Internet only Network within main Network

<Mods, I've put this here but if you think it'd be better in Servers and Enterprise Solutions please move it there.>
Hi guys,

I’m after some way to create a network within a network. I know they have this at work but don’t have a clue how it’s done (think it might be VLANs... however it is they work! Or maybe settings on the firewalls?). And of course that’d be ridiculously expensive equipment!

What I’d like is to set it up so that all devices can plug into any switch port or connect to any of the wireless access points. If the device is then recognised as an approved device I’d like it to join the main network and access network shares etc.
But if it’s not an approved device I’d like it to only have internet access and not be able to see machines shared hard drives, NAS etc.
I assume the process of me approving a device could simply be adding its MAC address to a list in the router.

This is for a new network and the router I was thinking of using is the Draytek Vigor 2930 as the load-balancing dual WAN will be needed.
Re switches, there’s not going to be 20 PCs in one room or anything like that. It’s more going to be like a room with 3 PCs in it and a WAP, then another room 20m away with similar, etc. Can I make do with completely unmanaged switches, e.g. this, or do I need something with a bit of management like this?
Don’t have a clue which Access Points I'll be using yet, nothing fancy! Something cheap and cheerful!

Cheers
 
This is easy to do with the right kit; a cheap router isn't the right kit unfortunately. Probably your best bet is a router which supports VLANs and then some decent switches which support dynamic VLANs (that's Cisco terminology really; other vendors may call it other things).

This isn't something you can really do on the cheap. Better would probably be a wireless AP like Apple's AirPort Extreme which supports a guest network. I don't know if any other consumer gear does this but it's a nice feature. It's wireless only obviously, but it's also the only thing I can think of even close to what I imagine you're prepared to spend...

Thanks for the info. :)

Unfortunately I can't just rely on all the un-approved devices being on wireless, as I just know someone will unplug one of the wired approved machines to plug theirs in :rolleyes: and that'll bypass any VLAN that's applied to the switch port :(. Though if it were based on the machine's MAC address it would work (provided the approved devices are protected enough that someone can't get into one and find its MAC address).

I just looked up the specs of the Draytek Vigor 2930 and it says "Port-Based VLAN (Ethernet LAN ports exclusive/inclusive groups)". I guess that's no use for me then, as people will just swap network ports :(, and a whole switch will be on one of the router's four ports (or is that where decent switches which support dynamic VLANs come in?).

This is for a small charity / organization / business, so the budget is basically somewhere above a crappy BT Homehub but below a £3K Cisco enterprise grade router!

What would be a good router for this then?
 
Thanks all.

Blimey, this is more complicated than I first thought :(. PKI and VLANs is something I know nothing about apart from “they use it at work and it’s expensive”!

So basically with that Draytek router (or others similarly priced) I can’t really do this? With regard to port security mentioned by BRS, what’s the entry level of switches to do this? I was looking at the ProCurve 1400 8-port on the HP site earlier but I don’t see port security mentioned.

I agree, I just think that Draytek calling what they have a VLAN when all it does is create isolated segments which have internet access but not to each other is misleading.

You can't route or trunk any of it, and to me that's wrong on a device calling itself a router.

Isn’t that what I’m after? I want the main network of approved devices to be on the network doing networky things, and all other devices (unapproved) to be internet only – no access to the network or each other.
@ ho-hum: Active Directory and groups etc is how I would do it if the budget was larger. This setup has no need for a server at all :(


With the Apple AirPort Extreme mentioned earlier... what's it like? Actually IIRC that’s proper dual band, isn’t it? Meaning at each AP location I’d only need one instead of separate 2.4GHz & 5GHz APs. Can it be configured to just be an AP, or should I use one as the router too and forget the Draytek? (Though I’d need a load-balancer to plug into the AirPort's WAN port.)
 
Thanks for all the help guys :)

Right, trying to summarise what I've learnt!

Draytek Vigor 2930 cannot do VLANs (which is what I need for 'network within a network') but it does port-based DMZ.... which is useless as I need more than its four ports!

To do my 'network within a network' thing I'll need to use intelligent dynamic VLANs, which is far too expensive for this.

Port security is done on a switch, and only lets a device with a specific MAC address plug into a specific port. What's the cheapest Gigabit switch to offer this? I was thinking of the HP ProCurve Switch 1400-8G and this doesn't do it, but if there was another switch £5 more that did...

Re the Apple Airport Extreme (AEBS). This is £140 and has simultaneous 2.4GHz and 5GHz wireless and also a 'guest wireless' feature which is described as being a second wireless network that you can limit to internet only access. Does this guest network work on both the 2.4GHz and 5GHz? (Thus the device is broadcasting both the main network and the public network on both 2.4GHz and 5GHz simultaneously). Does the guest network feature work when it's being used as an access point (by ethernet) off of a non-apple router? (I could use an Apple Router I guess if I plugged a load-balancer into its WAN port).

What I'm thinking right now is:
This way the router is broadcasting (encrypted) full-network-access 2.4GHz and (encrypted) full-network-access 5GHz wireless. The switches all have full-network-access ports (unless I upgrade to switches with port security at £?). The Airport extremes are each transmitting (encrypted) full-network-access 2.4GHz, (encrypted) full-network-access 5GHz, (open) internet-only 2.4GHz and (open) internet-only 5GHz. PCs and NAS etc can be plugged into the switch ports, and I'll have to ensure that anything I don't want on the network with printer/shares access is only connected by the open wireless.

How's that sound?
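An added example, not posted by anyone in this thread: since the switches in the plan above don't do port security, the cheapest substitute is to pull the switch's MAC address table now and then and compare it against a list of which approved MAC belongs on which port. The sample table below is constructed in the layout of Cisco IOS "show mac address-table" output (HP ProCurve "show mac-address" prints it differently, so only the row regex would need changing), the port-to-MAC allow-list and the WAP on Gi0/4 are assumed, and the whole thing is a detection after the fact: it will flag the cable-swap scenario but cannot see a stranger who has set an approved MAC on their own NIC, and a machine that is switched off or simply quiet drops out of the table too.

```python
import re
from collections import defaultdict

# Constructed sample laid out like Cisco IOS "show mac address-table" output;
# it is not output captured from any switch in this thread. The HP ProCurve
# "show mac-address" layout differs, so only the ROW regex would need changing.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4466    DYNAMIC     Gi0/2
  10    00de.adbe.ef01    DYNAMIC     Gi0/3
  10    0011.2233.4488    DYNAMIC     Gi0/4
  10    0011.2233.4489    DYNAMIC     Gi0/4
  10    0011.2233.4499    DYNAMIC     Gi0/6
Total Mac Addresses for this criterion: 6
"""

# Assumed allow-list: the MAC(s) that belong behind each access port.
# None marks a port (here the WAP uplink) where many MACs are expected and
# are not policed by this check.
EXPECTED = {
    "Gi0/1": {"0011.2233.4455"},
    "Gi0/2": {"0011.2233.4466"},
    "Gi0/3": {"0011.2233.4477"},   # approved PC; the sample shows a stranger here
    "Gi0/4": None,                 # WAP uplink
    "Gi0/5": {"0011.2233.4499"},   # approved PC; the sample shows it on Gi0/6
}

# One data row: vlan, Cisco-style dotted MAC, entry type, port
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: {mac, ...}}; header, separator and summary lines are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            seen[port].add(mac.lower())
    return dict(seen)


def audit(seen, expected):
    """Compare a parsed MAC table against the allow-list.

    Returns a sorted list of (reason, port, mac) where reason is
    'unexpected' (a MAC on a port it is not approved for, including ports
    not in the allow-list at all) or 'missing' (an approved MAC that has
    not been learned on its port; a quiet or unplugged machine shows up
    here as well, so 'missing' is a prompt to look, not proof of misuse).
    """
    findings = []
    for port, macs in seen.items():
        allowed = expected.get(port, set())   # unknown port: nothing is allowed on it
        if allowed is None:                   # unpoliced uplink
            continue
        for mac in macs:
            if mac not in allowed:
                findings.append(("unexpected", port, mac))
    for port, allowed in expected.items():
        if allowed is None:
            continue
        for mac in allowed:
            if mac not in seen.get(port, set()):
                findings.append(("missing", port, mac))
    return sorted(findings)


if __name__ == "__main__":
    for reason, port, mac in audit(parse_mac_table(SAMPLE_MAC_TABLE), EXPECTED):
        print(f"{reason:10} {port:8} {mac}")
```

Run against the sample it reports the stranger on Gi0/3, the approved PC that has gone missing from Gi0/3, and the Gi0/5 PC that has turned up on Gi0/6 (as both "missing" on Gi0/5 and "unexpected" on Gi0/6). Real use would feed it the output of an SNMP walk or an SSH session to the switch instead of the constant.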
 
Thanks. I’ve been reading up on VLANs and think I understand it now and that’s definitely what I want.
bigredshark said:
There comes a point when you may have to tell whoever you're doing this for that they can't have it on the cheap. It's really not helpful to anyone designing compromised networks with inappropriate kit and you need to recognise the difference between that and trying to get good value.
I agree entirely. However if I go in all-guns-blazing “we need a server” etc. the response will be “my BT Homehub's nice and shiny” :rolleyes:. Working out the possible options and costs and giving the leadership the choice (with me going “ZOMG SECURITY”) will probably be best!

As I see it there are three options, right (with increasing security and increasing cost):
  1. All devices (wired and wireless) are on the full network – Draytek Vigor 2930 router £210, HP ProCurve 1400 switches £50 each, bog-standard 2.4GHz and 5GHz WAPs.
  2. Devices on separate internet-only and full-access networks (VLANs). Which VLAN a device is on is determined by which switch port it uses (or the switch port of the WAP it's connected through).
  3. Devices on separate internet-only and full-access networks (VLANs). Which VLAN a device is on is determined by the device's MAC address.
I suspect option 1 is too insecure, and option 3 will be too expensive.... so it’s option 2! Though if option 3 was only £xx more..... ;)


bigredshark said:
The cheapest gigabit switch supporting VLANs will be some rubbish Linksys or Netgear thing, the cheapest I'd use is a HP procurve 1800G but that's a limited feature set and not a proper managed switch in my view - I think an 8 port one can be had for £100 or so.
Yep I wouldn’t touch Netgear switches anymore, and the network guys at work swear by HP Procurves. Re the HP ProCurve Switch 1810G-8 at £110, what’s it lacking in comparison with a fully managed switch?

So to do this properly I’m going to need:
  • Dual WAN (load balance) router with multiple VLAN trunking over each of its switch ports. Any suggestions?
  • Switches. HP ProCurve Switch 1810G-8 at £110ea. Do I *need* (or want even) to upgrade to fully-managed switches? And how much?
  • Access points. Cheap normal home-use access points (I can’t see there being more than 10 wireless users).

Any comments or suggestions will be appreciated!
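An added example, not from anyone in this thread, of what option 3 actually is underneath: on the kit that supports it, the switch sends the connecting device's MAC address to a RADIUS server (as Calling-Station-Id) and the server answers with the VLAN to put the port in, using the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes from RFC 2868 as RFC 3580 describes. The decision function below is that lookup written out in Python; the VLAN numbers 10 and 20, the two approved MACs and the function names are assumptions. The spoof_demo function shows the caveat the thread has already spotted: a stranger presenting an approved machine's MAC is indistinguishable to this scheme, which is why the next step up is 802.1X with certificates (the "PKI" mentioned earlier).

```python
# RFC 2868 attribute values that RFC 3580 uses to hand a VLAN back to the switch
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Assumed VLAN IDs; the thread never settles on numbers
FULL_ACCESS_VLAN = 10
INTERNET_ONLY_VLAN = 20


def normalize_mac(mac):
    """Canonicalise the MAC formats switches put in Calling-Station-Id
    ('00:11:22:33:44:55', '00-11-22-33-44-55', '0011.2233.4455', ...)
    to lowercase colon-separated form so the allow-list lookup is exact."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan):
    """The Access-Accept attributes a RADIUS server returns to place the port in `vlan`."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authorize(calling_station_id, approved):
    """MAC-based decision: approved MAC -> full-access VLAN, anything else ->
    internet-only VLAN. Every device gets a link; only the VLAN differs."""
    mac = normalize_mac(calling_station_id)
    vlan = FULL_ACCESS_VLAN if mac in approved else INTERNET_ONLY_VLAN
    return vlan_attributes(vlan)


# Constructed allow-list of approved machines, stored in canonical form
APPROVED = {normalize_mac(m) for m in ("00:11:22:33:44:55", "0011.2233.4466")}


def spoof_demo(approved):
    """The weakness of option 3: a stranger's own NIC lands in the guest VLAN,
    but the same stranger with an approved machine's MAC set on their NIC
    lands in the full-access VLAN. Returns the two VLAN IDs as strings."""
    stranger_real = authorize("de:ad:be:ef:00:01", approved)
    stranger_spoofed = authorize("00-11-22-33-44-55", approved)
    return (stranger_real["Tunnel-Private-Group-ID"],
            stranger_spoofed["Tunnel-Private-Group-ID"])


if __name__ == "__main__":
    print(authorize("0011.2233.4455", APPROVED))
    print(spoof_demo(APPROVED))   # ('20', '10')
```

The point for the budget discussion is that the decision has to live somewhere that is always on and that the switches can ask, i.e. a RADIUS server, which is the "you need a server" the reply above anticipates the leadership pushing back on.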
 
Thanks for all the help. :)

In a way I'd prefer a web interface to CLI, as my last experience with CLI was on an ancient Allied Telesyn and it was hideous :(. Though that's just me being a wimp!

Hmm, so the 1810G having vlans, no port security or dynamic vlan support would be fine for option 2 but not option 3 then.

Yep I too was thinking about whether GigE is really needed. Again, if I work out which switches to use for 10/100 and which to use for GigE it should just be a dead simple "Is the extra £xx worth it yes/no?". I know we won't be needing PoE. HP or Cisco is the vibe I'd been getting from the guys at work too.

Yeah two ethernet WAN ports is what I'm after (it'll just be two ADSL2+ connections using either the ISPs modem or a Draytek Vigor 120). The router having a decent firewall is a must, as one of the PCs (or maybe a dedicated NAS) will be remote-accessed.
That Juniper SSG5 looks good, though I've never seen or used anything Juniper (know the guys at work use some Juniper equipment though). Any Cisco stuff in this price range and for a small network? Or are they mega £££ for large enterprise only?
 