Thread: NAT Guest VLAN (forum: How do you do....it?)
  1. #1 HCC

    NAT Guest VLAN

    Hi,

    I am thinking about how to set up a secure guest VLAN with its own DHCP scope and DNS etc. to keep it separate from the main network. We currently have everything on VLAN 1. Switches are mainly 3Com or HP with a pair of 3Com 5500s at the core. We have Ruckus for wireless.
    I have managed to create a VLAN to test it out and these are the problems I've had so far:
    • Internet doesn't work because the IP range is different to the RBC-assigned range. Do I need to use NAT somehow, or reserve some IPs from the main range?
    • Proxy settings for guest devices: ideally I want all guest devices to use port 80 and not need to enter proxy settings, for maximum compatibility. I'm looking into removing the proxy altogether and using Lightspeed as the filter.

    I'm trying to find a system that is simple to configure and maintain. Do I need a NAT hardware router that can also do guest DHCP and DNS? Can anyone suggest anything?

    Thanks,

  2. #2 twin--turbo
    The router at the demarc for the connection to the internet will need to know about the new network and how to route to it.

    Rob

  3. #3
    If you have the Ruckus controller it should do most of the work for you. You'll have to create a WPAD file for proxy autodiscovery and put its info in DHCP and DNS.

  4. #4 HCC
    Thanks for the replies.
    I can't change the gateway switch because it belongs to the internet provider, but I'll ask them if they could add another private range...

    I looked at the Ruckus settings. I found how to isolate the clients, which is good, and I've already created a L3/4/IP address Access Control list, but I couldn't get it to work. What rules would be needed to only allow internet access and nothing else? I also want guest devices to use their own DHCP and DNS.

  5. #5 HCC
    Update:
    I can't get a range added to the gateway device, so I will need an intermediate L3 device to NAT the VLAN IP ranges. Any suggestions for something easy to configure and maintain? Most of the switches here are 3Com or HP.
    It would be great if such a device could also provide DHCP and DNS for the guest VLAN and rules to prevent the guests accessing the main school network, with a nice web GUI.

    I'm not getting anywhere either asking for the crappy RM upstream proxy to be removed. I don't mind keeping the proxy setting for the devices we control so I don't have to re-configure, but I don't want to have this added complexity for guest devices.
    Can a NAT device hide the proxy, so the guest devices can use port 80, or is this an extra service or device that's needed to do this?

  6. #6
    Something like Smoothwall would be great for this; it's very similar to what we do for our guest networks. Our Smoothwall box is the gateway device for these networks and provides DHCP and DNS proxy for the networks. It's set up as a transparent proxy so no configuration is required on the clients.

    A cheap/free way of doing it might be to set up a Linux box running Squid/DHCP/DNS to do the same. Have two interfaces: one to your main network and one to the guest VLAN.

  7. #7 SYNACK
    How good are your switches? Your core may be able to manage NAT; if not, ISA/TMG also gives you lots of features, including caching, which can be handy.

  8. #8 dhicks
    Quote, originally posted by Ashm:
        A cheap/free way of doing it might be to set up Linux box running squid/dhcp/dns to do the same.
    Yes, that should do it, although it might not quite meet the "easy to configure" criteria. However, if the original poster needs a hand I can probably help. You'll just need a basic machine: install Debian and set up iptables - I have an example setup that should be easy enough to adapt. You just need to tell the Debian machine to use your existing gateway, and if you want a DNS server you just install bind and tell it to use your current DNS server as its upstream DNS server. You can set up Squid to do caching if you like, and you can get that to do more filtering, too, if you want, or even act as a captive portal (first time it sees a MAC address, show an acceptable use policy, or whatever), although I'm sure by now there's probably a nice all-in-one way of doing all this.
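
As an added example (not code from dhicks, Ashm or anyone in this thread) of the two-interface Linux gateway described in #6 and #8, here is an iptables script for a Debian box that NATs a guest VLAN out through the existing gateway, lets guests reach the box only for DHCP and DNS, refuses guest traffic into the main school network, and optionally redirects port 80 into a local transparent Squid so guest devices need no proxy setting. Every interface name, address range and port in it is an assumption, and the dhcpd, bind and Squid configuration it relies on is not shown.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. A Debian box with two
# interfaces sits between the guest VLAN and the existing gateway: it NATs the
# guests out, serves them DHCP/DNS, blocks them from the main school network and
# optionally redirects port 80 into a local transparent Squid.
# Every interface name, address range and port below is a constructed assumption.

WAN_IF=${WAN_IF:-eth0}                 # towards the existing gateway / main network
GUEST_IF=${GUEST_IF:-eth1}             # towards the guest VLAN
GUEST_NET=${GUEST_NET:-10.99.0.0/24}   # assumed guest range (must not overlap MAIN_NET)
GW_IP=${GW_IP:-10.99.0.1}              # this box on the guest VLAN; dhcpd and bind listen here
MAIN_NET=${MAIN_NET:-192.168.0.0/16}   # assumed main school network that guests must not reach
SQUID_PORT=${SQUID_PORT:-3128}         # local Squid in transparent mode, if used
IPT=${IPT:-iptables}                   # set IPT=echo to preview the rules without applying them
SYSCTL=${SYSCTL:-sysctl}

enable_forwarding() {
  "$SYSCTL" -w net.ipv4.ip_forward=1
}

guest_gateway_rules() {
  # Dedicated box: start from empty FORWARD and nat tables, deny forwarding by default.
  "$IPT" -P FORWARD DROP
  "$IPT" -F FORWARD
  "$IPT" -t nat -F

  # Replies to connections the guests opened are allowed back in.
  "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Guest -> main school network is refused. This must precede the general
  # accept below, because the main network is also reachable through WAN_IF.
  "$IPT" -A FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -d "$MAIN_NET" -j REJECT

  # Guest -> anything else leaves via WAN_IF.
  "$IPT" -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -s "$GUEST_NET" -j ACCEPT

  # Hide the guest range behind this box's WAN address, so the upstream
  # gateway only ever sees an address it already routes.
  "$IPT" -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE

  # Guests may talk to this box only for DHCP and DNS; everything else is dropped.
  "$IPT" -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
  "$IPT" -A INPUT -i "$GUEST_IF" -d "$GW_IP" -p udp --dport 53 -j ACCEPT
  "$IPT" -A INPUT -i "$GUEST_IF" -d "$GW_IP" -p tcp --dport 53 -j ACCEPT
  "$IPT" -A INPUT -i "$GUEST_IF" -j DROP
}

transparent_proxy_rules() {
  # Port 80 from the guest VLAN is redirected into the local Squid, so guest
  # devices need no proxy setting; Squid itself is configured to use the
  # upstream (RBC) proxy as its parent. HTTPS is not touched by this rule.
  "$IPT" -t nat -A PREROUTING -i "$GUEST_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
  # Inserted at the top of INPUT so it lands before the DROP for GUEST_IF.
  "$IPT" -I INPUT -i "$GUEST_IF" -d "$GW_IP" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Usage (as root):           sh guest-gw.sh apply
# Preview without applying:  IPT=echo SYSCTL=echo sh guest-gw.sh apply
case "${1:-}" in
  apply) enable_forwarding; guest_gateway_rules; transparent_proxy_rules ;;
esac
```

The order inside FORWARD is the part worth checking on a real box: because the main network sits behind the same WAN_IF the internet does, the REJECT for MAIN_NET has to come before the general ACCEPT, otherwise NAT alone does nothing to keep guests off the school LAN. Running with `IPT=echo` prints the rules in the order they would be applied, which is a cheap way to review them before touching a live gateway.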

  9. #9 cpjitservices
    pfsense..... Enough said!

  10. #10 HCC
    Thanks for the posts.
    I agree Smoothwall could do this, but it was too expensive, which is why we ended up with Lightspeed. I'm still hoping that the proxy can be removed to save me all this extra work.
    Maybe Smoothwall Express could be used.

    I looked at ISA/TMG but I'm a bit anti now that Microsoft has discontinued them.
    pfSense looks interesting.

    I'd rather have a switch hardware type device than a server because of power and heat problems where the internet comes into the building.

    I have a little experience with switch config via telnet, but would still much rather have a nice web GUI.

    Any more suggestions?

  11. #11
    Can you get another range of IP addresses and sit the Guest VLAN on that? Having an extra block shouldn't be as much as buying a new device?

    We have two different ranges issued by default with SWGfL, one for admin and one for curriculum. The smaller admin one we never used, so I'm now utilising that for BYOD devices. Don't need to worry about having another box running for NAT. Using Ruckus here, and it authenticates logons against AD and restricts clients to accessing only the e-mail and Frog server on the main VLAN. DHCP is looked after by our normal DHCP server with the help of the DHCP Helper option on the core switch, and I point the DNS to the DNS servers of SWGfL. Works well.

    Pete

  12. #12 HCC
    I agree getting another range would be easier, as would removing the proxy, but trying to do so through East Sussex Technical and the South East Grid is proving difficult. They are really slow. It took them a month to do the firewall changes necessary for the Lightspeed box.
