Everything in IT is based on something else. We always want to have the newest, latest, greatest technology; Replicating our files shares between two offices, Wi-Fi, VPNs for working from home, Email on our smart phones, etc. There seems to be a bit of magic in a lot of these new technologies. The parts that are “magic” all rely on a lot of other little things being setup correctly, and those little things, are often overlooked and lead to network issues.
Let’s start with wireless. It’s so easy, right? Just grab a router from <insert big box retailer here>, plug it in somewhere on the network and walk away, right? At home we can get away with that stuff, but not for our business or enterprise networks. The biggest problem here is that our new Linksys, Netgear, or whatever brand “router” is more than just that. They are a router, firewall, and wireless access point all rolled into a single device. The important piece in that device that we usually don’t want to double up on is the router / firewall combination. Yes, we’ve shifted focus a bit, but stay with me, you’ll see what I’m getting at in the end.
Often times stringing a few of these devices together will work fine, for the most part. The challenge comes when we want to start growing the network. Let’s add a server and setup a Windows Active Directory domain on our network that has 3 Linksys routers to help cover our whole building with Wi-Fi. (see Figure 1)
The tech guy has copied all the files onto the server and shared the main copier / printer that is connected to the same router. According to him it is ready to go. He even shows you how to join a computer to the new domain. Looks easy right? Pam’s computer joins the domain, the boss’s computer has no problem, and the guy across the way from the boss has no problems either. Then things get weird. Moving farther away from the new server nobody can join, people who were able to get to the file share at their desk can’t reach it in the conference room. This seemingly random level of success seems to only get worse as you continue through the office. What’s happening here?
We’re going to change our view of the network from a map of our office to a logical layout (see Figure 2). Let’s imagine we have computers plugged into each router.
Here’s the part of these router/wireless devices that isn’t quite obvious at first. The firewall has an inside and outside interface. Network traffic can easily go from the Inside to the Outside direction, but not the other way around.
Because of this outside / inside “wall” (get it?), anyone connected to AP1 won’t be able to reach the server. Okay, the easy solution is to move the server to AP1 then right? It’s not really that easy. People on AP3 are only sorta working. Why is that?
The network settings used on all of the routers was the default configuration (See Figure 3). Because of Network Address Translation (NAT), we CAN duplicate the network addresses like we have here, but that doesn’t mean the network is completely free of problems. In this default type of deployment, there are a lot of things that can work but there are also many things that won’t work until changes are made to configure the devices and networks correctly.
In the current network, each router is handing out network addresses and giving out name servers (DNS resolution) from the Internet, because that’s what AP1 gave to AP2, and AP2 gave to AP3. Computers anywhere on the network can reach the Internet, but only the computers connected to AP2, the same AP that the server and printer are connected to, can actually reach the server and the printer.
Computers on AP3 could reach the server and printer -IF- the network address on the inside of AP3 wasn’t the same as the inside of AP2. So, how do we fix this mess? It’s rather simple, and I promise it won’t break the bank!
- Turn off DHCP (which hands out addresses to the desktops / laptops) on the routers and move DHCP services to the Windows Server.
- Replace AP2 and AP3 with simple network switches.
- Buy a few wireless access points – which is all they do (no firewall / router built in!), and setup the APs properly across the office.
- Replace AP1 with a basic router / firewall that doesn’t have built in Wi-Fi.
Here’s what our network looks like after a few basic changes.
(see Figure 4)
Our “network” is actually one single network now. Before, we had pockets that were segregated via one-way streets. Now, a computer connected to any AP, or any switch, can reach the server, file shares, printer, and Internet. Everything works! The key takeaway here? Let’s think twice about throwing another Wi-Fi router into the mix. They can end up cutting you off from important parts of your network without realizing it.