Internet only Network within main Network

<Mods, I've put this here but if you think it'd be better in Servers and Enterprise Solutions please move it there.>
Hi guys,

I’m after some way to create a network within a network. I know they have this at work but don’t have a clue how it’s done (think it might be VLANs... however it is they work! Or maybe settings on the firewalls?). And of course that’s ridiculously expensive equipment!

What I’d like is set it up so that all devices can plug into any switch port or connect to any of the wireless access points. If the device is then recognized as an approved device I’d like it to join the main network and access network shares etc.
But if it’s not an approved device I’d like it to only have internet access and not be able to see machines shared hard drives, NAS etc.
I assume the process of me approving a device could simply be adding its MAC address to a list in the router.

This is for a new network and the router I was thinking of using is the Draytek Vigor 2930 as the load-balancing dual WAN will be needed.
Re switches, there’s not going to be 20 PCs in one room or anything like that. It’s more going to be like a room with 3 PCs in it and a WAP, then another room 20m away with similar etc. Can I make do with completely unmanaged switches e.g. this, or do I need something with a bit of management like this?
Don’t have a clue which Access Points I'll be using yet, nothing fancy! Something cheap and cheerful!

Cheers
 
This is easy to do with the right kit, a cheap router isn't the right kit unfortunately. Probably your best bet is a router which supports vlans and then some decent switches which support dynamic vlans (that's Cisco terminology really, other vendors may call it other things.).

This isn't something you can really do on the cheap. Better would probably be a wireless AP like Apple's Airport Extreme which supports a guest network. I don't know if any other consumer gear does this but it's a nice feature. It's wireless only obviously but it's also the only thing I can think of even close to what I imagine you're prepared to spend...
 

Thanks for the info. :)

Unfortunately I can't just rely on all the un-approved devices being on wireless, as I just know someone will unplug one of the wired approved machines to plug theirs in :rolleyes: and that'll bypass any VLAN that's applied to the switch port :(. Though if it were based on the machine's MAC address it would work (provided the approved devices are protected enough that someone can't get into one and find its MAC address).

I just looked up the specs of the Draytek Vigor 2930 and it says "Port-Based VLAN (Ethernet LAN ports exclusive/inclusive groups)". I guess that's no use for me then as people will just swap network ports :(, and a whole switch will be on one of the router's four ports (or is that where decent switches which support dynamic VLANs come in?).

This is for a small charity / organization / business, so the budget is basically somewhere above a crappy BT Homehub but below a £3K Cisco enterprise grade router!

What would be a good router for this then?
 
I should have explained dynamic vlan really, what it'll do is set the vlan which a port is assigned to based on the mac address of what's plugged in. Which sounds like what you want to do, then you need each vlan to go into your router (actually really it needs firewall features) and the 'default' vlan is only allowed internet while the internal vlan gets full access.

Only issue is, the only way I've ever configured it, it gets the information about which mac address to which vlan from a central source (VMPS server) which is a bit of an overhead for a small network.

You could always prevent people from unplugging something and plugging another machine in with port security (again, I'm talking cisco terminology but other manufacturers will support it). This will let you specify that only a specified mac address can be plugged into that port. Less flexible but every cisco switch going supports it and you don't need a VMPS server to do it...
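The two mechanisms described in the last two posts (a switch port locked to one MAC address, and a router that gives the guest VLAN internet-only access while the internal VLAN gets everything) look roughly like this on Cisco IOS. This is an added example, not configuration from anyone in the thread; the VLAN numbers, interface names and 192.168.x.x addresses are constructed, and it assumes a Catalyst-style access switch uplinked over an 802.1Q trunk to an IOS router with one subinterface per VLAN.

```cisco
! ---- Access switch (added example, constructed values) ----
vlan 10
 name INTERNAL
vlan 20
 name GUEST
!
! Port for an approved wired machine: learns the first MAC it sees ("sticky"),
! allows only that one, and err-disables the port if a different MAC appears.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Port for anything unapproved: just drop it in the guest VLAN.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the router: one cable carries both VLANs as 802.1Q tags.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Bring a port back automatically 5 minutes after a port-security violation,
! so a one-off mistake does not need someone at the switch.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! ---- Router ("router on a stick"; added example, constructed values) ----
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Guest VLAN policy: DHCP and DNS to the gateway, nothing to private ranges
! (that covers the internal VLAN and the router's other interfaces),
! everything else is assumed to be internet-bound and allowed.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.20.1 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
```

Two practical notes: a sticky MAC is written into the running configuration when first learned, so save the config (`write memory`) afterwards or the binding is lost on reboot, and `show port-security interface FastEthernet0/1` shows the learned address and the violation count. The ACL only says what the guest VLAN may not reach; it does nothing for the "anyone can unplug a PC" problem, which is exactly what the port-security lines on the switch are for.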
 
Without some decent hardware you're not going to be able to make it as "intelligent" as you seem to want it. I'm currently setting up something that does exactly what you want, using 802.1x but this is with Extreme switches, Cisco WAPs and a Windows NPS server with a PKI.

The port security that BRS mentions is probably the best you'll get for the kind of budget you're talking about.
 
I just need to point out that what Draytek call a VLAN the rest of the world calls a DMZ...

So it won't really be all that useful to you in this instance.
 
I wish the term DMZ could be erased from the face of the earth personally, it's misleading and best reserved for people who don't understand security at all. rant over...
 
I agree, I just think that Draytek calling what they have a VLAN when all it does is create isolated segments which have internet access but not to each other is misleading.

You can't route or trunk any of it, and to me that's wrong on a device calling itself a router.
 
Could you not achieve what you want by user access rather than device access?
For less than £3k could you not furnish your setup with an Active Directory server domain and use group policies, so that when users log in and are authenticated they are then applied the relevant GPOs according to their account level?
I've not personally tried this, but I would have thought that you could do the same with the computers in ADUC too.

Just a thought?
 
Thanks all.

Blimey, this is more complicated than I first thought :(. PKI and VLANs is something I know nothing about apart from “they use it at work and it’s expensive”!

So basically with that Draytek router (or others similarly priced) I can’t really do this? With regard to port security mentioned by BRS, what’s the entry level of switches to do this? I was looking at the ProCurve 1400 8 ports on the HP site earlier but I don’t see port security mentioned.

I agree, i just think that Draytek calling what they have a VLAN when all it does is create isolated segments which have internet access but not to each other is misleading.

You can't route or trunk any of it, and to me that's wrong on a device calling itself a router.
Isn’t that what I’m after? I want the main network of approved devices to be on the network doing networky things, and all other devices (unapproved) to be internet only – no access to the network or each other.
@ ho-hum: Active Directory and groups etc is how I would do it if the budget was larger. This setup has no need for a server at all :(


With the Apple Airport Extreme mentioned earlier... what's it like? Actually IIRC that’s proper dual band isn’t it? Meaning at each AP location I’d only need one instead of separate 2.4GHz & 5GHz APs. Can it be configured to just be an AP or should I use one as the router too and forget the Draytek? (Though I’d need a load-balancer to plug into the Airport's WAN port).
 
It'd be like having two discrete networks - each one would be able to access devices on its own network and the internet, but not each other.

You'd also have to manually switch them over from one network to the other by re-patching.
 

The HP 1400 isn't managed. I suspect a cheap managed ProCurve could do it but I've never done anything fancy with them so I can't say. I'd use something like a Cisco 2960-24TT which is a base model but has the features required. It's not gigabit and it'll cost around £450 so it's not cheap.

The airport extreme can be configured in access point only mode, I have one here doing exactly that and it's great but if you need the wired access then it's not really relevant.
 
Thanks for all the help guys :)

Right, trying to summarise what I've learnt!

Draytek Vigor 2930 cannot do VLANs (which is what I need for 'network within a network') but it does port-based DMZ.... which is useless as I need more than its four ports!

To do my 'network within a network' thing I'll need to use intelligent dynamic VLANs, which is far too expensive for this.

Port security is done on a switch, and only lets a device with a specific MAC address plug into a specific port. What's the cheapest Gigabit switch to offer this? I was thinking of the HP ProCurve Switch 1400-8G and this doesn't do it, but if there was another switch £5 more that did...

Re the Apple Airport Extreme (AEBS). This is £140 and has simultaneous 2.4GHz and 5GHz wireless and also a 'guest wireless' feature which is described as being a second wireless network that you can limit to internet only access. Does this guest network work on both the 2.4GHz and 5GHz? (Thus the device is broadcasting both the main network and the public network on both 2.4GHz and 5GHz simultaneously). Does the guest network feature work when it's being used as an access point (by ethernet) off of a non-apple router? (I could use an Apple Router I guess if I plugged a load-balancer into its WAN port).

What I'm thinking right now is:
This way the router is broadcasting (encrypted) full-network-access 2.4GHz and (encrypted) full-network-access 5GHz wireless. The switches all have full-network-access ports (unless I upgrade to switches with port security at £?). The Airport extremes are each transmitting (encrypted) full-network-access 2.4GHz, (encrypted) full-network-access 5GHz, (open) internet-only 2.4GHz and (open) internet-only 5GHz. PCs and NAS etc can be plugged into the switch ports, and I'll have to ensure that anything I don't want on the network with printer/shares access is only connected by the open wireless.

How's that sound?
 
You need higher end kit unfortunately, the HP 1400G is unmanaged and doesn't support vlans, so there's no way to separate full access and internet on them.

The cheapest gigabit switch supporting VLANs will be some rubbish Linksys or Netgear thing, the cheapest I'd use is a HP procurve 1800G but that's a limited feature set and not a proper managed switch in my view - I think an 8 port one can be had for £100 or so.

I would say using the draytek might work but it isn't exactly great, you can't trunk two vlans over a single port it appears which means it's fairly useless.

There comes a point when you may have to tell whoever you're doing this for that they can't have it on the cheap. It's really not helpful to anyone designing compromised networks with inappropriate kit and you need to recognise the difference between that and trying to get good value.
 
Thanks. I’ve been reading up on VLANs and think I understand it now and that’s definitely what I want.
bigredshark said:
There comes a point when you may have to tell whoever you're doing this for that they can't have it on the cheap. It's really not helpful to anyone designing compromised networks with inappropriate kit and you need to recognise the difference between that and trying to get good value.
I agree entirely. However if I go in all-guns-blazing “we need a server” etc the response will be “my BT homehubs nice and shiny” :rolleyes:. Working out the possible options and costs and giving the leadership the choice (with me going “ZOMG SECURITY”) will probably be best!

As I see it there’s three options right (with increasing security and increasing cost):
  1. All devices (wired and wireless) are on the full network – Draytek Vigor 2930 router £210, HP ProCurve 1400 switches £50 ea, bog-standard 2.4GHz and 5GHz WAPs.
  2. Devices on separate internet-only and full-access networks (VLANs). Which VLAN a device is on is determined by which switch port it uses (or the switch port of the WAP it's connected through).
  3. Devices on separate internet-only and full-access networks (VLANs). Which VLAN a device is on is determined by the device's MAC address.
I suspect option 1 is too insecure, and option 3 will be too expensive.... so it’s option 2! Though if option 3 was only £xx more..... ;)


bigredshark said:
The cheapest gigabit switch supporting VLANs will be some rubbish Linksys or Netgear thing, the cheapest I'd use is a HP procurve 1800G but that's a limited feature set and not a proper managed switch in my view - I think an 8 port one can be had for £100 or so.
Yep I wouldn’t touch Netgear switches anymore, and the network guys at work swear by HP Procurves. Re the HP ProCurve Switch 1810G-8 at £110, what’s it lacking in comparison with a fully managed switch?

So to do this properly I’m going to need:
  • Dual WAN (load balance) router with multiple VLAN trunking over each of its switch ports. Any suggestions?
  • Switches. HP ProCurve Switch 1810G-8 at £110ea. Do I *need* (or want even) to upgrade to fully-managed switches? And how much?
  • Access points. Cheap normal home-use access points (I can’t see there being more than 10 wireless users).

Any comments or suggestions will be appreciated!
 
I think you're probably on the right track. The 1800G I don't know well, we only use 2510s (and then only for management purposes, iLO and DRAC cards on the servers etc, actual data links are on Cisco or Juniper switches). I understand the 1810G has a web management interface only as opposed to the full CLI and I think it only does the very basic features (that is to say, it has vlans, no port security or dynamic vlan support).

If you want to get a higher end switch then you really need to consider how much you need Gigabit really, a 10/100 managed switch with a decent feature set can be had for £250-300 (HP or Cisco) but a gigabit one will likely be double that at least.

Router wise that's difficult, you need something which supports multiple WAN interfaces, vlans and doesn't cost the earth. Given the Draytek you mentioned has ethernet WAN ports I assume that's what you need - I would use a Juniper SSG5 firewall which has 8 assignable interfaces (each can be LAN, WAN, whatever) and supports vlans - it's also a top notch firewall but costs around £300 or so. It is however the cheapest device I can think of which can do everything you need but I would caution that I'm recommending it partly because I know the Juniper product line very well, there will likely be other devices which could do the job and may be easier to set up.
 
Thanks for all the help. :)

In a way I'd prefer a web interface to CLI, as my last experience with CLI was on an ancient Allied Telesyn and it was hideous :(. Though that's just me being a wimp!

Hmm, so the 1810G having vlans, no port security or dynamic vlan support would be fine for option 2 but not option 3 then.

Yep I too was thinking about whether GigE is really needed. Again, if I work out which switches to use for 10/100 and which to use for GigE it should just be a dead simple "Is the extra £xx worth it yes/no?". I know we won't be needing PoE. HP or Cisco is the vibe I'd been getting from the guys at work too.

Yeah two ethernet WAN ports is what I'm after (it'll just be two ADSL2+ connections using either the ISPs modem or a Draytek Vigor 120). The router having a decent firewall is a must, as one of the PCs (or maybe a dedicated NAS) will be remote-accessed.
That Juniper SSG5 looks good, though I've never seen or used anything Juniper (know the guys at work use some Juniper equipment though). Any Cisco stuff in this price range and small network? Or are they mega £££ for large enterprise only?
 
If you're willing to get your hands dirty with linux, there's the LISA project which supports dynamic VLANs and inter-VLAN routing with an IOS like CLI. http://lisa.ines.ro/

Since you're only talking a few devices in each room you could knock together some managed switches from old PCs on the cheap using dual-port NICs, probably under £80 total for a 6 or 8 port switch.

You'd still need to make sure you got APs that supported 802.1q and multiple SSIDs to provide the wireless side, but I'd estimate you could do the whole setup on a budget of £500.
 
I think you'd have to be clinically insane to even think about that, just remember you have entirely no comeback if it doesn't work, no support, no warranty and a good chance that some features don't even work. Also bearing in mind PCs were never meant for that and so won't be able to forward at line rate reliably.

Going back to the OP's question. The Juniper kit is very good but if you don't know it you'll have an uphill struggle, because it's actually a good firewall and really flexible it's also a world away from the cheap inflexible WAN, DMZ, LAN boxes so it's a big learning curve and you not only need to understand the (slightly obtuse) CLI but also the concepts involved.

Cisco wise, you need something with three ethernet ports and a fair degree of configurability. In the router area I can't think of anything cheap, but an ASA5505 might do the job - I don't use them myself so somebody will need to advise on how configurable the ports are (i.e. can you have two WAN interfaces and a pair of internal security zones?)
 