Solved

Network Design

Posted on 2008-10-25
Last Modified: 2010-03-18
I would like to add an off the shelf netgear wireless router to my existing network.
The hitch is this - this is for customers, and I don't want them to be able to access our server.

Right now, I have a DSL modem connected to a ZyXel ZyWall 2 Plus Internet Security Appliance doing DHCP, connected to a switch, which connects out to the computers on the internal network. The final wrinkle in all of this is that I will be bringing a windows server onto the network soon w/ one NIC - it will take over the DHCP and the DHCP on the Zyxel will be disabled.

Which of the following should I do?  (or neither?)
DSL modem
    |
switch(a)
    |    
wireless router doing DHCP for the external wireless users
AND switch(a) to a
ZyXel ZyWall 2 doing DHCP for the internal users,
                      \
connected to a switch(b), which connects out to the computers on the internal network.

_______________

OR:

DSL modem
    |    
ZyXel ZyWall 2 doing DHCP for the internal users,
    |
wireless router NOT doing DHCP for the external wireless users
AND
connected Zyxel to a switch(b), which connects out to the computers on the internal network.
Question by:erkwong
LVL 13

Assisted Solution

by:Quori
Quori earned 50 total points
ID: 22802278
DSL modem
    |
switch
    |    
wireless router doing DHCP for the external wireless users
ZyXel ZyWall 2 doing DHCP for the internal users

One switch. On the wireless router add rules to prevent access to the server IP's either via firewall policy (if it has them) or just a static route for the individual server IP (use mask 255.255.255.255 to reference singular host and not subnet) redirecting it to a bitbucket so it isn't routable.
LVL 11

Assisted Solution

by:jgmontgo
jgmontgo earned 150 total points
ID: 22802693

I agree with the suggestions of Quori. I would only make a slight modification to how everything is arranged:

DSL modem
    |    
wireless router doing DHCP for the external wireless users
    |    
ZyXel ZyWall 2 doing DHCP for the internal users
  |
switch

This keeps the internal network behind the ZyXel so you can protect the internal network. This also frees the switch up for internal use. Also this makes it unnecessary to add rules to the public wireless router, but you can still add rules to the ZyXel to prohibit access (this should already be on by default).

LVL 11

Expert Comment

by:jgmontgo
ID: 22802698
Oops, one more thing. The ZyXel would be on a separate internal network. So, for example, you would address the internal network of the wireless router with 192.168.0.1 with all of the users using addresses of 192.168.0.x, and the ZyXel would be 192.168.1.1 with all of the internal users being 192.168.1.x.
LVL 13

Assisted Solution

by:kdearing
kdearing earned 100 total points
ID: 22802712
Link to manual:
ftp://ftp.zyxel.com/ZyWALL_2_Plus/user_guide/ZyWALL%202%20Plus_4.03.pdf

Chapter 10 shows how to configure one of the ports specifically as a WLAN port, used to connect a wireless access point, separate from the internal network.
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 200 total points
ID: 22802765
First, you may need more than 1 IP to put a switch right after the modem.
Is the WAN address of the ZyWall currently a private IP or public IP?
(the private ranges are 10.x.x.x, 169.254.x.x, 172.16.x.x to 172.32.x.x, and 192.168.x.x)
If it's already a private IP, then the modem probably has a DHCP server in it too and you won't need an extra IP address.


> On the wireless router add rules to prevent access to the server IP's either via firewall policy

The ZyWall appliance should take care of that if switch(a) is between the ZyWall and the DSL modem.

I recommend changing the wireless router to a different IP range than your local network uses, though. E.g. if you're using 192.168.1.0, make the wireless router's LAN address 192.168.168.1, subnet mask 255.255.255.0.
The 3rd octet can be anything you want, but I recommend changing it from 0 or 1 because windows ICS uses the 192.168.0.0 network by default, and 192.168.1.0 is the default LAN network used by most routers (including ZyXel's).
That's just to make it easier to see who's connected to what network, not because it might confuse the ZyWall... the ZyWall should NOT automatically let 192.168.1.x through the WAN port to the LAN side.

Regardless of whether you need to buy an extra IP from your provider, ''switch(a)'' doesn't need to be a managed switch as long as you can physically secure it (to keep anyone that wants to from plugging into it and bypassing your ZyWall). An inexpensive 4 or 5 port switch should work fine for that.
LVL 44

Expert Comment

by:Darr247
ID: 22802769
> First, you may need more than 1 IP to put a switch right after the modem.

kdearing's post takes care of that.  I guess I should have hit Refresh before I posted. :-)
LVL 11

Expert Comment

by:jgmontgo
ID: 22802810
Darr247, I checked the user guide and I am not too comfortable with the method suggested by kdearing's post. This places the wireless (public) network inside the private network. The only thing I see that can be limited is NETBIOS traffic. So this may be a bad idea.
Placing the switch between the modem and the 2 devices may be an issue depending on what addresses you have available. That said, if the switch were a managed switch with the ability to create subnets, you may increase the security level. This is a more expensive approach however.
Placing the ZyWall after the public router is actually the proper way to deal with this situation because it keeps the public network away from the private network. Remember the ZyWall is a firewall.
LVL 13

Expert Comment

by:kdearing
ID: 22803385
jgmontgo-
There is a note at the bottom of the screen, "you also need to create a firewall rule".
You can easily create the rule to disallow access to the internal network.

If that method isn't satisfactory, then put the port in the 'DMZ Zone'.
Chapter 9, same manual.
LVL 11

Expert Comment

by:jgmontgo
ID: 22804951
kdearing, that is true, and in fact it looks like the wireless configuration is pretty similar to that of the DMZ Zone. Sorry I didn't notice that when I first looked.
So yea, as long as you take the precautions mentioned by kdearing in creating an access rule, you are safe with that method.
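kdearing and jgmontgo settle on "WLAN port plus a firewall rule that disallows access to the internal network". The thing worth verifying about such a rule is not that it exists but that nothing earlier in the rule order shadows it. This added example (written for this page; the zone names, sample addresses and both rule sets are constructed, and neither is the ZyWall's actual default policy) evaluates zone-to-zone rules first-match, the way most appliance firewalls do, and shows the same deny rule working in one ordering and silently ignored in another.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone plan following the thread: the wireless router's LAN on
# its own subnet (Darr247's 192.168.168.0/24) and the internal LAN on the
# ZyWall's default 192.168.1.0/24. Anything else counts as the WAN side.
ZONES = {
    "WLAN": ipaddress.ip_network("192.168.168.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

@dataclass
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    action: str   # "allow" or "deny"

def evaluate(src_ip, dst_ip, policy):
    """First-match evaluation; nothing matched means implicit deny."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if r.src in (s, "any") and r.dst in (d, "any"):
            return r.action
    return "deny"

def wlan_isolated(policy):
    """The customer requirement: a wireless host must not reach the LAN.
    Uses the real rule walk, so a deny shadowed by an earlier allow fails."""
    return evaluate("192.168.168.20", "192.168.1.10", policy) == "deny"

# The rule the manual's note calls for: WLAN blocked from the internal LAN
# but allowed out to the Internet; internal users unrestricted.
GOOD_POLICY = [Rule("WLAN", "LAN", "deny"),
               Rule("WLAN", "WAN", "allow"),
               Rule("LAN", "any", "allow")]

# Same intent, wrong order: the broad allow matches first, the deny never fires.
BAD_POLICY = [Rule("WLAN", "any", "allow"),
              Rule("WLAN", "LAN", "deny")]
```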

Author Comment

by:erkwong
ID: 22805191
Thanks all - That answers almost all of my questions.
I'll refer back to this when I am actually installing, along w/ the instruction manual.