- Posts: 3
- Thank you received: 0
Multi tenant business centre
19 years 10 months ago #6825
by m3freak
Multi tenant business centre was created by m3freak
Hello everyone,
This is my first post here. In fact, I hadn't heard about this site until today, when the VLAN articles popped up in one of my searches on Google. BTW, the articles were great.
I have a bit of a problem. I've recently moved into a new office located in a business centre. There are 19 individual offices, which means 19 different businesses.
The business centre currently has DSL service from the local phone company, which means that all tenants are sharing one dynamic IP. This is a security problem, but it also prevents tenants from hosting their own servers, including me.
My networking experience is limited, so I've had some trouble trying to figure out how to improve the situation not only for the business centre, but for my small business as well.
The business centre wants to continue offering the shared Internet access, so I've considered implementing VLANs to at least partition the private networks for each tenant. However, what I'm confused about is how would such a setup accommodate those tenants that require a public IP.
Would something like m0n0wall in conjunction with a layer 2/3 switch be the solution? I've been considering m0n0wall because I know it can bridge/transparently firewall, but I don't know if this is a good solution.
I posed this question on the Fedora mailing list, and someone kindly replied. Here's what he suggested:
----
Here is what I'd do ( I have a porposal submitted to do this for a
medical complex).
Internet
|
DSL Modem or Internet Router
|
Firewall----Tenant-2
|
Tenant-1
Firewall each tenant from the other tenants. Give each tenant a
different RFC 1918 address range. Use a Switch capable of trunking, and a Ethernet card capable of trunking in the firewall to allow multiple VLANs on one physical connection.
----
How would tenants that need their own public IPs be accommodated in this setup? I don't want 1:1 NAT, so a bridge/transparent firewall is the answer, I assume.
Thanks in advance for any thoughts/tips/links.
This is my first post here. In fact, I hadn't heard about this site until today, when the VLAN articles popped up in one of my searches on Google. BTW, the articles were great.
I have a bit of a problem. I've recently moved into a new office located in a business centre. There are 19 individual offices, which means 19 different businesses.
The business centre currently has DSL service from the local phone company, which means that all tenants are sharing one dynamic IP. This is a security problem, but it also prevents tenants from hosting their own servers, including me.
My networking experience is limited, so I've had some trouble trying to figure out how to improve the situation not only for the business centre, but for my small business as well.
The business centre wants to continue offering the shared Internet access, so I've considered implementing VLANs to at least partition the private networks for each tenant. However, what I'm confused about is how would such a setup accommodate those tenants that require a public IP.
Would something like m0n0wall in conjunction with a layer 2/3 switch be the solution? I've been considering m0n0wall because I know it can bridge/transparently firewall, but I don't know if this is a good solution.
I posed this question on the Fedora mailing list, and someone kindly replied. Here's what he suggested:
----
Here is what I'd do ( I have a porposal submitted to do this for a
medical complex).
Internet
|
DSL Modem or Internet Router
|
Firewall----Tenant-2
|
Tenant-1
Firewall each tenant from the other tenants. Give each tenant a
different RFC 1918 address range. Use a Switch capable of trunking, and a Ethernet card capable of trunking in the firewall to allow multiple VLANs on one physical connection.
----
How would tenants that need their own public IPs be accommodated in this setup? I don't want 1:1 NAT, so a bridge/transparent firewall is the answer, I assume.
Thanks in advance for any thoughts/tips/links.
19 years 10 months ago #6830
by TheBishop
There may be some elegant ways of getting round the problem which some of our other members will no doubt share in due course, but to my mind one of your issues is thay toy only have a floating IP from your service provider. It really isn't easy to host a server, let alone several servers unless you have at least one fixed IP address. Plus, if you had fixed address(es) then all your firewalling and other configuration rules become easier too
19 years 10 months ago #6831
by m3freak
Replied by m3freak on topic Re: Multi tenant business centre
Thanks for the reply.
I should have clarified that the ISP will definitely be changed to one that can provide static IPs.
I should have clarified that the ISP will definitely be changed to one that can provide static IPs.
19 years 10 months ago #6855
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Multi tenant business centre
Hi there m3freak and welcome aboard,
You mentioned that you've just moved into this new office and Internet access is provided by the business center. The changes you would like to implement sound great, but I am not sure how you plan do make them.
Being new in the complex, are you allowed to implement all that you mentioned in your post; or have you already spoken with the business center management and they've agreed to resolve this issue?
The reason I am asking this is because depending on the type of solution you end up implementing, it may or may not affect everyone else. I'm imagining at the moment that all offices connect to a central switch and access the Internet, but at the same time, I can't understand how 19 or so businesses could 'share' a network in this way!
If you are able to provide us with a small logical diagram of the network, it would greatly help us help you.
Cheers,
You mentioned that you've just moved into this new office and Internet access is provided by the business center. The changes you would like to implement sound great, but I am not sure how you plan do make them.
Being new in the complex, are you allowed to implement all that you mentioned in your post; or have you already spoken with the business center management and they've agreed to resolve this issue?
The reason I am asking this is because depending on the type of solution you end up implementing, it may or may not affect everyone else. I'm imagining at the moment that all offices connect to a central switch and access the Internet, but at the same time, I can't understand how 19 or so businesses could 'share' a network in this way!
If you are able to provide us with a small logical diagram of the network, it would greatly help us help you.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
19 years 10 months ago #6890
by tfs
Thanks,
Tom
Replied by tfs on topic Re: Multi tenant business centre
[code:1]
The business centre wants to continue offering the shared Internet access, so I've considered implementing VLANs to at least partition the private networks for each tenant. However, what I'm confused about is how would such a setup accommodate those tenants that require a public IP.
[/code:1]
Vlans and subnetting are not going to help you if some of the tenants need public IPs.
The business centre wants to continue offering the shared Internet access, so I've considered implementing VLANs to at least partition the private networks for each tenant. However, what I'm confused about is how would such a setup accommodate those tenants that require a public IP.
[/code:1]
Vlans and subnetting are not going to help you if some of the tenants need public IPs.
Thanks,
Tom
19 years 9 months ago #7024
by m3freak
Thanks!
Yeah, I've already spoken with the owner and he wants to make the changes. I already explained to him and his partner that the current design is terrible for security, but also for any businesses that may need public IPs of their own.
The biggest issue for the owner is security.
Yes, that's exactly it. Every office (i.e. business) is connected to a central switch, which is in turn connected to a simple router. Here's the diagram:
Internet
|
Modem
|
Router
|
Switch --> Business 1 etc.
|
Business 2 etc. |
All 19 offices are connected in this way.
I want to break this up so that some businesses can continue to receive Internet access with one public IP, but others move to public IPs given to them by the buisiness centre. This is what I'm envisioning:
Internet --> Modem --> Switch --> m0n0wall --> Layer 2 switch
So, those businesses that require public IPs would be connected at the switch before m0n0wall, in which case everything else (e.g. firewalls, switches etc.) is up to them.
The remaining offices would be connected to the Layer 2 switch. They would receive the same Internet service they have right now, but with one major change: VLANs to partition the network, thereby introducing some privacy (I understand that VLANs are not 100% perfect, but it will do).
I think this is the simplest, least expensive route for the business centre. The only issue right now is trying to figure out which 802.1q NIC will work in m0n0wall ('ve been considering the Linksys LNE100M...I know, better hardware out there, but the business centre wants to keep costs as low as possible).
Also, all 19 VLANs (possibly a few more for the business centre itself) will have to be trunked to m0n0wall. The Linksys 2224 doesn't appear to support that many ports for trunk groups, and the Netgear FSM726S doesn't say anything about how many it can handle. Any other cheapo brands out there??
If you have any comments/suggestions, I'm listening.
Thanks for your time!
Replied by m3freak on topic Re: Multi tenant business centre
Hi there m3freak and welcome aboard
Thanks!
You mentioned that you've just moved into this new office and Internet access is provided by the business center. The changes you would like to implement sound great, but I am not sure how you plan do make them.
Being new in the complex, are you allowed to implement all that you mentioned in your post; or have you already spoken with the business center management and they've agreed to resolve this issue?
Yeah, I've already spoken with the owner and he wants to make the changes. I already explained to him and his partner that the current design is terrible for security, but also for any businesses that may need public IPs of their own.
The biggest issue for the owner is security.
The reason I am asking this is because depending on the type of solution you end up implementing, it may or may not affect everyone else. I'm imagining at the moment that all offices connect to a central switch and access the Internet, but at the same time, I can't understand how 19 or so businesses could 'share' a network in this way!
Yes, that's exactly it. Every office (i.e. business) is connected to a central switch, which is in turn connected to a simple router. Here's the diagram:
Internet
|
Modem
|
Router
|
Switch --> Business 1 etc.
|
Business 2 etc. |
All 19 offices are connected in this way.
I want to break this up so that some businesses can continue to receive Internet access with one public IP, but others move to public IPs given to them by the buisiness centre. This is what I'm envisioning:
Internet --> Modem --> Switch --> m0n0wall --> Layer 2 switch
So, those businesses that require public IPs would be connected at the switch before m0n0wall, in which case everything else (e.g. firewalls, switches etc.) is up to them.
The remaining offices would be connected to the Layer 2 switch. They would receive the same Internet service they have right now, but with one major change: VLANs to partition the network, thereby introducing some privacy (I understand that VLANs are not 100% perfect, but it will do).
I think this is the simplest, least expensive route for the business centre. The only issue right now is trying to figure out which 802.1q NIC will work in m0n0wall ('ve been considering the Linksys LNE100M...I know, better hardware out there, but the business centre wants to keep costs as low as possible).
Also, all 19 VLANs (possibly a few more for the business centre itself) will have to be trunked to m0n0wall. The Linksys 2224 doesn't appear to support that many ports for trunk groups, and the Netgear FSM726S doesn't say anything about how many it can handle. Any other cheapo brands out there??
If you have any comments/suggestions, I'm listening.
Thanks for your time!
Time to create page: 0.137 seconds