This is the third in a series of posts about downgrading from a Windows domain-based network structure to a workgroup-based one. The series starts here.
Sorry I haven’t posted about this in a while. I’ve been busy.
I changed course, and decided to use VLANs: one for the Windows Domain, one for VoIP, and one for everything else (I’m calling that last one Public). I purchased and installed 9 Ubiquiti Unifi Ethernet switches, and 9 Unifi wireless access points. I also got a Unifi Gateway, and the Unifi Controller to manage it all. The controller is a PoE-powered stick that needs layer 2 connectivity to everything else. I just plugged it into one of the PoE switch ports. For now, I’m using non-Unifi WAPs for WiFi access for devices on the Windows domain. I should be able to have another SSID for that on the Unifi WAPs, but I haven’t been able to get the VLAN assignments to work.
The Unifi controller has a nice network topology display. It would be nicer if it figured out the topology correctly all the time, but it’s wrong more often than it’s right. Here’s what the layer 2 network looks like when the planets align:
Not shown are a bunch of non-Ubiquiti WAPs. I’ll get to how they’re used. There are a couple of odd things about the above diagram. The link between Studio switch 2 and the Server room POE switch is listed as being 10 Mb/s. In fact, it is 1 Gb/s. Also, the port used on Studio switch 2 is missing.
The top-level switch in the above diagram is connected to the Unifi Gateway through two ports, and the gateway is connected to the SonicWall firewall. The top-level switch is also connected directly to another port on the firewall. The 250 Mb/s fiber internet service is operating, but not officially turned up, so I have configured the SonicWall to load-share between the old 50 Mb/s service and the 250 Mb/s one.
Here’s what the controller dashboard looks like:
Note that the ISP load maxes out at 30M. In the controller setup screen you can enter your nominal ISP maximum rate in megabits/sec. When I entered 250, I found that the indicator in the dashboard hardly budged. That’s because the averaging time is so long — I figure it’s about 5 minutes.
Now let’s talk about layer 3 networking. Before, I had a flat network of 10.10.24.0/24, with Windows domain controllers acting as DHCP servers. With a /24 network, I didn’t have enough address space to have DHCP server redundancy via split scopes, so I was just running one. I added a second network: 10.0.0.0/20, and assigned it to the Public VLAN. I put all the Unifi WAPs on that VLAN, and left the other WAPs on the Windows domain VLAN. I configured a DHCP server on the gateway with a scope of 10.0.0.0/24. Thus all the WiFi clients on the Unifi WAPs will get IP addresses of 10.0.0.xxx, and, since there’s no route to the Windows domain subnet, they will be blocked from accessing anything except each other and the Internet. I plan to put another router on that VLAN, not use it for routing, but turn up a DHCP server on it and let it serve a scope of 10.0.1.0/24. That will give me DHCP server redundancy. The gateway will still be a single point of failure, and, at present, I see no way around that, since Ubiquiti only supports one gateway per site. I don’t know what I’m going to do with the other 14 /24 subnets in 10.0.0.0/20, but I figure it doesn’t cost anything to have the option of adding some of them.
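The address plan above is easy to get subtly wrong when scopes are added by hand, so here is an added sanity check (my own example, not code from the post or from Ubiquiti) that takes the Public supernet, the DHCP scopes and the Windows domain subnet, confirms that every scope sits inside the supernet, that no two scopes overlap each other or the domain subnet, lists the /24 blocks still unused, and tells you which DHCP scope a given client address came from. It assumes the planned 10.0.1.0/24 scope on the second router is already configured; the scope names are my own labels.

```python
import ipaddress

# Constructed to match the post's address plan: the Public VLAN supernet,
# the two DHCP scopes (the gateway's and the planned second router's, which
# this example treats as already configured), and the Windows domain subnet
# that Public clients must not be able to reach. Scope names are placeholders.
PUBLIC_SUPERNET = "10.0.0.0/20"
DHCP_SCOPES = {
    "gateway": "10.0.0.0/24",
    "second-router": "10.0.1.0/24",
}
DOMAIN_SUBNET = "10.10.24.0/24"


def check_scopes(supernet, scopes, domain_subnet):
    """Return a list of problems with the DHCP scope layout (empty means OK):
    a scope outside the supernet, a scope overlapping the domain subnet, or
    two scopes overlapping each other (which would hand out duplicate leases)."""
    supernet = ipaddress.ip_network(supernet)
    domain = ipaddress.ip_network(domain_subnet)
    nets = {name: ipaddress.ip_network(n) for name, n in scopes.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(supernet):
            problems.append(f"{name}: {net} is not inside {supernet}")
        if net.overlaps(domain):
            problems.append(f"{name}: {net} overlaps the domain subnet {domain}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} and {nets[b]}")
    return problems


def unused_subnets(supernet, scopes, prefixlen=24):
    """Return the /prefixlen blocks of the supernet that no scope touches,
    as strings, so you can see what is left for future VLANs or scopes."""
    supernet = ipaddress.ip_network(supernet)
    used = [ipaddress.ip_network(n) for n in scopes.values()]
    return [
        str(block)
        for block in supernet.subnets(new_prefix=prefixlen)
        if not any(block.overlaps(u) for u in used)
    ]


def scope_for(client_ip, scopes):
    """Name the DHCP scope that contains client_ip, or None if no scope does.
    Handy when troubleshooting which server handed a client its lease."""
    ip = ipaddress.ip_address(client_ip)
    for name, n in scopes.items():
        if ip in ipaddress.ip_network(n):
            return name
    return None


if __name__ == "__main__":
    for p in check_scopes(PUBLIC_SUPERNET, DHCP_SCOPES, DOMAIN_SUBNET):
        print("PROBLEM:", p)
    free = unused_subnets(PUBLIC_SUPERNET, DHCP_SCOPES)
    print(f"{len(free)} unused /24 blocks, first is {free[0]}")
    print("10.0.1.77 came from scope:", scope_for("10.0.1.77", DHCP_SCOPES))
```

With the post's values the check reports no problems and 14 unused /24 blocks, matching the count in the text; a second scope that overlaps the first (say a /25 carved out of 10.0.0.0/24) is flagged before it reaches a live DHCP server.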
The Windows domain computers can’t see the DHCP server on the gateway, so they get their IP addresses from one of the Windows domain controllers. Over time, I will move computers off the Windows domain subnet, probably to another private subnet on a private VLAN.
One question I had was how the increased transfer rate would affect the CPU utilization in the SonicWall 3600. Another was whether Backblaze could fully support the higher rate. This SonicWall graph during a GoodSync backup to Backblaze shows that I don’t appear to have problems on either front: