Solved

Network re-design

Tags:
  • Networking
  • Firewalls
  • Design
  • Office
Last response: in Networking
March 31, 2014 4:23:50 PM

Hi.

Our office has a very simple network setup. Looking to introduce a Linux firewall (planning to use IPCop) to improve security and segregate the network a bit.

This is how our network looks at the moment.

At any given time there will be maybe...

    10-12 computers connected via ethernet
    10-15 wireless devices (laptops, phones etc)


Everything is on the same subnet 192.168.1.0/24 (DHCP provided by SBS server).


This is what I have planned.

Clients on "Public Wifi" are to get nothing but internet access. No access to any of the devices beyond the firewall.


Questions... :) 

#1 Does this look like a workable solution / any recommended changes?

#2 If I enable DHCP on the "Public WiFi" AP will this interfere with any devices beyond the firewall?
Similarly, I want the SBS server to provide DHCP/DNS for the wired devices. This won't interfere with anything on public/private Wifi?

#3 The "Private Wifi" clients need access to the SBS Server and a Printer connected to the 24-port switch. Is this possible or am I easier putting the Private Wifi on the same subnet/zone.


Any questions please ask. In my head this makes sense but to anyone else it's probably just a mess!


Best solution

March 31, 2014 5:38:50 PM

Your new setup looks fine. What problem are you trying to solve with your new solution? Getting the public wifi away from your private network? If you're only talking like 40 machines I would put all the private network on one subnet. In using SBS as long as your shares and printers and all are registered in the DNS then you can browse for resources from one subnet to another but I would still put everything on one network. With your Linux firewall the DHCP from the public network should not interact with the private network and vice versa. Not sure how you plan to set up your Linux box in relation to your ADSL router but if you're not careful you will end up double NATing. Personally I would hang the Public WIFI off of your Linux router on a different subnet from your private network and make sure you firewall between them. This way you could put your ADSL router in bridge mode and get your public IP at your Linux router. I will say I don't know anything about this Linux router but I assume it can route, firewall, and NAT.
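To make the answer above concrete, here is an added example of the three-zone policy it describes (public Wi-Fi gets Internet only, private LAN and private Wi-Fi share one subnet, single NAT at the Linux box with the ADSL router in bridge mode). It is not IPCop's own configuration (IPCop generates its rules from its web interface) and not code from anyone in the thread; it is hand-written iptables for a generic Linux firewall. The interface names ppp0, eth1 and eth2, the 192.168.10.0/24 public Wi-Fi subnet and the `fw_rules` function are assumptions; 192.168.1.0/24 is the LAN subnet from the question. By default the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example: three-zone forwarding policy for a Linux firewall in the
# position the thread's IPCop box would take. Not IPCop's own configuration.
#
# Assumed (hypothetical) interface names, adjust to the real box:
#   ppp0 - RED:   PPPoE session to the ISP (ADSL router in bridge mode)
#   eth1 - GREEN: wired LAN (SBS server, printer) plus the private Wi-Fi AP
#   eth2 - BLUE:  public Wi-Fi AP
# Subnets: GREEN 192.168.1.0/24 (from the thread), BLUE 192.168.10.0/24 (constructed).
#
# IPT defaults to a dry run that prints every rule; run as root with
# IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

RED=ppp0
GREEN=eth1
BLUE=eth2
GREEN_NET=192.168.1.0/24
BLUE_NET=192.168.10.0/24

fw_rules() {
    # Closed by default: nothing is forwarded and nothing reaches the firewall
    # itself unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Return traffic for connections the policy already admitted, and loopback.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -i lo -j ACCEPT

    # Anti-spoofing: a packet arriving on BLUE must carry a BLUE source address,
    # so a public Wi-Fi client cannot claim a LAN address to slip past the policy.
    $IPT -A INPUT   -i $BLUE ! -s $BLUE_NET -j DROP
    $IPT -A FORWARD -i $BLUE ! -s $BLUE_NET -j DROP

    # GREEN (LAN + private Wi-Fi) may reach the firewall and the Internet.
    $IPT -A INPUT   -i $GREEN -s $GREEN_NET -j ACCEPT
    $IPT -A FORWARD -i $GREEN -o $RED -j ACCEPT

    # BLUE (public Wi-Fi) may talk to the firewall only for DHCP and DNS ...
    $IPT -A INPUT -i $BLUE -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i $BLUE -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $BLUE -p tcp --dport 53 -j ACCEPT
    # ... and may be forwarded only towards the Internet. The default FORWARD
    # policy already drops BLUE->GREEN; the explicit, rate-limited LOG rule is
    # there so attempts to reach the LAN from public Wi-Fi show up in syslog.
    $IPT -A FORWARD -i $BLUE -o $GREEN -m limit --limit 5/min -j LOG --log-prefix "BLUE->GREEN blocked: "
    $IPT -A FORWARD -i $BLUE -o $GREEN -j DROP
    $IPT -A FORWARD -i $BLUE -o $RED -j ACCEPT

    # One NAT, at the firewall: everything leaving ppp0 is masqueraded here.
    # This is why the ADSL router goes into bridge mode (no second NAT).
    $IPT -t nat -A POSTROUTING -o $RED -j MASQUERADE
}

# On the DHCP question: DHCPDISCOVER is a link-local broadcast and is never
# routed, so the DHCP server on BLUE only ever answers BLUE clients and the SBS
# server only answers GREEN clients; no extra rule is needed for that.
fw_rules
```

Running the script as-is prints the rule set for review; `IPT=iptables sh fw.sh` as root applies it. Because the default policies are DROP, apply it from the console or the GREEN side, not over a session that would itself be cut off.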
April 1, 2014 12:07:14 AM

Thanks.

Yes the main objective is to separate the Public WiFi from everything else. Side goals are to increase security in general and look into running a proxy on the firewall to cache certain websites. I also believe there is an add-on that can cache Windows Updates.

I only separated private LAN and WLAN because that's what seems to be suggested everywhere else as "best practice." Maybe this is with larger networks in mind? If you don't think it will cause any issues I will put them on the same subnet, because it will be easier to configure :) 

I planned to have the router running at full functionality but you are correct, I would end up with double NAT. Glad someone spotted that one before it caused me a major headache! I think I will take your advice and put the router in bridge mode with Public WiFi attached to the firewall. I just thought it would be more secure having the WiFi completely outside the firewall. But hey, it's a firewall, if it can't block access between two interfaces it's really not good at its job.

Also, with some luck fibre will be available in the next few months so the ADSL Router will be out of the picture anyway. Assuming I can simply run Ethernet cable directly from the VDSL box into the Firewall?

Thanks again for the help. I feel a lot more confident about this now.
April 1, 2014 7:08:11 AM

Yes best practice is to separate your private WiFi from your LAN. This is done for a number of reasons. It can help in troubleshooting and it helps keep broadcast packets to a minimum (that can tie up Wifi resources). But if you're only talking 30 people on your network I doubt you will see much performance difference. If so you can always separate the Wifi later, either hanging it off your router, or upgrading your switch to a smart switch so you can run subnets, and then hang the Wifi off the switch.
April 1, 2014 10:57:38 AM

Ok I'm going to give this a try later in the week, maybe tomorrow.

Once again, thank you for all the help.
April 4, 2014 1:05:30 PM

If you are interested, I have now set this up the way you recommended.

A few hiccups getting the PPPoE connection to sync but otherwise the install went smoothly.

Thanks again for your advice.