Redoing an existing network...



Hello

First off, I have never done a small office network before, so...

I've been asked to redo an existing network in my office, mainly because the connection to the main router fails and the firewall is pretty basic/weak.

The first thing I'll have to do is recon some of the network devices.

This is what I know 100%:

Our IP is static

The number of devices connected to the network.

There are two wireless networks

The wireless clients are MAC controlled and WEP

The other network only controls a security camera (WPA2)

There is a Windows DC

There are 2 active Linux boxes

All the physically connected devices (except the Unix boxes) are part of the domain.

The IPs are assigned via MAC addresses.

That's pretty much all I know; where should I continue from here?

Ideas I have:

A way better firewall; pfSense seems complicated, so I'm thinking Cisco or DD-WRT.

Change the wireless to WPA2

Make sure all routers (except the main) are acting as switches (as sometimes conflicts occur)

Also, since this is an office which is already running, downtime is impossible... or at most for reboots of devices.


"The wireless clients are MACed controll and WEP"

So completely open to anyone that can Google, then ;) since both are completely and utterly useless as security measures.

Yeah, so fixing that would be a good start ;)

So what are you using as your gateway to the internet now? As to pfSense being complicated??? Yeah, clearly you have never used it - it's a web GUI! Just like any other SOHO router.

So you mention "routers", so I am taking it you're double NATing on your wireless devices vs using them as just APs; yeah, I would fix that. Also, what are you using for your wired switches? How many total devices do you have? How many are wireless?

Happy to help you get the network in order, but I need some actual info to work with. Sorry, but something running DD-WRT is not really a better router for a BUSINESS setup.


Hello

~snip~

Hello back :) Now, although I cannot help you, as I have almost zero knowledge in this area, I would simply like to say: trust me, if anyone can do what you're asking, ^ he can. The man is a certifiable (oh, he's certifiable alright) genius; I've had to, from time to time, go through his old posts to find fixes for my network.

Now that's my ass-kissing done for today. BudMan, where's that $50 you promised...? :p


$50 I promised? hehehe

So here is what I would suggest now that I am not running out the door to work.

Prework

Document your current network: how it is connected, make and model numbers of the networking hardware we are working with. Do you have access to Visio? If so, it's great software for drawing your network up and documenting the details of your network. If not, you could use, say, http://www.gliffy.com/ for free.

Goals - what are the goals of the project? Fix current issues? Allow for growth? Security? Etc.?

Planning

Once you have this, you can work out the weaknesses in the current design and can propose the new design that meets your goals. We can match up the goals with what we currently have to work with to come up with a budget to accomplish the goals. Once we have a budget, or lack of one, we can work within that constraint to plan for as many of the goals as possible.

It may be possible to work with what you have to correct any design flaws; if not, we can work out the best bang for the buck to get us where we want to be. But without a clear understanding of what we have currently, it is difficult to determine the best path.

Need to understand how many current computers/devices access the network - printers, scanners? How they access the network and what services they need or you want to provide with the network.

You mention AD; what about email - how do your current clients access email? Do you host it with Exchange, some other email server on your network, or is it offsite/hosted? I would assume file sharing; do your Linux boxes access this via ftp/cifs/smb/nfs?

Do you currently do any internet content filtering? Would you want to? Is this a primary goal or just something that would be nice to do if it can fit into the budget? Once we have basic services down, we can talk about other things, like how you manage Windows machine updates/patches; do you have centrally managed antivirus? Do you want/need to provide access control lists between your devices? Say your wireless: does this need to be isolated from your work network and only allow internet access for guests? Do you need both?

Rollout

Once we have a plan that fits within the budget, we can then determine how best to roll out the new design. Be it staged in pieces, or an all-at-once uplift over a weekend. Done in steps to minimize any downtime, etc.

---

Maybe management of current services is outside scope? Are you just concerned with the network? If so, still need to understand what services are currently provided or will be, so that we can best design the network to allow for those services. Bandwidth, location of devices and servers. Is it spread out over a large area - closet switches needed? Just a core switch? What kind of wireless coverage is required, etc.

I would really suggest you start with a drawing of your current setup and an inventory of networking equipment, and we can move forward from there.


I actually replied, but for some reason it didn't go through :(

"The wireless clients are MAC controlled and WEP"

"So completely open to anyone that can Google, then ;) since both are completely and utterly useless as security measures."

"Yeah, so fixing that would be a good start ;)"

Without a doubt, that would be one of my first steps.

"So what are you using as your gateway to the internet now? As to pfSense being complicated??? Yeah, clearly you have never used it - it's a web GUI! Just like any other SOHO router."

Right now, we are using a router which is our gateway AND our firewall. pfSense looked complicated the first time I set it up.

"So you mention 'routers', so I am taking it you're double NATing on your wireless devices vs using them as just APs; yeah, I would fix that. Also, what are you using for your wired switches? How many total devices do you have? How many are wireless?"

No. One of the routers is doing NATing and the other is just a simple access point. I am not sure if they are BOTH doing NATing; I'd have to check.

"Happy to help you get the network in order, but I need some actual info to work with. Sorry, but something running DD-WRT is not really a better router for a BUSINESS setup."

Then what would be a good router/gateway? The goal here isn't really to throw money at it, because we have plenty of equipment; it's to design the network better than it already is.

"So here is what I would suggest, now that I am not running out the door to work."

"Prework"

"Document your current network: how it is connected, make and model numbers of the networking hardware we are working with. Do you have access to Visio? If so, it's great software for drawing your network up and documenting the details of your network. If not, you could use, say, http://www.gliffy.com/ for free."

I don't have Visio, so I can't diagram it; I'll probably do it manually...

"Goals - what are the goals of the project? Fix current issues? Allow for growth? Security? Etc.?"

I'd say fix current issues. I'm not a fan of securing (can't fit it in my head :p), but it's something I have to do, as one of my servers stores orders and similar...

"Planning"

"Once you have this, you can work out the weaknesses in the current design and can propose the new design that meets your goals. We can match up the goals with what we currently have to work with to come up with a budget to accomplish the goals. Once we have a budget, or lack of one, we can work within that constraint to plan for as many of the goals as possible."

"It may be possible to work with what you have to correct any design flaws; if not, we can work out the best bang for the buck to get us where we want to be. But without a clear understanding of what we have currently, it is difficult to determine the best path."

I honestly think we have enough equipment; we just have to redesign a few things :)

"Need to understand how many current computers/devices access the network - printers, scanners? How they access the network and what services they need or you want to provide with the network."

Inventory is one of the first things I want to do...

"You mention AD; what about email - how do your current clients access email? Do you host it with Exchange, some other email server on your network, or is it offsite/hosted? I would assume file sharing; do your Linux boxes access this via ftp/cifs/smb/nfs?"

Email is hosted offsite, but I wonder: would it be better that everyone fetches their email from the offsite (how it is configured) or from the AD?

"Do you currently do any internet content filtering? Would you want to? Is this a primary goal or just something that would be nice to do if it can fit into the budget?"

No interest in this.

"Once we have basic services down, we can talk about other things, like how you manage Windows machine updates/patches; do you have centrally managed antivirus? Do you want/need to provide access control lists between your devices? Say your wireless: does this need to be isolated from your work network and only allow internet access for guests? Do you need both?"

Right now, updates/patches are DISABLED domain-wide: the AD does not receive them, nor does it distribute them. Central antivirus would be interesting depending on cost (we have individual and right now I count... 9 PCs... using Norton).

"Rollout"

"Once we have a plan that fits within the budget, we can then determine how best to roll out the new design. Be it staged in pieces, or an all-at-once uplift over a weekend. Done in steps to minimize any downtime, etc."

I have no doubt that the best time would be Friday (fewer people) and in one day. I say one day because I don't work on Saturdays, nor would I get paid if I come.

"Maybe management of current services is outside scope? Are you just concerned with the network? If so, still need to understand what services are currently provided or will be, so that we can best design the network to allow for those services. Bandwidth, location of devices and servers. Is it spread out over a large area - closet switches needed? Just a core switch? What kind of wireless coverage is required, etc."

"I would really suggest you start with a drawing of your current setup and an inventory of networking equipment, and we can move forward from there."

My main goal is to design the network better so it works better, because our main router currently is failing every, what, 24 hours? That is not only unacceptable, but it affects my server. We plan to get a secondary line just for it.

For some reason the quote system doesn't work right, so I had to post it unquoted. Sorry.


On the wireless:

WPA2 - use a strong key

use MAC filtering

don't broadcast the SSID.

if at all possible, narrow the bands you'll be using

A and N use the 5GHz band

B, G, N use the 2.4GHz band <- B, G

On the routing... you might want to check if you already have access to IPv6. This might be the time to have to upgrade or discard devices. IPv6 adds routing speed due to fixed header lengths and bypasses having NAT entirely. Bad news: all your devices' IP addresses will be front-facing the internet.

B and G devices are extremely common, and N is catching up.

A is almost non-existent and slow today.

Try to make your network a pure N network, making it fully incompatible with a multitude of older devices.


"On the wireless:"

"WPA2 - use a strong key"

"use MAC filtering"

"don't broadcast the SSID."

I'll have one of the networks like this, except SSID broadcasting; people who are not tech-oriented use that network for internet access and I would have to configure their phones myself.

"if at all possible, narrow the bands you'll be using"

"A and N use the 5GHz band"

"B, G, N use the 2.4GHz band <- B, G"

We will be using G for compatibility reasons on the 2.4GHz network. No reason at all to update to N/5GHz, plus none of our current routers support it.

"On the routing... you might want to check if you already have access to IPv6. This might be the time to have to upgrade or discard devices. IPv6 adds routing speed due to fixed header lengths"

Currently, this does not bring anything to our network, as this is a small office network.

"Try to make your network a pure N network, making it fully incompatible with a multitude of older devices."

...and who says we don't have older devices?


"That wasn't my suggestion. I personally do not like it either. Does nothing, as people can sniff it out anyway."

True, it's easy enough to sniff the packets... but then again, wireless security is rarely any more secure than a cheap Masterlock. It's there to keep out the honest and lazy by making it inconvenient.

"...and who says we don't have older devices?"

As I said, wireless security is all about inconvenience.


If this is the sort of info you're going to give, might as well stop now.

"Right now, we are using a router which is our gateway AND our firewall"

Come on - what is the make and model?? Is it really that hard? Is it a WRT54G or a Cisco ASA 5500?

As to drawing it out manually?? What are you going to use, Paint? Or are you going to sketch on paper and then scan it? So use Gliffy - it's free and you can draw up network info in a few minutes that everyone can read, and we can even share it and edit together, etc.

Here was an OLD drawing from when I was helping uplift work an issue; this was the start of documentation of his network. Something like this is going to be much easier to work with than a hand-drawn thing.

[attachment: post-14624-0-51657000-1363006186.png]

As to not caring about wireless - yeah, again wrong attitude; it's prob your weak spot and what is causing you grief. Using home routers, prob even double NATing vs actual business-type gear. Let's get some DETAILS and this drawing.


"If this is the sort of info you're going to give, might as well stop now."

"'Right now, we are using a router which is our gateway AND our firewall'"

"Come on - what is the make and model?? Is it really that hard? Is it a WRT54G or a Cisco ASA 5500?"

Well, I initially wanted to just post the situation. Like I mentioned, I have to do inventory, which is where I will write down all the TCP/IP equipment with their make/model numbers.

"As to not caring about wireless - yeah, again wrong attitude; it's prob your weak spot and what is causing you grief. Using home routers, prob even double NATing vs actual business-type gear. Let's get some DETAILS and this drawing."

Wireless is what is least used here. Only our phones (on one access point) and a wireless camera (on another access point) use it. Nothing else. That is why I don't really care about it.

OK, BudMan, got you the main rack's equipment models... The rest is pretty much dumb switches AFAIK.

TP-Link TD-W8951ND - This is our modem. I am supposing it is in bridge mode with...

ZyXEL ZyWALL 10 - Our firewall. This is acting as our gateway.

D-Link DGS-1016D

D-Link DGS-1100-24 - These two basically move all the network traffic.

Panasonic KX-NCP500XNE - No idea what this device does, but I imagine it controls our analog land lines so we can transfer calls between internal phones.

More:

D-Link DIR-600 - This is the access point for the wireless camera. Has everything disabled (NAT/DHCP/etc.)

Senao SL3054CB3 PLUS DELUXE - Looks like a wireless extender. No idea if for our network or the cam's.

Panasonic KX-NCP0158CE - Similar to the Panasonic KX-NCP500XNE; I think this is the main point and the Panasonic KX-NCP500XNE is the switch for it. No idea.

I'll make the PC inventory a bit later. The Windows PCs are all part of the domain.


Ok, this http://www.tp-link.com/en/products/details/?model=TD-W8951ND is an ADSL2+ modem/router, i.e. a gateway-type device. I would double-check that it's in bridge mode. If I had to guess, it's doing NAT. Is the wireless of this device being used?

So can we verify the full model number on your ZyXEL? I cannot seem to find any manuals for it; a quick Google shows some reviews and such - but they are from 2002? Is that right? If your device is from 2002... I would put it first on the list as needing a refresh!! If it is from 2002, even if fully functional - what would happen on failure, what is the backup plan? Does it have a support contract on it? Response time? I would also be concerned with it even being able to handle your internet connection. There have been some real increases in performance since 2002, and in internet speeds ;)

As to the DIR-600, AP tied/plugged into what, one of your switches, the W8951ND? If you're not isolating your networks via NAT, segment/VLAN, then anyone on your network could access this camera. So not clear on why WPA2 for that and just WEP for your other wireless? How your wireless ties into your network should be of major concern!! Really it should, because if it's not isolated from your wired network, anyone accessing the wireless has full access into your network. I would really move this up your list of concerns. If not of required use, then SHUT it down until you can correctly secure it or isolate it from your other systems.

So your 1016D is just a dumb gig switch, but your 1100-24 is a smart switch, so it does have some features like bandwidth control, VLANs, QoS, etc. So I would hope this is the core switch and then your 1016D is just an access switch - maybe in a closet somewhere - but sounds like in the same rack? So do you have any other switches anywhere else in the building, or just these 2 that everything is connected to?

As to the KX-NCP500XNE, yeah that is a phone system; are you only analog phones or are you doing VoIP/SIP? If doing VoIP, is that traffic isolated from your other network traffic? That could be an issue - need to see the drawing of how this ties into the network. As to the Panasonic KX-NCP0158CE, it shows as an 8 Channel IP DECT Cell Station (VoIP) - again, how is this tied into the network, is this traffic isolated?

As to the SL3054CB3, yeah that could be an AP, a bridge or a repeater - so really need to understand how that is configured and connected into your network as well.

This is a start; we got some model numbers now, and know some of the technology we are working with. Now need to just get some details of how everything is connected, IP space, VLANs? Double NAT on that W8951ND to your ZyXEL??

I am concerned with running VoIP traffic over your normal network, and concerned with unsecured wireless (WEP) that has access to your network.


Ok - took a few minutes during a boring work call to start a drawing. Not sure how this is all connected yet, but these are the devices we know about.

This is why I would like to use something like Gliffy vs you scratching out something on paper. We can edit, have revisions, take the current drawing and modify it on a copy for the new design, etc.

[attachment: post-14624-0-15163500-1363034976.jpg]

As you feed me info, happy to keep this updated. And we have a 30-day trial of the FULL version, so could even give you direct access to it for edits, etc.

Info I would be looking for is IPs, number of computers, servers - where these devices connect to; for example the phone stuff - really worried about running this bandwidth over your current switches. What is the DHCP server? DNS? Is that handled by the ZyXEL? What's its IP? What is the network in use?


"Ok, this http://www.tp-link.com/en/products/details/?model=TD-W8951ND is an ADSL2+ modem/router, i.e. a gateway-type device. I would double-check that it's in bridge mode. If I had to guess, it's doing NAT. Is the wireless of this device being used?"

Yup, it is in bridge mode. The reason is that I cannot access it directly through an IP, AFAIK. And no, the wireless of this device is not being used.

"So can we verify the full model number on your ZyXEL? I cannot seem to find any manuals for it; a quick Google shows some reviews and such - but they are from 2002? Is that right? If your device is from 2002... I would put it first on the list as needing a refresh!! If it is from 2002, even if fully functional - what would happen on failure, what is the backup plan? Does it have a support contract on it? Response time? I would also be concerned with it even being able to handle your internet connection. There have been some real increases in performance since 2002, and in internet speeds ;)"

I can confirm, just using this:

ftp://ftp.zyxel.fi/ZyWALL_10/quick_start_guide/ZyWALL%2010_1.pdf

http://www.zyxel.com/news/press_room_20101207_709994.shtml

Being old, as you commented, I can't really find it on the site. I reconfirm that this is our main router, so to speak.

"As to the DIR-600, AP tied/plugged into what, one of your switches, the W8951ND? If you're not isolating your networks via NAT, segment/VLAN, then anyone on your network could access this camera. So not clear on why WPA2 for that and just WEP for your other wireless? How your wireless ties into your network should be of major concern!! Really it should, because if it's not isolated from your wired network, anyone accessing the wireless has full access into your network. I would really move this up your list of concerns. If not of required use, then SHUT it down until you can correctly secure it or isolate it from your other systems."

Yes, anyone can access this camera. This is not a problem and/or limitation.

"So your 1016D is just a dumb gig switch, but your 1100-24 is a smart switch, so it does have some features like bandwidth control, VLANs, QoS, etc. So I would hope this is the core switch and then your 1016D is just an access switch - maybe in a closet somewhere - but sounds like in the same rack? So do you have any other switches anywhere else in the building, or just these 2 that everything is connected to?"

Yes, they are in the same rack. I don't know if it's the main or not, but I can confirm that it is as it came "out-of-the-box"; e.g., no configuration was made to this switch. Simply plugged in and that's it. If so, it would act as a normal switch, correct?

Building? Floor :p It's a small office; probably from one corner of the room to the other there are, what, 20 steps max? And no, as far as I know, those are the only two switches. There are wall Ethernet ports (normal, not PoE).

"As to the KX-NCP500XNE, yeah that is a phone system; are you only analog phones or are you doing VoIP/SIP? If doing VoIP, is that traffic isolated from your other network traffic? That could be an issue - need to see the drawing of how this ties into the network. As to the Panasonic KX-NCP0158CE, it shows as an 8 Channel IP DECT Cell Station (VoIP) - again, how is this tied into the network, is this traffic isolated?"

Analog only. No VoIP/SIP.

"As to the SL3054CB3, yeah that could be an AP, a bridge or a repeater - so really need to understand how that is configured and connected into your network as well."

Upon further inspection, I can confirm that this is the AP for our main wireless network: we connect to this AP to browse the internet through our phones/tablets/etc. It is with WEP and MAC filtered. It's the same network: our network is 192.168.100.x/24.

"This is a start; we got some model numbers now, and know some of the technology we are working with. Now need to just get some details of how everything is connected, IP space, VLANs? Double NAT on that W8951ND to your ZyXEL??"

I'll have until Friday to do a true inventory, sorry :(

"Info I would be looking for is IPs, number of computers, servers - where these devices connect to; for example the phone stuff - really worried about running this bandwidth over your current switches. What is the DHCP server? DNS? Is that handled by the ZyXEL? What's its IP? What is the network in use?"

There is something that has caught my eye, and I don't really understand why this decision was made. Maybe you can clear it up: I believe the DHCP server is the ZyXEL, BUT the PCs on the domain are assigned their IP via MAC address by the DC. Why wouldn't the DC be the DHCP server?


"The reason is that I cannot access it directly thru a IP AFAIK."

What??? That does not tell you it's in bridge mode -- what IP do you have on the WAN of your ZyXEL?

Normally a DC would be the DHCP server - just look on any DHCP client and do an ipconfig /all and it will tell you the IP address of its DHCP server.

And CHECK the IP address on your ZyXEL - I doubt that gateway is in bridge mode, to be honest.


Hey pes2013!!

Listen to BudMan,

he has really good advice; he has helped me out of a jam once or twice as well. And I have been running networks since before Windows was a household name.

:)


I have been running networks since before TCP/IP ;) hehhehe - I recall when we switched from IPX/SPX to TCP/IP and had to install TCP on your Windows 3.1 boxes. Ah, the good old days ;)


"The reason is that I cannot access it directly thru a IP AFAIK."

"What??? That does not tell you it's in bridge mode -- what IP do you have on the WAN of your ZyXEL?"

On the WAN side, it's my public IP.

"Normally a DC would be the DHCP server - just look on any DHCP client and do an ipconfig /all and it will tell you the IP address of its DHCP server."

Which is the ZyXEL...

"And CHECK the IP address on your ZyXEL - I doubt that gateway is in bridge mode, to be honest."

Yes, the IP is indeed the gateway...

Guys, I know BudMan is good. You don't have to repeat it 1000 times... :)


A few things -- since I work for a company that does this every day (or at least every week), I think I can give a few pointers. The points that BudMan has made are very valid.

In general:

  • Don't be afraid to spend more on your firewall. In today's world, a firewall is very important. If you have fewer than 20 users (maybe even more), something like the Dell SonicWALL TZ 205 provides a lot of security; it even allows one to block certain groups of people (the "sales group") from things like Facebook (or to allow only certain people).
  • Plan, plan, plan. Part of this would be to prioritize what is important to get working. That is, if email, the Internet, and your access to your CRM application don't work (yet) on the new firewall, what are you going to work on first?
  • As mentioned by several people, an accurate network diagram is important, especially for getting more help from other people.

Now some specifics:

  1. Don't change anything on the DC unless absolutely required. This falls into my rule of only changing 1 thing at a time.
  2. Find out very specifically how mail is arriving at and departing your company. Is mail being filtered somewhere else and then arriving at your site?
  3. As mentioned, either the firewall or your DC is supplying the DHCP (with reserved MAC addresses). You can quickly find this out with a simple IPCONFIG /ALL run from the command prompt on anything but your server. Look in the list for the DHCP server. You may need to change your DHCP lease to 1 day (or less) a few days before the firewall change (but only if the firewall is supplying the DHCP details).
  4. How many static IP addresses do you have? Need to know this, as well as what ports are used for incoming mail, any WWW that is hosted at your location, external access to the camera, etc. Each of these needs to be programmed into the new firewall.
  5. Again, not changing too much at the same time -- don't change to a new ISP at the same time. If you are considering changing ISP, then do that 1 week before or after the new firewall install. If you change both at the same time -- and something isn't working -- then it is harder to track down the problem when too many things change.
  6. I suggest gigabit switches for all new switches. If you need PoE (Power over Ethernet) for VoIP phones or for the camera, be sure to get the appropriate switches.

If you happen to be within North Carolina (or neighboring states), let me know and we can set up an appointment.
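Both BudMan's advice ("do an ipconfig /all and it will tell you the IP address of its DHCP server") and point 3 above come down to reading one command's output on a few clients and comparing it with what the design expects. The script below is an added example, not code from anyone in this thread: it parses the text of `ipconfig /all`, reports which host is handing out leases on each DHCP-enabled adapter, and flags leases longer than a day, which is the thing to shorten before a cutover. The sample output, the adapter names, the hostname and the addresses in it are constructed for the example; only the 192.168.100.0/24 range comes from the thread, and the DC address 192.168.100.29 is assumed from the poster's screenshot description.

```python
"""Added example: find the DHCP server and lease length from `ipconfig /all` output.

Not code from the thread. Addresses, hostnames and adapter names in the
sample below are constructed; the 192.168.100.0/24 range and the DC at
192.168.100.29 are assumptions taken from the discussion.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the Windows XP / Server 2003-era ipconfig format.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS-ACCOUNTING
        Primary Dns Suffix  . . . . . . . : office.local

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.100.41
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.1
        DHCP Server . . . . . . . . . . . : 192.168.100.1
        DNS Servers . . . . . . . . . . . : 192.168.100.29
        Lease Obtained. . . . . . . . . . : Monday, March 11, 2013 8:02:11 AM
        Lease Expires . . . . . . . . . . : Thursday, March 14, 2013 8:02:11 AM

Ethernet adapter Wireless Network Connection:

        Physical Address. . . . . . . . . : 00-21-6A-7B-8C-9D
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.77
        Default Gateway . . . . . . . . . : 192.168.100.1
"""

DATE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"   # "Monday, March 11, 2013 8:02:11 AM"


@dataclass
class AdapterInfo:
    name: str
    dhcp_enabled: bool = False
    ipv4: str | None = None
    dhcp_server: str | None = None
    lease_obtained: datetime | None = None
    lease_expires: datetime | None = None

    def lease_hours(self) -> float | None:
        """Lease length in hours, or None when a timestamp is missing or unparsed."""
        if self.lease_obtained is None or self.lease_expires is None:
            return None
        return (self.lease_expires - self.lease_obtained).total_seconds() / 3600


def _parse_date(value: str) -> datetime | None:
    try:
        return datetime.strptime(value, DATE_FORMAT)
    except ValueError:          # other locales print the date differently: leave unknown
        return None


def parse_ipconfig(text: str) -> list[AdapterInfo]:
    """Split `ipconfig /all` output into one AdapterInfo per adapter section."""
    adapters: list[AdapterInfo] = []
    current: AdapterInfo | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not raw.startswith(" ") and line.endswith(":"):   # unindented "X adapter Y:" header
            current = AdapterInfo(name=line[:-1].strip())
            adapters.append(current)
            continue
        if current is None or ":" not in line:
            continue            # global lines such as "Host Name" belong to no adapter
        key, _, value = line.partition(":")
        key = key.strip(" .").lower()     # "Dhcp Enabled. . . . ." -> "dhcp enabled"
        value = value.strip()
        if key == "dhcp enabled":
            current.dhcp_enabled = value.lower() == "yes"
        elif key in ("ip address", "ipv4 address"):   # XP/2003 and Vista+ spellings
            current.ipv4 = value.replace("(Preferred)", "").strip()
        elif key == "dhcp server":
            current.dhcp_server = value
        elif key == "lease obtained":
            current.lease_obtained = _parse_date(value)
        elif key == "lease expires":
            current.lease_expires = _parse_date(value)
    return adapters


def audit_dhcp(adapters: list[AdapterInfo], dc_address: str,
               max_lease_hours: float = 24.0) -> list[str]:
    """List adapters leased by something other than the DC, and leases too long for a cutover."""
    findings: list[str] = []
    for a in adapters:
        if not a.dhcp_enabled:
            continue            # statically addressed: nothing to check here
        if a.dhcp_server != dc_address:
            findings.append(f"{a.name}: leases come from {a.dhcp_server}, not the DC ({dc_address})")
        hours = a.lease_hours()
        if hours is not None and hours > max_lease_hours:
            findings.append(f"{a.name}: lease is {hours:.0f}h; shorten to "
                            f"{max_lease_hours:.0f}h or less before the cutover")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp(parse_ipconfig(SAMPLE_IPCONFIG), dc_address="192.168.100.29"):
        print(finding)
```

On a real client, replace `SAMPLE_IPCONFIG` with the captured output of `ipconfig /all` (for example via `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`); the date parser expects the English date format and reports the lease as unknown rather than failing on other locales.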


I remember running network cables when it had to be coax. You had to run two coax cables in and out of every office. Two coax wires went to the back of each machine, attached by a T connector that plugged into the NIC with a BNC connector. The entire network was run like that until at the last end you had to have a terminating BNC connector.

It was a big hassle to run network cable like that and still make it look neat in an office. And we were just hooking DOS-based machines to a Novell network to run some client-server money factoring software that my dad wrote. Now the company that he has built out of that is huge. http://www.factorsoft.com/ and I don't work there anymore.


"Why wouldnt the DC the DHCP server?"

"BUT the PCS on the domain, are assigned their IP via MAC address by the DC"

So you're saying the DHCP server is the ZyXEL - but then you say the IPs are assigned via MAC by the DC -- so you're mistaken there somewhere.

I agree; in AD, there would be NO reason for the DC not to be the DHCP server. And actually it should be, since it helps in identification of members being registered in DNS, etc.


"Why wouldnt the DC the DHCP server?"

"BUT the PCS on the domain, are assigned their IP via MAC address by the DC"

"So you're saying the DHCP server is the ZyXEL - but then you say the IPs are assigned via MAC by the DC -- so you're mistaken there somewhere."

Even if it is incorrect, is it possible?

I just want to show you proof; you can see there that the DHCP server is NOT enabled in the ZyXEL:

[attachment: zywel.png]

Out of those addresses, the x.x.x.60 is nothing on my network (ping doesn't reply) and the x.x.x.29 is the DC.

"I agree; in AD, there would be NO reason for the DC not to be the DHCP server. And actually it should be, since it helps in identification of members being registered in DNS, etc."

Then another step would be that: make the DC the DHCP server. I've played around with it but have never done it in a production system, but I imagine it wouldn't be hard...

We are working with Windows Small Business Server 2003 as the DC; just so you know, BudMan :)
