I was hoping to get assistance in configuration on my server system. I'm really too green to be doing this for the company I work for but we needed this system in a hurry, now I tweak it with great fear of taking out the network during store hours (only hours I have access to work on the system)

Anyways. Here's what I'm doing:

My internet service provider is Cable, routed through Microsoft server 2003. I have a linksys Wireless G router configured as an access point, routed through two switches, that works perfectly for internet and network access. All computers hard wired work perfectly.

I have a WRT54G2 v.1 router I wish to setup for a secondary wireless access. This one I am trying to configure as a secondary router so it will only allow access to the internet while blocking network access.


The server is configured on ip scheme 192.168.1.1. It shares 192.168.1.50 through 192.168.1.200. There is a small range, 192.168.1.100 through 192.168.1.125 not distributed through dhcp for static IPs.

The first router acting as an access point has it's local IP set at 192.168.1.100 and has dhcp disabled.


The second router (wrt54g2) which I wish to setup as arouter has it's local IP set to 10.0.0.1 and has it's Internet connection type set to static ip. I assigned it an IP of 192.168.1.101 with domain name 192.168.1.1 and static dns of 4.2.2.2 and 4.1.1.1 (public domains). DHCP is set to 10.0.0.50

The router has been switched from gateway to router under advanced routing.

A member of Linksys forum correctly identified that the server isn't setup for NAT over 10.0.0.1 (I assume he's correct because his suggestion to turn the router back to gateway worked). However as a gateway I have access to the network still and that defeats the purpose.

So how do I setup 2003 to work with the 10.0.0.1 ip scheme without disrupting the exsisting 192.168.1.1 network? So that I can change the linksys back to a router (from a gateway).

Will I need a secondary internal NIC running a second network or is it all purely software solutions? Also, detailed instructions would be lovely and appreciated as I am a novice. Thank you for your help and support.

Any time that you use a PC, server or workstation as a router, it becomes a problem. Adding a second subnet can be a little tricky too. You could put the wireless router between the server and the cable modem, keep everything on the same subnet and control the network access with group policy. It's a lot less work.

Modem > Router > Switches > All PCs, server and workstations alike.

I guess you need another NIC for that.

Or get a switch that supports VLAN and place it on the local port of your 2003. Then configure VLAN.

Guapo: Maybe if I simplify the project to my ultimate goal. That goal is to have two wireless access points. One with access to the internet and local network, the other two only have access to the internet. So we can work on computers with the secured wireless while still allowing customer use of a wireless access point.

I don't think group policies will work because we don't have a set stable of computers that use the network. IE: we may need to get access to the network with a customer computer while we work on, and setting every customer computer up to work with group policies seems a bit unrealistic. Unless I simply don't understand how group policies would benefit me?

Also, the reason we went to using server 2003 as a overpowered router was because the smaller home office routers we were using kept locking up from the strain of the traffic we were putting on them. A business class router is probably our best bet, but I was hoping to accomplish my goals without drastically changing our current configuration.

We mainly do virus clean up, small home user setup and support. Servers aren't completely beyond me, but not my usual territory either.

I've considered using a secondary NIC as suggested by Htan68, but does anyone here have any experience with a three nic server running two internal domains through one WAN? I could use that advice the most I believe.

Having three NICs in the server wouldn't be two internal domains over one WAN. It would be 2 segments in one domain, which is doable but I have another idea.

There may be a way to set group policy by IP address, instead of by user or group, in Windows Server 2003. Suppose you give the PCs that you want to have access to files on the server a static IP and the customer PCs a DHCP address. Then set the group policy accordingly. I don't have a server here to test it.

It's a bit scary to offer wireless access for visitors with AP connected via LAN side. I will consider to redesign the network so I can have a deep sleep.

If your server room is not enclosed in a concrete or steel wall or if you think that the radio signal will reach the visitors place, maybe you can invest a cheap Cisco 851W router and place it like this...

<cableISP><Cisco 851W><Server><Switch><LinksysForInternalWireless and Clients in LAN>

Visitors will connect via Cisco 851W wireless. So all you have to do is harden your Server outside port.

You can configure that router easily even if you have zero knowledge with Cisco because it comes with SDM tool. Just follow the manual for basic config to enable SDM or Web base. If you have at least basic knowledge in Cisco you don't need SDM.

Guapo:

putting every Computer on static is just not a feasible idea. I occasionally need to connect customer laptops to the internal while doing such things as virus scans. And the techs, myself included, don't always remember to switch things back like static ips when returning their laptops.

How ever you mentioned that three nics would just give me two segments in a domain? Perhaps I could split the 192.168.1.1 up between two nics? So lan1 would be 192.168.1.10-75 and lan2 would be 192.168.1.80-150. Then I could set up group polocies to allow only the first segment access to the network drives and such?

Htan:

You are absolutely correct sir. The problem we initially had was our cheap linksys home router origionally used was locking up two to three times a day, we believe due to the amount of traffic we were pushing through it. Now if I put another linksys router infront of the 2003 server then that would still channel all outgoing traffic through that router, and we'd have the same problems again. Or am I wrong?

I was trying to gain a perspective of options that would not require me purchasing a business class router. However, if that is the only real way of doing what I wish to do, then I will accept that. I hear impossible requests from customers wishing to do incredible things on a shoe string budget. And they always take it poorly when I tell them what they want isn't a cheap solution. So if what I want isn't a cheap solution then it isn't a cheap solution and I shall start looking into business class routers.

and for future brainstormings. The room containing the server is actually the storage room where we keep overflow inv. I know it's not ideal, but we are tiny and how often have you seen a proper server setup outside a multi million dollar operation?

I don't know that a customer computer has to have network access to be part of a virus scan, etc.... The server can still see the PC but the user still doesn't see the shares.

If you can split the Class C subnet between the NICs, then your group policy may work.