Solved

networking for a small corporation

Posted on 2004-08-10
224 Views
Last Modified: 2010-04-11
I have never done any real networking job but am presented with this task; I would like some help/guidance with this, thx

Looking to establish a network of 30 computers, with a mail server.

Our current setup is ISP ----> Router ----> Network

We can have 5 static IPs, but it's currently set to dynamic to allow all 30 computers to be online at the same time.

The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

And of course, security is an issue too, since the ISP doesn't do port mapping; the ISP told us the only way to receive mail from the internet is for them to open up everything on the router for the particular IP address that the mail server will be set up at. The mail server will have no firewall protection from the router that way.

So I was thinking of making a proxy server with one of the computers; the setup I was thinking of is:

ISP ---> Router ---> (split):

1st IP address : Proxy Machine ----> Network
2nd IP : Firewall ----> Mail server
3-5th IP : future expansion

The Proxy machine will be protected by the router's firewall.

The Mail server will be protected by an additional firewall machine I will set up.

All computers run in an MS environment, except the mail server, which is on Linux. The firewall hasn't been decided yet.

Will this setup work, or can anything be modified to make it more efficient?

What firewall should I use? Preferably free, stable, and one that can be installed on a lower-end machine.

Thx in advance for your help.
Question by:chaoslord
7 Comments
LVL 10

Assisted Solution

by:ngravatt
ngravatt earned 50 total points
ID: 11766962
Well, what you can do is, setup a Domain Controller and have DHCP enabled on it.  A computer with Windows Server can do this.  With DHCP, you can have hundreds of Private IP addresses.

Your email server and domain controller can have Static IP addresses, and the remaining 30 computers can use DHCP to obtain private IP addresses from the Domain Controller.

LVL 8

Assisted Solution

by:Marakush
Marakush earned 150 total points
ID: 11767031
Okay, not a problem.

Get a firewall like a SonicWall Pro 100 or PIX 503, something fairly cheap with a DMZ port.

You can use faux addresses on the LAN side of the firewall, kinda like 192.168.1.x

You can use one of your real addresses on the WAN port of the firewall

You can use one of your real addresses on the mail server sitting in the DMZ of your firewall

You can do it with a less expensive router than buying a full-blown firewall. But if you want to add another server, you are kind of limited using the built-in DMZ function of a cheaper gateway router.

Marakush
LVL 27

Assisted Solution

by:pseudocyber
pseudocyber earned 250 total points
ID: 11767047
Your ISP is full of #$%$#%.

The way everyone else in the world does it (except evidently, your ISP) is to get an Internet connection with a public address or a block of addresses and either NAT everything, or almost everything.  Your email box could have a STATIC NAT so the outside address is on the internet side, and the private address is in your DMZ.

Depending on your connection - the feed comes into a box (modem or csu/dsu) and then into a router (except dsl or cable).  I'm going to go with the scenario where you have a line, a modem, and a router.

Anyway, you have a connection coming into your router.  It has an external address and you can NAT (Network Address Translation) to your internal networks.  In your scenario, I would put an IP on a GOOD firewall and then separate your networks - have a private, internal network, where EVERYONE is NATted by the firewall.  Then, have a SEPARATE network which is your DMZ (Demilitarized zone), where your Internet facing servers sit.  Your firewall would have the job of making sure requests to your email server are ONLY email and allowing connections coming from INSIDE your network to the DMZ.  Any other connections to the DMZ would be denied - unless you specifically set them up.  All inbound connections to your internal LAN are denied, unless specifically set up in the firewall, UNLESS they are a reply to an ESTABLISHED CONNECTION initiated by the inside machines.

It sounds like you're leaning toward the low end for your gear.  I would encourage you NOT to go this direction willingly.  Or if you do, to invest some time and learn how to use the open source software to do it - Linux IPTABLES.  Even if you go with a Linux firewall, you probably ought to go with one of the many companies that are doing them.

However, I would recommend something like a low end Cisco router to do your screening (denying bogus IPs, denying inbound PINGS and port scans, etc).  Then get a REAL firewall like a low end PIX or a Checkpoint box.

Hope this helps.
LVL 11

Accepted Solution

by:PennGwyn
PennGwyn earned 50 total points
ID: 11768817
> The problem come with the mail server which require a static IP,  and the ISP told us that if we were to set 1 static ip
> then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless
> we buy more ip address. It's a all or nothing situation. Which is something we are not looking forward to do.

Your ISP is hoping that saying this will cause you to give them more money.

Any decent router/firewall will have no trouble providing a static address to an email server, and dynamic addressing (PAT) to client machines.  You *may*, just possibly, have a current router that can't do this, but you can replace it for a one-time charge.

LVL 1

Expert Comment

by:BeerAngel
ID: 11773188
Like others have stated, the correct router will do this and there's NO WAY they'll even know how many you have on it from their end.  Your router will be coded with your static IP, subnet, and gateway for its external address and will also be coded with an internal address to match up with your network.  For example, if you are running 10.0.0.x addressing on your network, your router could have the 10.0.0.1 internal address and become the gateway for all your internal machines.  It's really pretty easy.
LVL 2

Expert Comment

by:Fire_fly321
ID: 11777805
You really only need one public static IP for the entire network.

I would recommend, for security reasons, using static NAT port translations only to the mail server.

The MX record for DNS will be pointed to the router's public address and then you would forward TCP ports 25 and 110 inbound only to the mail server.

Then you can have one static IP and many machines inside using DHCP on the inside.

Don't let your ISP push you around.  It sounds like they are trying to take advantage of you.

I would never think of doing that to my customers.
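One way to implement the policy pseudocyber and Fire_fly321 describe (the LAN NATted behind the single public IP, the mail server in a separate DMZ, only the mail ports forwarded inbound, everything else into the LAN denied unless it is a reply to a connection the inside opened) on a Linux box with iptables. This is an added example, not code from the thread; the interface names, private ranges and mail server address are assumptions.

```shell
#!/bin/sh
# Added example: generates an iptables ruleset for the design discussed above.
# Assumed layout: eth0 = WAN (the one public IP), eth1 = LAN, eth2 = DMZ.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}; LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_IF=${DMZ_IF:-eth2}; DMZ_NET=${DMZ_NET:-192.168.2.0/24}
MAIL_HOST=${MAIL_HOST:-192.168.2.25}   # assumed address of the mail server in the DMZ
MAIL_PORTS=${MAIL_PORTS:-"25 110"}     # 25 = SMTP; leave 110 out if nobody collects POP3 from outside

rule() { printf '%s\n' "$*"; }         # one rule per line, iptables-restore syntax

build_rules() {                        # prints the complete ruleset; applies nothing
  rule '*nat'
  rule ':PREROUTING ACCEPT [0:0]'
  rule ':POSTROUTING ACCEPT [0:0]'
  for p in $MAIL_PORTS; do             # static NAT: only the mail ports reach the mail server
    rule -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" -j DNAT --to-destination "$MAIL_HOST"
  done
  rule -A POSTROUTING -o "$WAN_IF" -j MASQUERADE   # PAT: every inside host shares the public IP
  rule COMMIT
  rule '*filter'
  rule ':INPUT DROP [0:0]'
  rule ':FORWARD DROP [0:0]'           # default deny between all networks
  rule ':OUTPUT ACCEPT [0:0]'
  # replies to connections initiated from inside are the only unsolicited traffic let through
  rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # bogus packets: our own private ranges can never legitimately arrive on the WAN port
  rule -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
  rule -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP
  # the internal LAN may open connections to the DMZ and to the Internet
  rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  # the Internet may open connections to the mail server on the mail ports only
  # (PREROUTING has already rewritten the destination to MAIL_HOST)
  for p in $MAIL_PORTS; do
    rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MAIL_HOST" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # the mail server needs outbound SMTP and DNS to deliver mail; it never gets into the LAN
  rule -A FORWARD -i "$DMZ_IF" -s "$MAIL_HOST" -o "$WAN_IF" -p tcp --dport 25 -j ACCEPT
  rule -A FORWARD -i "$DMZ_IF" -s "$MAIL_HOST" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
  rule -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
  rule COMMIT
}

count_rules_matching() { build_rules | grep -c -- "$1"; }   # quick self-check helper

if [ "$1" = "apply" ]; then build_rules | iptables-restore; fi   # as root: ./fw.sh apply
build_rules
```

Run it without arguments to review the generated rules; with `apply` as root it loads them through `iptables-restore`.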

Author Comment

by:chaoslord
ID: 11783340
K thx, great answers. Wish I could give all of you points