Networking for a small corporation

Posted on 2004-08-10
Last Modified: 2010-04-11
I have never done any real networking job but am presented with this task; I would like some help/guidance with this, thanks.

Looking to establish a network of 30 computers, with a mail server.

Our current setup is ISP ----> Router ----> Network

We can have 5 static IPs, but it's currently set to dynamic to allow all 30 computers to be online at the same time.

The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

And of course, security is an issue too. Since the ISP doesn't do port mapping, the ISP told us the only way to receive mail from the internet is for them to open up everything on the router for the particular IP address that the mail server will be set up at. The mail server will have no firewall protection from the router that way.

So I was thinking of making a proxy server with one of the computers. The setup I was thinking of is:

ISP ---> Router ---> (split):

1st IP address : Proxy Machine ----> Network
2nd IP : Firewall ----> Mail server
3rd-5th IP : future expansion

The proxy machine will be protected by the router's firewall.

The Mail server will be protected by additional firewall machine i will set up.

All computers run in an MS environment, except the mail server, which is on Linux. The firewall hasn't been decided yet.

Will this setup work? Or can anything be modified to make it more efficient?

What firewall should I use? Preferably free, stable and able to be installed on a lower-end machine.

Thanks in advance for your help.
Question by: chaoslord

Assisted Solution

ngravatt earned 50 total points
ID: 11766962
Well, what you can do is set up a Domain Controller and have DHCP enabled on it.  A computer with Windows Server can do this.  With DHCP, you can have hundreds of private IP addresses.

Your email server and domain controller can have Static IP addresses, and the remaining 30 computers can use DHCP to obtain private IP addresses from the Domain Controller.


Assisted Solution

Marakush earned 150 total points
ID: 11767031
Okay, not a problem.

Get a firewall like a Sonicwall Pro 100 or PIX 503 Something fairly cheap with a DMZ port.

You can use faux addresses on the LAN side of the firewall, kinda like 192.168.1.x

You can use one of your real addresses on the WAN port of the firewall

You can use one of your real addresses on the mail server sitting in the DMZ of your firewall

You can do it with a less expensive router than buying a full-blown firewall. But if you want to add another server, you are kind of limited using the built-in DMZ function of a cheaper gateway router.


Assisted Solution

pseudocyber earned 250 total points
ID: 11767047
Your ISP is full of #$%$#%.

The way everyone else in the world does it (except evidently, your ISP), is to get an Internet connection with a public address or a block of addresses and either NAT everything, or almost everything.  Your email box, could have a STATIC NAT so the outside address is on the internet side, and the private address is in your DMZ.

Depending on your connection - the feed comes into a box (modem or csu/dsu) and then into a router (except dsl or cable).  I'm going to go with the scenario where you have a line, a modem, and a router.

Anyway, you have a connection coming into your router.  It has an external address and you can NAT (Network Address Translation) to your internal networks.  In your scenario, I would put an IP on a GOOD firewall and then separate your networks - have a private, internal network, where EVERYONE is NATted by the firewall.  Then, have a SEPARATE network which is your DMZ (Demilitarized Zone), where your Internet-facing servers sit.  Your firewall would have the job of making sure requests to your email server are ONLY email and allowing connections coming from INSIDE your network to the DMZ.  Any other connections to the DMZ would be denied - unless you specifically set them up.  All inbound connections to your internal LAN are denied, unless specifically set up in the firewall, UNLESS they are a reply to an ESTABLISHED CONNECTION initiated by the inside machines.

It sounds like you're leaning toward the low end for your gear.  I would encourage you NOT to go this direction willingly.  Or if you do, to invest some time and learn how to use the open source software to do it - Linux IPTABLES.  Even if you go with a Linux firewall, you probably ought to go with one of the many companies that are doing them.

However, I would recommend something like a low-end Cisco router to do your screening (denying bogus IPs, denying inbound PINGs and port scans, etc.).  Then get a REAL firewall like a low-end PIX or a Checkpoint box.

Hope this helps.

Accepted Solution

PennGwyn earned 50 total points
ID: 11768817
> The problem come with the mail server which require a static IP,  and the ISP told us that if we were to set 1 static ip
> then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless
> we buy more ip address. It's a all or nothing situation. Which is something we are not looking forward to do.

Your ISP is hoping that saying this will cause you to give them more money.

Any decent router/firewall will have no trouble providing a static address to an email server, and dynamic addressing (PAT) to client machines.  You *may* just possibly, have a current router that can't do this, but you can replace it for a one-time charge.


Expert Comment

ID: 11773188
Like others have stated, the correct router will do this and there's NO WAY they'll even know how many you have on it from their end.  Your router will be coded with your static IP, subnet and gateway for its external address and will also be coded with an internal address to match up with your network.  For example, if you are running 10.0.0.x addressing on your network, your router could have the internal address and become the gateway for all your internal machines.  It's really pretty easy.

Expert Comment

ID: 11777805
You really only need one public static IP for the entire network.

I would recommend, for security reasons, using static NAT port translations only to the mail server.

The MX record in DNS will be pointed to the router's public address, and then you would forward TCP ports 25 and 110 inbound only to the mail server.

Then you can have one static IP and many machines inside using DHCP on the inside.

Don't let your ISP push you around.  It sounds like they are trying to take advantage of you.

I would never think of doing that to my customers.
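The policy the answers above describe (one public static address on the firewall's WAN port, the 30 clients PATed behind it, the mail server on its own DMZ segment reached only by static NAT on tcp/25 and tcp/110, every other inbound connection denied, replies allowed only for connections the inside opened, and a screening step that drops packets with bogus source addresses) can be written down and checked as a model before any box is bought or configured. The Python below is an added example written for this page, not code from the thread, from Experts Exchange or from any firewall vendor. The addresses (RFC 5737 and RFC 1918 ranges), the `Packet` and `Firewall` names, the PAT port range, and the decision to let the DMZ host initiate only outbound tcp/25 (the thread does not discuss outbound mail delivery) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# All addresses are assumptions for the example (RFC 5737 / RFC 1918 ranges), not from the thread.
WAN_IP = "203.0.113.10"                         # the single public static address, on the firewall's WAN port
LAN = ipaddress.ip_network("10.0.0.0/24")        # the client PCs on DHCP, hidden behind WAN_IP by PAT
DMZ = ipaddress.ip_network("192.168.100.0/24")   # separate segment for Internet-facing servers
MAIL_SERVER = "192.168.100.25"                   # the Linux mail box, reached by static NAT from WAN_IP
FORWARDED_PORTS = {25, 110}                      # tcp/25 (SMTP) and tcp/110 (POP3) forwarded inbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True     # first packet of a TCP connection; False for later packets
    iface: str = ""      # interface the packet arrived on: "wan", "lan" or "dmz" ("" = infer from src)


def zone(ip: str) -> str:
    """Classify an address into the zone it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "wan"


class Firewall:
    """Stateful filter with NAT. process() returns (verdict, packet as it leaves the firewall)."""

    def __init__(self):
        self.established = {}   # reply 4-tuple -> rewritten 4-tuple for that reply
        self.next_pat_port = 40000

    def _track(self, fwd: Packet, orig: Packet) -> None:
        # The peer's reply arrives with fwd's addresses swapped; rewrite it to orig's addresses, swapped.
        self.established[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = (orig.dst, orig.dport, orig.src, orig.sport)

    def process(self, p: Packet):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.established:
            s, sp, d, dp = self.established[key]
            return "ACCEPT established", Packet(s, sp, d, dp, syn=False)
        if not p.syn:
            return "DROP not established", None    # mid-stream packet with no state is never let through

        src_zone, dst_zone = zone(p.src), zone(p.dst)
        if p.iface and p.iface != src_zone:
            return "DROP spoofed source", None     # screening: e.g. a 10.0.0.x source arriving on the WAN side

        if src_zone == "wan":
            # Only the mail ports on the public address are let in, and only to the DMZ mail server.
            if p.dst == WAN_IP and p.dport in FORWARDED_PORTS:
                fwd = Packet(p.src, p.sport, MAIL_SERVER, p.dport)
                self._track(fwd, p)
                return "ACCEPT dnat to mail server", fwd
            return "DROP inbound", None

        if src_zone == "lan":
            if dst_zone == "dmz":                  # inside may reach the DMZ (e.g. POP3 to the mail box)
                self._track(p, p)
                return "ACCEPT lan to dmz", p
            if dst_zone == "wan":                  # every client shares WAN_IP; the port tells replies apart
                fwd = Packet(WAN_IP, self.next_pat_port, p.dst, p.dport)
                self.next_pat_port += 1
                self._track(fwd, p)
                return "ACCEPT pat", fwd
            return "DROP lan to lan (not routed here)", None

        # src_zone == "dmz". Assumption for the example: the mail box may deliver outbound mail and
        # nothing else, and never initiates into the LAN, so a compromised server cannot reach inside.
        if dst_zone == "wan" and p.dport == 25:
            fwd = Packet(WAN_IP, p.sport, p.dst, p.dport)   # static NAT keeps the source port
            self._track(fwd, p)
            return "ACCEPT dmz static nat", fwd
        return "DROP dmz initiated", None


if __name__ == "__main__":
    fw = Firewall()
    for pkt in (Packet("198.51.100.7", 51000, WAN_IP, 25, iface="wan"),        # remote MTA delivering mail
                Packet(MAIL_SERVER, 25, "198.51.100.7", 51000, syn=False),    # the mail box's SYN-ACK
                Packet("198.51.100.7", 51001, WAN_IP, 22, iface="wan"),       # SSH from the Internet
                Packet("10.0.0.15", 3333, "198.51.100.80", 80, iface="lan"),  # a client browsing
                Packet("10.0.0.15", 3334, WAN_IP, 25, iface="wan"),           # spoofed inside address
                Packet(MAIL_SERVER, 4000, "10.0.0.15", 445, iface="dmz")):    # DMZ box probing the LAN
        verdict, out = fw.process(pkt)
        after = f"  as {out.src}:{out.sport} -> {out.dst}:{out.dport}" if out else ""
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}{after}")
```

Run it as a script to see each constructed packet's verdict and how it leaves the firewall. The two things worth noticing are that the mail server's reply comes back from its private address and is rewritten to the public one before it reaches the Internet (so the remote MTA never sees 192.168.100.25), and that a packet to the public address on any port other than 25 or 110, or a mid-stream packet the firewall has no state for, is dropped even though the mail server is "exposed" on that same address. That is the difference between the ISP's "open up everything for that IP" and the static NAT the answers recommend.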

Author Comment

ID: 11783340
OK, thanks, great answers. Wish I could give all of you points.
