Suggested network layout
Here is a suggested layout I found on the net that I thought was good, and I am posting it here for your review. If you want to see it from the original website, click here.
"A" is your primary ROUTER. It has the connection to the ISP. It is configured as follows:
If the ISP uses DHCP, the WAN side is configured automatically: the ISP supplies the WAN IP address, subnet mask, gateway address and DNS servers.
If the ISP does not support DHCP for your circuit, you will have to enter the WAN IP address, subnet mask, gateway and DNS servers yourself. In either case, do not activate the DHCP server on this router. "A" does not hand out IP addresses to downstream devices, so everything on its LAN side (the WAN interfaces of the "C" routers) is addressed statically.
The "LAN" side of the router is set up as follows:
- IP address: 172.16.0.1
- Subnet Mask: 255.255.0.0
In each building you place a SWITCH, shown as B1, B2, etc. Switches do not need IP address assignments; they forward Ethernet frames and are transparent at the IP layer.
C1A is a combination ROUTER/Wi-Fi access point. Let's assume that C1A is assigned to faculty and staff. It is configured as follows:
"WAN" side of the C1A router:
- IP address: 172.16.0.101
- Subnet Mask: 255.255.0.0
- Gateway: 172.16.0.1 <-the "LAN" side of primary router "A"
- DNS server(s): copy the values from "A"
If Wi-Fi is enabled, use an ESSID that identifies the network as the faculty/staff LAN and assign a security key (passphrase) different from the one used on the student LAN(s); otherwise anyone holding the student key could join the staff network.
"LAN" side of the C1A router
- IP Address: 192.168.0.1
- Subnet Mask: 255.255.255.0
- DHCP server turned ON
- DHCP pool start: an address in the range 192.168.0.2 through 192.168.0.254 (not 192.168.0.255, which is the broadcast address of this /24 and cannot be assigned to a host; and not 192.168.0.1, which is the router's own address)
D1B is a switch supporting hard-wired connections, in this case for students.
This provides internet access to both groups, students and faculty/staff, yet isolates students from faculty/staff, and it also isolates each building from the others. Essentially, wherever you have a "C" router you have a small subnet that is isolated from all of the other "C" subnets.
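The addressing above is easy to get subtly wrong (a pool boundary on the broadcast address, two "C" routers sharing a WAN address or a LAN subnet, a gateway that is not "A"). The following checker is an added example, not code from the original write-up: it uses the addresses this page gives for "A" and C1A, while C1B (WAN 172.16.0.102, LAN 192.168.1.0/24) and the DHCP pool boundaries are assumed for illustration.

```python
"""Sanity-check the static addressing of the "C" routers in this layout.

Added example, not from the original write-up.  Router "A" and C1A use the
addresses given on this page; C1B (WAN 172.16.0.102, LAN 192.168.1.0/24)
and the DHCP pool boundaries are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

A_LAN = ipaddress.ip_network("172.16.0.0/16")   # LAN side of router "A"
A_LAN_IP = ipaddress.ip_address("172.16.0.1")    # the "C" routers' gateway


@dataclass(frozen=True)
class CRouter:
    name: str
    wan_ip: str       # static address on A's LAN segment
    gateway: str      # must be A's LAN-side address
    lan_net: str      # LAN subnet in CIDR form, e.g. 192.168.0.0/24
    lan_ip: str       # the router's own LAN-side address
    dhcp_start: str   # first address the DHCP server may hand out
    dhcp_end: str     # last address the DHCP server may hand out


def usable(addr, net) -> bool:
    """True if addr is an assignable host address in net (neither the
    network address nor the broadcast address)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def check_router(r: CRouter, peers: List[CRouter]) -> List[str]:
    """Return the configuration problems found for one "C" router (empty = OK)."""
    problems = []
    wan = ipaddress.ip_address(r.wan_ip)
    gw = ipaddress.ip_address(r.gateway)
    lan = ipaddress.ip_network(r.lan_net)
    lan_ip = ipaddress.ip_address(r.lan_ip)
    start = ipaddress.ip_address(r.dhcp_start)
    end = ipaddress.ip_address(r.dhcp_end)

    if not usable(wan, A_LAN):
        problems.append(f"{r.name}: WAN address {wan} is not a host address in {A_LAN}")
    if gw != A_LAN_IP:
        problems.append(f"{r.name}: gateway {gw} is not A's LAN address {A_LAN_IP}")
    if not lan.is_private:
        problems.append(f"{r.name}: LAN {lan} is not an RFC 1918 private range")
    if lan.overlaps(A_LAN):
        problems.append(f"{r.name}: LAN {lan} overlaps A's LAN {A_LAN}")
    if not usable(lan_ip, lan):
        problems.append(f"{r.name}: LAN address {lan_ip} is not a host address in {lan}")
    for label, addr in (("DHCP pool start", start), ("DHCP pool end", end)):
        if not usable(addr, lan):
            problems.append(f"{r.name}: {label} {addr} is not assignable in {lan}")
    if start > end:
        problems.append(f"{r.name}: DHCP pool start {start} is after pool end {end}")
    elif start <= lan_ip <= end:
        problems.append(f"{r.name}: DHCP pool {start}-{end} includes the router's own {lan_ip}")
    for p in peers:   # every "C" router needs its own WAN address and its own LAN subnet
        if p.name == r.name:
            continue
        if ipaddress.ip_address(p.wan_ip) == wan:
            problems.append(f"{r.name}: WAN address {wan} collides with {p.name}")
        if ipaddress.ip_network(p.lan_net).overlaps(lan):
            problems.append(f"{r.name}: LAN {lan} overlaps {p.name}'s LAN {p.lan_net}")
    return problems


def check_all(routers: List[CRouter]) -> dict:
    """Check every router against the others; maps router name -> problem list."""
    return {r.name: check_router(r, routers) for r in routers}


# C1A with the pool start exactly as listed on the page (192.168.0.255 is the
# broadcast address of 192.168.0.0/24); the pool end is assumed.
C1A_AS_LISTED = CRouter("C1A", "172.16.0.101", "172.16.0.1", "192.168.0.0/24",
                        "192.168.0.1", "192.168.0.255", "192.168.0.254")
# Corrected C1A and an assumed C1B (pool boundaries assumed).
C1A = CRouter("C1A", "172.16.0.101", "172.16.0.1", "192.168.0.0/24",
              "192.168.0.1", "192.168.0.100", "192.168.0.254")
C1B = CRouter("C1B", "172.16.0.102", "172.16.0.1", "192.168.1.0/24",
              "192.168.1.1", "192.168.1.100", "192.168.1.254")

if __name__ == "__main__":
    for name, problems in check_all([C1A_AS_LISTED, C1B]).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run as written, the checker flags C1A's pool start as unassignable and as lying after the pool end, and passes the corrected pair; add one CRouter per building and rerun whenever an address changes.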
Why it works:
Subnets are defined by devices whose IP addresses match for the width of the subnet mask. 255 in binary is eight bits turned on, so a subnet mask of 255.255.255.0 is 24 adjacent high-order bits (a /24). That leaves 8 bits for hosts, 256 addresses, of which the first (the network address) and the last (the broadcast address) are not assignable, so you can have up to 254 devices behind each "C" router. The high-order part differs from one "C" router to the next because each uses a different number in the 3rd octet: C1A has 0 as the 3rd octet (192.168.0.x) where C1B has 1 (192.168.1.x), etc.
The pools 192.168.0.0/16 (192.168.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 10.0.0.0/8 (10.x.x.x, not used here) are reserved private address ranges (RFC 1918). They are not routed on the public Internet, which is why they sit behind NAT (Network Address Translation). A NAT router forwards connections that a device on its LAN side originates toward its WAN side and remembers each one; it has no state for a connection that arrives unsolicited on its WAN side, so it drops such packets instead of delivering them into its LAN. That is what isolates the "C" subnets from each other: a device in C1A's pool 192.168.0.x that sends to a device in C1B's pool 192.168.1.x hands the packet to C1A, which forwards it toward "A", but nothing on A's LAN segment owns 192.168.1.0/24, and C1B would not accept it into its LAN anyway (as long as you keep the mask at 255.255.255.0 and give every "C" router a different 3rd octet, so no two LANs overlap). Note the limit of this isolation: every "C" subnet can reach anything on A's LAN segment, 172.16.x.x, including "A" itself and the WAN-side addresses of the other "C" routers. Disable WAN-side administration on the "C" routers and on "A", or a student can reach the staff router's management login.
A NAT router substitutes its own WAN-side IP address (and normally a fresh source port) into a request originated by a device on its LAN side and keeps track of the socket (the connection). It passes the request upstream towards the Internet. In the configuration diagrammed this happens twice: once in the "C" series router, and once in the "A" router. When the remote host sends the response back, it arrives at "A" on that socket; "A" substitutes the address of the "C" router and delivers it to the "C" router, which accepts it and substitutes the IP address of the original requesting device.
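The following model is an added example, not code from the original write-up, that carries packets through the two NAT hops just described and shows what they let through: a staff request to the Internet and its reply, an unsolicited packet from the Internet, a student host trying to reach a staff host, and a student host reaching the staff router's WAN side. "A" and C1A use this page's addresses; A's public address 198.51.100.7, C1B (WAN 172.16.0.102, LAN 192.168.1.0/24), the end hosts and the Internet host 203.0.113.10 are constructed from documentation address ranges.

```python
"""Model of the double NAT in this layout and the isolation it produces.

Added example, not from the original write-up.  Router "A" and C1A use the
page's addresses; A's public address 198.51.100.7, C1B (WAN 172.16.0.102,
LAN 192.168.1.0/24), the end hosts and the Internet host 203.0.113.10 are
constructed for illustration from documentation address ranges.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Packet = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatRouter:
    """Port-overloading NAT: rewrites an outbound source to the WAN address
    and a WAN port, remembers the mapping, and lets a packet back in only
    if it answers a remembered mapping."""

    def __init__(self, name: str, wan_ip: str, lan_net: str):
        self.name = name
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.table: Dict[Packet, int] = {}    # original 4-tuple -> WAN port
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate (or reuse) a WAN port and rewrite the source."""
        if pkt not in self.table:
            self.table[pkt] = self.next_port
            self.next_port += 1
        _, _, dst, dport = pkt
        return (self.wan_ip, self.table[pkt], dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: rewrite the destination back to the original host if the
        packet answers a remembered flow; otherwise there is no state: drop."""
        src, sport, dst, dport = pkt
        for (osrc, osport, odst, odport), wport in self.table.items():
            if (dst, dport, src, sport) == (self.wan_ip, wport, odst, odport):
                return (src, sport, osrc, osport)
        return None


A = NatRouter("A", "198.51.100.7", "172.16.0.0/16")      # public address assumed
C1A = NatRouter("C1A", "172.16.0.101", "192.168.0.0/24")  # faculty/staff
C1B = NatRouter("C1B", "172.16.0.102", "192.168.1.0/24")  # students (assumed)
C_ROUTERS = [C1A, C1B]


def locate(ip: str) -> Optional[NatRouter]:
    """The segment that owns an address: a C router's LAN, A's LAN (A's own
    public address counts as A), or None for the public Internet."""
    addr = ipaddress.ip_address(ip)
    for c in C_ROUTERS:
        if addr in c.lan_net:
            return c
    if addr in A.lan_net or ip == A.wan_ip:
        return A
    return None


def deliver(pkt: Packet) -> Optional[Packet]:
    """Carry one packet from its source to its destination, applying NAT at
    each router crossed.  Returns the packet as the final recipient sees it,
    or None if a router drops it for lack of state."""
    src_seg, dst_seg = locate(pkt[0]), locate(pkt[2])
    if src_seg is dst_seg:
        return pkt                        # same subnet: switched, no router involved
    if src_seg in C_ROUTERS:              # leaving a C subnet: first NAT, arrive on A's LAN
        pkt = src_seg.outbound(pkt)
    elif src_seg is None:                 # arriving from the Internet: A needs state
        pkt = A.inbound(pkt)
        if pkt is None:
            return None
        dst_seg = locate(pkt[2])          # the rewritten destination is on A's LAN
    # the packet is now on A's LAN segment (172.16.0.0/16)
    if dst_seg is None:
        return A.outbound(pkt)            # bound for the Internet: second NAT at A
    for c in C_ROUTERS:
        if pkt[2] == c.wan_ip:            # addressed to a C router's WAN side
            # a reply to a remembered flow goes into that LAN; anything else
            # terminates on the C router itself (e.g. its management interface)
            return c.inbound(pkt) or pkt
    if dst_seg in C_ROUTERS:
        return None                       # host behind another C router: nothing on A's LAN owns it
    return pkt                            # an ordinary host on A's LAN segment


if __name__ == "__main__":
    print("staff -> Internet:", deliver(("192.168.0.20", 51000, "203.0.113.10", 443)))
    print("Internet reply  :", deliver(("203.0.113.10", 443, A.wan_ip, 40000)))
    print("unsolicited     :", deliver(("203.0.113.10", 12345, A.wan_ip, 22)))
    print("student -> staff:", deliver(("192.168.1.30", 52000, "192.168.0.20", 445)))
    print("student -> C1A  :", deliver(("192.168.1.30", 52001, "172.16.0.101", 80)))
```

The last case is the one to keep in mind: the student host cannot reach 192.168.0.20 behind C1A, but it does reach C1A's WAN address 172.16.0.101, so whatever C1A exposes on its WAN side (remote administration, for instance) is exposed to students.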
What this does NOT do is provide a local file server and/or domain controller for authentication and/or shared resources such as printers that all groups can use: a server plugged into C1A's LAN is invisible to C1B's users, and vice versa. One way to share such servers is to obtain a pool of IP addresses from your ISP, replace "A" with a switch, and hang the file server, domain controller and printers off it with static addresses from that pool; all devices attached to "A" (other than the "B" switches) would then have static IP addresses, and the "C" routers would each need a WAN-side address in the same ISP pool as well. Access to disk drives and printers would be managed via Windows authentication etc. Be aware of what that trades away: every device on the ISP-addressed segment, servers and "C" routers alike, is then directly reachable from the Internet and needs its own firewall and patching. An alternative that keeps "A" as a NAT router is to attach the servers to A's LAN side with static 172.16.x.x addresses; every "C" subnet can reach that segment, students included, so the servers' own authentication and host firewalls must decide who may use them.