  1. #1
    Master Untangler SirBC
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    Installing UT in front of SBS2003 with 2 NICs

    I will be using UT in front of my SBS2003 network and I have a few questions before I jump into the UT pool. My SBS has 2 NICs, RRAS firewall (not ISA), and SBS takes care of DHCP on the LAN. My 4-port wireless router is also doing DHCP, but as is shown in the diagram below, the SBS external NIC has a static IP, with this IP having an IP reservation in the router.

    The reason I was also having the router doing DHCP is that I originally offered wireless access for my patients (this is in a dental office), but it became too much of a headache to manage with having to rotate access keys, giving to patients, etc. So I now have 2 internet kiosks plugged into the router as well as 2 IP security cameras. I don't want or need any of those to be on my internal network, but I could also just use static IP's for those and then I could turn off DHCP on the router.

    However I end up using UT, I will still have SBS doing DHCP for the internal network. So, a couple of questions:

    1. Should I replace my router with UT? My router is nothing special, just a consumer grade Netgear. Is there any advantage to using the UT router? If I don't use UT, do I lose any functionality? If I run UT in bridged mode, are there any UT features I will be missing out on? I would like to close the open ports the way that Silver Bullet showed in his Tip of the Day post, but it looks like this is being done from within the routing module. If I don't use the routing module, can I still do this?

    2. If I do use UT for routing, can I plug a small switch into the 3rd NIC and use that for my internet kiosks and IP cameras? I would likely turn off DHCP on the UT box, would that cause any issues?

    Thanks!
    - Dave

  2. #2
    Master Untangler SirBC
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    Bumpity.

  3. #3
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,565

    I'm not a fan of double NAT'ing...especially for the primary network. A bit of a performance loss..and some applications that need to run through it can get quirky.

    Looking at your needs.....
    *Kiosk/wireless
    *IP cameras
    *SBS network...security..healthcare...

    I'd prefer to have Untangle as my primary router.
    I'd run SBS on just 1x NIC...single homed.

    I'm not sure what your needs are for the IP cameras..do you need to view/record these from the SBS network? Or from home? Or does it matter? Have your own local DVR or something for them that you can just walk up to?

    I'd put a small managed switch behind Untangle....and create port based VLANs (easily done with today's web managed switches)..to separate your Kiosk from the office network.

    Modem==>Untangle Red NIC....UNTANGLE...Untangle Green NIC...Port 1 of your managed switch.

    Now...I'd create VLAN1...for your Kiosk. Convert your wireless router into just an access point...and plug that into the port you assigned to VLAN1 (let's say..port 2). Port 1 of the managed switch (going to your Untangle box) would also be a member of this VLAN1. Your IP cameras can be plugged into ports 3 and 4..also make them a member of VLAN1.

    Now...take ports 5...on up....and make them members of VLAN2. Also add port 1 (your Untangle box)..as a member of VLAN2.

    Uplink your single NIC SBS box into port 5..the rest of your network into the rest of the ports...and they are all members of VLAN2.

    The switch prevents traffic from going between the VLANs..so the Kiosk cannot get to your SBS network..and vice versa. Stopped cold at the switch.

    There is some reconfiguration of your wireless router to make it an access point (killing DHCP, uplink to your managed switch using a LAN port on each..you don't use the WAN port of the wireless router, and change LAN IP to be in the range of your network..but outside the DHCP pool). Also the SBS box needs a little reconfiguring..disabling the outside NIC..running the CEICW again..good idea to leave it at 192.168.16.2...make the LAN side of your Untangle box 192.168.16.1, make your wireless router 192.168.16.2435.

  4. #4
    Master Untangler SirBC
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    Stonecat, thanks for the detailed response. I read over it a few times to try and digest it all and I think I managed to wrap my brain around what you are saying.

    When SBS2008 arrives I will be moving to a single NIC setup since it won't support 2 NICs, and I will also need a perimeter firewall, which is why I am now looking at getting Untangle up and running. However, I'd like to wait until I actually move to SBS2008 before moving to 1 NIC. I do like the idea though of VLANs, and my current switch does support port based VLANs.

    -Dave

  5. #5
    Master Untangler SirBC
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    I was thinking about this a little more over coffee this morning. StoneCat, was your recommendation for using VLANs to improve security? If I were to use UT as a router (in the above config from the graphic) and put the IP cameras and internet kiosks in the DMZ, would they not be segmented from the internal LAN just as effectively as using VLANs? In fact, traffic to/from the DMZ would never cross the internal NIC of the UT, while using a VLAN would require that traffic to cross the internal NIC. Wouldn't that be less secure, or am I misunderstanding something?

  6. #6
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,565

    Yeah...you can, that's another approach....basically you have the router handle a sort of VLAN itself that way. (a 3rd "zone"..call it orange or blue) I just prefer to keep things simple...a dual NIC router is quick and easy to build, web managed switches are quick 'n easy to manage.

    6 of 1, 1/2 a dozen of the other.

  7. #7
    Untangler john_es
    Join Date
    Apr 2008
    Posts
    33

    Quote Originally Posted by YeOldeStonecat View Post
    I'd put a small managed switch behind Untangle....and create port based VLANs (easily done with todays web managed switches)..to separate your Kiosk from the office network.

    What brand of managed switch would you suggest? I am looking at this setup and need to figure out what switch will pass through OpenVPN access.

    Thanks,
    John

  8. #8
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,565

    Quote Originally Posted by john_es View Post
    What brand of managed switch would you suggest? I am looking at this setup and need to figure out what switch will pass through OpenVPN access.

    Thanks,
    John
    I'm a big fan of HP ProCurve switches...solid performance, stable, and lifetime warranty.

    Linksys SRW series are actually fairly decent also.
