Topic: [SOLVED] Wireless Access Point: help with setup and correct network topology

suthagar

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +2/-0
    • View Profile
Hi Zentyal gurus, I need some assistance setting up a wireless router on our network.

Here is what I currently have:

1. A Zentyal Server configured as a gateway. It has 3 NICs: eth1 is external and uses PPPoE to establish an internet connection to a fibre-to-the-building link. eth2 is the internal connection which links to a managed secure switch and acts as a gateway for the rest of the network. eth0 is currently not set up but it is what I am hoping to attach the wireless router to.

2. A second Zentyal server which is essentially a file server using SAMBA and is also the PDC, DHCP server and DNS Server. It also hosts a few internal company webapps.

3. I have a Fritzbox 7390 box which, until it was replaced by the Zentyal gateway box, was modem, router and wireless AP.

4. Not sure if this matters but I have OSX, Windows 7 & 8, and Ubuntu Desktop boxes as well as a host of mobile devices as clients.

Diagrammatically the current topology is as follows:

[Internet] -->  eth1(PPPoE)[Zentyal Gateway]eth2-->[Switch]-->[Zentyal PDC, DHCP, DNS]
                                                      |----->[Wired Clients]

What I would like to setup is:

[Internet] -->  eth1(PPPoE)[Zentyal Gateway/Firewall]eth2-->[Switch]-->[Zentyal PDC, DHCP, DNS]
                                        |                      |------>[Wired Clients]
                                        |
                                       eth0-->[wireless AP]  -->[Wireless Clients]

Hopefully that makes sense. I'm basically trying to put the wireless AP behind the firewall.
I've tried a few things so far with little luck:

1. Tried setting a static address for eth0 but no matter what I put in, unless it's a different network segment it says the same IP already exists on eth2 - which is not correct.
2. Set wireless router to client IP mode which switches off the modem capability and allows you to set its IP, gateway etc., but no luck as I cannot ping the address I set.
3. Set wireless router to IP client mode but use DHCP - no luck, the router basically can't resolve the DHCP server and does not appear on Zentyal's lease list.

I've read every thread/post/site I could find but either I don't understand what I'm reading or it does not quite apply to my situation. I guess it boils down to: is the above topology correct, and how do I set eth0 to allow the wireless router to provide wireless access to the network? BTW the wired clients have no issues accessing the internet.

Thanks, and grateful for any assistance,

S

« Last Edit: October 21, 2013, 04:32:35 am by suthagar »

christian

  • Guest
« Reply #1 on: October 12, 2013, 04:21:36 pm »
Please move one step forward explaining what your addressing plan is.
I suspect something wrong with this step.

suthagar

« Reply #2 on: October 12, 2013, 06:22:24 pm »
@christian

Thanks for the reply. Not sure if I fully understand your question re: addressing plan. If you mean the layout of IP addresses then:

eth0 is supposed to be 192.168.178.3 (internal); however, as per my opening post, Zentyal won't let me set this to a static address and so I am using DHCP as the setting - would this be the issue?
eth1 has no IP other than what the ISP gives it as it uses PPPoE
eth2 is 192.168.178.1 which is the default gateway address for all clients

Wireless Router is supposed to have 192.168.178.10 but I've never been able to reach it - even its failsafe default 168.254.1.1 fails.
DNS server is 192.168.178.50 and has 2 forwarders.
DHCP range is 192.168.178.20-40
Wired clients have static IP addresses
Mobile clients were supposed to have dynamically allocated IPs

The gateway has not "joined" the domain per se. Not sure why I would do that though. So has no SAMBA / LDAP functionality.
Subnet is 255.255.255.0

Is this what you were after?  I'm happy to give you additional details if you could explain a bit more.

Thanks again for helping out.

S




« Last Edit: October 12, 2013, 06:32:36 pm by suthagar »

christian

  • Guest
« Reply #3 on: October 12, 2013, 06:36:17 pm »
Thank you, this is exactly what I meant.

- eth1 will get its IP from ISP, this is very clear.
- if you have 2 different internal interfaces, you must set IPs in different subnets, otherwise it doesn't work.
e.g.
eth0: 192.168.178.1
eth2: 192.168.179.1

This said, I would advise, except if you have specific needs, that you simplify your design to end up with only one single Zentyal server.
I can see a lot of added value with a dual-server design as you propose but it makes it more complex and this is perhaps not suitable for you yet.

As you have this 3-NIC server available, you can isolate wifi users and LAN users using only one single server. The secondary server doesn't help much here from this standpoint. It only prevents Samba from running on a server that is at the border to the Internet.

suthagar

« Reply #4 on: October 13, 2013, 03:11:55 am »
Hi christian

Thanks so much, you confirmed what I half suspected about the separate subnets. I'll give this a go a little later today (I need some semblance of a weekend!).

Re: two servers. You raise a good point. On a practical level the file server can at max only have two NICs - one primary and one is a failover which I've not implemented yet. All other slots are taken up with RAID card etc. so I can't put in another NIC. And the gateway machine is a re-purposed older PC which does not have the grunt to handle the requirements of our file server.

The second reason is stability. Although the file server is in a production environment, we run some internally developed apps on there - they are "supposedly" stable but who knows! As such I thought having a gateway devoted to managing the internet connection would be advisable so that it's not disrupted if anything should happen to the file server. We can just redirect the DNS / DHCP elements if needed. In fact once I deem the gateway machine stable I was thinking it could take over those functions as well, unless you think this is a bad idea?

The final reason is the one you mentioned, i.e. security. The firewall rules are different on the file server to the gateway - which also runs the intrusion detection modules. Although I could (if I had enough NICs) configure the one server to have all firewall rules, having two machines seemed more logical. But as an aside, from my Windows days I always thought that having your PDC and UTM functions on a single machine was not a good idea; is this not the case with Linux boxes?

Thanks again so much for all your help, this forum is quite vibrant. I've a ways to go yet in administering a Linux environment but I'm rapidly learning.

Kind regards,

S



BrettonWoods

  • Guest
« Reply #5 on: October 13, 2013, 05:38:58 am »
Just another question: why not just turn off all the firewall, DHCP and stuff on the wireless access point? Plug the WAN port to the switch and just have a single DHCP. Is it because of some need to differentiate wired and wireless? All the DHCP will pass through from Zentyal.

If your switch supports vlans this also makes a really neat option to segregate traffic and dhcp.
« Last Edit: October 13, 2013, 08:34:11 am by BrettonWoods »

suthagar

« Reply #6 on: October 13, 2013, 06:23:23 am »
@BrettonWoods

That would be a lot simpler, wouldn't it - put it through the switch, which is behind the firewall anyways. The wireless router has DHCP and DNS turned off so all it is is an AP. From an internal network standpoint we don't differentiate between our wireless devices and wired. The wireless devices only work within the building or its immediate precinct. I'll give that a shot.

The switch does support VLAN. Forgive my ignorance, but what advantage does that provide over, say, just plugging into a port like any other device?

Thanks

S


BrettonWoods

  • Guest
« Reply #7 on: October 13, 2013, 07:55:30 am »
You could set up 2 DHCP scopes, one for wired, one for wireless.

I was just trying to work out why not just turn off the internal DHCP and DNS and just pass through to Zentyal.

christian

  • Guest
« Reply #8 on: October 13, 2013, 08:18:49 am »
Your point about Samba with 2 NICs for HA makes sense. Running tests on the FW doesn't make sense (but does it on a server for which you try to improve HA, or are these 2 NICs for bandwidth only?)

Anyway, as I've, on my own design, split Zentyal and file sharing, I won't push you to do differently  :D

If I may try some suggestion:
- don't worry about VLAN; from what I understand, you don't need it.
- run infrastructure services on the main Zentyal server (the one acting as FW) then deploy Samba as an additional server. The role for each server depends on what kind of service you want to deploy. If infrastructure requires authentication, you will need to manage accounts on server 1 (infra) and you do want to share these accounts with server 2 (Samba). For the time being, this can be done by implementing 2 different approaches.
A few months ago, I would have suggested to look at LDAP replication to keep Samba isolated but after the last summit, now that I understand Zentyal strategy better, I would rather suggest to stay on the Samba side; it will make your life easier when migrating to the next versions.

At this stage it would be better if people running 3.x add their inputs here (I'll stay on 2.2 for multiple reasons and have no hands-on experience there) but I would, if I had to design these, look at the following design and deployment process:

- Start with server 2 (yes  :)) running only minimum services to run file sharing. This will bring other dependencies, don't worry.
- Once this server runs (test it with a device using a fixed IP), deploy server 1 and configure it as an additional domain controller. This will synchronize accounts you will create on server 2. On server 1, run FW, DNS, DHCP, mail if needed. File sharing will run here too but you will not share anything.

One interesting trick with such a design:
- on DHCP, configure leases to push server 2 as main DNS server for clients. You may use server 1 DNS as failover.
- configure DNS on server 2 to use server 1 DNS as forwarder
- enable cache on server 1 DNS

Regarding DHCP: use it to deliver IPs (on different subnets) for internal clients and wifi clients. For internal clients, be sure to define DHCP zone that is not too wide so that you can keep some addresses to manage IP reservation. Be sure server 2 is out of the dynamic range too  ;)

server 1 (eth2) is the default gateway for all internal clients (DHCP will deal with this except for static devices... like server 2  :))
server 1 (eth0) is default gateway for wifi clients but here again, DHCP will deal with this, don't worry.

With such a design, one potential pitfall is DNS content management: I don't have ideas clear enough with 3.x to tell whether DNS content is synchronized across the Samba domain. If not, you may have to manage, on server 2 that will be the main DNS server for internal clients, some entries for the mail server running on server 1. Not clear to me and even reading documentation, I can't make any clever choice here.

Regarding Stuart's comment:
"You could set up 2 dhcp scopes one for wired one for wireless."

It is not that you could: you must, as these are different subnets.
Then one could discuss whether implementing some kind of DHCP failover for internal clients makes sense using the DHCP server on server 2. I would suggest to keep things simple as a first approach and discuss this later.

Have fun  ;D ;D
« Last Edit: October 13, 2013, 08:25:27 am by christian »
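
An added example (not part of any post in this thread, and not Zentyal code): a small Python check of the addressing rules raised in Reply #3 and Reply #8, namely distinct subnets per internal NIC, DHCP ranges that fit their subnet, and fixed addresses outside the dynamic range with an on-link gateway. The function name `check_plan` and the wifi DHCP range are assumptions; the other addresses are the ones quoted in the thread.

```python
import ipaddress as ipa

def check_plan(interfaces, dhcp_scopes, static_hosts):
    """Return a list of problems in a gateway addressing plan (hypothetical helper)."""
    problems = []
    ifaces = {n: ipa.ip_interface(a) for n, a in interfaces.items()}
    names = sorted(ifaces)
    # Two internal NICs must not sit in the same (or an overlapping) subnet.
    for pos, a in enumerate(names):
        for b in names[pos + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} share subnet {ifaces[a].network}")
    # Each DHCP range must fit inside the subnet of the NIC that serves it.
    ranges = {}
    for n, (first, last) in dhcp_scopes.items():
        lo, hi = ipa.ip_address(first), ipa.ip_address(last)
        ranges[n] = (lo, hi)
        net = ifaces[n].network
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"DHCP range on {n} is not inside {net}")
    for label, (addr, gw) in static_hosts.items():
        addr, gw = ipa.ip_address(addr), ipa.ip_address(gw)
        # A fixed address must stay out of every dynamic range.
        for n, (lo, hi) in ranges.items():
            if lo <= addr <= hi:
                problems.append(f"{label} {addr} is inside the DHCP range on {n}")
        # Its default gateway must be a gateway NIC in the host's own subnet.
        on_link = [i for i in ifaces.values() if addr in i.network]
        if not any(i.ip == gw for i in on_link):
            problems.append(f"{label} {addr} has no on-link route to gateway {gw}")
    return problems

# Plan from Reply #2: both internal NICs in 192.168.178.0/24 (mask 255.255.255.0).
ORIGINAL = check_plan(
    {"eth0": "192.168.178.3/24", "eth2": "192.168.178.1/24"},
    {"eth2": ("192.168.178.20", "192.168.178.40")},
    {"dns": ("192.168.178.50", "192.168.178.1")},
)
# Split plan: wifi on 192.168.179.0/24; the wifi DHCP range is constructed.
SPLIT = check_plan(
    {"eth0": "192.168.179.1/24", "eth2": "192.168.178.1/24"},
    {"eth2": ("192.168.178.20", "192.168.178.40"),
     "eth0": ("192.168.179.20", "192.168.179.40")},
    {"dns": ("192.168.178.50", "192.168.178.1"),
     "wifi-ap": ("192.168.179.10", "192.168.179.1")},
)
print(ORIGINAL or "original plan OK")
print(SPLIT or "split plan OK")
```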

suthagar

« Reply #10 on: October 13, 2013, 01:08:35 pm »
Wow a lot to take in - thanks so much for such detailed insight and advice.

So this is what I spend my Sunday afternoon doing:

1. Tried BrettonWoods's suggestion of putting the wifi AP onto the switch - worked perfectly, interestingly not on a different subnet. This was a test; I don't intend to keep it this way.

2. Switched server 1 (the firewall) to act as primary DNS and DHCP.

3. Turned server 2 to secondary DNS for now - this is the reverse of what you are recommending, I think. Server 2 is also running SAMBA, firewall and backup.

So far everything is working fine.

Things to do this week:

1. Server 1 eth0 to go on a different subnet, probably 192.168.179.1 - is there any value in giving it a virtual address on the main subnet, i.e. 192.168.178.x?

2. Set wireless AP to use 192.168.178.1 as default gateway but I will give it a static address on the new subnet.

3. Turn server 1 into secondary DC. Server 2 and indeed all non-client systems have static IPs outside of DHCP range.

Lots of fun to be had looking forward to the challenge. I'll keep you guys posted on any further developments this week and then mark the thread solved on Friday.

Small digression:

@BrettonWoods your user name brings back memories, apart from being part time sysadmin I'm also a practicing economist and a die hard Keynesian  - bring on a global reserve currency I say! In fact the firm I work builds economic modeling software, I'm helping with the initial infrastructure to save setup costs. 

Thanks again to both of you. This forum and the software is amazing.

Kind regards,

S
 
 

 



christian

  • Guest
« Reply #11 on: October 13, 2013, 01:33:38 pm »
Samba with primary DNS on a non-Samba server... how does it work? Are you using the (Windows) domain concept and if yes, are domain related DNS entries pushed to the primary DNS server?

suthagar

« Reply #12 on: October 13, 2013, 02:04:45 pm »
Hi christian

Rereading, I might not have explained as well as I could have. Server 1 has SAMBA on it - no shares and is acting as a standalone machine. I know of no other way to make a DNS server. In response to your second question - not sure; each of the servers is aware of each other in the same domain, so I assumed the primary DNS handled the domain entries by default. A little new to this side of things but it's on my list to test. So far though all requests for internal names and external addresses are being consistently resolved correctly.


BrettonWoods

  • Guest
« Reply #13 on: October 13, 2013, 10:19:29 pm »
@suthagar Damn, I have been helping a neoliberalist! Detest Keynes and all they stood for.

Constant growth just ain't possible in a finite planet. Glad you're sorted, should have explained BrettonWoods was just twisted humour :)
 

suthagar

« Reply #14 on: October 20, 2013, 03:35:48 pm »
@christian

Sorry for the late response - I was laid out flat with the flu. The wireless point seems to work; a minor amendment is adding a static route to the wireless router so that it goes to the gateway box. I'm yet to enable captive portal. Without the static route I'm effectively relying on the wireless router's firewall for mobile clients - which defeats the purpose somewhat. Thanks again for the help.

@BrettonWoods LOL, we are going to have to disagree, given Keynes is a hero of mine, though I tend to be more in the modern liberalism school; and constant growth is possible if input-output efficiency is not held constant ;-P. I would love the opportunity to continue to exchange views on another forum - name your place! Economics aside, thanks for the assist on getting my network up and running.

To both: how do I mark this solved so it offers guidance to others?