Solved

Please give me some feedback on my setup

Tags:
  • Computers
  • Business Computing
  • Servers
March 28, 2014 1:53:19 PM

I'm the "computer guy" at a camp and we need to upgrade our server this year. Since we get non-profit pricing, I have to get Server 2012 (as far as I know, I can't get older software that way). I'm fine with that server. There will be a learning curve, as we're on SBS2003 right now, but I'm ok with that.

My main concerns are with the setup of the network and domain. We would like to provide wifi to our guests, but I don't want the public wifi users to have access to the business part of the network. My thinking is that the server will host DHCP and DNS to the domain computers in the office and sit behind a Dell sonicwall. The rest of the camp will get DHCP and DNS from the DSL modem as usual. Computers on that side will be kept out of the office network by the sonicwall.

There are some business computers that sit in other buildings and will be outside the firewall. I was thinking they could still join the domain via vpn. I'm hoping that their network speed won't be affected too much since it shouldn't have to leave our little network through the modem.

I do know that the best way to split the network this way between public and private is just to run two sets of Ethernet cables to the other buildings. That is not feasible in our situation though. The reasons are kind of dumb, but if you've ever worked at a camp you'd understand. It has to be, and already is, a single cable.

So please ask clarifying questions if it would help you understand. I'm very much a lay person doing a pro's job, but I'm all we got. I would really like to be confident that this is going to work before I drop a couple thousand dollars on new hardware!

Thank you very much for your time.


March 30, 2014 6:31:05 AM

Hi,
In your current setup layout you can use VLANs (virtual LANs) to separate the domain computers and server from the guest network.
I would also use the sonicwall as DHCP for the guest network, that way you can use QoS (quality of service) for your guests.
I can also suggest you look into licensing for non-profit organizations and maybe migrate your organization to the cloud,
That way you can save on hardware + electric bills of running a server 24x7.


Best solution

March 31, 2014 6:53:15 AM

As Cjar is pointing out above, the network infrastructure you have in place should utilize VLANs to achieve what you want. Your Sonicwall already should be able to do this, but you may need to get a VLAN capable switch.

Each individual interface on the Sonicwall can be configured as individual and separate network zones. So Interface X0 can be your private LAN and have a network range of 192.168.0.1-254, Interface X1 is your WAN (perhaps a dynamic address from your ISP or an address from your modem), and Interface X2 can be your public LAN and have a network range of 192.168.2.1-254 etc.

This way, you can set up DHCP pools and DNS information for both networks all from one central device, and manage network traffic there as well. You can also easily block access from the public network to the private network within the Firewall Access rules.

Connecting all of your devices together, you need to have a switch of course. You should find a managed switch that is VLAN capable. I personally recommend the HP 1810 series switches as these are great value, great performance for small business needs, and for managed switches these are very easy to configure. You will have two ethernet ports on your switch that will connect to each of the interfaces on your Sonicwall. That will be the default gateway out for each of the individual VLANs. You also need to create two VLANs, such as VLAN100 for the private network which coordinates with your Sonicwall X0 Interface, and VLAN102 for the public network which coordinates with your Sonicwall X2 Interface.

The confusing part of this whole thing is tagged/untagged for VLANs on each ethernet port. On Cisco equipment this is referred to as trunk or access switchmode, but most other switches I have seen use tagged/untagged. Basically any connection directly connected to an end device such as your computers, servers, printers, etc. is going to be untagged, while interfaces that connect other switches or routers which need to identify which VLAN those packets come from need to be tagged.

So, your staff computers all get plugged into ports and then Untagged for VLAN100. Your public computers will get plugged into ports and then Untagged for VLAN102. There are some things that get confusing. For example, your default gateway (the two ethernet cables going to your Sonicwall) will have Untagged VLAN100 for the port going to the X0 Interface, and will have Untagged VLAN102 for the port going to the X2 Interface. Also, setting up wireless access points can be a little confusing as well, and will depend upon if you are using true access points capable of multiple VLANs or if you are just using basic wireless routers.
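A check worth running against the port plan in this answer (added example code, not from this thread, Sonicwall or HP): a small model of 802.1Q untagged/tagged port behaviour that confirms frames entering on VLAN102 ports can never be flooded to VLAN100 ports, and shows the one misconfiguration that would leak. Port names and the port map are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
PRIVATE, PUBLIC = 100, 102  # VLAN IDs used in the answer above

@dataclass
class Port:
    untagged: Optional[int] = None                  # PVID: VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)   # VLANs carried with an 802.1Q tag (trunk)

    def member_of(self, vid: int) -> bool:
        return vid == self.untagged or vid in self.tagged

def ingress_vlan(port: Port, frame_vid: Optional[int]) -> Optional[int]:
    """VLAN a frame lands in on arrival. Untagged frames take the port's PVID;
    a tagged frame is accepted only if the port is a tagged member of that VLAN."""
    if frame_vid is None:
        return port.untagged
    return frame_vid if frame_vid in port.tagged else None

def reachable(switch, src, frame_vid=None):
    """Ports other than src that a frame entering on src may be flooded to."""
    vid = ingress_vlan(switch[src], frame_vid)
    if vid is None:
        return set()
    return {name for name, p in switch.items() if name != src and p.member_of(vid)}

def isolated(switch, public_ports, private_ports):
    """True when no frame from a public port, untagged or carrying a forged
    VLAN tag, can be flooded to any private port."""
    return not any(
        reachable(switch, src, vid) & set(private_ports)
        for src in public_ports
        for vid in (None, PRIVATE, PUBLIC)
    )

# Constructed port map following the answer: end devices and the two Sonicwall
# uplinks untagged in a single VLAN; one tagged trunk towards a second switch.
SWITCH = {
    "uplink_X0": Port(untagged=PRIVATE),
    "uplink_X2": Port(untagged=PUBLIC),
    "staff_pc": Port(untagged=PRIVATE),
    "server": Port(untagged=PRIVATE),
    "guest_pc": Port(untagged=PUBLIC),
    "dining_hall_trunk": Port(tagged={PRIVATE, PUBLIC}),
}
PUBLIC_PORTS = ["guest_pc", "uplink_X2"]
PRIVATE_PORTS = ["staff_pc", "server", "uplink_X0"]
# A guest port that is also a tagged member of VLAN100 breaks the separation.
MISCONFIGURED = dict(SWITCH, guest_pc=Port(untagged=PUBLIC, tagged={PRIVATE}))
```

The trunk to the second switch carries both VLANs, which is exactly why that downstream switch must itself be VLAN capable and enforce the same port membership.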
March 31, 2014 8:49:53 AM

VLANS! Totally forgot about those.

choucove said:
As Cjar is pointing out above, the network infrastructure you have in place should utilize VLANs to achieve what you want. Your Sonicwall already should be able to do this, but you may need to get a VLAN capable switch.

The VLAN capable switch would go between the sonic and the Dining Hall switch, correct? Or do all of the switches on the public side need to be VLAN capable? (There are two right now, one in the Dining Hall, one at the Shop)

choucove said:
Also, setting up wireless access points can be a little confusing as well, and will depend upon if you are using true access points capable of multiple VLANs or if you are just using basic wireless routers.

Noted. We use routers now and probably will continue for now simply because we already have them. But I'd like to switch over the APs in the future, the routers are a constant source of frustration for me.

March 31, 2014 8:57:59 AM

Cjar said:
I would also use the sonicwall as dhcp for guests network , that way you can use qos (quality of service) for your guests.


Will it allow me to serve DHCP for the public VLAN, but not for the private one? It is my understanding that the server should serve the DHCP and DNS on the domain side.

Cjar said:
I can also suggest you look into licensing for non profits organizations...


Non-profit licensing is amazing. That's the only reason I'm able to consider this!

Cjar said:
...and maybe migrate your organization to the cloud, That way you can save on hardware + electric bills of running server 24x7.


That would be nice, but our internet is too flaky and too slow for that to be comfortable. You city folks have it real nice with your speedy internets and choice of providers :) 
March 31, 2014 2:01:07 PM

It is hard to say if you would need to replace both of your switches. Basically, if network traffic for BOTH private and public networks must pass through it, then yes you need a managed VLAN capable switch, which is able to make sense of the VLANs and keep them separated as needed. If you have one switch that only connects devices and passes traffic to only one of those networks, then no it would not need to be a VLAN capable switch.

With the Sonicwall you can set up several dynamic DHCP pools for different network zones, but yes you should also be able to just set up DHCP on your domain controller. I tend to leave the DHCP running and utilize the Sonicwall for my configurations because if the domain controller goes down or must be taken offline, you are still able to get computers in the network to get a valid IP address if they are connecting up.

Doing wireless with simple wireless routers in this environment is a little more tricky, mainly because simple wireless routers can't broadcast multiple wireless networks and keep VLANs separated. So, in this scenario you'd have to have one wireless router connected to a VLAN capable switch with an Untagged port for VLAN100, and have that wireless router broadcasting your wireless network for your private network (with proper secure password and all in place of course.) Then you'd have to have a completely separate wireless router, connected to an Untagged port for VLAN102 on that switch, and that wireless router would be broadcasting your wireless network for your public network. So now it requires twice the number of wireless routers to provide separate public and private networks within the VLANs, which also means more wireless channel congestion and more switch ports, cabling, configuration, etc.
April 1, 2014 3:56:35 PM

Thank you Choucove and Cjar for all your help. I'm feeling much more confident that I can set this up. Now I just need to convince the director to pay for it all!