sb5917
Network design issue for small office setup. Issue relates to wireless access point and DHCP settings.
I am setting up a small office set up for a Charity and have almost finished but have come across an issue with adding a wireless access point.
The Current Set-Up
The internet ---> Cable Modem -------> Netgear RP11 Websafe Router ---------> Ethernet card 1 on a SBS2003 Server ||| Ethernet Card 2 on the SBS2003 Server -------> the rest of the office.
This set up works well. Router has an internal address of 192.168.0.1. Server has 192.168.0.2 and is the DHCP server for the office. The router passes all requests for ports 0 to 1000 through to 10.168.0.2
Requirement:
To add a wireless access point so laptop users can get access to the internet but not the office network. To do this I added a LinkSys WAP 11 by a cable to the Netgear router. Now the issue is I don't know what DHCP setting I need to make on the wireless access point to make it all work. I can plug my laptop via an ethernet cable to the Netgear router, give my laptop a static IP and it will get out to the internet. If I give the WAP 11 a static IP and then my laptop a different static IP and try to connect my laptop wirelessly through the WAP 11 then it won't work. The laptop is connecting to the WAP 11 OK. I have tried getting the WAP 11 to be the DHCP server but that doesn't work either. I do not want to make the Netgear router the DHCP server as that will break the SBS2003 server.
What setting should I be using for the wireless access point? Should I bin the WAP11 and try a different model?
Feel free to ask more questions.
Let's take a step back here.
Adding dhcp to the netgear will not cause you an issue assuming you set the start address of the dhcp scope above those already statically assigned; 192.168.0.10 to 192.168.0.50 for example. As the server has a static of 192.168.0.2, this will not cause any issues.
Now you can follow Jay_Jay's suggestion and enable dhcp relay. This lets the WAP device forward on DHCP requests which should be answered by your Netgear.
Is the Netgear providing DHCP or is the server providing DHCP? I thought it was the server.
It is currently the SBS server but the Asker was not comfortable enabling it on the Netgear.
Requirement:
To add a wireless access point so laptop users can get access to the internet but not the office network.
--------------------------
1) I'm really confused by the statement that you are allowing all ports 0-1000 INTO your network...that's not smart. Why do that?
but I digress.
For that WAP to be a guest access AP separate from your local network I would think you would need a way to have it on a separate subnet overall, but that would require a separate gateway IP, either on the existing router, or an additional router.
Regardless of the way DHCP is handled, if you give wireless clients an IP on the 192.168.0.x range and a gateway IP of 192.168.0.1, then those clients WILL be on the local office network.
It's sometimes easier... As SBS comes with ISA server it is easier to let ISA just deal with it :)
ASKER
Digression - the ports 0-1000 are not open, just the usual ones 80, 443 etc. The Netgear Router is just set to forward on any traffic to the server.
The server is the DHCP server.
If we go back to the requirement "To add a wireless access point so laptop users can get access to the internet but not the office network"
I was under the impression that if I add the WAP to the router rather than to the office network then this would mean the office network was more secure as any wireless client would have to come through the SBS firewall. Is this flawed logic? The WAP doesn't have DHCP relay on it that I can see. I could change the router to be the DHCP server but, not being an experienced sys admin, I am worried that this might break everything.
I refer you to my answer above. Not quite sure what else we can tell you.
Keith's comment about ISA being on the server is true, and he's the ISA expert, but I was under the impression that it would end up bypassing the firewall because it's on the same local "LAN segment" based on the IP addresses it's giving to clients, etc.
So I guess what Keith is stating is that in essence it becomes 2 separate LANs with the same subnet info, and if they "try" to come back through the external NIC on the SBS server that it considers it "external traffic" and will block it from coming in.
Hello Cleaner.
Think of it this way (regardless of ISA actually, but assuming ISA is there as well it's perfect).
Internet
|
|
Netgear(static IP but runs dhcp starting above static entries already issued)
|
----------------------------------WAP ---- Wireless clients on a workgroup/standalone
|
SBS External NIC (static IP)
|--SBS server with either isa2000/2004
SBS Internal NIC (with DHCP set for internal NIC only)
|
----- Internal LAN & Clients----
Anyway, said my bit.
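As an added example (not part of the original thread), the address plan in the diagram above can be sanity-checked before changing any device: that the Netgear DHCP scope avoids the static addresses, and which segment a wireless guest's lease lands on. The /24 masks, the WAP address 192.168.0.3 and the internal subnet 10.0.0.0/24 are assumptions made for illustration.

```python
import ipaddress

ip = ipaddress.ip_address
# From the thread: Netgear 192.168.0.1, SBS external NIC 192.168.0.2,
# suggested Netgear DHCP scope 192.168.0.10 to 192.168.0.50.
# ASSUMED (not in the thread): /24 masks, the WAP address, the internal subnet.
PERIMETER = ipaddress.ip_network("192.168.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # constructed office LAN
STATICS = {"netgear": ip("192.168.0.1"), "sbs-external": ip("192.168.0.2"),
           "wap": ip("192.168.0.3")}  # WAP address is constructed
SCOPE = (ip("192.168.0.10"), ip("192.168.0.50"))


def scope_problems(scope, statics, network):
    """Return reasons the DHCP scope is unsafe; an empty list means it is fine."""
    start, end = scope
    problems = []
    if start > end:
        problems.append("scope start is above scope end")
    for addr in (start, end, *statics.values()):
        if addr not in network:
            problems.append(f"{addr} is outside {network}")
    for reserved in (network.network_address, network.broadcast_address):
        if start <= reserved <= end:
            problems.append(f"scope includes reserved address {reserved}")
    for name, addr in statics.items():
        if start <= addr <= end:
            problems.append(f"static {name} ({addr}) is inside the scope")
    return problems


def guest_exposure(lease, perimeter, internal, statics):
    """Describe which segment a wireless guest holding `lease` lands on.

    Address-plan check only: real blocking still depends on the firewall
    policy of the dual-homed server between the two segments.
    """
    lease = ip(lease)
    if perimeter.overlaps(internal):
        raise ValueError("perimeter and internal subnets overlap")
    on_perimeter = lease in perimeter
    neighbours = sorted(n for n, a in statics.items() if a in perimeter)
    return {"on_perimeter": on_perimeter,
            "on_office_lan": lease in internal,
            "direct_neighbours": neighbours if on_perimeter else []}


if __name__ == "__main__":
    print(scope_problems(SCOPE, STATICS, PERIMETER))
    print(guest_exposure("192.168.0.10", PERIMETER, INTERNAL, STATICS))
```

A guest lease from the Netgear scope shares a segment only with the router, the WAP and the server's external NIC; a lease that falls inside the internal subnet means the WAP has been cabled to the wrong side of the server.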
Yep, makes perfect sense of course.
I wasn't paying much attention to the dual-homed nature of the server, and treating it as a single NIC on the SBS server at first.
:)
ASKER
Ok I'll have a go at that. Can someone point me in the direction of how to do this bit though:
SBS Internal NIC (with DHCP set for internal NIC only).
Many Thanks
Simon
Exactly :)
i.e. right-click the DHCP server and select Properties - Bindings in the DHCP manager.
You need to set your Access Point to allow DHCP Relay - most of them have this option. It then relays DHCP from an existing server, in your case your SBS server.