networking for a small corporation

Posted on 2004-08-10
Last Modified: 2010-04-11
I have never done any real networking job but am presented with this task; I would like some help/guidance in this, thx.

Looking to establish a network of 30 computers, with a mail server.

Our current setup is ISP ----> Router ----> Network

We can have 5 static IPs, but it's currently set to dynamic to allow all 30 computers to be online at the same time.

The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

And of course, security is an issue too. Since the ISP doesn't do port mapping, the ISP told us the only way to receive mail from the Internet is for them to open up everything on the router for the particular IP address that the mail server will be set up at. The mail server will have no firewall protection from the router that way.

So I was thinking of making a proxy server with one of the computers; the setup I was thinking of is:

ISP ---> Router ---> (split):

1st IP address : Proxy Machine ----> Network
2nd IP : Firewall ----> Mail server
3-5th IP : future expansion

The Proxy machine will be protected by the router's firewall.

The Mail server will be protected by an additional firewall machine I will set up.

All computers run in an MS environment, except the mail server, which is on Linux. The firewall hasn't been decided yet.

Will this setup work, or can anything be modified to make it more efficient?

What firewall should I use? Preferably free, stable, and able to be installed on a lower-end machine.

Thx in advance for your help.
Question by:chaoslord
LVL 10

Assisted Solution

ngravatt earned 50 total points
ID: 11766962
Well, what you can do is set up a Domain Controller and have DHCP enabled on it.  A computer with Windows Server can do this.  With DHCP, you can have hundreds of private IP addresses.

Your email server and domain controller can have Static IP addresses, and the remaining 30 computers can use DHCP to obtain private IP addresses from the Domain Controller.


Assisted Solution

Marakush earned 150 total points
ID: 11767031
Okay, not a problem.

Get a firewall like a Sonicwall Pro 100 or PIX 503, something fairly cheap with a DMZ port.

You can use faux addresses on the LAN side of the firewall, kinda like 192.168.1.x

You can use one of your real addresses on the WAN port of the firewall

You can use one of your real addresses on the mail server sitting in the DMZ of your firewall

You can do it with a less expensive router than buying a full-blown firewall. But if you want to add another server, you are kind of limited using the built-in DMZ function of a cheaper gateway router.

LVL 27

Assisted Solution

pseudocyber earned 250 total points
ID: 11767047
Your ISP is full of #$%$#%.

The way everyone else in the world does it (except, evidently, your ISP) is to get an Internet connection with a public address or a block of addresses and either NAT everything, or almost everything.  Your email box could have a STATIC NAT so the outside address is on the Internet side, and the private address is in your DMZ.

Depending on your connection - the feed comes into a box (modem or csu/dsu) and then into a router (except dsl or cable).  I'm going to go with the scenario where you have a line, a modem, and a router.

Anyway, you have a connection coming into your router.  It has an external address and you can NAT (Network Address Translation) to your internal networks.  In your scenario, I would put an IP on a GOOD firewall and then separate your networks - have a private, internal network, where EVERYONE is NATted by the firewall.  Then, have a SEPARATE network which is your DMZ (Demilitarized Zone), where your Internet-facing servers sit.  Your firewall would have the job of making sure requests to your email server are ONLY email and allowing connections coming from INSIDE your network to the DMZ.  Any other connections to the DMZ would be denied - unless you specifically set them up.  All inbound connections to your internal LAN are denied, unless specifically set up in the firewall, UNLESS they are a reply to an ESTABLISHED CONNECTION initiated by the inside machines.

It sounds like you're leaning toward the low end for your gear.  I would encourage you NOT to go this direction willingly.  Or if you do, to invest some time and learn how to use the open source software to do it - Linux IPTABLES.  Even if you go with a Linux firewall, you probably ought to go with one of the many companies that are doing them.

However, I would recommend something like a low-end Cisco router to do your screening (denying bogus IPs, denying inbound PINGs and port scans, etc.).  Then get a REAL firewall like a low-end PIX or a Checkpoint box.

Hope this helps.
LVL 11

Accepted Solution

PennGwyn earned 50 total points
ID: 11768817
> The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP
> then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless
> we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

Your ISP is hoping that saying this will cause you to give them more money.

Any decent router/firewall will have no trouble providing a static address to an email server, and dynamic addressing (PAT) to client machines.  You *may*, just possibly, have a current router that can't do this, but you can replace it for a one-time charge.


Expert Comment

ID: 11773188
Like others have stated, the correct router will do this, and there's NO WAY they'll even know how many you have on it from their end.  Your router will be coded with your static IP, subnet, and gateway for its external address and will also be coded with an internal address to match up with your network.  For example, if you are running 10.0.0.x addressing on your network, your router could have the internal address and become the gateway for all your internal machines.  It's really pretty easy.

Expert Comment

ID: 11777805
You really only need one public static IP for the entire network.

I would recommend, for security reasons, using static NAT port translations only to the mail server.

The MX record for DNS will be pointed to the router's public address, and then you would forward TCP ports 25 and 110 inbound only to the mail server.

Then you can have one static IP and many machines inside using DHCP on the inside.

Don't let your ISP push you around.  It sounds like they are trying to take advantage of you.

I would never think of doing that to my customers.
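As an added example (not posted by anyone in this thread), here is what pseudocyber's three-legged layout and the port-forwarding advice in the comment above look like as a Linux iptables ruleset: one public address on the firewall's WAN side, a NATted internal LAN on 192.168.1.x as Marakush suggested, and the mail server in a DMZ that the Internet can reach only on TCP 25 and 110. The interface names, the DMZ subnet (192.168.2.0/24), the mail server's private address (192.168.2.25) and the mail server's own outbound SMTP/DNS rules are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: deny-by-default iptables policy for a firewall with a public
# WAN leg, a NATted LAN leg and a DMZ leg holding the mail server.
# Interface names and addresses are assumptions, not values from the thread.
set -e

IPT="${IPT:-iptables}"       # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"     # assumed: interface carrying the single public address
LAN_IF="${LAN_IF:-eth1}"     # assumed: internal network (192.168.1.x as suggested above)
DMZ_IF="${DMZ_IF:-eth2}"     # assumed: DMZ network
LAN_NET="192.168.1.0/24"
DMZ_NET="192.168.2.0/24"     # assumed
MAIL_HOST="192.168.2.25"     # assumed private address of the Linux mail server
MAIL_PORTS="25 110"          # SMTP and POP3, the only ports forwarded from outside

apply_firewall() {
    # Start clean: nothing reaches or crosses the firewall unless a rule allows it.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the inside machines already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Screening: traffic from the Internet claiming a private source address is bogus.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # PAT: every LAN client shares the firewall's public address on the way out.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # The LAN may open connections into the DMZ; the DMZ may never open one into the LAN.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Static NAT port translation: only SMTP and POP3 from the Internet reach the mail server.
    for port in $MAIL_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
             -j DNAT --to-destination "$MAIL_HOST"
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_HOST" --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # Assumed: the mail server must deliver outbound mail and resolve names itself.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$MAIL_HOST" -j MASQUERADE
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$MAIL_HOST" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$MAIL_HOST" -p udp --dport 53 -j ACCEPT
    # Anything else aimed at the DMZ from outside falls through to the DROP policy.
}

# Dry run: emit the rule lines instead of applying them (runs in a subshell so IPT
# is only overridden there).
print_rules() { ( IPT=echo; apply_firewall ); }

if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_firewall
fi
```

Run it with `FW_APPLY=1` as root to load the policy; calling `print_rules` (or setting `IPT=echo`) lists the rules without touching the live box, which is a cheap way to review the policy, for instance to confirm that the only inbound DNAT lines are the two mail ports and that the DMZ-to-LAN rule is a DROP.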

Author Comment

ID: 11783340
K thx, great answers. Wish I could give all of you points.
