
Redoing an existing network....


59 replies to this topic

#16 #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 11 March 2013 - 21:35

Not that I want to take away from this at all, but gliffy is a really neat product. I am going to have to try it out on my next project.


#17 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 13 March 2013 - 08:22

OK, this http://www.tp-link.c...odel=TD-W8951ND is an ADSL2+ modem/router, i.e. a gateway-type device. I would double-check that it's in bridge mode. If I had to guess, it's doing NAT. Is the wireless of this device being used?


Yup, it is in bridge mode. The reason is that I cannot access it directly through an IP, AFAIK. And no, the wireless of this device is not being used.

So can we verify the full model number on your ZyXEL? I cannot seem to find any manuals for it; a quick Google shows some reviews and such, but they are from 2002? Is that right? If your device is from 2002, I would put it first on the list as needing a refresh!! If it is from 2002, even if fully functional: what would happen on failure, what is the backup plan? Does it have a support contract on it? Response time? I would also be concerned with it even being able to handle your internet connection. There have been some real increases in performance since 2002, and in internet speeds ;)

I can confirm it just using this:
ftp://ftp.zyxel.fi/ZyWALL_10/quick_start_guide/ZyWALL%2010_1.pdf
http://www.zyxel.com...07_709994.shtml
Being old, as you commented, I can't really find it on the site. I reconfirm that this is our main router, so to speak.


As to the DIR-600, an AP plugged into what, one of your switches, the W8951ND? If you're not isolating your networks via NAT, segment/VLAN, then anyone on your network could access this camera. So not clear on why WPA2 for that and just WEP for your other wireless? How your wireless ties into your network should be of major concern!! Really it should, because if it's not isolated from your wired network, anyone accessing the wireless has full access into your network. I would really move this up your list of concerns. If not of required use, then SHUT it down until you can correctly secure it or isolate it from your other systems.

Yes, anyone can access this camera. This is not a problem and/or limitation.

So your 1016D is just a dumb gig switch, but your 1100-24 is a smart switch, so it does have some features like bandwidth control, VLANs, QoS, etc. So I would hope this is the core switch and then your 1016D is just an access switch, maybe in a closet somewhere, but it sounds like it's in the same rack? So do you have any other switches anywhere else in the building, or just these 2 that everything is connected to?

Yes, they are in the same rack. I don't know if it's the main one or not, but I can confirm that it is as it came "out-of-the-box"; i.e., no configuration was made to this switch. Simply plugged in and that's it. If so, it would act as a normal switch, correct?

Building? Floor :p It's a small office; probably from one corner of the room to the other there are what, 20 steps max? And no, as far as I know, those are the only two switches. There are wall Ethernet ports (normal, not PoE).

As to the KX-NCP500XNE, yeah, that is a phone system. Are you using only analog phones or are you doing VoIP/SIP? If doing VoIP, is that traffic isolated from your other network traffic? That could be an issue; need to see the drawing of how this ties into the network. As to the Panasonic KX-NCP0158CE, that shows as an 8 Channel IP DECT Cell Station (VoIP); again, how is this tied into the network, is this traffic isolated?

Analog only. No VoIP/SIP.

As to the SL3054CB3, yeah, that could be an AP, a bridge or a repeater, so really need to understand how that is configured and connected into your network as well.

Upon further inspection, I can confirm that this is the AP for our main wireless network: we connect to this AP to browse the internet through our phones/tablets/etc. It is WEP with MAC filtering. It's the same network: our network is 192.168.100.x/24.

This is a start; we got some model numbers now, and know some of the technology we are working with. Now just need to get some details of how everything is connected, IP space, VLANs? Double NAT on that W8951ND to your ZyXEL??

I'll have until Friday to do a true inventory, sorry :(

Info I would be looking for is IPs, number of computers, servers, where these devices connect to; for example the phone stuff, really worried about running this bandwidth over your current switches. What is the DHCP server? DNS? Is that handled by the ZyXEL? What's its IP? What is the network in use?

There is something that has caught my eye, and I don't really understand why this decision was made. Maybe you can clear it up: I believe the DHCP server is the ZyXEL, BUT the PCs on the domain are assigned their IP via MAC address by the DC. Why wouldn't the DC be the DHCP server?

#18 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 95
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 13 March 2013 - 12:08

"The reason is that I cannot access it directly thru a IP AFAIK."

What??? That does not tell you it's in bridge mode. What IP do you have on the WAN of your ZyXEL?

Normally a DC would be the DHCP server. Just look on any DHCP client and do an ipconfig /all and it will tell you the IP address of its DHCP server.

And CHECK the IP address on your ZyXEL. I doubt that gateway is in bridge mode, to be honest.

#19 AOXOMOXOA

AOXOMOXOA

    Gratefully Deadicated

  • Joined: 11-June 02
  • Location: Seattle wa.

Posted 13 March 2013 - 21:03

Hey pes2013!!

Listen to BudMan,

he has really good advice; he has helped me out of a jam once or twice as well. And I have been running networks since before Windows was a household name.


:)

Edited by AOXOMOXOA, 13 March 2013 - 21:05.


#20 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 95
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 13 March 2013 - 21:56

I have been running networks since before TCP/IP ;) hehhehe. I recall when we switched from IPX/SPX to TCP/IP and had to install TCP on your Windows 3.1 boxes. Ah, the good old days ;)

#21 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 13 March 2013 - 23:02

"The reason is that I cannot access it directly thru a IP AFAIK."

What??? That does not tell you it's in bridge mode. What IP do you have on the WAN of your ZyXEL?

On the WAN side, its my public IP.

Normally a DC would be the DHCP server. Just look on any DHCP client and do an ipconfig /all and it will tell you the IP address of its DHCP server.

Which is the zyxel...

And CHECK the IP address on your ZyXEL. I doubt that gateway is in bridge mode, to be honest.

Yes, the IP is indeed the gateway....


Guys, I know BudMan is good. You don't have to repeat it 1000 times... :)

#22 hitchcock4

hitchcock4

    Neowinian

  • Joined: 28-June 03
  • Location: NC, USA

Posted 13 March 2013 - 23:13

A few things: since I work for a company that does this every day (or at least every week), I think I can give a few pointers. The points that BudMan has made are very valid.

In general:
  • Don't be afraid to spend more on your firewall. In today's world, a firewall is very important. If you have fewer than 20 users (maybe even more), something like the Dell SonicWALL TZ 205 provides a lot of security; it even allows one to block certain groups of people (the "sales group") from things like Facebook (or to allow only certain people).
  • Plan, plan, plan. Part of this would be to prioritize what is important to get working. That is, if email, the Internet, and your access to your CRM application don't work (yet) on the new firewall, what are you going to work on first?
  • As mentioned by several people, an accurate network diagram is important, especially for more help from other people.
Now some specifics:
  • Don't change anything on the DC unless absolutely required. This falls into my rule of only changing 1 thing at a time.
  • Find out very specifically how mail is arriving and departing your company. Is mail being filtered somewhere else and then arriving at your site?
  • As mentioned, either the firewall or your DC is supplying the DHCP (with reserved MAC addresses). You can quickly find this out with a simple IPCONFIG /ALL run from the command prompt on anything but your server. Look in the list for the DHCP server. You may need to change your DHCP lease to 1 day (or less) a few days before the firewall change (but only if the firewall is supplying the DHCP details).
  • How many static IP addresses do you have? Need to know this, as well as what ports are used for incoming mail, any WWW that is hosted at your location, external access to the camera, etc. Each of these needs to be programmed into the new firewall.
  • Again, not changing too much at the same time: don't change to a new ISP at the same time. If you are considering changing ISP, then do that 1 week before or after the new firewall install. If you change both at the same time, and something isn't working, then it is harder to track down the problem when too many things change.
  • I suggest gigabit switches for all new switches. If you need PoE (power over Ethernet) for VoIP phones or for the camera, be sure to get the appropriate switches.
If you happen to be within North Carolina (or neighboring states) let me know and we can set up an appointment.

#23 AOXOMOXOA

AOXOMOXOA

    Gratefully Deadicated

  • Joined: 11-June 02
  • Location: Seattle wa.

Posted 14 March 2013 - 01:08

I remember running network cables when it had to be coax. You had to run two coax cables in and out of every office. Two coax wires went to the back of each machine, attached by a T connector that plugged into the NIC with a BNC connector. The entire network was run like that until at the last end you had to have a terminating BNC connector.

It was a big hassle to run network cable like that and still make it look neat in an office. And we were just hooking DOS-based machines to a Novell network to run some client-server money factoring software that my dad wrote. Now the company that he has built out of that is huge. http://www.factorsoft.com/ and I don't work there anymore.

#24 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 95
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 14 March 2013 - 03:24

"Why wouldnt the DC the DHCP server?"
"BUT the PCS on the domain, are assigned their IP via MAC address by the DC"

So you're saying the DHCP server is the ZyXEL, but then you say the IPs are assigned via MAC by the DC, so you're mistaken there somewhere.

I agree: in AD, there would be NO reason for the DC not to be the DHCP server. And actually it should be, since it helps in identification of members being registered in DNS, etc.

#25 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 14 March 2013 - 09:31

"Why wouldnt the DC the DHCP server?"
"BUT the PCS on the domain, are assigned their IP via MAC address by the DC"

So you're saying the DHCP server is the ZyXEL, but then you say the IPs are assigned via MAC by the DC, so you're mistaken there somewhere.

Even if it is incorrect, is it possible?

I just want to show you proof of how you can see there that the DHCP server is NOT enabled in the ZyXEL:

[Posted image: screenshot of the ZyXEL LAN/DHCP settings page]

Out of those addresses, the x.x.x.60 is nothing on my network (ping doesn't reply) and the x.x.x.29 is the DC.


I agree: in AD, there would be NO reason for the DC not to be the DHCP server. And actually it should be, since it helps in identification of members being registered in DNS, etc.

Then another step would be that: make the DC the DHCP server. I've played around with it but have never done it in a production system, but I imagine it wouldn't be hard....

We are working with Windows Small Business Server 2003 as the DC; Just so you know BudMan :)

#26 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 14 March 2013 - 09:37

I want to repeat that part about the small office :) Someone suggested a Dell SonicWALL TZ 205, and at 1000€s that is WAY over the top.

#27 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 95
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 14 March 2013 - 11:42

Well, how does that make sense? If you show the DHCP disabled, then no, it's not your DHCP server.

Post an ipconfig /all of one of your DHCP clients. Also, you should NOT be handing out 8.8.8.8 as DNS if your boxes are members of AD. In AD, YOU ONLY point to the AD DNS - PERIOD! This DNS then forwards for unknowns.

So lets see ipconfig /all

Then ping the DHCP server listed there, and I want to see the ARP table:

arp -a, to see the MAC of that IP you're showing as DHCP server.
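As an added example (not code from any poster in this thread), the DHCP-server check hitchcock4 describes above (run ipconfig /all on a client, look for the DHCP server) and the follow-up BudMan asks for here (ping that address, then arp -a for its MAC, and make sure AD members list only AD DNS) in one script. It parses the text output of those two Windows commands; the sample output is constructed for the example. 192.168.100.29 as the DC follows the thread (x.x.x.29 on 192.168.100.x/24); the gateway at 192.168.100.1, the host name and the adapter name are assumptions.

```python
"""Added example (not code from any poster): identify which box really serves DHCP
to a Windows domain client, and whether its DNS list points only at AD DNS, by
parsing the text of `ipconfig /all` and `arp -a`. Sample output is constructed;
192.168.100.29 as the DC/AD DNS follows the thread, 192.168.100.1 as the gateway
is an assumption."""
import re
from dataclasses import dataclass, field

AD_DNS = {"192.168.100.29"}  # the DC: the only DNS server an AD member should list

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : office.local

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.51(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 192.168.100.29
                                       8.8.8.8
"""
SAMPLE_ARP = """\
Interface: 192.168.100.51 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-a0-c5-11-22-33     dynamic
  192.168.100.29        00-1e-c9-aa-bb-cc     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ADAPTER = re.compile(r"^\S.*adapter (.+):$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
CONT = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # extra DNS/gateway rows
ARP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+")


@dataclass
class ClientConfig:
    adapter: str = ""
    address: str = ""
    gateway: str = ""
    dhcp_server: str = ""
    dns_servers: list = field(default_factory=list)


def parse_ipconfig(text: str) -> ClientConfig:
    """Return the first adapter holding a DHCP lease (else the first adapter seen)."""
    adapters, cur, key = [], None, ""
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            cur = ClientConfig(adapter=m.group(1))
            adapters.append(cur)
            continue
        if cur is None:                       # header lines before the first adapter
            continue
        m = FIELD.match(line)
        if m:
            key = m.group(1).strip()
            ip = IPV4.search(m.group(2))      # drops "(Preferred)" and the like
            val = ip.group(0) if ip else ""
            if key in ("IPv4 Address", "IP Address"):   # Win7 vs. XP wording
                cur.address = val
            elif key == "Default Gateway":
                cur.gateway = val
            elif key == "DHCP Server":
                cur.dhcp_server = val
            elif key == "DNS Servers":
                cur.dns_servers = [val] if val else []
            continue
        m = CONT.match(line)                  # continuation rows carry one IP each
        if m and key == "DNS Servers":
            cur.dns_servers.append(m.group(1))
        elif m and key == "Default Gateway" and not cur.gateway:
            cur.gateway = m.group(1)
    leased = [a for a in adapters if a.dhcp_server]
    return (leased or adapters or [ClientConfig()])[0]


def parse_arp(text: str) -> dict:
    """Map IPv4 address -> MAC (lower case, dash separated) from `arp -a` output."""
    rows = (ARP_ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).lower() for m in rows if m}


def assess(cfg: ClientConfig, arp: dict, ad_dns: set = AD_DNS) -> list:
    """Plain-English findings on who serves DHCP and DNS to this client."""
    if not cfg.dhcp_server:
        return ["no DHCP server recorded on this adapter (static address or no lease)"]
    out, mac = [], arp.get(cfg.dhcp_server)
    if mac is None:
        out.append(f"DHCP server {cfg.dhcp_server} is not in the ARP cache; ping it, then rerun arp -a")
    else:
        out.append(f"DHCP server {cfg.dhcp_server} answers from MAC {mac}")
    if cfg.dhcp_server == cfg.gateway:
        out.append("DHCP is handed out by the default gateway (the router), not the DC")
    elif cfg.dhcp_server in ad_dns:
        out.append("DHCP is handed out by the DC")
    elif mac and mac == arp.get(cfg.gateway):
        out.append("DHCP server shares the gateway's MAC: same box answering on a second address")
    for ip in cfg.dns_servers:
        if ip not in ad_dns:
            out.append(f"DNS server {ip} is not AD DNS; AD members should list only the DC, which forwards unknowns")
    if not any(ip in ad_dns for ip in cfg.dns_servers):
        out.append("no AD DNS server listed at all; domain name resolution will break")
    return out


if __name__ == "__main__":   # paste real `ipconfig /all` / `arp -a` output in place of the samples
    cfg, arp = parse_ipconfig(SAMPLE_IPCONFIG), parse_arp(SAMPLE_ARP)
    print(f"{cfg.adapter}: {cfg.address}, gateway {cfg.gateway}")
    for finding in assess(cfg, arp):
        print(" -", finding)
```

Run it on the client itself with the real ipconfig /all and arp -a output pasted in place of the two samples. The ARP lookup only works if the client has talked to the DHCP server recently, which is why the address gets pinged first. Comparing the DHCP server's MAC with the gateway's MAC tells you whether the lease really came from the router, whatever its admin page shows; the 8.8.8.8 finding is the DNS problem raised in this post.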

#28 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 14 March 2013 - 12:41

I want to repeat that part about the small office :) Someone suggested a Dell SonicWALL TZ 205, and at 1000€s that is WAY over the top.

You don't need a firewall-class router. Your router with NAT firewall will be fine.

You have enough help without me muddying it up, I am just watching.

#29 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 95
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 14 March 2013 - 13:57

If you only have like 20-30 users, I would probably say the
ZyWALL USG 200/100/50/20W/20

line is good. If you want VPN access for your users, probably go with the 50 or 100 model; if not, then the 20 will probably work. Think that only runs about $150, so more in your ballpark? And then probably replace your wireless stuff with ZyXEL APs as well.

Let's get some numbers of devices and how everything is connected. I don't buy that your ZyXEL is the DHCP server, even when it shows disabled. And you put that wireless gateway in front of your firewall in bridge mode, so the wireless is disabled? You posted a screenshot of your ZyXEL LAN and DHCP server; could you post the WAN side of that? You can black out the last couple of octets.

Why would you be using an ADSL wireless gateway just to put it into bridge mode?

Also, in sizing your firewall uplift, how much is your current bandwidth from your ISP?

#30 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 14 March 2013 - 21:47

Well, how does that make sense? If you show the DHCP disabled, then no, it's not your DHCP server.

Post an ipconfig /all of one of your DHCP clients. Also, you should NOT be handing out 8.8.8.8 as DNS if your boxes are members of AD. In AD, YOU ONLY point to the AD DNS - PERIOD! This DNS then forwards for unknowns.

Please remember, BudMan, I did NOT build this network, neither from scratch nor from anything; this is the first time they have asked me to look at it. My primary DNS address is the AD.

So lets see ipconfig /all

Then ping the DHCP server listed there, and I want to see the ARP table:

arp -a, to see the MAC of that IP you're showing as DHCP server.

OK, I'll get you that information tomorrow. Like I said, I think (I have a big plate of TODO on my list) I can get you an equipment inventory. Do you need EXACT things, or for standard PCs will a "desktop PC" be enough?

If you only have like 20-30 users, I would probably say the
ZyWALL USG 200/100/50/20W/20

line is good. If you want VPN access for your users, probably go with the 50 or 100 model; if not, then the 20 will probably work. Think that only runs about $150, so more in your ballpark? And then probably replace your wireless stuff with ZyXEL APs as well.

Let's get some numbers of devices and how everything is connected. I don't buy that your ZyXEL is the DHCP server, even when it shows disabled. And you put that wireless gateway in front of your firewall in bridge mode, so the wireless is disabled? You posted a screenshot of your ZyXEL LAN and DHCP server; could you post the WAN side of that? You can black out the last couple of octets.

Why would you be using an ADSL wireless gateway just to put it into bridge mode?

Also, in sizing your firewall uplift, how much is your current bandwidth from your ISP?

We are about 10 in the office (on some days, fewer than 5), no outbound connections coming in.

I'll reread your post tomorrow to get you the ARP tables and screenshots you asked for.

BTW, we can do with anything; it doesn't have to be ZyXEL. I prefer a good Cisco even if it's a bit more expensive. OpenVPN server capability would be interesting, although not a deal breaker.