Sunday, February 15, 2015

networking - Private staff network within public network
I'm the sysadmin at a small public library. Since I got here a few years ago, I've been trying to set up the network in a secure and simple way.
Security is a little tricky; the staff and patron networks need to be separated, for security reasons. Even if I further isolated the public wireless, I'd still rather not trust the security of our public computers. However, the two networks also need to communicate; even if I set up enough VMs so they didn't share any servers, they need to use the same two printers at the very least.
Currently, I'm solving this with some jerry-rigged commodity equipment. The patron network, linked together by switches, has a Windows server connected to it for DNS and DHCP and a DSL modem for a gateway. Also on the patron network is the WAN side of a Linksys router. This router is the "top" of the staff network, and has the same Windows server connected on a different port, providing DNS and DHCP, and another, faster DSL modem (separate connections are very useful, especially as we heavily depend on some cloud-hosted software). Both networks have wireless networks (staff secured with WPA, of course).
tl;dr: We have a public network, and a NATed staff network within it.
My question is: is this really the best way to do this? The right equipment would likely make my job easier, but anything with more than four ports and even rudimentary management quickly becomes a heavy hit on our budget.
(My original question was about an ungodly frustrating DHCP routing issue, but I thought I'd ask whether my network was broken rather than asking about the DHCP problem and being told my network was broken.)
Answer
To me it seems to be a simple matter of using VLANs to separate the networks in question and then using network cards in the servers that can differentiate the VLAN traffic and respond accordingly. Of course, the switches need to be VLAN capable which, if they're not already, may be a bit more expensive than you can afford. ProCurve makes good 24-port 10/100 switches for under $400, if that's not too steep.
The topmost LinkSys may be a bit of an issue as far as seeing the VLANs is concerned. I know some of LinkSys's higher end stuff (if such a thing exists) can work with VLANs, but I never liked them. You may want to see if your LinkSys is a candidate to have dd-wrt installed on it, which can handle VLANs and may be a bit more robust as far as what it can do for you in other ways.
Or you could use one of your servers as the gateway/firewall. Drop IPCop on a reliable piece of equipment and be done with LinkSys forever.
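What the answer's "use one of your servers as the gateway/firewall" suggestion looks like in practice, as an added example that is not part of the question or the answer: a Linux box on a VLAN trunk, with one tagged subinterface per network and an nftables forward policy that lets staff reach the patron side while the patron side can only reach the two shared printers. Everything concrete here is assumed, not taken from the post: trunk interface eth0, VLAN 10 for staff (192.168.10.0/24), VLAN 20 for patrons (192.168.20.0/24), the printers at 192.168.10.50 and .51 on the staff VLAN, and printing over IPP (631) and raw JetDirect (9100). The two separate DSL uplinks and the policy routing they would need are left out; only the boundary between the two VLANs is shown.

```shell
#!/bin/sh
# Added example (not from the original post): Linux gateway between a staff
# VLAN and a patron VLAN on one trunk port, enforced with nftables.
# All interface names, VLAN IDs, addresses and printer ports are assumptions;
# adjust them to the real network before applying.

TRUNK=eth0                       # switch port carrying both VLANs tagged
STAFF_VID=10;  STAFF_GW=192.168.10.1/24
PATRON_VID=20; PATRON_GW=192.168.20.1/24
PRINTERS="192.168.10.50, 192.168.10.51"   # shared printers on the staff VLAN
PRINT_PORTS="631, 9100"                  # IPP and raw JetDirect

# Emit the iproute2 commands that create one tagged subinterface per VLAN
# and turn on forwarding so the box routes between them.
vlan_setup_commands() {
    cat <<EOF
ip link add link $TRUNK name $TRUNK.$STAFF_VID type vlan id $STAFF_VID
ip addr add $STAFF_GW dev $TRUNK.$STAFF_VID
ip link set $TRUNK.$STAFF_VID up
ip link add link $TRUNK name $TRUNK.$PATRON_VID type vlan id $PATRON_VID
ip addr add $PATRON_GW dev $TRUNK.$PATRON_VID
ip link set $TRUNK.$PATRON_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Emit the nftables ruleset. The forward chain is default-drop: staff may
# initiate to the patron VLAN, patrons may initiate only to the printers,
# and any other patron->staff attempt is logged and dropped.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet library {
    set printers {
        type ipv4_addr
        elements = { $PRINTERS }
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # staff -> patron VLAN (e.g. to the DNS/DHCP server or the patron side) is allowed
        iifname "$TRUNK.$STAFF_VID" oifname "$TRUNK.$PATRON_VID" accept
        # patron -> staff VLAN only for printing to the two shared printers
        iifname "$TRUNK.$PATRON_VID" oifname "$TRUNK.$STAFF_VID" ip daddr @printers tcp dport { $PRINT_PORTS } accept
        iifname "$TRUNK.$PATRON_VID" oifname "$TRUNK.$STAFF_VID" log prefix "patron-to-staff denied: " drop
    }
}
EOF
}

# Dry-run by default so the generated commands and ruleset can be reviewed;
# set APPLY=1 to actually configure the interfaces and load the ruleset.
if [ "${APPLY:-0}" = "1" ]; then
    vlan_setup_commands | sh -e
    nft_ruleset | nft -f -
else
    vlan_setup_commands
    nft_ruleset
fi
```

Run it once without APPLY to read the output, then with `APPLY=1` as root on the gateway. The Windows server that hands out DNS and DHCP to both networks needs either a VLAN-aware NIC (one tagged virtual interface per VLAN, as the answer describes) or one untagged switch port in each VLAN; the forward chain above only governs traffic that crosses between the VLANs, so a patron machine can still reach the patron-side copy of the server directly.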