NAT Guest VLAN
I am thinking about how to set up a secure guest VLAN with its own DHCP scope and DNS etc. to keep it separate from the main network. We currently have everything on VLAN 1. Switches are mainly 3com or HP with a pair of 3com 5500s at the core. We have Ruckus for wireless.
I have managed to create a VLAN to test it out and these are the problems I've had so far:
- Internet doesn't work because the IP range is different to the RBC-assigned range. Do I need to use NAT somehow, or reserve some IPs from the main range?
- Proxy settings on guest devices: ideally I want all guest devices to use port 80 and not need to enter proxy settings, for maximum compatibility. I'm looking into removing the proxy altogether and using Lightspeed as the filter.
I'm trying to find a system that is simple to configure and maintain. Do I need a NAT hardware router, that can also do guest DHCP and DNS? Can anyone suggest anything?
The router at the demarc for the connection to the internet will need to know about the new network and how to route to it.
If you have the Ruckus controller it should do most of the work for you. You'll have to create a WPAD file for proxy autodiscovery and put its info in DHCP and DNS.
Thanks for the replies,
I can't change the gateway switch because it belongs to the internet provider, but I'll ask them if they could add another private range...
I looked at the Ruckus settings. I found how to isolate the clients which is good, and I've already created a L3/4/IP address Access Control list but I couldn't get it to work. What rules would be needed to only allow internet access and nothing else? I also want guest devices to use their own DHCP, and DNS.
I can't get a range added to the gateway device, so I will need an intermediate L3 device to NAT the VLAN IP ranges. Any suggestions for something easy to configure and maintain? Most of the switches here are 3com or HP.
Would be great if such a device could also provide DHCP and DNS for the guest VLAN and rules to prevent the guests accessing the main school network, with a nice web gui.
I'm not getting anywhere either asking for the crappy RM upstream proxy to be removed. I don't mind keeping the proxy setting for the devices we control so I don't have to re-configure them, but I don't want this added complexity for guest devices.
Can a NAT device hide the proxy, so the guest devices can use port 80, or is this an extra service or device that's needed to do this?
Something like Smoothwall would be great for this; it's very similar to what we do for our guest networks. Our Smoothwall box is the gateway device for these networks and provides DHCP & DNS proxy for them. It's set up as a transparent proxy so no configuration is required on the clients.
A cheap/free way of doing it might be to set up a Linux box running squid/dhcp/dns to do the same. Have two interfaces: one to your main network and one to the guest VLAN.
How good are your switches? Your core may be able to manage NAT; if not, ISA/TMG also gives you lots of features, including caching, which can be handy.
Yes, that should do it, although it might not quite meet the "easy to configure" criteria. However, if the original poster needs a hand I can probably help. You'll just need a basic machine, install Debian and set up iptables - I have an example setup that should be easy enough to adapt. You just need to tell the Debian machine to use your existing gateway, and if you want a DNS server you just install bind and tell it to use your current DNS server as its upstream DNS server. You can set up Squid to do caching if you like, and you can get that to do more filtering, too, if you want, or even act as a captive portal (first time it sees a MAC address, show an acceptable use policy, or whatever), although I'm sure by now there's probably a nice all-in-one way of doing all this.
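A worked ruleset for the two-interface Debian/iptables approach described in this post: it NATs the guest VLAN behind the box's address towards the existing gateway, lets guests reach only the box's own DHCP and DNS, drops anything aimed at the main school network, and optionally redirects port 80 to a transparent Squid so guests need no proxy setting. This is an added example, not the poster's own setup; the interface names, subnets and the Squid port are assumed values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Debian box acting as
# the guest VLAN's NAT gateway. All interface names and subnets passed in are
# assumed values for the site; 3128 is Squid's default port.
# Usage: gen_guest_nat_rules WAN_IF GUEST_IF GUEST_NET MAIN_NET [SQUID_PORT]
#   e.g. gen_guest_nat_rules eth0 eth1 10.200.0.0/24 192.168.0.0/16 3128 \
#          > /etc/iptables/rules.v4   (then: iptables-restore < that file)
gen_guest_nat_rules() {
    wan_if="$1"       # towards the provider's gateway / internet
    guest_if="$2"     # on the guest VLAN
    guest_net="$3"    # guest VLAN subnet (the range the gateway knows nothing about)
    main_net="$4"     # main school LAN guests must never reach
    squid_port="$5"   # empty = no transparent proxy redirect
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    # Only if a Squid in 'intercept' mode listens on this box: hide the
    # upstream proxy from guests by redirecting their plain port-80 traffic.
    if [ -n "$squid_port" ]; then
        echo "-A PREROUTING -i ${guest_if} -s ${guest_net} -p tcp --dport 80 -j REDIRECT --to-ports ${squid_port}"
    fi
    cat <<EOF
# Guests leave via the box's own address, so the provider's gateway only
# ever sees the existing range.
-A POSTROUTING -s ${guest_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Guests may talk to the box itself only for DHCP and DNS.
-A INPUT -i ${guest_if} -p udp --dport 67 -j ACCEPT
-A INPUT -i ${guest_if} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${guest_if} -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Isolation: drop guest traffic bound for the main network BEFORE the
# internet-allow rule, and refuse anything the main network initiates.
-A FORWARD -i ${guest_if} -d ${main_net} -j DROP
-A FORWARD -i ${guest_if} -s ${guest_net} -o ${wan_if} -j ACCEPT
COMMIT
EOF
}
```

Load the output with iptables-restore and enable forwarding with `sysctl -w net.ipv4.ip_forward=1`; the Squid redirect line is only emitted when a port is given.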
Originally Posted by Ashm
pfsense..... Enough said! :)
Thanks for the posts.
I agree Smoothwall could do this, but it was too expensive, which is why we ended up with Lightspeed. I'm still hoping that the proxy can be removed to save me all this extra work.
Maybe Smoothwall Express could be used.
I looked at ISA/TMG but I'm a bit anti now that Microsoft has discontinued them.
pfSense looks interesting.
I'd rather have a switch-type hardware device than a server, because of power and heat problems where the internet comes into the building.
I have a little experience with switch config via telnet, but would still much rather have a nice web GUI.
Any more suggestions?
Can you get another range of IP addresses and sit the guest VLAN on that? Having an extra block shouldn't cost as much as buying a new device?
We have two different ranges issued by default with SWGfL, one for admin and one for curriculum. The smaller admin one we never used, so I'm now utilising that for BYOD devices. Don't need to worry about having another box running for NAT. Using Ruckus here; it authenticates logons against AD and restricts clients to only accessing the e-mail and Frog server on the main VLAN. DHCP is looked after by our normal DHCP server with the help of the DHCP Helper option on the core switch, and I point the DNS to the DNS servers of SWGfL. Works well.
I agree getting another range would be easier, as would removing the proxy, but trying to do so through East Sussex Technical and the South East Grid is proving difficult. They are really slow. It took them a month to do the firewall changes necessary for the Lightspeed box.