
Help with network layout

Solved by Falconevo

Hi, I work in IT in a small office and I'm really a newb at this. But because it is a really small office, with my help their setup improved quite a bit (it was all WiFi before), however not as much as I would have intended (I'm guessing there is some bottlenecking).

All PCs in the network have to hit the Server in order to access Word files and the server does some management. All wired connections are gigabit but speed is not the issue here. The problem is reliability: sometimes the network hangs when doing, let's say, internet browsing or accessing a file on the Server, and if I try to access the router at those times it will not respond. My main guess is that the router just doesn't cut it; it's a cheapo TP-Link running DD-WRT.

I was thinking of getting another router or maybe turning off WiFi and running the printers wired (it would suck because we need those printers shared and PC-agnostic).

Well, here is the graph; it's the first time I do something like this so please tell me if I'm completely wrong :D. Thanks in advance!

 

Network Diagram Office.png

 

 

 

 


I'd get a new router and WiFi.

For your use I'd get something like an EdgeRouter and a few UniFi AP AC Lites; it's about 250 for 2 APs and a router.

 

For printers you can use a small pc running Linux or Windows server to act as a printer server. 


Well first off, you are probably double NAT'd if that is a router between the firewall and the rest of your network. 

 

What does the ADSL router do? Are you intending to have a standalone firewall as indicated on the drawing?

 

How do the printers function on the network now? If they have built in print servers, their connection type doesn't matter. 


On 11/12/2016 at 3:00 PM, U.Ho said:

What firewall is this?

Why not go like this?

 

 

Capture.PNG

 

Ignore the firewall, it's just a default template I forgot to remove.

I thought about that but then the modem would be the one doing the routing and that would suck. Correct me if I'm wrong though


To do this properly, you need to have something a little better than a TP-Link shitbox. In my opinion the easiest for you here would be pfSense, simply because (no disrespect intended) you are unlikely to have the expertise to configure a Cisco or command-line-based firewall.

PfSense - https://pfsense.org/

You can simply use an old PC with sufficient network interfaces to accomplish this task. For what you are doing it doesn't even need to be anything of high specification. I have attached an image to make this look a little easier on the eye; bear in mind this was done in Paint and I'm not an MSPaint god.

The ADSL modem should be able to provide a PPPoA or PPPoE bridge to allow the public address to be routed to a firewall/gateway appliance. This allows the firewall to take care of the NAT (Network Address Translation) and prevents a double NAT scenario, which is just a pain when it comes to networking environments.

ADSL Modem (Bridge Mode) >> pfSense WAN port (this provides the external WAN connection)

pfSense LAN port (second network interface in the machine) >> Internal Switches >> Business Client Devices

pfSense OPT1 port (third network interface in the machine) >> Wireless AP >> Guest WiFi clients

You can create firewall rules between interfaces to prevent Guest WiFi users accessing the internal network of your business and vice versa. Some things to be aware of for security reasons when providing WiFi to 'Guest' users: assume everyone is a bellend and wants to break in to your network or disrupt it. By doing what you currently have, you have left a wide open access route for Guest users to attack the internal business network. I could roll up outside your offices, get my laptop in range of your Guest WiFi and cause havoc; I won't do that, but bear in mind that someone could.

So, we need to separate the Guest WiFi onto its own interface and subnet, and give it traffic shaping to prevent the guest members from affecting normal business operations. You don't want someone on your guest network crippling the internet because they are downloading 40MB GIF images of cats from imgur. You will also need to make sure the AP supports isolation mode to prevent each Guest user from seeing another Guest user's device on the WiFi network; this is pretty common these days and is found on 90% of access points from reputable vendors.

I would be happy to help give you some pointers on how to set up pfSense, what firewall rules you would likely need and an overview of how to navigate around the interface. It is a community project at the end of the day.

This would give you the feature set of an enterprise-grade firewall; whether you use those features or not is up to you. Think for the future: you may need to traffic shape, add additional redundant ADSL connections, etc., the list goes on. If you do this now, you can have a feature set on the firewall/edge device which is future-proof.

 

pfSense Fw.png

Please quote or tag me if you need a reply
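The three-interface layout described in the post above, written out as a pf ruleset. This is an added example, not code from the thread or from the pfSense project: pfSense generates rules of this shape from what you enter under Firewall > Rules, and the interface names (em0/em1/em2), the 192.168.1.0/24 business subnet, the 192.168.50.0/24 guest subnet and the 192.168.50.1 guest gateway address are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Interface names and subnets are assumed.
wan   = "em0"     # ADSL modem in bridge mode, PPPoE terminates here
lan   = "em1"     # business LAN
guest = "em2"     # OPT1: wireless AP for guests

lan_net   = "192.168.1.0/24"
guest_net = "192.168.50.0/24"
guest_gw  = "192.168.50.1"   # pfSense's own address on the guest interface

# Every private range; blocking these from the guest side covers the
# business LAN whatever addressing it uses later.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT on WAN for both internal networks (pfSense's automatic
# outbound NAT does the same thing).
nat on $wan from { $lan_net, $guest_net } to any -> ($wan)

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# --- Guest interface: rules apply to traffic ENTERING em2, first match wins ---
# 1. Guests may obtain an address from pfSense (DHCP)...
pass in quick on $guest proto udp from any port 68 to any port 67
# 2. ...and resolve names against pfSense's resolver.
pass in quick on $guest proto { tcp, udp } from $guest_net to $guest_gw port 53
# 3. Nothing else may reach the firewall itself (web GUI, SSH, etc.).
block in quick on $guest from $guest_net to $guest_gw
# 4. Nothing may reach any private range, which includes the business LAN.
block in quick on $guest from $guest_net to <rfc1918>
# 5. Whatever is left is Internet-bound: allow it.
pass in quick on $guest from $guest_net to any

# --- LAN interface: the business side never needs to talk to guests ---
block in quick on $lan from $lan_net to $guest_net
pass in quick on $lan from $lan_net to any

# Replies are matched by the state table, so outbound on any interface is open.
pass out quick all keep state
```

Rules are evaluated on the interface where traffic enters and the first rule with `quick` that matches wins, so the order on the guest interface matters: the narrow passes to the firewall itself (DHCP, DNS) go first, then the blocks for the firewall address and every RFC 1918 range, then the catch-all pass for Internet-bound traffic. Put the catch-all first and the blocks never match. In the pfSense GUI the DHCP pass rule is added for you when the DHCP server is enabled on OPT1, so only the DNS, block and catch-all rules need creating by hand. The bandwidth limit mentioned in the post is a separate step (Firewall > Traffic Shaper > Limiters, attached to the same guest pass rule), and client isolation between guest devices is configured on the access point, not on pfSense.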


On 11/12/2016 at 0:41 PM, beavo451 said:

Well first off, you are probably double NAT'd if that is a router between the firewall and the rest of your network. 

 

What does the ADSL router do? Are you intending to have a standalone firewall as indicated on the drawing?

 

How do the printers function on the network now? If they have built in print servers, their connection type doesn't matter. 

No, actually ignore the firewall thingy, I'm sorry, I forgot to remove it from the template. I would be fine with no firewall at all.

Definitely double NAT, but it's because I cannot put that ISP's modem into bridge mode, sadly.

Right now the modem-router has WiFi off and has two RJ45 outs: one goes into the guest WiFi router and the other into the DD-WRT router.

They do not have a print server built in. The print server for both is running on the server and they connect to it via WiFi.


2 minutes ago, AgusAlexander said:

Definitely double NAT, but it's because I cannot put that ISP's modem into bridge mode, sadly.

Can you add static routes to the ISP modem? If so, do the NAT on that and set up routing between that and the DD-WRT router.


5 minutes ago, AgusAlexander said:

Definitely double NAT, but it's because I cannot put that ISP's modem into bridge mode, sadly.

It's likely you can swap out that modem for a different one that supports bridging; the DSL protocol is the same for every vendor, however the vendor may use different VCI/VPI configurations for their network. They will use PPPoA or PPPoE to provide authentication via the RAS for you. It's very doubtful they have locked this down to the MAC address of the modem like a cable company would.

I would start by getting an ADSL modem capable of bridging and go from there. You can usually pick one up for £10 off eBay these days. Are you based in the UK or?


2 minutes ago, leadeater said:

Can you add static routes to the ISP modem? If so do the NAT on that and setup routing between that and the ddwrt router.

I think I can, I did that with an even crappier modem. But in what way will that improve the setup other than allowing me to forward ports and stuff? Sorry, I don't know much; I did that once in a similar double NAT scenario in order to host a Plex server and access it remotely.


Just now, Falconevo said:

It's likely you can swap out that modem for a different one that supports bridging; the DSL protocol is the same for every vendor, however the vendor may use different VCI/VPI configurations for their network.

Draytek Vigor 120 is the best and also the cheapest option I know of that supports every bridge method possible. Not all ADSL modems support PPPoE to PPPoA interception and conversion so if that is required you'll need this or something else that supports it, I do this between my Vigor 120 and FortiGate 60D.

 

I can definitely say all the Linksys ones I tried did not support half-bridge mode.


1 minute ago, AgusAlexander said:

I think I can, I did that with an even crappier modem. But in what way will that improve the setup other than allowing me to forward ports and stuff? Sorry I don't know much, I did that once in a similar double nat scenario in order to host a Plex server and access it remotely.

Not much, it only avoids double NAT; if you want a proper setup with isolation go with @Falconevo's solution you marked as the best answer.


2 minutes ago, leadeater said:

Draytek Vigor 120 is the best and also the cheapest option I know of that supports every bridge method possible. Not all ADSL modems support PPPoE to PPPoA interception and conversion so if that is required you'll need this or something else that supports it, I do this between my Vigor 120 and FortiGate 60D.

 


I use a few Huawei HG612 with custom firmware on them which do the job; they may be a little cheaper to get hold of second-hand :) They also cover off any upgrades from ADSL to VDSL in the future as the modem unit is capable of both :D. Draytek stuff is good, but rarely vendor-supplied so usually comes with a slightly bigger price tag, but has more feature support for sure.


3 hours ago, Falconevo said:

To do this properly, you need to have something a little better than a TP-Link shitbox. In my opinion the easiest for you here would be pfSense, simply because (no disrespect intended) you are unlikely to have the expertise to configure a Cisco or command-line-based firewall.

That sounds quite good, thanks a lot! Now I'll try convincing my boss that we need another PC to be used as a router; she is quite reasonable so I guess she will agree.


Just now, AgusAlexander said:

That sounds quite good, thanks a lot! Now I'll try convincing my boss that we need another PC to be used as a router; she is quite reasonable so I guess she will agree.

Give me a shout when you get to implementation, I would be happy to go through the install, setup and some general help on configuring firewall rules etc.

It's not difficult but it will be a fast learning curve; you will pick it up no problem :)

There are alternatives to pfSense, I just personally think pfSense will work best for you as it's got almost zero command-line requirements for setup.


@AgusAlexander You could also look at getting a used firewall appliance off eBay like a FortiGate 60D; they're about $200 US. I would consider this slightly better in some ways and slightly worse in others. If it were a new PC being set up with pfSense it'll have a warranty, which is better, but if both are used I would go with the firewall appliance.


9 minutes ago, Falconevo said:

I would start by getting an ADSL modem capable of bridging and go from there. You can usually pick one up for £10 off eBay these days. Are you based in the UK or?

OK I'll do the research. Nope I'm from Argentina. But I'll try eBay.


2 minutes ago, Falconevo said:

There are alternatives to pfSense, I just personally think pfSense will work best for you as it's got almost zero command-line requirements for setup.

That's nice, I always wanted to try pfsense but never had the excuse to do so. I'll tell you when I get to it, thanks man!


41 minutes ago, AgusAlexander said:

OK I'll do the research. Nope I'm from Argentina. But I'll try eBay.

I will be back at my old gaff later in the week so I will check in the loft there to see if I have any spare DSL modems that can be used for bridging. If I do I will PM you and send it over for nothing; I can even pre-configure it for the correct VCI/VPI settings if you can find this out from your current modem or from the supplier directly.

In the UK, for example, we primarily use:

VPI = 0

VCI = 38

With the exception of O2, which uses a custom config as they control their own DSLAM cards in the exchange(s):

VPI = 0

VCI = 101

 

With any luck I will have one, got loads of old shit sat in the loft gathering dust.


11 hours ago, Falconevo said:

I will be back at my old gaff later in the week so I will check in the loft there to see if I have any spare DSL modems that can be used for bridging. If I do I will PM you and send it over for nothing; I can even pre-configure it for the correct VCI/VPI settings if you can find this out from your current modem or from the supplier directly.

Don't worry about that! Seriously, you already helped me a lot! If I really can't find anything here I'll tell you, but I think my uncle had ADSL and now switched to cable, and they never asked for the modem to be returned, so I can check if that one supports bridge mode. Really, don't worry, because I don't even know if they are even compatible with our ISPs.


3 months later...
On 12/14/2016 at 1:43 PM, Falconevo said:

I will be back at my old gaff later in the week so I will check in the loft there to see if I have any spare DSL modems that can be used for bridging. If I do I will PM you and send it over for nothing; I can even pre-configure it for the correct VCI/VPI settings if you can find this out from your current modem or from the supplier directly.

 

Hey, first and foremost I got my ISP to upgrade my internet speed and to change my modem, and then I was able to get the bridge mode enabled.

On the other hand I finally got approval to buy and set up a pfSense machine; the build is as follows:

Motherboard: AM1B-M.

Processor: Sempron 2650.

RAM: 4GB Kingston DDR3 1600MHz.

Network Interfaces: 2 TP-LINK PCIe Gigabit ethernet adapters TG-3468.

1 onboard Gigabit LAN Realtek RTL8111GR.

Disk: No disk but a 4GB thumb drive running embedded pfSense, latest version.

I know I should probably have bought some second-hand Intel NIC but they were pretty expensive: PCI is not compatible with this mobo and PCIe is even more expensive. So if I can get away with using these it would be great! The problem is I'm getting some issues with pfSense: it not only does not auto-assign my NICs, but also when I set them manually I cannot get a PC connected to the pfSense router and access the GUI; it just fails to assign an IP, it shows some random nonsense IP (like 127.213.100.123) on my PC.

Also, I noted that the MAC addresses for my NICs are not being displayed as they should be following the interface name:

IMG_20170315_170606617.jpg

And when I try to autodetect and connect a cable to the modem or to a PC it says "No linkup detected". I'm really clueless here because unless it's some sort of weird compatibility issue I cannot think of any other thing I did wrong. Also, I searched forums to find if my NIC is compatible and some reported being successful using it. And it's also weird that the onboard NIC is having the exact same issue. Maybe it is the pfSense version?

 

 


Set yourself a static IP on the PC you have connected on the LAN network.


Set it as

IP Address - 192.168.1.2
Subnet - 255.255.255.0
Gateway 192.168.1.1
Primary DNS - 192.168.1.1

Then access the pfSense control panel via a web browser at https://192.168.1.1


20 hours ago, Falconevo said:

Set yourself a static IP on the PC you have connected on the LAN network.



 
 

Whoa, that worked! Thanks man! But now I'm stuck again. I got the basics working; now my PC plugged into LAN gets internet just fine. I also found some PCIe WiFi card lying around and it was detected by pfSense (it is not listed on the compatibility list but it worked anyway); the problem is I can't enable another DHCP server other than LAN, and since I wanted my guest WiFi to be in a separate subnet this is really inconvenient. I also tried just bridging the LAN and WiFi interfaces but to no avail; DHCP refuses to work on my WiFi interface.

I thought it was due to the WiFi NIC so I swapped it for the ethernet NIC again but the same error persists, no DHCP on WiFi.

pfsense.png

So I opted for bridging my WiFi and LAN, and the only way I can get it working is when I set a firewall rule on LAN to allow all traffic; then I get the LAN DHCP server to assign IPs to my WiFi devices, but weird stuff happens, because even though on my phone I get WiFi and internet access (I first disconnected cellular), my phone still says it has no internet connection and some things like speedtest won't work.

Here is my DHCP page, it only has the LAN window. pfsense dhcp.png

And my firewall rules:

pfsense firewall.png

I'm clueless here, I expected to just set another DHCP server, add some firewall rules and call it a day, but it's really bugging me :|


If you are using a bridge, there is a system tunable to change the filtering method to be on the bridge instead of the interface(s).

Set net.link.bridge.pfil_member to 0
Set net.link.bridge.pfil_bridge to 1

The WiFi interface should not have an IP allocated to it; change the IPv4 configuration to none.
