

am looking for advice on how to design a network suitable for a small office.

Put cheap switch in corner, run cables from there. What design is needed there?

I just recently bought a 16 GB ram, Intel i7 quad core Mac mini to be used

Man, you really like that crappy, or?

When I planned my small office (mind you, at that time that was 4 people + 3 working from home) I went with 2x (I do not like my company down when a server fails) micro ATX systems with 16 GB each (that was years ago) and place for 8 hard discs. Today I am upgrading those to 64 GB AMD servers, still micro ATX and they are still around.

Should I create separate virtual machine instances for each server or is it acceptable to group some of the servers e.g. LAMP server and Git server?

Depends totally what you do, what you require. I would be more concerned about crappy hard disc performance and totally crappy disc space as well as RAM space for any real use.

How do I secure the web server from the local network?

What for? Seriously. While I am all security, you seem to assume your little computer houses medical data. Unless you absolutely do not trust the people you work with, that is totally over the top in terms of security. Especially as likely anyone can just walk out of the door with your hardware.

What virtualization software do you recommend for such a setup

You mean running on top of Mac OS X, which no one would use as a server?

What about using something like Linux, Windows or VMware as the server? Then this is a relevant question.

TomTom