Hi, I'm working on a new network configuration and would appreciate any advice (just the logic and ideas, not the code; some more specific questions are at the end of the post).
Background: our office space and other equipment are about to be moved to two other locations (close to each other). A simplified preliminary network sketch is below. Network configuration information and limitations:
- We have no control over the buildings' networks or switches. So from our point of view, it looks like all our stuff is plugged into a single dumb switch, and that switch is connected to the router. In practice, the owner of the buildings' network has simply put all our rooms on the same VLAN on their network equipment (my guess is that this is a port-based L2 VLAN).
- Some of our equipment is connected directly to the router (blue and grey parts) and some is connected via the buildings' network (the rest).
- Part of the network equipment is ours and we can control it (router and access points; the latter are marked as ...AP/router on the diagram because the devices themselves are just MikroTik devices that can do the routing job if necessary (e.g. hAP ax²)). But in general, there is no need for really high speeds in most cases, so all the routing decisions could be made directly on the router.
- Users with laptops can (and will) move between all locations many times a day.
- Most of the users are using Windows (10+), but there are also some Linux devices over there. Plus, we will have a guest network (Wi-Fi only).
- Everything marked as 'device' on the diagram is a random piece of strange lab equipment with all sorts of operating systems on board. Fortunately, they are all behind our own network APs (except the 'yellow' one, but it has Windows 10).
- All traffic within the uncontrolled part of the network should be secured.
- It should not be possible to connect unknown equipment to the network (well, this is not always possible for the 'devices', unfortunately...).
- All the equipment should be separated into VLANs, e.g. for the users (LAN and Internet access), 'devices' (LAN only), guests (Internet only) and so on.
- It should be possible to move any laptop anywhere.
- 'Devices' can also be moved (rarely, but still). If necessary, they can be guaranteed to always be behind our own network equipment.
- Some equipment should be available from the Internet, e.g. 'Server'.
- Traffic between the router and our network equipment could be tunneled (IPsec, as it is hardware accelerated). A bit of a concern is the Windows 10 equipment, as the VPN client built into Windows has a strange relationship with the VLAN tags.
- Since the buildings' network is, presumably, an L2 VLAN, and the IPsec tunnel is at L3, I need to bridge L2 over L3 if I want any L2-related features, such as VLAN tagging. Should I use EoIP for that, or are there other, better options around?
- Equipment could be authenticated using 802.1X. But then I have to set up a RADIUS server. And not all devices support 802.1X (but the devices facing the building network do). So, maybe just IPsec-them-all for the wired devices that are connected to the uncontrolled part of the network?
- What kind of VLAN should I use? If everything wired to the insecure part of the network is connected over IPsec, laptops are connected to the APs, and so on, would a simple MAC-based VLAN be enough?
- What is the best way to set up the very few devices that require high network throughput (shown in grey in the diagram)?
Posted by dmitriyt — Wed Jan 03, 2024 8:06 pm
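The following is an added RouterOS v7 configuration example illustrating the approach the post asks about (EoIP carried over IPsec across the building VLAN, with VLAN tags preserved and per-VLAN firewall policy on the central router). It is not from the original post or from the poster. The addresses (10.0.0.1 for the router and 10.0.0.2 for the AP on the building VLAN, 192.168.x.0/24 per VLAN), VLAN IDs 10/20/30, interface names (ether1, ether2, ether5, wifi1, wifi2) and the PSK placeholder are all assumptions for illustration.

```routeros
# Added example, not from the original post. RouterOS v7 syntax.
# Assumed: the router reaches the AP through the building VLAN on ether1
# (router 10.0.0.1, AP 10.0.0.2), the Internet uplink is ether5, and one
# directly attached high-throughput host sits on ether2.
# VLAN 10 = users (LAN + Internet), 20 = lab devices (LAN only), 30 = guests
# (Internet only). Replace the PSK placeholder with a long random string.

# ---------------- central router ----------------
/interface eoip
add name=eoip-ap1 local-address=10.0.0.1 remote-address=10.0.0.2 tunnel-id=1 \
    ipsec-secret=REPLACE-WITH-LONG-RANDOM-PSK
# ipsec-secret makes RouterOS create the IPsec peer and policy for this
# tunnel, so the Ethernet-in-GRE frames crossing the building VLAN are
# carried inside ESP instead of in the clear.

/interface list
add name=WAN
/interface list member
add list=WAN interface=ether5

/interface bridge
# keep filtering off until the VLAN table below is complete
add name=br-lan vlan-filtering=no
/interface bridge port
# trunk to the AP: only tagged frames accepted, untagged frames dropped
add bridge=br-lan interface=eoip-ap1 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# local high-throughput host: untagged access port in the users VLAN
add bridge=br-lan interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=br-lan vlan-ids=10 tagged=br-lan,eoip-ap1 untagged=ether2
add bridge=br-lan vlan-ids=20 tagged=br-lan,eoip-ap1
add bridge=br-lan vlan-ids=30 tagged=br-lan,eoip-ap1
/interface vlan
add name=vlan10-users interface=br-lan vlan-id=10
add name=vlan20-devices interface=br-lan vlan-id=20
add name=vlan30-guest interface=br-lan vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-users
add address=192.168.20.1/24 interface=vlan20-devices
add address=192.168.30.1/24 interface=vlan30-guest

/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# users: LAN and Internet
add chain=forward action=accept in-interface=vlan10-users
# lab devices: LAN only, never towards the uplink
add chain=forward action=drop in-interface=vlan20-devices out-interface-list=WAN
add chain=forward action=accept in-interface=vlan20-devices
# guests: Internet only
add chain=forward action=accept in-interface=vlan30-guest out-interface-list=WAN
add chain=forward action=drop in-interface=vlan30-guest
# anything not matched above is dropped
add chain=forward action=drop

# enable VLAN filtering last, once every port has a VLAN table entry
/interface bridge set br-lan vlan-filtering=yes

# ---------------- hAP ax² used as a pure AP ----------------
# Everything is bridged to the tunnel; routing stays on the central router.
/interface eoip
add name=eoip-rtr local-address=10.0.0.2 remote-address=10.0.0.1 tunnel-id=1 \
    ipsec-secret=REPLACE-WITH-LONG-RANDOM-PSK
/interface bridge
add name=br-ap vlan-filtering=no
/interface bridge port
add bridge=br-ap interface=eoip-rtr frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# wifi1 = staff SSID, wifi2 = guest SSID, ether2 = lab device port
# (the wireless settings themselves are omitted here)
add bridge=br-ap interface=wifi1 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-ap interface=wifi2 pvid=30 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-ap interface=ether2 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=br-ap vlan-ids=10 tagged=eoip-rtr untagged=wifi1
add bridge=br-ap vlan-ids=20 tagged=eoip-rtr untagged=ether2
add bridge=br-ap vlan-ids=30 tagged=eoip-rtr untagged=wifi2
/interface bridge set br-ap vlan-filtering=yes
```

Two practical caveats for this layout: the tunnel-id must match on both ends, and every EoIP tunnel between the same pair of addresses needs a distinct one; and because EoIP adds GRE/IP headers and IPsec adds ESP on top, full-size 1500-byte frames inside the tunnel will be fragmented on the building network unless the tunnel MTU is lowered or TCP MSS clamping is relied on, so check throughput with large packets before declaring the link done. The `ipsec-secret` shortcut uses RouterOS's default IPsec proposal; if a specific cipher suite is required, configure the IPsec peer, identity and policy explicitly instead and leave `ipsec-secret` unset.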