Author Topic: Multiple IP ranges for DHCP  (Read 2358 times)

Darky

Multiple IP ranges for DHCP
« on: August 29, 2011, 11:53:22 am »
Hallo,

We have 50 IPs which can connect via a gateway to the internet. Since we have about 100 computers, we installed Zentyal as a gateway and DHCP server. The Zentyal server now uses one of the 50 IPs and all the other computers are in an internal 192.168.2.X network. We have two network interfaces, one external and one internal. All IPs are fixed based on the MAC address.

Is it possible to configure Zentyal in such a way that 50 computers get the external IPs and the rest are on an internal network? The computers with the "external" IPs also have to get different information for the gateway, since they do not have to go through Zentyal. However, they should be able to see the Samba server and make remote desktop connections (Windows) to the "internal" IPs.
Why the whole effort? We only have the internal network because we ran out of IPs. However, the Zentyal server turns out to be a bottleneck as internet gateway.

greetings

christian

Re: Multiple IP ranges for DHCP
« Reply #1 on: August 29, 2011, 12:06:38 pm »
Darky,

Basic answer is yes, but I'm a bit surprised  :o

If I understand correctly, you have allocated "public" IP addresses (in reference to RFC1918) to 50 clients, correct?
Does it mean they all have direct access to the internet?

If I were in your seat, I would investigate further why Zentyal as gateway is a bottleneck. It's a bit strange to me unless you run Zentyal on small hardware short of resources.
With 50+ users (100 for you), a shared gateway will benefit from HTTP proxy, anti-spam and anti-virus.
Could you please elaborate on the performance issue?

It's very likely, with the design you describe, that users complain because they are used to having direct access to the Internet and may refuse any infrastructure that will potentially bring some control on what they do there  ;)
If not, it is definitely very interesting to understand further where the bottleneck is (if any)...

christian

Re: Multiple IP ranges for DHCP
« Reply #2 on: August 29, 2011, 12:11:48 pm »
This said, reaching the design you target is very easy:
- keep one Zentyal network interface as external (not mandatory, but my advice to keep the internal one protected)
- define DHCP ranges on both internal and external, with a different default gateway for each, as you already understood
- then it's a matter of FW rules to authorise access to Samba
- would the need for remote desktop connections be relieved if all desktops were on the same internal LAN?
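The split described in this reply (one DHCP scope per Zentyal interface, each handing out its own default gateway, with every address fixed by MAC as the original post says) is easy to get subtly wrong: a public client that receives Zentyal as its router is silently back behind the gateway, and a reservation that collides with the ISP router breaks everyone. The following is an added example, not code from the thread or from Zentyal; it models the two scopes in plain Python, checks those invariants, answers "what would this MAC be offered", and renders the result as an ISC dhcpd.conf fragment (the server Zentyal drives underneath). All addresses and MACs are constructed: 203.0.113.0/26 (a documentation range) stands in for the real public block, 203.0.113.1 for the ISP router, and 203.0.113.2 / 192.168.2.1 for Zentyal's two interfaces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Scope:
    """One DHCP scope: one Zentyal interface, one subnet, one option set."""
    name: str
    network: ipaddress.IPv4Network
    router: IPv4        # default gateway handed to clients in this scope
    dns: IPv4           # DNS server handed to clients in this scope
    reserved: frozenset  # never leased: the gateway and Zentyal itself


def ip(s: str) -> IPv4:
    return ipaddress.IPv4Address(s)


# Constructed addressing; documentation range stands in for the public block.
ISP_ROUTER = ip("203.0.113.1")
ZENTYAL_EXT = ip("203.0.113.2")
ZENTYAL_INT = ip("192.168.2.1")

SCOPES = [
    # Public clients route straight to the ISP router; Zentyal only serves
    # DHCP and DNS for them and is deliberately NOT their default gateway.
    Scope("external", ipaddress.IPv4Network("203.0.113.0/26"),
          router=ISP_ROUTER, dns=ZENTYAL_EXT,
          reserved=frozenset({ISP_ROUTER, ZENTYAL_EXT})),
    # Private clients are NATed through Zentyal, so Zentyal is their gateway.
    Scope("internal", ipaddress.IPv4Network("192.168.2.0/24"),
          router=ZENTYAL_INT, dns=ZENTYAL_INT,
          reserved=frozenset({ZENTYAL_INT})),
]

# Constructed MAC-to-address reservations: hostname -> (MAC, fixed address).
HOSTS: Dict[str, Tuple[str, str]] = {
    "pc-alice": ("00:11:22:33:44:01", "203.0.113.10"),
    "pc-bob":   ("00:11:22:33:44:02", "203.0.113.11"),
    "pc-carol": ("00:11:22:33:44:03", "192.168.2.50"),
    "pc-dave":  ("00:11:22:33:44:04", "192.168.2.51"),
}


def scope_for(addr: IPv4, scopes: List[Scope] = SCOPES) -> Optional[Scope]:
    """Return the scope whose subnet contains addr, or None."""
    for scope in scopes:
        if addr in scope.network:
            return scope
    return None


def validate(hosts=HOSTS, scopes=SCOPES) -> List[str]:
    """Check the invariants the split design relies on; return problems found."""
    problems = []
    for scope in scopes:
        if scope.router not in scope.network:
            problems.append(f"{scope.name}: router {scope.router} not on {scope.network}")
    seen_macs, seen_addrs = set(), set()
    for name, (mac, addr_s) in hosts.items():
        addr, mac = ip(addr_s), mac.lower()
        if mac in seen_macs:
            problems.append(f"{name}: duplicate MAC {mac}")
        if addr in seen_addrs:
            problems.append(f"{name}: duplicate address {addr}")
        seen_macs.add(mac)
        seen_addrs.add(addr)
        scope = scope_for(addr, scopes)
        if scope is None:
            problems.append(f"{name}: {addr} is in no DHCP scope")
            continue
        if addr in scope.reserved:
            problems.append(f"{name}: {addr} is reserved for infrastructure")
        if addr in (scope.network.network_address, scope.network.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address")
    return problems


def lease_for(mac: str, hosts=HOSTS, scopes=SCOPES) -> Optional[dict]:
    """What a client with this MAC is offered: address, gateway, DNS (None if unknown)."""
    for name, (host_mac, addr_s) in hosts.items():
        if host_mac.lower() == mac.lower():
            scope = scope_for(ip(addr_s), scopes)
            if scope is None:
                return None
            return {"host": name, "address": addr_s, "scope": scope.name,
                    "router": str(scope.router), "dns": str(scope.dns)}
    return None  # unknown MAC gets nothing, matching deny unknown-clients below


def render_dhcpd_conf(hosts=HOSTS, scopes=SCOPES) -> str:
    """Render the design as an ISC dhcpd.conf fragment."""
    lines = ["deny unknown-clients;", ""]
    for scope in scopes:
        net = scope.network
        lines += [f"subnet {net.network_address} netmask {net.netmask} {{",
                  f"  option routers {scope.router};",
                  f"  option domain-name-servers {scope.dns};", "}", ""]
    for name, (mac, addr) in hosts.items():
        lines += [f"host {name} {{", f"  hardware ethernet {mac};",
                  f"  fixed-address {addr};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("problems:", validate() or "none")
    print(lease_for("00:11:22:33:44:01"))
    print(render_dhcpd_conf())
```

Running it prints no problems, shows that pc-alice is offered 203.0.113.1 (the ISP router) as gateway while pc-carol gets 192.168.2.1 (Zentyal), and emits the two subnet blocks plus the host reservations. The rendered fragment has no `range` statements on purpose: with every address fixed by MAC and `deny unknown-clients`, an unregistered machine plugged into either segment is offered nothing, which is also the check worth keeping when reservations are edited by hand.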

Darky

Re: Multiple IP ranges for DHCP
« Reply #3 on: August 29, 2011, 12:56:07 pm »
Thanks for your help.

Quote
It's very likely, with the design you describe, that users complain because they are used to having direct access to the Internet and may refuse any infrastructure that will potentially bring some control on what they do there  ;)

Of course, you seem to be completely right here. However, there is one strange problem which is hard to get by. Bottleneck is the wrong word here.
First, my situation:
We are a chair at a university and I voluntarily manage the server. So I do not know about RFC1918, but we have the kind of IPs you can reach from everywhere and that do not go through a NAT ;) Internet access for the chair members has the highest priority here.
The problem:
I recently did a manual update from eBox 1.4 to Zentyal 2.0. Since then, sometimes the internet connection for some users is broken. It worked fine with the eBox setup. It happens rather randomly, but here are the facts:

- It happens to Windows 7 and XP machines
- about 3 times a day
- connection lost for seconds up to minutes
- the Windows network interface gets the small yellow exclamation point
- one user who reported having big problems seems to have solved it by disabling IPv6 on Windows 7. I am trying this myself at the moment.
These problems are reported to me. My personal experience:

- It happens every other day for a few seconds on my Windows 7 machine.
- restarting the network interface solves the problem (the average knowledge about computers is not enough to expect everyone to do this)
- Strange firewall behavior: http://forum.zentyal.org/index.php/topic,7797.msg31289.html#msg31289

Server settings as I wrote before, plus:
- Firewall is open for DNS in every thinkable way (still the reported drops on the DNS port)
- Dansguardian on "always allow" (to rule out a problem) and 1Gb cache
- When I turn on Dansguardian the free RAM can drop down to a few hundred megabytes

So I wanted to deal the public IPs to permanent chair members for whom a reliable connection is important, because I cannot get by this problem.
« Last Edit: August 29, 2011, 12:59:05 pm by Darky »

christian

Re: Multiple IP ranges for DHCP
« Reply #4 on: August 29, 2011, 02:33:18 pm »
For sure you are the one to make the final decision, as you will have to face and support users  ;)

The problem I see with public IPs and "direct" access is not so much control, filtering or anything like that, but risk if (and I don't know what is deployed on your side from this perspective) there is no infrastructure between the internet and the clients preventing unauthorized access to client stations.

Based on what you describe (and assuming there is no bug, which is another topic), I would configure Zentyal so that:
- all clients are on a single private LAN. One DHCP range.
- HTTP proxy is "on" without filtering (I do NOT mean transparent proxy here, however)
- DHCP provides the Zentyal server as DNS for clients (no need for clients to resolve names using external DNS). No need to define very short leases if clients are not moving a lot. You will not face any IP address shortage issue with 100 clients.
- Zentyal is configured to use localhost as first DNS (if needed) and external DNS.
- At FW level, no connection is authorized through the FW between the external LAN (your public address range) and the internal LAN (the private one). Any service should stop at the Zentyal border (like HTTP if needed, SMTP, POP/IMAP if needed)
- I would also advise reinstalling Zentyal 2.x from scratch. Migration from 1.x is not very clear to me, but I believe the Zentyal team may have better advice here. Regarding this, waiting for the 2.2 release is, for what I can see so far, a good idea.

Then we have to solve the bugs you highlight  :-\