
OK... my first network diagram. Help with devices and topology?

BCSteve

Regular Contributor
Here's my first attempt at making a diagram. Please note that this network doesn't really exist as shown (many of the components do, however). I'm trying to figure out how to accomplish my goals.

Overview: I have cable internet coming into our farmhouse. In an attempt to modernize things, I want computers out in the various outbuildings. 6 outbuildings in total, spread out over a few acres but with line of sight from each building to the house.
  1. Each building should have access to Internet
  2. Each building will have its own wifi SSID and its own network.
  3. No network should see the others. I mean I don't want people in an outbuilding to have access to files in another outbuilding or the house. We have seasonal workers that aren't exactly vetted for security. I'm not talking hacker-proof... just not easy access to files.
  4. EXCEPT: All buildings should have access to "server" in the house.
  5. Note: The diagram only shows 2 outbuildings (and only the bridge and router. I didn't bother adding whatever devices might be on them)
  6. Note: The diagram shows Linksys, but ignore that. None of the access points/bridges/routers have been purchased

I think I have it right that the house will have a WAP with an omnidirectional antenna on the room and each outbuilding will have a bridge with a directional antenna pointed at the house's Omni (right?). I guess what I'm not understanding are how to keep the subnets separate while also sharing access to the server.

Trying to learn :)

Thanks.

ps. I'd like it if someone can help me understand what ip addresses each of the devices might have. In particular, the WAP and bridges... as I don't really get how that works.
 

Attachment: proposed_network.jpg (31.5 KB)
I have a couple of questions. Are you planning on using separate SSDs on separate vlans? You will need wireless equipment to support this. Are you planning to use multiple NICs on your server for the separate vlans or are you going to use a router to route to the server? How do you plan to set up DHCP and DNS? Are you going to use a DHCP server on the server with separate scopes or are you going to use routers for DHCP? These are questions which will need to be answered to build this network.

I prefer using cable over wireless to connect buildings. You may get different opinions here.
 
I don't know what SSDs means. Vlans... I don't know. I figured just different subnets. I wasn't thinking about multiple NICs, no. Figured the routers would handle that, but I am not familiar with these things. I assumed DHCP was handled by the routers and DNS by the ISP.

I have a lot to learn!
 
Multiple networks can coexist on the same wire and switch but they will not see each other without a router to route the traffic between them. Once you turn on routing all the machines will see each other so you will need some kind of control in the router to block all traffic except for the server traffic so the machines can share the server but not see each other.

DHCP is broadcast traffic for one network or scope. If you are going to send DHCP traffic to another network from your central server you will need DHCP relay support in the routers for DHCP to work with different networks. If you use DHCP on separate routers the networks cannot exist on the same physical wire. The networks will need to be physically separate.
 
I'd just set up the WiFi routers in the outbuildings with their own networks and NAT. That would mean that clients connected to one of those routers could not be accessed from any other client, but they should still be able to access the server.

Think of it as that you are setting up your own internet service for the outbuildings (as if you were an ISP).

The only problem might be that the routers by default block the samba ports, not sure if samba works well through NAT (have never tried). But if the server is only supposed to be accessed using http and (s)ftp/scp there will be no problems.


(I think most of the people who have responded in the topic have not looked at the attached picture, because the diagram in the picture answers many of the questions.)
 
I think hiring a professional, and comparing a couple quotes might be the way to go.

So learning isn't allowed? For a site like this, advice like that is really the same as saying, "I don't know the answer or can't be bothered to help [so really I shouldn't have posted]"

But I guess it's a way to get your post count up ;)
 
I'd just set up the WiFi routers in the outbuildings with their own networks and NAT. That would mean that clients connected to one of those routers could not be accessed from any other client, but they should still be able to access the server.

Well, that's what I thought initially, but is it really that simple? Aren't they all on their own subnets then? I thought that then meant they couldn't access the server? The wireless bridges don't affect your suggestion?
 
you're losing me

As someone oh-so-kindly pointed out to me via pm... I wasn't very clear with this post.

I didn't mean "I don't know what a bridge is" or even "I don't know what level 2 means"... but rather, I'm not understanding the point you were trying to make. I *have* Google'd the definitions and several pages of explanations... but what may be obvious to some (ie. why it being a level 2 device gives some apparent answer) is, thus far, lost on me.

As I said... I'm trying to learn.
 
Trying again... here attached is another diagram.

I've added a VLAN enabled switch at the head, with the router-as-a-stick configuration. So I think that gives me the ability to logically segment my network for better control over who can see what, but I'm still unclear if it gets me where I need to be.

Here's what I think will happen:
  • Router A will provide (DHCP) addresses to "various wireless devices", "Server", "PC" as well as the WAN addresses for Routers B and C.
  • Similarly, Router B will provide (DHCP) addresses to the devices that are connected to it and same for Router C
  • That means I have 3 subnets, yes?
  • What I'm unclear on: can the devices on B/C now utilize the server? I can configure the VLAN such that the B/C router has access to the server, but does that extend to the devices attached to those routers? I'm guessing "yes"
  • I guess I'm presuming here that the AP and bridges are sort of invisible to all this, right? That's just basically forming a link the same as if a wire went from Router B [or C] directly to the switch? Although how's that work with the VLAN?? Now each of those routers (and 4 others when we expand this to my whole setup) is sharing a port on the switch. So now I'm confused again :(
 

Attachment: proposed_network.jpg (37.5 KB)
If it was me I would connect each building with copper on a separate vlan. I would create routing between the vlans for server access and then block all access to the other vlans with access lists on the router except for the server.

I would setup DHCP server on a Microsoft server with separate scopes for the different vlans. I would turn on DHCP relay to allow DHCP to work with different networks.

I would add a wireless access point to each building for separate wireless.

I think these are the basics to get this network working.
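
The inter-VLAN access-list idea from the post above, modeled as an added example (not code from any poster in this thread): it builds a first-match ACL and audits it against the original poster's goals of Internet for every building, no building-to-building access, and server access for all. The subnets, the server address 192.168.10.10, and the rule format are assumptions made for illustration.

```python
import ipaddress as ip

# Assumed addressing (not from the thread): house VLAN plus six outbuilding VLANs.
HOUSE = ip.ip_network("192.168.10.0/24")
SERVER = ip.ip_network("192.168.10.10/32")
INTERNAL = ip.ip_network("192.168.0.0/16")
ANY = ip.ip_network("0.0.0.0/0")
BUILDINGS = {f"bldg{n}": ip.ip_network(f"192.168.{20 + n}.0/24") for n in range(1, 7)}


def build_acl():
    """Ordered (action, src, dst) rules; the first match wins, so order matters."""
    rules = []
    for net in BUILDINGS.values():
        rules.append(("permit", net, SERVER))    # goal 4: every building reaches the server
        rules.append(("deny", net, INTERNAL))    # goal 3: no other internal network
        rules.append(("permit", net, ANY))       # goal 1: Internet access
    rules.append(("permit", HOUSE, ANY))         # house LAN is trusted; covers server replies
    return rules


def decide(rules, src, dst):
    """Action for a routed packet src -> dst; implicit deny if nothing matches."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def audit(rules):
    """Check the goals for one sample host per building; return a list of violations."""
    problems = []
    hosts = {name: str(net.network_address + 50) for name, net in BUILDINGS.items()}
    for name, host in hosts.items():
        if decide(rules, host, "192.168.10.10") != "permit":
            problems.append(f"{name} cannot reach server")
        if decide(rules, host, "203.0.113.5") != "permit":   # documentation-range address
            problems.append(f"{name} has no Internet")
        if decide(rules, host, "192.168.10.20") != "deny":   # constructed house PC
            problems.append(f"{name} can reach house PC")
        for other, other_host in hosts.items():
            if other != name and decide(rules, host, other_host) != "deny":
                problems.append(f"{name} can reach {other}")
    return problems
```

`audit(build_acl())` returns an empty list; removing the deny rules makes it report every building pair, which is the "once you turn on routing all the machines will see each other" case described earlier in the thread.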
 
I think hiring a professional, and comparing a couple quotes might be the way to go.

Family farm, I'd say let us freebies help.
Hotel, Motel, Small Biz, get a pro, due mostly to getting security right.

Use one single subnet. One DHCP server. Way too complicated if you don't.
Access points + *one* router w/DHCP.
And/or bridge pairs if distance so dictates

best to design with scale - RF wise. Annotate an aerial photo/google earth image, etc.
 
thanks.

But then... well, then don't I have all buildings able to access all files?

It is going to be a requirement that the buildings NOT have access to each other, save for the server in the house should be accessible to all (although that's not critical). Does that make sense?

I guess the main thing is that Internet get to all locations. That's priority #1 in this. Priority #2 is keeping all the buildings separate in terms of security (again, I'm not looking for hacker-proof... just don't want someone to bring up "network" in the file manager and see everyone else)

Priority #3 is the server. And actually the server doesn't even exist. Its just a future thing. No real plans for it, just want to keep the possibility open for a centralized backup or file sharing or maybe a media server.
 
Well, that's what I thought initially, but is it really that simple? Aren't they all on their own subnets then? I thought that then meant they couldn't access the server? The wireless bridges don't affect your suggestion?

The same way that computers behind a normal router can access servers in the internet your computers will of course be able to access servers on your "internet".

Start from the outbuildings end (not from your internet connection). You set up a network with a server. That network is now "the internet". To that network you use wireless bridges to connect other routers.

The bridges will work just like a copper cable.


Then the "final" step is to connect your "internet" to the real internet.

You will get double NAT, but http and most other protocols using tcp will be able to handle that. And since you have control of all the routers you can set up port forwarding and/or port triggers as necessary should you need some protocol that can't handle double NAT.

It's easy to try, just set up two routers and a couple of clients. No need to use the wireless bridges now, they will be transparent.
 
But then... well, then don't I have all buildings able to access all files?

They would only have access to files if there is something sharing the files. Will you have file sharing set up on all clients?

If the outbuildings only have clients, no servers, there's no problem with just a single network.

Sure, the clients will be able to "access" each other using tcp/ip, but if there are no services responding it won't matter.
 
