Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Which router/firewall?

GDM

GDM

30 posts

Geek


#118995 16-May-2013 13:13
Send private message

So we have a Windows Server, an ADSL connection and a bunch of routers.

I want to arrange things so that we have essentially two grades of internet access. One grade available to wireless devices that are 'non-official' spads and sphones. The other grade is for authorised devices, laptops, wired pcs, sphones and spads.

Also, the unauthorised devices should not be able to see our LAN at all.

I was thinking of configuring a firewall router so that some of our wireless APs cannot see the network and have QoS on their internet access. See diagram below (if it shows up - fingers crossed!)
Is there a simpler solution? And which device is best for this arrangement? I was looking at a FVs318n, but I really want a throughput of more 100Mb/s for when (if) we get UFB,and at least 1Gb/s firewall (high packet throughput). We don't want to spend much more than $500 on the firewall.

BTW - most of this is existing, we have two SG300s as firewalls currently serving to two ADSL connections using gateways at the server. We are reducing to one ADSL connection...

Maybe you know a network pro who can configure this for us at a reasonable rate, otherwise any advice is great.



https://cdn.geekzone.co.nz/imagessubs/a2d8f7452d6da6ec16881c934a482fbc.jpg

Create new topic
bigal_nz
635 posts

Ultimate Geek
+1 received by user: 32
Inactive user


  #820627 16-May-2013 14:56
Send private message

Draytek have a product that will do this with Giga ports.

Not sure of model but snapper net will know.



theEd
341 posts

Ultimate Geek
+1 received by user: 26

Trusted

  #820694 16-May-2013 17:09
Send private message

bigal_nz: Draytek have a product that will do this with Giga ports.

Not sure of model but snapper net will know.


That'll be the Vigor2830 :)

GDM

GDM

30 posts

Geek


  #821172 17-May-2013 13:42
Send private message

Thanks, I've done some investigation of the Dray Tek


This is the statement in almost all Dray Tek Manuals:

"Virtual LAN function provides you a very convenient way to manage hosts by grouping them
based on the physical port. You can also manage the in/out rate of each port. Go to LAN page
and select VLAN. The following page will appear. Click Enable to invoke VLAN function."


But it doesn't then show HOW to 'manage the in/out rate of each port'.

Have you guys tried them?

I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?



nbroad
320 posts

Ultimate Geek
+1 received by user: 39


  #821181 17-May-2013 13:56
Send private message

Hi,

Whereabouts are you in NZ?

When you say SG300, you mean a Cisco 300 Series Managed Switch?  What are the exact models?

Cheers,
Nigel

theEd
341 posts

Ultimate Geek
+1 received by user: 26

Trusted

  #821224 17-May-2013 15:35
Send private message

nbroad: When you say SG300, you mean a Cisco 300 Series Managed Switch?  What are the exact models?


I'm assuming based on the mention of firewall that it's an old SnapGear 300.

GDM: But it doesn't then show HOW to 'manage the in/out rate of each port'.


As each VLAN will have its own IP range, you just create a bandwidth management rule for that whole range:


GDM: I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?


Can't really speak to each review without seeing it, but the 2830 has been tested to support 110Mbps NAT throughput which is faster than any internet connection you're likely to get so isn't really a problem.

If you have any more questions I'm happy to answer them :)

jaymz
1136 posts

Uber Geek
+1 received by user: 76


  #821242 17-May-2013 15:57
Send private message

With the Wireless clients that have no LAN access and limited WWW access, are these public devices that will be accessing the system?

Are they currently on a different subnet?

I ask this as one of the Fortinet Security Bundles will allow you to perform deeper web and application filtering as well as AV protection.

Aside from this, they will allow you to create different routes and firewall policies for each part of the network that will be running through the device.

The model will depend on the number of users that you have accessing the internet. but at a start i would suggest the Fortigate 60D - http://www.fortinet.com/products/fortigate/60D.html

Of course these are all out of your $500 budget, but looking at other options can never hurt. :)

Edit: the weblink buggered up...

 
 
 
 

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

GDM

GDM

30 posts

Geek


  #821262 17-May-2013 16:27
Send private message

theEd:
nbroad: When you say SG300, you mean a Cisco 300 Series Managed Switch?  What are the exact models?


I'm assuming based on the mention of firewall that it's an old SnapGear 300.

GDM: But it doesn't then show HOW to 'manage the in/out rate of each port'.


As each VLAN will have its own IP range, you just create a bandwidth management rule for that whole range:


GDM: I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?


Can't really speak to each review without seeing it, but the 2830 has been tested to support 110Mbps NAT throughput which is faster than any internet connection you're likely to get so isn't really a problem.

If you have any more questions I'm happy to answer them :)



Right, I get it. Yes - Snapgear 300.

I looked again at one of the reviews and they were talking about the wireless speeds... which is not important to me.

OK so it is IP managed, which should not be a problem for the non-LAN VLAN (if you see what I mean!) as it can assign IPs to connecting devices. The LAN side DHCP is the Windows server, but no restrictions are needed there.
This is sounding like a good solution!

GDM

GDM

30 posts

Geek


  #821266 17-May-2013 16:34
Send private message

jaymz: With the Wireless clients that have no LAN access and limited WWW access, are these public devices that will be accessing the system?

Are they currently on a different subnet?

I ask this as one of the Fortinet Security Bundles will allow you to perform deeper web and application filtering as well as AV protection.

Aside from this, they will allow you to create different routes and firewall policies for each part of the network that will be running through the device.

The model will depend on the number of users that you have accessing the internet. but at a start i would suggest the Fortigate 60D - http://www.fortinet.com/products/fortigate/60D.html

Of course these are all out of your $500 budget, but looking at other options can never hurt. :)

Edit: the weblink buggered up...



Yeah, that's a bit pricey, good specs - a bit beyond what we need.  This is a small school, but of course nowadays EVERY student has a sphone or spad, so every device coming through the door that has the ssid grabs an IP from our server (and  defaults to the slow connection). But that means all 'foreign' wireless devices are connecting to the internet via our LAN, on the wrong side of the firewall.

jaymz
1136 posts

Uber Geek
+1 received by user: 76


  #821272 17-May-2013 16:48
Send private message

GDM:
Yeah, that's a bit pricey, good specs - a bit beyond what we need.  This is a small school, but of course nowadays EVERY student has a sphone or spad, so every device coming through the door that has the ssid grabs an IP from our server (and  defaults to the slow connection). But that means all 'foreign' wireless devices are connecting to the internet via our LAN, on the wrong side of the firewall.


Yeah, they are expensive, but offer some really neat features that might be still useful to you.

With the wireless, even the entry level Fortigate's (Fortigate 20cWifi) will allow you to assign security profiles based on the type of device that is connecting.  From there you can restrict sites, and apply various security settings based on the type of device connecting.

You can also enable fun features like the ability to stop the connecting devices connecting to each other which will help stop the spread of any virus on the WiFi network.

You can also add in authentication either on the box, or via AD to track staff and student usage on the device.

If your budget could expand to it, you could have some real fun with the 100D and have custom block pages and web proxy caches (only because the 100D has a large amount of disk space for caching)

Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright