Answer to Question #311725 in Computer Networks for Showi

Computer Networks

The organization has one main office and branches.

1). In the main office and in branches we need access to the internet. ISP provides this connection but doesn't supply the router, only provides the information about IP/Gateway/DNS for connection.

Should install the router and firewall in the necessary places and isolate the local network from outside.

It is the hardware base solution and must apply router and firewall functions in the hardware. The hardware type is dependent on network size and employee quantity.

Best price/quality solution provided by Mikrotik. Can use start from Mikrotik RB2011iL-IN to Mikrotik CCR1072-1G-8S+

2). IN THE OFFICE ALL EMPLOYEE’S PC AND PORTABLE DEVICES NEED ACCESS TO THE INTERNET, BUT EMPLOYEES ARE SURFING THE MANY SITES WHICH ARE NOT NEEDED FOR WORKING, DOWNLOADING VIRUSES, ETC.

This is resolved by router/firewall. For example, in Mikrotik, market all connections to necessary sites, allow connection to them, and all other connections dropped by firewall rules.

3). In office start working the new employee. For work provided a new PC which connects via UTP cable to the office's switch. During the work employee have problems, files upload/downloaded with low speed, PC sometime disconnected from switch, etc. 

Start testing the switch port, change connection, connect to another port. 

Start testing the PC’s network interface and change it, if needed.

Start test the mounted UTP cable, all lines from PC to the switch. With necessary tester can test the lines and can see if there are cable wire drop/clipping or other problems, how correctly the connectors are in accordance with the standard or not, etc.

After testing with LAN tester can see that they have problem with 8P8C connectors (RJ45). Remount connectors, problem resolved.

4). After some problems in the office local area network (LAN), the accountant's PCs should be isolated from other employees’ PCs.

If the office’s switch is not a management switch, you should change it. In management switches configuring the necessary VLANs. One separated VLAN was provided for the Accountant department isolated network. Accountant workstations connection ports on a switch configured under necessary VLAN.

5). In the office the departments work on their VLAN. Office network (LAN) is based on a few switches, each switch connecting to another one via a port which is configured as TRUNK. The marketing department, some PC, connected to the one switch have no connection with the other PC which is connected to the other switch, in the same department VLAN. Other departments are working without any problem.

Testing the PC connections via PING command and seeing that connection problem between the switches. Necessary VLAN not added in the TRUNK. Add the necessary VLAN in the TRUNK and the problem is resolved.

6). The branch and some employees working from outside need access to the necessary devices and the LAN in the main office. Need to provide a solution.

There is one simple and good solution. It provides access via a VPN connection.

In the router activating two VPN servers, one for the branches, the other one for the outside working employee.

Build L2TP/IPSec VPN and provide necessary access to the LAN and devices.

7). When the office started working, the ISP provided for the main IP (router to ISP interface) and subnet network IP (LAN) the public IPs. It is needed for some users who want to connect via RDP to their PC’s public (real) address. During the work, the logging provides information about many and many attempts to hack employees’ PCs. Need a solution to prevent it.

The router did apply the simple routing for route LAN public IPs to the main public IP. To prevent access for anyone from the internet to the employee’s PCs via public (real) IP address, changing the routing conception. Now LAN starts working under NAT and uses private (not real) IPs, which are not visible from the internet.

Now employees have access to the office LAN via VPN, then can use RDP to connect to the PC, but build a connection to the public IP.

8). In the office the network printer/scanner connected to the switch, receiving the IP from the router via DHCP. PC connecting to network printer/scanner via special software. After the some days PC hasn’t not connection with printer, devices working correctly, in LAN not available the problems and errors.

The PC can connect to the printer/scanner device and via IP, and, after the scan the neighborhood, via MAC address.

Check the settings and see that the printer/scanner is configured on PC via IP. After the same days the printer/scanner restarted and received the other IP from the DHCP server. After configured software for working with printer/scanner via MAC address, problem resolved.

9). In the office one PC in LAN works normally, has a connection with local devices in the same network, in the same network can share the files, and has PING to other PCs. But cannot surf the internet, hasn’t connection with Google DNS (8.8.8.8), etc.

Testing via PING the connection to the router – PING OK.

Testing via PING the connection from the router (gateway) to the PC – PING OK, PC not blocked in router/firewall.

Open the PC’s network interface and see that the IP configuration was not set up correctly. Unfilled the gateway part. PC has a connection to any device in the same network, with router also, but the router didn’t work as gateway for PC, so, PC didn’t have a connection to the other network, connections not routed because gateway did not exist in settings.

Filling the gateway part with the router’s IP, is problem resolving.

10). After changing network conception, when LAN started working under NAT, there was a problem with the access from outside to IP cameras network, which working in its own separate VLAN, access to the NVR server. Access via special application and need to provide a solution without using the access to LAN via VPN.

NVR server provides the access to the IP camera network via specific ports. The solution is simple. Apply necessary port forwarding from router out (to ISP) interface public (real) IP to the NVR server private (not real) IP.