Can someone help me untangle a LAN mess?


I manage the LAN at our small business. We have grown a lot over the past two years, and I would like to clean up the complicated network that has grown under my feet. Basically, we have a standalone Ethernet DSL modem, a Windows DHCP server, a WiFi access point/router, a switch and half of a WiFi bridge in Building 1, and the other half of the WiFi bridge and a WiFi access point/router in Building 2 across the street. Currently, the server only has 1 network interface, so the DSL modem is connected to the WLAN port of the WiFi AP/router and then the DHCP server and the switch are connected to the LAN ports of the WiFi AP/router. The entire system is less than entirely reliable.

I've got a couple of images that can help clear things up: our current network and the components of our future network. Could a kind soul out there please indicate the best way to get all this interconnected? I am not averse to adding a second card to the server if necessary, although I am hesitant to connect it directly to the internet without some sort of hardware firewall (the DSL modem does not have firewall capability; the WiFi AP/router does, but it is not currently active. Each PC uses the Norton Internet Security firewall)...

Thank you so much - if you're ever in western France I'll buy you dinner...
Jeff Spivack
  1. Well, first of all, the DSL modem is a router which in turn translates addresses; a NAT is the best firewall you can buy.... As for wireless bridges.... not too reliable; wireless is extremely trivial. I can run it by my boss; we run a 250+ PC LAN, 10 servers, and a VPN across town, so I will get back to you ;)
  2. Also, why aren't you using the Asus 500g WLAN "ROUTER" to do the DHCP? Why do you have a DHCP server??? That is pointless; if you have fewer than 254 PCs/routers/managed switches then you have no need for that dedicated DHCP box.
  3. Quote:
    why do you have a dhcp server?

    It's actually an ERP / order management server; it's also running Active Directory. We were told by the company that installed the ERP that it was best if that computer handled the DHCP. And we have fewer than 20 PCs on the network.
  4. Quote:
    as for wireless bridges.... not toooo reliable, wireless is extremely trivial

    Building 2 is across the street, and we can't run a cable across the street. Building 2 has no telephone/internet service, so no potential for a VPN. Figured a wireless bridge was the way to go.
  5. Well, first of all, a DSL modem is NOT a NAT router.

    Hmmm, according to here I might stand partially corrected. It MAY be NAT, but I highly doubt it.

  6. Sounds like you have a good handle on what you want to do according to your second diagram.

    I would look at getting a 3rd party firewall in place which can run fairly cheap:

    Hotbrick is a decent SoHo firewall which I have some experience working with. In your situation I would recommend checking into it and seeing if you can get some extra cash around to purchase one.

    The firewall would sit between your broadband and router, which should almost be UPnP capable, but you would want to check the settings for configuration.

    Getting your main building together, I think you have a handle on that one.

    As far as your second building goes, the wireless works. You may want to look at directional wireless to limit others from trying to get to your wireless network.
    Kwebb is a user on here who is very intelligent with wireless. Consider PM'ing him or posting in the Wireless section on how to do directional wireless.

    You also have an option of getting a cheap DSL/Cable line added to your 2nd building and using some products to set up a VPN between the two.
    Linksys offers a hardware VPN solution; one end will have the concentrator, the other will have an end point. I believe it runs around $500 or so.

    By doing this, you can limit bandwidth usage at your main building, as the 2nd would have direct access with the built-in firewall on the Linksys equipment.

    Or you could pick up another Hotbrick product and put that in place in front of your VPN End point to get better security.

    But that all costs extra money; it really depends on your financial situation. It would eliminate having a wireless connection, which could be used as a backup if the ISP/cable-DSL went down.

    The wireless would be the cheaper solution in the short run though.

    If you have a firewall, that will sit between your Router and Broadband Modem.
    At this point, you just need to hook your switches together with a standard Ethernet cable (shouldn't need a crossover because the newer switches all tend to come MDI-X compatible).
    Hook the server in at the switch level, since everything will be communicating with the switch unless going out for the internet. If you hooked in at the router level, all data transmitted would need to go over the single Ethernet cable connecting the switch and router.

    I would try to leave the ports on the router alone for the most part except when hooking one line to your switch. Everything else, like your PCs and Wireless Access Points should hook into your switch since that connects everything together.

    You're on the right path, if you have any more questions, keep them coming.

    Your server will still only need 1 NIC in it. You can have everything hit your server first via DNS and set your DNS up to forward unresolved requests to your router. It's fairly simple to do. If you have questions on how to do it, post back and I'll give you directions; just let me know if you're on 2k or 2k3.
  7. I think your structure is fine and can handle the upgrades. Like qwerty, I wonder about the wireless bridge, but I've never had to do anything similar so I wouldn't know other options except in general terms.

    How's security on the wifi configured?

    Turn on the firewall for the wifi/AP router if it has a configurable one. If not, it's already using NAT, so that's good.

    Hmm, you say it's not 'entirely reliable'... What exactly happens? If I'm guessing right that you keep losing connections because of the bridge, then you'll need to upgrade that to something a bit more robust: microwave, a dedicated cable or something.

  8. Actually, a cable modem is not a modem; it's a bridge. It just connects the two different networks together.
    Modulator-demodulator is for phone lines. The name just carried over.
  9. True! Same with ADSL.

    But sometimes people call a modem (er, Cable/DSL bridge) a router, and some products exist that combine the 'modem' and a 1 port NAT router.

  10. You are getting rid of that MAC address bridge, right? It's pointless if you are using switches.
  11. OK... I have done a combination of all these things and I have experience in wireless.

    This is the equipment I would use......
    I would start with either the HOTBRICK LB2 or LB2 VPN router.
    The LB2 has QOS but not VPN.
    The LB2 VPN has VPN and no QOS.
    The SOHO 401 starts losing performance around 20 users; I've learned that the hard way.

    Either of these routers will future proof you for quite some time.

    I am not sure what you are doing at building 2 with the second router. I would remove that.

    The D-Link DWL-2000AP+ are better devices in the D-link line but I have found them unreliable.

    I would use Trendware TEW-450APB access points; the product description does them no justice. The documentation is rather poor, but these access points can do it all and are remarkably reliable.

    Purchase 9 dB+ directional antennas with reverse SMA connectors.

    Configure the access points in bridge mode with WDS, WPA, and 802.1x authentication. Turn off extended mode and use standard G mode.

    I'll explain each very quickly, because the manual is terrible.

    Bridge mode does exactly what it sounds like: it bridges wireless to a wired LAN.
    WDS makes it so the access points only talk to each other and ignore all other traffic and wireless devices.
    WPA is an encryption mode that is hard as hell to break; use TKIP!
    It isn't explained, but these access points have built-in 802.1x RADIUS hash generators. You have to fill out the hash password under advanced settings to get the WPA protocol to work on these things.

    Super G has asymmetrical throughput on this device; you wanted a bridge, right? Not a waterfall. Enough said.

    What you get is a network with devices doing exactly what they are supposed to be doing and nothing more.

    1 router $250-$350
    1 switch $80
    2 access points (Tiger Direct) $65 each
    2 directional antenna (optional) $25 each

    Since your router is not doing DHCP, you might be able to get away with using a HOTBRICK 401 or 401 VPN. The 401s are still worlds above D-Link and Netgear in reliability.

    Keep in mind that wireless is an inexact science unless you have the right equipment (10k worth of equipment!) to test for a proper setup.
    The equipment I listed above is my personal preference and has given me the least grief.

    I have used within the last year no fewer than
    7 linksys products
    17 netgear
    1 cisco
    9 trendware
    2 hotbrick

    No one yet has a perfect product. For the cost HOTBRICK is the king.

    Now that I said that........ Trendware makes the guts inside the Hotbricks.....

    And before someone says it, HotBricks are programmed completely differently than Trendware's OEM products. In fact they use similar IC chips as D-Link; that's why they have a lot of the same features.
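The hash password that the post above describes filling in is where a WPA pre-shared key comes from, and the thread does not spell out what that implies for the bridge's security. The script below is an added example, not code from the thread or from any of the vendors named: it derives the WPA/WPA2 pre-shared key the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes), checks the result against the standard's published test vector, and then runs an offline dictionary attack to show that the passphrase, not the cipher, decides whether the link holds. The SSID BRIDGE-B1B2 and the wordlist are constructed for the example, and treating the access points' hash password field as this pre-shared key is an assumption.

```python
import hashlib
import time

# WPA/WPA2 in pre-shared-key mode (IEEE 802.11i): the 256-bit pairwise master key
# is PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
# The SSID is the only salt, so the same passphrase on the same SSID always
# yields the same key, and precomputed tables exist for common default SSIDs.
WPA_ITERATIONS = 4096
WPA_PMK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pre-shared key (PMK) from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        WPA_ITERATIONS, WPA_PMK_LEN,
    )


def dictionary_attack(target_psk: bytes, ssid: str, candidates):
    """Offline passphrase guessing against a known PSK for this SSID.

    A real attacker does not need the PSK itself: one captured 4-way handshake
    lets each guess be verified by recomputing the handshake MIC. Comparing PSKs
    directly keeps this example offline and short. Returns (passphrase, guesses)
    or (None, guesses) if the wordlist is exhausted.
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if wpa_psk(guess, ssid) == target_psk:
            return guess, tried
    return None, tried


def guesses_per_second(ssid: str, seconds: float = 0.5) -> float:
    """Rough single-core PBKDF2 throughput: the attacker's cost per guess."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_psk("benchmark-%08d" % n, ssid)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed wordlist standing in for a real attacker's dictionary.
WORDLIST = ["12345678", "password", "letmein1", "qwertyui", "building2", "bridge01"]

if __name__ == "__main__":
    # Known-answer test from the IEEE 802.11i test vectors.
    assert wpa_psk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

    ssid = "BRIDGE-B1B2"               # assumed SSID for the building-to-building link
    weak = wpa_psk("building2", ssid)  # a passphrase any wordlist will contain
    print("recovered:", dictionary_attack(weak, ssid, WORDLIST))

    strong = wpa_psk("rT7#kqL9vBm2!xWz", ssid)  # random; not in any wordlist
    print("recovered:", dictionary_attack(strong, ssid, WORDLIST))
    print("guesses/second on this machine: %.0f" % guesses_per_second(ssid))
```

Because 4096 SHA-1 iterations cost well under a millisecond on ordinary hardware, anything that appears in a wordlist falls quickly, and because the SSID is the salt, a factory-default SSID lets an attacker reuse tables computed in advance. A long random passphrase on a non-default SSID is what makes a point-to-point bridge across a street hold up, whether the pairwise cipher is TKIP or AES-CCMP; the key derivation is identical for both.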


  12. mackintire:

    Thanks for the advice. I'll keep it in mind for the future; for now, my IT budget is pretty much tapped out, and Hotbrick isn't distributed here in France yet. General consensus seems to be that my current setup isn't all that bad; the basic improvements would be:
    - connect all equipment to the new 16-port Netgear switch, rather than having some connected to the Asus WL500g and some to the Netgear, to avoid having a bottleneck in the cable connecting those two.
    - replace the Asus WL500G with a dedicated firewall (an old PC running SmoothWall?), and connect one of the LAN ports of the Asus to the switch so that it acts only as an access point.

    Thank you all for your advice. I'll be rewiring things this Saturday (can't work on the network when the rest of the office is trying to get work done!). Any last advice on reconfiguring a network from scratch? My first step will be to consult all of the existing equipment and write down all of their settings/screencapture them so that I can set them back to where they were if I screw everything up...


  13. Just get a backup plan ready and expect problems to pop up; it just happens. You might be pulling an all-nighter.
    After you get your current setup documented, I'd go through and write down, step by step, what you want to do and all that; then, when the network is free, go to town, one thing at a time.
    Don't try doing it all at once and don't rush, but you won't really know of any user problems until Monday morning, so get your rest on Sunday night.
  14. Smoothwall is a good choice as long as your hardware is reliable, and the ASUS router should make a decent access point; just make sure your security setup is correct.

    Have a good one....

  15. But his budget is tapped out which is the problem. We were reviewing what he currently had and what he was able to do with what he had.
  16. OK, well, I rewired the LAN last Saturday. It all went pretty smoothly; I was very happy to have a laptop that I could walk around with and connect directly to each device. That way I knew exactly which one I was dealing with, especially since I have multiple instances of the exact same hardware on the network (the Asus WL500G and the D-Link 2000AP+). I also made good use of the "export configuration" features, both at the beginning so that I could go back to a known good state and at the end so that in the future I have a reference.
    Thanks to everyone for your help and advice; the LAN mess is officially untangled!
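Those exported configurations are useful for more than rollback. As an added example that is not part of the thread, the script below diffs a "before" and "after" export of one device and runs a few security checks that should hold no matter what was changed; the two exports are constructed samples in a generic key=value form, not the real export format of the Asus WL500g or any other product, and the role argument ('gateway' or 'ap') models the thread's plan of demoting the Asus to a plain access point behind the SmoothWall box.

```python
# Constructed sample exports in a generic "section.key=value" form. Real routers
# export vendor-specific formats, so parse_config would need adapting per device.
BEFORE = """\
# Asus WL500g acting as gateway, before the rewire
system.hostname=asus-wl500g
wan.mode=router
lan.dhcp_server=1
firewall.enable=1
wireless.ssid=default
wireless.auth=wpa-psk
wireless.encryption=tkip
wireless.wds_enable=0
admin.password=admin
admin.remote_mgmt=0
"""

AFTER = """\
# Same device after the rewire: access point only, behind the SmoothWall box
system.hostname=asus-wl500g
wan.mode=ap
lan.dhcp_server=0
firewall.enable=0
wireless.ssid=default
wireless.auth=wpa-psk
wireless.encryption=tkip
wireless.wds_enable=1
admin.password=admin
admin.remote_mgmt=1
"""

DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
WEAK_WIRELESS_AUTH = {"open", "wep", "shared"}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}


def parse_config(text: str) -> dict:
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def diff_config(before: dict, after: dict) -> dict:
    """Map key -> (old, new) for every setting that changed; None marks an absent key."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def security_findings(cfg: dict, role: str) -> list:
    """Checks that must hold regardless of what changed.

    role is 'gateway' for a device facing the WAN or 'ap' for a pure access point
    sitting behind a separate firewall, so the expected firewall state differs.
    """
    findings = []
    if cfg.get("admin.password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin.password is empty or a factory default")
    if cfg.get("admin.remote_mgmt") == "1":
        findings.append("admin.remote_mgmt=1 exposes the management interface")
    if cfg.get("wireless.auth", "open") in WEAK_WIRELESS_AUTH:
        findings.append(f"wireless.auth={cfg.get('wireless.auth', 'open')} is not WPA")
    if cfg.get("wireless.ssid", "") in DEFAULT_SSIDS:
        findings.append("wireless.ssid is a factory default (precomputed WPA tables exist for these)")
    if role == "gateway" and cfg.get("firewall.enable") != "1":
        findings.append("firewall.enable is not 1 on a WAN-facing device")
    return findings


def review(before_text: str, after_text: str, role: str) -> dict:
    """Diff two exports and check the new state for the given device role."""
    before, after = parse_config(before_text), parse_config(after_text)
    return {"changes": diff_config(before, after),
            "findings": security_findings(after, role)}


if __name__ == "__main__":
    result = review(BEFORE, AFTER, role="ap")
    for key, (old, new) in result["changes"].items():
        print(f"changed  {key}: {old!r} -> {new!r}")
    for finding in result["findings"]:
        print("FINDING ", finding)
```

With role set to 'ap', the disabled firewall and DHCP server are expected (the SmoothWall box and the Windows server took those jobs over), so the checks only flag what actually matters on an access point: the factory admin password, remote management turned on during the rewire and never turned off, and a default SSID. Run the same review with role 'gateway' against the SmoothWall configuration and the firewall check comes back into force.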

  17. Quote:
    as for wireless bridges.... not toooo reliable, wireless is extremely trivial

    building 2 is across the street, and we can't run a cable across the street. Building 2 has no telephone/internet service, so no potential for a VPN. Figured a wireless bridge was the way to go.

    I believe there was a solution that came out of someone tinkering that was good for 10 miles of wireless; it used point-to-point transmission with infrared lights. I can't find the link, but it's out there.