RE: Small network with lots of features, questions
- From: E. Thornton <EThornton@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Apr 2009 22:47:01 -0700
Tom,
Your network sounds overly complicated to me. I can understand why internet
access is slow, because all the clients have to go through your server, which
is running 3 VM's, to get to the internet.
You stated that you would like to have the wireless hosts separated from
your LAN. To do that, without using your server as a router, you need
another router.
I would connect your cable modem to the WAN port on Router 1. Set it up as
a DHCP server. Connect your wireless AP's to it with open authentication
(coffee-shop mode). Also connect Router 2 to it, set to acquire its IP
address automatically from the first router. Since you will have 4 WAPs and
a router, you might need to get a small switch as well, since most routers
like that Linksys only have 4 ports.
Your server and internal LAN switch would be connected to the second router,
and on a different subnet. This is going to isolate your internal network
from the wireless guests, but still bring internet access to the internal
network. So it might look something like this:
Router 1:
WAN side IP address: ? (I'm sure you have this info)
LAN side IP address of router: 192.168.1.1 255.255.255.0
DHCP pool: 192.168.1.10 - 254
Default gateway: ? (from your ISP)
DNS: ? (your ISP's DNS servers)
Router 2:
WAN side IP address: 192.168.1.2 255.255.255.0 (on the same subnet as
Router 1)
Default gateway: 192.168.1.1 (the IP address of Router 1)
LAN side IP address: 192.168.10.1 255.255.255.0 (notice different subnet)
DHCP server turned off.
Set your server as 192.168.10.2, and run DHCP, DNS, etc on your server.
Internal LAN hosts use 192.168.10.1 as gateway, and 192.168.10.2 for DNS, of
course they will pick this up from your server's DHCP service.
To me, this seems like a simpler setup. Here's a very rough diagram:
Internet ---> Router 1 ---> Wireless clients
                 |
                 ---> Router 2 ---> Server
                                ---> Internal LAN
Best of luck,
Eric
(sorry I can't help with the VPN stuff, I don't know much about that)
"Tom M" wrote:
Hello all,
I have setup a working network for my church, but I'm second-guessing
the schema that I'm using. I would very much appreciate your thoughts
on this. But a caveat first: our budget is limited, so while I know
we do a lot more in terms of security with better equipment... for
now, we have what we have. So here's the hardware I have:
Servers: One box running Server 2008 Enterprise (Core) with 3 vm's.
The host machine is running only Hyper-V. 2 NIC's are installed. VM1
is primary DC, DHCP; VM2 is backup DC, file server; VM3 is RRAS, print
server.
Networking: we have one public IP and a cable modem. One router
(Linksys BEFSX41) as the gateway. A few basic switches.
Wireless: 4 WAP's. DHCP is turned off; set up as RADIUS clients,
authenticating to the domain.
Clients: mostly XP Pro, one Mac OSX 10.4 (don't ask), one Vista
Business
Stuff I'd like to have ASAP but have not yet implemented:
- VPN - Allow at least one user to VPN into the network (I say at
least 1 because I'm not sure if that's all our router will allow).
- Wireless DMZ -- Allows guests to have wireless access to the
Internet but not access the network.
The current setup:
- Router IP: 192.168.1.1
- Switch is not plugged into the router. I am keeping the LAN
separate from the router as a security measure.
- One NIC from the server is plugged into the router (192.168.1.13);
the other is plugged into the switch (10.0.0.13).
VM3 is acting as a router so that network clients can access the
Internet. It has two NIC's (192.168.1.14 and 10.0.0.14)
- VM1 (10.0.0.15) and VM2 (10.0.0.12) have static IP's.
- DHCP assigns 10.0.0.100-199, gateway 10.0.0.14 (VM3), DNS
10.0.0.15/12 (VM1 and 2).
- All static network clients (servers) have 10.0.0.14 (VM3) as their
gateway.
Problems:
- Internet connection for clients is dog-slow. This prompted my post
here -- http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/7915c78d-dd34-4367-86a0-01713c1212a7/
-- because I thought it was maybe Hyper-V related. It is, somewhat,
but that discussion has led me to re-think the network topology.
- Not sure how to implement VPN, which I'm itchin' to get running.
What I'm thinking:
- Plug the switch into the router directly. According to that post,
it's not really buying me the security I thought it was.
- Remove NAT from VM3. Client gateways will be the router instead of
the server.
Questions/concerns:
- Should the router be on totally different subnet than the domain
computers? Does it matter if the gateway IP for a 10.0.0.x network
client is 192.168.1.1?
- I've read it's good to have two NIC's for one's VPN server. I have
that on VM3. But do I give it two 10.0.0.x IP's? One 192.168.1.x
IP? Which one is the "Internet" NIC that RRAS prompts for? Or does
it not matter?
- Bearing in mind I'd like to have wireless DMZ, how does that affect
IP address assignment for network devices? Does this force me to have
a different subnet than the network for the gateway? Since Internet
traffic for both DMZ and network clients will ultimately be going
through the router.
As you can tell, I'm a newbie, but I've gotten pretty far with this.
If you have an IP address schema that you think works better than my
10.0.0.x and 192.168.1.x, I'm all ears (10.0.x.x? 192.168.x.x?).
I've read a little on private subnets, but I've only absorbed so much.
Again, your help is much appreciated.
Thanks
Tom
Note: I have also posted this here:
http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/51c7c85f-46dc-42ad-be75-11597b65810f
But that board seems to be kind of slow.
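Tom asks whether a 10.0.0.x client can use 192.168.1.1 as its gateway, and Eric answers by laying out two subnets with a transit address between the routers. The script below is an added example, not code from either poster, that puts both addressing plans through the same consistency checks a network engineer applies before touching hardware: no overlapping subnets, every default gateway on-link, static hosts inside their own segment, and DHCP pools that do not collide with reserved addresses. Only the Python standard library is used; the segment labels ("guest", "internal") and the host labels (VM1, router2-wan) are names chosen here for readability, and the internal DHCP range in Eric's plan is left unset because his e-mail does not give one.

```python
"""Consistency check for a small two-router addressing plan.

Added example for this thread, not code from either poster. It uses only
the Python standard library. The two plans below are transcribed from the
e-mails; segment labels such as "guest" and "internal" are names chosen
here, not device hostnames.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address


@dataclass
class Segment:
    name: str
    network: ipaddress.IPv4Network
    gateway: Addr
    static_hosts: Dict[str, Addr] = field(default_factory=dict)
    dhcp_pool: Optional[Tuple[Addr, Addr]] = None  # (first, last); None = no DHCP here


def check_plan(segments: List[Segment]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # 1. Segments must not overlap, otherwise the routers cannot tell them apart
    #    and traffic meant for one network is delivered on the other.
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.network.overlaps(b.network):
                findings.append(f"{a.name}/{b.name}: {a.network} overlaps {b.network}")

    for seg in segments:
        # 2. A default gateway must be on-link. Hosts reach it by MAC address on the
        #    local segment, so a 10.0.0.x client cannot use 192.168.1.1 as its gateway.
        if seg.gateway not in seg.network:
            findings.append(f"{seg.name}: gateway {seg.gateway} is not inside {seg.network}")

        # 3. Every statically addressed host belongs to the segment it is placed in.
        for label, addr in seg.static_hosts.items():
            if addr not in seg.network:
                findings.append(f"{seg.name}: {label} {addr} is not inside {seg.network}")

        # 4. The DHCP pool lies inside the segment and does not hand out addresses
        #    that are already reserved for the gateway or a static host.
        if seg.dhcp_pool is not None:
            first, last = seg.dhcp_pool
            if first not in seg.network or last not in seg.network or first > last:
                findings.append(f"{seg.name}: DHCP pool {first}-{last} is not a valid range in {seg.network}")
            reserved = dict(seg.static_hosts, gateway=seg.gateway)
            for label, addr in reserved.items():
                if first <= addr <= last:
                    findings.append(f"{seg.name}: {label} {addr} falls inside DHCP pool {first}-{last}")
    return findings


def eric_plan() -> List[Segment]:
    """Eric's proposal: guests behind Router 1, the LAN behind Router 2 (double NAT)."""
    return [
        Segment(
            name="guest (Router 1 LAN)",
            network=ipaddress.ip_network("192.168.1.0/24"),
            gateway=Addr("192.168.1.1"),
            # Router 2's WAN port is a fixed address on the guest segment, outside the pool.
            static_hosts={"router2-wan": Addr("192.168.1.2")},
            dhcp_pool=(Addr("192.168.1.10"), Addr("192.168.1.254")),
        ),
        Segment(
            name="internal (Router 2 LAN)",
            network=ipaddress.ip_network("192.168.10.0/24"),
            gateway=Addr("192.168.10.1"),
            static_hosts={"server": Addr("192.168.10.2")},
            dhcp_pool=None,  # served by the server; the e-mail gives no range
        ),
    ]


def tom_question_plan() -> List[Segment]:
    """Tom's question: keep the 10.0.0.x LAN but point clients at the Linksys (192.168.1.1)."""
    return [
        Segment(
            name="internal (10.0.0.x)",
            network=ipaddress.ip_network("10.0.0.0/24"),
            gateway=Addr("192.168.1.1"),  # on a different subnet, so not reachable on-link
            static_hosts={"VM1": Addr("10.0.0.15"), "VM2": Addr("10.0.0.12"), "VM3": Addr("10.0.0.14")},
            dhcp_pool=(Addr("10.0.0.100"), Addr("10.0.0.199")),
        ),
    ]


if __name__ == "__main__":
    for label, plan in (("Eric's plan", eric_plan()), ("Tom's question", tom_question_plan())):
        problems = check_plan(plan)
        print(f"{label}: {'OK' if not problems else 'problems found'}")
        for p in problems:
            print("  -", p)
```

Run as-is, Eric's plan comes back clean, while the variant Tom asks about is flagged on exactly one point: the gateway is not inside the clients' subnet. The same check is what rejects Tom's earlier worry about two subnets sharing a router: the Router 2 WAN address 192.168.1.2 is valid because it is a host on Router 1's segment, and the internal hosts never see 192.168.1.1 at all.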