Wired Networks Thread, setting up vlans in Technical
  1. #16

    Quote Originally Posted by Mehmet View Post
    Why do you need an additional box to do NAT?

    How do your devices get onto the internet at the moment? Do you have an address range which is big enough for all of your devices? Are you allowed to use PAT?
    As said, set range given by SWGfL which is currently big enough for all devices which has a gateway address which will allow traffic only from that range. One option I guess would be to chop up said range, but would have to work out exact device numbers in each subnet. Not really sure on PAT if I'm allowed, tbh, not really thought of it. Main driver is to reduce the broadcast domains a bit, and also introduce a public access Wi-Fi VLAN in the future.

    Pete

  2. #17


    Quote Originally Posted by FragglePete View Post
    , and also introduce a public access Wi-Fi VLAN in the future.

    Pete
    Depending on the system you use you might well need loads of IPs for this. Our system gives out an IP address as soon as someone connects to the guest SSID, on a 3 hour lease we've got 311 IP addresses in use. Most haven't even logged on to use the system, they've probably just got their phones configured to automatically connect to any unsecured AP.

    EDIT: What we've done is put guest clients into a separate VLAN with a Forefront TMG server acting as a proxy. Only annoying thing is that you can't use TMG's transparent proxy function if you're connecting to an upstream squid proxy.
    Last edited by K.C.Leblanc; 1st May 2012 at 12:45 PM.


  4. #18

    Quote Originally Posted by FragglePete View Post
    As said, set range given by SWGfL which is currently big enough for all devices which has a gateway address which will allow traffic only from that range. One option I guess would be to chop up said range, but would have to work out exact device numbers in each subnet. Not really sure on PAT if I'm allowed, tbh, not really thought of it. Main driver is to reduce the broadcast domains a bit, and also introduce a public access Wi-Fi VLAN in the future.

    Pete
    I don't get it. The address block given to you is a public address block; they don't care about your private addressing scheme -- or do they? Obviously the NAT configuration would have to be altered to allow the new subnets to be translated -- is that a problem? If it is, then like you said you could subnet the private range you are currently using and it shouldn't be a problem (as long as your public address range is large enough).

  5. #19

    Quote Originally Posted by Mehmet View Post
    I don't get it. The address block given to you is a public address block; they don't care about your private addressing scheme -- or do they? Obviously the NAT configuration would have to be altered to allow the new subnets to be translated -- is that a problem? If it is, then like you said you could subnet the private range you are currently using and it shouldn't be a problem (as long as your public address range is large enough).
    It's not a public address block, it's a private address range within SWGfL network that has its own gateway that we use (we actually have two ranges, one for admin and one for curriculum but we only use the Curriculum range) - I don't have any control over the firewall, router, etc - just a range we have to use to be able to access the internet via the g/w address given. I can use an internal private range (and have done for the phone system), but will need to NAT from that range to the SWGfL range which I don't have the hardware for yet.

    I think that makes sense?

    Pete

  6. #20

    Quote Originally Posted by FragglePete View Post
    It's not a public address block, it's a private address range within SWGfL network that has its own gateway that we use (we actually have two ranges, one for admin and one for curriculum but we only use the Curriculum range) - I don't have any control over the firewall, router, etc - just a range we have to use to be able to access the internet via the g/w address given. I can use an internal private range (and have done for the phone system), but will need to NAT from that range to the SWGfL range which I don't have the hardware for yet.

    I think that makes sense?

    Pete
    Now I'm even more confused... "NAT from that range to the SWGfL range"? In that case, why not just use the range you have been provided with and subnet it?


  8. #21

    Quote Originally Posted by Mehmet View Post
    Now I'm even more confused... "NAT from that range to the SWGfL range"? In that case, why not just use the range you have been provided with and subnet it?
    That is also an option I'm looking at, breaking up the current range into smaller subnets. The range has 1024 IP addresses, but with hitting nearly 800 devices (when you take into account servers, printers, APs, desktops, laptops, projectors) squeezing those into logical subnets that keep administration simple might be a challenge. But, yes, one plan is to "NAT from that range to the SWGfL range" but this requires some sort of NAT device which I don't have.

    Thankfully the network is coping quite nicely being 'flat', but I know I can make it better by subnetting a bit more but careful planning is required.

    Pete

  9. #22

    Quote Originally Posted by FragglePete View Post
    That is also an option I'm looking at, breaking up the current range into smaller subnets. The range has 1024 IP addresses, but with hitting nearly 800 devices (when you take into account servers, printers, APs, desktops, laptops, projectors) squeezing those into logical subnets that keep administration simple might be a challenge. But, yes, one plan is to "NAT from that range to the SWGfL range" but this requires some sort of NAT device which I don't have.

    Thankfully the network is coping quite nicely being 'flat', but I know I can make it better by subnetting a bit more but careful planning is required.

    Pete
    Can I ask what private address range you have been assigned?

  10. #23

    Quote Originally Posted by Mehmet View Post
    Can I ask what private address range you have been assigned?
    PM sent!

  11. #24

    Quote Originally Posted by FragglePete View Post
    It's something I'm trying to do here; it's taken a while to get my head around it all but I'm almost there. Biggest stumbling block now is needing an additional 'box' to do NAT-ing for any additional VLANs we put in place. We're on a set range from SWGfL, so the VLANs won't be able to get out through the gateway. To implement it I want something quite robust and simple in place but not really decided on the best option just yet. (TMG, Smoothwall, etc) - Budget is an issue as well.

    Initial driver for us was putting a new VOIP phone system in place, and this was put on a separate VLAN to help prioritise traffic and separate it from the main network, but the phone system can't get out through the gateway due to lack of NAT-ing locally. It's not an issue for this system, but I do want to start breaking up the network but at the same time Keep It Simple!

    Pete
    We have been having a similar battle with SEGFL regarding NAT. It's not that they can't NAT on our Cisco router - just that they won't, and without it the telephone system has to route the call, which uses up all of the phone system's resources. They don't come with much as they are supposed to be only used for initiating the call (as far as I understand it at least). Anyway, I mention it only because there are three schools trying to do this with VOIP and you are now number 4. If I get anywhere with it I'll update.

  12. #25

    Quote Originally Posted by sparker View Post
    We have been having a similar battle with SEGFL regarding NAT. It's not that they can't NAT on our Cisco router - just that they won't, and without it the telephone system has to route the call, which uses up all of the phone system's resources. They don't come with much as they are supposed to be only used for initiating the call (as far as I understand it at least). Anyway, I mention it only because there are three schools trying to do this with VOIP and you are now number 4. If I get anywhere with it I'll update.
    Our Phone System doesn't use the Internet Connection for calls (SIP Trunks), we're using an ISDN30 for external access, just using our network infrastructure to deliver a phone in every room - I heard that SWGfL won't allow SIP trunks across their network and some schools have gone down the route of getting a dedicated Broadband line for this.

    Pete

  13. #26

    Quote Originally Posted by FragglePete View Post
    PM sent!
    I'm not going to pretend to know anything, I know nothing about how schools work, but seriously... if you need a larger address block then you need a larger address block... what do they want you to do exactly? If you subnet a /22 network and you're currently using 800 of those addresses then that doesn't give you much space for growth does it... and you don't want to have to redo the whole thing a year or two down the line. If you could run PAT you wouldn't have this problem, but I wouldn't be surprised if they didn't allow that!

  14. #27
    maark's Avatar
    You can stick printers on a different subnet as they don't need to connect to the internet - they just need to communicate with your servers. This will free up a few addresses.
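
Added example, not part of any post in this thread: a planner that checks how the device types Pete lists fit into a 1024-address block once each VLAN's subnet is rounded up to a power of two, and what happens with growth headroom, a guest VLAN the size K.C.Leblanc reports, or printers moved out of the range as suggested above. The block 10.0.0.0/22, the per-type counts and the single gateway address per subnet are assumptions; the thread gives only the totals.

```python
import ipaddress

# Constructed inputs: the thread gives only "1024 IP addresses" and "nearly 800
# devices"; the real range was sent by PM, so 10.0.0.0/22 is a placeholder.
BLOCK = "10.0.0.0/22"
DEVICES = {"laptops": 250, "desktops_classrooms": 240, "desktops_ict": 125,
           "printers": 60, "projectors": 50, "aps": 40, "servers": 25}

def plan_vlans(block, demands, growth_pct=0):
    """Carve one subnet per VLAN out of `block`, largest VLAN first.

    Returns (plan, unplaced, free): name -> subnet, the VLANs that did not
    fit, and the number of addresses left unallocated.
    """
    pool = [ipaddress.ip_network(block)]            # free blocks still available
    plan, unplaced = {}, []
    for name, hosts in sorted(demands.items(), key=lambda d: -d[1]):
        # Headroom plus network, broadcast and one gateway address (assumed).
        need = hosts + hosts * growth_pct // 100 + 3
        prefix = 32 - (need - 1).bit_length()       # smallest power of two >= need
        fits = [b for b in pool if b.prefixlen <= prefix]
        if not fits:
            unplaced.append(name)
            continue
        parent = max(fits, key=lambda b: b.prefixlen)   # tightest fit first
        pool.remove(parent)
        subnet = next(parent.subnets(new_prefix=prefix))
        plan[name] = subnet
        pool.extend(parent.address_exclude(subnet))     # return the remainder
    return plan, unplaced, sum(b.num_addresses for b in pool)

def scenarios():
    no_printers = {k: v for k, v in DEVICES.items() if k != "printers"}
    return {
        "today": plan_vlans(BLOCK, DEVICES),
        "10% growth": plan_vlans(BLOCK, DEVICES, growth_pct=10),
        "guest Wi-Fi in range": plan_vlans(BLOCK, {**DEVICES, "guest_wifi": 311}),
        "printers moved out": plan_vlans(BLOCK, no_printers),
    }

if __name__ == "__main__":
    for label, (plan, unplaced, free) in scenarios().items():
        print(f"{label}: {len(plan)} VLANs placed, {free} free, unplaced={unplaced}")
        for name, net in plan.items():
            print(f"    {name:20} {net}")
```

With these constructed counts everything fits today with 160 addresses spare, but either 10% headroom or a 311-lease guest VLAN inside the range uses up the whole block before the smaller VLANs are placed.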

  15. #28


    Quote Originally Posted by teejay View Post
    VLANs won't necessarily solve your problem, you are seeing the effects of a problem, ie network slowdown, without finding the cause of the problem. May I suggest before you do anything you invest some time with Wireshark and figure out what is causing the problem. Shout on here if you need help analysing
    You're right, it won't, and I think I found the problem today (I'm only there 3.5 hours a week; the trunk to ICT suite was in the wrong port so only 100mb, so was maxing out all the time; hopefully that's cured it). But it's been something I've been looking for an excuse to implement somewhere for a while. Granted, not the best reason ever, but atm I'm spending a lot of time bored, hence the 200+ line vbs inventory script a while back. I enjoy the challenges and atm am finding them few and far between (discounting pebkacs).

  16. #29

    Quote Originally Posted by sted View Post
    You're right, it won't, and I think I found the problem today (I'm only there 3.5 hours a week; the trunk to ICT suite was in the wrong port so only 100mb, so was maxing out all the time; hopefully that's cured it). But it's been something I've been looking for an excuse to implement somewhere for a while. Granted, not the best reason ever, but atm I'm spending a lot of time bored, hence the 200+ line vbs inventory script a while back. I enjoy the challenges and atm am finding them few and far between (discounting pebkacs).
    Well done

  17. #30


    Quote Originally Posted by Mehmet View Post
    Well done
    If that was the problem, lol. Don't like changing too many things at once as you never know in future which one actually worked.
