Solved

Network Design

Posted on 2008-10-25
10
274 Views
Last Modified: 2010-03-18
I would like to add an off the shelf netgear wireless router to my existing network.
The hitch is this - this is for customers, and I don't want them to be able to access our server.

Right now, I have a DSL modem connected to a ZyXel ZyWall 2 Plus Internet Security Appliance doing DHCP, connected to a switch, which connects out to the computers on the internal network. The final wrinkle in all of this is that I will be bringing a Windows server onto the network soon w/ one NIC - it will take over the DHCP and the DHCP on the ZyXel will be disabled.

Which of the following should I do?  (or neither?)
DSL modem
    |
switch(a)
    |    
wireless router doing DHCP for the external wireless users
AND switch(a) to a
ZyXel ZyWall 2 doing DHCP for the internal users,
                      \
connected to a switch(b), which connects out to the computers on the internal network.

_______________

OR:

DSL modem
    |    
ZyXel ZyWall 2 doing DHCP for the internal users,
    |
wireless router NOT doing DHCP for the external wireless users
AND
connected Zyxel to a switch(b), which connects out to the computers on the internal network.
Question by:erkwong
10 Comments
 
LVL 13

Assisted Solution

by:Quori
Quori earned 50 total points
DSL modem
    |
switch
    |    
wireless router doing DHCP for the external wireless users
ZyXel ZyWall 2 doing DHCP for the internal users

One switch. On the wireless router add rules to prevent access to the server IPs, either via firewall policy (if it has them) or just a static route for the individual server IP (use mask 255.255.255.255 to reference a singular host and not a subnet) redirecting it to a bitbucket so it isn't routable.
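The static-route suggestion above relies on longest-prefix matching: a host route with mask 255.255.255.255 (/32) for the server is more specific than the default route, so it wins, and sending it nowhere discards only that server's traffic. The following is an added illustration, not code from the post or from any ZyXel or Netgear device; the routing table, the 192.168.168.0/24 wireless range, the 192.168.1.10 server address and the 203.0.113.1 gateway are all constructed for the example.

```python
import ipaddress

# Constructed routing table for the customer-facing wireless router (not a real
# device config). Each entry is (destination prefix, next hop); a next hop of
# None models the "bitbucket" in the post: the packet is discarded, not forwarded.
DSL_GATEWAY = "203.0.113.1"        # constructed documentation address for the modem side
INTERNAL_SERVER = "192.168.1.10"   # constructed address for the internal server


def host_route(ip):
    """Build a single-host destination using the 255.255.255.255 mask from the post."""
    return str(ipaddress.ip_network(f"{ip}/255.255.255.255"))   # e.g. "192.168.1.10/32"


ROUTES = [
    ("0.0.0.0/0", DSL_GATEWAY),            # default route: everything else goes out to the modem
    ("192.168.168.0/24", "connected"),     # the wireless LAN itself (constructed range)
    (host_route(INTERNAL_SERVER), None),   # static route for the server only, sent nowhere
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins.
    Returns the next hop, or None when the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def blackhole_scope(ip, mask):
    """How many addresses a route for ip/mask actually covers. This is why the
    mask matters: 255.255.255.255 covers one host, 255.255.255.0 the whole /24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False).num_addresses


if __name__ == "__main__":
    for dst in (INTERNAL_SERVER, "192.168.1.11", "192.168.168.5", "198.51.100.9"):
        print(dst, "->", lookup(dst))
    print("hosts covered by /32:", blackhole_scope(INTERNAL_SERVER, "255.255.255.255"))
    print("hosts covered by /24:", blackhole_scope(INTERNAL_SERVER, "255.255.255.0"))
```

Running it shows the server address resolving to a drop while a neighbouring internal address (192.168.1.11) still follows the default route: the host route protects exactly one IP, so every internal host you care about needs its own entry. That is the maintenance cost the later replies avoid by keeping the ZyWall between the public and private networks.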
LVL 11

Assisted Solution

by:jgmontgo
jgmontgo earned 150 total points

I agree with the suggestions of Quori. I would only make a slight modification to how everything is arranged:

DSL modem
    |    
wireless router doing DHCP for the external wireless users
    |    
ZyXel ZyWall 2 doing DHCP for the internal users
  |
switch

This keeps the internal network behind the ZyXel so you can protect the internal network. This also frees the switch up for internal use. Also, this makes it unnecessary to add rules to the public wireless router, but you can still add rules to the ZyXel to prohibit access (this should already be on by default).

LVL 11

Expert Comment

by:jgmontgo
Oops, one more thing. The ZyXel would be on a separate internal network. So, for example, you would address the internal network of the wireless router with 192.168.0.1 with all of the users using addresses of 192.168.0.x, and the ZyXel would be 192.168.1.1 with all of the internal users being 192.168.1.x.
LVL 13

Assisted Solution

by:kdearing
kdearing earned 100 total points
Link to manual:
ftp://ftp.zyxel.com/ZyWALL_2_Plus/user_guide/ZyWALL%202%20Plus_4.03.pdf

Chapter 10 shows how to configure one of the ports specifically as a WLAN port, used to connect a wireless access point, separate from the internal network.
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 200 total points
First, you may need more than 1 IP to put a switch right after the modem.
Is the WAN address of the ZyWall currently a private IP or public IP?
(the private ranges are 10.x.x.x, 169.254.x.x, 172.16.x.x to 172.32.x.x, and 192.168.x.x)
If it's already a private IP, then the modem probably has a DHCP server in it too and you won't need an extra IP address.


> On the wireless router add rules to prevent access to the server IP's either via firewall policy

The ZyWall appliance should take care of that if switch(a) is between the ZyWall and the DSL modem.

I recommend changing the wireless router to a different IP range than your local network uses, though. E.g. if you're using 192.168.1.0, make the wireless router's LAN address 192.168.168.1, subnet mask 255.255.255.0.
The 3rd octet can be anything you want, but I recommend changing it from 0 or 1 because Windows ICS uses the 192.168.0.0 network by default, and 192.168.1.0 is the default LAN network used by most routers (including ZyXel's).
That's just to make it easier to see who's connected to what network, not because it might confuse the ZyWall... the ZyWall should NOT automatically let 192.168.1.x through the WAN port to the LAN side.

Regardless of whether you need to buy an extra IP from your provider, ''switch(a)'' doesn't need to be a managed switch as long as you can physically secure it (to keep anyone that wants to from plugging into it and bypassing your ZyWall). An inexpensive 4 or 5 port switch should work fine for that.
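The two address-planning rules in this thread (jgmontgo's point that the wireless and internal networks must be separate subnets, and Darr247's advice to check whether the ZyWall's WAN address is already private and to pick a wireless range that avoids 192.168.0.0/24 and 192.168.1.0/24) can be checked mechanically before touching any hardware. The script below is an added example, not part of the original thread or of any ZyXel documentation; the RFC 1918 ranges plus 169.254.0.0/16 link-local are what it treats as non-public, and all sample addresses are constructed.

```python
import ipaddress

# Non-public address space: RFC 1918 private ranges plus link-local (169.254/16).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Ranges to avoid for the guest wireless LAN: Windows ICS default and the
# typical consumer/ZyXel router default, as the accepted answer recommends.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def wan_is_private(wan_ip):
    """True if the ZyWall's WAN address is in a non-public range, which implies
    the DSL modem is already doing NAT/DHCP on its inside interface."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in n for n in RFC1918) or addr in LINK_LOCAL


def extra_public_ip_needed(wan_ip):
    """Darr247's rule: a switch directly behind the modem needs a second address
    from the provider unless the modem already hands out private addresses."""
    return not wan_is_private(wan_ip)


def check_wireless_subnet(lan_cidr, wireless_cidr):
    """Return a list of problems with a proposed guest wireless range; empty means OK."""
    lan = ipaddress.ip_network(lan_cidr)
    wl = ipaddress.ip_network(wireless_cidr)
    problems = []
    if lan.overlaps(wl):
        problems.append("overlaps the internal LAN")
    if any(wl.overlaps(d) for d in COMMON_DEFAULTS):
        problems.append("uses a common default range (192.168.0.0/24 or 192.168.1.0/24)")
    if not any(wl.subnet_of(n) for n in RFC1918):
        problems.append("not an RFC 1918 private range")
    return problems


def wireless_gateway(wireless_cidr):
    """First usable host of the range, the address to give the wireless router's LAN side."""
    return str(next(ipaddress.ip_network(wireless_cidr).hosts()))


if __name__ == "__main__":
    # Constructed sample values for the scenario in the question.
    for wan in ("192.168.100.2", "203.0.113.7"):
        print(wan, "private:", wan_is_private(wan), "extra IP needed:", extra_public_ip_needed(wan))
    for proposal in ("192.168.168.0/24", "192.168.1.0/24", "192.168.0.0/24", "198.51.100.0/24"):
        print(proposal, check_wireless_subnet("192.168.1.0/24", proposal) or "OK",
              "gateway", wireless_gateway(proposal))
```

With the internal LAN on 192.168.1.0/24, the 192.168.168.0/24 range from the accepted answer passes every check and yields 192.168.168.1 as the wireless router's LAN address, while 192.168.1.0/24 is rejected for overlapping the LAN and 192.168.0.0/24 for being a common default. The overlap check matters beyond tidiness: two networks sharing the same range cannot be told apart in firewall rules or logs on the ZyWall.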
LVL 44

Expert Comment

by:Darr247
> First, you may need more than 1 IP to put a switch right after the modem.

kdearing's post takes care of that.  I guess I should have hit Refresh before I posted. :-)
LVL 11

Expert Comment

by:jgmontgo
Darr247, I checked the user guide and I am not too comfortable with the method suggested by kdearing's post. This places the wireless (public) network inside the private network. The only thing I see that can be limited is NetBIOS traffic. So this may be a bad idea.
Placing the switch between the modem and the 2 devices may be an issue depending on what addresses you have available. That said, if the switch were a managed switch with the ability to create subnets, you may increase the security level. This is a more expensive approach, however.
Placing the ZyWall after the public router is actually the proper way to deal with this situation because it keeps the public network away from the private network. Remember the ZyWall is a firewall.
LVL 13

Expert Comment

by:kdearing
jgmontgo-
There is a note at the bottom of the screen, "you also need to create a firewall rule".
You can easily create the rule to disallow access to the internal network.

If that method isn't satisfactory, then put the port in the 'DMZ Zone'.
Chapter 9, same manual.
LVL 11

Expert Comment

by:jgmontgo
kdearing, that is true, and in fact it looks like the wireless configuration is pretty similar to that of the DMZ Zone. Sorry I didn't notice that when I first looked.
So yea, as long as you take the precautions mentioned by kdearing in creating an access rule, you are safe with that method.
Author Comment

by:erkwong
Thanks all - that answers almost all of my questions.
I'll refer back to this when I am actually installing, along w/ the instruction manual.