Network Gurus, I need your help on setting up 50 computers w/ 30 Static IPs on a full T1...

RDSport323

Senior member
Mar 28, 2000
773
0
76
Ok, here's my situation that I need some advice or help with...

I have:

1. Full T1 Connection
2. 30 Static IP Addresses
3. 50 computers
4. Netopia R5300 T1 Router with 8 Port Hub
5. HP ProCurve 4000m 40port Switch
6. HP AdvanceStack 24 port Hub

I need:

1. All computers to be connected or somehow have access to the internet
2. to be able to monitor Time Usage on each computer remotely from a Main Computer (the computer used at the front desk)
3. To be able to remotely control all computers connected on the LAN.
4. to minimize decrease of performance

My solution was to do this:

T1 Line ---> Netopia T1 Router ----> HP ProCurve 4000m 40 port switch (connect 27 computers to that) ----> then have one of the computers connected to the switch run linux with 2 NICs act as a router and assign private IPs ----> HP AdvanceStack 24 port Hub ----> then connect the remaining 23 computers to the hub. That was one of the ideas or procedures I thought of using..

But, with that plan, I have a few questions. Having 24 computers connected through a linux router, would it cause any collisions, or will the linux box not be able to handle all of the information being requested, etc?

Also, is there any software out that can monitor usage of each computer on the LAN? Where I can sit at the front desk, and keep track of how long each person has logged in? or has been using the computer?

Besides PC Anywhere and Timbuktu, are there any other programs that I can use to remotely connect to another computer and monitor its activities/control its activities w/o the person sitting at the computer knowing?

I really need help with this... I am hoping my plan works, but I am just worried about whether or not the linux router can handle all the traffic, etc? Any other suggestions/advice would be greatly appreciated....

Thank you
 

bex0rs

Golden Member
Oct 20, 2000
1,291
0
0
Besides PC Anywhere and Timbuktu...

VNC is a popular [and free] one.


... w/o the person sitting at the computer knowing

I can't speak for PCA, but I know that with Timbuktu and VNC, the icon in the taskbar changes color when a connection is made. Most people probably won't notice / won't care if they notice, though.


Having 24 computers connected through a linux router, would it cause any collisions, or will the linux box not be able to handle all of the information being requested, etc?

Shouldn't be a problem for the linux box. However, 24 computers on a single hub may not be the best idea, depending on what they are doing.


I'm sure others have input too...

~bex0rs
 

RDSport323

Senior member
Mar 28, 2000
773
0
76
Oh yeah, I remember VNC... I think I might try that....

The 24 computers attached to the hub will be doing some basic surfing on the net, Instant messaging, possibly d/ling mp3s or what not, and maybe playing Counterstrike... is that too much bandwidth?

What I don't understand, is why would they make a 24 port hub, if it can't handle all the information? why not limit them to maybe 8 port hubs....?

thanks!
 

Garion

Platinum Member
Apr 23, 2001
2,327
5
81
A few comments:

Your linux router might be able to keep up with a light load, but it might bog down a bit when things get heavy. Of course, it depends what kind of box it's on.

In general, you want to keep all your hosts "inside" your router. That way all the normal LAN traffic doesn't have to go across the router and get slowed down. Link up the hub and the switch and you'll be set. The only traffic that has to pass through the router is then destined for the Internet.

If this is for a business, your best bet would be to get a real firewall. You should be able to pick up a dedicated hardware firewall for a couple of grand that should do the trick nicely.

If you don't have the cash, pick up one of the inexpensive broadband routers like the SMC Barricade. Their max throughput is around 4Mb/s, more than enough to handle your T1. (I've got something similar and I see speeds of 2-3Mb/s on my cable modem all the time). The Barricade will do all kinds of port forwarding and will do a good job at protecting your network. Also, it's very simple, especially when compared to a linux router!

Others are on the right track with VNC - It's a good tool to use for viewing people's desktops - Lots of fun to add the occasional "q" when they are typing along, too.

Lastly, it's very difficult to monitor Internet traffic. There are some products that will let you do it, but it isn't cheap and doesn't always work very well, especially in a switched network where you don't see all the traffic on any one port.

- G
 

chaotic

Member
Apr 26, 2001
173
0
0
Funk Software makes a very cool (and transparent) program for remote control called Proxy. It has some issues with some machines not being allowed to boot, so you'd have to get in contact with Funk directly if it happened.


*Edit: Link Fixed
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
For monitoring, try WebSense (Don't know the URL). Or, instead of allowing direct internet connectivity for all, use a proxy server, and log internet activity there.

For activity monitoring, what OS, and what auditing can you set up?

W2K provides for log-on hours, and the audit log (on the DC) can keep log-in & log-out times.

You're not going to have much fun, administering 30 static IP addresses! Too bad you can't set up DHCP, limiting the scope to the 30 addresses that you have. It still wouldn't solve your 30:50 ratio problem, though.

--Woodie
 

nexus9

Senior member
Jan 8, 2000
535
0
0
Linux router will probably handle this without any problems. We have a 300 MHz PII that is NATing and firewalling for about 500 people on a shared T3, and we don't have any problems.

-Nexus9
 

67gt500

Banned
Jun 17, 2001
412
0
0
I see no reason for the linux router in this situation.

Netopia to the two switches, and branch out from there.

That router has an internal DHCP server and NAT functionality. I'm currently using the 5100, great piece of hardware. For the machines you wish to run statics, simply hard code the TCP/IP stacks for each machine.

Not a very complex process, and I see no particular need for a linux box acting as a dhcp server or firewall. If you were looking for auditing/setting policies, etc across the lan I would recommend any server operating system as a go between the router and workstations. But it simply is not needed in this setup.
 

RDSport323

Senior member
Mar 28, 2000
773
0
76
Wow, thanks to all of you who have responded..

67gt500: I see what you are trying to do by connecting the switch and the hub directly to the router, but, even though the router has a built in DHCP and NAT service, it still doesn't solve my problem of having 30 IPs for 50 computers. Unless the 24port Hub has a built in DHCP server as well, I don't see a clear solution by having the hub and switch directly connected to the router. I can probably set the router to distribute the 30 IPs to the computers connected, but then what happens after 30?

I figure having a linux box will solve that problem w/o the need of buying another router. And with a linux box, since no one will be using the actual computer, it won't cause any sort of lag or traffic bottlenecks.

nexus9: You have a linux box that serves as your firewall/dhcp server, with 300 computers connected together? Wow.. that's a LOT of information to be passed through just 4 pieces of copper wire. Isn't technology INCREDIBLE???

I am soo amazed at how much can be accomplished with just COPPER wires... wow.

Thanks for the input, fellas. I truly appreciate it.

 

MJT2k

Senior member
May 28, 2001
209
0
0
Someone mentioned using a proxy server, let's expand on that idea. You could set it up like this.

T1 --> Router --> Hub {Linux Box attached to Hub} --> Switch (in any order, it doesn't matter).

Then set up a linux box that will serve as a proxy, dhcp, and possibly as a firewall (not sure how) to the first hub/switch.

All the computers on the network will have to "log in" to the linux box to get an IP via dhcp (whether it be public or private). You can decide what computer will have what type of IP via the dhcp server using MAC addresses (using dhcp to hand out static IP's).

Basically the setup would be so that every computer will have a "direct" connection to the Internet (not really, but they would if you had enough IP's). I am not really sure how to make this setup work but it has been done before (dial-up ISP's, large corp's, schools, etc.) In fact you wouldn't need to use linux you could do it with NT or 2000 server (but I don't suggest it).
 

Garion

Platinum Member
Apr 23, 2001
2,327
5
81
Again, I think the Linux box is totally overkill and really going to impact performance.

RD, if you pick up a cheap broadband router/firewall (We'll just call it a firewall for this post to avoid confusion with your other router) like the SMC Barricade it will allow you to use Network Address Translation (NAT). This allows your entire network (from 1 - 1,000+) users to connect to the Internet using ONE IP address. Yes, just one. The fact that you have 30 is great, but most organizations don't need that many.

When you use NAT, the firewall will act as a DHCP server for your inside network. It will dispense IP addresses from a "private" range, designed to be used behind NAT or off the Internet. In this case, most firewalls use 192.168.x.x. Your connection would be, in essence:

T1 router -> Firewall -> Switch -> Hub

Whenever you put in anything that has to process IP packets (like a Linux router or, for that matter, any kind of router) you are adding delay to the network. If you were to put a hub on one side of a linux router and your switch on the other you would really decrease the performance from the users on the hub to the users on the switch since all their traffic between the two would have to be processed by the Linux router.

With the hub connected to the switch you'll get maximum performance on your LAN, as many IP addresses as you can ever use, easy management, low cost, a high level of security and a very trouble-free solution. Kind of a no brainer.

- G
 

RDSport323

Senior member
Mar 28, 2000
773
0
76
Garion,

Thank you very much for that informative response. I understand your reasoning, but see, this place that I am configuring, is an Internet Gaming Cafe... where people go and play Counter-Strike and other online games, as well as surf the internet. I guess your idea about sharing one IP is ideal and great, but, since they have 30 IPs, I would like to fully utilize them in one way or another... (e.g. FTP server, WWW server?, CS Servers), or anything. But, just as long as the computer is configured to use an IP, and not set to use DHCP, then the router will not assign that computer an IP, correct?

Well, I guess that sounds like the plan, but now to find use of the other 29 or so IPs... w/o hogging up too much bandwidth.

Thanks for the input.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
The additional "outside" IPs can be assigned / mapped to specific "inside" resources. If you have address .1 - .30, then .1 can be the primary site address, .2 can be mapped to an FTP server, .3-6 can be one type of game server, .7-.10 can be another type of game server....etc.

Mapping external addresses to internal resources is very common. The outside address is what the firewall uses to figure out what it is on the inside that you want to talk to.

If you're not really familiar with this stuff, you should stay with off-the-shelf, and get a semi-smart guy to manage it...if you wanna integrate & configure something custom...you better get yerself a *REALLY* smart guy...the kind of place you're describing is a ripe target for every twerp-hacker-wannabe with a script...especially after you kick them (or their friends) off / out. Denial-of-service (DoS) is so easy to pull off it's scary...get something good, and get a good person to set it up and manage it. Get a good commercial grade router and firewall for the NAT mapping.

FWIW / .02

Scott
 

Garion

Platinum Member
Apr 23, 2001
2,327
5
81
You are correct that if the PC already has a static IP it won't try to get one from the DHCP server. There is, however, one catch. If you are using the setup I described, the "inside" and "outside" of the firewall are different networks. If you have an "inside" IP you can't plug into the "outside" network and make it work.

If you're doing this as a business then you probably want something more robust than a barricade. Best bet would be to look at a specialized hardware firewall that provides better protection, flexibility and throughput. What's your budget? You might do well with a low-end Cisco PIX, but they are a pain to configure. There's lots of other fish in the sea - Just be sure that you can evaluate whatever you buy to make sure it works well with gaming. Not usually a primary design point with big hardware companies. Also, the IP mapping that Scott mentions is not available in small routers - Just the larger corporate-oriented ones.

Possible uses for your outside IP's: Web server, FTP server, gaming servers, mail servers, etc. If you don't use all your IP's they aren't going to take them away, don't worry about it.

- G
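
Added example, not part of any post in this thread: a small Python model of the NAT behaviour discussed above, with the workstations sharing one outside address while spare outside addresses are mapped one-to-one to inside servers. The address ranges, the server hosts and the `NatFirewall` class are constructed for illustration, and sessions are keyed only on the inside host and port, which is simpler than a real firewall.

```python
import ipaddress

# Constructed addressing plan: a documentation range stands in for the 30 public IPs.
OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/27")   # 30 usable addresses
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")    # private range handed out by DHCP
PAT_ADDR = ipaddress.ip_address("203.0.113.1")         # shared by every workstation
STATIC_MAP = {                                         # outside -> inside (hypothetical servers)
    "203.0.113.2": "192.168.0.10",                     # FTP server
    "203.0.113.3": "192.168.0.20",                     # game server
}

class NatFirewall:
    def __init__(self, static_map=STATIC_MAP):
        self.static = {ipaddress.ip_address(o): ipaddress.ip_address(i)
                       for o, i in static_map.items()}
        for outside, inside in self.static.items():
            if outside not in OUTSIDE_NET or inside not in INSIDE_NET:
                raise ValueError(f"bad mapping {outside} -> {inside}")
        self.sessions = {}       # port on PAT_ADDR -> (inside ip, inside port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving the LAN; returns (outside ip, outside port)."""
        src = ipaddress.ip_address(src_ip)
        if src not in INSIDE_NET:
            # An outside address configured on an inside host is on the wrong network.
            raise ValueError(f"{src} is not an inside address")
        for outside, inside in self.static.items():
            if inside == src:
                return str(outside), src_port          # server keeps its own public IP
        for port, flow in self.sessions.items():
            if flow == (src, src_port):
                return str(PAT_ADDR), port             # existing session reuses its port
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (src, src_port)
        return str(PAT_ADDR), port

    def inbound(self, dst_ip, dst_port):
        """Return the inside (ip, port) for a packet from the Internet, or None if dropped."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.static:
            # Simplification: a real firewall would also restrict which ports are forwarded.
            return str(self.static[dst]), dst_port
        if dst == PAT_ADDR and dst_port in self.sessions:
            inside, port = self.sessions[dst_port]
            return str(inside), port
        return None              # unmapped address or no session: unsolicited, dropped
```

Two workstations using the same source port get distinct ports on the shared address, and anything arriving for an outside address with no mapping or session returns `None`, which is the protection the NAT setup gives the 50 client machines.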
 