Sunday, April 11, 2021

Small office network design replicated over 2 sites

Hi everyone,

I'm a sysadmin for a small company with two offices. I've recently been tasked with handling the network admin side of things. My understanding of network concepts is decent, however I am not a network engineer by any standards, so I would genuinely value some help.

The situation right now:

  • Equipment

    • MikroTik Router CCR2004-1G-12S+2XS * 2 (one at each site)
    • NETGEAR XS728T * 3 (10GB 24 Port Switch)
    • NETGEAR M4300-96X (40GB Switch)
  • Office 1

    • 10.0.0.0/16
    • Desktops: 10.0.2.x
    • Servers: 10.0.5.x
    • Wifi: 10.0.3.x
  • Office 2

    • 10.1.0.0/16
    • Desktops: 10.1.2.x
    • Servers: 10.1.5.x
    • Wifi: 10.1.3.x

The two offices are linked via an IPIP L3 tunnel so that 10.0.x.x can reach 10.1.x.x.

However, we are planning to change ISPs shortly, which will give us 2 external IPs at each site. One static, which I'd like to reserve for servers behind NAT, and the other dynamic, which I'd like to allocate to desktops & wifi clients behind NAT. Desktops should be able to reach important ports on the server network, e.g. ssh, smb, etc., but otherwise be locked out. Additionally, I'd like to segregate wifi traffic so that users connected to the wifi network can only reach the outside world and are prevented from accessing any internal resources. I'd like this design to be applied at both sites.

The switches we have (Netgear) appear to support VLANs, which I imagine is probably the solution to this, however I can't say I have much previous experience in setting something like this up. I think the subnetting could be better designed as well, rather than have each type of machine exist in the same /16 subnet.

Any tips/advice/suggested changes would definitely be welcome!
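As an added illustration (not from the post, and not MikroTik's or Netgear's own documentation), here is a RouterOS v7 sketch of Office 1 that implements the policy above with one VLAN per role, a default-deny forward chain, and split source NAT for the two public IPs; Office 2 is the same with 10.1.x.x. The trunk port sfp-sfpplus1, the uplink ether1, the VLAN IDs (chosen to match the third octet of each subnet), and the placeholder static IP 203.0.113.10 are all assumptions.

```routeros
# Added example, not from the post: Office 1 on RouterOS v7 (Office 2 mirrors
# it with 10.1.x.x). Assumed: tagged trunk to the Netgear switch on
# sfp-sfpplus1, ISP uplink on ether1, VLAN ID = third octet of each subnet,
# static public IP 203.0.113.10 (documentation placeholder) as a second
# address on ether1 (how the ISP delivers the second IP varies).

# VLAN-aware bridge with a single tagged trunk toward the switch
# (vlan-filtering is switched on last so the trunk is never cut mid-setup)
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=2,3,5

# One router-side VLAN interface per role, gateway at .1 of each /24
/interface vlan add interface=bridge1 name=vlan2-desktops vlan-id=2
/interface vlan add interface=bridge1 name=vlan3-wifi vlan-id=3
/interface vlan add interface=bridge1 name=vlan5-servers vlan-id=5
/ip address add address=10.0.2.1/24 interface=vlan2-desktops
/ip address add address=10.0.3.1/24 interface=vlan3-wifi
/ip address add address=10.0.5.1/24 interface=vlan5-servers
/ip address add address=203.0.113.10/24 interface=ether1 comment="static IP, ISP-dependent"

# Lists used by the rules: both sites' desktops and servers, so the same
# rule set works for traffic arriving over the IPIP tunnel
/interface list add name=LAN
/interface list member add list=LAN interface=vlan2-desktops
/interface list member add list=LAN interface=vlan3-wifi
/interface list member add list=LAN interface=vlan5-servers
/ip firewall address-list add list=desktops address=10.0.2.0/24
/ip firewall address-list add list=desktops address=10.1.2.0/24
/ip firewall address-list add list=servers address=10.0.5.0/24
/ip firewall address-list add list=servers address=10.1.5.0/24
/ip firewall address-list add list=rfc1918 address=10.0.0.0/8
/ip firewall address-list add list=rfc1918 address=172.16.0.0/12
/ip firewall address-list add list=rfc1918 address=192.168.0.0/16

# Forward chain: state first, then explicit allows, then logged default deny
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="return traffic"
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=vlan3-wifi dst-address-list=rfc1918 action=drop comment="wifi: no internal resources, incl. the tunnel"
/ip firewall filter add chain=forward src-address-list=desktops dst-address-list=servers protocol=tcp dst-port=22,445 action=accept comment="desktops: SSH and SMB to servers only"
/ip firewall filter add chain=forward in-interface-list=LAN out-interface=ether1 action=accept comment="internet"
/ip firewall filter add chain=forward action=drop log=yes log-prefix="FWD-DROP " comment="default deny for everything else"

# Input chain: wifi clients may use the router for DHCP/DNS and nothing else
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=vlan3-wifi protocol=udp dst-port=53,67 action=accept comment="wifi: DNS and DHCP"
/ip firewall filter add chain=input in-interface=vlan3-wifi action=drop comment="wifi: no router management"

# Source NAT: servers leave on the static IP, desktops and wifi masquerade
/ip firewall nat add chain=srcnat src-address=10.0.5.0/24 out-interface=ether1 action=src-nat to-addresses=203.0.113.10
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/interface bridge set bridge1 vlan-filtering=yes
```

The Netgear switches must carry VLANs 2, 3 and 5 tagged on the uplink to the router and untagged on the access ports for each role; under this default deny, desktop-to-desktop traffic across the tunnel is also blocked unless you add a rule for it, and the FWD-DROP log prefix shows what the policy is rejecting while you tune it.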
