GDM

Topic # 118995 16-May-2013 13:13

So we have a Windows Server, an ADSL connection and a bunch of routers.

I want to arrange things so that we have essentially two grades of internet access. One grade available to wireless devices that are 'non-official' spads and sphones. The other grade is for authorised devices, laptops, wired pcs, sphones and spads.

Also, the unauthorised devices should not be able to see our LAN at all.

I was thinking of configuring a firewall router so that some of our wireless APs cannot see the network and have QoS on their internet access. See diagram below (if it shows up - fingers crossed!)
Is there a simpler solution? And which device is best for this arrangement? I was looking at a FVS318N, but I really want a throughput of more than 100Mb/s for when (if) we get UFB, and at least 1Gb/s firewall (high packet throughput). We don't want to spend much more than $500 on the firewall.

BTW - most of this is existing, we have two SG300s as firewalls currently serving to two ADSL connections using gateways at the server. We are reducing to one ADSL connection...

Maybe you know a network pro who can configure this for us at a reasonable rate, otherwise any advice is great.



https://cdn.geekzone.co.nz/imagessubs/a2d8f7452d6da6ec16881c934a482fbc.jpg

  Reply # 820627 16-May-2013 14:56

Draytek have a product that will do this with Giga ports.

Not sure of model but snapper net will know.

  Reply # 820694 16-May-2013 17:09

bigal_nz: Draytek have a product that will do this with Giga ports.

Not sure of model but snapper net will know.


That'll be the Vigor2830 :)

GDM

  Reply # 821172 17-May-2013 13:42

Thanks, I've done some investigation of the Dray Tek.


This is the statement in almost all Dray Tek Manuals:

"Virtual LAN function provides you a very convenient way to manage hosts by grouping them
based on the physical port. You can also manage the in/out rate of each port. Go to LAN page
and select VLAN. The following page will appear. Click Enable to invoke VLAN function."


But it doesn't then show HOW to 'manage the in/out rate of each port'.

Have you guys tried them?

I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?




  Reply # 821181 17-May-2013 13:56

Hi,

Whereabouts are you in NZ?

When you say SG300, you mean a Cisco 300 Series Managed Switch?  What are the exact models?

Cheers,
Nigel

  Reply # 821224 17-May-2013 15:35

nbroad: When you say SG300, you mean a Cisco 300 Series Managed Switch? What are the exact models?


I'm assuming based on the mention of firewall that it's an old SnapGear 300.

GDM: But it doesn't then show HOW to 'manage the in/out rate of each port'.


As each VLAN will have its own IP range, you just create a bandwidth management rule for that whole range.


GDM: I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?


Can't really speak to each review without seeing it, but the 2830 has been tested to support 110Mbps NAT throughput, which is faster than any internet connection you're likely to get, so it isn't really a problem.

If you have any more questions I'm happy to answer them :)
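The arrangement discussed in this thread (one IP range per VLAN, a bandwidth rule applied to the whole guest range, and guest devices unable to reach the LAN) modelled as a small first-match policy. This is an added illustration, not code from the thread or from any DrayTek firmware; the subnets, the rate figures and the sample addresses are constructed, and it also shows why the guest-to-LAN deny rule has to come before the broad "guest to internet" allow.

```python
"""First-match policy model for a two-grade network: an authorised LAN VLAN
and a guest VLAN that may reach the internet (rate limited) but not the LAN.
Added illustration, not vendor code; all ranges and figures are constructed."""
from ipaddress import ip_address, ip_network

# Constructed example ranges: one subnet per VLAN, as the reply describes.
LAN = ip_network("192.168.1.0/24")       # authorised devices, server DHCP
GUEST = ip_network("192.168.10.0/24")    # guest VLAN, router-assigned DHCP
ANY = ip_network("0.0.0.0/0")            # catch-all destination (includes LAN)

# Bandwidth classes keyed by the whole VLAN range (constructed kbit/s figures):
# this is the "bandwidth management rule for that whole range" idea.
BANDWIDTH_KBPS = {GUEST: 2000, LAN: 100000}

# Rules evaluated top to bottom; the first match wins. The guest->LAN deny
# must precede the guest->anywhere allow, otherwise the catch-all shadows it.
RULES = [
    ("deny", GUEST, LAN),
    ("allow", GUEST, ANY),
    ("allow", LAN, ANY),   # authorised side is unrestricted, as the OP wants
]

def evaluate(src, dst, rules=RULES):
    """Return (verdict, kbps) for a flow; a flow matching no rule is denied."""
    s, d = ip_address(src), ip_address(dst)
    for verdict, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            if verdict == "deny":
                return "deny", 0
            return "allow", BANDWIDTH_KBPS[src_net]
    return "deny", 0

def isolation_holds(rules=RULES):
    """True if no guest host can reach any LAN host under these rules.
    Probes the first and last usable hosts of each range as representatives."""
    lan_hosts = [LAN.network_address + 1, LAN.broadcast_address - 1]
    guest_hosts = [GUEST.network_address + 1, GUEST.broadcast_address - 1]
    return all(evaluate(g, h, rules)[0] == "deny"
               for g in guest_hosts for h in lan_hosts)

# A misordered ruleset: the broad allow now sits above the deny and shadows it.
BAD_RULES = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    print(evaluate("192.168.10.50", "203.0.113.5"))    # ('allow', 2000)
    print(evaluate("192.168.10.50", "192.168.1.10"))   # ('deny', 0)
    print("ordered:", isolation_holds(), "misordered:", isolation_holds(BAD_RULES))
```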

  Reply # 821242 17-May-2013 15:57

With the Wireless clients that have no LAN access and limited WWW access, are these public devices that will be accessing the system?

Are they currently on a different subnet?

I ask this as one of the Fortinet Security Bundles will allow you to perform deeper web and application filtering as well as AV protection.

Aside from this, they will allow you to create different routes and firewall policies for each part of the network that will be running through the device.

The model will depend on the number of users that you have accessing the internet, but at a start I would suggest the Fortigate 60D - http://www.fortinet.com/products/fortigate/60D.html

Of course these are all out of your $500 budget, but looking at other options can never hurt. :)

Edit: the weblink buggered up...

GDM

  Reply # 821262 17-May-2013 16:27

theEd:
nbroad: When you say SG300, you mean a Cisco 300 Series Managed Switch? What are the exact models?


I'm assuming based on the mention of firewall that it's an old SnapGear 300.

GDM: But it doesn't then show HOW to 'manage the in/out rate of each port'.


As each VLAN will have its own IP range, you just create a bandwidth management rule for that whole range.


GDM: I've also noticed that the Dray Tek don't get great ratings for hardware - seems the throughput is a bit low?


Can't really speak to each review without seeing it, but the 2830 has been tested to support 110Mbps NAT throughput, which is faster than any internet connection you're likely to get, so it isn't really a problem.

If you have any more questions I'm happy to answer them :)



Right, I get it. Yes - Snapgear 300.

I looked again at one of the reviews and they were talking about the wireless speeds... which is not important to me.

OK so it is IP managed, which should not be a problem for the non-LAN VLAN (if you see what I mean!) as it can assign IPs to connecting devices. The LAN side DHCP is the Windows server, but no restrictions are needed there.
This is sounding like a good solution!

GDM

  Reply # 821266 17-May-2013 16:34

jaymz: With the Wireless clients that have no LAN access and limited WWW access, are these public devices that will be accessing the system?

Are they currently on a different subnet?

I ask this as one of the Fortinet Security Bundles will allow you to perform deeper web and application filtering as well as AV protection.

Aside from this, they will allow you to create different routes and firewall policies for each part of the network that will be running through the device.

The model will depend on the number of users that you have accessing the internet, but at a start I would suggest the Fortigate 60D - http://www.fortinet.com/products/fortigate/60D.html

Of course these are all out of your $500 budget, but looking at other options can never hurt. :)

Edit: the weblink buggered up...



Yeah, that's a bit pricey, good specs - a bit beyond what we need. This is a small school, but of course nowadays EVERY student has a sphone or spad, so every device coming through the door that has the SSID grabs an IP from our server (and defaults to the slow connection). But that means all 'foreign' wireless devices are connecting to the internet via our LAN, on the wrong side of the firewall.

  Reply # 821272 17-May-2013 16:48

GDM:
Yeah, that's a bit pricey, good specs - a bit beyond what we need. This is a small school, but of course nowadays EVERY student has a sphone or spad, so every device coming through the door that has the SSID grabs an IP from our server (and defaults to the slow connection). But that means all 'foreign' wireless devices are connecting to the internet via our LAN, on the wrong side of the firewall.


Yeah, they are expensive, but offer some really neat features that might be still useful to you.

With the wireless, even the entry level Fortigates (Fortigate 20cWifi) will allow you to assign security profiles based on the type of device that is connecting. From there you can restrict sites, and apply various security settings based on the type of device connecting.

You can also enable fun features like the ability to stop the connecting devices connecting to each other which will help stop the spread of any virus on the WiFi network.

You can also add in authentication either on the box, or via AD to track staff and student usage on the device.

If your budget could expand to it, you could have some real fun with the 100D and have custom block pages and web proxy caches (only because the 100D has a large amount of disk space for caching).

