
Configuring Internal DHCP on Windows Server and staying on the Internet

  • 05-10-2016 9:26pm
    #1
    Registered Users Posts: 84 ✭✭


    Long winded explanation followed by long winded question alert.

    Hi,
    I'm looking after the network in a primary school, I'm a teacher with a little networking knowledge and I'm in the process of getting someone to take over looking after our network but haven't got anyone yet. In the meantime I'm running out of IP addresses and regularly have to bump phones off the network in order to get teachers' laptops back on (I plan to set reservations for teacher laptops so that this won't continue but I'm still short of addresses).
    I have two choices, one is to get the "school broadband" people to increase the number of IP addresses available to the school (all public IPs), the other choice is to configure DHCP on a private IP range on Windows server and then connect (bridge?) to the public address on the "school broadband" Cisco router to get internet access.
    I think the second solution is better as it gives us more control over the network because, for example, I won't come up against this problem again if we get more devices in the school by having, for example, a BYOD day.
    I can set up DHCP on the server (I have an internal scope set up but deactivated for the time being) but the trouble is I'm not sure of the best way to ensure internet access.
    I have Win server 2012 OS on a PC with one NIC, the aforementioned Cisco box is on the same subnet and acts as our gateway. Now for the long winded question(s):
    Do I need another box between the server and the Cisco?
    Or
    Can I reconfigure the Cisco to acknowledge the internal subnet?
    Or
    Do I need another NIC in the server?
    Or
    Can this all be done through the server? (If it's done through the server will all internet traffic go through the server creating a bottleneck or will the client and Cisco router communicate directly?)
    Or
    Am I talking through my arse and there's a very simple alternative that I haven't mentioned?

    I'd appreciate a push in the right direction. Thanks,

    Rob


Comments

  • Registered Users Posts: 5,379 ✭✭✭DublinDilbert


    mrroboito wrote: »
    ...

    You need to plan out your network before making any changes.

    Sounds like you have proper external IP addresses, how many have you got?

    How many fixed hosts have you on the network?

    Do you want the byod devices to be able to access the network resources or just the internet?

    How many wireless devices do you need to support?

    What sort of wireless access points have you got?

    Sounds like a bit of a free for all on the wireless at the moment. You're going to have to look at nat-ing, to support all the different hosts.

    I'd be surprised if you had a block of external IP addresses, I'm guessing your dhcp pool might be getting depleted, but that's a guess.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    mrroboito wrote: »
    I'm looking after the network in a primary school, I'm a teacher with a little networking knowledge and I'm in the process of getting someone to take over looking after our network but haven't got anyone yet.

    It might be better if you look after it - you'll always be on-hand to fix tiny issues before they become a problem

    and ( free bonus! ) you should get good at it - might lose the will to live though


    mrroboito wrote: »
    I have Win server 2012 OS on a PC with one NIC,


    Is this PC doing any other jobs at the moment ?


  • Registered Users Posts: 84 ✭✭mrroboito


    gctest50 wrote: »
    It might be better if you look after it - you'll always be on-hand to fix tiny issues before they become a problem

    and ( free bonus! ) you should get good at it - might lose the will to live though

    Is this PC doing any other jobs at the moment ?

    Ah, should have mentioned it's the domain controller and print server.

    I've been looking after everything in the school for years but it's gone too big for me to keep doing this and still find time for my actual job.


  • Registered Users Posts: 84 ✭✭mrroboito


    DublinDilbert wrote: »
    ...

    Loads of questions there, to be honest, the network is set up pretty well, I have approx 20 fixed IPs on APs, printers, NAS, etc. We have enterprise level Motorola wireless set up with three VPNs, most mobile devices just need web access, we might have 120 wireless devices in use daily plus guests.
    The problem is I have only 120 public (genuinely) ip addresses to handle all this.
    I can handle most tasks and config, I just don't know what is best practice for getting web access for my clients when I change to private IPs.


  • Registered Users Posts: 5,379 ✭✭✭DublinDilbert


    mrroboito wrote: »
    Loads of questions there, to be honest, the network is set up pretty well, I have approx 20 fixed ips on APs, printers, NAS, etc. We have enterprise level Motorola wireless set up with three VPNs, most mobile devices just need web access, we might have 120 wireless devices in use daily plus guests.
    The problem is I have only 120 public (genuinely) ip addresses to handle all this.
    I can handle most tasks and config, I just don't know what is best practice for getting web access for my clients when I change to private IPs.

    Are the fixed ip addresses you've assigned to the printers, nas, etc internal IP addresses? Or have you selected 20 of the external ones but have them statically assigned to these devices?

    It's not clear if you're using internal IP addresses on the LAN and nat-ing onto the real address when going external???


  • Registered Users Posts: 84 ✭✭mrroboito


    DublinDilbert wrote: »
    Are the fixed ip addresses you've assigned to the printers, nas, etc internal IP addresses? Or have you selected 20 of the external ones but have them statically assigned to these devices?

    It's not clear if you're using internal IP addresses on the LAN and nat-ing onto the real address when going external???

    Hi,
    Everything in the building is on the external/public addresses.


  • Registered Users Posts: 3,318 ✭✭✭davo2001


    mrroboito wrote: »
    Hi,
    Everything in the building is on the external/public addresses.

    Any particular reason for this? Would it not be easier to have everything coming in on one external IP and route it to a private subnet?

    A lot of work to change it initially but better in the long run.


  • Registered Users Posts: 1,656 ✭✭✭rogue-entity


    mrroboito wrote: »
    I think the second solution is better as it gives us more control over the network because, for example, I won't come up against this problem again if we get more devices in the school by having, for example, a BYOD day.
    I can set up DHCP on the server (I have an internal scope set up but deactivated for the time being) but the trouble is I'm not sure of the best way to ensure internet access.
    I have Win server 2012 OS on a PC with one NIC, the aforementioned Cisco box is on the same subnet and acts as our gateway.
    You confirmed that the Cisco router is issuing public IPs to connected devices, that you have 120 of them (so you have a /25 subnet) not counting devices with static addresses assigned. If these are not firewalled then you have infrastructure (and guest devices) exposed directly to the Internet.

    The simplest approach would be to have a large flat network, but the ideal approach would be to use a number of subnets to make things manageable.
    Both of these require that you obtain or build a router/firewall that can act as your gateway between the internal private network and the external network. Each subnet could then have its own public IP and separate firewall rules over what is permitted in and out of the network. Even different priorities for example if you have VoIP telephone service.

    Take the above as a suggestion, others may have a better approach.


  • Registered Users Posts: 2,426 ✭✭✭ressem


    rogue-entity wrote: »
    You confirmed that the Cisco router is issuing public IPs to connected devices, that you have 120 of them (so you have a /25 subnet) not counting devices with static addresses assigned. If these are not firewalled then you have infrastructure (and guest devices) exposed directly to the Internet.

    The simplest approach would be to have a large flat network, but the ideal approach would be to use a number of subnets to make things manageable.
    Both of these require that you obtain or build a router/firewall that can act as your gateway between the internal private network and the external network. Each subnet could then have its own public IP and separate firewall rules over what is permitted in and out of the network. Even different priorities for example if you have VoIP telephone service.

    Take the above as a suggestion, others may have a better approach.

    Not quite,
    the NCTE / PDST provide the class-c subnet or subportion to each school. And the NCTE provide the firewalling and monitoring.
    If asked, the NCTE will disable DHCP on their equipment, allowing you to substitute your own.
    Or ask them for a larger subnet, as the OP stated.

    Are there actually that many devices simultaneously active or do the DHCP registrations not expire fast enough?

    A decent layer 3 core switch + VLANs could be set up to shove the Motorola connected devices onto 10.x.0.0/16 subnets, but it's not really good practice.

    Usually the Motorola device guest wifi VLAN could/would be set up to assign the DHCP for guest devices internally, to divide them from the LAN.

    I did the same as you're suggesting one summer years back when the department was unresponsive, using a linux PC as a gateway. Worked ok.


  • Registered Users Posts: 5 Shishkebaby


    do you have a managed switch connected to the router ? if so what Model ?
    Also what Model is the Cisco Router ?


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    ...
    Also what Model is the Cisco Router ?

    The Cisco NSA-roodkcab-400



  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    davo2001 wrote: »
    Any particular reason for this? Would it not be easier to have everything coming in on one external IP and router it to a private subnet?

    It appears to be HEANET doctrine. I'm not sure why. Some of the large 3rd levels still give EVERY machine a public while others moved to NAT.


    OP my first port of call would be to drop a quick mail to the HEANET schools desk. If they've bothered to allocate you more than a /27 there may be a reason why, as above they seem to have a policy of it. As they're providing your pipe it'd be good to at least ask what they want done.

    Adding NAT to the system is likely to have some niggling issues so I'd do the transfer at 3 or 4 on a Friday so you have time to test and reconfig before your colleagues are sending messengers to your class to complain.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    ED E wrote: »
    It appears to be HEANET doctrine. Im not sure why. Some of the large 3rd levels still give EVERY machine a public while others moved to NAT.

    Inter-connectivity. There are serious issues for example with government departments who decide to start linking systems and create internal connections. Seems like a lot of space in 10 until two or more entities meet. And nobody likes re-IPing.

    If every school and college is effectively within an internal network (Heanet), then they either manage all the private address space and deal with NAT to the public or they give out public IP space and let the orgs do what they want to do.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    I understand where there could be benefit there for the third levels that may have inter-institution research groups or for the likes of Eduroam. But for the schools deployment it seems weird.

    It's probably not been a consideration up until now as a school of 700 pupils still only had circa 150 devices on the network but now with a one for every child mantra that won't work.

    Considering each of the institutions with a large block could sell off most for upwards of €40,000 it wouldn't surprise me if there's a change with the current funding climate.


  • Registered Users Posts: 84 ✭✭mrroboito


    Hi,
    I've been a bit lax with keeping up with this during the weekend, I'll have to check model numbers of the Cisco router and switches (switches are managed but we are not using this facility at the moment, they are Zyxel, have to check model).
    I think I'll go ahead and stick a router between the internal network and the Cisco then set up an internal, private subnet (just one for the moment) behind that.
    I have a couple of routers hanging around that I think are capable of doing the job. Now just have to find the time to get this done.
    Thanks for all the replies, I'll post model numbers as I'm curious about whether doing this can get me the ideal answer but as of now, I'm planning a big old overhaul.

    Rob
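The private scope the thread ends up recommending (one internal subnet behind a router that NATs out through the Cisco, reservations for the teacher laptops, a short lease so idle phones hand addresses back), written out as an added PowerShell example: it is mine, not posted by anyone in the thread. The address range, router, DNS server, domain name and MACs are constructed placeholders, and it assumes the DHCP role is already installed on the 2012 server and the server's own NIC has been moved to a static address inside the new range.

```powershell
# Added example, not from the thread. Builds the private scope the OP plans on a
# Windows Server 2012 DHCP server: one internal subnet behind a router that NATs
# out through the NCTE Cisco gateway. Every address, name and MAC below is a
# constructed placeholder; substitute your own range.
# Assumptions: the DHCP role is installed (Install-WindowsFeature DHCP), the
# server's single NIC already has a static address inside the new range, and
# the internal router sits at the first address of that range.

$ScopeId    = '10.0.0.0'
$SubnetMask = '255.255.255.0'   # /24: 254 usable addresses, versus the 120 public ones
$Router     = '10.0.0.1'        # the new internal router that NATs to the Cisco
$DnsServer  = '10.0.0.10'       # this server; it is the DC, so clients must use it for DNS
$DnsDomain  = 'school.example'  # placeholder AD domain name

# Authorise this server in Active Directory. Domain-joined DHCP servers refuse to
# hand out leases until authorised, which is also what stops a stray home router
# plugged into a classroom port from quietly becoming the school's DHCP server.
Add-DhcpServerInDC

# Whole /24 as the scope; an 8-hour lease so phones that leave at 3pm give their
# address back instead of holding it for days (ressem's point about expiry).
Add-DhcpServerv4Scope -Name 'Internal LAN' -StartRange '10.0.0.1' -EndRange '10.0.0.254' `
    -SubnetMask $SubnetMask -LeaseDuration (New-TimeSpan -Hours 8) -State Active

# Keep the low end out of the pool for fixed gear: router, DC, APs, printers, NAS.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange '10.0.0.1' -EndRange '10.0.0.49'

# Options every client receives: default gateway, DNS server and DNS suffix.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $DnsServer -DnsDomain $DnsDomain

# Reservations for the teacher laptops, as the OP intends, so they always get the
# same address no matter how full the pool is. MACs are made up.
$TeacherLaptops = @(
    @{ Name = 'laptop-room01'; IP = '10.0.0.60'; Mac = '00-11-22-33-44-55' },
    @{ Name = 'laptop-room02'; IP = '10.0.0.61'; Mac = '00-11-22-33-44-56' }
)
foreach ($laptop in $TeacherLaptops) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $laptop.IP `
        -ClientId $laptop.Mac -Name $laptop.Name -Description 'Teacher laptop, reserved'
}

# How full is the pool? Answers DublinDilbert's "is the pool depleted?" question
# with numbers rather than guesswork; run it again after a busy school day.
Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId |
    Select-Object ScopeId, Free, InUse, Reserved, PercentageInUse
```

Ask the NCTE/PDST to disable DHCP on their equipment first, as ressem describes, otherwise clients will keep receiving public leases from the Cisco alongside the private ones.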

