
Any suggestions for upgrading a small business network?

Discussion in 'Networking' started by cwwozniak, Apr 14, 2015.

  1. cwwozniak

    cwwozniak Trusted Advisor Spam Fighter Thread Starter

    Joined:
    Nov 28, 2005
    Messages:
    61,808
    First Name:
    Chuck
    I am looking for hardware suggestions to upgrade our network at work. Is there a business grade router that will give us reliable wired and wireless connections for up to about 20 users and visitors while still keeping guest WiFi users and a security DVR isolated from devices on the internal wired and wireless LANs? If not, any suggestions for combining two or three pieces of hardware to get what we need?

    Right now, we have ...

    1) A cable modem configured in bridge mode and using a static public IP address.

    2) A 10/100Base-T LAN port on the modem connects to the WAN port of Router #1 (A D-link SOHO wireless router).

    3) One 10/100Base-T LAN port on Router #1 connects to the 10/100Base-T LAN port of a security DVR inside the building. The DVR has a static IP address and Router #1 has port forwarding configured to allow Internet access to the DVR.

    4) A second 10/100Base-T LAN port on Router #1 connects to the 10/100Base-T WAN port of Router #2 (also a D-link SOHO wireless router). Router #2 has a static private IP address on its WAN port and Router #1 has that address set as its DMZ.

    5) One 10/100Base-T LAN port on Router #2 connects to a 10/100Base-T LAN port on a 24 port unmanaged switch. All office desktop computers, networked printers, and our server connect to this 24 port switch.

    6) The LAN ports on the two routers are on different, non-overlapping, ranges of private IP addresses.

    7) The wireless access point in Router #1 uses WPA encryption with a short passphrase. This is used for Internet access for visitors and by employees to use with their personal laptops, notebooks, e-book readers, and smart phones.

    8) The wireless access point in Router #2 uses WPA encryption with a long, complex passphrase. This is used by those in the office who are using a company-approved laptop or notebook and need access to the printers and the server.

    9) There are 15 desktop computers, three printers, and one server connected to the LAN port of Router #2. At any given time, two or three wireless devices may be connected to Router #2.

    10) At any given time, there may be four to ten wireless connections to Router #1.

    This has worked fairly well for a few years. Now, we are getting into a situation where Router #1 will occasionally stop passing all wired and wireless traffic and there is no access to its web based admin pages. The only way to resolve the situation is to power cycle Router #1. This has started to happen several times a week; sometimes, a few times in one day. On rare occasions, Router #2 will do the same thing.

    We like the idea of the double router configuration because it allows access to the DVR from both the internal LAN and from the Internet, while still isolating the visitor WiFi and DVR from the in-house LAN. We have concerns about the DVR getting hacked (http://www.forbes.com/sites/andygre...amera-systems-vulnerable-to-hacker-hijacking/) and wish to make it extremely difficult (nothing is impossible) for someone to use a hacked DVR to launch an attack on the server and in-house computers.
     
  2. CleaverX

    CleaverX

    Joined:
    Sep 27, 2012
    Messages:
    1,323
    Are you using workgroups or an Active Directory forest? What are the roles of your server?
     
  3. joecool99

    joecool99

    Joined:
    Jan 6, 2010
    Messages:
    113
    Get new LAN hardware: a 1 Gbps WiFi router and any other switches you need for the network. 100 Mbps is just awfully slow.
    The ASUS RT-AC68R would be a good router.
     
  4. cwwozniak

    cwwozniak Trusted Advisor Spam Fighter Thread Starter

    Joined:
    Nov 28, 2005
    Messages:
    61,808
    First Name:
    Chuck
    We are using a workgroup.

    The server is running our accounting host software, TrendMicro Small Business Security host software, and backup software. Individual desktop users use the accounting software client app to interface with the accounting software on the server. They also update their local antivirus definitions from the server.

    I will check into the ASUS RT-AC68R. Thank you for the lead.
     
  5. CleaverX

    CleaverX

    Joined:
    Sep 27, 2012
    Messages:
    1,323
    You may also want to consider placing your camera system on a different subnet; that is common practice along with IP phone systems.
     
  6. cwwozniak

    cwwozniak Trusted Advisor Spam Fighter Thread Starter

    Joined:
    Nov 28, 2005
    Messages:
    61,808
    First Name:
    Chuck
    Right now, the camera system is isolated from the internal LAN by our existing double router setup, as described in post #1. I would suspect that a single router solution would require the router to include a managed switch that supports creating subnets and restricting communications between them.

    Our VoIP phones are a stand-alone system, completely isolated from the LAN.
     
  7. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,013
    What's your budget on this project?

    At first stab, I'm thinking something like a SonicWall TZ would work pretty nicely for you. With the TZ, you can eliminate the need to have a separate router to form up a total physical separation between the other subnets/areas of your network. When you get into this class of networking device, you can do logical separation of networks without having to have physical hardware sprawl. I currently run a TZ215 in my home network which has about 5 subnets configured on it, and all of them are separated. Traffic doesn't move from one subnet to another without me creating a specific access rule. The nice thing about a product like this is the available security options contained in this single box. The TZs are UTM (unified threat management) devices. As such you have features like IPS/IDS, anti-spam, anti-virus client enforcement through McAfee, an anti-virus gateway, anti-botnet, content filtering (to create white or black lists to control the web content the users can access), and the big feature is the DPI (deep packet inspection) engine. DPI allows the firewall to peer into the actual packet of the data being sent through the firewall. Based on this packet inspection, you can create more granular rules than you would be able to with a stateful packet inspection firewall. So if you have someone who thinks they can fake out your security rules by using a different port to do P2P, the firewall can recognize this and block that traffic.

    With my setup, I chose to have the 5 subnets all set up as subinterfaces to the X2 physical Ethernet port on the firewall. All the traffic is segregated via VLAN tagging when it leaves the firewall into my LAN. Of course I have managed switches which can support this VLAN traffic. An alternative is to leverage the other physical ports on the firewall. There are a total of 6 internal Ethernet ports, each of which you can configure to be a routing interface. There is a construct in these security appliances called zones, which you can apply rules to, that carries over to the various interfaces/subnets. Leveraging the physical interfaces will allow you to use unmanaged switches.

    As part of the wireless requirement, you can utilize the wireless capability of the SonicWall firewalls, as they all can operate as wireless controllers. Their APs are called SonicPoints. There are also TZ models with built-in wireless. The wireless system supports virtual APs where you can have multiple SSIDs. An alternative is to use a different wireless system that supports a captive portal for guest access. Depending on the system, the guest access can be self-automating, not requiring direct administration to provide guest access. I can elaborate on this system if you wish. The enterprise-level wireless systems will also support 802.1x authentication. This allows better security as it requires a certificate for authorization for the device to be allowed to talk on the network, and then the user has to log in to gain any access.
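The zone model in the reply above, applied to the topology from post #1 (visitor WiFi, DVR, office LAN), as an added example that is not from the thread or from any vendor: a default-deny inter-zone policy with a handful of explicit allow rules, evaluated against sample flows to confirm the isolation the thread starter wants (a compromised DVR or guest device cannot reach the office LAN). All addresses and rules are constructed assumptions; the thread gives none.

```python
# Added example: zone-based inter-subnet policy model (constructed, not
# the thread's or any vendor's configuration). Default deny between
# zones; only listed rules allow traffic. Return traffic is assumed to be
# handled by stateful inspection, so only the initiating direction is modelled.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing for the zones described in post #1.
ZONES = {
    "WAN":    ipaddress.ip_network("0.0.0.0/0"),       # Internet (catch-all)
    "GUEST":  ipaddress.ip_network("192.168.10.0/24"),  # visitor / personal WiFi
    "DVR":    ipaddress.ip_network("192.168.20.0/24"),  # security DVR
    "OFFICE": ipaddress.ip_network("192.168.30.0/24"),  # desktops, printers, server
}

@dataclass(frozen=True)
class Rule:
    src: str            # source zone name
    dst: str            # destination zone name
    dport: Optional[int]  # None means any TCP/UDP port
    action: str         # "allow" or "deny"

# Explicit allows only; anything not matched below is denied.
RULES = [
    Rule("OFFICE", "WAN", None, "allow"),  # office Internet access
    Rule("GUEST",  "WAN", None, "allow"),  # visitor Internet access
    Rule("OFFICE", "DVR", 80,   "allow"),  # staff view the DVR web UI
    Rule("WAN",    "DVR", 80,   "allow"),  # the inbound port forward from post #1
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; the longest matching prefix wins,
    so private subnets take precedence over the /0 WAN catch-all."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)

def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new flow; first matching rule wins."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # intra-zone traffic is not policed by the firewall
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"  # default deny between zones

if __name__ == "__main__":
    # A hacked DVR trying to reach the office server over SMB is dropped.
    print(evaluate("192.168.20.10", "192.168.30.5", 445))  # deny
```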
     
  8. cwwozniak

    cwwozniak Trusted Advisor Spam Fighter Thread Starter

    Joined:
    Nov 28, 2005
    Messages:
    61,808
    First Name:
    Chuck
    I was not given any $ limits, but I'm guessing I would need to do some explaining and justifying if I started getting over about $800~$900.

    A quick look at the SonicWALL series shows the TZ 105 Wireless as a possible candidate, combined with our existing 24 port switch. I'll need to read up a bit on Sonicwall “Zones” and “Portshield Groups”.
     
Short URL to this thread: https://techguy.org/1146594