• 0
Sign in to follow this  
Followers 0

Question

Posted

Hello

First off I have never done a small office network before so....

Ive been asked to redo a existing network in my office. Mainly because the connection to the main router fails and the firewall is pretty basic/weak.

The first thing Ill have to do is recon some of the network devices.

This is what I know 100%:
Our IP is static
The number of devices connected to the network.
There are two wireless networks
The wireless clients are MACed controll and WEP
The other network only controls a security camera (WPA2)
There is a Windows DC
There are 2 active Linux boxes
All the phyically connected devices (except the unix boxes) are part of the domain.
The IPs are assigned via MAC addresses.

Thats pretty much all I know, where should I contiue from here?

What ideas I have:

A way better firewall; pFsense seems complicated so Im thinking Cisco or DD-WRT.
Change the wireless to WPA2
Make sure all routers (except the main) are acting as switches (as sometimes conflicts occur)


Also, since this is a office which is already running, downtime is impossible.....or max for reboots of devices.

Share this post


Link to post
Share on other sites

59 answers to this question

  • 0

Posted

Well how does that make sense - if you show the dhcp disaabled. Then no its not your dhcp server.

Post an ipconfig /all of your one of your dhcp clients. Also you should NOT be handing out 8.8.8.8 as dns if your boxes are members of AD.. In AD - YOU ONLY point to the AD DNS - PERIOD! This dns then forwards for unknowns.

So lets see ipconfig /all

Then I ping the dhcp server listed there, and I want to see the arp table

arp -a to see the mac of that IP your showing as dhcp server.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='pes2013' timestamp='1363253853' post='595576724']
I want to repeat that part about small office :) Someone suggested a Dell SonicWALL TZ 205 and at 1000
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

If you only have like 20-30 users, I would prob say the
[b] ZyWALL USG 200/100/50/20W/20[/b]

line is good, if you want vpn access for your users prob go with the 50 or 100 model, if not then 20 prob work. Think that only runs about $150 so more in your ballpark? And then prob replace your wireless stuff with zyxel AP as well.

Lets get some numbers of devices and how everything is connected. I don't buy your zyxel is the dhcp server even when it shows disabled. And you put that wireless gateway in front of your firewall in bridge mode -- so the wireless is disabled? You posted up screen shot of your zyxel lan and dhcp server - could you post the wan side of that, you can black out the last couple of octets.

Why would you be using a adsl wireless gateway just to put it into bridge mode?

Also in sizing your firewall uplift, how much is your current bandwidth from your isp?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1363261336' post='595576928']
Well how does that make sense - if you show the dhcp disaabled. Then no its not your dhcp server.

Post an ipconfig /all of your one of your dhcp clients. Also you should NOT be handing out 8.8.8.8 as dns if your boxes are members of AD.. In AD - YOU ONLY point to the AD DNS - PERIOD! This dns then forwards for unknowns.
[/quote]
Please remember BudMan I did NOT build this network nor from scratch nor from anything; This is the first time they have asked me to look at it. My primary DNS address is the AD

[quote name='BudMan' timestamp='1363261336' post='595576928']
So lets see ipconfig /all

Then I ping the dhcp server listed there, and I want to see the arp table

arp -a to see the mac of that IP your showing as dhcp server.
[/quote]
OK, Ill get you that information tommorow. Like I said, I think (I have a big plate of TODO on my list) I can get you equipment inventory. Do you need EXACT things or for standard PCs will a "desktop PC" be enough?

[quote name='BudMan' timestamp='1363269465' post='595577164']
If you only have like 20-30 users, I would prob say the
[b] ZyWALL USG 200/100/50/20W/20[/b]

line is good, if you want vpn access for your users prob go with the 50 or 100 model, if not then 20 prob work. Think that only runs about $150 so more in your ballpark? And then prob replace your wireless stuff with zyxel AP as well.

Lets get some numbers of devices and how everything is connected. I don't buy your zyxel is the dhcp server even when it shows disabled. And you put that wireless gateway in front of your firewall in bridge mode -- so the wireless is disabled? You posted up screen shot of your zyxel lan and dhcp server - could you post the wan side of that, you can black out the last couple of octets.

Why would you be using a adsl wireless gateway just to put it into bridge mode?

Also in sizing your firewall uplift, how much is your current bandwidth from your isp?
[/quote]
We are about 10 in the office (at days, less than 5), no outbound connections coming in.

Ill reread your post tommorow to get you arp tables and screenshots you asked.

BTW, we can do with anything, doesnt have to be zyxel; I perfer a good Cisco even if its a bit more expensive. OpenVPN server capability would be intresting although not deal breaking.

Share this post


Link to post
Share on other sites
  • 0

Posted

As 99% of the time, the great BudMan is correct: My DHCP server is the DC:

[img]http://img585.imageshack.us/img585/883/configc.png[/img]

Arp table:

[img]http://img542.imageshack.us/img542/4894/arpc.png[/img]

WAN side:

[img]http://img521.imageshack.us/img521/2874/wanside.png[/img]

Share this post


Link to post
Share on other sites
  • 0

Posted

You forgot the five 9s on you 99 ;)

Welll I can tell right off why you might have issues with your network, your using the gateway as DNS. As I mentioned before in AD, you ONLY talk to AD dns -- your zyxel has not a clue to your AD structure, he might be able to resolve google.com for you -- but he sure and the hell can not resolve your AD domain entries. You point to your DC, your DC forwards queries he does not have the answer to your isp or googledns, or opendns, etc.

Another issue I see, why is your dhcp lease only 1 hour?? That is utterly pointless in a network of so few using a /24 network. That is just unnecessary traffic and possible issues with not renewing, etc.

Is this your machine - why is vmware interfaces on it? Looks like you have ipv6 still enabled - you using that? Doubt it, so just other **** that can cause problem your network.

I personally would do some clean up on your boxes and disable ipv6 if your not using it. Purely from a security aspect you don't run protocols you don't need! Simple fix to disable via a reg entry

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

If your going to run ipv6 on your network, then set it up.. Your clents don't need a 6to4 interface, they don't need teredo interface..

Your network hardware is prob not the problem, your problem when you say your rebooting everything might be as simple as your clients are not pointing to ONLY AD for dns.. And or your dhcp server craps, and your clients lease expire in 1 hour so then everyone would be dead in the water.

And if everyone has ipv6 enabled but not using it - bunch of again unnecessary traffic flowing, a lot of it broadcast that would just be wasting your wireless bandwidth since your wireless is not isolated to wireless segment and you have 19 active devices from your arp on your network. You got your clients asking for renews every 30 minutes.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1363345973' post='595578886']
You forgot the five 9s on you 99 ;)
[/quote]
?

[quote name='BudMan' timestamp='1363345973' post='595578886']
Welll I can tell right off why you might have issues with your network, your using the gateway as DNS. As I mentioned before in AD, you ONLY talk to AD dns -- your zyxel has not a clue to your AD structure, he might be able to resolve google.com for you -- but he sure and the hell can not resolve your AD domain entries. You point to your DC, your DC forwards queries he does not have the answer to your isp or googledns, or opendns, etc.
[/quote]
OK so then what should I chance?

[quote name='BudMan' timestamp='1363345973' post='595578886']
Another issue I see, why is your dhcp lease only 1 hour??
[/quote]
Could this be a DC setting (since we have come to the conclusion that it is the DHCP server as well)>


[quote name='BudMan' timestamp='1363345973' post='595578886']
Is this your machine - why is vmware interfaces on it? Looks like you have ipv6 still enabled - you using that? Doubt it, so just other **** that can cause problem your network.
[/quote]
Yes, I use VMWare on this machine and it is my machine. Noone is using IPv6 nor is there intrest.

[quote name='BudMan' timestamp='1363345973' post='595578886']
I personally would do some clean up on your boxes and disable ipv6 if your not using it. Purely from a security aspect you don't run protocols you don't need! Simple fix to disable via a reg entry

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

If your going to run ipv6 on your network, then set it up.. Your clents don't need a 6to4 interface, they don't need teredo interface..
[/quote]
Is disabling really a necceary step? AFAIK, all common Windows 7 installations come with IPv6 installed and enabled. The only way I would disabled it is via GP.

[quote name='BudMan' timestamp='1363345973' post='595578886']
Your network hardware is prob not the problem, your problem when you say your rebooting everything might be as simple as your clients are not pointing to ONLY AD for dns.. And or your dhcp server craps, and your clients lease expire in 1 hour so then everyone would be dead in the water.

And if everyone has ipv6 enabled but not using it - bunch of again unnecessary traffic flowing, a lot of it broadcast that would just be wasting your wireless bandwidth since your wireless is not isolated to wireless segment and you have 19 active devices from your arp on your network. You got your clients asking for renews every 30 minutes.
[/quote]
No IPv6 what so ever.

Share this post


Link to post
Share on other sites
  • 0

Posted

In your dhcp server on the DC, remove 192.168.100.100 as dns! And change the lease to something more realistic -- like 1 day or 4 days.. Not ever freaking hour, that means your clients are asking for renewal every 30 minutes - why?

192.168.100.100 your zyxel doesn't have a clue about any of your AD dns records.

So if you have no desire for IPv6 - then disable it! I gave you the simple reg key to disable it. If you want to enable it again, just remove the reg key.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1363396636' post='595580256']
In your dhcp server on the DC, remove 192.168.100.100 as dns! And change the lease to something more realistic -- like 1 day or 4 days.. Not ever freaking hour, that means your clients are asking for renewal every 30 minutes - why?
[/quote]
OK, Ill remove any entries on the DHCP server on the DC relating to 192.168.100.100 being the DNS. Ill change the renewal to 1 day.


[quote name='BudMan' timestamp='1363396636' post='595580256']
So if you have no desire for IPv6 - then disable it! I gave you the simple reg key to disable it. If you want to enable it again, just remove the reg key.
[/quote]
My doubt was that every Windows 7 installation by default has IPv6 enabled so meaning a lot of small office networks have IPv6 enabled and are running just fine. Also, that registry modification, would I have to do it to EVERY computer in the office or can I force it via GP?

Share this post


Link to post
Share on other sites
  • 0

Posted

Not saying it wont work - I am saying what you would do if you set it up correctly ;)

I am quite sure most small offices have it enabled yes, doesn't make it right.. If you do not use a protocol, then that protocol should not be enabled - this is security 101. And from a performance and clean up perspective - why do you want or need unused traffic on your network. If ipv6 is enabled its going to be generating traffic. And since your not using it, is completely useless.

As to deployment of a registry key via gp - sure here
[url="https://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx?Redirected=true"]https://blogs.techne...Redirected=true[/url]

Here is another method of doing it via gp
[url="https://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx"]https://social.techn...oup-policy.aspx[/url]

If you don't want to disable it - then correctly set it up, not leave the freaking mess MS enables from the git go.. Teredo, 6to4 and isatap - I run it in my home network, but is is correctly configured to be used and remove the teredo, isatap and 6to4 nonsense since there is no use for those.

[attachment=329762:ipv6output.png]

You notice my ipconfig /all output only list my actual nic, not the teredo, 6to4 and isatap and notice actually work on ipv6.. You boxes have all that stuff enabled sending out noise on your network for what? Can you even ping ipv6.google.com ?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1363437313' post='595580862']
Not saying it wont work - I am saying what you would do if you set it up correctly ;)
[/quote]
Im trying to just get things working in general; Not really looking for efficiency.

[quote name='BudMan' timestamp='1363437313' post='595580862']
I am quite sure most small offices have it enabled yes, doesn't make it right.. If you do not use a protocol, then that protocol should not be enabled - this is security 101.
[/quote]
BudMan, I understand this is a security issue but this is not my focus right now.

[quote name='BudMan' timestamp='1363437313' post='595580862']
And from a performance and clean up perspective - why do you want or need unused traffic on your network. If ipv6 is enabled its going to be generating traffic. And since your not using it, is completely useless.

As to deployment of a registry key via gp - sure here
[url="https://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx?Redirected=true"]https://blogs.techne...Redirected=true[/url]

Here is another method of doing it via gp
[url="https://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx"]https://social.techn...oup-policy.aspx[/url]

If you don't want to disable it - then correctly set it up, not leave the freaking mess MS enables from the git go.. Teredo, 6to4 and isatap - I run it in my home network, but is is correctly configured to be used and remove the teredo, isatap and 6to4 nonsense since there is no use for those.

[attachment=329762:ipv6output.png]

You notice my ipconfig /all output only list my actual nic, not the teredo, 6to4 and isatap and notice actually work on ipv6.. You boxes have all that stuff enabled sending out noise on your network for what? Can you even ping ipv6.google.com ?
[/quote]
I still dont really understand that IPv6 generates SO MUCH traffic to it be a performance issue....


Anyways, my office wants to change the firewall ASAP. Like I said, pfSense is going to take me up some time as I do NOT have to time to set it up correctly (besides networking, I do a lot of other stuff here so....). I just need a good firewall.

Thanks to all helping

Share this post


Link to post
Share on other sites
  • 0

Posted

pfsense takes all of about 10 minutes to setup from a BARE box! It will be working config after it gets an IP from your wan, and you give it an IP on its lan. It will have the same default rules as any off the shelf soho router.

It will allow ALL traffic outbound from the lan segment, and BLOCK all unsolicated traffic inbound. It will have dhcp server and dnsmasq running after you run through the setup.. Again if you are dicking with it more than 20 minutes your doing it wrong ;)

There really is not much to configure for a standard setup.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1363624822' post='595584546']
pfsense takes all of about 10 minutes to setup from a BARE box! It will be working config after it gets an IP from your wan, and you give it an IP on its lan. It will have the same default rules as any off the shelf soho router.

It will allow ALL traffic outbound from the lan segment, and BLOCK all unsolicated traffic inbound. It will have dhcp server and dnsmasq running after you run through the setup.. Again if you are dicking with it more than 20 minutes your doing it wrong ;)

There really is not much to configure for a standard setup.
[/quote]
We are crossing threads here (this is about the network setup and the other is about a firewall only) but....

Example of me trying to set up pfSense quickly (I problably did something wrong but).

I booted a LiveUSB of pfSense and did the default config: Unplugged all my network cables. When the time came, I choose autodetection and plugged one of my network cards to a switch with internet conectivity. It detected it as WAN. Next, I choose autodetection and plugged in my other network card into a standalone switch (only the pfSense was plugged in). The WAN side got a local DHCP IP, the LAN got the standard 192.168.1.1 Next, I plugged in my PC to that standalone switch, changed the IP on my PC to 192.168.1.23, subnet /24 and gateway 192.168.1.1

I could not access thru my web browser or ping 192.168.1.1 If I spent 5 minutes configuring that, I cannot simply take time to troubleshoot where the problem is. I need some that just works :) I know many do no understand that but....

Tommorow Ill try the lan side only...

Share this post


Link to post
Share on other sites
  • 0

Posted

OK, done doing 0.000000001% of redoing the existing network. We are getting a ZyXEL ZyWALL USG 50 in about two days.

Share this post


Link to post
Share on other sites
  • 0

Posted

Well obvious questions are obvious....

1: How do I open ports? Tried doing it thru firewall but nothing
2: How do I port forward?


I searched and a thread came up but and did it but it doesnt seem to work

Share this post


Link to post
Share on other sites
  • 0

Posted

yes it is done in the firewall rules. You need to create a wan to lan or a wan to any rule and allow the ports to transverse to a specific ip within your network.

this is a 20 but it is a similar interface.

http://www.youtube.com/watch?v=MKHSWR759n0

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='pes2013' timestamp='1363874860' post='595590262']
OK, done doing 0.000000001% of redoing the existing network. We are getting a ZyXEL ZyWALL USG 50 in about two days.
[/quote]

Did zyxel fix their throughput issues? We had a zyxel firewall lthat got nowhere near their advertised through put. Even their tech support gave up on helping us. That's why we switched to pfsense.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1364295882' post='595598576'] yes it is done in the firewall rules. You need to create a wan to lan or a wan to any rule and allow the ports to transverse to a specific ip within your network. this is a 20 but it is a similar interface. http://www.youtube.com/watch?v=MKHSWR759n0 [/quote]

I can confirm you that does NOT work. Using web tools (check my port sites) and actually trying to connect thru that port does not allow me.

Share this post


Link to post
Share on other sites
  • 0

Posted

call zyxel, you should have support with your device.

from the post from where this video came from.
"simply change the IPv4 Destination from "any" To the IP address of the end devices IP address. And then your done."

Share this post


Link to post
Share on other sites
  • 0

Posted

Nope, no phone support from ZyXEL and like I mentioned, the video is incorrect.

I finally got it to work by tinkering around.

Share this post


Link to post
Share on other sites
  • 0

Posted

I was going to disable IPv6 thru GP but reading, this came up:

[url="http://msmvps.com/blogs/acefekay/archive/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6.aspx"]http://msmvps.com/blogs/acefekay/archive/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6.aspx[/url]

[quote]Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.[/quote]
I simply from a bandwidth point of view do not see the need to diabled IPv6. From a security point of view, of course.

Share this post


Link to post
Share on other sites
  • 0

Posted

it is completely up to you. But if you ever watch packets on the network to troubleshoot network issues, having those packets that you don't need to take up space and processing power during a capture helps. I just did a 30 second capture on my laptop to troubleshoot a network issue here (we also have ipv6 enabled)...a 30 second capture created about 1.5GB of log, there was a bit of ipv6 traffic in there and if we had it disabled the file wouldn't have been as large. Unfortunately to test will take a bit of time that we don't have (small IT department with a ton of projects going on at the same time).

Share this post


Link to post
Share on other sites
  • 0

Posted

are you running any of those services that "need" ipv6 - if not then disable it. From a security point of view alone.. You don't run protocols your not using, period!

If you are using something that requires it, then you should be correctly enabling it on your network.. Not leaving the 3 different methods MS turns on by default. teredo, isatap and 6to4.. I doubt your using any of those, so disable them and let native ipv6 run and set it up correctly so it actually works.

What AD/Windows servers are you running - are you on 2k8? If your using 2003 server IPv6 is not even there by default and you would have to install it. So I doubt your running any services that require ipv6

And I agree with sc302, unwanted traffic on your network be it a bandwidth issue or not is noise - why would you want it there? It just makes troubleshooting any thing more cumbersome having to weed through noise. And it might not be a bandwidth issue, but sure its going to create dns queries - that most likely are going to just get forward out your wan because your AD dns can not respond... Don't you have a very small upload pipe? something like 500kbits or something.. Every packet requesting something you have no use for, is just getting in the way of packets you want to go out and get answers from.

Do you need ipx? Then why would you run it on your network, what about appletalk? If you don't need/use a protocol then it shouldn't be running on your network. But if you don't control settings on OSes and Devices that you put on your network - these protocols are most likely there as unwanted noise.

Not something you have to do right this minute, but I would put cleanup of such things on your list of things to do to make your network the best it can be. A simple GP push to disable ipv6 would remove quite a bit of noise. If you have concerns do it on a few machines first - does everything still work? If so then you have no use of it!

btw
"I finally got it to work by tinkering around."

I wince every time I hear something like this - what did you do? You need to understand what was wrong.. not just randomly trying ****.

Share this post


Link to post
Share on other sites
  • 0

Posted

Removed the router's IP from the AD's DNS list and updated the DHCP lease to 1 day. :)

[quote name='BudMan' timestamp='1364400260' post='595601478']

btw
"I finally got it to work by tinkering around."

I wince every time I hear something like this - what did you do? You need to understand what was wrong.. not just randomly trying ****.
[/quote]
Well, there was a object basically called "WAN" then any then "WAN1_PPP". I tried any as I literally wanted it to come from anywhere but that didnt work out. Later I believe I either tried WAN (which is a service group containing WAN1_PPP, WAN2_PPP etc) or WAN1_PPP. One of those as source did it so....

I want to disable/enable ping ICMP but I cant seem to set it up correctly. Hmmm.......

Also, since [b]ONCE AGAIN [/b]I am not aiming for security, Im not going to do the IPv6; Also I pointed out a article (from MS) that certain things might break so.........Im not risking it.

Ill get a ipconfig /all up on Tuesday and show you results.

Share this post


Link to post
Share on other sites
  • 0

Posted

whatever dude - removing **** your NOT using CAN NOT BREAK ANYTHING -- are you using teredo?? NO - its a tunneling protocol for ipv6 over 4, are you using isatap?(Intra-Site Automatic Tunnel Addressing Protocol) -- again a method of doing ipv6 over ipv4, not USING IT

6to4 tunnel, again NOT using it!! if you want to leave a IPv6 stack in place sure go ahead, you sure do not need these tunneling methods enabled. If you want your nic to have a local link IPv6 address, sure go for it - pointless unless your actually using ipv6.. Do your servers even have it enabled? If your running 2k3 server then NO its not.

So what do you want to do enable or disable icmp - I would guess you want to enable, because most likely out of the box its disabled.. I would have to lookup up the manual, I don't use those firewalls - did you read the manual? Which should of be step one before you even took it out of the box!!

I don't know what kind of connection you have, so I could not tell you if your PPP or not..

And again - yes its good security practice to disable protocols your not using, and its also just over all good house keeping.. But sure if you don't care if your house is a complete and utter mess then leave all your tunnels that your not using enabled and just beeping away on your network.. Pointless nonsense you could clean up with a few key strokes in your GP.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.