Weird network setup...

[Chuck]

I've just been apointed network manager for a school for my year in industry and during the handover period I noticed something a bit strange with the way the network IP's were setup.

The problem is that they only have 15 IP's allocated to them (with a good few being tied up with important stuff like routers, servers, my machine , etc..), and something like 30+ machines. Now the way the old network admin got around this was having a DHCP (?) server allocate internal IP's to all the machines by default (with an 'internal' hosts file which give the internal IP of the mail server), and then when someone wanted to use the internet he'd manually change the setting on their computer to use one of the 10 free IP's (and copy over a new hosts file with the relevant changes). For starters i'm not really quite sure how this works... running two different IP ranges on the same network (i.e. not bridged by a firewall) seems loopy to me and I really can't work out why it's working. But still...

The way I see it there are are three main options available to me.

- I can either get some more IP's (which I don't really want to do... budget is tight enough as it is).

- Or I can screw the internal IP's and just have the DHCP server allocate the 10 free IP's, but just with really small expiry times. (eugh).

- Or I can screw the external IP's and setup a proxy / firewall to map things over (which again I don't want to do because the server is overloaded as it is [P1-Pro 200 - NT4].. well I guess it's overloaded the network is as slow as hell and I can't see another reason for it...)

Comments?

Thanks

 

[nexus9]

You should probably use a private IP address range for your boxes and run NAT (Network Address Translation - much better than a proxy IMHO). I don't think NAT is very CPU intensive, especially for the number of users you have. It'll probably run fine on a 486 running Linux. Hell, I think someone was giving away a Ppro 200 on the distributed computing forums the other day...

private ip address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

 

[Chuck]

Thanks. I'll give it a shot.

 

[SufferinSuccotash]

Just a second success story -- we have 30 IP addresses here at work and about 150 workstations. NAT works great for us, and so does IP Masquerading (Linux as a router instead of NT, same thing really). Usually you don't run into any problems with this until you get into gaming or another program that has uses the ports in a strange way, which shouldn't be a problem at a school, right?

 

[Chuck]

I've been thinking about this for a bit, and i'm not sure, but I have a bad feeeling that it'd be hard to put in a NAT server or linux box in between the the ISDN router and the network because the main server is on the top floor (with the main bulk of the machines in the library) and the ISDN router is on the ground floor in the hub / switch box.

I doubt they'd autherise me to re-wire the whole school!

 

[dirtboy]

Actually, you already have everything you need. At this point, you need to do a little investigating into what kind of equipment you have and how the building(s) are wired, so you can create a plan to fix things.

Two things I see right away. You have 15 IP addresses. From the information you left, I am assuming your server is not an outside web server? What does this server do? The 15 should be 14 more than you really need. I have run over 50 machines, including multiple servers, off of one IP address.

This means you can convert you entire network to private IP's, 192.168.x.x. Before you do that, we need to find out some information. You said you have an ISDN router, correct? What you need to do is find out what make and model this thing is, then check with the manufacturer to see if it can do NAT. Most routers can do NAT out of the box, but if this is an older model, you may have to download and update its firmware.

Once you have NAT setup on the router, all of your computers on the network will have Internet access simultaneously.

You also said the network seemed slow. Do you mean the Internet is slow or that file transfers across the network or to/from the server(s) are slow? In either case, it is time to look at how the switches and hubs are connected to the network. Since you have 30 machines, I am guessing that you have atleast two hubs. It's time to find out how they are connected to one another. There may be a better way to do it to increase performance.

 

[Chuck]

I think it's an 'Ascend Pipeline 50/75'. I can't see a mention of NAT on the specs page. Also the problem is that I don't think i'm allowed to access it. The ISP that they currently go through manage the router. I dunno if i'd beable to con them into enabling it.

I don't exactly know what they meant by the network being slow. They just said "it's slow, fix it". I'm guessing they meant that general file was slow since they don't use the internet much (with the current IP problem). As far as I can make out, most programs are stored on the NT4 server, but with Windows on the local HD. While I was their for the 2 day hand-over period (much to the dismay of the old admin) I turned on the performance monitor for NT on the server. The CPU % usage never really went above 30% (other than the odd 100% spike).

Hub wise, I think it's fairly solid. They are two 3com hubs / switches (not quite sure which) both with about 25/30 ports and cables everywhere. The cables also went into these strange little boxes which looked like hub's, but seemed to only be the faceplate of one. I've tried to find the name of the hub/switch but they don't look anything like the ones on the 3com web site.

Thanks

 

[Damaged]

An Ascend Pipe 50/75 will do NAT if it has the proper firmware (version 6.x.x something or higher). I don't know why the ISP wouldn't enable NAT for you. Heck it's in their best interest as well. Funny thing about the Ascends running NAT is that you can't ping the outside IP nor manage it remotely with NAT enabled. THAT, I'm sure, would be the ISP's gripe if they're managing the CPE (Customer Premise Equipment).

Those "stange looking hubs" with just the face plates are patch panels. Basically you have one where you can drop an incoming line from a certain location and then patch it over another panel that's connected to a switch or whatever. Hopefully the things are labeled in some meaningful way. If not, you should take the time to label the ports at peoples desks, then the patch panel ports so that it makes sense. Heck, just so it's easier to find things and track things down.

 

[Chuck]

Why not just connect the cable directly into the hub though?

 

[Damaged]

You mean instead of using the patch panels? You could. The patch panels just keeps things more organized and easier to troubleshoot as well as providing ease of switching cabling around.

 

[dirtboy]

Damaged is right on the money. There is no reason why your ISP wouldn't want you running NAT...most of them will recommend running it.

I would inquire with the staff what they mean by "the network is slow". If they mean the Internet, well, that's because you just have an ISDN line. If it is file transfers between the server, then it has something to do with the way the switches/hubs are connected.

 

[Chuck]

I've just rung them up. They say that they don't offer NAT, and that they'd suggest getting more IP's (at a cost)... grr..

 

[cavingjan]

Sounds like they are just looking for some more money. You could buy and install a regular router to hook into the network between the ISDN modem (its not really acting as a router anymore) and the hubs. This will provide protection for the rest of your network and share the connection. And then ditch several of the IP addresses that you will not need anymore.
Another option might be to try to get a DSL service. I have found that in some areas, ISDN is actually more expensive that several of the different flavors of DSL.

 

[Chuck]

Not in the UK

I might just for for more IP's.. It can't be *that* expencive...

 

[dirtboy]

They may not offer it, as in they won't help you configure your network for NAT, but any routed network can be configured for NAT. Especially since your Pipeline 50 is able to run NAT with the proper firmware, there's really nothing stopping you.

 

[lessthanjoey]

you should DEFINITELY use NAT over additional IP's for a number of reasons:

1. IP Addresses cost money. You could buy an additional router like suggested above and place it in between their router and your network for less money than the IP's you require.

2. NAT and the second router (if configured correctly) provides a second layer of security for yoru network. Giving workstations valid routable IP's is a very bad idea. It would improve security and protection to those pc's immeasurably if they only had non-routable IP Addresses.

Hope this helps....