Standard User Daveytee
(newbie) Tue 01-Apr-25 21:05:01

How to use router with openwrt as wired guest connection

 
Hi guys,

I've asked a little about this before but I'm really struggling to get my head round it - I know people have recommended Mikrotik routers and I've looked into them and they look interesting but for this project I need to use currently available kit (though I do keep an eye on eBay for any cheap Mikrotik routers).

The situation is thus:
We have a Virgin Business Router that gives internet to the office PCs but we also need to provide internet to members of the public that use our premises (though only through wifi).

The building is old and used to have a lift shaft which is metal lined so wifi doesn't get from where the router is to where I can plug in a repeater (and there's no mains between the two rooms to plug a repeater in as it's a stairwell). As a side note, the Virgin Business routers only allow 10 guest wifi connections which is no good for us. I know I could use the VM box in modem mode but I still think I'd have the same problem with the router we've got.
I'm currently using a cheap (~£25) switch that does VLAN, plugged into the VM router to create a separate network that goes to an ethernet over power adapter and then an ethernet over power adapter in the room where we need internet.
These mains adapters work fine and are reliable enough and give decent speed (~100MBps) for our guests' needs (they also act as speed limiters so people cannot use all our bandwidth so that's an added bonus).

This solution has been working fine for a few months, we initially had some connection issues with the VM connection that seem to have been resolved now.

What I don't like is that the guest network is on the same subnet as our internal network (not really a huge issue with a /24 network but I wouldn't want to think that our internal network could be affected if we had a rogue device or many people connecting up - I've already had to change the DHCP lease time to two hours where normally I'd leave it at the week or whatever the router defaults to).
I know cheap routers use VLAN to separate out the networks but I'd like something that has firewall rules to block traffic and also can dish out its own DHCP IP addresses.
That's where I was thinking openwrt - I've got an old Sky SR102 router that I've got OpenWRT 23.something on (really enjoyed the challenge/learning curve of having to get serial access to the router to put OpenWRT on it but that's another story).

I know the wifi doesn't work on the old Sky routers because of an issue with the Broadcom chipset it uses but I don't really care - that would only complicate things for me in any case.

So - what I want to do is use the SR102 as a wired guest network that has its own DHCP server and IP range (something like 192.168.99.0/24 for ease of distinction), can access the internet but definitely not the internal network.
It's got 4 ethernet ports, I only need 2 of them, one to go to the ethernet over mains and one to uplink to the internet via VM router.
At this point I can't even work out if I need to use the WAN port as the uplink connection or the guest network - it seems to be backwards to a normal setup.
I've currently got the WAN port set to obtain its IP from DHCP which it gets from the VM router but this doesn't seem to make sense as even though it's on a different subnet, all it would be able to see the internal network.

I've got to the point where I cannot see the wood for the trees so any help would be appreciated.

Cheers

Dave.
Standard User DFScale
(committed) Tue 01-Apr-25 23:34:18

Re: How to use router with openwrt as wired guest connection

[re: Daveytee]
 
If you are running a separate subnet for guest network, this subnet needs to be routed. So you need to use a router to route between your guest network on the LAN side and a WAN connection to the LAN side of your main router. The WAN side of the guest router needs an IP address on your office subnet, preferably fixed, either manually or by config of DHCP on the main router. The LAN side of the guest router needs an address on the guest network. The guest router also needs the default route to the main router. You don't need to use NAT on the guest router, but you should firewall your guest network against access to your office subnet apart from the main router.

I suggest that if your office subnet is on 192.168.x.x that you make your guest network live on a /24 subnet of 172.16.0.0 – 172.31.255.255. This is a private IP range and the obviously different addresses can help no end if you are going cross eyed with IP addresses.

And remember that routers and computers and anything does not have an IP address. It is always the interface which has the IP address. Thus the WAN interface of your guest router would have a 192.168.x.x address and the LAN interface would have a 172.x.x.x address.
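
Added example, not part of any post in this thread: a sketch of the OpenWrt configuration files for the layout described in the reply above (fixed WAN address on the office subnet, guest LAN with its own DHCP, guest traffic firewalled off from the office subnet). It assumes the office subnet is 192.168.0.0/24 with the main router at 192.168.0.1, a guest subnet of 172.16.99.0/24, and that OpenWrt's default `wan` firewall zone is still present; `UPLINK_PORT` and `GUEST_PORT` are placeholders for the real device names on the router.

```uci
# /etc/config/network (UPLINK_PORT / GUEST_PORT are placeholders)
config interface 'wan'
	option device 'UPLINK_PORT'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config interface 'guest'
	option device 'GUEST_PORT'
	option proto 'static'
	option ipaddr '172.16.99.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'guest'
	option interface 'guest'
	option leasetime '2h'

# /etc/config/firewall (added to the default file; default 'wan' zone kept)
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# The office subnet sits behind the wan zone, so reject it explicitly
config rule
	option name 'Guest-Reject-Office'
	option src 'guest'
	option dest 'wan'
	option dest_ip '192.168.0.0/24'
	option proto 'all'
	option target 'REJECT'

# input is REJECT, so open only DHCP and DNS on the guest router itself
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

With the default `wan` zone, masquerading stays on, so the main router needs no route back to 172.16.99.0/24. The no-NAT variant only works if the main router can be given a static route to the guest subnet via 192.168.0.2.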
Standard User Pheasant
(eat-sleep-adslguide) Wed 02-Apr-25 06:40:17

Re: How to use router with openwrt as wired guest connection

[re: Daveytee]
 
What does this company do? Are they some sort of startup or a family business of some sort?

Forgive me but they don’t seem to have much clue or assigning you any sort of proper budget, have any sort of strategy or ascribe any sort of importance to their networking and IT infrastructure - it appears to be cobbled together with wet string almost.

I could give you some very broad steers and recommendations - but it would help to know the lay of the land here?


Standard User DFScale
(committed) Wed 02-Apr-25 09:45:06

Re: How to use router with openwrt as wired guest connection

[re: Pheasant]
 
In reply to a post by Pheasant:
What does this company do? Are they some sort of startup or a family business of some sort?


Explained here https://forums.thinkbroadband.com/general/t/4771335-...
Standard User Daveytee
(newbie) Wed 02-Apr-25 10:18:22

Re: How to use router with openwrt as wired guest connection

[re: Pheasant]
 
Thanks DFScale for linking to my previous post but to answer the question Pheasant asked with a bit more brevity -

We're a charity and don't have much money to spend on IT equipment as we rely heavily on support from local businesses and members of the public.
I'm not actually employed by the charity (I do bits of work for them, gratis, and any equipment I supply is charged at cost).
I've previously worked with Cisco & Checkpoint kit but for companies where they had a significant budget for IT infrastructure.

We also have other constraints such as where the VM connection comes in to the building - the router is on a small shelf six feet up a wall so we have limited space for additional devices.
The building is very old so doesn't have many mains sockets as these were retro-fitted and has very little facility for cat6 cabling without incurring significant costs.

The other problem, and I understand this is of my own making, is that the way things are currently set up is working and the manager and staff are happy with it - it's me that would like it to be a little bit more secure based on my background in IT but obviously they see that it's working so don't understand why anything needs to change.
I know some will say that it should have been set up properly (more securely) in the first place and I take this onboard but at the time there were issues with the connection (partly due to VM connection issues, partly due to wifi strength issues) causing problems with courses that were being run so I simply reacted and put something in place that I never planned on leaving as a permanent solution to ensure the courses were not impacted (again as a charity, they rely heavily on their ability to run courses).

Hope this gives a bit more insight into the issues I'm facing.

Ideally, I'd like to use something like OpnSense or pfSense and have old computers I could supply for free to run these on but due to restrictions of space a full size PC (or even anything larger than a router sized box) isn't possible as a permanent solution and the smaller boxes that can run pfSense are out of my price range, hence cheap ADSL routers and looking at using OpenWRT on them.

Thanks - and ignore the fact that I used the word 'brevity' earlier, I think I've blown that one out of the water.

As a good friend of mine used to say 'Why use one word when a thousand will do?'. RIP Mike.

D.
Standard User Daveytee
(newbie) Wed 02-Apr-25 10:33:25

Re: How to use router with openwrt as wired guest connection

[re: DFScale]
 
Many thanks for this, and an excellent suggestion about using a 172 subnet to avoid confusion, never thought of it before but I can see it would make it very obvious which network the traffic was from and if using something like tcpdump (or using pftop in pfSense) would make it easy to spot traffic easily while it's scrolling up screen.
Standard User Pheasant
(eat-sleep-adslguide) Thu 03-Apr-25 07:32:35

Re: How to use router with openwrt as wired guest connection

[re: Daveytee]
 
Thanks for the additional background and context. Given that it's a charity with an extremely constrained budget, in terms of getting additional support, have you approached Charity Digital to see if they can help you?

https://charitydigital.org.uk/products/cisco-and-cis...

I believe that Virgin also have similar sorts of programs running. It's worth an ask.
Standard User Pheasant
(eat-sleep-adslguide) Thu 03-Apr-25 08:05:59

Re: How to use router with openwrt as wired guest connection

[re: Daveytee]
 
It may help you to sketch out a 'straw man' how you think the network ought to look (versus how it is now). This will help you to understand where the pinch points/problems are and how to best tackle and prioritise them.

You should be able to achieve most things with a fairly modest network. For example VLANs don't really cost you any money (if you can get hold of any fairly modest switch) but they will make your life much easier as you can logically segment and separate your network traffic. There is no real need here I don't think, to firewall internal traffic.

A single router (not the VM box) should allow you to manage the internal traffic, undertake firewall duties and manage traffic, run multiple DHCP scopes and subnets.

Start with a network diagram and go from there.
Standard User Daveytee
(newbie) Thu 03-Apr-25 08:22:45

Re: How to use router with openwrt as wired guest connection

[re: Pheasant]
 
Thanks. The connection we have through Virgin is subsidised as we are a charity and do digital inclusion courses but I'll check out Charity Digital to see what they can offer us.
Standard User Daveytee
(newbie) Thu 03-Apr-25 08:24:25

Re: How to use router with openwrt as wired guest connection

[re: Pheasant]
 
Many thanks for this, as ever, this community has come to my aid with many useful suggestions and pointers and I'm extremely grateful for all the assistance offered.