Setting Up Small Business Network

Novakane_

Nov 29, 2015
I am setting up a network and I have a few general questions that I probably will expand upon in the future. But first let me explain the setup I have at the moment.

Static IPs: I have one router running from the modem, so it is only using one IP and broadcasting that. This is good because Remote Desktop will be used.

Unmanaged Switch: This switch gives Ethernet access to different parts of the office.

PCs: There are two hardwired PCs and the rest are laptops. Around 8-10 in total.

Email/Website: Through GoDaddy. I think we should keep it like this to keep everything cost effective. Wouldn't make sense to introduce a server just for these elements.

Firewall/VPN: The only firewall is the router and Windows firewall, as is usual for most small businesses. There is not a VPN set up, but people may need to connect from home and I need a solution for that.

Questions:

1) If I have multiple static IPs and want to utilize all of them with the two hardwired PCs and, let's say, a server, would I need to set them up behind a router(s)? Or can I connect my server and other devices, on which I want static IPs, DIRECTLY to the modem?

2) Would I have any use for a MANAGED Switch in this situation?

3) Would it make sense to set up a server for a firewall, or for Windows Server for a VPN connection to the computers in the office? What OTHER methods are there of remotely connecting to the computers in the office? RDP? I do have static IPs that can facilitate that purpose and I would not need to connect to more than 3 in-house PCs remotely.

4) Any other tips/recommendations on providing the best service for a client?
 
Solution
I am assuming by static IP you mean you have multiple actual routable IP addresses you have purchased from your ISP?

It tends to not be safe to put a server directly on the internet without some form of firewall in between, but if you really want to do it you technically can. The details depend a bit on how the ISP gives out multiple IP addresses. In the simplest case you would put a second unmanaged switch between your modem and router and plug the servers in there.

In addition to being directly on the internet, your servers would now also not be on your internal network. You could still access them using the external IP addresses and performance would be OK, but it may make some things more complex to use.

You really don't want to use RDP directly on the internet. It is fairly secure but it still exposes the internal machines directly to external attack. The more common method is to use a VPN and then use RDP over the VPN. It would appear the same as if you did RDP between machines in your office. Depending on what you need to do you may not even need to run RDP; the VPN-connected machines should be able to access things like network shares directly.

The simplest way to set up a VPN is with a router that can do the VPN "server" function. You would then load a VPN client on the remote machine. They would connect to the router and be given an internal IP address and would more or less appear to be a machine connected directly to the local LAN.

In your case you also have the option, because you have multiple public IPs, of putting in a second router only for the VPN function. It is a more complex configuration because you must ensure the second router is not giving out IPs to the remote users that conflict with the DHCP server on the first router. The main advantage would be you do not have to mess with your current router.
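
An added example, not part of the original thread: a small Python check for the address conflict described in the answer above, confirming that the pool the VPN router hands to remote users sits inside the office subnet without touching the first router's DHCP range or any fixed addresses. The subnet, pools and host names are constructed sample values, and `check_vpn_pool` is a hypothetical helper name.

```python
import ipaddress

def parse_pool(first, last):
    """Return an inclusive (start, end) pair of address objects."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start > end:
        raise ValueError(f"pool {first}-{last} is reversed")
    return start, end

def check_vpn_pool(lan_cidr, dhcp_pool, vpn_pool, static_hosts):
    """Return a list of problems with the VPN pool; empty means no conflict."""
    lan = ipaddress.ip_network(lan_cidr)
    dhcp_start, dhcp_end = parse_pool(*dhcp_pool)
    vpn_start, vpn_end = parse_pool(*vpn_pool)
    problems = []
    # Remote clients must land inside the office subnet to look like local machines.
    if vpn_start not in lan or vpn_end not in lan:
        problems.append(f"VPN pool is not inside {lan}")
    # The network and broadcast addresses can never be leased to a client.
    for reserved in (lan.network_address, lan.broadcast_address):
        if vpn_start <= reserved <= vpn_end:
            problems.append(f"VPN pool contains reserved address {reserved}")
    # Two inclusive ranges overlap when each one starts before the other ends.
    if vpn_start <= dhcp_end and dhcp_start <= vpn_end:
        lo, hi = max(vpn_start, dhcp_start), min(vpn_end, dhcp_end)
        problems.append(f"VPN pool overlaps DHCP pool at {lo}-{hi}")
    # Routers and servers with fixed addresses must stay out of the pool too.
    for name, addr in static_hosts.items():
        if vpn_start <= ipaddress.ip_address(addr) <= vpn_end:
            problems.append(f"VPN pool contains static host {name} ({addr})")
    return problems

# Constructed sample values for a typical small-office LAN.
LAN = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")   # leased by the first router
STATIC_HOSTS = {"router1": "192.168.1.1", "vpn-router": "192.168.1.2",
                "server": "192.168.1.10"}

if __name__ == "__main__":
    for pool in [("192.168.1.150", "192.168.1.220"),   # collides with DHCP
                 ("192.168.1.200", "192.168.1.220")]:  # clean
        issues = check_vpn_pool(LAN, DHCP_POOL, pool, STATIC_HOSTS)
        print(pool, "->", issues or "no conflicts")
```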

 


Thanks for your input,

What's the cheapest way to introduce a VPN? And that problem at the end can easily be solved in the router settings, I just have to configure the IP ranges.
 
It depends how much traffic you intend to run through the VPN; it tends to be very CPU intensive. If you have an old PC laying around that you can put a second NIC in, that tends to be the cheapest. There are many free firewall/VPN Unix images you can get.

Although not the cheapest, a router tends to be easier to set up than a Linux server. There are pre-built appliance VPN solutions also. If you are planning on more than, say, 30 Mbps of traffic you are better off with an appliance or a medium-size dual-NIC PC. Nothing special about the PC; it needs dual NICs but does not need fancy video or even much disk space. It is purely a CPU thing.
 
I agree fully with Bill, but as a fellow business owner I question you searching for the cheapest solution. You have 12 computers, so I assume about 10 employees. If each employee lost 5 minutes a week of productive time due to network issues what would that cost you? Seems like an unneeded expense when a quality dedicated VPN appliance/firewall costs between $200 and $400.
 


You're right, I should have worded it better: "What is the most cost effective VPN"
 


I don't have a PC laying around, but that's great. I hear a server with pfSense is pretty good and cheaper than SonicWall.

By the way, how does this look?
https://www.amazon.com/TP-Link-SafeStream-TL-R600VPN-throughput-Concurrent/dp/B0077AXF4E/ref=sr_1_5?s=electronics&ie=UTF8&qid=1521220980&sr=1-5&keywords=vpn%2Brouter&th=1
 
I have no knowledge of that product. A good VPN box will actually have detailed stats as to how much traffic it can pass. There will be different rates for IPsec compared to, say, OpenVPN, which is much more intensive. Some VPN boxes have hardware encryption chips that can assist with IPsec but not OpenVPN, since OpenVPN is based on SSL. It mostly depends what clients you want to load on your end PC. IPsec is harder to set up but performs much better.
 
I read that the $60 TP-Link has no VLAN capabilities. I wouldn't really need a VLAN so I think that's okay, but I can spend $25 more for the one model up which has a good amount of features. I think that would be perfect.
 
