networking for a small corporation

Posted on 2004-08-10
Medium Priority
Last Modified: 2010-04-11
I have never done any real networking job but am presented with this task; I would like some help/guidance on this, thanks.

Looking to establish a network of 30 computers, with a mail server.

Our current setup is ISP ----> Router ----> Network

We can have 5 static IPs, but it's currently set to dynamic to allow all 30 computers to be online at the same time.

The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

And of course, security is an issue too. Since the ISP doesn't do port mapping, the ISP told us the only way to receive mail from the internet is for them to open up everything on the router for the particular IP address that the mail server will be set up at. The mail server will have no firewall protection from the router that way.

So I was thinking of making a proxy server with one of the computers. The setup I was thinking of is:

ISP ---> Router ---> (split):

1st IP address : Proxy Machine ----> Network
2nd IP : Firewall ----> Mail server
3rd-5th IP : future expansion

The proxy machine will be protected by the router's firewall.

The mail server will be protected by an additional firewall machine I will set up.

All computers run in an MS environment, except the mail server, which is on Linux. The firewall hasn't been decided yet.

Will this setup work? Or can anything be modified to make it more efficient?

What firewall should I use? Preferably free, stable, and installable on a lower-end machine.

Thanks in advance for your help.
Question by:chaoslord
LVL 10

Assisted Solution

ngravatt earned 200 total points
ID: 11766962
Well, what you can do is set up a Domain Controller and have DHCP enabled on it. A computer with Windows Server can do this. With DHCP, you can have hundreds of private IP addresses.

Your email server and domain controller can have Static IP addresses, and the remaining 30 computers can use DHCP to obtain private IP addresses from the Domain Controller.


Assisted Solution

Marakush earned 600 total points
ID: 11767031
Okay, not a problem.

Get a firewall like a Sonicwall Pro 100 or PIX 503, something fairly cheap with a DMZ port.

You can use faux addresses on the LAN side of the firewall, kinda like 192.168.1.x

You can use one of your real addresses on the WAN port of the firewall

You can use one of your real addresses on the mail server sitting in the DMZ of your firewall

You can do it with a less expensive router than buying a full-blown firewall. But if you want to add another server, you are kind of limited using the built-in DMZ function of a cheaper gateway router.

LVL 27

Assisted Solution

pseudocyber earned 1000 total points
ID: 11767047
Your ISP is full of #$%$#%.

The way everyone else in the world does it (except, evidently, your ISP) is to get an Internet connection with a public address or a block of addresses and either NAT everything, or almost everything. Your email box could have a STATIC NAT so the outside address is on the Internet side, and the private address is in your DMZ.

Depending on your connection, the feed comes into a box (modem or CSU/DSU) and then into a router (except DSL or cable). I'm going to go with the scenario where you have a line, a modem, and a router.

Anyway, you have a connection coming into your router. It has an external address and you can NAT (Network Address Translation) to your internal networks. In your scenario, I would put an IP on a GOOD firewall and then separate your networks: have a private, internal network, where EVERYONE is NATted by the firewall. Then, have a SEPARATE network which is your DMZ (Demilitarized Zone), where your Internet-facing servers sit. Your firewall would have the job of making sure requests to your email server are ONLY email and allowing connections coming from INSIDE your network to the DMZ. Any other connections to the DMZ would be denied, unless you specifically set them up. All inbound connections to your internal LAN are denied, unless specifically set up in the firewall, UNLESS they are a reply to an ESTABLISHED CONNECTION initiated by the inside machines.

It sounds like you're leaning toward the low end for your gear. I would encourage you NOT to go this direction willingly. Or, if you do, to invest some time and learn how to use the open source software to do it: Linux IPTABLES. Even if you go with a Linux firewall, you probably ought to go with one of the many companies that are doing them.

However, I would recommend something like a low-end Cisco router to do your screening (denying bogus IPs, denying inbound PINGs and port scans, etc.). Then get a REAL firewall like a low-end PIX or a Checkpoint box.

Hope this helps.

LVL 11

Accepted Solution

PennGwyn earned 200 total points
ID: 11768817
> The problem comes with the mail server, which requires a static IP, and the ISP told us that if we were to set 1 static IP
> then the whole dynamic setting will be taken out and only 5 computers in the organization can go online at a time unless
> we buy more IP addresses. It's an all-or-nothing situation, which is something we are not looking forward to doing.

Your ISP is hoping that saying this will cause you to give them more money.

Any decent router/firewall will have no trouble providing a static address to an email server and dynamic addressing (PAT) to client machines. You *may*, just possibly, have a current router that can't do this, but you can replace it for a one-time charge.


Expert Comment

ID: 11773188
Like others have stated, the correct router will do this, and there's NO WAY they'll even know how many you have on it from their end. Your router will be coded with your static IP, subnet, and gateway for its external address and will also be coded with an internal address to match up with your network. For example, if you are running 10.0.0.x addressing on your network, your router could have the internal address and become the gateway for all your internal machines. It's really pretty easy.

Expert Comment

ID: 11777805
You really only need one public static IP for the entire network.

I would recommend, for security reasons, using static NAT port translations only to the mail server.

The MX record in DNS will be pointed to the router's public address, and then you would forward TCP ports 25 and 110 inbound only to the mail server.

Then you can have one static IP and many machines inside using DHCP on the inside.

Don't let your ISP push you around.  It sounds like they are trying to take advantage of you.

I would never think of doing that to my customers.

Author Comment

ID: 11783340
OK, thanks, great answers. I wish I could give all of you points.


Question has a verified solution.
