
Network getting bigger. Need help!!!


nautme

Guest
I've got a small business that hosts some websites for friends and a couple companies (all free of charge) and I'm needing to add a dedicated server (or VM) to the network for some work stuff. Currently, we have one IP and everything goes through that, but I'd like to add more (for more servers). Also, the FVS318s we're using are killing our bandwidth (from 15mbps to 4mbps WAN to LAN to WAN to LAN), so I'd like to upgrade one or both of them.

The network, as it sits, is a Cable Modem (Zyxel I think) w/4 ports that connects to a FVS318. On that FVS318, there are two servers (one mail, one web) on a 10.10.10.X subnet and a connection to a second FVS318 (via its WAN port). The second FVS318 is our LAN and is connected to about 10 or so computers via a Dell PowerConnect switch on a 192.168.0.x subnet. Oh, and there's a NetGear wireless something or other connected to the switch, but we don't really use it often.

Anyway, my goals are to increase available bandwidth, add additional IP addresses, and keep as much security in place as possible. In the future, I may need to add a second internet connection for some redundancy, but that's not a priority now.

I welcome any suggestions (configuration or reading material). I've been a consistent user of NetGear products (except their support), but I'm open to whatever.

Thanks in advance!!!
 
According to the Router Charts, the FVS318 has around 7 Mbps of throughput. What is the bandwidth from your cable modem?

Why the second router?

Does the Dell switch have VLAN capability?
 
The cable modem is 15mbps in and 2mbps out. The first FVS318 is a v3 and drops the speed to around 8mbps. The second is a v1 and cuts the 8mbps to around 4mbps (I'm guessing the v1 must have a slower throughput).

I'm not the one who originally configured the network, but I believe the original design was to allow some traffic through the first router and not the second to keep the bulk of traffic out of the inner LAN and hopefully be a little more secure. The office expanded a couple years ago and the PowerConnects were added to handle the additional computers/LAN ports (we've got about 20 computers total, but only currently have 5 employees).

I'm pretty sure it's a PowerConnect 2124 (from memory) and I'm not too sure about the VLAN capabilities. Dell's documentation at http://docs.us.dell.com/support/edocs/network/0P263/en/ug/0p263e12.htm states the following:

The switch supports tag-based prioritization following the IEEE 802.1p standard. The eight levels of IEEE 802.1p priority are mapped to the four priority queues of each port. For each port, the four priority queues are scheduled following a Weighted Round Robin scheme.

NOTE: The IEEE 802.1p priority information is part of the IEEE 802.1q tag that also defines VLAN memberships. The switches will ignore the VLAN membership information in the tag (i.e. all ports are part of all VLANs), but will preserve the full tag information—including packet priority and VLAN ID—when transmitting the packet at the destination port.

That's the only information I can find about VLAN on the 2124. I don't have any experience with VLANs and actually just learned about them in researching this upgrade.
 
Thanks for the info. I was trying to determine whether the Dell switch was "smart" or managed. It isn't.

You might want to look at the Linksys RV042. Throughput is over 40 Mbps up and down and it has the ability to handle dual WAN ports or a dedicated DMZ port for your servers, or the ability to have two LAN segments to keep the servers and client machines separate.

Also has IPsec VPN capability, if you were considering that.
 
What I've been considering was the NetGear FVS336G. How does that compare with the RV042? Also, how/where do I connect what? I mean, do I simply connect the WAN port RV042/FVS336G to the cable modem? Will that give me access to all five IPs? I can connect the servers directly to the FVS336G, and then connect the 2124s to give me the rest of the network, but does the FVS336G support VLANs (the SNB review made no mention of it)? I'd like to keep my web servers off the internal lan/vlan. Am I going about things the wrong way?
 
What I've been considering was the NetGear FVS336G. How does that compare with the RV042?
They are about equal in routing speed. But the RV042 more closely meets your requirements for being able to keep servers and clients separate and handle multiple public IPs.

Also, how/where do I connect what? I mean, do I simply connect the WAN port RV042/FVS336G to the cable modem?
Basically, yes. Actually, the RV016 might be better. It has more ports and can support both dual (actually, up to 5 WAN ports) as well as a dedicated DMZ port for your servers.

Will that give me access to all five IPs?
The RV042 and RV016 both support one-to-one NAT, which lets you map public IP addresses to private (LAN) IP addresses. The FVS336G does not support multiple WAN IPs.

I can connect the servers directly to the FVS336G, and then connect the 2124s to give me the rest of the network, but does the FVS336G support VLANs (the SNB review made no mention of it)? I'd like to keep my web servers off the internal lan/vlan. Am I going about things the wrong way?
The FVS336G doesn't support VLANs nor does it support multiple LAN IP ranges.
If you have a router with a dedicated physical DMZ port, then anything connected to it will be separated from the LAN side machines. VLANs can provide separation a different way. Either would be fine.

I should note that the Linksys routers also support QoS both up and downlink. Very handy if you need to control bandwidth hogs.
 
Basically, yes. Actually, the RV016 might be better. It has more ports and can support both dual (actually, up to 5 WAN ports) as well as a dedicated DMZ port for your servers.

Is it not possible to run all the IP addresses through one port (on the RV016 or another box)? It seems odd to connect several patch cables to my cable modem simply to have multiple IP address running into my firewall/router. In looking at the RV016 documentation, it says "Do not include the Router's WAN IP Address" under Public Range Begin. Does this mean that if I get 5 addresses, the first will be used by the router and will be unusable to another machine (or would I just use NAT/Port Forwarding for that IP)?

VLANs can provide separation a different way. Either would be fine.

With a VLAN configuration, would that give my LAN connectivity to the Web/Mail server, but not the reverse?

Thanks for all your help!
 
Is it not possible to run all the IP addresses through one port (on the RV016 or another box)?
All you need is one port on the RV042 to handle multiple IPs from a single ISP. If you bring on a second ISP, then you'll need another WAN port.

With a VLAN configuration, would that give my LAN connectivity to the Web/Mail server, but not the reverse?
VLANs are a complicated subject. You can create a VLAN where the server(s) are separated from LAN traffic, but allow access to admin machines. See this article:
VLAN How To: Segmenting a small LAN

If you used the DMZ option in the Network Setup, I believe that you will not have access to the server private (LAN) IP from other LAN machines. (YeOldeStoneCat or anyone else with RV042 experience should jump in here) But you would be able to reach the server for admin via its public IP.
 
Gotcha on the ports. I read the VLAN article before I posted this question. I can't say that I followed the whole thing, but it did apply to the RV042 so if I go the RV016 or RV042 route, it should help out.

I called Linksys, trying to get more information and find out if they suggested the RV016 or something else for my configuration, and the guy I spoke with gave me the number to Cisco pre-sales. Fun.

In the VLAN article, it mentions the RV042 and the SRW2008 switch. Do I need a managed switch in addition to the RV016 (as I'd need more ports) or can I use my existing switches?

Also, Using the one-to-one NAT, does that expose all ports on the connected servers? Realistically, I'd only want to expose the ports needed (basically port 80 to multiple IPs).
 
You're getting pointed to Cisco because Linksys business products have been moved under that umbrella.
Cisco takes over Linksys Small-Biz biz http://www.smallnetbuilder.com/index.php?option=com_content&task=edit&id=30543&Itemid=52&Returnid=52

You may or may not need an additional managed switch depending on your network topology. For example, if you are ok with all ports on a switch uplinked to a port that is assigned to a VLAN being in the same VLAN, then the uplinked switch doesn't have to support VLANs.

One to One NAT does not expose all ports. That would be a DMZ. One-to-one allows multiple public IPs to be assigned to multiple ranges of private IP addresses. NAT firewall is still in effect for the ports in each NAT group.
 
Actually, they had me call Cisco because they said the RV016 wouldn't do what I wanted it to do, but it sounds like it does.

Everything plugged into the unmanaged switches would be on the same VLAN, so I think I'm fine there.

Thanks for all your help. I'll let you know how it comes out.
 
Load Balancing router

You should get a router that you can plug into DSL and cable at the same time.

2 ISPs. A lot of web cafes are using them.
 
Well, I finally got my router (they said it was on backorder) and I've got it all configured. I've got my web and mail servers on their own VLAN and the rest of the network on another (same subnet though). My throughput is above 12mbps down (up from 4mbps on the old LAN). I haven't added any additional IPs yet, but they're on the to-do list.

I've just got one question. Is it possible for devices on one VLAN to see another VLAN but not vice versa? I'd like to be able to see my web and mail servers internally, but I don't want them to see my LAN servers. I looked at the VLAN How To, but the RV016 doesn't have the same configuration screens (no Ports to VLAN menu), only a Port Management menu with the option of choosing a VLAN (1-13) for each port. In the How To, they configured the laptop to see both VLANs. Is that possible with the RV016? If not, could I put in some Access Rules in the Firewall that would let it go across the VLANs?

Thanks!
 
There might be a simple solution. It sounds like your cable modem is also a router.

If that is the case, connect one of the ports on the cable modem to the Dell switch, and connect your web and mail servers to the Dell switch.

Connect the WAN port on the RV016 to another port on the cable modem, and connect all your LAN servers to the RV016.

This solution should put the web and mail servers on one subnet and the LAN servers on another. The LAN servers should be able to access the web and mail servers, but will be protected by the RV016 firewall.

Good luck.
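
An added example, not part of any post in this thread and not RV016 code: a small Python model of the two behaviours discussed above, one-to-one NAT that still exposes only the ports an access rule allows, and one-way LAN-to-server access through connection tracking. The addresses, zone names and rule table are constructed, and it assumes the servers and the LAN sit on separate subnets so traffic between them is routed through the firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: documentation-range public IPs, thread-style private subnets.
ONE_TO_ONE = {"203.0.113.11": "10.10.10.11",   # public IP -> web server
              "203.0.113.12": "10.10.10.12"}   # public IP -> mail server
ZONES = {"dmz": ip_network("10.10.10.0/24"), "lan": ip_network("192.168.0.0/24")}

# Access rules as (source zone, destination zone, destination port; None = any port).
# Anything that matches no rule is dropped.
ALLOW = [("wan", "dmz", 80),     # the only port exposed through the one-to-one mapping
         ("lan", "dmz", None),   # LAN machines may open connections to the servers
         ("lan", "wan", None),
         ("dmz", "wan", None)]   # no ("dmz", "lan", ...) rule: servers cannot start toward the LAN

def zone_of(addr):
    """Name the zone an address belongs to; anything not private here is WAN."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "wan"

class Router:
    def __init__(self):
        self.flows = set()   # connection-tracking table of accepted flows

    def forward(self, src, sport, dst, dport):
        """Return (verdict, destination after NAT) for one packet."""
        dst = ONE_TO_ONE.get(dst, dst)   # one-to-one NAT rewrites the address, not the policy
        if (dst, dport, src, sport) in self.flows:
            return "accept", dst         # reply belonging to a flow accepted earlier
        for s, d, port in ALLOW:
            if (s, d) == (zone_of(src), zone_of(dst)) and port in (None, dport):
                self.flows.add((src, sport, dst, dport))
                return "accept", dst
        return "drop", dst

def demo():
    r = Router()
    return [r.forward("198.51.100.7", 40000, "203.0.113.11", 80),   # internet -> web, HTTP
            r.forward("198.51.100.7", 40001, "203.0.113.11", 22),   # internet -> web, SSH
            r.forward("192.168.0.20", 50000, "10.10.10.11", 22),    # LAN admin -> web server
            r.forward("10.10.10.11", 22, "192.168.0.20", 50000),    # server's reply to that admin
            r.forward("10.10.10.11", 33000, "192.168.0.20", 445)]   # server starts toward LAN

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is accepted only because the third created a tracked flow; the fifth, a new connection from the server side, matches no rule and is dropped.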
 
