Hi folks, first time poster but have been watching the YouTube channel for a while now. Thought this would be a good place to gather some good feedback and advice. Apologies in advance as this is quite a long post!
To preface my skill-set, I’m a geek and very much learning when it comes to networking, firewalls and security. I’m enjoying this new role of managing our network and internal IT as well as information security. I should also mention that I’m in the UK.
Due to all this Coronavirus preparation, especially as we work within healthcare technology, a fire has been lit under the butts of my boss (technical director) and myself by our medical director to get a good remote access solution into the office working.
Our current hardware is as follows:
- VDSL Internet (not ideal, but our office is in a weird location) 70 down / 20 up
- DrayTek Vigor 2862 modem / router (no WiFi).
- HP 24 port PoE switch (soon to be replaced by a UniFi US 48 500w that arrived today).
- UniFi CloudKey Gen2Plus
- 2 x UniFi AP AC-Lite access points
From the router we have a site-to-site VPN to our hosting provider for one of our solutions, which includes our two domain controllers. Key staff already have dial-in VPNs to that infrastructure, but these carry an additional cost per user.
Internally we have a Windows 2012 R2 server that runs all the bits and pieces to test our application as well as running Hyper-V for VM testing. This also runs both Network Policy Server for our RADIUS auth for the WiFi as well as the ‘Duo Authentication Proxy’, which I’ll come onto in a bit.
Right now we have only one LAN, with no VLANs, and due to poor planning on our part it’s on the 192.168.1.1/24 range. The UniFi is set up with 3 WiFi networks:
- iQ WiFi: Authenticates via RADIUS and is for company devices only - we push this out via group policy
- iQ Staff: Currently authenticates via RADIUS too; it’s designed for staff to use with their personal devices. Ideally I’d like this isolated to an extent; for example, I don’t want this getting to the servers over the site-to-site VPN.
- iQ Guest: Does what it says on the tin: this is for guests, and it was decided this would just have a simple WPA2 PSK that we rotate every 3 months. This needs to be totally isolated from all other devices.
The Vigor 2862 supports L2TP over IPsec, and indeed we have a VPN working with Duo authentication: the proxy handles this for us and uses our AD credentials with a Duo Push challenge. It’s a bit fiddly, though, because of the RADIUS timeout and retry policy on the Vigor, which you can’t seem to edit.
What I need to achieve next is as follows:
- Separate off the different WLANs - my boss doesn’t want us to get too complicated as we’ve not worked with VLANs before now.
- Get the best experience for staff logging into the ‘personal devices’ network.
- Have a really easy guest network - the ‘Voucher’ idea was quickly shut down by the other two directors who didn’t want to have to come and grab a code for a guest.
- Make sure the dial-in VPN works and won’t run into any routing issues with people’s home networks.
I’m already aware that we’ll need to make changes to our site-to-site VPN to change subnets; that’s not a problem as our hosting provider are fantastic.
I think the big questions are:
- Should we be looking at a different firewall solution? Does anyone have experience with VLAN configuration on the DrayTek series, especially around rules etc.? Every time I see a video on the channel I see Tom advocating for pfSense, for example.
- Am I over complicating things?
- Have I chosen well with the new switch and existing UniFi gear (which in itself is pretty new, about a week old - we had some nasty consumer mesh system before this)?
Thanks to anyone who’s read this, I really appreciate your time.