A little help please with isolating my network...

connchri

Hello,

Right, I'm usually well clued up with networking (at least enough to get by), but before I go out and start buying hardware, I could do with someone who knows about networking to help me set up this network.

Right, the situation is this: I have an office at a business park, and they offer services, mainly heating, electricity (the usual), but this also includes internet access via the usual Cat5/6 port.

We have been using an old router (BT HomeHub3) purely as a hub, with WiFi, to connect all our computers and WiFi stuff (phones, laptop, etc.) to the internet. This works great, and it's been fine for now. Under this setup, all our IP addresses are given via DHCP from the site's IT services. As such, we have no control over IP addresses, nor are we able to segregate our network.

We've now grown to the point that we need an SQL database, and we've decided that since we've got our hands on an old HP Core 2 Duo based Xeon workstation (8GB ECC RAM, 5 HDDs in RAID 5 with battery-backed cache, etc.) with Windows 2012, we were going to use this as our server, to host virtual machines. (The database won't be getting hit with too many queries or transactions, so it'll cope fine in a CentOS or Debian VM.)

Here's the problem that I have. I want to completely segregate our internal network, so we have control over our own IP addresses and can isolate our computers from the site's IT network, yet still use it for internet access. As far as I understand, this would require setting up our own network, using our own IP scheme, and then getting access to the internet via their network by setting up a gateway with NAT or something or other.

The likelihood is that this will result in double NAT access to the internet. I don't foresee this as being a problem, as we primarily use the internet for HTTP traffic and e-mail.

So, can someone please point out, with the correct terminology (so I don't confuse myself) how I would go about setting up such a system? I've got a bit of money that I can spend on this, and countless routers, and spare PCs, that might be able to do such a thing. Or if someone can point me in the right direction, that would be great.
 
Before I reply and maybe miss the mark by a mile, is it possible to summarize what you're looking for like this?

"You want the servers and all internal phones, computers and other connected devices on one network with guests, employee cell phones and all the other random non-company equipment to be on another network" If so, I believe I have a solution for you as I once did something similar.
 
Hi Celegorm,

Not quite. We rent office space, and the owners supply internet access via a network that sprawls over the entire site. This internet access is provided to us simply by connecting our computers to their network, which they administer. What I want to do is create our own network, in our office, that is isolated from this site-wide network (which any other business that rents office space is connected to), yet I still want to use it for our internet connection.

My understanding is that I'll need some sort of gateway with NAT. The site's internet will already be through a NAT, as I'm sure it only has one external IP address.
 
That's set up like one of my friend's old apartments then, so what you want to do is quite doable.

Assuming the office doesn't have any kind of overly fancy setup, you can take their network and plug it into the WAN/Internet port on any router and use the router's wireless & LAN ports for your devices. The hard part might be hooking up all the hard-wired devices (if any) to your router instead of theirs. If there's any kind of master switch that all of your wall jacks go into, then you could insert your new router in between the switch and the rest of the office.

Does that make sense?
 
As simple as that...

I really thought there was more to it. Anyway, I'm not back in the office until the weekend, so I'll give it a go and give an update then.

Cheers.
 
What Celegorm said will work, yes: essentially just treat the site-wide network as 'the internet', i.e. an untrusted zone. Then connecting any router's WAN connection into this (provided it is a NAT router, which it will be in the UK if it's a SoHo style, e.g. a Home Hub) will give you the internal network you're after.

However, given the kind of setup you're describing and the level of control you'd want over the items in your network, I'd suggest going for something a bit more industrial. For example, the Astaro security gateway products are exceptional. They offer a free one bundled up as a software appliance and/or VM (see here: Free Astaro Security Gateway Essential Firewall edition available), and whilst it will take some configuration (which it should, because any networking kit which 'just works' is practically useless from a security standpoint), it should provide you with a huge amount of administrative power, security and robustness which you simply won't get from a SoHo router as your gateway.

Hope that helps,
Michael
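An added example, not from any poster in this thread, showing the two checks worth doing before the "plug the site network into the WAN port" plan goes live: the office LAN subnet must not overlap the subnet the site's DHCP hands out (a common failure with double NAT, since many SoHo routers default to the same 192.168.x.0/24), and the forward path from the site side into the office should be closed except for replies. The interface names, subnets and the idea of using a spare Linux PC as the gateway are assumptions for illustration; the rules are generated as text so they can be reviewed before being applied.

```python
"""Plan a NAT gateway between a landlord-supplied network and an isolated office LAN."""
import ipaddress

# Constructed sample values: the lease the site's DHCP gave the WAN port,
# and LAN subnets an off-the-shelf router is likely to default to.
SITE_WAN_LEASE = "192.168.1.37/24"
CANDIDATE_LANS = ["192.168.1.0/24", "192.168.0.0/24", "10.10.20.0/24"]


def pick_lan_subnet(wan_lease, candidates):
    """Return the first private candidate subnet that does not overlap the WAN network.

    If the LAN and WAN subnets overlap, the gateway cannot tell inside from
    outside and the double-NAT setup silently breaks for part of the address space.
    """
    wan_net = ipaddress.ip_interface(wan_lease).network
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=True)
        if net.is_private and not net.overlaps(wan_net):
            return str(net)
    raise ValueError("no non-overlapping private subnet among the candidates")


def gateway_rules(wan_if, lan_if, lan_subnet):
    """Build iptables rules for a Linux box acting as the office gateway (assumed setup).

    The site network is treated as untrusted: forwarding is default-deny,
    the LAN is masqueraded out of the WAN interface, and only replies to
    connections the LAN opened are allowed back in.
    """
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan_subnet} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {lan_subnet} -j MASQUERADE",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    lan = pick_lan_subnet(SITE_WAN_LEASE, CANDIDATE_LANS)
    print(f"# office LAN: {lan} (site side is {SITE_WAN_LEASE})")
    print("\n".join(gateway_rules("eth0", "eth1", lan)))
```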
 