
New Network Setup

Discussion in 'Networking' started by ultragrain, Jun 15, 2011.

Thread Status:
Not open for further replies.
  1. ultragrain

    ultragrain Thread Starter

    Joined:
    Jun 15, 2011
    Messages:
    7
    Hi,

    I am in the planning stages of setting up a new network; I have drawn a diagram of the new setup. What do you think? Do you propose any changes anywhere, or see any pitfalls?

    Thanks
    Sam
     

    Attached Files:

  2. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    I guess you have at least 3 NICs in the firewall/router and it allows you to configure 3 networks?
    BTW your modem will not have a private IP, it will have a public IP and this will be assigned to the WAN interface of the firewall...unless it is a modem/router, but your diagram doesn't say this?

    I also presume that your SBS server is going to be plugged into its own switch/hub with the clients?
    Actually....your SBS won't have internet access...at least with that diagram, because it won't be able to talk directly to the firewall with them being on different subnets. You will need to apply some sort of NAT at the virtual server to allow the SBS to NAT through its interface (whether you can do that I don't know, as I don't know what server OS would be on there).
     
  3. ultragrain

    ultragrain Thread Starter

    Joined:
    Jun 15, 2011
    Messages:
    7
    Hi,

    The router has 8 ports on there, if that's what you mean (3 networks? The firewall allows the creation of sub-LANs). The SBS is a virtual server; I have updated the diagram now to show more information.

    Thanks
    Sam
     

    Attached Files:

  4. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    Ports are different to networks. So you can create VLANs then, when you say sub-LANs?
    Basically you are going to have to assign one port on the 192.168.1.x network, another on the 192.168.1.x network and one on your public internet access (provided by ISP). If you can do that and assign it 3 IPs as different networks/VLANs then you can do it. You will still need some way of getting the SBS access to the internet via the VMware server. I don't use this, I use Hyper-V, so I don't know whether it has NAT capabilities; I guess it does, as I know it is a good product.
     
  5. ultragrain

    ultragrain Thread Starter

    Joined:
    Jun 15, 2011
    Messages:
    7
    Hello,

    It's a Billion firewall/router, and I swear they have tried to use terminology that is as far away from industry standard as possible. From what I can tell they call VLANs "LAN Address Mapping". It allows me to specify a gateway, subnet mask etc., and if I enter some details it puts it into the routing table (see attached).

    VMware does have NAT capabilities.

    The thing is, the Billion does allow VLAN bridge, but I'm not sure how to configure that.

    -Sam
     

    Attached Files:

  6. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    I think Billion routers aren't that good to be honest, but it looks like you can create VLANs.
    Your second pic shows the VLANs. At a guess I would say the default VLAN ID it has created on port 8 is for your WAN connection.
    But...I made a mistake, you don't even need VLANs on your setup. I thought your WAP was on a different subnet for some reason, but as it isn't (you only have two subnets) you only need two networks, which any bog-standard router can do, sorry!! Stupid eyesight!!
    The router should work without any additional config.

    You now have two ways to connect your SBS:
    The NAT way that I originally suggested, or
    An additional VLAN for this subnet 192.168.0.x, and assign one port to that VLAN. Plug the SBS into this.

    I presume the VM server will have dedicated NICs for each VM? So you can use the NIC assigned to SBS and plug into VLAN ID 192.168.0.x?
     
  7. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,373
    Ok. So I'm totally confused with your setup. First question I have is if your router can support more than one internal router interface or have a single router interface support multiple IP addresses. I know Netgear routers can do this and it's called multi-homing by Netgear. Cisco routers support this by either VLAN interfaces, individual physical interfaces, or secondary IPs assigned to existing interfaces.

    Based on what I see in your diagram, you need to have two internal router interfaces for a total of three to include the WAN interface. Or you have to be able to assign a secondary/multi-homed IP address to the single existing internal router interface.

    I see a wireless AP on your network. Is this AP a pure AP or a router running as an AP with DHCP capability? Who are the wireless clients that are connecting to it and what subnet are they going to be running on?

    You don't need to do any NAT'ing if you plan this correctly. So far I see two subnets, 192.168.0.x and 192.168.1.x. How many physical interfaces are you running on your ESXi server?

    As a talking point, I have two ESXi servers running on my home network. One currently supports 2 VMs with 4 configured. The other has another 2 with more to be brought online, with 4 configured. I have at least 7 subnets running on my LAN and the VMs are sitting on 3 different subnets. I have a single interface from the ESXi server providing "production" facing connections running as a VLAN trunk into one of my switches. There are 3 vSwitches on each ESXi server.
     
  8. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    Zx, please don't take this as me kicking off, but I find it annoying when you dismiss other people's suggestions, sometimes before even knowing the full setup; it is disrespectful. I have given him two options, one of which you are just repeating with more info while dismissing the NAT one.

    What we don't know is:
    a) on the VM server, is each VM machine going to have its own dedicated NIC?
    b) at least from your own question, you're asking whether the router can support multiple IP addresses?

    Let's say you can't do b, so we assign it 192.168.1.4 and all VMs will share one NIC. Tell me now, how will you get the SBS working without NAT?
     
  9. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,373
    You know, I can go on about similar examples of this from you. But I won't go there.

    One. I don't care what has been said. ESXi does NOT have NAT capabilities. It's a host OS to provide an environment for VMs to be built on. The vSwitch on the OS is nothing more than a software layer 2 switch. Nothing more.

    Even if there were a physical NIC assigned to each VM, that still won't solve the underlying network design issues. Not to mention throwing a dedicated NIC at each VM is totally counter to the goals of virtualization and scalability unless there is an extremely compelling reason to do so.

    How do I know all this? Like I said, I have two ESXi servers running on my LAN, which I built from the ground up, running VMs which are: domain controller, collaboration server (Email, Jabber Chat, and message board), two simulated NetApp filers, a What's Up Gold server, a SolarWinds Orion NMS server, and a Windows XP Pro 64 bit workstation streaming audio. I don't know anything about MS' Hyper-V, so I didn't and won't comment on that.
     
  10. ultragrain

    ultragrain Thread Starter

    Joined:
    Jun 15, 2011
    Messages:
    7
    Hello,

    The router/firewall does support multiple IP addresses.

    All I have done here is disable DHCP on the wireless interface (it's a router) and change the router (wireless interface) to an IP that's on my internal network (192.168.1.x).

    This is a router with DHCP, as the only DHCP server in the network will be the SBS 2011 server; there will be internal staff connecting to the network as well as mobile devices and visitors etc.

    There is one physical NIC on the ESXi.
     

    Attached Files:

  11. ultragrain

    ultragrain Thread Starter

    Joined:
    Jun 15, 2011
    Messages:
    7
    Hi,

    Ok, so the network setup has begun.

    So just to clarify, it looks like the Billion is using the same sort of features as Netgear multihome. So I added a new subnet (192.168.0.1) and I have set the SBS server to 192.168.0.2 and its gateway to 192.168.0.1, and so far it's dishing out the requests via DHCP to connecting computers (192.168.0.x) and now they are able to connect to the net.

    Now am I correct in thinking that since the wireless is on 192.168.1.x, that's going to cause file sharing problems and it would be best if it was on the same subnet, 192.168.0.x?

    -Sam
     
  12. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    Why don't you just test it? It might work, because when you create the VLANs (from your pics) I noticed it said bridged mode etc. I'm going to have a guess and say that means it will route traffic between the two subnets. Is there any particular reason for wanting to put the WAP on a different subnet?
     
  13. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,373
    Actually, I think you'll be fine. The reason is that, based on what you've said recently, you're not running any VLANs, or more specifically, your 192.168.0.0 subnet is not on one VLAN and 192.168.1.0 on a different VLAN. Since both 192.168.0.0 and 192.168.1.0 are sharing the same layer 2 transport, the DHCP requests will still be seen by clients connecting to the wireless AP even though the AP has a management IP on the 192.168.1.0 subnet. From a security standpoint this isn't an ideal design, especially if you have guest users with access to the network.

    Who is going to use the wireless services on your network?

    Depending on the answer there are specific design criteria to consider. What type of wireless AP is this? As an example, I have two Netgear APs running on my home network: a WG102 and a WNDAP350. Each of these APs has the capability of running multiple SSIDs. An SSID can be created for guest access only and another for the company employees. Each of these SSIDs can run different encryption schemes and they are separated at the AP via VLAN tagging when the traffic is placed onto the LAN. There is also the ability to set the management interface (IP) of the AP onto a different management VLAN, which is best practice for security.
     
  14. mucker2010

    mucker2010

    Joined:
    May 24, 2011
    Messages:
    505
    For my own understanding, Zx: I understand how the clients on the AP will get IPs through DHCP, but what I am not sure of is how APs handle or relay packets. Once the clients have IPs on the 192.168.0.x subnet, will they be able to communicate with the SBS through the AP even though it is on a different subnet (similar but not exact to the DHCP request process)? What I mean is, does this also operate at layer 2? As in, all APs basically act as a bridge and re-transmit packets they receive on one interface out the other? I originally thought that IP was somehow involved because you have to relay through the AP?
     
  15. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,373
    This can be confusing and I had to pause for a second to think through how this all will work. You have to separate out the functions of what an AP is from what many people are used to, which is an AP integrated into a layer 3 device such as the plethora of wireless routers. Because the OP is doing "multi-homing" (Netgear speak) or multiple IPs on the same layer 2 network, the issue of the AP being on a different subnet is not an issue...provided the only DHCP server is the SBS server the OP is running. If the AP is a wireless router doing duty as an AP and functioning as a DHCP server too, well, there will be problems not only for wireless clients but for wired workstations too.

    So let's walk this through. A wireless client comes in and connects to the AP. Because the AP is not a DHCP server, it doesn't assign a DHCP address to the client. But the DHCP broadcast request is dropped onto the LAN, where the SBS server sees it and does its normal routine in assigning the address and replying. Once the wireless client gets its IP, it just functions on the network as normal. The management IP of the AP being on a different subnet has no bearing on how the client talks onto the network. Again, this is all assuming the AP isn't just a wireless router doing duty as an AP and functioning as a DHCP server too.

    Now, if the OP is running VLANs, then that's where problems will come into play. Let's say VLAN 1 is for 192.168.0.0 and VLAN 2 is for 192.168.1.0. The AP will obviously be on VLAN 2 because of its assigned IP. A wireless client comes on and is looking for an IP address from the DHCP server. Well, the only option is to assign an IP address from a DHCP server with a scope in the 192.168.1.0 subnet because the wireless client is coming in on VLAN 2. This is not what the OP wants as he wants the clients to be on 192.168.0.0. Even if a DHCP relay agent is used to get the DHCP request broadcast from VLAN 2 to the SBS server on VLAN 1, this won't work as the packet is going to have a wrapper which shows it came from the 192.168.1.0 subnet which the SBS server won't have a scope for. This is the reason why I mentioned the Netgear APs I have. They allow multiple SSIDs separated by VLAN tagging.

    Moreover, a discussion needs to happen concerning the network design. If guests are going to be treated like a normal employee client, then the OP is going to open the entire network to security vulnerabilities. The common method of creating a secure environment for guest access is to VLAN them off to only have internet access and no access to the corporate LAN. Recent developments in wireless technology now make it possible to secure guest access but without the need to generate "VLAN sprawl." This is done via various technologies as device fingerprinting, device profiling/patch checking, and user account authentication.

    Hope this makes things a bit more clear.
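The two cases walked through above (flat multi-homed layer 2 versus VLAN 1 / VLAN 2 with a relay agent) as a small Python model, added here as an illustration and not code from this thread; the relay-agent address 192.168.1.254, the single-scope rule and the topology names are constructed assumptions.

```python
"""Toy model of the DHCP behaviour discussed above (constructed example).

Two layer-2 layouts are compared:
  * "flat": 192.168.0.0/24 and 192.168.1.0/24 share one broadcast domain
    (Netgear-style multi-homing); the AP is a pure bridge whose management
    IP on 192.168.1.x plays no part in the exchange.
  * "vlan": VLAN 1 carries 192.168.0.0/24 and VLAN 2 carries 192.168.1.0/24;
    the AP sits on VLAN 2, so a relay agent must forward the DISCOVER.
"""
import ipaddress
import itertools

SBS_SCOPE = ipaddress.ip_network("192.168.0.0/24")  # the only DHCP scope (SBS)
_lease_ids = itertools.count(10)                     # next host number to lease


def dhcp_server(giaddr: str):
    """Scope selection as a DHCP server does it: pick the scope by the relay
    address (giaddr). 0.0.0.0 means the broadcast arrived on the local segment,
    so the server's own scope applies; a relayed request is matched against the
    relay's subnet and ignored when no scope covers it."""
    if giaddr == "0.0.0.0" or ipaddress.ip_address(giaddr) in SBS_SCOPE:
        return str(SBS_SCOPE[next(_lease_ids)])
    return None  # relay sits in 192.168.1.x: no scope, no OFFER


def wireless_client_discover(topology: str, relay_ip: str = "192.168.1.254"):
    """Send a DISCOVER from a wireless client; return the offered lease or None."""
    if topology == "flat":
        # AP bridges at layer 2; the broadcast reaches the SBS unmodified
        return dhcp_server("0.0.0.0")
    if topology == "vlan":
        # client is on VLAN 2; the relay stamps its own VLAN-2 address as giaddr
        return dhcp_server(relay_ip)
    raise ValueError(f"unknown topology: {topology}")


if __name__ == "__main__":
    for topo in ("flat", "vlan"):
        print(f"{topo:>4}: lease = {wireless_client_discover(topo)}")
```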
     
Short URL to this thread: https://techguy.org/1002360