Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


networking for a small corporation

Posted on 2004-08-10
Medium Priority
Last Modified: 2010-04-11
I have never done any real networking job but is presented with this task, would like some help/guidance in this, thx

Looking to establish a network of 30 computers, with a mail server.

Our current setup is ISP ----> Router ----> Network

we can have 5 static ips but it's currently set at dynamic to allow all 30 computers  to be online at the same time.

The problem come with the mail server which require a static IP,  and the ISP told us that if we were to set 1 static ip then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless we buy more ip address. It's a all or nothing situation. Which is something we are not looking forward to do.

And of course, security is an issue too, since the ISP don't do port mapping, the ISP told us the only way to receive mail from the internet is for them to open up everything on the router for a particular IP address that the mail server will be setup at. The mail server will have no firewall protection from the router that way.

So i was thinking of making a proxy server with one of the computers, the setup i was thinking is:

ISP ---> Router ---> (spit):

1st IP address : Proxy Machine ----> Network
2nd IP : Firewall ----> Mail server
3-5th IP : future expantion

The Proxy machine will be protect by the router's firewall,.

The Mail server will be protected by additional firewall machine i will set up.

All computers run in MS enviroment, except the mailserver which is on Linux. Firewall haven't been decided yet.

Will this setup work? or can anything be modified to make it more efficient?

What firewall should I use? preferably free, stable and can be installed on a lower end machine.

Thx in advance for your help.
Question by:chaoslord
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Assisted Solution

ngravatt earned 200 total points
ID: 11766962
Well, what you can do is, setup a Domain Controller and have DHCP enabled on it.  A computer with Windows Server can do this.  With DHCP, you can have hundreds of Private IP addresses.

Your email server and domain controller can have Static IP addresses, and the remaining 30 computers can use DHCP to obtain private IP addresses from the Domain Controller.


Assisted Solution

Marakush earned 600 total points
ID: 11767031
Okay not a problem..

Get a firewall like a Sonicwall Pro 100 or PIX 503 Something fairly cheap with a DMZ port.

You can use faux addresses on the LAN side of the firewall, kinda like 192.168.1.x

You can use one of your real addresses on the WAN port of the firewall

You can use one of your real addresses on the mail server sitting in the DMZ of your firewall

You can do it with a less expencive router then buying a full blown firewall. But if you want to add another server, you are kinda of limited using the built in DMZ function of a cheaper gateway router.

LVL 27

Assisted Solution

pseudocyber earned 1000 total points
ID: 11767047
Your ISP is full of #$%$#%.

The way everyone else in the world does it (except evidently, your ISP), is to get an Internet connection with a public address or a block of addresses and either NAT everything, or almost everything.  Your email box, could have a STATIC NAT so the outside address is on the internet side, and the private address is in your DMZ.

Depending on your connection - the feed comes into a box (modem or csu/dsu) and then into a router (except dsl or cable).  I'm going to go with the scenario where you have a line, a modem, and a router.

Anway, you have a connection coming into your router.  It has an external address and you can NAT (Network Address Translation) to your internal networks.  In your scenario, I would put an IP on a GOOD firewall and then seperate your networks - have a private, internal network, where EVERYONE is NATted by the firewall.  Then, have a SEPERATE network which is your DMZ (Demilitarized zone), where your Internet facing servers sit.  Your firewlal would have the job of making sure requests to your email server are ONLY email and allowing connections coming from INSIDE your network to the DMZ.  Any other connections to the DMZ would be denied - unless you specifically set them up.  All inbound connections to your internal LAN are denied, unless specifically set up in the firewall, UNLESS they are a reply to an ESTABLISHED CONNECTION initiated by the inside machines.

It sounds like you're leaning toward the low end for your gear.  I would encourage you NOT to go this direction willingly.  Or if you do, to invest some time and learn how to use the open source software to do it - Linux IPTABLES.  Even if you go with a Linux firewall, you probably ought to go with one of the many companies that are doing them.

However, I would recommend something like a low end Cisco router to do your screening (denying bogus IP's, denying inbound PINGS and port scans, etc).  Then get a REAL firewall like a low end PIX or a Checkpoint box.

Hope this helps.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 11

Accepted Solution

PennGwyn earned 200 total points
ID: 11768817
> The problem come with the mail server which require a static IP,  and the ISP told us that if we were to set 1 static ip
> then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless
> we buy more ip address. It's a all or nothing situation. Which is something we are not looking forward to do.

Your ISP is hoping that saying this will cause you to give them more money.

Any decent router/firewall will have no trouble providing a static address to an email server, and dynamic addressing (PAT) to client machines.  You *may* just possibly, have a current router that can't do this, but you can replace it for a one-time charge.


Expert Comment

ID: 11773188
Like others have stated, the correct router will do this and there's NO WAY they'll even know how many you have on it from their end.  Your router will be coded with your static IP, subnet, gateway for it's external address and will also be coded with an internal address to match up with your network.  For example, if you are running a 10.0.0.x addressing on your network, your router could have the internal address and become the gateway for all your internal machines.  It's really pretty easy.

Expert Comment

ID: 11777805
you really only need one public static IP for the entire network.

I would recomend for secruity reasons using  static nat port translations only to the mail server.

The  MX record for dns will be pointed to the router's public address and then you would forward tcp ports 25 and 110 inbound only to the mail server.  

Then you can have one static IP and many machines inside using dhcp on the inside

Don't let your ISP push you around.  It sounds like they are trying to take advantage of you.

I would never think of doing that to my customers.

Author Comment

ID: 11783340
K thx, great answers. Wish i could give all of you points

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question