
See any problems with this setup?

DougK62

Diamond Member
Here's the setup. Here at work we have about 20 computers. Two are servers - one internal for files and the other external for web serving and email. We have a T1 that everyone shares. Our T1 service is "managed" - meaning that I can't touch the Cisco router that we have on site - the provider takes care of it for us.

I recently stepped into this job. The current setup has every computer getting a public IP address. I don't like this so much and I want to set up some network address translation for all of the computers except the webserver. I have a Linksys BEFSR41 router at home that I no longer use. My thought is to just toss it in right after the Cisco router that I can't touch. This will let me NAT the computers that I want and leave the webserver open. Does this seem reasonable? I'm basically looking for opinions and maybe experiences with using the BEFSR41 in a situation that gets more traffic than its intended situation in a typical home setup. We are a small company and don't generate much traffic. Would it turn into a bottleneck? I also assume that the router can be used this way and won't mind not being on the end of a DSL/cable service like it's intended to be - true?
 
Seems reasonable to me. As far as traffic goes, your cable/DSL bandwidth was likely comparable to the T1 you have at work. You might be better served though to buy a low end business class router/firewall. They can be had pretty cheap. Not that it's the right answer, but a Cisco PIX501 can be had for about $500.
 
The setup you described is exactly the same I have here at my work. We have about 100 clients on the Linksys router. The only problem is that about once a week it locks up and needs to be reset.

But if your company can afford it, it would probably be better to get some sort of SOHO firewall/router.
 
Getting your PCs behind some sort of firewall is a very sensible thing to do. In the configuration you have, perhaps a better thing to do is to put a small switch between the Cisco and the Linksys, and to put your external boxes (web server et al) on that switch. So the boxes that are intended to talk with the outside world directly continue to do so (and must be kept secure on their own). Then you can use a PAT firewall box to protect/multiplex the random PCs. Just remember to not have any connections from the DMZ directly to the inside network.

The upshot of this vs. opening up a port on the firewall is that port mapping on firewalls is one of the heavy problem areas. People seem to have trouble with it often. The downside is that the firewall might be able to provide a layer of protection against attack even for hosts with ports opened up. But lower-end firewalls don't offer much. Think about this and maybe try both approaches and decide for yourself (if one approach doesn't work right, that makes the decision easier!).

The Linksys box might or might not deliver good enough performance -- you are running up on the limit of what it can do. A T1 is 1.544Mb/s (ish) in two directions, so say ~3Mb/s of throughput capacity is needed. It also matters just how much you use your connection; if you have a burstable connection and don't max it much, maybe it's fine that the Linksys can't handle full speed. Try it and see what kind of performance impact (noticeable or not) it has - if it affects things too much, try a BEFSX41 (which has more performance) or better yet jump to a low-end PIX.
 