Solved

Network Design

Posted on 2008-10-25
10
305 Views
Last Modified: 2010-03-18
I would like to add an off the shelf netgear wireless router to my existing network.
The hitch is this - this is for customers, and I don't want them to be able to access our server.

Right now, I have a DSL modem connected to a ZyXel ZyWall 2 Plus Internet Security Appliance doing DHCP, connected to a switch, which connects out to the computers on the internal network. The final wrinkle in all of this is that I will be bringing a windows server onto the network soon w/ one NIC - it will take over the DHCP and the DHCP on the Zyxel will be disabled.

Which of the following should I do?  (or neither?)
DSL modem
    |
switch(a)
    |    
wireless router doing DHCP for the external wireless users
AND switch(a) to a
ZyXel ZyWall 2 doing DHCP for the internal users,
                      \
connected to a switch(b), which connects out to the computers on the internal network.

_______________

OR:

DSL modem
    |    
ZyXel ZyWall 2 doing DHCP for the internal users,
    |
wireless router NOT doing DHCP for the external wireless users
AND
connected Zyxel to a switch(b), which connects out to the computers on the internal network.
0
Comment
Question by:erkwong
10 Comments
 
LVL 13

Assisted Solution

by:Quori
Quori earned 50 total points
ID: 22802278
DSL modem
    |
switch
    |    
wireless router doing DHCP for the external wireless users
ZyXel ZyWall 2 doing DHCP for the internal users

One switch. On the wireless router add rules to prevent access to the server IP's either via firewall policy (if it has them) or just a static route for the individual server IP (use mask 255.255.255.255 to reference singular host and not subnet) redirecting it to a bitbucket so it isn't routable.
0
 
LVL 11

Assisted Solution

by:jgmontgo
jgmontgo earned 150 total points
ID: 22802693

I agree with the suggestions of Quori. I would only make a slight modification to how everything is arranged:

DSL modem
    |    
wireless router doing DHCP for the external wireless users
    |    
ZyXel ZyWall 2 doing DHCP for the internal users
  |
switch

This keeps the internal network behind the ZyXel so you can protect the internal network. This also frees the switch up for internal use. Also this makes it unnecessary to add rules to the public wireless router, but you can still add rules to the ZyXel to prohibit access (this should already be on by default).

0
 
LVL 11

Expert Comment

by:jgmontgo
ID: 22802698
Oops, one more thing. The ZyXel would be on a separate internal network. So, for example, you would address the internal network of the wireless router with 192.168.0.1 with all of the users using addresses of 192.168.0.x, and the ZyXel would be 192.168.1.1 with all of the internal users being 192.168.1.x.
0
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 100 total points
ID: 22802712
Link to manual:
ftp://ftp.zyxel.com/ZyWALL_2_Plus/user_guide/ZyWALL%202%20Plus_4.03.pdf

Chapter 10 shows how to configure one of the ports specifically as a WLAN port, used to connect a wireless access point, separate from the internal network.
0
 
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 200 total points
ID: 22802765
First, you may need more than 1 IP to put a switch right after the modem.
Is the WAN address of the ZyWall currently a private IP or public IP?
(the private ranges are 10.x.x.x, 169.254.x.x, 172.16.x.x to 172.32.x.x, and 192.168.x.x)
If it's already a private IP, then the modem probably has a DHCP server in it too and you won't need an extra IP address.


> On the wireless router add rules to prevent access to the server IP's either via firewall policy

The ZyWall appliance should take care of that if switch(a) is between the ZyWall and the DSL modem.

I recommend changing the wireless router to a different IP range than your local network uses, though. e.g. if you're using 192.168.1.0, make the wireless router's LAN address 192.168.168.1  subnet mask 255.255.255.0
The 3rd octet can be anything you want, but I recommend changing it from 0 or 1 because windows ICS uses the 192.168.0.0 network by default, and 192.168.1.0 is the default LAN network used by most routers (including ZyXel's).
That's just to make it easier to see who's connected to what network, not because it might confuse the ZyWall... the ZyWall should NOT automatically let 192.168.1.x through the WAN port to the LAN side.

Regardless of whether you need to buy an extra IP from your provider, ''switch(a)'' doesn't need to be a managed switch as long as you can physically secure it (to keep anyone that wants to from plugging into it and bypassing your ZyWall). An inexpensive 4 or 5 port switch should work fine for that.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22802769
> First, you may need more than 1 IP to put a switch right after the modem.

kdearing's post takes care of that.  I guess I should have hit Refresh before I posted. :-)
0
 
LVL 11

Expert Comment

by:jgmontgo
ID: 22802810
Darr247, I checked the user guide and I am not too comfortable with the method suggested by kdearing's post. This places the wireless (public) network inside the private network. The only thing I see that can be limited is NETBIOS traffic. So this may be a bad idea.
Placing the switch between the modem and the 2 devices may be an issue depending on what addresses you have available. That said, if the switch were a managed switch with the ability to create subnets, you may increase the security level. This is a more expensive approach however.
Placing the ZyWall after the public router is actually the proper way to deal with this situation because it keeps the public network away from the private network. Remember the ZyWall is a firewall.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 22803385
jgmontgo-
There is a note at the bottom of the screen, "you also need to create a firewall rule".
You can easily create the rule to disallow access to the internal network.

If that method isn't satisfactory, then put the port in the 'DMZ Zone'.
Chapter 9, same manual.
0
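A small model of the zoning this thread converges on (Darr247's separate guest subnet plus kdearing's explicit WLAN-to-LAN firewall rule), added here as an illustration; it is not code from the thread or from the ZyWall. The addresses, zone names and rule format are constructed, and the default-deny fallback is an assumption of the model, not a claim about ZyWall defaults.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing following the thread: internal LAN left on the ZyWall
# default 192.168.1.0/24, guest wireless moved to 192.168.168.0/24 (Darr247's
# suggestion). Anything outside these two networks is treated as WAN.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WLAN": ipaddress.ip_network("192.168.168.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"

# Zone-to-zone policy, first match wins; unlisted pairs fall to default deny
# (an assumption of this model). The WLAN->LAN deny is the rule kdearing
# says has to be created explicitly when a port is made a WLAN port.
POLICY = [
    Rule("WLAN", "LAN", "deny"),
    Rule("WLAN", "WAN", "allow"),
    Rule("LAN", "WAN", "allow"),
]

def zone_of(ip: str) -> str:
    """Map an address to the zone whose network contains it, else WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip: str, dst_ip: str, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for a flow between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same zone: the firewall never sees the packet
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) == (src, dst):
            return rule.action
    return "deny"  # default deny for any unlisted zone pair

def subnets_overlap(a: str, b: str) -> bool:
    """Guest and internal ranges must not overlap, or zone lookup is ambiguous."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def guest_isolated(policy=POLICY) -> bool:
    """True when a guest host cannot reach an internal host under the policy."""
    return evaluate("192.168.168.20", "192.168.1.10", policy) == "deny"
```

Putting a broad WLAN-to-LAN allow ahead of the deny (a common ordering mistake) makes guest_isolated return False, which is the check worth running before going live.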
 
LVL 11

Expert Comment

by:jgmontgo
ID: 22804951
kdearing, that is true, and in fact it looks like the wireless configuration is pretty similar to that of the DMZ Zone. Sorry I didn't notice that when I first looked.
So yea, as long as you take the precautions mentioned by kdearing in creating an access rule, you are safe with that method.
0
 

Author Comment

by:erkwong
ID: 22805191
Thanks all - That answers almost all of my questions.
I'll refer back to this when I am actually installing, along w/ the instruction manual.
0
