BobLeeSwagger

asked on

How do I properly add a secondary DHCP network on a 2003 SBS domain?

Please bear with me as I describe our network.  We have a 2003 SBS machine that hosts our network.  For years we have been using this primary DHCP network scope:

192.168.1.x/255.255.255.0 with 192.168.1.254 as our gateway (Watchguard Firebox x750e).

We have a lot of networked devices on the LAN now and we wanted to move some of them to their own network. We created a secondary scope on DHCP (192.168.2.1 - 192.168.2.254).  We decided to move our IP cameras and their host PC to 192.168.2.x on a 255.255.254.0 subnet.  At first, we just added a second NIC to our PCs and set them to that network, and we were able to add them and remote into our 192.168.2.x PC and cameras.  We didn't really have a second gateway set up, but that didn't seem to be an issue since none of the 192.168.2.x devices needed internet access.   We thought it might help to enable the SBS server's second NIC on the 192.168.2.x network, so we did that and plugged it into one of the switches.  Then we noticed that a lot of devices tried to grab a 192.168.2.x address and then couldn't reach anything on the network.  So, we gave static IPs to those devices back on the 192.168.1.x network.  

Here is a basic layout of the starting point of our network:

Main Building:

Server Rack
ISP
|
Watchguard
|
Barracuda Spam Filter
|
HP Procurve Switch - SBS SERVER (hostname server1)
Dell Powerconnect Switch/
Netgear Switch
|
other servers and PCs (hostnames Trend, Cameras, etc.)


From the HP Procurve, we have fiber going to two different buildings (there will be a third building in the next couple weeks).

In one building we just installed some POE cameras.  We have one fiber line going to a transceiver which goes via copper to an unmanaged POE switch.  These cameras were programmed on the 192.168.2.x network.  However, this building already has a PC, network printers and thin clients, all on the 192.168.1.x network.

Everything seemed to work just fine until we created a virtual 2008 server to host Trend Micro Worry Free Business (advanced).  We did this so we could remove Trend Micro from the SBS Server.  However before we could remove Trend Micro from SBS, we had to find a way to MOVE the camera host PC over to the new Trend server. At this point I could RDP into the virtual Trend machine.  I tried to add a second NIC to that VM for the 192.168.2.x network so that I could move the PC that records the POE cameras.  The camera PC did "move" to the Trend server, but I could no longer RDP into that server.  I could ping Trend from Cameras (the pc) but could not ping Cameras from Trend.  The only way I could log in to Trend was through the VM console.

We plan on buying some more managed POE switches next week if necessary.

I was told that we could enable one of the optional ports on our Watchguard to be the gateway for our 192.168.2.x network.  I can enable it, but I'm not sure how to configure it properly.  

If anyone can help guide our network expansion, we would greatly appreciate it.  Please let me know if I need to provide any more information.

Thank you.  
arweeks

There seem to be a few different issues here, and I'm not getting the bit about the camera and Trend servers; that might be better as a separate question with more detail.

I assume SBS supports multiple scopes, but you should just be able to set the firewall up as a router on a different IP range, then set up a DHCP scope for that subnet on your existing DHCP server.  Obviously, you'll need to be sure DHCP traffic is forwarded correctly.

If you go down this path, give it some thought and plan it so the network separation is logical, whether it be by location or by type of device (all the cameras etc. on the new net).
SOLUTION
Cris Hanna

I fail to see why you need two subnets?
SBS supports a maximum of 75 clients, so I assume you have 170 or more IPs available (254 - 75 - SBS - router - printers). Splitting up the network the way you are trying to do does not really improve security, nor would there be any noticeable performance enhancement, and it complicates the configuration.

Also:
- As Cris states, Windows DCs do not handle being multihomed well at all.
- SBS has two very specific network configurations, 1 NIC or 2. In the latter it is intended to act as a gateway for the LAN, not as a multihomed server. SBS is not Server Std.
- If you want to have a server with two DHCP scopes you have to have a way of assigning the correct subnet to clients. This is best done with reservations or Class IDs, both of which require additional management.

If you need to isolate I would agree with Cris, physically isolate the two networks with their own cabling, switches, DHCP server and Gateway. I believe you can do that with the x750e, but for assistance with the configuration you would be best to post that in the Watchguard Zone.
BobLeeSwagger

ASKER

OK, let's forget about the Trend Micro server for now.  

We are in the process of upgrading our 2003 SBS machine and splitting it up into several boxes.  We will have Exchange 2007 by itself.  Then we will need other machines to be dedicated for DC, AD, DHCP, DNS, etc.  However, with a new phone system coming soon, the server project probably won't happen until late October.

Until then, we still run into the issue of the building being connected to the main switch (behind the Firebox) by one fiber line, yet hosting machines on the 192.168.1.x network and the cameras on the 192.168.2.x network.  Would putting a managed switch in that remote building help out or would that single fiber line be a problem?  

RobWill, since we are still running the SBS 2003, what are our options and limitations with its DHCP service?  It allows for more than one scope, so I'm trying to learn what those extra scopes are intended for.  We could try to separate the cameras from the main network, but if the single fiber line is a problem with the idea of physical separation, then we would have to move the Cameras PC over to that building.

We do not NEED the Cameras PC or the cameras themselves to be on the same network, but from a remote management standpoint it would be convenient.

Thank you for your expert advice to everyone who has replied so far.  
The problem with multiple DHCP scopes is how are you going to assign an IP from the proper scope to the appropriate device.

Using multiple scopes is not something I am terribly familiar with, but you can assign using DHCP reservations, you can use Class IDs, or, most often, they are used in multi-segment networks where a router forwards the DHCP request to a DHCP relay (the server).

Do you really need DHCP for the cameras anyway? In the instances I have seen cameras used, they are assigned static IPs. You could even use a $30 router on the camera subnet as a DHCP server, but do not use it as a gateway (i.e. don't connect the WAN cable, and set the gateway as the Firebox); you can still set the Firebox as the gateway.

To access the camera PC from the other network you can set up a route on the Firebox to allow connections from one device/PC or multiple to the camera PC. I am sorry, but I am not familiar enough with the Firebox to instruct as to how to configure the route.
I still don't get (nor do I think Rob does) why you need to put the cameras on a separate subnet.
And I don't think you want the cameras getting DHCP addresses, so they have a different IP each time.   One of my customers does lock and security work.  When they go out to put cameras in, it's always on the LAN.
I'd have to agree, I don't see a need, at least from what you have said so far, for a separate LAN.

I did work on a network this week where the cameras were used for several purposes and completely managed by an outside company. For this reason they preferred to have them completely isolated. In this case there was a web utility that allowed the company to access the "camera PC" if needed. As it turns out this was a good choice as the camera PC was hacked due to a remote management service used by and not properly managed by the camera firm.
I apologize if I'm having a hard time describing our network.  I'm starting to see things in a different light now.  We did set static IPs on the Camera PC and the camera units.  We also set them as reservations within the secondary scope of DHCP on the SBS box.  Was that part unnecessary?

I'd like to understand if I'm reading this correctly.  From the main switch, we have one fiber line to a warehouse where the .1.x clients are AND where the .2.x cameras are.  If we did set up a router on that side of the fiber transceiver, would we still be able to have the two separate networks AND still be able to manage that second network remotely from the office side of the fiber line?  
ASKER CERTIFIED SOLUTION
We haven't hit the 75 client mark yet, but we do have a lot of machines and networked devices that take up a lot of IPs.  We just wanted to separate traffic... and we were running out of IP addresses, which is why we wanted to have a second network.  Anyway, thanks again.  We will try to NAT the cameras and re-simplify the DHCP setup in our SBS box for now.  
Clearly, we need to learn a few things about SBS, DHCP and TCPIP.  It's not so much that we were looking for an answer to a specific problem, as we were looking for guidance, theories, and industry standard practices.  We need to rethink our network design and these experts have set us on the right path.  Thanks again!
You could increase the size of the subnet if necessary by changing the subnet mask, that is, if you are running out of IPs. The default licensing with SBS is per user, so you can add as many cameras and such as you like. If doing so, make sure you use the Change Server IP Address and Connect to the Internet wizards.

Thanks BobLeeSwagger. Good luck with the project.
Cheers!
--Rob
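An added worked example (not from any participant in this thread) that puts numbers on two points raised above: how a DHCP server with two scopes picks which one answers a request, which is consistent with clients grabbing 192.168.2.x leases once the server's second NIC was plugged into the flat switch fabric, and what "increase the size of the subnet by changing the subnet mask" actually covers for the 192.168.1.x LAN. The scopes are constructed from the thread's addresses; the scope-selection rule follows RFC 2131 section 4.3.1 and is a model, not the Windows DHCP server's code.

```python
"""Subnet and DHCP-scope arithmetic with the thread's addresses (stdlib only)."""
import ipaddress

# Constructed scopes modelled on the thread: the original /24 and the
# secondary 192.168.2.x scope the asker added on the SBS DHCP server.
SCOPES = {
    "primary":   ipaddress.ip_network("192.168.1.0/24"),
    "secondary": ipaddress.ip_network("192.168.2.0/24"),
}

def same_subnet(ip_a, mask_a, ip_b):
    """True if host ip_b lies inside the network that ip_a/mask_a defines,
    i.e. ip_a would talk to ip_b directly rather than via its gateway."""
    net = ipaddress.ip_interface(f"{ip_a}/{mask_a}").network
    return ipaddress.ip_address(ip_b) in net

def widen(ip, new_mask):
    """Network that results from keeping ip but changing only its mask
    (what 'increase the size of the subnet' does to an existing host)."""
    return str(ipaddress.ip_interface(f"{ip}/{new_mask}").network)

def select_scope(giaddr, receiving_if_ip, scopes=SCOPES):
    """Scope a DHCP server picks for a request (RFC 2131 s.4.3.1 model):
    the one containing giaddr when a relay agent filled it in, otherwise
    the one containing the address of the NIC the broadcast arrived on."""
    key = ipaddress.ip_address(giaddr if giaddr != "0.0.0.0" else receiving_if_ip)
    for name, net in scopes.items():
        if key in net:
            return name
    return None  # no matching scope: the server cannot answer this request

if __name__ == "__main__":
    # A camera on 192.168.2.10/23 reaches 192.168.3.x directly, but still
    # not 192.168.1.x, so without a router the two LANs stay separate.
    print(same_subnet("192.168.2.10", "255.255.254.0", "192.168.1.5"))  # False
    print(same_subnet("192.168.2.10", "255.255.254.0", "192.168.3.7"))  # True
    # Widening the .1.x LAN to /23 pulls in 192.168.0.x, not 192.168.2.x;
    # a /22 (192.168.0.0-192.168.3.255) is what covers .1.x and .2.x both.
    print(widen("192.168.1.1", "255.255.254.0"))  # 192.168.0.0/23
    print(widen("192.168.1.1", "255.255.252.0"))  # 192.168.0.0/22
    # No relay in a flat network: whichever server NIC hears the broadcast
    # decides the scope, so a second NIC on 192.168.2.x hands out .2.x leases.
    print(select_scope("0.0.0.0", "192.168.1.10"))  # primary
    print(select_scope("0.0.0.0", "192.168.2.1"))   # secondary
    # With a router relaying from the camera segment, giaddr decides instead.
    print(select_scope("192.168.2.254", "192.168.1.10"))  # secondary
```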