
At one location we have a single server (also a DHCP server) and much less than 254 clients. Many are wired, but there are also a couple of wireless routers, which occasionally have their wired ports used too.

Right now the wireless routers have their own subnets (192.168.1.x and 192.168.2.x) and the main wired network is separate (10.0.10.x). It works for the most part, except that sometimes we'll have DNS issues (the main server acts as a DNS server just for the intranet web apps) and I don't think I've ever successfully connected to a client via remote desktop across the subnets, or to Wake-on-LAN one that's wired to one of the wireless routers.

I'd like to be able to Wake-on-LAN any machine if I want to remote into it from one spot in the building, and not have random DNS issues or things break when we plug in a new device. In short, I just want a cleaner setup.

Can all clients just be under the main wired subnet, 10.0.10.x? If so, how do I configure the two wireless routers with regards to DHCP? Is there a way for them to issue 10.0.10.x addresses to wireless clients, without giving out the same IP to two different clients? Is there a way to do this without some computer having to have a bridge service running?

Kev

4 Answers


The easiest way to set this up is to disable DHCP on the two wireless routers. Configure the wireless routers with static IP addresses on the LAN ports using the 10.0.10.0 subnet (IPs that aren't being used by DHCP or another device with a static IP). Set the WAN port for DHCP (or set it to another subnet that you'll never use).

Then unplug the cable from the WAN port on the wireless routers and plug it into one of the LAN ports. This will basically bypass all the routing function of the routers and turn them into access points. So your network will look something like this now.

10.0.10.1 - router to the Internet
10.0.10.2 - SBS server with DHCP enabled
10.0.10.3 - Wireless Router #1
10.0.10.4 - Wireless Router #2
10.0.10.100-10.0.10.200 - Workstations, servers, anything else that uses DHCP

Anyone using the wireless will need to get a new IP or reboot.

My office is setup this exact way.

mrdenny
  • +1 - Yeah, what he said. – Evan Anderson Oct 20 '09 at 20:16
  • +1 with a note - take security into account. Use encrypted password-protected wifi at least or anyone within shouting distance of your offices could get highway access to your intranet. Personally, i'd recommend keeping the wireless on a different subnet, routing it to the intranet through some kind of FW and limiting the access as much as possible without hurting usability. – V. Romanov Oct 20 '09 at 21:47
  • How does the separate subnet help? And doesn't forwarding through to the intranet negate any security benefit that would be had by a separate subnet? – Kev Oct 20 '09 at 21:55
  • Let the wifi routers provide DHCP on the wireless network and block all traffic and protocols from the wireless except those you need, to specific addresses. For example, where I work, the wireless has its own DHCP and subnet, and is set up so that it allows only HTTP access to our proxy server specifically. Thus all access to the intranet is blocked at the wifi router FW level. You could, of course, open up additional services as required. And if it's all too much of a hassle - just reminding you to keep it passworded :) – V. Romanov Oct 20 '09 at 22:09
  • @mrdenny: apparently I can't fully use this solution, as on at least one of the routers, plugging into one of the client ports instead of the WAN doesn't seem to work. The router configuration doesn't allow the WAN IP and LAN IP to be on the same subnet, so the closest I can seem to get is setting the LAN IP to 10.0.10.3 and then setting the WAN to use PPTP or something (dynamic could work, I suppose, except that it keeps trying to find a DHCP server forever.) – Kev Oct 20 '09 at 22:40
  • @Kev: You don't need IP addresses on the "WAN" ports. Set them to DHCP, stick a piece of tape over them, and pretend like the routers are really just access points. – Evan Anderson Oct 21 '09 at 01:23
  • I probably should have been more clear about that. I'll update my answer. Thanks @Evan. – mrdenny Oct 21 '09 at 01:56
  • @mrdenny: There's something vaguely funny to me about somebody worrying that two little routers are sitting around asking for the DHCP response that will never arrive. >smile – Evan Anderson Oct 21 '09 at 02:02
  • I think our router's bad. – Kev Oct 21 '09 at 16:24
  • What's the problem? – mrdenny Oct 21 '09 at 17:58
  • Well, even resetting to factory defaults, I could not get devices plugged into it to see the rest of the network, even by IP address, whereas doing the same earlier in the day with the same router, and now with a different router, works. – Kev Oct 21 '09 at 20:38
  • Sounds like bad timing. When you are plugged into it can you ping the inside IP of the router? I'd probably toss the router and replace it, just to be on the safe side. – mrdenny Oct 22 '09 at 05:38

Without getting into anything too fancy (for wireless in a business I'd recommend 802.1x with separate authenticated and unauthenticated client VLANS)...

I'd highly recommend splitting up your subnets. Even with all of the security, I don't like letting wireless clients have unrestricted access to your wired network, especially if there's anything other than desktops on it.

My recommendation (assuming you only need /24s):

10.0.0.0/24 - public servers, router, services boxes, etc. (maybe add desktops in here too)
10.0.1.0/24 - WAP 1 (bridging with security) and clients
10.0.2.0/24 - WAP 2 (bridging with security) and clients
10.0.4.0/24 - (if you want to separate client desktops from servers)

Have all of those subnets setup as VLANs. Set the switch port connected to your main router/firewall to trunk mode, setup the VLANs on your router, and set whatever rules you need to route/filter/firewall between the subnets (both between different subnets and subnets to the WAN). Good client separation, good security, room to grow.

As to DHCP, you'd disable it on the wireless APs (which would just be acting as bridges) and either multi-home your DHCP server on all of the subnets (probably not good as I have a feeling you're running Windows) or allow DHCP to be routed, or use dhcp relay/IP helpers.

Jason Antman
  • Thanks, but I'm confused. I only vaguely get what /24 means. I still don't understand how a separate subnet helps with security if you then route traffic between subnets. How do I switch to trunk mode? And your DHCP advice I'm really confused--if I'm going the AP route I thought that meant not having separate subnet; what's multi-homing? (and yes I'm running Win2k3 unfortunately); DHCP routing is my current setup that I find messy; and I don't understand the difference between that and "use dhcp relay/IP helpers." ... – Kev Oct 20 '09 at 22:32
  • That said, we have a firewall that could act as a DHCP server, but I don't think it has homing either. – Kev Oct 20 '09 at 22:41
  • Kev, If you're going to be doing network administration like this, I'd highly recommend picking up a good book on networking. I've found that most of the vendor material either is too difficult for beginners (Cisco) or totally ignores anything that isn't the vendor's chosen way of solving a problem (M$). I'd look at some of the O'Reilly books, especially Network Warrior. In the mean time, to try and answer your specific questions: /24 - look up CIDR in Wikipedia, it's a good article. Security - the idea is you also firewall between subnets. – Jason Antman Oct 21 '09 at 12:26
  • Setting a trunk port on a switch depends on what brand of switch and what OS. The APs can work in a separate subnet just as well as not. Multi-homing - having one host with interfaces on multiple networks. DHCP relay/IP helpers are more like a proxy for DHCP. Google dhcrelay, the Linux Man Page will explain the concept. And, alas, I've never even touched a Windows server knowingly, so I can't provide any advice on how to actually make these things happen in a Windows environment. Sorry. – Jason Antman Oct 21 '09 at 12:28
  • Thanks for the extra explanations. I'll try to get that Network Warrior, it sounds good. For now, I had already read the CIDR thing in Wikipedia, and so I was confused because having way less than 255 (more like < 25) clients, I wasn't sure what I'd need 24 bits for. – Kev Oct 21 '09 at 20:44
  • Well, what can it hurt? If anything, it makes it easier to visually separate the IP addresses. – Jason Antman Oct 22 '09 at 03:00
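The two DHCP designs argued over in the answers above (one flat segment where the AP's built-in DHCP must be switched off, versus per-WAP subnets with a DHCP relay / IP helper pointing at the one real server) are easy to confuse at the packet level, and Kev's question of how a client with no address reaches a server on another subnet is exactly what the relay solves. The following Python is an added example written for this page, not code from any of the answerers or from any real relay or server implementation. It builds and parses BOOTP/DHCP messages with the standard library only, shows what a relay does to a DISCOVER (sets giaddr, increments hops) and how a server uses giaddr to pick a scope, and includes the check a practitioner wants after converting routers to access points: more than one server identifier in the OFFERs on a segment means some box is still handing out leases. All addresses, the MAC and the transaction id are made up; the hop limit of 4 is a stand-in for whatever the real relay is configured with.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"         # DHCP magic cookie that follows the BOOTP header
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # the 236-byte fixed BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HOPS_OFF, GIADDR_OFF = 3, 24        # byte offsets of hops and giaddr in the header


def build_dhcp(op, xid, chaddr, options, hops=0, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Serialize a DHCP message; options is a list of (code, value bytes)."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,  # flags: broadcast bit set
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                        ipaddress.IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + bytes([OPT_END])


def parse_dhcp(data):
    """Decode the header fields that matter here plus the option TLVs."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, data[:236])
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # pad option carries no length byte
            i += 1
            continue
        length = data[i + 1]
        options[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "options": options}


def relay(frame, relay_ip, max_hops=4):
    """What an IP helper / dhcrelay does to a client broadcast before unicasting it
    to the real server (UDP addressing is left out here): stamp giaddr with its own
    address on the client-facing subnet, unless an earlier relay already did, and
    bump hops. Returns None past the hop limit so a forwarding loop dies."""
    msg = parse_dhcp(frame)
    if msg["hops"] >= max_hops:
        return None
    out = bytearray(frame)
    out[HOPS_OFF] = msg["hops"] + 1
    if msg["giaddr"] == "0.0.0.0":
        out[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)


def select_scope(msg, server_ip, scopes):
    """Server side: giaddr == 0 means the broadcast arrived on the server's own
    segment (the flat-network case); otherwise giaddr names the subnet the client
    is on, which is how one server serves several VLANs with one scope each."""
    anchor = ipaddress.IPv4Address(server_ip if msg["giaddr"] == "0.0.0.0" else msg["giaddr"])
    return next((net for net in scopes if anchor in net), None)


def dhcp_servers_seen(offers):
    """Distinct server identifiers (option 54) across a batch of DHCPOFFERs. On a
    flat segment this should be exactly one; a second value means something else
    (e.g. an AP with its built-in DHCP still on) is also handing out leases."""
    seen = set()
    for frame in offers:
        msg = parse_dhcp(frame)
        if msg["op"] == BOOTREPLY and msg["options"].get(OPT_MSG_TYPE) == bytes([DHCPOFFER]):
            sid = msg["options"].get(OPT_SERVER_ID)
            if sid:
                seen.add(str(ipaddress.IPv4Address(sid)))
    return seen


def demo():
    """Constructed sample traffic (addresses, MAC and xid are made up)."""
    scopes = [ipaddress.ip_network("10.0.10.0/24"), ipaddress.ip_network("10.0.1.0/24")]
    mac, xid = bytes.fromhex("0011223344ff"), 0x3903F326
    discover = build_dhcp(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    direct = parse_dhcp(discover)                      # heard on the server's own segment
    relayed = parse_dhcp(relay(discover, "10.0.1.1"))  # forwarded by a relay on the WAP subnet
    offers = [  # two OFFERs for one xid: the SBS server and a router still running DHCP
        build_dhcp(BOOTREPLY, xid, mac, [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                   (OPT_SERVER_ID, ipaddress.IPv4Address("10.0.10.2").packed)], yiaddr="10.0.10.100"),
        build_dhcp(BOOTREPLY, xid, mac, [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                   (OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.1").packed)], yiaddr="192.168.1.50"),
    ]
    return {"direct_scope": str(select_scope(direct, "10.0.10.2", scopes)),
            "relayed_scope": str(select_scope(relayed, "10.0.10.2", scopes)),
            "relayed_giaddr": relayed["giaddr"], "relayed_hops": relayed["hops"],
            "servers": sorted(dhcp_servers_seen(offers))}


if __name__ == "__main__":
    print(demo())
```

Running it shows the same DISCOVER landing in the 10.0.10.0/24 scope when heard directly and in the 10.0.1.0/24 scope when a relay at 10.0.1.1 forwards it, and `dhcp_servers_seen` reporting two servers for the constructed OFFERs, which is the symptom to look for (with a real capture) when an AP's DHCP was not actually disabled.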

It sounds like you'd rather have your wireless Ethernet clients just get DHCP from the LAN DHCP server, and ultimately just bridge the wireless media onto the wired media. You very likely only need the "wired to wireless" bridge and wireless access point functionality of your "wireless routers" and don't need any of the "router" functionality at all.

If it were my network, I'd connect the LAN ports of each of the "wireless routers" to the wired Ethernet LAN switch, disable the DHCP servers on each of the "wireless routers" and assign them each a static IP address in the 10.0.10.0/24 network and be good to go.

Put a piece of tape over the "WAN" ports on the "wireless routers" and never connect that port to anything again.

This is a pretty common way to use cheap router devices with wireless Ethernet as inexpensive wireless access points.

Evan Anderson

Where does your "main wired" network get its DHCP from? Do you have a DHCP server? If not, why not set one up, and have everything pull DHCP from that? That way it is responsible for giving out addresses, and you don't have to worry about the same one being given out twice.

kingfish
  • Oh yes, sorry, the main server is a DHCP server as well. However, how can a wireless client send a packet to a DHCP server besides the wireless router's built-in one without first having an IP address? Is that allowed? – Kev Oct 20 '09 at 20:04
  • If so, how do I tell it to do that? Just disable DHCP on the wireless router, and it'll forward DHCP requests to what it considers to be the WAN? – Kev Oct 20 '09 at 20:05
  • Sort of. See the two other answers for more info. They elaborated on the same idea. – kingfish Oct 20 '09 at 20:26
  • Well, thanks for the initial help anyway, +1. – Kev Oct 20 '09 at 21:03