Network with DHCP Server, Public IP Range, Router and Private IP Range?

mrchan

Here is the issue:

We have a DHCP server and a pool of about 120 Public IP addresses. The problem is, that is not nearly enough.

What we've done is set up a wireless network (Belkin Pre-N) to give laptop users private IP addresses. The room the wireless router is in is also where we have 14 shared lab computers.

What I would like to do is also run those 14 shared lab computers with a private IP from the router.

But, I still need to be able to access them from the servers and other computers that are in the Public IP range.

Tried turning off the router's firewall and that didn't work.

Tried port forwarding, 4899 (remote admin), 2967 (nav server), 3389 (terminal services), but still no go.

Any ideas?
 

spidey07

How many machines total?

All the hosts should have private addresses. Then you can use NAT to direct what to go where if those hosts need connections made to them (i.e. server).
 

mrchan

Printers, servers, computers, laptops 100 - 150 on any given day.

I can't have them all on a private range.
 

Abix

If you don't mind me asking, what exactly do you need 120 public IPs for?

Also, why can you not go to 10.*.*.* or 172.16.*.* or 192.168.*.*? I'm sure that the second question will be answered by the first.
 

mrchan

It's part of a University Campus. The department has 128 IPs. Going to a completely private network would require loads of paperwork and take way too much time.
 

spidey07

Originally posted by: mrchan
It's part of a University Campus. The department has 128 IPs. Going to a completely private network would require loads of paperwork and take way too much time.

But it's what you need to do rather than come up with an overly complicated, difficult and costly to support solution.

Not trying to preach here, but complicated = bad.
 

SpunkyJones

Originally posted by: spidey07
Originally posted by: mrchan
It's part of a University Campus. The department has 128 IPs. Going to a completely private network would require loads of paperwork and take way too much time.

But it's what you need to do rather than come up with an overly complicated, difficult and costly to support solution.

Not trying to preach here, but complicated = bad.

Agreed. The K.I.S.S. theory, learn it, live it, love it. :)
 

Abix

Too much time? Your IPs are assigned via DHCP! Admittedly, changing the pool it draws from, the router interfaces, any switches with IPs (for admin purposes), any static IPs, etc., probably would take a nice bit of time, but it really is the *best* way to do it. Additionally, if you do that, then you don't have to deal with the large cost overhead of 128 IPs! Even if you do figure something else out, whoever set up that department wasn't very smart IMO.

Anyways, if you have already set up the wireless router to pass out IPs from a pool of, let's say, 192.168.1.1-100, then *all* you have to do is this:
-connect the WAN port on the router to one of your other routers in your core (I assume you've already done this, for internet access)
-connect a nice 20 port switch to one of the LAN ports and hook up all other desktops to the switch (I assume you've already done this)
-turn on the DHCP server in the WLAN router and give it a pool of 192.168.1.1-100/24

At this point, all the laptops and desktops should be getting IP addresses, and you should be able to ping anywhere in the little network just fine

-turn on NAT

Once you have your NAT on, and all the other stuff correctly set up, you should be able to hit up the other servers with whatever you need.

If that's not working for you, do me a favor and do a tracert from one of the desktops/laptops to one of the servers.

PS - "But, I still need to be able to access them from the servers and other computers that are in the Public IP range" What do you mean by that? What type of access do you need to the desktops/laptops in the new private network?
 

mrchan

That is how it is configured now. The lab machines all have IP addresses from the router. NAT is on. Internet access works fine. Roaming profiles work fine. Users logged into these machines can access the servers and shares with no problem.

The problem is that the computers in the new private network don't show up in the larger network, I can't access them remotely, can't manage them through Active Directory and Norton Corporate Edition can't update their virus definitions.

The other issue of going to a private IP range for the entire network is that the department will be moving to a different building within a couple years so I just need a short term solution.
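
The symptom in this post (lab machines reach the servers, but nothing in the public range can reach them) and the earlier port-forwarding attempt can be reproduced with a toy model of the NAT router. This is an added example, not part of the thread; the 198.51.100.x addresses, the host numbers and the `NatRouter` class are constructed for illustration.

```python
import ipaddress

WAN_IP = "198.51.100.20"                      # constructed: router's one address in the public range
LAB = ipaddress.ip_network("192.168.1.0/24")  # private pool behind the router, as in the thread

class NatRouter:
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.forwards = {}  # wan_port -> (lan_ip, lan_port): static port forwards
        self.sessions = {}  # wan_port -> (lan_ip, lan_port, remote): state from outbound traffic

    def port_forward(self, wan_port, lan_ip, lan_port):
        # A WAN port can be forwarded to exactly one inside host.
        if wan_port in self.forwards:
            raise ValueError(f"WAN port {wan_port} already forwarded")
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        # An inside host connects out: its source is rewritten to the WAN address.
        wan_port = 50000 + len(self.sessions)
        self.sessions[wan_port] = (lan_ip, lan_port, remote)
        return (self.wan_ip, wan_port)

    def inbound(self, remote, dst_ip, dst_port):
        # Returns the inside (ip, port) that receives the packet, or None if it is dropped.
        # Packets addressed to the private pool never arrive: the outside network has no route to it.
        if ipaddress.ip_address(dst_ip) in LAB or dst_ip != self.wan_ip:
            return None
        sess = self.sessions.get(dst_port)
        if sess and sess[2] == remote:
            return sess[:2]                  # reply to a session an inside host opened
        return self.forwards.get(dst_port)   # unsolicited: only a static forward matches

def demo():
    r = NatRouter(WAN_IP)
    lab = [f"192.168.1.{n}" for n in range(10, 24)]  # 14 lab machines (constructed addresses)
    server = ("198.51.100.5", 445)                   # constructed server in the public range
    src = r.outbound(lab[0], 49152, server)
    out = {"reply_to_lab": r.inbound(server, *src),
           "server_to_private_ip": r.inbound(server, lab[3], 3389),
           "server_to_wan_unforwarded": r.inbound(server, WAN_IP, 3389)}
    r.port_forward(3389, lab[0], 3389)
    out["server_to_wan_forwarded"] = r.inbound(server, WAN_IP, 3389)
    try:
        r.port_forward(3389, lab[1], 3389)   # a second lab machine wants the same port
        out["second_forward"] = "ok"
    except ValueError:
        out["second_forward"] = "conflict"
    return out
```

With one WAN address, forwarding 3389 reaches a single lab machine; reaching all 14 needs a distinct WAN port per machine or a routed path without NAT.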
 

Lordicus

From my understanding you will not be able to access the private IPs from a public IP because the private IPs are non-routable.

Depending on how the public IPs are given out, you may be able to have both a public and a private IP with 1 NIC. (I do this with a DSL line and the ISP's software)

Ultimately, as mentioned above by the gurus, it would be ideal for internal hosts to have private IPs unless otherwise necessary. I think that you would be commended for mentioning the problem and proposing a solution. But, if the boss is playing deaf, then an idea would be to have a script with netsh to change IPs from public to private on a double click for when you need to access those hosts. 2 NICs is another solution to get you on the same subnet.

Hope this helps, please if I'm wrong in any way point it out, I'm always learning!
Best of luck and courage facing the analogue bosses! :)
 

spidey07

Originally posted by: mrchan
That is how it is configured now. The lab machines all have IP addresses from the router. NAT is on. Internet access works fine. Roaming profiles work fine. Users logged into these machines can access the servers and shares with no problem.

The problem is that the computers in the new private network don't show up in the larger network, I can't access them remotely, can't manage them through Active Directory and Norton Corporate Edition can't update their virus definitions.

The other issue of going to a private IP range for the entire network is that the department will be moving to a different building within a couple years so I just need a short term solution.

Ahh, so now we get to the root of what you're trying to do. I don't think a SOHO router solution is going to work.

This is something we need to draw out and really understand the topology. Again, not trying to preach - but you have specific goals that can be laid out and a design/solution will fall right into place.

I'm a big picture kind of guy and if the goals are clearly defined a simple solution falls right behind it.
 

Wizkid

How about this: connect the wireless router to your Cisco (or whatever) router, assign that interface a 192.168.x.x IP and update the routing tables on all your routers. Get a wireless router that lets you set up static routes so that you can point it to the rest of the network without using NAT. OR, better yet, just buy a real wireless router (not SOHO) from Cisco or the likes and do something similar to the above.

Warning: I never actually tried the above, so take my advice with a grain of salt ;)
 

mrchan

Thanks guys, I pretty much figured there was no real workaround, at least with the equipment I have at the moment, but was hoping for something I hadn't considered.

 

Abix

Originally posted by: mrchan
That is how it is configured now. The lab machines all have IP addresses from the router. NAT is on. Internet access works fine. Roaming profiles work fine. Users logged into these machines can access the servers and shares with no problem.

The problem is that the computers in the new private network don't show up in the larger network, I can't access them remotely, can't manage them through Active Directory and Norton Corporate Edition can't update their virus definitions.

The other issue of going to a private IP range for the entire network is that the department will be moving to a different building within a couple years so I just need a short term solution.

The only way that I can think of to do that is to change to an all private range IP address scheme. Routers are designed so that they do not send private IPs out into the public IP range. If you change completely over to a private IP scheme, then your routers will be able to distribute the private IPs all across the network perfectly fine and you'll be able to do any sort of direct remote admining required.

Overhaul your network!