On Wed, 19 Jan 2005 16:15:56 -0500 (EST), ranbir sandhu <m3freak@xxxxxxxxxx> wrote:
> Hi all,
>
> I'm not a networking expert or even "the network guy",
> and thus I am running into a problem figuring out how
> to improve the network at my new office.
>
> The business centre I'm in is sharing a DSL connection
> with one dynamic IP between 19 tenants (simple
> Linksys/Dlink type of router). Besides the obvious
> security problems, this makes it very difficult for
> tenants to host their own servers, including me.
>
> Along with changing the ISP to one that can provide
> static IPs, here's what I'm thinking of suggesting:
>
> Internet --> DSL Modem --> Hub/Switch
>                              |      |
>                          Router1  Router2
>                             |        |
>                          Switch    Tenant
>                             |       That
>                          Tenants   Cares
>                           That
>                          Don't Care
>
> Router1 would have a static IP. Like it says, tenants
> that want a simple Internet connection would
> essentially receive the same service they have now.
>
> Router2 would be assigned another static IP.
> Additional tenants could easily be accommodated with
> more static IPs and routers. Firewalls etc. would be
> the responsibility of the tenant.
>
> The obvious problem with this is that if a simple
> switch or even a hub is used after the DSL modem, the
> business centre won't be able to control the traffic
> (i.e. prioritize and/or control bandwidth use). One
> tenant could use up the entire pipe, for example.
>
> I've considered dropping in a machine running mOnOwall
> to help solve the traffic shaping issue. Also, I've
> read that mOnOwall can transparently firewall/bridge:
> this would make it very easy to assign static IPs to
> those that want them. But, I don't know how many
> routes it can accommodate.
>
> Is the above approach a good one? How else would
> something like this be handled?
>
> Incidentally, I've spent quite a bit of time reading
> up on layer 2/3 switches, VLANs etc., but I still
> haven't figured out if plugging the modem directly
> into a switch is the right thing to do.
Here is what I'd do (I have a proposal submitted to do this for a medical complex).

            Internet
               |
   DSL Modem or Internet Router
               |
            Firewall----Tenant-2
               |
            Tenant-1

Firewall each tenant from the other tenants. Give each tenant a different RFC 1918 address range. Use a switch capable of trunking, and an Ethernet card capable of trunking in the firewall to allow multiple VLANs on one physical connection.

--
Leonard Isham, CISSP
Ostendo non ostento.
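As an added illustration of the design in the reply above (one trunk port into the firewall, one 802.1Q VLAN and one RFC 1918 range per tenant, tenants firewalled from each other), not code from either poster: a small Python planner that checks the tenant address plan and emits the iproute2 and nftables commands a Linux firewall would need. The interface names (eth0 uplink, eth1 trunk), VLAN ids, address ranges and the nftables table name are assumptions for illustration only.

```python
"""Plan per-tenant VLAN isolation on one trunked firewall port.

Added example modelling the reply's design. Interface names, VLAN ids,
address ranges and rule wording are illustrative assumptions, not from
the thread or any product.
"""
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def validate_tenants(tenants):
    """tenants: dict name -> (vlan_id, cidr).

    Rejects reused VLAN ids, non-private ranges and overlapping ranges,
    since any of those would let tenants see or spoof each other.
    Returns a list of (name, vlan_id, IPv4Network).
    """
    seen_vlans = set()
    plan = []
    for name, (vlan, cidr) in tenants.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"{name}: VLAN id {vlan} out of range")
        if vlan in seen_vlans:
            raise ValueError(f"{name}: VLAN id {vlan} already used")
        seen_vlans.add(vlan)
        net = ipaddress.ip_network(cidr, strict=True)
        if not is_rfc1918(net):
            raise ValueError(f"{name}: {cidr} is not an RFC 1918 range")
        for other_name, _, other in plan:
            if net.overlaps(other):
                raise ValueError(
                    f"{name}: {cidr} overlaps {other_name} ({other})")
        plan.append((name, vlan, net))
    return plan


def interface_commands(plan, trunk="eth1"):
    """iproute2 commands: one tagged subinterface per tenant on the trunk;
    the firewall takes the first host address of each range as gateway."""
    cmds = []
    for _name, vlan, net in plan:
        sub = f"{trunk}.{vlan}"
        gw = next(net.hosts())
        cmds.append(f"ip link add link {trunk} name {sub} type vlan id {vlan}")
        cmds.append(f"ip addr add {gw}/{net.prefixlen} dev {sub}")
        cmds.append(f"ip link set {sub} up")
    return cmds


def forward_rules(plan, trunk="eth1", uplink="eth0"):
    """nftables forward-chain rules (assumed table name 'tenants'):
    each VLAN may reach the uplink only from its own range; anything
    else leaving a tenant VLAN (including traffic to another tenant's
    VLAN) is counted and dropped, so cross-tenant flows show up in
    counters rather than silently disappearing."""
    rules = [
        "add table inet tenants",
        "add chain inet tenants forward "
        "{ type filter hook forward priority 0; policy drop; }",
        "add rule inet tenants forward ct state established,related accept",
    ]
    for _name, vlan, net in plan:
        sub = f"{trunk}.{vlan}"
        rules.append(f"add rule inet tenants forward iifname {sub} "
                     f"oifname {uplink} ip saddr {net} accept")
        rules.append(f"add rule inet tenants forward iifname {sub} "
                     f"counter drop")
    return rules


if __name__ == "__main__":
    # Constructed sample plan for two tenants.
    sample = {"tenant-1": (10, "10.0.10.0/24"),
              "tenant-2": (20, "10.0.20.0/24")}
    plan = validate_tenants(sample)
    for line in interface_commands(plan) + forward_rules(plan):
        print(line)
```

The planner does not touch the system; it prints the commands so they can be reviewed before being applied on the firewall host. The switch side (tagging the trunk port with the same VLAN ids and putting each tenant's access port untagged in its VLAN) is configured separately on the switch.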