Small network with lots of features, questions

 
 
Tom M
      04-07-2009, 04:27 PM
Hello all,

I have setup a working network for my church, but I'm second-guessing
the schema that I'm using. I would very much appreciate your thoughts
on this. But a caveat first: our budget is limited, so while I know
we do a lot more in terms of security with better equipment... for
now, we have what we have. So here's the hardware I have:

Servers: One box running Server 2008 Enterprise (Core) with 3 vm's.
The host machine is running only Hyper-V. 2 NIC's are installed. VM1
is primary DC, DHCP; VM2 is backup DC, file server; VM3 is RRAS, print
server.
Networking: we have one public IP and a cable modem. One router
(Linksys BEFSX41) as the gateway. A few basic switches.
Wireless: 4 WAP's. DHCP is turned off; set up as RADIUS clients,
authenticating to the domain.
Clients: mostly XP Pro, one Mac OSX 10.4 (don't ask), one Vista
Business

Stuff I'd like to have ASAP but have not yet implemented:
- VPN - Allow at least one user to VPN into the network (I say at
least 1 because I'm not sure if that's all our router will allow).
- Wireless DMZ -- Allows guests to have wireless access to the
Internet but not access the network.

The current setup:
- Router IP: 192.168.1.1
- Switch is not plugged into the router. I am keeping the LAN
separate from the router as a security measure.
- One NIC from the server is plugged into the router (192.168.1.13);
the other is plugged into the switch (10.0.0.13).
- VM3 is acting as a router so that network clients can access the
Internet. It has two NIC's (192.168.1.14 and 10.0.0.14)
- VM1 (10.0.0.15) and VM2 (10.0.0.12) have static IP's.
- DHCP assigns 10.0.0.100-199, gateway 10.0.0.14 (VM3), DNS
10.0.0.15/12 (VM1 and 2).
- All static network clients (servers) have 10.0.0.14 (VM3) as their
gateway.

Problems:
- Internet connection for clients is dog-slow. This prompted my post
here -- http://social.technet.microsoft.com/...-01713c1212a7/
-- because I thought it was maybe Hyper-V related. It is somewhat,
but that discussion has led me to re-think the network topology.
- Not sure how to implement VPN, which I'm itchin' to get running.

What I'm thinking:
- Plug the switch into the router directly. According to that post,
it's not really buying me the security I thought it was.
- Remove NAT from VM3. Client gateways will be the router instead of
the server.

Questions/concerns:
- Should the router be on totally different subnet than the domain
computers? Does it matter if the gateway IP for a 10.0.0.x network
client is 192.168.1.1?
- I've read it's good to have two NIC's for one's VPN server. I have
that on VM3. But do I give it two 10.0.0.x IP's? One 192.168.1.x
IP? Which one is the "Internet" NIC that RRAS prompts for? Or does
it not matter?
- Bearing in mind I'd like to have wireless DMZ, how does that affect
IP address assignment for network devices? Does this force me to have
a different subnet than the network for the gateway? Since Internet
traffic for both DMZ and network clients will ultimately be going
through the router.

As you can tell, I'm a newbie, but I've gotten pretty far with this.
If you have an IP address schema that you think works better than my
10.0.0.x and 192.168.1.x, I'm all ears (10.0.x.x? 192.168.x.x?).
I've read a little on private subnets, but I've only absorbed so much.

Again, your help is much appreciated.

Thanks
Tom

Note: I have also posted this here:
http://social.technet.microsoft.com/...5-11597b65810f
But that board seems to be kind of slow.
 
James McIllece [MS]
      04-08-2009, 07:19 PM
Hi Tom --

I can't address all of your concerns but hopefully I can assist with a
couple.

1. Should the router be on totally different subnet than the domain
computers?

No; the key is to ensure that the router provides a substantial firewall to
protect the network from intrusion. In some cases organizations use a
hardware firewall outside of the routers:

Internet <--> Hardware firewall <--> Perimeter network with VPN and Web servers <--> Router public interface | Router | Router private interface <--> LAN

But that sounds like overkill for what you're doing.

2. Does it matter if the gateway IP for a 10.0.0.x network client is
192.168.1.1?

That doesn't make sense to me. If a client computer is on a subnet to which
a router is attached, the router IP address on that subnet must be from the
same address pool. The router IP address is then the default gateway for
the clients on the subnet.

Of course the router has other interfaces, and they can have other IP
addresses to service other subnets. (Assuming that we're discussing a real
Layer 2 or Layer 3 router and not a home networking job, which in most
cases has LAN interfaces/Ethernet ports that are more like a hub than a
router.)

3. I've read it's good to have two NIC's for one's VPN server. I have that
on VM3. But do I give it two 10.0.0.x IP's? One 192.168.1.x IP? Which
one is the "Internet" NIC that RRAS prompts for? Or does it not matter?

A VPN server is typically used as a gateway device between two networks.
Because of the fact that there are two networks, two network adapters are
required for the VPN server to fulfill its function properly.

The public interface of the VPN server -- which is connected to the
Internet -- must have a static public IP address provided by your ISP. The
private IP address on the LAN side must be from the same address pool (like
10.10.10.X) that is used by other clients on the subnet to which the server
is connected. So if clients there are using 192.168.1.X, the private
interface of the VPN server should also be from that address pool.

If you are using the VPN server to connect two private network segments,
you can choose which side is which. Just keep in mind that there will still
be the logic of which side is "public" and which side is "private," because
users on the public side will have to be running VPN clients that have
access permissions to connect to the LAN on the private side of the VPN
server.

HTH --

***********

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.



 
Tom M
      04-08-2009, 07:37 PM
Hi James, thanks for the reply.

> No; the key is to ensure that the router provides a substantial firewall to
> protect the network from intrusion. In some cases organizations use a
> hardware firewall outside of the routers:
>
> Internet <--> Hardware firewall <--> Perimeter network with VPN and Web servers <--> Router public interface | Router | Router private interface <--> LAN
>
> But that sounds like overkill for what you're doing.


Yea, I'd like to purchase a real hardware-based firewall one day, but
it's not in the budget right now. I'm stuck with the router-and-
firewall-in-one that we have, at least for now. It's a Linksys
BEFSX41.

> 2. Does it matter if the gateway IP for a 10.0.0.x network client is
> 192.168.1.1?
>
> That doesn't make sense to me. If a client computer is on a subnet to which
> a router is attached, the router IP address on that subnet must be from the
> same address pool. The router IP address is then the default gateway for
> the clients on the subnet.
>
> Of course the router has other interfaces, and they can have other IP
> addresses to service other subnets. (Assuming that we're discussing a real
> Layer 2 or Layer 3 router and not a home networking job, which in most
> cases has LAN interfaces/Ethernet ports that are more like a hub than a
> router.)


Unfortunately I can't get that Layer 2 or 3 router right now, so it's
more of a "home networking job" :-) Given that, what I have right now
is the router with an IP of 192.168.1.1, the "public" interface of the
server/router as 192.168.1.14, and the "private" ip of the server/
router as 10.0.0.14. Network clients are all 10.0.0.x. Network
gateway is the server, and traffic routed out through the public
interface to the router.

But let's say I put the router, the server, and the clients all on the
10.0.0.x subnet. Is that going to kill my wish to have a separate
wireless DMZ (assuming this needs to be a different subnet), given I
don't have a Layer 2/3 router? Or does this force me to have the
server as a router in order to keep the subnets different?

>
> 3. I've read it's good to have two NIC's for one's VPN server. I have that
> on VM3. But do I give it two 10.0.0.x IP's? One 192.168.1.x IP? Which
> one is the "Internet" NIC that RRAS prompts for? Or does it not matter?
>
> A VPN server is typically used as a gateway device between two networks.
> Because of the fact that there are two networks, two network adapters are
> required for the VPN server to fulfill its function properly.
>
> The public interface of the VPN server -- which is connected to the
> Internet -- must have a static public IP address provided by your ISP. The
> private IP address on the LAN side must be from the same address pool (like
> 10.10.10.X) that is used by other clients on the subnet to which the server
> is connected. So if clients there are using 192.168.1.X, the private
> interface of the VPN server should also be from that address pool.


Hm. I was under the impression I could use my router to route VPN
traffic to whatever private-IP interface I expose on the server. The
server would be plugged into the switch. Not true?

Thanks again!
Tom
 
E. Thornton
      04-09-2009, 05:47 AM
Tom,
Your network sounds overly complicated to me. I can understand why internet
access is slow, because all the clients have to go through your server, which
is running 3 VM's, to get to the internet.

You stated that you would like to have the wireless hosts separated from
your LAN. To do that, without using your server as a router, you need
another router.

I would connect your cable modem to the WAN port on Router 1. Set it up as
a DHCP server. Connect your wireless AP's to it with open authentication
(coffee-shop mode). Also connect Router 2 to it, set to acquire its IP
address automatically from the first router. Since you will have 4 WAPs and
a router, you might need to get a small switch as well, since most routers
like that Linksys only have 4 ports.

Your server and internal LAN switch would be connected to the second router,
and on a different subnet. This is going to isolate your internal network
from the wireless guests, but still bring internet access to the internal
network. So it might look something like this:

Router 1:
WAN side IP address: ? (I'm sure you have this info)
LAN side IP address of router: 192.168.1.1 255.255.255.0
DHCP pool: 192.168.1.10 - 254
Default gateway: ? (from your ISP)
DNS: ? (your ISP's DNS servers)

Router 2:
WAN side IP address: 192.168.1.2 255.255.255.0 (on the same subnet as
Router 1)
Default gateway: 192.168.1.1 (the IP address of Router 1)
LAN side IP address: 192.168.10.1 255.255.255.0 (notice different subnet)
DHCP server turned off.
Set your server as 192.168.10.2, and run DHCP, DNS, etc on your server.
Internal LAN hosts use 192.168.10.1 as gateway, and 192.168.10.2 for DNS, of
course they will pick this up from your server's DHCP service.

To me, this seems like a simpler setup. Here's a very rough diagram:

Internet ---> Router 1 ---> Wireless clients
                       ---> Router 2 ---> Server
                                     ---> Internal LAN

Best of luck,
Eric

(sorry I can't help with the VPN stuff, I don't know much about that)
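Two of the rules in this thread can be checked mechanically: James's point that a host's default gateway has to be an address on the host's own subnet, and the two-router plan Eric lays out, where Router 2's WAN address must sit on Router 1's LAN and the two LAN subnets must not overlap. The following is an added example written for this thread, not code from any of the posters; it uses Python's standard ipaddress module, encodes the addresses posted above as constructed data, and leaves the DHCP range on Eric's internal segment unset because his post does not give one:

```python
"""Sanity-check a small-office IP addressing plan (added example; the plans
below are built from the addresses posted in this thread, not from any device)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One broadcast domain: its subnet, the default gateway its hosts use,
    an optional DHCP range and the statically assigned hosts on it."""
    name: str
    network: str                                  # e.g. "192.168.10.0/24"
    gateway: str                                  # gateway handed to hosts
    dhcp_range: tuple = None                      # (first, last) or None
    statics: dict = field(default_factory=dict)   # host name -> address


def check_segment(seg):
    """Return the problems found in one segment (an empty list means OK)."""
    problems = []
    net = ipaddress.ip_network(seg.network)
    gw = ipaddress.ip_address(seg.gateway)
    # The gateway must be on the hosts' own subnet: a 10.0.0.x client has no
    # way to reach 192.168.1.1 directly, so it can never use it as a gateway.
    if gw not in net:
        problems.append(f"{seg.name}: gateway {gw} is not inside {net}")
    lo = hi = None
    if seg.dhcp_range:
        lo, hi = (ipaddress.ip_address(a) for a in seg.dhcp_range)
        if lo not in net or hi not in net:
            problems.append(f"{seg.name}: DHCP range {lo}-{hi} leaves {net}")
    seen = {}
    for host, addr_s in seg.statics.items():
        addr = ipaddress.ip_address(addr_s)
        if addr not in net:
            problems.append(f"{seg.name}: {host} {addr} is not inside {net}")
        if lo is not None and lo <= addr <= hi:
            problems.append(f"{seg.name}: static {host} {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{seg.name}: {host} and {seen[addr]} both use {addr}")
        seen[addr] = host
    return problems


def check_plan(segments):
    """Check each segment, then make sure no two segments share address
    space (a router facing overlapping subnets cannot tell them apart)."""
    problems = [p for seg in segments for p in check_segment(seg)]
    nets = [(s.name, ipaddress.ip_network(s.network)) for s in segments]
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} and {n2} overlap ({net1} / {net2})")
    return problems


def tom_current_plan():
    """Tom's posted layout: VM3 routes between the Linksys side and the LAN."""
    return [
        Segment("router side", "192.168.1.0/24", "192.168.1.1",
                statics={"router": "192.168.1.1", "host NIC": "192.168.1.13",
                         "VM3 public": "192.168.1.14"}),
        Segment("LAN", "10.0.0.0/24", "10.0.0.14",
                dhcp_range=("10.0.0.100", "10.0.0.199"),
                statics={"host NIC": "10.0.0.13", "VM3 private": "10.0.0.14",
                         "VM1": "10.0.0.15", "VM2": "10.0.0.12"}),
    ]


def tom_question_plan():
    """Tom's question: keep clients on 10.0.0.x but point them at 192.168.1.1."""
    plan = tom_current_plan()
    plan[1].gateway = "192.168.1.1"
    return plan


def eric_plan():
    """Eric's two-router layout; internal DHCP range left unset (not posted)."""
    return [
        Segment("guest wireless", "192.168.1.0/24", "192.168.1.1",
                dhcp_range=("192.168.1.10", "192.168.1.254"),
                statics={"Router 1 LAN": "192.168.1.1", "Router 2 WAN": "192.168.1.2"}),
        Segment("internal LAN", "192.168.10.0/24", "192.168.10.1",
                statics={"Router 2 LAN": "192.168.10.1", "server": "192.168.10.2"}),
    ]


if __name__ == "__main__":
    for label, plan in [("Tom, as posted", tom_current_plan()),
                        ("Tom, gateway 192.168.1.1", tom_question_plan()),
                        ("Eric", eric_plan())]:
        print(label, "->", check_plan(plan) or "no problems found")
```

Run as-is, the script reports no problems for Tom's posted layout and for Eric's plan, and exactly one problem for the variant Tom asked about (the 10.0.0.x clients handed 192.168.1.1 as their gateway). Segments are kept as plain data so a plan can be edited and re-checked before anything is typed into a router.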

"Tom M" wrote:

> Hello all,
>
> I have setup a working network for my church, but I'm second-guessing
> the schema that I'm using. I would very much appreciate your thoughts
> on this. But a caveat first: our budget is limited, so while I know
> we do a lot more in terms of security with better equipment... for
> now, we have what we have. So here's the hardware I have:
>
> Servers: One box running Server 2008 Enterprse (Core) with 3 vm's.
> The host machine is running only Hyper-V. 2 NIC's are installed. VM1
> is primary DC, DHCP; VM2 is backup DC, file server; VM3 is RRAS, print
> server.
> Networking: we have one public IP and a cable modem. One router
> (Linksys BEFSX41) as the gateway. A few basic switches.
> Wireless: 4 WAP's. DHCP is turned off; set up as RADIUS clients,
> authenticating to the domain.
> Clients: mostly XP Pro, one Mac OSX 10.4 (don't ask), one Vista
> Business
>
> Stuff I'd like to have ASAP but have not yet implemented:
> - VPN - Allow at least one user to VPN into the network (I say at
> least 1 because I'm not sure if that's all our router will allow).
> - Wireless DMZ -- Allows guests to have wireless access to the
> Internet but not access the network.
>
> The current setup:
> - Router IP: 192.168.1.1
> - Switch is not plugged into the router. I am keeping the LAN
> separate from the router as a security measure.
> - One NIC from the server is plugged into the router (192.168.1.13);
> the other is plugged into the switch (10.0.0.13).
> VM3 is acting as a router so that network clients can access the
> Internet. It has two NIC's (192.168.1.14 and 10.0.0.14)
> - VM1 (10.0.0.15) and VM2 (10.0.0.12) have static IP's.
> - DHCP assigns 10.0.0.100-199, gateway 10.0.0.14 (VM3), DNS
> 10.0.0.15/12 (VM1 and 2).
> - All static network clients (servers) have 10.0.0.14 (VM3) as their
> gateway.
>
> Problems:
> - Internet connection for clients is dog-slow. This prompted my post
> here -- http://social.technet.microsoft.com/...-01713c1212a7/
> -- because I thought it was maybe Hyper-V related. It is a somewhat,
> but that discussion has led me to re-think the network topology.
> - Not sure how to implement VPN, which I'm itchin' to get running.
>
> What I'm thinking:
> - Plug the switch into the router directly. According to that post,
> it's not really buying me the security I thought it was.
> - Remove NAT from VM3. Client gateways will be the router instead of
> the server.
>
> Questions/concerns:
> - Should the router be on totally different subnet than the domain
> computers? Does it matter if the gateway IP for a 10.0.0.x network
> client is 192.168.1.1?
> - I've read it's good to have two NIC's for one's VPN server. I have
> that on VM3. But do I give it two 10.0.0.x IP's? One 192.168.1.x
> IP? Which one is the "Internet" NIC that RRAS prompts for? Or does
> it not matter?
> - Bearing in mind I'd like to have wireless DMZ, how does that affect
> IP address assignment for network devices? Does this force me to have
> a different subnet than the network for the gateway? Since Internet
> traffic for both DMZ and network clients will ultimately be going
> through the router.
>
> As you can tell, I'm a newbie, but I've gotten pretty far with this.
> If you have an IP address schema that you think works better than my
> 10.0.0.x and 192.168.1.x, I'm all ears (10.0.x.x? 192.168.x.x?).
> I've read a little on private subnets, but I've only absorbed so much.
>
> Again, your help is much appreciated.
>
> Thanks
> Tom
>
> Note: I have also posted this here:
> http://social.technet.microsoft.com/...5-11597b65810f
> But that board seems to be kind of slow.
>

 
Phillip Windell
      04-10-2009, 08:22 PM
Sounds overcomplicated to me.

Two simple thoughts sum it up.

1. Unless you have more than 254 Hosts there is no real point in more than
one subnet.

2. The Linksys BEFSX41 *IS* your Firewall,....the VPN Device and the
Firewall should usually be the same physical device in a small
network,...the BEFSX41 cannot do the VPN as far as I know,...so replace it
with something that can. It doesn't matter how bad they don't want to buy
anything,...reality is reality.

So you get a Firewall that is VPN capable and replace the Linksys with it.
Turn off the DHCP on it so that the Windows DHCP on the DC can do that job
and you are basically done. You will have to create user accounts on the VPN
Device so they can login to the connection. More elaborate Firewall/VPN
devices might use RADIUS or LDAP to leverage the Domain Accounts. I do not
see RRAS being a very good choice in this case.

An optional method to the VPN would be something like Logmein
Free(www.logmein.com). You won't use this with VPN,...you use it *instead*
of the VPN. You can try out Logmein Hamachi, it is kind of a blend of the
regular Logmein and a VPN concept.
https://secure.logmein.com/products/hamachi/vpn.asp . I have not tried
that, so if you download it and use it you will know more about it than I
do.

Other things you are not considering with the VM fascination.....
VM are irrelevant. It doesn't matter if a machine is "virtual" or
"physical",...it still all works the same. The only thing VMs mean in your
particular case is that a hardware failure wipes out your entire system in
one fell swoop rather than losing just one server on one physical machine.
The "plus" of VMs is the cost savings in hardware and electricity,...the VMs
(by themselves) are not fault tolerant and are in some ways much more
dangerous in disasters,...particularly if you aren't using a backup strategy
that can backup the VM Images while they are actively in use.

Corporate Enterprise Virtualization is not done the way you are doing
it,...it still uses a lot of hardware, but just less than it would use
without virtualization. Most of the Virtualization Systems require SANs
that cost as much as a cheap house or a new car.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 