question for router/firewall experts


striker

Today someone asked me a question and I had an idea which I personally think would be doable.

The person has a modem/router/VoIP combination with an ADSL2+ account. That modem/router/VoIP combo has 4 ethernet outputs and also wireless, however the wifi is disabled. He wants to concentrate on wired only. His phone works through VoIP with his ISP. The person runs a one-man office from his home.

The problem: he needs at least 6 computers to be connected individually, each with their own IP; sometimes more than one computer at the same time is powered on and has to be able to access the internet and the intranet. That same person also wants to add an additional layer of security. So a switch is no option.

My answer to this person was this: 'add a hardware firewall or another router (w/ NAT+SPI) with 8 ports' in series with the modem/router/VoIP combination.

The person later got back to me and said he did some questioning left and right and was told it wouldn't be possible, because routers weren't made for that :huh: and it all would only get into problems. <_< He asked me what to do now.

My question to you experts: I posted a picture of the set up in mind at: http://tinypic.com/view.php?pic=wtbpjn&s=5
I've shown in there two possibilities marked 1 and 2.

Would the above set up of my idea be possible? IMHO yes, however there are many roads leading to Rome; in other words you need to know exactly what you're doing. I've got a few good hints, i.e. http://www.grc.com/nat/nat.htm and http://www.smallnetbuilder.com/content/view/24428/53/ and http://www.hardforum.com/showthread.php?t=1226866

If you agree, any hints on a firewall/router with 'the better throughput'? Any practical experience / hints? Am I speaking nonsense, have my brains gone into illusionary mode?

I don't really understand the part about "an additional layer of protection" and therefore no switch, but if that is really the case, then #1 is the answer. Number 2 would be no different than a switch because you would have to disable its DHCP and its firewall wouldn't be in play. The firewall exists between the WAN or Internet port and the LAN ports.

You will also need to set up the DNS ports in the second router.

Edited by lewmur

Hello,

The person will end up with a double-NAT'ed network on the "inside" LAN behind the second router. The computers there might be able to access the Internet for some applications (for example, sending email), but they will probably have difficulty with any sort of inbound connection (receiving email, audio on VoIP calls and so forth). A good illustration can be found here on an Australian ISP's web site.

It might be better if the person created two separate networks (subnets), each with its own route to the Internet connection, and bridged them.

Regards,
Aryeh Goretsky

Quoting: "The person will end up with a double-NAT'ed network on the "inside" LAN behind the second router. The computers there might be able to access the Internet for some applications (for example, sending email), but they will probably have difficulty with any sort of inbound connection (receiving email, audio on VoIP calls and so forth)"

Erm... I happen to use a setup like that without problems. I have a Thomson cable modem/router [provided by the operator with crippled software - NAT is "forced"] with WLAN [disconnected] and ONLY ONE ethernet port. I have a two-puter setup, so I hooked up a 4-port wired router (because I happened to own one) between the cable modem and the two puters. And... well... I'm posting this message "with" that setup, so... erm... who says bumble bees can't fly?

However: this setup was borne out of my being too cheap/lazy to go and buy a switch; I fail to see any additional security in this. <_<

Thanks for the reactions so far.

I just got a call from the local Netgear headquarters: no problem with the set up intended like shown above. There might be a little problem with the IP ranges, but that's easily solvable. (I've got the documents on how to solve this from their site.)

Anybody else have a recommendation?

Some of the small-business class Linksys routers and managed switches have the ability to create VLANs, so even if you don't isolate two subnets physically you can do so logically.

Quoting: "Why not just add a network switch to the router? Extra ports, and no potential issues with "double NATting"."

That was my initial thought but Striker said:

"The problem: he needs at least 6 computers to be connected individually each with their own IP, sometimes more than one computer at the same time is powered on and has to be able to access the internet and the intranet. That same person also wants to add an additional layer of security. So a switch is no option."

Hello,

If both devices support Universal Plug and Play, they may bridge themselves. I suspect the capability varies with specific devices, though.

Just to check, both of your residential gateways provide DHCP service, or is it disabled on the second (inside) four-port residential gateway?

Regards,
Aryeh Goretsky

Indeed, a switch is not an option in this case.

@goretsky: the intended set up is just a plan, it's not reality yet. When I disable DHCP in the 'inside' router, that would mean I could use a trick for print and file sharing to be used, however it would only be a workaround. When the 'inside' one is bridged, that would defeat the firewall in it, which is the thing this man wants absolutely. The first router in the set up - the Siemens router/modem combo - can not be put into bridged mode, and it would also be unwanted because he wants an additional layer of security. That's why he asked for a second firewall to have this additional layer of security.

- - - - -

The more I think about it, the fewer possibilities remain: my intention was to let this man use an 8 port router a la Netgear FVG318 (on which he could disable the wifi section). There's also another model, the FVS318 (without wifi), or the FVX538. However, looking at the actual throughput of these models I doubt he would get what his ADSL2+ offers. So that leaves me with either a Linksys BEFSR81 or a set up with two 4-port routers. (D-Link comes to mind here, a bit more expensive but far better quality so I've read.)

The first option (the BEFSR81) would give all things needed in a handy package; the latter (two 4-port routers) will result in the same but with problems and needed workarounds regarding printer and file sharing.

What I have read however on several forums is that the BEFSR81 has big problems reported by users. As long as one only uses 2 or 3 PCs at the same time it could work flawlessly, but when using more I've been reading about people pulling their hair out. I don't like to try that route because I don't have that much hair left :lol: , it's getting thinner and thinner.

So in order not to pull up the price (by stepping up the pro way and using some enterprise router/vpn/firewall stuff) I'm left with either the risky BEFSR81 and a possible lack of a natural or usual covering on my head, or get over it, use two 4-port routers and use a couple of workarounds regarding printer and file sharing.

It's a difficult decision. That man is not that computer savvy; he knows his way around as long as it works, but when real problems arise he has a problem.

Anyway, when I buy two 4-port routers to test this set up, if it doesn't work I can relatively easily get rid of them again; but with an 8 port router with its way higher price tag it won't be that easy, because most clients I have are not business users. (OTOH the BEFSR81 can be had for around 75 euros here.)

I think I'd better get over to his place after closing time and have a thorough look myself and have a talk with him about the possibilities I see at the moment.

Quoting: "Indeed, a switch is not an option in this case."

Striker,

Perhaps you might want to have your client consider going with the switch option. If he's behind a router with NAT, just what is that 2nd layer of security good for anyway?? I just don't get it. I would think not only is the switch the most simple solution, but it's also the best option for a computer novice who doesn't understand computers, for troubleshooting purposes.

Quoting: "Indeed, a switch is not an option in this case. [...] I think I better get over to his place after closing time and have a thorough look myself and to have a talk with him about the possibilities I see at the moment."

There is no point in buying an expensive router with a lot of ports. Whatever the final setup, you can always use a switch behind the last router to get additional ports. Original router to the WAN port of second four port router to five port switch will still give you eight ports behind the second firewall. You could even use a high speed switch to give you better file transfers on the LAN and save a ton of money compared to a high speed router. What you are buying the second router for is the hardware firewall, and that is pretty much the same with a $20 router as it is with a $200 one.

I have done this and it works. The only issue is getting the second router's WAN set up and that isn't really difficult. If you have any problems, give us the model numbers of the two routers and we can help with any problems.

Edited by lewmur

Alright, he ordered a Siemens Gigaset SE361 router (4 ports) and agreed with the set up Lew proposed. He can get it cheaper than I can because I don't run a real business like he does. He can get it for 38 euros; if I had to order it myself it would have cost him 55 euros excluding shipping and handling. He expects the router to arrive around the 14th of January, so if I'm not erring that's next week's Wednesday. I think that little router combines perfectly with his modem/router combo; in fact it almost looks the same from the outside too. Being the same brand is what really took him, I think. Anyway, next week we'll have a 'party' then. :lol:

From experience with moderate sized networks, router and switch throughput makes a huge difference, or even the difference between it crashing all the time or not.

I read he's already ordered a router, and that's all well and good, but if he wants to keep a server more-or-less secure from the internet, then he should consider something like a Cisco ASA 5505. Too costly? Depends. What's the data he's keeping private worth, or the lawsuits that may stem from its leaking?

A step down would be a Cisco 800 series which Cisco propaganda says can support up to 10 users (my experience is, it will vomit on itself around 10 users). Either of those can provide DHCP so his PCs will indeed have unique addresses.

And everyone's right - a switch on the inside of any router will expand the network as large as he cares to get.

I suppose my solution is about 10x more expensive than his... but again, how valuable is the data he's trying to protect?

Agreed Temmu, but it's his decision and his money, so I can't do anything about it now. And I don't have any insights on his business.

Yep, exactly. Haven't heard back from him yet, that means the gear has not arrived yet.
This setup can also be used to isolate a wireless network from the wired network. I did this for a bar and grill that wanted to give its customers a wifi hotspot without allowing them access to their own LAN. Used a wireless router for the first or outside router and then put the LAN behind a second router, with the second router's WAN port connected to the first router.

Edited by lewmur

Alrighty, the new gear arrived Thursday. So tonight I went over to his place and made some modifications to his set up. Read on...

In fact he wasn't in for that - he preferred something simple like 'just connect it and get over with it' - so I thought 'OK, you asked for it...' and did exactly that. Then he started some testing and within a couple of minutes the first problem surfaced: he couldn't scan through the network.

Now it was my turn: 'do you allow me to modify your set up so it works the way you want?' Now he couldn't resist, so I had some fiddling to do and he watched while I was at work. 'What if it won't work, can you get it back the way it was?' was his question a couple of times. I had previously printed out a set up which I knew would work, so in fact it was easy. Besides that I had three alternatives printed out and in my case with my working gear. :thumbsup:

The first router: I limited the IP range to no more IPs than required. The second router: ditto. From the first router's LAN port I made a connection to the second router's WAN port. Both routers use DHCP. The first router's IP range uses a different 3rd octet range than the second router.

His laser printer I left at one of the first router's LAN ports, just where it was. The second LAN port of it goes to the WAN port of his second router. The other LAN ports on his first router were left open to be used as spare ports. Two of his computers were at service; one of them probably won't be coming back, possibly a new one will get its place.

The second router's LAN ports are all going to different PCs. One of the LAN ports of this router is designated and connected to an AIO. That's the only way to get the printer and also the scanner going from the computers connected to this second router. His main machine is also at this router. If one connects this AIO to the first router (like it used to be) one is able to print but no scanning is possible. So by reconnecting this AIO to the other router it now also works. Both this AIO and the laser printer I assigned new IPs, and the AIO IP also another 3rd octet.

Testing phase arrived: as the one who did the hard work it was my turn first. :thumbsup: All computers got an IP, they all could get to the internet, get the business mails, get his private mails, and all computers could print to both printers and scan via the AIO. No problems encountered whatsoever. In fact there's even a third printer in the house but it is not connected through the intranet. It's driven by a USB switch; after that there are four other computers and a whole set up, separated from his intranet.

Anyway, now it was his turn: but that didn't take long :thumbsup: as he watched me testing the new set up, so there was nothing left to be tested. It all just worked flawlessly.

After that it was coffee time. I then backed up both routers' configurations and burned them to a CD-R. I also gave him a copy of the set up now in use with the IPs and ranges marked on it, and a card with the user names and passwords for both routers.

The job was done successfully.

I want to express my thanks to those who chimed in in this thread and offered ideas. I used some of that after I did some studying and researching. Remember: it all can be easy as pie, except where an AIO comes into play. Luckily I was prepared for that; during researching Smallnetbuilder.com came to the rescue with some theory and explanations. :thumbsdown:
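The addressing rules the thread converged on (second router's WAN on the first router's LAN, a different third octet per LAN, DHCP pools trimmed to what is needed) and the "print works but scan-to-PC doesn't" symptom can be checked with a small model. This is an added example, not code from the thread or from any router vendor; the subnets, addresses and pool sizes are constructed, and the scan-to-PC failure is modelled on the assumption that the AIO initiates that traffic, which the inner router's NAT/SPI drops as unsolicited inbound.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

@dataclass
class Router:
    """A NAT/SPI router: the LAN subnet it serves, its own WAN-side address
    (None for the ISP-facing modem/router) and the DHCP pool as host indices."""
    name: str
    lan: ipaddress.IPv4Network
    wan_addr: Optional[IPv4]
    dhcp_pool: Tuple[int, int]

def check_plan(outer: Router, inner: Router, hosts_needed: int) -> List[str]:
    """Problems with a two-routers-in-series plan; an empty list means the plan is sane."""
    problems = []
    if outer.lan.overlaps(inner.lan):
        problems.append("LAN subnets overlap: inner router cannot tell local from upstream")
    if inner.wan_addr is None or inner.wan_addr not in outer.lan:
        problems.append("inner router WAN address must be an address on the outer LAN")
    lo, hi = inner.dhcp_pool
    if hi - lo + 1 < hosts_needed:
        problems.append(f"inner DHCP pool has {hi - lo + 1} leases, {hosts_needed} needed")
    if hi > inner.lan.num_addresses - 2:
        problems.append("inner DHCP pool overruns the subnet's last usable host")
    return problems

def can_initiate(src: IPv4, dst: IPv4, outer: Router, inner: Router) -> bool:
    """Model of who can open a new connection to whom, with no port forwards configured."""
    if src in inner.lan and dst in inner.lan:   # same LAN, no router in the path
        return True
    if src in outer.lan and dst in outer.lan:
        return True
    if src in inner.lan and dst in outer.lan:   # outbound through the inner router's NAT
        return True
    return False   # outer LAN -> inner LAN: unsolicited inbound, dropped by inner NAT/SPI

# Constructed sample plan mirroring the thread: a different third octet per LAN,
# pools trimmed to the hosts actually needed. BAD_INNER reuses the outer subnet.
OUTER = Router("modem/router", ipaddress.IPv4Network("192.168.1.0/24"), None, (2, 5))
INNER = Router("second router", ipaddress.IPv4Network("192.168.2.0/24"), IPv4("192.168.1.2"), (2, 9))
BAD_INNER = Router("misconfigured", ipaddress.IPv4Network("192.168.1.0/24"), IPv4("192.168.1.2"), (2, 9))

def aio_scan_push_works(aio_on_inner: bool) -> bool:
    """Scan-to-PC is started by the AIO (assumption); it only works if the AIO shares the PCs' LAN."""
    pc = IPv4("192.168.2.10")
    aio = IPv4("192.168.2.20") if aio_on_inner else IPv4("192.168.1.20")
    return can_initiate(aio, pc, OUTER, INNER)

if __name__ == "__main__":
    print(check_plan(OUTER, INNER, 6))        # []
    print(check_plan(OUTER, BAD_INNER, 6))    # overlap reported
    print(aio_scan_push_works(False), aio_scan_push_works(True))  # False True
```

Printing from an inner PC to the laser printer left on the outer LAN still passes, since that connection is started from the inside and leaves through the inner router's NAT like any other outbound flow.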
