#367007 - 29/06/2016 20:42
Growing a network
carpal tunnel
Registered: 08/03/2000
Posts: 12344
Loc: Sterling, VA
I have a remedial understanding of networking. I'm learning new stuff all the time but I'm still at a low level. If it were networking college I feel like I've just finished my first 200-level courses, but I also feel like there might have been a 100-level or two I might have missed. Therefore I do frequently butt up against the limits of my knowledge, particularly when my clients spring things on me that I hadn't anticipated (sometimes that's my bad).
Take, for instance, a church I do work for. They have a bizarre, patchwork network that I've basically had to Frankenstein into existence. There's some good equipment, with a Ubiquiti Edgerouter and Unifi APs all over the place providing WiFi.
The problem is that this network was designed for the staff, but now I've been asked to bring WiFi to the sanctuary and public areas so that the congregation can get online as well. I have no problem setting up the guest network and portals (the Unifi system makes this very easy), but I'm just going to run out of IP addresses. Between the office computers, IP cameras, wireless APs, printers, and staff smartphones, I'd say that there's perhaps 40-80 available addresses in the DHCP range, depending on the day. Now, this might not be much of a problem because I doubt there will be many people connecting to this, at least at first. But I'd rather not count on that.
So the question is: how do I make more addresses?
I'm limited in several ways. I'm limited in how the network is physically laid out because there's a conduit running between the newer building where the equipment rack is and the older building where all the offices are. It's possible I could separate the wireless users from the wired, but most of the office is using the wireless at the moment. The router has two interfaces (I've only configured and used one at the moment), so it's pretty capable.
I can't imagine that we'd need more than one additional subnet, but I don't know how this works. Is that even the right thing to do? Should I split out devices as best I can across two subnets, giving me around 500 addresses to play with? Would devices be able to communicate across those subnets? What about netmask? I'm not even sure what that is...
As you can see, I'm a little lost at this level.
_________________________
Matt
#367008 - 29/06/2016 20:50
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Me no expert, but..
The "guest" network should be outward bound only. No access to the staff/servers internally. So it will be on its own subnet, supporting up to about 250 guests at a time using common router firmware.
The "staff" network probably needs to be bigger than 8 bits. So if you make it a /16 subnet, it can then handle up to 65000+ simultaneous IP addresses. The only question is, "can the existing DHCP server do that?" Common wifi router firmware is hardcoded to /8, so they probably cannot do it, or not with their default firmware.
So find out the limitations of the gear first.
Cheers
#367009 - 29/06/2016 20:55
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
You might be able to do it just by changing your netmask and DHCP range.
Say your router doing DHCP is on IP address 192.168.1.1 and the netmask is 255.255.255.0
That means that there are 253 addresses available, 256 - 1 for router - 1 for network (192.168.0.0) - 1 for broadcast (192.168.1.255).
If you just change the netmask to 255.255.0.0 you will suddenly have 256 times as many addresses. Your address range will run from 192.168.0.1 to 192.168.255.255
What you then need to do is extend the DHCP range
There are other ways of doing it, you could use the Unifi to split the congregation onto a different VLAN and have that on the 192.168.2.0/24 range, but that involves a router (and network switches) that understand VLANs.
_________________________
Remind me to change my signature to something more interesting someday
#367010 - 29/06/2016 20:56
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Next up, if both guest and staff subnets are to share the same physical wires, then the routers and switches have to have VLAN capability on the wired ports to keep them all separate. Otherwise security is trickier to achieve.
If VLAN capability isn't there, or isn't supported well enough, then separate physical cabling is likely to be needed for the two networks. That's how I do it here at home --> totally separate outside of the wifi access point.
I suppose it ought to be possible to put guest users on a VPN in lieu of VLANs, but that's likely to be difficult to set up, and most probably the wifi boxes lack that capability in the factory firmware.
#367011 - 29/06/2016 20:57
Re: Growing a network
[Re: andy]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
As Mark pointed out, some consumer routers might not let you extend the DHCP address range.
If you can have your router connected directly to the Unifis (or can replace the switches between them with VLAN capable ones), then one of Ubiquiti's routers might be a good idea for you. You could then have separate wifi networks, on different subnets.
_________________________
Remind me to change my signature to something more interesting someday
#367012 - 29/06/2016 20:59
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Heh.. I sense an echo in here!
Bowing out now, to andy's superior expertise in this area!
Cheers
#367013 - 29/06/2016 21:01
Re: Growing a network
[Re: mlord]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Hmm, I don't know about that... I'm about to start trying to explain VLANs and subnets when I'm three beers in, maybe it would be better to wait until the morning.
_________________________
Remind me to change my signature to something more interesting someday
#367014 - 29/06/2016 21:10
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Decreasing the IP address lease time on the DHCP server can also help. I've run into poorly configured DHCP servers a few times: they leased IPs for 24 hrs to WiFi users, rendering a 255.255.255.0 network practically too small because IPs were not yet available in the afternoon after users had actually left in the morning. Decreasing the lease time to 10 minutes helped greatly. Of course, you need to configure this to your needs.
Just one thing to consider.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
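The effect Taym describes can be put into numbers. The following is an added example, not code from the thread: it models how long a DHCP lease outlives the device that took it (clients renew at half the lease time while they are present, the RFC 2131 default, so a lease lapses up to one full lease time after the device leaves) and counts the peak number of leases held at once across a day. The two services, their head counts and times are constructed for the illustration; the 253-address pool is andy's /24 figure from earlier in the thread.

```python
from dataclasses import dataclass

USABLE_24 = 253  # andy's figure: 256 minus network, broadcast and router addresses


@dataclass(frozen=True)
class Visit:
    arrive: int  # minutes since midnight
    leave: int


def lease_expiry(visit, lease_min):
    """Minute at which this client's lease finally lapses.

    A DHCP client renews at T1 = lease/2 (RFC 2131 default) for as long as it
    is present, so the last renewal is the latest arrive + k*T1 strictly before
    it leaves; the lease then lives on for a full lease time after that.
    """
    assert lease_min >= 2 and visit.leave > visit.arrive
    t1 = lease_min // 2
    renewals = (visit.leave - visit.arrive - 1) // t1
    last_renew = visit.arrive + renewals * t1
    return last_renew + lease_min


def peak_leases(visits, lease_min):
    """Largest number of leases held simultaneously over the day (sweep line)."""
    events = []
    for v in visits:
        events.append((v.arrive, +1))
        events.append((lease_expiry(v, lease_min), -1))
    events.sort()  # at equal times (-1) sorts before (+1): an expiry frees first
    held = peak = 0
    for _, delta in events:
        held += delta
        peak = max(peak, held)
    return peak


def pool_exhausted(visits, lease_min, pool_size=USABLE_24):
    """True if at some point more leases are held than the pool can supply."""
    return peak_leases(visits, lease_min) > pool_size


# Constructed Sunday (not data from the thread): 150 phones at a 9:00-11:00
# service, then 150 different phones at a 14:00-16:00 event.
MORNING = [Visit(9 * 60, 11 * 60)] * 150
AFTERNOON = [Visit(14 * 60, 16 * 60)] * 150
SUNDAY = MORNING + AFTERNOON

if __name__ == "__main__":
    for lease in (24 * 60, 8 * 60, 60, 10):
        print(f"lease {lease:5d} min: peak leases {peak_leases(SUNDAY, lease):3d},"
              f" exhausted={pool_exhausted(SUNDAY, lease)}")
```

With a 24-hour lease the 150 morning leases are still held when the afternoon crowd arrives, so the /24 pool is over-subscribed even though no more than 150 devices were ever present; with a 10-minute lease the morning leases are gone by 11:05. Very short leases do raise the renewal traffic the DHCP server has to handle, which is the "configure this to your needs" trade-off.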
#367015 - 29/06/2016 22:14
Re: Growing a network
[Re: Dignan]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
And, of course, the 172.16... and 10... private subnets have lots of addresses.
-jk
#367022 - 30/06/2016 15:03
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 08/03/2000
Posts: 12344
Loc: Sterling, VA
Thanks guys. As far as I know, the Ubiquiti Edgerouter is capable of a /16 subnet, so that might be the easiest solution. I believe the router and APs are also capable of VLANs, but I know the switches are not.
I guess I need to look into how the guest network is created on those Unifi APs. I was under the impression that it did all the client isolation for me already, giving out web access only, and I wouldn't have to tell it to block a certain subnet.
So when it's a /16 subnet, a device at 192.168.1.64 could talk to another device at 192.168.3.37 with no problems? That seems like the way to go to solve the DHCP issue, but it seems I have a little more work to do on security.
For sure, a VLAN would be the way to go, if necessary. Wouldn't physically separate networks also require their own APs, effectively doubling the number of APs they have now? I need staff and guest wifi in all areas. That's why a VLAN seems the better way to go, but I'm not sure if I can create a VLAN for the guest network only, or if it applies to the whole AP...
Looks like I have a lot of research to do. Thanks so much for the lessons you've given me so far!
_________________________
Matt
#367024 - 30/06/2016 16:48
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 20/12/1999
Posts: 31602
Loc: Seattle, WA
> So when it's a /16 subnet, a device at 192.168.1.64 could talk to another device at 192.168.3.37 with no problems?

Yes, but only if both devices also have a subnet (netmask) setting to match. For example, if you had any devices on the LAN which you had configured with fixed IP settings instead of dynamic, then those likely have the older, more restrictive subnet/netmask setting, and they won't talk to the wider network until you've gone in and changed them to the new settings.
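The netmask arithmetic from andy's earlier post and the stale-static-device problem Tony raises here, as an added example that is not part of the thread. It uses only Python's standard `ipaddress` module: one function counts what a DHCP pool can hand out on a prefix, one shows how a host decides whether a destination is on-link (it ARPs directly) or must go via the gateway, and one audits an inventory of statically configured devices against the new LAN prefix. The device inventory and the router address 192.168.1.1 are assumptions for the illustration.

```python
import ipaddress

ROUTER = "192.168.1.1"  # andy's example router address; assumed as default gateway


def usable_hosts(cidr):
    """Addresses a DHCP pool could hand out on this prefix, after removing the
    network address, the broadcast address and one address for the router."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 3


def next_hop(src_ip, src_mask, dst_ip, gateway=ROUTER):
    """How a host configured with (src_ip, src_mask) sends to dst_ip:
    'direct' if the host's own mask puts dst_ip on-link (it will ARP for it),
    otherwise the gateway it hands the packet to. The mask is the sender's,
    not the router's, which is why mismatched static devices misbehave."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else gateway


def stale_mask_report(devices, lan_cidr):
    """Return (name, network-as-configured) for every device whose fixed IP
    settings no longer describe the LAN prefix the router now uses.
    devices: iterable of (name, ip, dotted-mask)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [(name, str(ipaddress.ip_interface(f"{ip}/{mask}").network))
            for name, ip, mask in devices
            if ipaddress.ip_interface(f"{ip}/{mask}").network != lan]


# Constructed inventory of fixed-IP devices (assumption, not from the thread).
STATIC_DEVICES = [
    ("printer-office", "192.168.1.20", "255.255.255.0"),
    ("camera-lobby", "192.168.1.40", "255.255.255.0"),
    ("edgerouter", "192.168.1.1", "255.255.0.0"),
]

if __name__ == "__main__":
    print("/24 pool:", usable_hosts("192.168.1.0/24"), "/16 pool:", usable_hosts("192.168.0.0/16"))
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(f"192.168.1.64/{mask} -> 192.168.3.37 via", next_hop("192.168.1.64", mask, "192.168.3.37"))
    for name, net in stale_mask_report(STATIC_DEVICES, "192.168.0.0/16"):
        print(f"fix {name}: still configured for {net}")
```

The second loop is the point of Tony's post: the same 192.168.1.64 reaches 192.168.3.37 directly with a /16 mask, but with the old /24 mask it hands the packet to the router instead, and a statically configured printer or camera keeps doing that until someone edits its mask by hand. Running the audit over the device list before widening the mask tells you which boxes need a visit.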
#367029 - 30/06/2016 17:58
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
> Thanks guys. As far as I know, the Ubiquiti Edgerouter is capable of a /16 subnet, so that might be the easiest solution. I believe the router and APs are also capable of VLANs, but I know the switches are not.

The Edgerouter is pretty capable. VLAN-enabled switches aren't expensive nowadays; I've got some cheap TP-Link ones that work well.

> I guess I need to look into how the guest network is created on those Unifi APs. I was under the impression that it did all the client isolation for me already, giving out web access only, and I wouldn't have to tell it to block a certain subnet.

I can't remember exactly what the guest stuff does, I know you can block subnets with it. But that is unlikely to help you unless you can separate your wifi users onto separate subnets in the first place.

> So when it's a /16 subnet, a device at 192.168.1.64 could talk to another device at 192.168.3.37 with no problems? That seems like the way to go to solve the DHCP issue, but it seems I have a little more work to do on security.

Yes.

> For sure, a VLAN would be the way to go, if necessary. Wouldn't physically separate networks also require their own APs, effectively doubling the number of APs they have now? I need staff and guest wifi in all areas. That's why a VLAN seems the better way to go, but I'm not sure if I can create a VLAN for the guest network only, or if it applies to the whole AP...

You can assign different VLANs to different wifi networks on the Unifi APs. You then use the Edgerouter to assign different DHCP ranges based on the VLAN. Then all your guest traffic is completely logically separated and you can use firewall rules on the Edgerouter that apply differently to the two categories of traffic. But only when you've upgraded your switches (it only needs to be the switches between the APs and the Edgerouter).
_________________________
Remind me to change my signature to something more interesting someday
#367043 - 01/07/2016 04:36
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 08/03/2000
Posts: 12344
Loc: Sterling, VA
This must be a dumb question, but why do the switches need to support VLAN? I'm just worried that it might not be possible. This Frankenstein network has a few small five port switches on it. It's awful...
_________________________
Matt
#367044 - 01/07/2016 05:57
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Because switches that don't support VLANs don't know how to forward the VLAN-tagged traffic without breaking the tagging. You need the APs to tag the traffic, as only the AP knows which wifi network a client is on. The router needs to see those tags if you want people on different subnets. All the switches it passes through between the two need to know about VLANs.
Any switches that aren't on the route from AP to router can stay as they are.
_________________________
Remind me to change my signature to something more interesting someday
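What the tag actually is, and what is lost when a box in the path does not preserve it, as an added example that is not from the thread. The code builds an Ethernet frame the way an AP does when a wifi network is mapped to a VLAN (an 802.1Q tag, TPID 0x8100 plus a 16-bit TCI carrying the 12-bit VLAN ID, inserted between the source MAC and the EtherType), parses it back, and models a router that sorts frames into staff or guest purely by that tag. The `untagging_switch` function is a model of one way a tag-unaware device can mangle the frame (real models variously strip, drop or pass tagged frames, so this is an assumption for the illustration); the VLAN IDs 10/20, their subnets and the MAC addresses and IP payload are likewise constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# VLAN plan assumed for the illustration (not from the thread).
VLANS = {10: ("staff", "192.168.1.0/24"), 20: ("guest", "192.168.2.0/24")}
NATIVE_VLAN = 10  # untagged frames on the trunk are treated as this VLAN


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id set, an 802.1Q tag (TPID + TCI) is
    inserted after the source MAC, as an AP does for a VLAN-mapped SSID."""
    frame = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP:3 DEI:1 VID:12
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a possibly tagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def untagging_switch(frame):
    """Model of a tag-unaware switch that re-emits the frame without the tag
    (assumption: other unmanaged switches may drop or pass it instead).
    The 4 tag bytes are removed, so the VLAN membership is gone."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def classify(frame):
    """Router side: which network a frame belongs to, judged only by its tag.
    Untagged frames fall into the native VLAN."""
    vid, _, _ = parse_frame(frame)
    name, _subnet = VLANS.get(NATIVE_VLAN if vid is None else vid, ("unknown", None))
    return name


# Constructed minimal IPv4 payload (version/IHL byte plus zero filler).
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16
GUEST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:01", PAYLOAD, vlan_id=20)
STAFF_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:02", PAYLOAD, vlan_id=10)

if __name__ == "__main__":
    for label, frame in (("guest", GUEST_FRAME), ("staff", STAFF_FRAME)):
        print(f"{label} frame via VLAN-aware path -> {classify(frame)};"
              f" via tag-unaware switch -> {classify(untagging_switch(frame))}")
```

Through a VLAN-aware path the guest broadcast is still recognisable as VLAN 20 when it reaches the EdgeRouter, so a firewall rule on that interface can keep it off the staff subnet. Once a switch in the path has dropped the tag, the same frame arrives untagged, is classified as the native (staff) VLAN, and nothing the router can inspect distinguishes it from a staff device; that is the same situation mlord describes, where a guest who hand-configures a 192.168.1.x address is simply on the staff LAN.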
#367052 - 01/07/2016 11:41
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
VLANs are a way of segregating traffic while sharing the same physical wires. The alternative is separate physical wires for each LAN (guest vs. staff).
If you don't do one of the above, then it is really easy for a user on the "guest LAN" to just reconfigure their own IP parameters to put themselves onto the staff LAN, ignoring what the DHCP server tells them to do.
It's a security thing.
#367068 - 01/07/2016 13:07
Re: Growing a network
[Re: Dignan]
carpal tunnel
Registered: 08/03/2000
Posts: 12344
Loc: Sterling, VA
I get that it's a security thing; I was wondering why the switches needed it too, and I see that now. Thanks, Andy. This is going to take some thinking. There are too many switches on this network at the moment, so I'm going to need to disable the guest network for now. I'm pretty sure that there's an AP on the network that, between it and the router, goes through four switches. It's a mess...
_________________________
Matt