OK... my first network diagram. Help with devices and topology?

They would only have access to files if there is something sharing the files. Will you have file sharing set up on all clients?

If the outbuildings only have clients, no servers, there's no problem with just a single network.

Sure, the clients will be able to "access" each other using TCP/IP, but if there are no services responding it won't matter.

Well, I suppose I was looking at it from the point of view that I don't want to babysit every building. So let's say, for example, that the guesthouse has someone with a laptop and that computer is, for whatever reason/ignorance, set up for file/printer sharing. I don't want to sit down at my desktop in the house and suddenly see his files.

I guess I want to treat the buildings like they are independent entities that *if* I didn't have control over them, for whatever reason, that a) I can't see them and b) they can't see me (except, as discussed, for specified servers).

Perhaps I'll just forget the server idea. It was just a bonus down the road sort of thing. The primary idea is to get internet out there and not have everyone snooping. If, down the road, I get some great idea that necessitates more sharing around the network, I'll look into it. The only real immediate thing I can think of is printing while I'm wandering the property... but that's pretty rare.

Thanks for your help. I think I'm good for now. What I'll do is order up another router and a pair of Engenius AP's (ENS200 and 200EXT) and just give it a try. If it works, I'll get more ENS200's and routers to finish the job.

Oh, that brings me to another question: Can anyone tell a significant difference between the ENS200 and ENH200? Besides power? I don't think I need that extra power (or do I?). The marketing seems to indicate the higher power is for "miles"... I'm not going that far. The ENS are a bit cheaper, but they're all pretty inexpensive.
 
A quick glance looks like the ENS200 has a slightly lower gain antenna but a higher weather-resistance rating (the jump from IP55 to IP65 is significant), and the ENH200 has IP55 weather resistance with a slightly lower gain antenna, but it offers dual polarization (which can help in mounting; usually there is a switch to propagate in either a vertical or a horizontal orientation).

If you're just testing things and RF signals and all that, I'm going to be putting some stuff on eBay later this weekend w/ $1 opening bid, including an Engenius EOC2611P, which I really liked because it had a switchable-polarization 10 dBi antenna built in and also a connector for an external antenna. I also found a 3com 3CWE598 panel antenna with 8 dBi gain and just about the most forgiving, broadest coverage I've ever seen in an antenna with that much gain, and it's only 6" square. I was able to light up my detached workshop area with it quite well. If nothing else, it could be an inexpensive way to get your feet wet. I'll post the links later this weekend if anyone is interested: various high-gain antennas, WRT-54GL routers, antenna cables and adapters, etc. All 802.11g stuff, nothing 802.11n or 5 GHz (though some of the antennas are dual band, non-MIMO).
 
I did notice the IP difference after posting, and that may be a consideration. I'll take another look at IP specifications (it's been a while, so I need a refresher). Thanks for pointing that (and other stuff) out.

Sure, post the eBay links! Might be good for testing. If it's just for internet sharing, does G vs N even matter? They're both (theoretically) above my (actual) Internet speed.
 
A simpler setup without resorting to VLANs and the associated routing can be done. See attached diagram; obviously, you need to substitute the correct IP addressing schema and wifi SSIDs as per your needs.

As long as the outhouses remain under the NAT-ed network (by the respective Wifi routers), you shouldn't see the devices behind them, nor should they see the devices upstream.
The main networks and the respective outhouse networks each remain in their own broadcast domains.

You won't be able to access file services on your server from the outhouse via the usual CIFS (SMB) file shares. You can however, retain access via certain protocols like FTP.
For printing, if your printer supports IPP (most modern networked printers do), it is possible to print to the printers even when you're in the outhouse. The printer will have to be set up via its LAN IP rather than the hostname.

You should also disable (they are generally not enabled or featured on most consumer routers) any dynamic routing protocols (RIP v1/ v2) on the routers to prevent any accidental propagation of routes.
 

Attachments: Simple_wifi.png (33.1 KB)

Are you sure about not being able to see devices upstream?

I've had three routers cascaded and from a machine connected to the last (3rd) router in the chain (farthest from ISP) could see/manipulate devices connected to all three routers. But devices on the 1st couldn't see 2nd or 3rd. Devices on 2nd could see devices on 1st but not 3rd.

I was thinking of adding one more router for the devices in the main house the OP wants to isolate (not the server (and/or printer) that's supposed to be accessible to all).
 
It depends on what services you are referring to. SMB/ CIFS broadcasts shouldn't propagate through the NAT. I've not encountered clients being able to actually browse fileshares and servers upstream through a properly configured NAT router.
If you're referring to services like a web server or FTP server, then yes, you can definitely connect via IP addresses (and if the downstream router is able to forward the DNS resolution, by hostnames too).
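To make the asymmetry debated in the two posts above concrete (a client behind the downstream router can open connections to hosts on the upstream LAN by IP, while upstream hosts cannot initiate anything toward it, and NetBIOS broadcasts stop at the router), here is an added toy model of a stateful consumer NAT router. It is illustration written for this page, not code from the thread or from any router firmware; the addresses and port numbers are constructed.

```python
"""Toy stateful-NAT model for the cascaded (double-NAT) router discussion.
Added illustration only: not code from the thread and not a real router.
All addresses are constructed (RFC 1918 and documentation ranges)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True: new connection attempt; False: reply within a flow


@dataclass
class NatRouter:
    """Consumer router doing source NAT/PAT on its WAN side.
    Simplifications: LAN membership is a prefix-string match, TCP only,
    and any x.x.x.255 destination is treated as a /24 broadcast."""
    lan_prefix: str                                   # e.g. "192.168.2."
    wan_ip: str                                       # its address on the upstream LAN
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    conntrack: Dict[int, Tuple[str, int, str]] = field(default_factory=dict)
    next_port: int = 40000

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if the router drops it."""
        if pkt.dst == "255.255.255.255" or pkt.dst.endswith(".255"):
            return None  # broadcasts (NetBIOS name queries etc.) never cross a router
        if pkt.src.startswith(self.lan_prefix) and not pkt.dst.startswith(self.lan_prefix):
            # LAN -> upstream: rewrite the source, remember the flow so the reply maps back
            wan_port = self.next_port
            self.next_port += 1
            self.conntrack[wan_port] = (pkt.src, pkt.sport, pkt.dst)
            return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.syn)
        if pkt.dst == self.wan_ip:
            state = self.conntrack.get(pkt.dport)
            if state and state[2] == pkt.src and not pkt.syn:
                lan_ip, lan_port, _ = state                  # reply to a tracked flow
                return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
            if pkt.syn and pkt.dport in self.port_forwards:  # hole explicitly punched by the admin
                lan_ip, lan_port = self.port_forwards[pkt.dport]
                return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
            return None  # unsolicited inbound: dropped, the LAN host stays unreachable
        return None  # anything else (LAN-to-LAN) never traverses this router


def cascade_scenario() -> Dict[str, bool]:
    """Main-house router (upstream) with a guesthouse router hanging off its LAN.
    Constructed topology; returns which directions get through."""
    upstream = NatRouter("192.168.1.", wan_ip="203.0.113.7")       # ISP side
    downstream = NatRouter("192.168.2.", wan_ip="192.168.1.50")    # WAN port on the house LAN
    results: Dict[str, bool] = {}

    # 1. Guest laptop opens SMB to the house NAS: reachable by IP, just like the thread says
    syn = Packet("192.168.2.10", 51000, "192.168.1.20", 445)
    out = downstream.handle(syn)
    results["guest_to_nas_syn_reaches_nas"] = out is not None and out.dst == "192.168.1.20"
    reply = Packet("192.168.1.20", 445, out.src, out.sport, syn=False)   # NAS answers the WAN port
    back = downstream.handle(reply)
    results["nas_reply_reaches_guest"] = back is not None and back.dst == "192.168.2.10"

    # 2. The same flow crossing the house router toward the internet is translated a second time
    hop2 = upstream.handle(Packet(out.src, out.sport, "198.51.100.9", 80))
    results["guest_to_internet_double_natted"] = hop2 is not None and hop2.src == "203.0.113.7"

    # 3. House desktop tries SMB toward the guesthouse: it can only address the router's WAN IP
    probe = Packet("192.168.1.30", 52000, "192.168.1.50", 445)
    results["house_to_guest_smb_blocked"] = downstream.handle(probe) is None

    # 4. A NetBIOS name broadcast from the guest laptop stays on its own segment
    bcast = Packet("192.168.2.10", 137, "192.168.2.255", 137)
    results["netbios_broadcast_crosses_router"] = downstream.handle(bcast) is not None

    # 5. Only an explicit port forward on the downstream router lets the house in
    downstream.port_forwards[2222] = ("192.168.2.10", 22)
    fwd = downstream.handle(Packet("192.168.1.30", 52001, "192.168.1.50", 2222))
    results["port_forward_reaches_guest"] = fwd is not None and fwd.dst == "192.168.2.10"
    return results


if __name__ == "__main__":
    for name, ok in cascade_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes is that NAT is a one-way door: the guesthouse segment is hidden from the house, but the house is not hidden from the guesthouse, so "they can't see me" only holds for hosts placed behind their own downstream router, which is what the suggestion of one more router for the main house amounts to.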
 
Personally, I don't think networks should be built on a bunch of NAT routers performing double NAT. It may be simple, but it's not the way I was taught to build networks. I would want the same level of security for all on the network and more centralized control. Trying to manage DHCP and port openings is not going to be fun on all the different routers. I think it will be a security nightmare to manage this network configured with a bunch of NAT routers.
 
I agree that it's not a good idea in general but that's just the quick dirty solution.
Replacing the main router with a vlan capable unit coupled with a smart switch works as well if the OP can conceptualize and configure it all. In which case, simple access points with WDS bridging would suffice (just have to put the ports in access mode if the access points don't support vlans).
 
Agree about the quick part and that you don't need to depend on a bunch of routers to build an elaborate network. But it's easy to do and allows repurposing of equipment you may already own (or future repurposing of routers that've been purchased for an existing install).

I've been double NATing for 10+ years. What parameter(s) might I have been misconfiguring that have always allowed me to browse and manipulate shares located on upstream connected devices (yet never allowed it when trying to connect to downstream devices)?

"SMB/CIFS broadcasts shouldn't propagate through the NAT" shouldn't really matter, right (actually I think it's NetBIOS though -- I didn't think SMB does any broadcasting on its own)? I'm already "un-NATed" when messing with upstream devices.

Makes me wonder why some large corporations utilize multiple NATing. Why do they do it?
 
I've never really encountered that - Shares available downstream. There are certain ways I suppose, with consumer/ prosumer routers that it can work. The NAT router would need to allow and proxy the broadcast traffic through. In some instances, you simply have no control over this.

Generally, you can have the downstream router point to public DNS rather than the upstream router for DNS to avoid propagating the ARP resolved hostnames on the first tier router. Disable any dynamic routing (RIP and such) as well as making sure that the SPI is configured for the strictest settings (available on some Dlink routers). Beyond that, there is little control if the router has a decent IGMP proxy on it that can't be turned off.

In other instances, your router might actually have some simple form of dynamic routing (RIP) that isn't turned off or can be controlled off the web UI.

I've seen RIP being available (through WebUI) on some DLink and TP-Link routers in the past though they most certainly are disabled by default.

That said, it's far less common to see CIFS shares work across the NAT. I've been called in to 'fix' such networks in the past. The ISP-provided CPE provides NAT and the customer has their own 'firewall' providing a double NAT. The usual complaint is that some wireless clients can connect to the file shares but not the wired clients.
In these instances, it's almost always because the NAS is connected to the ISP CPE (which also provides wifi for upper management). Usually, it's just a matter of reconfiguring their firewall and router as well as swapping links on the servers and NAS where need be.

Half the time, the initial network is a hackjob performed by a freelance 'it guy' or some intern who was tasked with the job because his/ her area of studies say 'Computer Engineering' or 'Business IT'.
The layman seems to think that you can do everything from programming to networking to fixing any appliances running off electricity just because your diploma or degree says computer or IT in it.

I've encountered some scenarios where the client has a NAS behind a double-NAT router. The upstream devices cannot see or connect to the NAS and the upper management switches to the downstream NAT router's wifi network to access the NAS.
It's a goofy setup at best and very sad to see when it's setup by a person who's paid for 'professional services'. i.e. Not some intern who was tasked with the thankless job.
In at least one such situation, the laptops were even configured to run with Outlook's PST files residing on the mapped drives. Thankfully, it was only the archived emails, but it led to plenty of errors with Outlook when the user plugged in the network cable (which goes to the first-tier NATed network).
 
At any rate, I think we've digressed far enough from the original topic.

What I proposed can be used for a basic 'upgradable' setup that may not require additional purchases to do so.

The OP would need to ensure the following though:

Main router must be 802.1Q VLAN capable and capable of (NAT) routing multiple subnets.
Switch must be managed or smart (able to minimally support 802.1Q VLANs).

He can start off with what is familiar - what I proposed. It doesn't require in-depth knowledge of routing or VLANs.

As he gets comfortable with the concepts of multiple subnets routing, ACLs and VLAN setups, he can configure the main router to provide a separate VLAN subnet for each outhouse.
I've found that being new to VLANs means that one often gets confused with the different nomenclature the various manufacturers use for VLANs configuration on their equipment.

The switch can be used to provision the VLANs to the access points or wifi routers via Access ports (on some switches, this is 'Untagged' or 'Strip on egress') if the APs/routers in the main building don't support VLANs.
This allows regular wifi routers to be (re-)used in the main building simply by switching the link to the LAN side and disabling the DHCP server. If this is an upgrade process, then removing the static WAN IP is required as well.

If the APs do support VLANs and multi-SSID (or if the APs support bridging multiple VLANs like the Aironets), then it's just a matter of providing trunked ports and configuring the multi-SSID to VLAN mappings.

It's not necessary to have VLAN capable APs since a one AP to one network scheme would dedicate the whole wireless link bandwidth to a single subnet.

In fact, bridging VLANs/ multiple networks across the link may require additional purchases if a single AP at the other end is insufficient to cover the entire outhouse or if there are wired links required.
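As an added worked example of the upgrade path in the post above (one VLAN subnet per outhouse, ACLs on the main router, the shared server reachable on specific ports only), here is a small policy model that builds the forward-chain rules such a router needs, evaluates them, and renders them as an nftables ruleset for a Linux-based main router. It is illustration written for this page, not the thread's configuration or any vendor's syntax for VLAN ACLs; the VLAN IDs, subnets, server address and the choice of SMB (445) and IPP (631) as the shared ports are constructed assumptions.

```python
"""Per-outhouse VLAN isolation policy: build, evaluate, and render as nftables.
Added illustration, not the thread's or any vendor's configuration.
Subnets, VLAN IDs, the shared server address and the ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Vlan:
    vid: int
    name: str
    subnet: str  # CIDR


@dataclass
class Site:
    main: Vlan
    outhouses: List[Vlan]
    shared_server: str = "192.168.10.5"          # NAS / print server on the main VLAN
    shared_ports: Tuple[int, ...] = (445, 631)   # SMB and IPP: the two services worth sharing


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR
    dst: str               # CIDR; "0.0.0.0/0" means anywhere
    dport: Optional[int]   # None means any port
    verdict: str           # "accept" or "drop"


def build_rules(site: Site) -> List[Rule]:
    """First-match rule list. Order matters: each outhouse's drop rules toward
    the house and the other outhouses must precede its catch-all internet accept."""
    rules: List[Rule] = []
    for oh in site.outhouses:
        for port in site.shared_ports:
            rules.append(Rule(oh.subnet, site.shared_server + "/32", port, "accept"))
        rules.append(Rule(oh.subnet, site.main.subnet, None, "drop"))       # can't see the house
        for other in site.outhouses:
            if other is not oh:
                rules.append(Rule(oh.subnet, other.subnet, None, "drop"))   # nor each other
        rules.append(Rule(oh.subnet, "0.0.0.0/0", None, "accept"))          # internet only
    rules.append(Rule(site.main.subnet, "0.0.0.0/0", None, "accept"))       # house reaches all
    return rules


def allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """Decide a new TCP connection against the rule list; chain policy is drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.verdict == "accept"
    return False


def render_nft(rules: List[Rule]) -> str:
    """Render the rules as an nftables forward chain with default-drop policy.
    Replies to permitted flows are admitted by conntrack, so rules only cover new flows."""
    out = ["table inet outhouse_isolation {",
           "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    for r in rules:
        parts = [f"ip saddr {r.src}"]
        if r.dst != "0.0.0.0/0":
            parts.append(f"ip daddr {r.dst.removesuffix('/32')}")
        if r.dport is not None:
            parts.append(f"tcp dport {r.dport}")
        parts.append(r.verdict)
        out.append("    " + " ".join(parts))
    out += ["  }", "}"]
    return "\n".join(out)


def example_site() -> Site:
    """Constructed site: house on VLAN 10, guesthouse on 20, workshop on 30."""
    return Site(main=Vlan(10, "house", "192.168.10.0/24"),
                outhouses=[Vlan(20, "guesthouse", "192.168.20.0/24"),
                           Vlan(30, "workshop", "192.168.30.0/24")])


if __name__ == "__main__":
    print(render_nft(build_rules(example_site())))
```

The model leaves out what the post already covers in prose: the VLAN sub-interfaces on the router, a DHCP scope per VLAN, and the switch's access (untagged) ports toward non-VLAN-aware APs. The part worth checking before trusting any such ruleset is the ordering, which is why `allowed()` exists: a catch-all accept placed above the drop toward the house subnet silently defeats the isolation.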
 
Not to throw the thread further off the rail, but to clarify what I stated:

I've never really encountered that - Shares available downstream.

The shares are always available upstream, never downstream -- the downstream router (further from the ISP) always blocks access (with default configuration).

I've done this with probably 10+ consumer grade routers over the years, of various brands/models.
 
