Network design for two organizations in one building with some shared devices

2

A church & school that share a building have until now "co-existed" from a networking perspective... one ISP, one firewall/UTM, but generally have had separate L2 switches & end-user devices. We need to separate. A second ISP connection and a second firewall have been deployed. I'm now trying to restore the ability to share certain things... in this case, our IP-based video security system.

The security system consists of... 2 stacked Cisco POE switches (one in main bldg, one in gym - connected by fiber - running in L2 mode), 32 IP cameras connected to and powered by the switches, and a QNAP NAS-based NVR with 4 network adaptors.

If users/devices on both networks need to access the NVR for monitoring security, what is the optimal setup? So far I have kept the security switch in L2 and connected to the church's firewall (set as default gateway), but then have a connection from the school's firewall to one of the network adaptors on the NVR.

Ideally I would like to use the switch in the gym (that is part of the security system) for more than just security cameras... especially for extending the church and school wifi coverage. Based on what I've been reading it seems I may need to change the security switches to L3 and do some port configuration to make this happen.

Would really appreciate some advice on this.

basic diagram

Administrator Account

Posted 2019-12-30T16:22:14.227

Reputation: 29

I would set the security system, the church, and the school each on their own separate subnet. Then grant access as needed (church to security system) and (school to security system) but don't allow (church to school). If there are file shares then set them up individually. Make sure all three groups are numbered differently. – Larryc – 2019-12-30T16:40:31.390

Looks like the USG 210 has two WAN ports. There you go... – Larryc – 2019-12-30T16:51:34.707

Both USGs have two WAN ports, and both use WAN1 for the ISP connection. Are you suggesting that I connect them to each other, or to the security switch? I'm just a self-taught volunteer when it comes to this. – Administrator Account – 2019-12-30T22:16:40.920

Answers

0

Sorry, my response was too long for the comments section. I would take one of the routers and tie both internet connections to the WAN ports. Make the Church its own separate network and connect it to one of the LAN ports, and do the same with the school network. You can then set up "rules" in the router that connect each network to its own internet source. Give the Church and the School networks different IP numbers (blocks).

You can then control the interactions between the two internal networks, what is allowed (files shares, etc...) and what is not allowed by setting up additional rules in the router. You can pretty much define anything you want to allow between the two networks and what you want to deny between them.

For the security system, I would also make it a separate network, and number it differently from the other two. Put it on a third LAN port and grant the church and school networks access to it as needed. I would specify in the rules that the church and school networks can both access the security network devices (as needed) but cannot interact with each other on that (security) network.

Another choice to think about would be to connect the church network and the school network to the WAN ports of the second router, and the Security network to one of the LAN ports of the second router. You can then define the rules for the two networks to access the security network on this second router. It might simplify the rules you have to establish.

I hope this makes sense, maybe I'll draw you up a graphic...

Anyway, I hope that helps. You have all the equipment you need, but you will need to get to know the routers and how to define the rules for them. Note that some manufacturers use different terms; Zyxel may not call them "rules", they might call them something else, but it's the same idea.

Good luck to you, I'd like to hear how it all shakes out in the end.

EDIT: Looks like the Zywall uses the term "policies" for what I refer to as "rules"

Larryc

Posted 2019-12-30T16:22:14.227

Reputation: 814
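The answer's plan (three subnets, explicit allows from church and school to the security network, an explicit deny between church and school, and per-network egress to its own ISP) is easy to get subtly wrong when the policy list is first-match. The block below is an added example, not anything from the thread or from Zyxel: it models that policy list in Python so the intended access matrix can be checked before it is typed into the firewall. The subnet blocks, the NVR address, the ports (443 for the NVR web UI, 554 for RTSP) and the rule names are all constructed for the example and are assumptions, not the site's real plan. It also narrows the answer's "access to the security network" to the NVR only, since the question only needs users to reach the NVR; the cameras themselves stay unreachable from either network.

```python
"""Model of the three-subnet firewall plan from the answer.

A first-match policy list is evaluated per flow (src, dst, dst port), and a
per-subnet egress rule picks the WAN interface.  All addresses, ports and
rule names below are constructed for this example (assumptions).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address plan: one block per zone, numbered differently as the
# answer advises.  Replace with the real blocks.
ZONES = {
    "church":   ipaddress.ip_network("10.10.0.0/24"),
    "school":   ipaddress.ip_network("10.20.0.0/24"),
    "security": ipaddress.ip_network("10.30.0.0/24"),
}
NVR = ipaddress.ip_address("10.30.0.10")   # constructed NVR address
NVR_PORTS = frozenset({443, 554})          # constructed: web UI and RTSP

# Which WAN each zone's internet traffic leaves on (the answer's "rules that
# connect each network to its own internet source").  The security zone uses
# the church's ISP, as in the question.
EGRESS = {"church": "WAN1", "school": "WAN2", "security": "WAN1"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                     # zone name or "*" for any
    dst_zone: str                     # zone name or "*" for any
    dst_hosts: Optional[frozenset]    # None = any host in dst_zone
    dst_ports: Optional[frozenset]    # None = any port
    action: str                       # "allow" or "deny"


# First-match list.  Order matters: the narrow allows to the NVR sit above the
# zone-wide denies, and the last rule denies anything not matched earlier
# (so camera-to-church, church-to-camera, etc. are all dropped).
POLICY = [
    Rule("church-to-nvr", "church", "security", frozenset({NVR}), NVR_PORTS, "allow"),
    Rule("school-to-nvr", "school", "security", frozenset({NVR}), NVR_PORTS, "allow"),
    Rule("church-school-isolation", "church", "school", None, None, "deny"),
    Rule("school-church-isolation", "school", "church", None, None, "deny"),
    Rule("default-deny", "*", "*", None, None, "deny"),
]


def zone_of(addr: ipaddress.IPv4Address) -> str:
    """Return the zone name containing addr, or 'unknown'."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the policy list and return (action, matching rule name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    for r in POLICY:
        if r.src_zone not in ("*", sz):
            continue
        if r.dst_zone not in ("*", dz):
            continue
        if r.dst_hosts is not None and d not in r.dst_hosts:
            continue
        if r.dst_ports is not None and dport not in r.dst_ports:
            continue
        return r.action, r.name
    return "deny", "implicit"          # defensive: never reached with POLICY above


def egress_wan(src: str) -> Optional[str]:
    """WAN interface a host's internet-bound traffic should leave on."""
    return EGRESS.get(zone_of(ipaddress.ip_address(src)))


def isolation_holds(sample_ports=(22, 80, 443, 445, 554)) -> bool:
    """True if no policy rule lets church and school talk to each other
    in either direction on any of the sampled ports."""
    church = str(ZONES["church"][5])
    school = str(ZONES["school"][5])
    for a, b in ((church, school), (school, church)):
        for p in sample_ports:
            if evaluate(a, b, p)[0] == "allow":
                return False
    return True


if __name__ == "__main__":
    for flow in (("10.10.0.5", str(NVR), 554), ("10.20.0.7", str(NVR), 443),
                 ("10.10.0.5", "10.20.0.7", 445), ("10.10.0.5", "10.30.0.20", 80)):
        print(flow, "->", evaluate(*flow))
    print("church/school isolated:", isolation_holds())
```

The model only describes what the firewall can enforce; it assumes every packet between zones actually crosses the firewall. In the question's interim setup, the NVR has a second adapter cabled straight to the school's firewall, so the NVR is multi-homed across two networks and traffic between them can be forwarded by the NVR without ever seeing any policy. Putting the NVR on the security subnet only, with a single active adapter, is what makes the policy above meaningful.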

First, I really appreciate your time & input. What you describe in the first scenario is essentially how we had it before... one router/firewall, church on LAN1, school on LAN2, a bunch of rules about who can do what... albeit with just one internet connection and the security stuff part of LAN1. Because of (mostly) technical conflicts that arose we felt the need to separate further, and not continue to share... especially when it comes to the firewall. I see how the second internet connection with just one firewall would be good for redundancy, but it doesn't really address all our issues. – Administrator Account – 2019-12-31T15:45:50.780

I'm not quite sure I understand the second option. – Administrator Account – 2019-12-31T15:50:52.267