Windows Server 2012 network

Converting a peer-to-peer to a client-server configuration.

Current configuration:  4 computers connected peer to peer.  Two computers are old XPs that support a legacy accounting program that is stored on a NAS and run locally.  Two computers are Windows 7 that were purchased in anticipation of upgrading the accounting (the legacy program will not work properly on anything after XP).  The accounting side is on its own segment over 100baseT wiring.  No gateway.  Each computer except one has a wireless connection to connect to the internet.  One of the new computers is a higher end i7 that was going to be a workstation/server for running QuickBooks and Peachtree where the other Win 7 would be the client.

Well, QB and PT are not strong enough to be the replacement accounting, so we are going with a larger system that requires Windows Server 2012.

So working on the new configuration.  I am thinking I don't need the two segments anymore, but I am not looking forward to putting the accounting on the same segment as the rest of the office.  So thinking of ways to segregate it.  Can I just use the subnet mask to keep it separate?  Doesn't seem that strong.  So thinking maybe of using one of the old computers and turning it into a software firewall using IPCop or similar and having the wire from the modem coming into it, and then the other side is the accounting department.  The other possibility, and I have no idea if this is at all doable, is maybe having the WinServer as the firewall by having the modem wire coming into one NIC on the server and then another NIC to connect to accounting and segment it that way.

So looking for input from the experts.  Cost is definitely a factor in the decisions made.

Is IPCop the best of the free Linux firewalls to use?  Are the configurations above doable, and what would be the best in your opinion?

The questions may change as feedback comes in.

Thanks in advance for your time and attention to this matter!
jjackson2004Asked:

Bryant SchaperCommented:
Only 4 workstations?  Honestly I don't see any reason to separate the networks with proper security.  Beyond that, if you still want to, get a switch or router/switch that supports VLANs.  Then you can secure the traffic there.
0
jjackson2004Author Commented:
The thought process behind the need for separate network is not the number of computers but rather the sensitivity of the data on the server.  This server will only be running the accounting software and no one needs access except the accounting people.  I will look into your solution to learn more about it.  I assume the users will still be able to reach the comcast modem even if they are on a separate vlan?
0
Bryant SchaperCommented:
Yes, you could separate for several reasons, security is one.  But that being said, on the accounting system what are we securing against?  With 4 computers, this is a very small network, and I think that physical separation would just result in users moving stuff around via other means.

That said, yes they can access the Comcast modem.  What you are doing is creating virtual networks, say 10.0.0.0/24 and 10.0.1.0/24.  The router basically sits on both networks and acts as the gatekeeper.  Each subnet would have its own gateway IP, so the Comcast would have an interface on say 10.0.0.1 and 10.0.1.1; you would just prevent access from each subnet to the other with a firewall rule/ACL.
0
jjackson2004Author Commented:
They would not be moving things around by other means as the accounting rooms are locked when the people are not in them and the accounting people have no need to move anything between the computers.

I am trying to understand your answer.  There is a wire that comes back to accounting from the modem.  That wire would be going into the vlan capable switch.  So accounting would be one subnet and the single wire to the comcast modem would be another subnet?  I would assume that wire would be on the same 192.168.1.xxx network that the comcast modem is on.  I do not control the rest of the network, only the accounting area.

So does the vlan capable switch have its own firewall capability built in?
0
Bryant SchaperCommented:
I could diagram if you diagram your end and what you are in control of.  A VLAN switch can have a firewall, but I am thinking of something like a SonicWALL that will sit behind your Comcast modem.
0
PerarduaadastraCommented:
If you have access to the modem then what part of the network do you not control?
Is the modem doing NAT?  If so, then to that extent it's functioning as a router, however basic.
If the modem can be configured as a bridge then you could use a device such as a Draytek router, which supports VLANS, to separate the accounts computers from the other machines.
0
jjackson2004Author Commented:
Looking into the SonicWALL, I might be able to talk them into the TZ105.  Is that something that you were referring to?  As I mentioned cost is a big factor and they are already complaining about the cost of the software plus the new Windows server that is going in (that is why the IPCop on an old computer was an option).

Looking at its description (TZ105), it might be what I was thinking of.  I will research more.

The Comcast modem is doing port forwarding to a Windows server set up for terminal services.  There are currently three different segments in the office, with the difference being in the third octet.

And they prefer for us not to mess with the modem, but we can if absolutely necessary.

If I used the TZ105, would I be doing port forwarding to the TZ for when we do remote desktop on the new server?
0
PerarduaadastraCommented:
As Bryant Schaper says, a diagram of your present setup would be helpful. What model of Comcast modem do you have?

Also, I came across this on EE; it seems as though someone else may have had a similar problem:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28240877.html
0
jjackson2004Author Commented:
Ok, a diagram is attached.
netlayout.jpg
0
jjackson2004Author Commented:
And here is what I think the new configuration might be if I used the SonicWall
newNetLayout.jpg
0
jjackson2004Author Commented:
Is anyone going to offer any further advice?  I am still curious how I would get to the SONICWall through the comcast modem.
0
jjackson2004Author Commented:
And the SONICWall tz 105 seems to have disappeared from the Dell Website.   Trying to find an alternative.
0
jjackson2004Author Commented:
The SOHO is the replacement and at a higher price.  So I guess I am back to the original question about using IPCop.
0
Bryant SchaperCommented:
The SonicWALL is a router, so you have an internal LAN or multiples on interfaces, and you have your WAN connection to the Comcast. It can either authenticate using PPPoE on the DSL connection, in which case the Comcast is just a modem, or, if the Comcast is really just a DSL modem and not a router, it will get an IP from the ISP.
0
jjackson2004Author Commented:
The Comcast is not using PPPoE and we are not able to change that.  There are 5 static IPs available, but only 1 is currently being used if I remember correctly.  So from what you wrote, then it is most likely just a DSL modem.

It has taken most of the year, 3 different modems and about 7 visits from comcast to get the internet service from continually dropping out, so the big guy is very wary of anyone messing with the modem.
0
Bryant SchaperCommented:
What currently has the IP in use?  If that is the case, you would assign an IP to the SonicWALL; to use all five you either install a switch after the modem and before the SonicWALL.
0
jjackson2004Author Commented:
Does the SONICWall allow only one person to go in through it?
0
jjackson2004Author Commented:
I am just asking that for information.  Dell has priced the replacement for the tz105 out of our range.  So I am back to looking at the IPCop as a solution unless some other product is out there in the $300 range that will do what it looked like the SONICWall would do.
0
PerarduaadastraCommented:
How about the Draytek 2860? I have several of these deployed, and they handle multiple public IPs and multiple LANs with aplomb. Its firewall features may not be Cisco or Juniper but they seem perfectly adequate, as I've had no problems with any of them.

This router is also sub-$300...
0
Bryant SchaperCommented:
Yeah probably, but if it is a cost issue for network and security at $300 then your controller should really be evaluating his priorities.  To me that seems like a small investment; many companies spend thousands on their firewalls and network devices.  Core network infrastructure is a must for a business network or you will be chasing your tail with other problems.
0
PerarduaadastraCommented:
@ Bryant Schaper:

Agreed, but if the budget is written in stone regardless of the force of reasoned argument, then the asker could do a lot worse than the Draytek. I note from the network diagram that the whole network, such as it is, is a shoestring affair, so it's unsurprising that cost is a major factor.

I also note from said diagram that there are wireless connections, though no access points are shown. The 2860 can also function as a basic wireless controller, though only for the Draytek AP-810 and AP-900 WAPs. If the existing WLAN is small enough that both SSIDs can be seen by wireless clients then adopting Draytek equipment would significantly improve wireless performance by allowing basic roaming functionality and bandwidth management.

I would add that I have no connection with Draytek other than as someone who uses their kit and is happy with it.
0
jjackson2004Author Commented:
Yes, unfortunately price is a major issue, every purchase is like pulling teeth.  The comcast modem is the wireless access point.

The draytek looks decent.  Perhaps this would be a good time to clarify the capabilities I am looking for:

1.  Isolate this LAN from the rest of the office.
2.  Provide firewall protection.
3.  Allow access to the server for remote desktop (so payroll can be done remotely over the Christmas/New Year holiday), and possibly the laptops with logmein, teamviewer, etc.
4.  Switch to a single segment so that the wireless connections can be removed and all internet access for the computers will be through the firewall.
0
PerarduaadastraCommented:
The Draytek can be configured to meet all four of these requirements. LANs can be isolated from each other using VLANs, which the device supports; indeed, enabling multiple LANs requires that the VLAN feature is enabled.

When you say single segment, I take it that this doesn't include the accounting/payroll/whatever department? I would expect this to be set up on its own VLAN to isolate it from everything else without preventing remote access to it.

If you don't need wireless then don't have it! Cabled connections are faster and more reliable than the airwaves. The wireless controller functionality in the 2860 comes as standard but it doesn't have to be used.

One thing isn't clear to me though; how does the Comcast present the internet connection to the LAN? Your diagram shows that a Windows 7 computer receives the connection from the modem, so is it dual-homed, or what?
The 2860 has a built-in vDSL/ADSL modem, and also has a WAN port to accept an Ethernet internet connection from an external device. If the Comcast can be configured as a bridge then you would connect it to the Draytek's WAN port. If your ISP supplies an ADSL or vDSL connection (I don't know what's available across the pond) then you could use the integral modem instead.
0
jjackson2004Author Commented:
All the computers in the accounting department used to connect to the internet through wireless, and the accounting was done over the wired network.

When the aforementioned problems with Comcast kept occurring (they were mostly wireless issues, something about the firmware), I ran a cable to the comptroller's computer so she could connect to the internet without dealing with wireless (through a second ethernet card).
0
PerarduaadastraCommented:
So the connection problems were actually with the wireless LAN side and not the WAN side of the connection?
If so, then provided that the Draytek supports your ISP's connection type then you could dispense with the Comcast altogether and use the Draytek's built-in xDSL modem instead.

Does your internet connection require credentials to login to your ISP's network? The Draytek can handle this, or PPPoE. You say the Comcast isn't using PPPoE, so what type of connection is it using?
0
jjackson2004Author Commented:
Will find out Monday (EST) when I am next back in their office.

And there were some problems on the wired side as well, but there was a problem with the modem and USB wireless adapters (someone in tech support finally admitted), which caused the network to continually reset.
0
jjackson2004Author Commented:
But as to replacing the Comcast, again, we are separate from them in that regard and do not control that modem.  But I can ask to change some settings so that we can vpn into our side as long as it does not affect their side.  

But if I can convince him the Draytek is a better solution then it might be a possibility.    I will have to look into their current remote desktops into their old Windows Terminal Server 2003 (which I have told him needs to be replaced sooner rather than later, but we want to get our new accounting system in first so I did not push that issue).
0
PerarduaadastraCommented:
I appreciate that you don't control the Comcast modem, but it's not apparent to me if it's an immutable part of the deal with your ISP or whether you can remove it and use your own hardware instead. If the latter is an option then be aware that your ISP will not support any device you connect instead of the Comcast, but they would have to supply the information needed to make the connection.
As I've said before, configuring the Comcast as a bridge would be the simplest option, leaving the Draytek to manage everything else including the VPNs.
0
jjackson2004Author Commented:
The Gateway at a Glance page does not say how it is configured.  All it has is:

Bridge Mode:  Disabled.
0
jjackson2004Author Commented:
Should I consider this an abandoned question?
0
PerarduaadastraCommented:
Sorry, I've been very busy and forgot to return to this question.

The link is for the Draytek 2860, which is the model I suggested.

If the Comcast reports that bridge mode is disabled, then this implies that somewhere in its web interface is the control for enabling it. If you do configure the device as a bridge, make sure that you note down every setting of its present configuration in case it all goes pyriform and you need to revert. A better option before making any changes would be to make a configuration backup using the option provided in the Comcast web interface; I'm assuming that it does have that option...

Once the Comcast is in bridge mode you would connect it to the ethernet WAN port on the Draytek, unless you can connect the phone line directly to the latter's xDSL port and configure the authentication accordingly. If it's possible, this latter method is far and away the best one to use as it means that the Comcast device can be removed without making any configuration changes to it, and simply replaced with the Draytek.
0
jjackson2004Author Commented:
Well, I already purchased the Draytek and am going to be configuring it at home before I try it at the office.  Assuming I can't change the Comcast to bridge mode, can't I just plug the ethernet cable into one of the LAN ports and the accounting segment into the other to separate the accounting subnet from the rest of the network?
0
PerarduaadastraCommented:
You have to enable VLANs on the Draytek in order to have multiple LANs. If you configure, say, LAN1 to be your general purpose LAN, and LAN2 to be the accounts LAN, and assign them to different physical ports (ports 1 and 2 would be logical) then you would achieve the required separation. You would be able to ping the gateway IP of each LAN from the other one, but nothing behind them would be accessible.

I find that in such setups it's helpful to use completely different network addresses to avoid confusion during configuration and maintenance. For example, in your situation you might use 192.168.1.0 for LAN1, and 172.16.2.0 for LAN2. This avoids the hammering of your head on the wall on realising that the last three hours of frustration were due to mixing up 192.168.1.2 and 192.168.2.1...
0
jjackson2004Author Commented:
They are already different subnets, 192.168.1.0 and 192.168.2.0.  I am curious as to your statement about not being able to access anything behind them, as I absolutely need internet access through the Draytek.   It was one of the main reasons for getting the Draytek: to separate the accounting subnet from the others and also to get rid of the wireless adapters and to access the internet through the wired network.
0
PerarduaadastraCommented:
Sorry, I didn't make myself clear. What I meant was that devices on each different LAN will only be able to see the gateway addresses of the other LANs and not any of the machines on those networks. Internet access for each LAN is unaffected because each LAN has its own gateway.
To illustrate: If LAN1's gateway address is 192.168.1.254 then a machine on LAN2 having an address of 172.16.2.10 would be able to ping 192.168.1.254 and get replies, but it couldn't reach any device on LAN1. Likewise, if LAN2's gateway is 172.16.2.254 then a computer on LAN1 could ping that address and get replies, but couldn't reach any devices on LAN2. The LANs are isolated from each other, which is the point of the exercise.

Regarding network addressing, I was only suggesting a scheme to avoid confusion. It seems that you are actually using the subnets I chose for my example scenario...
0
jjackson2004Author Commented:
Ah, thanks, I was a little worried for a moment.  I will leave this open for a few more days while I am going through the test config.  Then I will close this question and open a new one about how I could access the file server for possible remote desktop once I have the Draytek in place and the server set up.  Though there might be some issue with how the server needs to be set up (non-domain) considering what I want to achieve.
0
PerarduaadastraCommented:
If you're accessing the server via RDP then whether or not it's a domain controller or member isn't relevant; RDP doesn't care!

I'd suggest configuring the RDP host to listen on a non-standard port, and configuring the Draytek firewall accordingly. You'll have to open the port though, under NAT -> Open Ports.
0
jjackson2004Author Commented:
How do I reach the Draytek?  Do I do port forwarding on the Comcast modem?
0
PerarduaadastraCommented:
Let's back up for a moment.

I'm in the UK and internet connectivity options here tend to differ somewhat from those in the US.
I'm assuming that your internet connection comes down the phone line like it does here, but what type of connection is it? I think ADSL and PPPoE are common there, but you'll have to tell me what your setup is using. How does your modem authenticate to the ISP's network? Is it username/password, or MAC address, or what?

If you have to forward the internet traffic to the router after the Comcast has applied NAT then you'll be in a double NAT situation, which, as Microsoft has been known to say, can lead to unexpected results...
0
jjackson2004Author Commented:
DSL, so perhaps ADSL, and I believe it authenticates by name/password.
0
jjackson2004Author Commented:
I will verify on Monday.
0
PerarduaadastraCommented:
I've done a little digging for you, and it appears that your connection uses a cable modem that supports the DOCSIS 2.0 or 3.0 standard; at least, that's what they seem to be saying here:

http://mydeviceinfo.comcast.net/

On the same page it says: "Your device's DOCSIS version number matters if you subscribe to Comcast Performance, Blast!, or Extreme.

Not sure what your speed tier is?

You can find it listed on your monthly internet bill (click here to view a sample). For more information regarding your cable modem or speed tiers, please call 1-800-XFINITY for assistance."

(The emphasis is mine.)

However, as I get the impression that keeping costs to the bare minimum is a policy pursued with religious zeal by your employer, it's unlikely that your connection is in any of the top three tiers, so the latest and greatest hardware probably isn't required.

This has cleared up one thing though; whatever modem you use, it must be configured as a bridge to avoid double NAT issues. The Draytek does not support the coaxial cable connection that the Comcast connection uses and so the modem's only (but vital) function as a bridge would be to present an ethernet interface to the WAN2 port of the Draytek. The Draytek would then handle the authentication via the PPPoE option.

Knowing the make and model of the modem would be very useful. It may be branded Comcast, but it will be made by someone else. If its configuration can be backed up to a file then you can restore the current configuration from the backup if configuring it as a bridge goes horribly wrong.

Another alternative would be to pick up a used item from eBay or the Amazon marketplace, so that you can tinker with it to your heart's content without jeopardising the Comcast modem's current working configuration.
0
jjackson2004Author Commented:
The modem is a Cisco DCF3939, and it uses DOCSIS 3.
0
jjackson2004Author Commented:
Correction, DPC3939B.
0
jjackson2004Author Commented:
After speaking with Comcast for quite a while, I am not much better informed.  But he did say we were DSL, then ADSL, but now we are just Cable.  No acronyms.
0
jjackson2004Author Commented:
And we are Deluxe 50 speed tier.
0
PerarduaadastraCommented:
I had no idea that this was going to be so complicated.

There is some information about this issue here:

http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/DPC3939B-in-true-bridge-mode-with-single-static-IP/td-p/22918

The last but one post suggests that it's perfectly possible to get the modem working as a true bridge, but that Comcast needs to cooperate as it has to make some kind of adjustment. You might have to give the ISP some additional information, such as the MAC address of the Draytek's WAN interface.

Why not tell Comcast exactly what it is you're trying to do, and ask them to help you set it up? Your Draytek will not do what you require unless the modem can deliver the internet connection to the router's WAN ethernet port. The 2860 may already be on Comcast's list of supported third party routers, as I can't imagine that you're the only person who has come up against this issue. The DPC3939B doesn't support VLANs so far as I can discover, so it won't do what you want either...
0
jjackson2004Author Commented:
This has gotten to be quite complicated.  I would like if possible at this point to just go back to just having separate segments, with the DrayTek in the middle.  I would like to plug the cable from the modem into one port of the Draytek and the accounting lan into another port and have the lan separate from the rest of the office.

Later when we are not under such a crush and as I get to know more about setup of the rest of the office, I can try to do it properly.
0
PerarduaadastraCommented:
You should be able to cobble together something that works, although it will be far from ideal.

Connect the Comcast modem to the WAN ethernet port on the Draytek. In the latter's web interface, go to WAN -> Internet Access -> WAN2 and change the access mode from None to Static/Dynamic IP. The Details Page button becomes active; click on it and under WAN IP settings put the radio button in Obtain an IP Address Automatically. You probably won't need to change anything else, though I can't be sure as I really don't know how the Comcast system works, except that the modem seems to provide whatever authentication that the service needs.
The Draytek will need to be rebooted, after which, hopefully, you will have an internet connection. However, be aware that the address that the Comcast hands to the Draytek will be from a private LAN range, so for routing to work the LAN subnet must be different from the one on the WAN port.
For example, if the Comcast modem assigns an address of 192.168.1.2 to the WAN port you already have a problem, as that is the default LAN subnet for LAN1 on the Draytek. If this is the case, change the LAN1 network address to another private address range, such as 172.16.1.0, so that routing will still work. If you have devices on any of the LANs with static IPs or DHCP reservations, these will need to be updated accordingly.

It's a horrible kludge, but it might get you out of trouble while you work out how it can be done properly.
0
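The address-overlap problem described in the last answer (the Comcast gateway handing the Draytek's WAN port a 192.168.1.x lease while LAN1 still sits on its default 192.168.1.0/24), together with the earlier advice to give each VLAN a visibly different range, can be checked before touching the router. The script below is an added example and is not part of the thread or of any Draytek tooling; the WAN prefix length (/24), the LAN names and the candidate replacement ranges are assumptions.

```python
"""Check a double-NAT 'router behind a consumer gateway' plan for overlap.

Constructed example: the upstream modem hands the router's WAN port a private
address by DHCP, and the router's LAN1/LAN2 VLANs must not share address space
with that WAN subnet or with each other, otherwise routing between them breaks.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Candidate replacement /24s from RFC 1918 space (constructed list, following
# the thread's suggestion of a visibly different range such as 172.16.x.0).
CANDIDATE_LANS: List[str] = [
    "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24",
    "10.0.1.0/24", "10.0.2.0/24",
]


def wan_network(wan_ip: str, prefix_len: int = 24) -> Net:
    """Subnet the upstream gateway placed the WAN port in.

    The router only learns the mask from its DHCP lease; a /24 is assumed
    here, which is what consumer gateways typically hand out."""
    return ipaddress.ip_network(f"{wan_ip}/{prefix_len}", strict=False)


def find_conflicts(wan: Net, lans: Dict[str, Net]) -> List[Tuple[str, str]]:
    """Return (lan_name, description) for every overlap.

    A LAN overlapping the WAN subnet breaks Internet routing (two interfaces
    of the router claim the same addresses); two LANs overlapping each other
    makes the VLAN separation meaningless."""
    problems: List[Tuple[str, str]] = []
    names = sorted(lans)
    for name in names:
        if lans[name].overlaps(wan):
            problems.append((name, f"overlaps WAN subnet {wan}"))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                problems.append((a, f"overlaps {b} ({lans[b]})"))
    return problems


def choose_replacement(taken: List[Net]) -> Optional[Net]:
    """First candidate range that overlaps nothing already in use."""
    for cand in CANDIDATE_LANS:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(t) for t in taken):
            return net
    return None


def plan_renumbering(wan_ip: str, lan_cidrs: Dict[str, str],
                     wan_prefix: int = 24) -> Dict[str, str]:
    """Map each conflicting LAN name to a non-overlapping replacement CIDR.

    LANs that do not conflict are omitted from the result (keep them as-is).
    Hosts with static IPs or DHCP reservations on a renumbered LAN must be
    updated by hand, as the thread notes."""
    wan = wan_network(wan_ip, wan_prefix)
    lans = {n: ipaddress.ip_network(c) for n, c in lan_cidrs.items()}
    plan: Dict[str, str] = {}
    conflicting = {name for name, _ in find_conflicts(wan, lans)}
    for name in sorted(conflicting):
        taken = [wan] + [lans[n] for n in lans if n != name]
        new = choose_replacement(taken)
        if new is None:
            raise RuntimeError(f"no free candidate range for {name}")
        lans[name] = new          # later picks must avoid it too
        plan[name] = str(new)
    return plan


if __name__ == "__main__":
    # The exact situation the thread warns about: WAN gets 192.168.1.2 while
    # LAN1 is still on the router default of 192.168.1.0/24.
    print(plan_renumbering("192.168.1.2",
                           {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24"}))
```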
jjackson2004Author Commented:
Thanks, that is what I thought I would have to do today when I was messing around with the Draytek, but I stopped to read the user guide.
0