Fixing Our Office Network - Suggestions?

Hi folks, first time poster but have been watching the YouTube channel for a while now. Thought this would be a good place to gather some good feedback and advice. Apologies in advance as this is quite a long post!

To preface my skill-set, I’m a geek and very much learning when it comes to networking, firewalls and security. I’m enjoying this new role of managing our network and internal IT as well as information security. I should also mention that I’m in the UK.

Due to all this Coronavirus preparation, especially as we work within healthcare technology, a fire has been lit under the butts of my boss (technical director) and myself by our medical director to get a good remote access solution into the office working.

Our current hardware is as such:

  • VDSL Internet (not ideal, but our office is in a weird location) 70 down / 20 up
  • DrayTek Vigor 2862 modem / router (no WiFi).
  • HP 24 port PoE switch (soon to be replaced by a UniFi US 48 500w that arrived today).
  • UniFi CloudKey Gen2Plus
  • 2 x UniFi AP AC-Lite access points

From the router we have a site-to-site VPN to our hosting provider for one of our solutions, that includes our two domain controllers. Key staff already have dial-in VPNs to that infrastructure, but these carry an additional cost per user.

Internally we have a Windows 2012 R2 server that runs all the bits and pieces to test our application as well as running Hyper-V for VM testing. This also runs both Network Policy Server for our RADIUS auth for the WiFi as well as the ‘Duo Authentication Proxy’ which I’ll come onto in a bit.

Right now we have only one LAN, with no VLANs, and due to poor planning on our part it’s on the 192.168.1.1/24 range. The UniFi is set up with 3 WiFi networks:

  • iQ WiFi: Authenticates via RADIUS and is for company devices only - we push this out via group policy
  • iQ Staff: Currently authenticates via RADIUS too, it’s designed for staff to use with their personal devices. Ideally I’d like this isolated to an extent, for example I don’t want this getting to the servers over the site-to-site VPN.
  • iQ Guest: Does what it says on the tin, this is for guests and it was decided this would just have a simple WPA2 PSK that we rotate every 3 months. This needs to be totally isolated from all other devices.

The Vigor 2862 supports L2TP over IPsec and indeed we have a VPN working with Duo authentication, the proxy handles this for us and uses our AD credentials with a Duo Push challenge. There’s a slight challenge that it’s a bit fiddly, because of the RADIUS timeout and retry policy on the Vigor, which you can’t seem to edit.

What I need to achieve next is as follows:

  • Separate off the different WLANs - my boss doesn’t want us to get too complicated as we’ve not worked with VLANs before now.
  • Get the best experience for staff logging into the ‘personal devices’ network.
  • Have a really easy guest network - the ‘Voucher’ idea was quickly shut down by the other two directors who didn’t want to have to come and grab a code for a guest.
  • Make sure the dial-in VPN works and won’t run into any routing issues with people’s home networks.

I’m already aware that we’ll need to make changes to our site-to-site VPN to change subnets, that’s not a problem as our hosting provider are fantastic.

I think the big questions are:

  • Should we be looking at a different firewall solution? Does anyone have experience with VLAN configuration on the DrayTek series, especially around rules etc.? Every time I see a video on the channel I see Tom advocating for pfSense, for example.
  • Am I over complicating things?
  • Have I chosen well with the new switch and existing UniFi gear (which in itself is pretty new, about a week old - we had some nasty consumer mesh system before this)?

Thanks to anyone who’s read this, I really appreciate your time.

Based off having a look around DrayTek’s live demo, the system seems very restricted, imposing arbitrary limitations in an effort to reduce complexity. It may be just fine for an SME, but that does not mean such a business shouldn’t make the step towards an enterprise firewall software, like pfSense. Obviously I’m biased here since I’ve been using pfSense for several years now, but I think the DrayTek is less comfortable to manage, despite the potentially steep learning curve for pfSense newcomers. My advice, if that’s not clear by now: Make the switch. It will pay off in the future.

Are you over-complicating things? No, I don’t think so. Your post is put together very well, you provided the right details, so it shows you have already invested some thought into the situation. A tip that I can give you is to concretely plan your logical network prior to configuring devices. I use a spreadsheet to determine which network (address range) is on which VLAN, what the DHCP pool is, etc. It also serves as documentation later on. You should investigate how large (number of clients) each subnet is going to be and consider reserves. As you pointed out, it makes sense to use non-standard networks to avoid collisions.

As to whether betting on UniFi was the right idea: They are good value. There are more flexible systems out there (for both switching and wireless), but the functionality (and I am including the controller) is sufficient for most situations. A major plus as far as I am concerned is that there are no licensing fees.

1 Like
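To make the “plan the logical network in a spreadsheet first” advice above concrete, here is an added example (not code from anyone in this thread, and not a DrayTek or UniFi tool) that runs the checks you would otherwise do by eye before touching the router: subnets that overlap each other, DHCP pools that collide with the static-reservation range or are too small for the expected client count plus reserve, VLAN IDs outside the 802.1Q range, and office ranges that collide with what home routers hand out by default, which is what bites dial-in VPN users. The VLAN IDs, names, client counts and the 10.20.0.0/16 block are a constructed sample plan, not the poster’s real network; the list of home-router ranges is an assumption, not exhaustive.

```python
"""Sanity-check a proposed VLAN and subnet plan before configuring devices.

Added example, not code from the thread. All VLAN IDs, names, client counts
and the 10.20.0.0/16 block below are a constructed sample, not a real network.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

# Defaults handed out by common consumer / ISP home routers (assumption: a
# representative list, not exhaustive). An office subnet overlapping one of
# these is a likely cause of routing trouble for dial-in VPN users at home.
COMMON_HOME_RANGES = [IPv4Network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.100.0/24", "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
)]


@dataclass(frozen=True)
class Vlan:
    vid: int                  # 802.1Q VLAN ID; same tag on router, switch and SSID
    name: str
    network: IPv4Network
    dhcp_start: int           # host offsets inside the subnet, e.g. 100..200
    dhcp_end: int
    expected_clients: int
    reserved_hosts: int = 99  # static reservations live at offsets 1..reserved_hosts


def dhcp_pool(v: Vlan) -> tuple[IPv4Address, IPv4Address]:
    """First and last address of the DHCP pool, as typed into the DHCP server."""
    base = int(v.network.network_address)
    return IPv4Address(base + v.dhcp_start), IPv4Address(base + v.dhcp_end)


def check_plan(plan: list[Vlan], headroom: float = 1.5) -> list[str]:
    """Return human-readable findings; an empty list means every check passed.

    headroom is the reserve factor: a pool must hold expected_clients * headroom leases.
    """
    findings = []
    seen = set()
    for v in plan:
        tag = f"VLAN {v.vid} ({v.name})"
        if v.vid in seen:
            findings.append(f"{tag}: duplicate VLAN ID")
        seen.add(v.vid)
        if not 1 <= v.vid <= 4094:
            findings.append(f"{tag}: VLAN ID outside the 802.1Q range 1-4094")
        usable = v.network.num_addresses - 2  # minus network and broadcast addresses
        if v.dhcp_start <= v.reserved_hosts:
            findings.append(f"{tag}: DHCP pool starts inside the reservation range (.1-.{v.reserved_hosts})")
        if v.dhcp_start < 1 or v.dhcp_end > usable:
            findings.append(f"{tag}: DHCP pool .{v.dhcp_start}-.{v.dhcp_end} does not fit in {v.network}")
        pool = v.dhcp_end - v.dhcp_start + 1
        if pool < v.expected_clients * headroom:
            findings.append(f"{tag}: pool of {pool} leases is too small for {v.expected_clients} clients with {headroom}x headroom")
        for home in COMMON_HOME_RANGES:
            if v.network.overlaps(home):
                findings.append(f"{tag}: {v.network} overlaps common home range {home}; dial-in VPN clients on that range cannot reach it")
    for a, b in combinations(plan, 2):
        if a.network.overlaps(b.network):
            findings.append(f"VLAN {a.vid} and VLAN {b.vid}: subnets {a.network} and {b.network} overlap")
    return findings


def plan_table(plan: list[Vlan]) -> list[str]:
    """Rows for the documentation page: VLAN, name, subnet, gateway, DHCP pool."""
    rows = ["VID | Name | Subnet | Gateway | DHCP pool"]
    for v in plan:
        lo, hi = dhcp_pool(v)
        gateway = v.network.network_address + 1  # convention: gateway on .1
        rows.append(f"{v.vid} | {v.name} | {v.network} | {gateway} | {lo}-{hi}")
    return rows


# Constructed sample: the flat LAN described in the thread, checked as-is.
CURRENT_PLAN = [Vlan(1, "Office (flat LAN)", IPv4Network("192.168.1.0/24"), 100, 200, 60)]

# Constructed sample of a segmented plan on a non-default range.
PROPOSED_PLAN = [
    Vlan(10, "Office / iQ WiFi", IPv4Network("10.20.10.0/24"), 100, 200, 60),
    Vlan(20, "iQ Staff (personal devices)", IPv4Network("10.20.20.0/24"), 100, 200, 40),
    Vlan(30, "iQ Guest", IPv4Network("10.20.30.0/24"), 100, 200, 20),
    Vlan(40, "Voice (Polycom)", IPv4Network("10.20.40.0/24"), 100, 200, 30),
]

# Constructed deliberately broken addition: duplicate VID, overlaps VLAN 10,
# pool starts in the reservation range and runs past the end of a /25.
BAD_PLAN = PROPOSED_PLAN + [Vlan(10, "Oops", IPv4Network("10.20.10.128/25"), 20, 300, 10)]

if __name__ == "__main__":
    for label, plan in (("current", CURRENT_PLAN), ("proposed", PROPOSED_PLAN)):
        print(f"== {label} plan ==")
        print("\n".join(plan_table(plan)))
        for f in check_plan(plan) or ["no findings"]:
            print(" -", f)
```

Run it once with the plan as it stands and once with the proposed one: the flat 192.168.1.0/24 LAN is flagged for colliding with the most common home-router range, while the segmented 10.20.x plan comes back clean, and `plan_table` gives you the rows to paste into the documentation page.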

Thanks for the reply, really helpful,

As part of the process, I’ll be documenting everything in our Confluence site, which will include the network mapping: VLANs, their ranges and DHCP handouts (I generally like a 100-200 DHCP range) and reservations within the sub-100 range. At home I’ve tried to group them into categories, so 10-19 are computers, 20-29 are phones and tablets, 40-49 are smart home etc. (This is another area the Vigor interface sucks at.)

I think moving to pfSense would make a lot of… sense… oh dear. The challenge will be the cost implications as we’d need a new appliance for the new firewall and a new VDSL modem (since that’s currently built into the Vigor).

Given how much we’ve just spent on new hardware, including a decent sized order at Dell for new Vostros (They’re really nice machines, Dell hardware has come a long way - even as an Apple user at home I really like this new Vostro 5490), I’m not sure I can get approval for much more.

That being said, would an older (18 months at most) workstation be suitable if it had a decent NIC? We’ll be retiring our workstations for the laptops so I can see there being a few spare - rack space may be the only issue though.

For the modem I see several options:

  1. Maybe the DrayTek router can be set up in bridge mode. That wouldn’t cost anything.
  2. Get an affordable DSL modem. You’re looking at 50€ to 100€ (don’t know what that is in Pounds currently).
  3. There are even DSL modem SFPs, if you are looking to save some space. They are around 120€ though, so probably not that interesting.

As for the firewall appliance, I am always a bit reluctant when it comes to using non-enterprise gear. Some of the stuff is decidedly not made to run all day every day, while other hardware may handle it just fine. If you’re looking to upgrade, I can recommend APU boards. Protectli is also a name that is mentioned frequently in this context. I still wouldn’t consider these enterprise-level hardware, but at least they are designed to run 24/7. They will set you back around 150€ or 220€, respectively. Anyway, a modem and a router combined is still going to be less than half of one of the laptops you bought.

Hi,

I have experience with DrayTek, you should be able to do what you seem to need without any issues, assuming that the Duo timeout issue isn’t too bad.

If you don’t have too much experience, going full-on enterprise kit may be too much I’d say, as there’s the risk of misconfiguration and a steep learning curve. Is this your only job at the company? It sounds like you may have another job there and you’ve kind of taken on the networking? So spending a lot of time learning new kit and sorting issues when in production may not be an option.

Just set up the VLAN ranges and VLAN IDs on the DrayTek, then configure the SSIDs and switch with the same 802.1Q tags.

Take a config backup so you can roll it back quickly if new issues crop up.

Note that there may be some messing about with getting the RADIUS server to work across both the WiFi and staff VLANs. (Do you need authentication if it’s just a personal device network?)

You can also use the server as a VPN server (I haven’t double checked if Server 2012 can), which is probably a much better UX.

With all that being said, moving to pfSense makes a lot of sense. Set one up in a lab environment, it shouldn’t be hard to mimic the DrayTek, get comfortable and just swap it out one day. (Buy a Netgate or DrayTek modem.)

But be aware that all those VPN accounts will need recreating and users informed etc.

As for the guest VLAN, I personally don’t really see an issue with just rotating the password every so often, just block the gateway login page from that LAN. When you know where to go there’s a surprising amount of features on DrayTeks, but it does take some learning.

Buy yourself one from eBay for £100 and use it at home and get familiar maybe.

Also consider getting some internet redundancy put in the office especially if you host offsite.
(Who is your good hosting provider?)
Jumbled rant.

Fellow Brit here :wave:

Feel free to ask me questions.

Thanks, I’ll have a look into the options. There are some affordable VDSL modems, DrayTek themselves even make one - I don’t believe the Vigor can be used in Bridge Mode though.

I’m looking at a number of options for a new firewall, and appliances like Protectli are definitely something I’m considering. Taking one of the old workstations home as a lab set up for pfSense may also be something I look at.

You’re right about the cost being less than one of these new laptops, but without sharing confidential financial details we’re already over-budget, the justification being to get ready for COVID-19 causing us to ‘abandon ship’ and leave the office.

Thanks for the detailed reply, much appreciated.

The Duo timeout issue, sadly, was too bad and we deemed it unworkable - DrayTek support haven’t been able to point me to a timeout option - just the retries for RADIUS. We’re looking at alternative ways of handling Duo - probably at the Windows login level on each laptop.

So, the networking and IT role is going to be my full time job here within the next month or so. I’m transitioning from this being a part-time element of my original role, which was customer support for our web app and the associated infrastructure elements of that.

The really good host for that, since you asked, is UKFast. I’ve never had problems with them and they really help out when one of our customers has screwed up a VPN configuration (we exchange a lot of data for patients, such as demographics and pathology results, so this gets routed over a site-to-site VPN for each customer into our UKFast environment). We have another hosting provider for our NHS N3 customers, Redcentric, and honestly I can’t say enough bad things about them!

To allow me to really go full-time on this, we just need to get someone to take my first-line duties so I can focus on this new set of responsibilities. I’ll still be handling support for any infrastructure related issues (new VPNs, disaster recovery backup plans etc).

My managers are happy to get me training I need for both the IT / networking side as well as my security and ISO27001 responsibilities. I’m very lucky to work for such a good company.

Thanks for the up vote on the rotating guest network password, I think that’s the best option. I’d like the staff VLAN to be authenticated, as we may allow more access on this, for testing on mobile devices for example - so they’d need to get to our build server in the main office VLAN.

Redundancy in our internet is something I’m looking into, apparently we now have Virgin Media Business in the area too - and the Vigor is dual WAN so that wouldn’t be an issue.

I think the overall thought coming out of this is that I should set up a lab environment for pfSense - I’ve been asked to look into ESXi as well to replace Hyper-V so this could be part of the same overall ‘future projects’ work.

One question I did have, around the concept of phone passthrough - so our Polycom VoIP phones (which connect to an external server) could be on their own VLAN - is that massively complicated if using tags and the UniFi switch’s port profiles?

Are the PCs connected through the phones to the switch? If not then there should be no problem tagging the switch port, it’s as simple as that.

Yeah, I’ve heard good things about UKFast too, I was thinking to apply for a job there.

What networking and IT course are you thinking of?

I would highly push for a Netgate support contract if you go pfSense, at least for the 1st year. It’s not cheap, but you don’t want hours of downtime on a production system whilst you try to work out what’s gone wrong, although I guess it’s up to you on how well you’d think you can troubleshoot.

The Vigor is dual WAN, but you’ll need a modem for the 2nd WAN, although a VM business router should be able to do bridge mode so you may not need another modem.

If networking is relatively new to you, I highly recommend Ed Harmoush’s Practical Networking site (free). He has an index for CCNA level topics; this is the stuff you need to know (with the exception of EIGRP unless you are working with Cisco routers). Here is the CCNA index. And I recommend starting at the beginning; these are short and well prepared topics. He has some YouTube videos that go along with some of his notes. For example the “how packets travel through a network” topic.

For easy to understand but technically correct VLAN info, I am not aware of any better than you will find there. If someone else knows someone that does a better job, please post it here. It’s not vendor specific, but since it is aimed at people studying for the Cisco CCNA, the examples are based on Cisco devices. But you should be able to follow along, because he explains as he does things.

1 Like

Thanks for that, I’ll check out the guide as I’m discussing with my company about getting my CCNA or similar.

1 Like