Split 2 Networks with 2 different IP ranges

SBSP
Senior Member, joined Sep 7, 2007
We have created a showroom/test environment.

Production network is upstairs and the showroom downstairs.

So I'm thinking of putting a firewall between the 2 networks and creating an "Upstream Gateway", if I can call it that.


Upstairs network is 12.0.0.1 - 254, downstairs is 10.0.0.1 - 254.
Upstairs gateway is 12.0.0.1 and downstairs GW is 10.0.0.1.

So the firewall has 2 NICs: NIC1 = 10.0.0.1 and NIC2 = 12.0.0.2, and the gateway of NIC 2 is set to 12.0.0.1.

This way I can port forward traffic from 12.0.0.2 to 10.0.0.X, port 3389, and from there people can RDP to whatever they need to do.

The reason I need a FW in between the 2 networks is because I don't want to share any traffic whatsoever between the 2.

I only want to be able to access a "central" RDP server on port 3389, which can then be used to access a virtual ESXi server and the servers installed on the ESXi from the RDP server.

The problem I see with this is the moment I plug the cables into the Firewall will be DHCP.
How do I block DHCP between the 2 servers? The showroom will have its own test DC.

Also, how will I block network 12.0.0.X from realizing there is another DC around?
 
Why don't you just create a VLAN and put 10 on the one and 12 on the other?
 
12.0.0.0 is a public IP range, not sure why you want to use that for an internal range? (You can, but why oh why would one ever want to do that???)

Rather use 10.0.0.0/24 and 10.0.1.0/24.

Not sure what you mean by "The problem i see with this is the moment i plug the cables into the Firewall will be DHCP".

A DHCP server will only assign DHCP leases to devices on the same subnet, so your DHCP server on 10.0.0.0/24 will only lease out addresses to PCs plugged into the 10.0.0.0/24 network...
If your test network is on 12.0.0.0/24, clients will not get DHCP IPs from the server on the 10.0.0.0/24 network and vice versa, unless there is a config problem on your network.... or if you are forwarding DHCP requests through the firewall...
 


12.0.0.X & 10.0.0.1 is just an example. It's actually 172.19.185 and 172.19.186.

I don't know how to create a VLAN and don't want to take chances. And if I don't have a VLAN, then DHCP will interfere if the FW is not blocking that traffic.

But I kind of figured it out; the way I explained it is now working, without any Domain services or DHCP service visible from our normal network. I'm only allowing 80, 443 and 53.
 
You guys are giving me the idea that I'm doing this the wrong way.

Creating a VLAN, does that involve splitting the switch into 2 LANs by configuring it?? Or is there another way of doing it?
 
Two NICs on the server.

One NIC serves up 10.0.0.0/24, the other NIC serves up 10.1.0.0/24.

Or, even better, use 10.0.0.0/24 and 192.168.0.0/24.

Avoid the use of public IPs on your internal network; it will save you the headache later of reconfiguration should there be an IP conflict with an external IP address.
 

Try the firewall route first. VLANs are not as easy as everyone is making them out to be unless you're a network engineer that works with them on a daily basis.
 
Hi SBSP,

Have you looked at the pfSense project? It should be easy to achieve what you want out of the box.
 
Your post doesn't really make sense to me.
Firstly, why port forward? Just allow RDP to the server you want. The firewall can be the default gateway for both networks; add the relevant rules and you are done. If you don't want to make it the default gateway for the 12 network, use a NAT for the RDP server.

With regards to your other issues of DHCP etc., I don't follow. The two networks are separated, so there is no way they can see each other except through the firewall. Allow what you want; everything else should be blocked by the default drop rule.
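To make the policy described in this thread concrete (firewall as the only path between the two subnets, default drop, RDP allowed only to the central server, and DHCP broadcasts that never cross a router unless relayed), here is an added Python example. It is not code from any poster in the thread: the jump-host address 172.19.186.10, the treatment of the 80/443/53 rules as showroom-outbound only, and all sample flows are constructed assumptions, and the `is_rfc1918` check covers the "use private ranges, not 12.0.0.0" point from the earlier replies.

```python
"""Added example (not from the thread): a small model of the policy the replies
describe -- the firewall is the only path between the two RFC 1918 subnets,
everything is dropped by default, RDP is allowed only to one central jump host,
and DHCP broadcasts never cross the boundary. Addresses, hosts and flows are
constructed for illustration; the jump-host address is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

PRODUCTION = ip_network("172.19.185.0/24")   # "upstairs" network (thread's real range)
SHOWROOM = ip_network("172.19.186.0/24")     # "downstairs" test/showroom network
RDP_HOST = ip_network("172.19.186.10/32")    # assumed central RDP jump host (constructed)
ANY = ip_network("0.0.0.0/0")
BROADCAST = ip_address("255.255.255.255")

# RFC 1918 private ranges; 12.0.0.0/8 from the first post is none of these.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "drop"
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: int            # 0 means any port
    note: str

    def matches(self, s, d, proto, dport) -> bool:
        return (s in self.src and d in self.dst
                and self.proto in ("any", proto)
                and self.dport in (0, dport))


# Ordered rule set, first match wins; anything unmatched hits the default drop.
# The 80/443/53 rules model the poster's "only allowing 80, 443 and 53" as
# showroom-outbound traffic (assumption), and they sit *after* an explicit
# showroom->production drop so web/DNS ports can never reach production hosts.
RULES = [
    Rule("allow", PRODUCTION, RDP_HOST, "tcp", 3389, "RDP to the central jump host only"),
    Rule("drop", SHOWROOM, PRODUCTION, "any", 0, "showroom must never reach production"),
    Rule("allow", SHOWROOM, ANY, "tcp", 80, "showroom web out"),
    Rule("allow", SHOWROOM, ANY, "tcp", 443, "showroom web out"),
    Rule("allow", SHOWROOM, ANY, "udp", 53, "showroom DNS out"),
]


def decide(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (verdict, reason) for one flow crossing (or not crossing) the firewall."""
    s, d = ip_address(src), ip_address(dst)
    # A DHCP DISCOVER is sent to 255.255.255.255:67; routers/firewalls do not forward
    # broadcasts, so the other subnet's DHCP server never sees it unless a relay is set up.
    if d == BROADCAST or d.is_multicast:
        return "drop", "broadcast/multicast is not forwarded between subnets"
    if (s in PRODUCTION and d in PRODUCTION) or (s in SHOWROOM and d in SHOWROOM):
        return "n/a", "same subnet: the flow never reaches the firewall"
    for rule in RULES:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.note
    return "drop", "no matching rule (default drop)"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("172.19.185.20", "172.19.186.10", "tcp", 3389),   # prod PC -> jump host RDP
        ("172.19.185.20", "172.19.186.11", "tcp", 3389),   # prod PC -> another showroom box
        ("172.19.185.20", "172.19.186.10", "tcp", 445),    # SMB to the jump host
        ("172.19.186.50", "172.19.185.5", "tcp", 80),      # showroom -> production web
        ("172.19.186.50", "203.0.113.53", "udp", 53),      # showroom -> external DNS
        ("0.0.0.0", "255.255.255.255", "udp", 67),         # DHCP DISCOVER broadcast
    ]
    for f in flows:
        print(f"{f[0]:>15} -> {f[1]:<15} {f[2]}/{f[3]:<5} {decide(*f)}")
    for a in ("12.0.0.1", "172.19.185.1", "10.0.0.1", "192.168.0.1"):
        print(f"{a:<14} RFC 1918: {is_rfc1918(a)}")
```

The point of the explicit showroom-to-production drop sitting before the web/DNS allows is that rule order matters on a real firewall too: an "allow 80 to anywhere" placed first would quietly let the test network reach production web servers, which is exactly the traffic the original poster wants to keep apart.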
 
SBSP, I would recommend getting a consultant out to have a look at your network and what you want to achieve. A normal Cisco 877 or 1901 router with a managed switch will deliver all of this for you. A cheap way of doing this if you have two unmanaged switches is to use a Cisco ASA5505. Perhaps a consultant can advise you on networking best practices and RFC 1918 addressing to be used?
 

Having said that, there is actually a lot of politics around this.

Currently our company, not only locally but internationally, has put a stop on all new purchases. They do it in levels: Level 1 = you can buy but then you really have to justify it, but at Level 2 = no purchases whatsoever! We're at Level 2 :-)

To be quite honest, I'm not really allowed to use any network equipment besides Cisco. We currently have 2 ASA5505 firewalls for redundancy, so I actually have the equipment, and I also have about 3 other Cisco firewalls, but the problem is it will take me about a month to get the Firewall team to help me. Then they will tell me to take out the switches which I have already put in, which are D-Link, and I don't know %$^$% about configuring Cisco equipment.

I may only use Dell Servers and HP for Workstations, and not just any HP workstation, only the ones available on a configured portal which displays just the ones I'm allowed to buy.

We get excellent prices from HP, Dell and Cisco by buying through, i.e., the HP business partner portal.

Not only that, for now I don't want to let them know that I'm not using Dell Servers but instead HP Servers, because if I buy via those portals my orders will be canceled or someone is going to phone me and tell me what I already know.

These rules are dictated by my managers in Europe (and I fully understand why); my local managers are sort of forcing me to make use of spare equipment, which was actually taken out because it doesn't fall in the company standards in the first place, i.e. the HP DL360 G6 which has 16 cores and 36 GB of RAM and we paid 100 K for it :-)

So I really can't make any changes to the existing network. I also cannot get a consultant out to do this because they will cut my throat if I get just anyone to come and tamper with our, or rather "their", network.
 
Well, good luck. It sounds like the majority of the problems might reside with your current network incumbent and the red tape. I like the policy of only using Cisco networking equipment. Configuring a Cisco switch can be really easy and there is a lot of online support. Most managed switches follow similar standards, thus if you can configure one you can figure out how to do another.

If you have the firewalls, creating a new VLAN on the ASAs and the switches would be an easy solution.
 

I don't mind helping you, and will even do the configs for free. PM me if you would like advice or config assistance.
The 5505 is a sucky firewall, but it will do the job.

I know someone earlier mentioned VLANs, but you still need some kind of security because you will be routing between these VLANs for RDP access. You can use ACLs on the switches if they have the capability.

What you want to do is extremely quick and easy, and will require minimal cabling if you like (however, less cabling means more switch configuration).

I'm currently out of the country, but am back next week, and if you want help PM me and I will write up the configurations for you. If you want, I can also try to lab it for you and send you the Dynamips lab config file so you can test it yourself.

Otherwise, you need to ask more specific questions here and people can try to assist.
It really should just be a case of cabling up the lab to the firewall and the work network to the firewall. Add routing and rules and you are done.
 
@Syntax, thanks for the offer, that was cool of you. I'm just going to leave the setup with a firewall in between for now.

I will get it done properly at a later stage
 