Small Office Networking problem (Switches / VLANs)

fro5tie · 26 Aug 2011 at 18:40

Hi

I have the following problem and could use suggestions for resolving it:

Wired network with approx 15 PCs and 2x servers.
Broadband internet needs to go in and shared out via all the PCs
Servers need to be denied access to the Internet, but PCs need to access both servers and Internet

My idea at the moment is to buy a cheapish switch, and create 2x VLANs as follows:

VLAN 1 - Internet - Router is untagged, PCs are tagged
VLAN 2 - Local Network - Server is untagged, PCs are untaggged

Been debating whether this will work or not, any suggestions?

Unfortunately we are on a tight budget switch wise, and cannot get anything decent which will allow us to route traffic properly from PCs through to Internet.

Will_3rd · 26 Aug 2011 at 19:58

What's doing DHCP/DNS? The server or router?

Is this an Active Directory Domain with Exchange?

#Chri5# · 26 Aug 2011 at 20:09

Good questions by Will_3rd.

I'd look to do this at gateway level rather than by VLANs. Any decent SME firewall should let you drop all WAN bound traffic from certain sources, or just drop everything bar required services eg DNS.

fro5tie · 27 Aug 2011 at 15:07

Hi,

Its not an AD domain, no exchange, no DHCP/DNS, its just a workgroup with PCs and servers set up with static IPs. Been discussing with a few other people and yeah it does seem like a bit of an OTT idea we thought of first. Probably going to just look into blocking the MACs of the servers on the router, there isnt a firewall or anything like that at the moment its simply just the PCs go through the broadband router to the outside so thats the only place we can look at blocking traffic.

Zarf · 28 Aug 2011 at 01:02

To achieve your desired setup cheapest option is to stick with your existing setup and block the macs in the router (or remove the gateway address on the servers)

Sin_Chase · 28 Aug 2011 at 01:06

How do you plan to patch servers without an internet connection?

What is the point? It does not represent ANY additional security as your desktops can get infected and easily dump it to a server over a share.

If there is a non security reason then fair enough. What router is it? Just dump a rule on it for the servers by source IPs for outbound and destination IPs for inbound. Block/Drop.

bremen1874 · 28 Aug 2011 at 01:46

Not having a direct way to apply security updates probably makes the servers more exposed than they’d be otherwise. If there’s another patch management option visible to the servers then it’s fair enough, but on that size of network it’s not likely.

There has got to be some good, but slightly obscure, reason why these servers need to be blocked from the Internet.

GhostlyPea · 28 Aug 2011 at 10:48

Buy a proper firewall... you can get a cheap Checkpoint SAO 500 for circa £300 which would do the job marvellously, or if the budget allows something like an ASA 5505.

Do it properly and find the budget or you will only regret it later when something goes **** up.

- GP

Deleted member 77746 · 28 Aug 2011 at 11:31

15 machines doesn't need to be complex like vlans e.t.c ..... A simple switch with a router will be good enough.

Phemo · 28 Aug 2011 at 17:35

Buy a real firewall and do it that way. Something like a Juniper SSG5 would be ideal and cheap too.

Otherwise, if you really don't need any Internet access on the servers, just set them with static IPs and no default gateway then they can't get anywhere outside of their local subnet anyway.

Gaz1988 · 28 Aug 2011 at 19:53

15 PC's + 2 servers + router into a switch

leave default gateway on servers blank.

connect router to internet.

Job done! nice and cheap.