Network Design

Posted on 2008-10-25
Last Modified: 2010-03-18
I would like to add an off-the-shelf Netgear wireless router to my existing network.
The hitch is this: this is for customers, and I don't want them to be able to access our server.

Right now, I have a DSL modem connected to a ZyXel ZyWall 2 Plus Internet Security Appliance doing DHCP, connected to a switch, which connects out to the computers on the internal network. The final wrinkle in all of this is that I will be bringing a Windows server onto the network soon w/ one NIC - it will take over the DHCP and the DHCP on the ZyXel will be disabled.

Which of the following should I do?  (or neither?)
DSL modem
    |
switch(a)
    |    
wireless router doing DHCP for the external wireless users
AND switch(a) to a
ZyXel ZyWall 2 doing DHCP for the internal users,
                      \
connected to a switch(b), which connects out to the computers on the internal network.

_______________

OR:

DSL modem
    |    
ZyXel ZyWall 2 doing DHCP for the internal users,
    |
wireless router NOT doing DHCP for the external wireless users
AND
connected Zyxel to a switch(b), which connects out to the computers on the internal network.
Question by:erkwong
10 Comments
 
LVL 13

Assisted Solution

by:Quori
Quori earned 200 total points
ID: 22802278
DSL modem
    |
switch
    |    
wireless router doing DHCP for the external wireless users
ZyXel ZyWall 2 doing DHCP for the internal users

One switch. On the wireless router add rules to prevent access to the server IP's either via firewall policy (if it has them) or just a static route for the individual server IP (use mask 255.255.255.255 to reference singular host and not subnet) redirecting it to a bitbucket so it isn't routable.
 
LVL 11

Assisted Solution

by:jgmontgo
jgmontgo earned 600 total points
ID: 22802693

I agree with the suggestions of Quori. I would only make a slight modification to how everything is arranged:

DSL modem
    |    
wireless router doing DHCP for the external wireless users
    |    
ZyXel ZyWall 2 doing DHCP for the internal users
  |
switch

This keeps the internal network behind the ZyXel so you can protect the internal network. This also frees the switch up for internal use. Also this makes it unnecessary to add rules to the public wireless router, but you can still add rules to the ZyXel to prohibit access (this should already be on by default).

 
LVL 11

Expert Comment

by:jgmontgo
ID: 22802698
Oops, one more thing. the ZyXel would be on a separate internal network. So, for example, you would address the internal network of the wireless router with 192.168.0.1 with all of the users using addresses of 192.168.0.x, the ZyXel  would be 192.168.1.1 with all of the internal users being 192.168.1.x
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 400 total points
ID: 22802712
Link to manual:
ftp://ftp.zyxel.com/ZyWALL_2_Plus/user_guide/ZyWALL%202%20Plus_4.03.pdf

Chapter 10 shows how to configure one of the ports specifically as a WLAN port, used to connect a wireless access point, separate from the internal network.
 
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 800 total points
ID: 22802765
First, you may need more than 1 IP to put a switch right after the modem.
Is the WAN address of the ZyWall currently a private IP or public IP?
(the private ranges are 10.x.x.x, 169.254.x.x, 172.16.x.x to 172.32.x.x, and 192.168.x.x)
If it's already a private IP, then the modem probably has a DHCP server in it too and you won't need an extra IP address.


> On the wireless router add rules to prevent access to the server IP's either via firewall policy

The ZyWall appliance should take care of that if switch(a) is between the ZyWall and the DSL modem.

I recommend changing the wireless router to a different IP range than your local network uses, though. e.g. if you're using 192.168.1.0, make the wireless router's LAN address 192.168.168.1 subnet mask 255.255.255.0
The 3rd octet can be anything you want, but I recommend changing it from 0 or 1 because windows ICS uses the 192.168.0.0 network by default, and 192.168.1.0 is the default LAN network used by most routers (including ZyXel's).
That's just to make it easier to see who's connected to what network, not because it might confuse the ZyWall... the ZyWall should NOT automatically let 192.168.1.x through the WAN port to the LAN side.

Regardless of whether you need to buy an extra IP from your provider, "switch(a)" doesn't need to be a managed switch as long as you can physically secure it (to keep anyone that wants to from plugging into it and bypassing your ZyWall). An inexpensive 4 or 5 port switch should work fine for that.
 
LVL 44

Expert Comment

by:Darr247
ID: 22802769
> First, you may need more than 1 IP to put a switch right after the modem.

kdearing's post takes care of that.  I guess I should have hit Refresh before I posted. :-)
 
LVL 11

Expert Comment

by:jgmontgo
ID: 22802810
Darr247, I checked the user guide and I am not too comfortable with the method suggested by kdearing's post. This places the wireless (public) network inside the private network. The only thing I see that can be limited is NETBIOS traffic. So this may be a bad idea.
Placing the Switch between the modem and the 2 devices may be an issue depending on what addresses you have available. That said, if the switch were a managed switch with the ability to create subnets, you may increase the security level. This is a more expensive approach however.
Placing the ZyWall  after the public router is actually the proper way to deal with this situation because it keeps the public network away from the private network. Remember the ZyWall  is a firewall.
 
LVL 13

Expert Comment

by:kdearing
ID: 22803385
jgmontgo-
There is a note at the bottom of the screen, "you also need to create a firewall rule".
You can easily create the rule to disallow access to the internal network.

If that method isn't satisfactory, then put the port in the 'DMZ Zone'.
Chapter 9, same manual.
 
LVL 11

Expert Comment

by:jgmontgo
ID: 22804951
kdearing that is true, and in fact it looks like the wireless configuration is pretty similar to that of the DMZ Zone. Sorry I didn't notice that when I first looked.
So yea, as long as you take the precautions mentioned by kdearing in creating an access rule, you are safe with that method.
 

Author Comment

by:erkwong
ID: 22805191
Thanks all - That answers almost all of my questions.
I'll refer back to this when I am actually installing, along w/ the instruction manual.