Network (hardware) setup diagram - correct?

[aljames2]

I am setting up an Ubunter server in my home network. As you can see from the diagram, I'm not sure which router to plug my server in. Plus, I want to make sure everything else is plugged in correctly?

My TP-Link router which is currently set up as my wireless access point, has the capability in the software to turn on OpenVPN with certificate generation. I'd like some suggestions if this feature is recommended and any other thoughts.

Thanks to @TheFu for his helpful blog, in particular the article on WiFi router security checklist here http://blog.jdpfu.com/pages/wifi-security
I've gone through this on each router to double check each router's settings. I'm not sure though how to enable only HTTPS for management of these routers.
I get unclear on when I need to purchase a domain to get the SSL certificates or if there is another way.

mynetwork-1.jpg

[LHammonds]

If your server does not have wireless, then you will have to plug into the router.

However, wireless is typically slower and prone to "air issues" which is why I always have my servers plugged into the fastest and most stable option possible. In this case, a LAN cable direct to your internet router.

This also simplifies troubleshooting. If a service is down, is it down on the server or the switch it is plugged into or the switch that switch is plugged into, etc. Less points of failure the better.

LHammonds

[aljames2]

Should I plug everything into my 2nd access point router? The Verizon FiOS device is my modem/router combo device issued by Verizon.

Also. what are the advantages of using a switch device in a home network and where would it go in my diagram?

[TheFu]

I can't tell what you are trying to accomplish since no IPs or subnets are listed. If you are trying to do what I suggested (vpn-only access or ssh-tunnel) or not, I cannot tell.

I wouldn't put a printer where is was accessible over the internet, unless you don't mind it being hacked and printing lots and lots of pages you didn't request. Is the TPLink a router or an AP? It matters.

I know nothing about verizon equipment or how they run their networking. Sorry. That means you'll need to share that information to get good advice from anyone unfamiliar with it.

I can recommend taking a look at LHammonds' blog too. Good stuff there.

[aljames2]

The TPLink is a router. In the Firmware, it's static IP address is x.x.x.2 with DHCP off. Currently, the Internet Settings in this router is 0.0.0.0 for all this...(Internet IP, Subnet Mask, Gateway, Primary & Secondary DNS). Connection type Dynamic IP. The Wireless radio is on to handle WiFi in the home. This router's firmware does have a VPN Server (OpenVPN) section that can be enabled...I guess where the router would handle my local VPN?

The Verizon FIOS Modem/Router device is the top-level device connected to the internet. (I can see now I need to move the Server & Printer behind the TPLink)

Thanks for suggesting LHammonds blog. I found his complete server setup & NextCloud tutorials. This is where I'm headed with my setup. I definitely like & understand the LVG methodology and will implement that. However, I do prefer a VPN setup because it will be simpler for my users so they don't have to worry about configuring a browser or other application to access. Also, better I think for when I travel and need to connect from hotels, airports, etc.

[TheFu]

Either the router is acting like a route/firewall with NAT or it is acting like a bridge. In bridge mode, it can't be a VPN server, but then the network is probably doing double-NAT. This is why I asked for the IPs to be labelled. The different subnets are critical and now is the time to fix them. The internal, non-routable, LAN subnet cannot be used by any location you visit if you want VPN access. This is required for routing to work.

BTW, I've never heard of LVG ... generally it is called LVM with PVs, VGs, and LVs. I think his use of LVG is normally called VGs, since everything is "logical" already.

Beware that getting OpenVPN working isn't trivial. It definitely isn't a checkbox-enable. OTOH, getting ssh working is almost as easy as running a non-secured HTTP server. Relatively bonehead. VPNs are much easier for end users, once setup and working.

[SeijiSensei]

I have an Archer C7 router connected to the Verizon router. I never use the Verizon router for anything other than interconnecting with their network. I've even turned off the wifi in that router. I have an Ethernet cable connecting one of the VZ LAN ports to the WAN port on the Archer.

If you take this route and put the TP-Link device behind the Verizon router, connect the server and printer to the TP-Link, and they should be visible to all users.

[TheFu]

But does the Verizon still do NAT or can it be setup in bridge mode?

[aljames2]

I will get the diagram updated with IPs this evening. I know currently the 2 routers are connected by 1 ethernet cable using LAN ports only. WAN ports are empty.

[aljames2]

Ok here is an updated diagram of how things are currently connected. It doesn't appear this is in bridge mode. My TP-Link router (I mislabeled it as "Access Point") is configured as a secondary router to handle wireless connections in the home.
These are the instructions I had used a few years ago when I set this all up ...if it helps. http://www.dslreports.com/faq/12506

mynetwork-1.jpg