SOHO network advice

Hello again folks!
I want to solve in the best way possible the problem of network configuration for a small bussines.
Nothing big, nothing out of the ordinary, but I want to hear opinions and maybe to clear my view on the matter.
Well, first I want some redundancy on the WAN side, the plan is to contract one ISP more, aditional ISP will be later configured on a router with load balancing feature. We experienced ISP failure so redundancy is a must.
Now, on the internal network. Some noobish questions, please bear with me:

All devices will have fixed IP, DHCP will assing just a few IPs. I have a webserver running internally and I want to be acceses only by some users.

  • Now, assigning the webserver the IP 10.0.2.XX is enough to segment the network?I have to add a NAT rule in the routing table or in the router to acces it, right?
  • Or create a VLAN and assing that IP to the VLAN ? How to control who is accesing that particular VLAN? ACL?Something else?
  • having a proxy has multiple benefits, and I think Squid would add a layer of security to the internal network. How will this affect if I want to implement VPN in the router and the routing table?

For the moment, these are the questions that are bugging me. Just want to be sure that I am doing things right and not comprimising on security, neither availibility.
Thanks in advance for your time,

Subnets for organization and VLANs for security.

When you say that you only want some users to be able to hit your webserver, do you intend to limit by IP address, or are you going to put some devices in on VLAN and others in another and limit access by your VLAN intrarouting rules?

What is your goal with Squid? What do you need a VPN for? For endpoint to access the web server remotely? What you’re actually trying to accomplish will determine if it will help or not.

Inside the internal network

Webserver : will run a custom webapp - I will need to acces it from outside, to make daily changes, so VPN could solve the security of connection; I need to have it on a separate subnet, to prevent any intrusion or acces.

Squid Proxy: users on the POS machines (normal LAN) will have a very limited acces to the internet, no need to acces their FB page while on the job; but POS machines have to acces a cloud server for the database connection ; also, dor caching Windows updated for the computers in the main office.

Thank you for quick response, I am at your disposition to clear any matter up.

Hi There,
there’s a few ways you could achieve what you are trying to do here, i guess it just depends effort vs outcome.
If i understand correctly, you need select devices on the internal network to have access to a locally hosted webapp which we can do a couple of ways, but first that come to mind are(assuming your clients are in a different VLAN to your webapp server) : -

  • you could grant access via ACL’s on your router to an entire subnet(easily managed, less secure)
  • you could grant access via ACL’s on your router to select device (more management but more secure)
  • if you are using apache, you can also restrict access via the apache ACL’s for trusted clients.(most web servers offer this functionality)

For your POS machines there are a few options here as well. Squid is definitely one of them. You could also restrict their access via DNS, by only allowing them to resolve the entities on the internet they require for POS functionality, and returning an NX Domain for everything else for example. This would require a bit more configuration, and of course an internal DNS server.

Depending also on which version of Windows your clients are running, I believe they are able to obtain updates from peers within their local network(could someone please clarify this? i’m unsure what this is called sorry).

NAT’ing would only be required if you would like your webapp to be available from external. With the VPN configuration you could simply drop your VPN clients into a very restricted subnet, allowing only required data to pass between your VPN user subnet, and your internal network.

I find it makes a lot more sense if you grab a piece of paper and draw out a basic high level view of all of your devices, and access requirements. You’ll then get an overview of which restrictions need to go where, and how best to place control around your devices. hope this helps :slight_smile: