Small Office Networking problem (Switches / VLANs)

Hi

I have the following problem and could use suggestions for resolving it:

Wired network with approx 15 PCs and 2x servers.
Broadband internet needs to go in and shared out via all the PCs
Servers need to be denied access to the Internet, but PCs need to access both servers and Internet

My idea at the moment is to buy a cheapish switch, and create 2x VLANs as follows:

VLAN 1 - Internet - Router is untagged, PCs are tagged
VLAN 2 - Local Network - Server is untagged, PCs are untagged

Been debating whether this will work or not, any suggestions?

Unfortunately we are on a tight budget switch wise, and cannot get anything decent which will allow us to route traffic properly from PCs through to Internet.
 
Good questions by Will_3rd.

I'd look to do this at gateway level rather than by VLANs. Any decent SME firewall should let you drop all WAN bound traffic from certain sources, or just drop everything bar required services eg DNS.
 
Hi,

It's not an AD domain, no Exchange, no DHCP/DNS; it's just a workgroup with PCs and servers set up with static IPs. Been discussing with a few other people and yeah, it does seem like a bit of an OTT idea we thought of first. Probably going to just look into blocking the MACs of the servers on the router. There isn't a firewall or anything like that at the moment; it's simply just the PCs going through the broadband router to the outside, so that's the only place we can look at blocking traffic.
 
To achieve your desired setup, the cheapest option is to stick with your existing setup and block the MACs in the router (or remove the gateway address on the servers).
 
How do you plan to patch servers without an internet connection?

What is the point? It does not represent ANY additional security as your desktops can get infected and easily dump it to a server over a share.

If there is a non security reason then fair enough. What router is it? Just dump a rule on it for the servers by source IPs for outbound and destination IPs for inbound. Block/Drop.
 
Not having a direct way to apply security updates probably makes the servers more exposed than they’d be otherwise. If there’s another patch management option visible to the servers then it’s fair enough, but on that size of network it’s not likely.

There has got to be some good, but slightly obscure, reason why these servers need to be blocked from the Internet.
 
Buy a proper firewall... you can get a cheap Checkpoint SAO 500 for circa £300 which would do the job marvellously, or if the budget allows something like an ASA 5505.

Do it properly and find the budget or you will only regret it later when something goes **** up.

- GP
 
Buy a real firewall and do it that way. Something like a Juniper SSG5 would be ideal and cheap too.

Otherwise, if you really don't need any Internet access on the servers, just set them with static IPs and no default gateway then they can't get anywhere outside of their local subnet anyway.
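As an added illustration that is not from any poster in this thread, the constructed Python model below compares the two cheap options raised above: a server with its default gateway left blank, versus a router rule that drops outbound traffic by server source address (with DNS let through, as one reply suggested for "required services"). It also shows the earlier point that neither option stops a PC reaching a server share, because that traffic never crosses the router. The subnet, addresses, host names and rule format are all assumptions.

```python
"""Constructed model of a small office LAN behind a broadband router.

Added example, not code from the thread. It answers one question per host:
can this host reach a given destination, and if not, which control stopped it?
All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Dict

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed office subnet
SERVERS = ipaddress.ip_network("192.168.1.8/29")      # assumed server range .8-.15
INTERNET_HOST = "203.0.113.5"                         # constructed WAN address


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    gateway: Optional[ipaddress.IPv4Address]  # None models "left the gateway blank"


@dataclass
class Rule:
    """One entry in the router's LAN->WAN filter, evaluated first-match."""
    action: str                               # "accept" or "drop"
    src: ipaddress.IPv4Network                # source network to match
    proto: Optional[str] = None               # None matches any protocol
    dport: Optional[int] = None               # None matches any port


def host(name: str, ip: str, gateway: Optional[str] = None) -> Host:
    gw = ipaddress.ip_address(gateway) if gateway else None
    return Host(name, ipaddress.ip_address(ip), gw)


def router_forward(rules: Sequence[Rule], src, proto: str, dport: int) -> str:
    """Apply the outbound filter; an empty ruleset (typical home router) accepts."""
    for r in rules:
        if src in r.src and (r.proto is None or r.proto == proto) \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "accept"


def can_reach(h: Host, dst_ip: str, proto: str = "tcp", dport: int = 80,
              rules: Sequence[Rule] = ()) -> Tuple[bool, str]:
    """Return (reachable, reason) for a packet from host h."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in LAN:
        # Same subnet: the switch delivers it directly, the router never sees it.
        return True, "local subnet, switched without touching the router"
    if h.gateway is None:
        return False, "no default gateway: host has no route off the subnet"
    if router_forward(rules, h.ip, proto, dport) == "drop":
        return False, "router filter dropped the packet by source address"
    return True, "forwarded by the router"


def internet_audit(hosts: Sequence[Host], rules: Sequence[Rule]) -> Dict[str, bool]:
    """Which hosts can open a plain web connection to the outside world."""
    return {h.name: can_reach(h, INTERNET_HOST, rules=rules)[0] for h in hosts}


# Option B from the thread: drop everything from the servers bar DNS.
SERVER_RULES = [
    Rule("accept", SERVERS, proto="udp", dport=53),   # let DNS lookups through
    Rule("drop", SERVERS),                            # drop all other server traffic
]

if __name__ == "__main__":
    lab = [
        host("pc01", "192.168.1.50", "192.168.1.1"),   # ordinary desktop
        host("srv01", "192.168.1.10"),                  # option A: gateway blank
        host("srv02", "192.168.1.11", "192.168.1.1"),   # option B: gateway set, rules do the work
    ]
    for name, ok in internet_audit(lab, SERVER_RULES).items():
        print(f"{name:6} internet: {'yes' if ok else 'no'}")
    # The share path is untouched by either option:
    print("pc01 -> srv01 SMB:", can_reach(lab[0], "192.168.1.10", dport=445))
```

Note that `internet_audit` only answers the WAN question; the SMB check at the end is the one to look at if the motivation was security rather than something else.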
 
15 PCs + 2 servers + router into a switch.

Leave the default gateway on the servers blank.

Connect the router to the Internet.

Job done! Nice and cheap.
 