Guest access on top of small business server 2011 as DHCP

post #1 of 10
Thread Starter 
Hopefully this is the right place for this question. We're going to a domain setup with Small Business Server 2011 as the OS, and it likes to act as the DHCP, but we'd also like to have two access points act as both a regular wireless network (easy enough - just going to use two wireless routers acting in switch mode with DHCP turned off) and as a guest network (some routers offer guest access or guest zone). Both routers would be configured the same to allow cross-over when walking throughout the office.

The issue I'm imagining is that these features (the guest access) work by setting up a second IP range and isolating them from the rest of the network aside from the internet (probably just port 80), but the big question is, how can I allow guest access AND have the DHCP servers on the routers turned off?

Or can I have three different IP ranges? One for the LAN on the server, one for regular wireless, and a third for guest access?

Thanks for any help.
post #2 of 10
If I remember correctly, assign your router an IP address from the DHCP server. Then in the router settings set the range of that IP you want to assign to users.

So your server would hand out 192.168.30.10

You would then set in the router to get the DHCP server from that IP address

This is what I'm thinking of on a Linksys router

    
post #3 of 10
You can use 802.1x for your wireless clients. I'd love to explain it to you, but to be fair it's a chore to implement. I've never got it working. When users authenticate their credentials the authenticator will push down dynamic policies for VLAN association, IP address, ACL, etc. Getting that configured on top of using ESS wifi would be a nightmare...
post #4 of 10
Thread Starter 
First, thank you both for your replies. I'm slowly getting a better handle on the larger networking picture and searchable terms are gold.
Second, it seems that there are more options available than I originally thought. We also have a Cisco smart switch that supports some VLAN functionality and a SonicWall firewall (unfortunately a dead end until we upgrade) that make me pretty confident that this can be done in one way or another. Though I've pretty much given up on avoiding a dedicated router, we already have a spare 802.11g and three lines running to where it would go (only one is currently used, but we're going to run a 4th for Cat6). So it wouldn't cost a dime to separate them and shrink the headache.

The firewall doesn't support DMZ (OPT for SonicWall), but we may trade up this one for a model that does since this is now a legacy product.

If you read or respond to only one thing, this is what I still need help on. I'd like to create a new VLAN that is separate from the rest of the network and only has access to the internet, but I'm unfamiliar with all the terms involved.
We have a Cisco SG 200-26 smart switch (manual) and I'd like some help setting this up.

Thank you.
post #5 of 10
The best solution would be what scottsee had mentioned, implement 802.1x/NAC. It is not that difficult to implement if you have or are a Networking Professional. What is required is a Cisco ACS Server for TACACS+/RADIUS authentication for your user base and the Cisco NAC appliance which will move guests to a guest VLAN. Another benefit of this solution is that you will be able to maintain a baseline config on all workstations throughout the network. If you do not have a decent backbone in place I would not recommend attempting this.
post #6 of 10
I don't have any experience with those devices. GUI configuration scares me, I can never find what I'm looking for. It looks like a nice little small business switch.

Generally speaking you'll want to do a few things:

Move the management interface to a VLAN other than its default VLAN 1. VLAN 1 is the default VLAN for all ports, and all broadcast and multicast traffic on VLAN 1 will cause the switch to process the packets just like PCs do. On busy networks that can cause the switch to work harder than it needs to. It's also a security issue for port-security though I'm not sure that switch even supports that feature. For best practice set up an out-of-band management VLAN.

I'd also suggest creating an additional VLAN and moving all of your active ports to it. That way if someone wants to plug a cable into a wall-jack they won't have access to the network unless you go into the management GUI and assign the respective port to your data VLAN.

As for your direct question about setting up a guest VLAN for only internet access you've got me stumped with that device. Your router will need to support dual interfaces or allow for sub-interfaces, or if you are connecting to a distribution multilayer switch upstream that can act as your default gateway.

What kind of router do you guys have?
post #7 of 10
Thread Starter 
That's really odd. I thought I had replied to bratas' last post already, but it doesn't seem to be here. Oh well.

I'm sorry to say that you've given me way too much credit (and this company I suppose). I'm nowhere near an IT professional and this is a small company with under 15 employees, which is why the guest access isn't a huge issue. Implementing a RADIUS server seems like overkill, and I've read that VLANs aren't the most secure, but with as few people that will be accessing it for as little time as they're here, that shouldn't be a worry.

Our setup is pretty straightforward with a SBS 2011 server (not in place yet, but will be the DHCP server), the Cisco SG 200-26 smart switch, and a Sonicwall TZ-180 firewall/router.

The router can't handle DMZ/OPT because it has the standard OS and it would be cheaper to just trade it in for a newer model (could be a possibility), but if it's possible to do this with the switch, all the better.

Could we have the majority of the ports in vlan1 (only have 19 ports active and it would actually cause more problems to not allow PnP), and keep the WAN and guest ports in vlan2 and vlan3 respectively?
If so, the problem now is that I don't know how to keep 1 and 3 separate and still allow both to access 2. Any ideas?

EDIT: It seems that a more appropriate use of VLANs would be to make only two VLANs (one with the majority+WAN and the other guest+WAN), but with the WAN being in both, would vlan1 communicate with vlan2 and vice versa?
Edited by tismon - 4/29/11 at 7:01am
post #8 of 10
What kind of router do you guys have?
post #9 of 10
Thread Starter 
Um...
Quote:
Originally Posted by tismon View Post
and a Sonicwall TZ-180 firewall/router.
post #10 of 10
I don't know how to configure those. Does that device support multiple layer 3 interfaces, or sub-interfaces with the support of 802.1q?

There are really only 3 ways of doing inter-VLAN routing. I briefly explained it in one of my posts above.
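The goal running through this thread (a guest VLAN that reaches the internet but none of the internal ranges) is enforced by the rule table on whichever device routes between the VLANs. The following is an added example, not part of any post and not SonicWall or Cisco configuration: a first-match rule model in Python that audits such a table and shows why "allow port 80 to anywhere" is weaker than "allow port 80 to the internet". The subnets, the gateway address, the rule format and the router-served guest DHCP/DNS are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan (assumption, not from the thread): one subnet per
# VLAN, each terminated on its own router interface or 802.1Q sub-interface.
ZONES = {
    "lan":   ip.ip_network("192.168.10.0/24"),   # wired LAN, server hands out DHCP
    "wlan":  ip.ip_network("192.168.20.0/24"),   # staff wireless
    "guest": ip.ip_network("192.168.30.0/24"),   # guest wireless
}
GUEST_GW = ip.ip_address("192.168.30.1")         # router's guest-side interface

# First-match rule table: (action, source zone, destination, protocol, port).
# Destination is a zone name, "internet", one address, or "any"; None = any port.
RULES = [
    ("allow", "guest", GUEST_GW, "udp", 67),     # DHCP renewals to the router (assumed)
    ("allow", "guest", GUEST_GW, "udp", 53),     # DNS forwarder on the router (assumed)
    ("deny",  "guest", "lan", "any", None),
    ("deny",  "guest", "wlan", "any", None),
    ("deny",  "guest", GUEST_GW, "any", None),   # no management UI from the guest side
    ("allow", "guest", "internet", "tcp", 80),
    ("allow", "guest", "internet", "tcp", 443),
    ("allow", "lan", "any", "any", None),
    ("allow", "wlan", "any", "any", None),
]
# Weak variant: an "any" destination placed first also matches internal web UIs.
WEAK = [("allow", "guest", "any", "tcp", 80)] + RULES

def zone_of(addr):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ip.ip_address(addr)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def decide(src, dst, proto, port, rules=RULES):
    """Return 'allow' or 'deny' for one flow; no matching rule means deny."""
    src_zone, dst_addr = zone_of(src), ip.ip_address(dst)
    for action, r_src, r_dst, r_proto, r_port in rules:
        dst_ok = r_dst == "any" or r_dst == dst_addr or r_dst == zone_of(dst_addr)
        if (r_src == src_zone and dst_ok and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "deny"

def audit(rules=RULES):
    """List guest-isolation violations: guest flows allowed into an internal zone."""
    probes = [("192.168.30.50", d, p, n) for d in ("192.168.10.2", "192.168.20.7")
              for p, n in (("tcp", 445), ("tcp", 3389), ("udp", 53), ("tcp", 80))]
    return [pr for pr in probes if decide(*pr, rules=rules) == "allow"]
```

`audit()` returns an empty list for `RULES` and two violations for `WEAK`; the model is stateless, so return traffic for LAN-initiated flows is not represented.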