
Redoing an existing network...


59 replies to this topic

#1 pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 08 March 2013 - 14:34

Hello

First off, I have never done a small office network before, so...

I've been asked to redo an existing network in my office, mainly because the connection to the main router fails and the firewall is pretty basic/weak.

The first thing I'll have to do is recon some of the network devices.

This is what I know 100%:
Our IP is static.
The number of devices connected to the network.
There are two wireless networks.
The wireless clients are MAC controlled and WEP.
The other network only controls a security camera (WPA2).
There is a Windows DC.
There are 2 active Linux boxes.
All the physically connected devices (except the Unix boxes) are part of the domain.
The IPs are assigned via MAC addresses.

That's pretty much all I know; where should I continue from here?

What ideas I have:

A way better firewall; pfSense seems complicated so I'm thinking Cisco or DD-WRT.
Change the wireless to WPA2.
Make sure all routers (except the main) are acting as switches (as sometimes conflicts occur).


Also, since this is an office which is already running, downtime is impossible... or at most for reboots of devices.


#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 08 March 2013 - 14:46

"The wireless clients are MAC controlled and WEP"

So completely open to anyone that can google, then ;) Since both are completely and utterly useless as security measures.

Yeah, so fixing that would be a good start ;)

So what are you using as your gateway to the internet now? As to pfSense being complicated??? Yeah, clearly you have never used it - it's a web GUI, just like any other SOHO router.

So you mention "routers", so I am taking it you're double NATing on your wireless devices vs using them as just APs; yeah, I would fix that. Also, what are you using for your wired switches? How many total devices do you have? How many are wireless?

Happy to help you get the network in order, but I need some actual info to work with. Sorry, but something running DD-WRT is not really a better router for a BUSINESS setup.
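An added example (not from the thread, and not anyone's posted code) of why the WEP-plus-MAC-filter combination in the post above counts as open. WEP seeds RC4 with a 24-bit IV followed by the shared key, so IVs repeat, and every frame that reuses an IV is encrypted under the same keystream: one frame with known plaintext (ARP and DHCP bodies are predictable) hands over the keystream, and any other frame with that IV decrypts without the key. The MAC filter adds nothing, because the 802.11 header carrying the MAC is never encrypted and an allowed address is simply copied. The key, IVs and frame contents below are constructed for the demo; `wep_encrypt`/`wep_decrypt` are a minimal reimplementation of the WEP frame body, not a library.

```python
# Added example (not from the thread): WEP keystream reuse. Same IV under the
# same key => same RC4 keystream => one known-plaintext frame decrypts the rest.
# Key, IVs and frame contents are constructed for the demo.
import struct
import zlib

IV_LEN = 3   # 24-bit IV: at most 2**24 distinct keystreams per key
ICV_LEN = 4  # CRC-32 "integrity check value" appended before encryption


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """What a station sends: IV || RC4(IV||key) XOR (data || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    data = plaintext + _icv(plaintext)
    return iv + _xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Legitimate receiver with the key: returns (plaintext, icv_ok)."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = _xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    return plaintext, icv == _icv(plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker step 1: ciphertext XOR known plaintext = keystream for that IV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return iv, _xor(body, known_plaintext + _icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Attacker step 2: any frame reusing that IV decrypts without the key.
    Only as many bytes as the recovered keystream are recoverable."""
    if frame[:IV_LEN] != iv:
        raise ValueError("frame uses a different IV")
    body = frame[IV_LEN:]
    if len(body) > len(keystream):
        raise ValueError("only the first %d bytes are recoverable" % len(keystream))
    data = _xor(body, keystream)
    plaintext, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    return plaintext, icv == _icv(plaintext)  # a valid ICV confirms the recovery


def demo() -> dict:
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # IV reused by both frames
    known = b"who-has 192.168.1.1 tell 192.168.1.50 (constructed ARP body)"
    secret = b"GET /orders/export HTTP/1.1"   # constructed; no longer than `known`
    frame_a = wep_encrypt(key, iv, known)     # attacker knows this plaintext
    frame_b = wep_encrypt(key, iv, secret)    # attacker only sees this ciphertext
    iv_a, keystream = recover_keystream(frame_a, known)
    recovered, icv_ok = decrypt_with_keystream(frame_b, iv_a, keystream)
    return {"recovered": recovered, "icv_ok": icv_ok, "iv_space": 2 ** (8 * IV_LEN)}


if __name__ == "__main__":
    print(demo())
```

The `icv_ok` flag is the attacker's own check: if the CRC-32 over the recovered bytes matches, the keystream was right. On a busy network the 2**24 IV space is exhausted quickly, and many cards reset the IV counter at power-on, so collisions are routine rather than lucky.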

#3 +Aheer.R.S.

Aheer.R.S.

    I cannot Teach Him, the Boy has no Patience!

  • Tech Issues Solved: 9
  • Joined: 15-October 10
  • Location: Wolverhampton, United Kingdom
  • OS: Windows 7 X64 Ultimate Edition
  • Phone: Sony Xperia Z1 Compact

Posted 08 March 2013 - 14:52

Hello
~snip~

Hello back :) Now, although I cannot help you, as I have almost zero knowledge in this area, I would simply like to say: trust me, if anyone can do what you're asking, ^ he can. The man is a certifiable (oh, he's certifiable alright) genius; I've had to, from time to time, go through his old posts to find fixes for my network.
Now that's my ass kissing done for today. BudMan, where's that $50 you promised...? :p

#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 08 March 2013 - 16:04

$50 I promised? hehehe

So here is what I would suggest, now that I am not running out the door to work.

Prework

Document your current network: how is it connected, make and model numbers of the networking hardware we are working with. Do you have access to Visio? If so, great software for drawing your network up and documenting the details of your network. If not, you could use, say, http://www.gliffy.com/ for free.

Goals - what are the goals of the project? Fix current issues, allow for growth? Security? etc.?

Planning

Once you have this, you can work out the weaknesses in the current design, and can propose the new design that meets your goals. We can match up the goals with what we currently have to work with to come up with a budget to accomplish the goals. Once we have a budget, or lack of one, we can work within that constraint to plan for as many of the goals as possible.

It may be possible to work with what you have to correct any design flaws; if not, we can work out the best bang for the buck to get us where we want to be. But without a clear understanding of what we have currently, it is difficult to determine the best path.

Need to understand how many current computers/devices access the network - printers, scanners? How they access the network and what services they need or you want to provide with the network.

You mention AD; what about email - how do your current clients access email? Do you host it with Exchange, some other email server on your network, or is it offsite/hosted? I would assume file sharing; do your Linux boxes access this via ftp/cifs/smb/nfs?

Do you currently do any internet content filtering? Would you want to? Is this a primary goal or just something that would be nice to do if it can fit into the budget? Once we have basic services down, we can talk about other things like how you manage Windows machine updates/patches, do you have centrally managed antivirus? Do you want/need to provide access control lists between your devices? Say your wireless: does this need to be isolated from your work network and only allow internet access for guests? Do you need both?

Rollout

Once we have a plan that fits within the budget, we can then determine how best to roll out the new design. Be it staged in pieces, or an all-at-once uplift over a weekend. Done in steps to minimize any downtime, etc.

---
Maybe management of current services is outside scope? Are you just concerned with the network? If so, still need to understand what services are currently provided or will be, so that we can best design the network to allow for those services. Bandwidth, location of devices and servers. Is it spread out over a large area - closet switches needed? Just a core switch? What kind of wireless coverage is required, etc.

I would really suggest you start with a drawing of your current setup and an inventory of networking equipment, and we can move forward from there.
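An added example (not from the thread) of the inventory step above done from data rather than by walking around: it parses neighbour-table dumps into a per-device table and flags the two symptoms a "routers acting as switches" setup tends to produce, one IP answered by two MACs (an address conflict, typically a duplicate static or two DHCP servers on the same segment) and hosts sitting in a second subnet (some box on the path is still routing/NATing). The dump lines are constructed and pasted together from `ip neigh show` on two Linux hosts, and the OUI table holds placeholder vendors to be replaced with entries from the IEEE OUI registry; a `-a` dump from a Windows box needs only a different regex.

```python
# Added example (not from the thread): build an inventory from neighbour
# tables and flag IP conflicts and off-subnet hosts. Sample lines and the
# OUI->vendor table are constructed placeholders.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed: `ip neigh show` output from two hosts, concatenated.
SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:aa:bb:10 STALE
192.168.1.20 dev eth0 lladdr 00:33:44:cc:dd:20 REACHABLE
192.168.1.254 dev eth0 lladdr 00:11:22:aa:bb:fe DELAY
192.168.1.77 dev eth0 FAILED
192.168.1.20 dev eth0 lladdr 00:55:66:ee:ff:20 STALE
10.0.0.2 dev eth1 lladdr 00:55:66:ee:ff:02 REACHABLE
"""

OUI = {  # constructed placeholders: first three octets -> vendor
    "00:11:22": "vendor-A",
    "00:33:44": "vendor-B",
    "00:55:66": "vendor-C",
}

LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))?"
    r"(?: (?P<state>[A-Z]+))?$"
)

Entry = Tuple[str, str, str, str]  # (ip, mac, dev, state)


def parse_neigh(text: str) -> List[Entry]:
    """Keep only rows that resolved to a MAC; FAILED/INCOMPLETE rows say nothing."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["mac"]:
            continue
        entries.append((m["ip"], m["mac"].lower(), m["dev"], m["state"] or ""))
    return entries


def vendor(mac: str) -> str:
    return OUI.get(mac[:8], "unknown")


def build_inventory(entries: List[Entry]) -> Dict[str, dict]:
    """One row per MAC (the device), listing every IP and interface it was seen on."""
    inv: Dict[str, dict] = {}
    for ip, mac, dev, _state in entries:
        row = inv.setdefault(mac, {"vendor": vendor(mac), "ips": set(), "seen_on": set()})
        row["ips"].add(ip)
        row["seen_on"].add(dev)
    return {mac: {"vendor": r["vendor"], "ips": sorted(r["ips"]), "seen_on": sorted(r["seen_on"])}
            for mac, r in inv.items()}


def find_conflicts(entries: List[Entry]) -> Dict[str, List[str]]:
    """IPs answered by more than one MAC: duplicate static, or two DHCP servers on one segment."""
    macs_by_ip = defaultdict(set)
    for ip, mac, _dev, _state in entries:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}


def find_off_subnet(entries: List[Entry], lan: str) -> List[str]:
    """Hosts outside the office LAN: a second subnet usually means a second router/NAT."""
    net = ipaddress.ip_network(lan)
    return sorted({ip for ip, _mac, _dev, _state in entries
                   if ipaddress.ip_address(ip) not in net})


if __name__ == "__main__":
    found = parse_neigh(SAMPLE)
    for mac, row in build_inventory(found).items():
        print(mac, row)
    print("conflicts:", find_conflicts(found))
    print("off-subnet:", find_off_subnet(found, "192.168.1.0/24"))
```

Run it against dumps gathered from the DC, the two Linux boxes and a couple of workstations; the union gives a first pass at the device count BudMan is asking for, and the conflict list is the place to start when "conflicts occur".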

#5 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 11 March 2013 - 09:10

I actually replied but for some reason it didn't go through :(


> "The wireless clients are MAC controlled and WEP"
>
> So completely open to anyone that can google, then ;) Since both are completely and utterly useless as security measures.
>
> Yeah, so fixing that would be a good start ;)

Without a doubt, that would be one of my first steps.


> So what are you using as your gateway to the internet now? As to pfSense being complicated??? Yeah, clearly you have never used it - it's a web GUI, just like any other SOHO router.

Right now, we are using a router which is our gateway AND our firewall. pfSense looked complicated the first time I set it up.


> So you mention "routers", so I am taking it you're double NATing on your wireless devices vs using them as just APs; yeah, I would fix that. Also, what are you using for your wired switches? How many total devices do you have? How many are wireless?

No. One of the routers is doing NATing and the other is just a simple access point. I am not sure if they are BOTH doing NATing; I'd have to check.


> Happy to help you get the network in order, but I need some actual info to work with. Sorry, but something running DD-WRT is not really a better router for a BUSINESS setup.

Then what would be a good router/gateway? The goal here isn't really to throw money, because we have plenty of equipment; it's to design the network better than it already is.


> So here is what I would suggest, now that I am not running out the door to work.
>
> Prework
>
> Document your current network: how is it connected, make and model numbers of the networking hardware we are working with. Do you have access to Visio? If so, great software for drawing your network up and documenting the details of your network. If not, you could use, say, http://www.gliffy.com/ for free.

I don't have Visio so I can diagram it; I'll probably do it manually...



> Goals - what are the goals of the project? Fix current issues, allow for growth? Security? etc.?

I'd say fix current issues. I'm not a fan of securing (can't fit it in my head :p) but it's something I have to do as one of my servers stores orders and similar...

> Planning
>
> Once you have this, you can work out the weaknesses in the current design, and can propose the new design that meets your goals. We can match up the goals with what we currently have to work with to come up with a budget to accomplish the goals. Once we have a budget, or lack of one, we can work within that constraint to plan for as many of the goals as possible.
>
> It may be possible to work with what you have to correct any design flaws; if not, we can work out the best bang for the buck to get us where we want to be. But without a clear understanding of what we have currently, it is difficult to determine the best path.

I honestly think we have enough equipment; we just have to redesign a few things :)


> Need to understand how many current computers/devices access the network - printers, scanners? How they access the network and what services they need or you want to provide with the network.

Inventory is one of the first things I want to do...


> You mention AD; what about email - how do your current clients access email? Do you host it with Exchange, some other email server on your network, or is it offsite/hosted? I would assume file sharing; do your Linux boxes access this via ftp/cifs/smb/nfs?

Email is hosted offsite, but I wonder: would it be better that everyone fetches their email from offsite (how it is configured) or from the AD?


> Do you currently do any internet content filtering? Would you want to? Is this a primary goal or just something that would be nice to do if it can fit into the budget?

No interest in this.


> Once we have basic services down, we can talk about other things like how you manage Windows machine updates/patches, do you have centrally managed antivirus? Do you want/need to provide access control lists between your devices? Say your wireless: does this need to be isolated from your work network and only allow internet access for guests? Do you need both?

Right now, updates/patches are DISABLED domain-wide: the AD does not receive them nor does it distribute them. Central antivirus would be interesting depending on cost (we have individual, and right now I count... 9 PCs... using Norton).


> Rollout
>
> Once we have a plan that fits within the budget, we can then determine how best to roll out the new design. Be it staged in pieces, or an all-at-once uplift over a weekend. Done in steps to minimize any downtime, etc.

I have no doubt that the best time would be Friday (fewer people) and in one day. I say one day because I don't work on Saturdays, nor would I get paid if I came in.


> Maybe management of current services is outside scope? Are you just concerned with the network? If so, still need to understand what services are currently provided or will be, so that we can best design the network to allow for those services. Bandwidth, location of devices and servers. Is it spread out over a large area - closet switches needed? Just a core switch? What kind of wireless coverage is required, etc.
>
> I would really suggest you start with a drawing of your current setup and an inventory of networking equipment, and we can move forward from there.

My main goal is to design the network better so it works better, because our main router currently is failing every, what, 24 hours? That is not only unacceptable but it affects my server. We plan to get a secondary line just for it.

For some reason the quote system doesn't work right so I had to post it unquoted. Sorry.



#6 seta-san

seta-san

    Neowinian Senior

  • Joined: 17-February 05

Posted 11 March 2013 - 09:38

On the wireless:

WPA2 - use a strong key
Use MAC FILTERING
Don't broadcast the SSID.

If at all possible, narrow the bands you'll be using.

A and N use the 5GHz band
B, G, N use the 2.4GHz band <- B, G

On the routing... you might want to check if you already have access to IPv6. This might be the time to have to upgrade or discard devices. IPv6 adds routing speed due to fixed header lengths and bypasses having NAT entirely. Bad news: all your devices' IP addresses will be front-facing the internet.

B and G devices are extremely common, and N is catching up.
A is almost non-existent and slow today.

Try to make your network a pure N network, making it fully incompatible with a multitude of older devices.

#7 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 11 March 2013 - 09:43

> On the wireless:
>
> WPA2 - use a strong key
> Use MAC FILTERING
> Don't broadcast the SSID.

I'll have one of the networks like this, except SSID broadcasting; people who are not tech oriented use that network for internet access and I would have to configure their phones myself.

> If at all possible, narrow the bands you'll be using.
>
> A and N use the 5GHz band
> B, G, N use the 2.4GHz band <- B, G

We will be using G for compatibility reasons on the 2.4GHz network. No reason at all to update to N/5GHz, plus none of our current routers support it.

> On the routing... you might want to check if you already have access to IPv6. This might be the time to have to upgrade or discard devices. IPv6 adds routing speed due to fixed header lengths

Currently, this does not bring anything to our network as this is a small office network.


> Try to make your network a pure N network, making it fully incompatible with a multitude of older devices.

...and who says we don't have older devices?

#8 Haggis

Haggis

    Neowinian Senior

  • Tech Issues Solved: 9
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 11 March 2013 - 09:45

Why make the SSID invisible?

Devices broadcast it anyway.

#9 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 11 March 2013 - 09:47

> Why make the SSID invisible?
>
> Devices broadcast it anyway.

That wasn't my suggestion. I personally do not like it either. Does nothing, as people can sniff it out anyway.

#10 seta-san

seta-san

    Neowinian Senior

  • Joined: 17-February 05

Posted 11 March 2013 - 09:53

> That wasn't my suggestion. I personally do not like it either. Does nothing, as people can sniff it out anyway.

True, it's easy enough to sniff the packets... but then again, wireless security is rarely any more secure than a cheap Masterlock. It's there to keep out the honest and lazy by making it inconvenient.

> ...and who says we don't have older devices?

As I said, wireless security is all about inconvenience.

#11 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 11 March 2013 - 09:56

Let's not focus on wireless, as I couldn't care less about wireless.

#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 March 2013 - 12:50

If this is the sort of info you're going to give, we might as well stop now.

"Right now, we are using a router which is our gateway AND our firewall"

Come on - what is the make and model?? Is it really that hard? Is it a WRT54G or a Cisco ASA 5500?

As to drawing it out manually?? What are you going to use, Paint? Or are you going to sketch on paper and then scan it? So use Gliffy - it's free and you can draw up network info in a few minutes that everyone can read, and we can even share it and edit together, etc.

Here was an OLD drawing from when I was helping uplift work an issue; this was the start of documentation of his network. Something like this is going to be much easier to work with than a hand-drawn thing.

[image: uplift_current.png]

As to not caring about wireless - yeah, again, wrong attitude; it's probably your weak spot and what is causing you grief. Using home routers, probably even double NATing, vs actual business-type gear. Let's get some DETAILS and this drawing.

#13 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 11 March 2013 - 17:15

> If this is the sort of info you're going to give, we might as well stop now.
>
> "Right now, we are using a router which is our gateway AND our firewall"
>
> Come on - what is the make and model?? Is it really that hard? Is it a WRT54G or a Cisco ASA 5500?

Well, I wanted to initially just post the situation. Like I mentioned, I have to do inventory, which is where I will write down all the TCP/IP equipment with their make/model numbers.


> As to not caring about wireless - yeah, again, wrong attitude; it's probably your weak spot and what is causing you grief. Using home routers, probably even double NATing, vs actual business-type gear. Let's get some DETAILS and this drawing.

Wireless is what is least used here. Only our phones (on one access point) and a wireless camera (on another access point) use it. Nothing else. That is why I don't really care about it.

OK, BudMan, got you the main rack's equipment models... the rest is pretty much dumb switches AFAIK.

TP-Link TD-W8951ND - This is our modem. I am supposing it is in bridge mode with...
ZyXEL ZyWall 10 - Our firewall. This is acting as our gateway.
D-Link DGS-1016D
D-Link DGS-1100-24 - These two basically move all the network.
Panasonic KX-NCP500XNE - No idea what this device does, but I imagine it controls our analog land lines so we can transfer calls between internal phones.

More:
D-Link DIR-600 - This is the access point for the wireless camera. Has everything disabled (NAT/DHCP/etc).
Senao SL3054CB3 PLUS DELUXE - Looks like a wireless extender. No idea if for our network or the cam's.
Panasonic KX-NCP0158CE - Similar to the Panasonic KX-NCP500XNE; I think this is the main point and the Panasonic KX-NCP500XNE is the switch for it. No idea.

I'll make the PC inventory a bit later. The Windows PCs are all part of the domain.

#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 March 2013 - 18:43

Ok, this http://www.tp-link.c...odel=TD-W8951ND is an ADSL2+ modem/router, i.e. a gateway-type device. I would double-check that it's in bridge mode. If I had to guess, it's doing NAT; is the wireless of this device being used?

So can we verify the full model number on your ZyXEL? I cannot seem to find any manuals for it; a quick google shows some reviews and such, but they are from 2002? Is that right? If your device is from 2002, I would put it first on the list as needing a refresh!! If it is from 2002, even if fully functional, what would happen on failure? What is the backup plan? Does it have a support contract on it? Response time? I would also be concerned with it even being able to handle your internet connection. There have been some real increases in performance since 2002, and in internet speeds ;)

As to the DIR-600, an AP plugged into what, one of your switches, the W8951ND? If you're not isolating your networks via NAT, segment/VLAN, then anyone on your network could access this camera. So not clear on why WPA2 for that and just WEP for your other wireless? How your wireless ties into your network should be of major concern!! Really it should, because if it's not isolated from your wired network, anyone accessing the wireless has full access into your network. I would really move this up your list of concerns. If not required, then SHUT it down until you can correctly secure it or isolate it from your other systems.

So your 1016D is just a dumb gig switch, but your 1100-24 is a smart switch, so it does have some features like bandwidth control, VLANs, QoS, etc. So I would hope this is the core switch and then your 1016D is just an access switch - maybe in a closet somewhere - but it sounds like it's in the same rack? So do you have any other switches anywhere else in the building, or just these 2 that everything is connected to?

As to the KX-NCP500XNE, yeah, that is a phone system; are you only analog phones or are you doing VoIP/SIP? If doing VoIP, is that traffic isolated from your other network traffic? That could be an issue - need to see the drawing to see how this ties into the network. As to the Panasonic KX-NCP0158CE, that shows as an 8 Channel IP DECT Cell Station (VoIP) - again, how is this tied into the network, is this traffic isolated?

As to the SL3054CB3, yeah, that could be an AP, a bridge or a repeater - so really need to understand how that is configured and connected into your network as well.

This is a start; we got some model numbers now, and know some of the technology we are working with. Now we just need to get some details of how everything is connected: IP space, VLANs? Double NAT on that W8951ND to your ZyXEL??

I am concerned with running VoIP traffic over your normal network, and concerned with unsecured wireless (WEP) that has access to your network.
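An added example (not from the thread, and not the OP's or BudMan's work) that turns the concerns in the post above into checks you can run against a model of the rack. The device names are the ones posted; every setting (which box NATs, which VLAN a LAN side is bridged to, which wireless security is in use) is an assumption standing in for what the inventory and drawing will actually show, and the unnamed "router doing NATing" from the OP's earlier reply is modelled here as `office-wifi`. Two models are included: the current setup as assumed, which trips every check, and a proposed one (modem bridged, one NAT at the firewall, WPA2 everywhere, wireless, camera and voice on their own VLANs off the smart switch) that passes them.

```python
# Added example (not from the thread): audit a model of the rack for double
# NAT, wireless bridged onto the wired LAN, weak wireless, and voice on the
# data VLAN. Device names are from the posts; all settings are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WIRED_VLAN = 1  # assumption: PCs and servers sit untagged on VLAN 1


@dataclass
class Device:
    role: str                        # modem, firewall, switch, ap, phone
    uplink: Optional[str] = None     # next device toward the internet
    nat: bool = False                # does this box translate addresses?
    lan_vlan: int = WIRED_VLAN       # VLAN its LAN/client side is bridged to
    wireless: Optional[str] = None   # None, "open", "wep", "wpa2"
    mac_filter: bool = False         # recorded only to show it changes nothing


def nat_hops(devs: Dict[str, Device], name: str) -> int:
    """NAT boundaries between this device's LAN side and the internet."""
    hops, cur = 0, name
    while cur is not None:
        d = devs[cur]
        hops += 1 if d.nat else 0
        cur = d.uplink
    return hops


def audit(devs: Dict[str, Device]) -> List[Tuple[str, str]]:
    findings = []
    for name, d in devs.items():
        if d.nat and d.uplink is not None and nat_hops(devs, d.uplink) >= 1:
            findings.append((name, "double-nat"))
        if d.wireless in ("open", "wep"):
            findings.append((name, "weak-wireless"))  # mac_filter does not rescue this
        if d.wireless is not None and d.lan_vlan == WIRED_VLAN:
            findings.append((name, "wireless-not-isolated"))  # WLAN clients land on the wired LAN
        if d.role == "phone" and d.lan_vlan == WIRED_VLAN:
            findings.append((name, "voice-not-isolated"))     # VoIP shares the data VLAN
    return findings


# Assumed current state.
CURRENT = {
    "TD-W8951ND": Device("modem", nat=True),                      # assumed NOT in bridge mode
    "ZyWall 10": Device("firewall", uplink="TD-W8951ND", nat=True),
    "DGS-1100-24": Device("switch", uplink="ZyWall 10"),
    "DGS-1016D": Device("switch", uplink="DGS-1100-24"),
    "office-wifi": Device("ap", uplink="DGS-1016D", nat=True, wireless="wep", mac_filter=True),
    "DIR-600": Device("ap", uplink="DGS-1100-24", wireless="wpa2"),  # camera AP, NAT/DHCP off
    "KX-NCP500XNE": Device("phone", uplink="DGS-1100-24"),
}

# Proposed state. APs and the phone system hang off the DGS-1100-24 because
# the DGS-1016D is unmanaged and cannot carry tagged VLANs.
PROPOSED = {
    "TD-W8951ND": Device("modem", nat=False),                     # bridged
    "ZyWall 10": Device("firewall", uplink="TD-W8951ND", nat=True),  # the only NAT
    "DGS-1100-24": Device("switch", uplink="ZyWall 10"),
    "DGS-1016D": Device("switch", uplink="DGS-1100-24"),
    "office-wifi": Device("ap", uplink="DGS-1100-24", lan_vlan=20, wireless="wpa2"),
    "DIR-600": Device("ap", uplink="DGS-1100-24", lan_vlan=30, wireless="wpa2"),
    "KX-NCP500XNE": Device("phone", uplink="DGS-1100-24", lan_vlan=40),
}


if __name__ == "__main__":
    for label, model in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, audit(model) or "no findings")
```

The point of keeping the model in code is that it becomes the checklist for the cutover: once the real values from the drawing are filled in, `audit(CURRENT)` is the list of things to fix, and an empty `audit(PROPOSED)` is what the Friday rollout has to end with. The VLANs still need matching ACLs on the ZyWall (or its replacement) so that guest wireless and the camera VLAN can reach the internet but not the server VLAN; the check here only confirms the segments exist.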

#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 March 2013 - 20:29

Ok - took a few minutes during a boring work call to start a drawing. Not sure how this is all connected yet, but these are the devices we know about.

This is why I would like to use something like Gliffy vs you scratching out something on paper. We can edit, have revisions, take the current drawing and modify it on a copy for the new design, etc.

[image: neowin-d2.jpg]

As you feed me info, happy to keep this updated. And we have a 30-day trial of the FULL version, so I could even give you direct access to it for edits, etc.

Info I would be looking for is IPs, number of computers, servers - where these devices connect to; for example the phone stuff - really worried about running this bandwidth over your current switches. What is the DHCP server? DNS? Is that handled by the ZyXEL? What's its IP? What is the network in use?


