GCITech asked:

small, multi network, problem

ISP provides 13 static WAN IPs in location A. The nature of the ISP's endpoint equipment is, if a device with one of the static IPs is connected, it works. If a device requests an IP via DHCP, they issue an address via DHCP, on their own IP address. This DHCP server cannot be disabled. Previous endpoint equipment had a port with no DHCP. At location A, we have two physical networks, and two routers, each using one static WAN address. One for our business (172. IPs) and one for the customer network.
There is a wireless bridge between location A and location B.  At location B, we distribute to 5 more locations wirelessly, but each of those has a static IP from the range, with their own router. We also have the main internal server for our business, at location B.
We have a network cable from the 172. network, and from the port on the ISP endpoint, in a switch that is also connected to the wireless link to location B, thus providing WAN IPs and 172. IPs for the business equipment. However, that makes two DHCP servers on the same network, and after a few days, it all collapses. Previously, I had hooked up a small MikroTik device, in the line coming from the ISP equipment, that blocked DHCP offers, and that worked, but it seemed not "snappy", for lack of a more technical description. That box died the other day, so now the problem is back, and I would like to make it as efficient as possible, without spending a fortune. I need advice on whether to just go back to blocking the undesired DHCP server, or use VLANs somehow (I have switches to support that, but am unsure how to best use them), or put another router at location B, and then VPN back to location A for the business network. Or a better, simpler solution...
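The question describes the one filter that kept the shared segment working: DHCP offers coming in from the ISP's endpoint were dropped, while the business router's own offers, and all other traffic to and from the ISP port, went through. Managed switches implement exactly this as DHCP snooping: a DHCP server reply (BOOTREPLY, op=2) is only forwarded if it arrived on a port marked trusted; client requests and non-DHCP traffic are not affected. The following Python is an added example written for this page, not code from the original poster, the ISP or any switch vendor. It parses the RFC 2131 DHCP header and options itself and applies the trusted-port rule to constructed packets; the port names (ether1-isp, ether2-business, ether3-client) and the 192.0.2.0/24 and 172.16.0.0/16 addresses are assumptions chosen for illustration.

```python
"""DHCP snooping in miniature: drop DHCP server replies that arrive on an
untrusted port (here, the uplink to the ISP's endpoint device) and forward
everything else unchanged.  Added example; not the original poster's code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie at offset 236
BOOTREQUEST, BOOTREPLY = 1, 2       # 'op' field: client -> server, server -> client
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpPacket:
    op: int
    xid: int
    yiaddr: IPv4Address               # address the server is handing out
    msg_type: Optional[int]           # option 53
    server_id: Optional[IPv4Address]  # option 54


def parse_dhcp(payload: bytes) -> DhcpPacket:
    """Parse the fixed BOOTP header plus options 53 and 54; raise on non-DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:               # END option
            break
        if code == 0:                 # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = IPv4Address(value)
        i += 2 + length
    return DhcpPacket(op, xid, yiaddr, msg_type, server_id)


def snoop(in_port: str, payload: bytes, trusted_ports: set) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one UDP payload seen on in_port.

    Only server replies from untrusted ports are dropped; requests from
    clients and anything that is not DHCP pass, so hosts with static WAN
    addresses still reach the ISP gateway through the same port."""
    try:
        pkt = parse_dhcp(payload)
    except ValueError:
        return "forward", f"non-DHCP traffic on {in_port}"
    name = MSG_NAMES.get(pkt.msg_type, f"type {pkt.msg_type}")
    if pkt.op == BOOTREPLY and in_port not in trusted_ports:
        return "drop", f"{name} for {pkt.yiaddr} from server {pkt.server_id} on untrusted port {in_port}"
    return "forward", f"{name} on {in_port}"


def build_dhcp(op: int, xid: int, yiaddr: str, msg_type: int,
               server_id: Optional[str] = None) -> bytes:
    """Build a minimal, well-formed DHCP payload (constructed test input)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        bytes.fromhex("0011223344aa") + b"\0" * 10,  # chaddr, assumed MAC
                        b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if server_id is not None:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return fixed + DHCP_MAGIC + opts + b"\xff"


# Constructed sample traffic.  Addresses and port names are assumptions.
TRUSTED_PORTS = {"ether2-business"}          # only our own router may answer DHCP
ISP_OFFER = build_dhcp(BOOTREPLY, 0x1234, "192.0.2.50", 2, "192.0.2.1")      # ISP endpoint
OUR_OFFER = build_dhcp(BOOTREPLY, 0x1234, "172.16.0.50", 2, "172.16.0.1")    # business router
CLIENT_DISCOVER = build_dhcp(BOOTREQUEST, 0x1234, "0.0.0.0", 1)             # any client

if __name__ == "__main__":
    for port, pkt in [("ether1-isp", ISP_OFFER), ("ether2-business", OUR_OFFER),
                      ("ether3-client", CLIENT_DISCOVER), ("ether1-isp", b"GET / HTTP/1.0")]:
        print(*snoop(port, pkt, TRUSTED_PORTS))
```

The rule is deliberately narrow: it matches on the DHCP op field rather than on UDP port 67 alone, so a trusted port can carry both the router's DHCP replies and ordinary traffic, and an untrusted port still forwards client DISCOVER/REQUEST messages to wherever the real server is. A switch that supports DHCP snooping applies the same test in hardware; the "not snappy" feel the poster describes is what a small router doing this filtering in software, in line with all the other traffic, tends to produce.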
Bill Bach:

I would NEVER recommend connecting ANY servers or workstations directly up to an ISP's network like this!  With all of the malware running around, this is pure madness!

What you REALLY need is a firewall (with DMZ support) at the network edge.  The firewall would NAT off all of the internal machines to help protect them (and provide internal DNS/DHCP if needed), and then you can place public-facing servers in the separate DMZ where they can be isolated from the inside of the network and somewhat protected.

I confess that I did not understand much of the rest of your text, as it starts getting a bit hard to read after a while.  If you need a more complete recommendation, I would first recommend that you draw up a simple diagram of your network and then take a snapshot of it from a digital camera or cellphone -- then post the picture.  The increase in readability will be dramatic.
masnrock:

This solution is only available to members of Experts Exchange.
GCITech:

I appreciate your comments. I will work on a drawing to post, so it is more obvious what I am trying to describe. I found a network switch in my stock that will block DHCP, so I implemented it, and the immediate emergency is over. I do want to improve the network, so I will repost with more complete information later. Thanks.