Question about combining two networks via a VPN

The Cobra

2[H]4U
Joined
Jun 19, 2003
Messages
3,175
This will be a post, but with lots of stuff and questions if the [H] community can jump in.

I recently took a job at a private school in St. Pete, FL as their IT person as a favor for a friend. I have always worked by myself for the most part, except for the typical IT vendors and such. I have my MCSE in 2012R2 and stopped there because my teaching duties took over more than my actual IT duties. I had AD set up with Exchange/Office 365 over the last 15 years. One of the schools I worked at had two locations that were connected via a WatchGuard firewall, and both networks could see each other no issue. People just wanted their files and such.

Fast-forward 10 years, we decided to pick up and move to St. Pete from Annapolis, MD to help my friend out, where he is now head of school and I became his IT director. The last IT person was strictly a teacher who didn't know anything about networking (my weak area). I got the school a Microsoft Educational license to bring them into compliance as far as licensing goes. They had illegal copies of Office and a ton of machines that said "Windows needs to be activated". I also migrated them to a new AD domain on Server 2019 (they were running Server 2003 R2) with AD Sync running for their Office accounts. We are keeping G Suite and I will sync that in the future. I got all the teacher laptops upgraded from Win 7 to Win 10 Education because of the A3 O365 license. So on that end, no more login or printing issues and also no security problems about people being able to access files. The physical network at the school is very nice... Cisco switches that are less than a year old with a five-year warranty. The internet connection is coax from Spectrum at 100/10: decent, but could be faster. My firewall is another story; that is a Cisco 5510, which is EOL. So that is getting replaced with a Sophos XG310. The other building is a nightmare....

The other building has a decent internet connection from Spectrum with a static IP at 50/10. It serves 30 iPads, 8 laptop/desktop computers and two wireless access points. I have decided to migrate to Sophos for wireless because they are now cloud based. As far as networking equipment, I will be using TP-Link PoE switches (2600 series) connected via fiber for QoS and other networking protocols. There will be 8 VoIP phones that will be handled by Frontier with a virtual trunk and will forward to our ancient PBX system at the main school and do internal calling, which we don't have right now. Frontier said that fiber "should" exist in my area, as the guy said there are customers in the area that already have it. If not, I have to bump up the Spectrum speeds on both ends. The firewall I decided to get for the smaller school is a Sophos XG 135 r2.

My question is the following: my internal network at the school is a simple/flat 192.168.4.0 (.1 gateway, .2-.50 blocked off for servers, printers and networking gear). DHCP has a superscope of 192.168.4.51-192.168.5.250 with a subnet mask of 255.255.254.0. When I set up the new network across the street, can I give it a 192.168.1.x with the same subnet? If my thinking is correct, the VPN will route traffic. I will stick a small domain controller in the small school to handle DNS and login drive mapping issues (I plan on running DFS as I had at another job with two physical locations connected via a VPN, so that the files can replicate).

Am I mental for thinking this, or am I correct in my thinking? Windows used to have issues with VPN in earlier years if there wasn't a NAT on the network to translate, and you needed a repeater. But with DNS working properly, I should have no issues at all. No?

I really need to keep this as simple as possible because I don't want to have to really tinker with anything because of my other duties at the school.

Thx for reading my long winded post. And I look forward to your answers.
 
I used to work in K-12 and helped hundreds of network engineers and IT directors with limited knowledge integrate solutions.

Important note: Kids are little turds when it comes to school networks. Absolutely, positively, 125% you need to have your servers and critical infrastructure on separate VLANs in a predictable, scalable measure. No ifs, ands, or buts. Still with me? If you cut corners here you are going to create a lot of work for yourself. Trust me.

Make your IP networking easy to understand just by seeing the IP addresses. What I mean by that is identify your locations based on networks. For example:
  • School 1: 172.16.0.0/16
    • What this tells you is that any IP address that starts with 172.16.x.x will always be in School 1
    • Network infrastructure goes on 172.16.1.0/24 (VLAN161)
    • Servers go on 172.16.2.0/24 (VLAN162)
    • Access points go on 172.16.3.0/24 (VLAN163 and so forth...)
    • Student devices go on 172.16.4.0/23 (giving you 510 possible endpoints on VLAN)
    • Teacher devices go on 172.16.6.0/23
    • IP cameras go on 172.16.8.0/24
    • IP Phones go on 172.16.9.0/23
    • etc. etc.
  • School 2: 172.17.0.0/16
    • Same as above but replace the second octet with a 17 instead of a 16
  • The TP-LINK 2600 switch looks like a L2 switch only. Create all the VLANs on this switch, and configure a tagged interface between the switch and your firewall
    • Create subinterfaces with an IP address on your Sophos firewall for each respective VLAN
    • All traffic in order to route between VLANs will now need to be routed through your firewall, giving you visibility
  • You can completely block students from accessing internal infrastructure and messing with stuff, only permit necessary domain services like DNS
  • Block outbound traffic from student machines to external DNS servers, VPNs, etc. without affecting your other network devices
  • Configure DHCP relay on your network switch - https://www.tp-link.com/ae/support/faq/1630/
If I understood you correctly, your other school doesn't have a private fiber connection back to School 1, so you're completely reliant on an IPsec VPN to connect the sites: https://community.sophos.com/kb/en-us/123140. Follow that guide to configure it. Remember that when traffic comes across the wire in IPsec and its destination is an endpoint on the remote side, the traffic is decrypted by the firewall, so the source IP address will be the private IP on the other (source) side (Teacher Smith at School 2 from 172.17.6.23 trying to reach Server B at 172.16.2.18 at School 1).

I know this is a lot to take in, but hopefully enough to get you started. I really cannot encourage you enough to separate your students from the rest of your infrastructure. There are a plenty of students that are incredibly clever with tampering with school networks to circumvent web filters and other preventative measures designed to keep your school and administrative staff safe from MAJOR community backlash and publicity (side note: if you're a public school, you get federal funding with mandates that requires certain levels of internet protection such as gambling and pornography). Plenty of these kids know more than you, I can guarantee it - and that's not a dig on you... they just have an incredible amount of free time.

Edit: NVM, just reread your post... you are at a private school. So a lot of the federal/legal requirements don't apply I don't believe.
 
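As an added worked example (not code from the thread), here is the plan above expressed in Python together with the checks you would run before touching a switch: that every prefix sits on its boundary, that nothing overlaps, which hop (switch only, firewall, or IPsec tunnel) a given source/destination pair takes, and whether the firewall's inter-VLAN policy would pass it. The School 2 VLAN numbers, the student/teacher policy and the sample addresses are assumptions. One thing the check catches in the plan as written: 172.16.9.0/23 is not on a /23 boundary (the host bits are set, and Python's ipaddress refuses it), so the example puts phones on 172.16.10.0/23 instead.

```python
"""
Two-site address plan from the post, with the checks a practitioner would run on it.
Added example, not from the thread: VLAN numbering for School 2, the student/teacher
policy and the sample flows are assumptions. One change from the post as written:
172.16.9.0/23 is not a valid /23 (host bits set), so phones go on 172.16.10.0/23 here.
"""
import ipaddress
from dataclasses import dataclass

# One /16 per site; the second octet alone tells you the site.
SITES = {"school1": ipaddress.ip_network("172.16.0.0/16"),
         "school2": ipaddress.ip_network("172.17.0.0/16")}

# role -> (third octet, prefix length); same layout at every site.
ROLES = {
    "infra":    (1, 24),
    "servers":  (2, 24),
    "aps":      (3, 24),
    "students": (4, 23),   # 510 hosts
    "teachers": (6, 23),
    "cameras":  (8, 24),
    "phones":   (10, 23),  # post said 9.0/23, which is not on a /23 boundary
}

# Inter-VLAN policy enforced on the firewall (assumed). Entries are
# (dst role, proto, port); "any"/0 are wildcards. Roles not listed get nothing.
POLICY = {
    "students": {("servers", "udp", 53), ("servers", "tcp", 53)},
    "teachers": {("servers", "any", 0), ("phones", "any", 0)},
    "servers":  {("any", "any", 0)},
    "infra":    {("any", "any", 0)},
}


@dataclass(frozen=True)
class Segment:
    site: str
    role: str
    network: ipaddress.IPv4Network
    vlan: int


def is_valid_network(cidr: str) -> bool:
    """ipaddress rejects prefixes with host bits set, e.g. 172.16.9.0/23."""
    try:
        ipaddress.ip_network(cidr)          # strict=True by default
        return True
    except ValueError:
        return False


def build_plan() -> list[Segment]:
    plan = []
    for site, block in SITES.items():
        second = block.network_address.packed[1]           # 16 or 17
        for role, (third, plen) in ROLES.items():
            net = ipaddress.ip_network(f"172.{second}.{third}.0/{plen}")
            # VLAN161 for 172.16.1.0/24 as in the post; the same rule gives School 2 VLAN171...
            plan.append(Segment(site, role, net, second * 10 + third))
    return plan


def overlaps(plan: list[Segment]) -> list[tuple]:
    """Any two segments that overlap; must be empty before you configure anything."""
    bad = []
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.network.overlaps(b.network):
                bad.append((str(a.network), str(b.network)))
    return bad


def lookup(ip: str, plan: list[Segment]):
    addr = ipaddress.ip_address(ip)
    return next((s for s in plan if addr in s.network), None)


def path(src: str, dst: str, plan: list[Segment]) -> str:
    """'local' = same VLAN, switch only; 'firewall' = inter-VLAN at one site;
    'ipsec' = through the site-to-site tunnel; 'unknown' = not in the plan."""
    s, d = lookup(src, plan), lookup(dst, plan)
    if s is None or d is None:
        return "unknown"
    if s.network == d.network:
        return "local"
    return "firewall" if s.site == d.site else "ipsec"


def allowed(src: str, dst: str, proto: str, port: int, plan: list[Segment]) -> bool:
    """Would the firewall pass this? Same-VLAN traffic never reaches it."""
    kind = path(src, dst, plan)
    if kind == "unknown":
        return False
    if kind == "local":
        return True
    s, d = lookup(src, plan), lookup(dst, plan)
    wanted = {(d.role, proto, port), (d.role, "any", 0), ("any", "any", 0)}
    return bool(POLICY.get(s.role, set()) & wanted)


if __name__ == "__main__":
    plan = build_plan()
    assert not overlaps(plan)
    for seg in plan:
        print(f"{seg.site:8} VLAN{seg.vlan:<4} {seg.role:9} {seg.network}")
    print(path("172.17.6.23", "172.16.2.18", plan))   # ipsec: the post's own example
```

The "local" case is the one people forget when they plan firewall rules: two students on the same /23 never touch the firewall, so anything you want enforced between them has to be done on the switch (private VLANs, port isolation) or on the endpoint.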
Awesome answer, thank you very much for your help and input. It's going to be a complete rework, but def worth it.
 
Creating VLANs and 802.1q tagged interfaces: https://www.tp-link.com/us/support/faq/788/

Just remember - interfaces that connect to devices that need to be aware of VLANs on that switch will need to be tagged. Frames are tagged with an 802.1Q header as they egress the switch, not on ingress. This way any upstream devices know from which VLAN the frame is sourced.
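To make the egress-tagging point concrete, here is an added example (not from the thread) that builds frames the way a trunk port emits them and parses them the way the firewall's subinterface reads them: a 4-byte 802.1Q tag per VLAN after the two MAC addresses, outer tag first. The MAC addresses, VLAN IDs and payloads are made up.

```python
"""
802.1Q tag handling on a trunk, as an added example (not from the thread).
The frames below are constructed in code; MAC addresses and VLAN IDs are made up.
"""
import struct

TPID_8021Q = 0x8100    # customer tag
TPID_8021AD = 0x88A8   # service tag (QinQ); a second 0x8100 is also common


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, vids: list[int], ethertype: int, payload: bytes) -> bytes:
    """What a trunk port emits on egress: each VID becomes a 4-byte tag after the MACs,
    outer tag first. An empty vids list gives a plain (untagged) frame."""
    hdr = _mac(dst) + _mac(src)
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack the way the receiving firewall/switch does."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vlans, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlans": vlans,
        "ethertype": etype,
        "payload": frame[off + 2:],
    }


def vlan_of(frame: bytes, native_vid: int) -> int:
    """VLAN the upstream port assigns: outer tag if present, else the port's native VLAN.
    That untagged->native rule is why the native VLAN on a trunk should be an unused one."""
    vlans = parse_frame(frame)["vlans"]
    return vlans[0]["vid"] if vlans else native_vid


def is_double_tagged(frame: bytes) -> bool:
    """Two stacked tags. A switch that strips an outer tag matching its native VLAN
    forwards the inner one untouched, so a frame like this arriving on an access port
    is something to look for rather than something to expect."""
    return len(parse_frame(frame)["vlans"]) >= 2


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [162], 0x0806, b"\x00" * 28)
    print(parse_frame(f)["vlans"])   # one tag, vid 162
```

The practical takeaway for the TP-Link uplink: the port facing the Sophos is tagged for every VLAN, each firewall subinterface matches one VID, and whatever you leave as the native (untagged) VLAN on that trunk should not be a VLAN anything important lives in.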
 
One of the things I have discovered is that in 2017, the students were doing some online trading with actual currency and bitcoin!!! They installed Cisco Umbrella to fix that. Our policy runs out in December. I am debating on whether to renew or not. I know that Sophos has its own service that is part of their support plan.

I did find out today that Fios is available in our area up to 500/500 and it is already wired to each building's demarc. A tech needs to come out and see where it can be pulled to. I may just have to have the fiber in the current demarc and just run it from there.

This campus has just been added onto so there are 6 differing closets with networking gear in it.
 
So when you say across the street, do you literally mean on the other side of the road? If that's the case, then I'd strongly consider getting a Layer 2 point-to-point connection going between the two buildings (wireless APs on top of each building). There's basically no point in setting up a VPN and having two ISPs if the buildings are that close in proximity. You'll be much happier when you can just manage everything from one network. (Later on, if you're still there, you would definitely want to pay someone to get fiber run between them, but a PTP is something you can likely contract out and have something in place fairly quickly.)

As for Cisco Umbrella, if it's set up, configured and working, it's likely worth it to keep it in place for the time being. That said, Umbrella is only DNS filtering, so anyone who can figure out how to put an IP in instead of a hostname can bypass it. So it's basically just one layer of security, and you'll definitely need a firewall to complement it regardless. Keep in mind that you probably also have an external website that uses your domain name, so there are likely other external DNS services configured in Umbrella as well. So trying to move DNS to your Sophos would probably require you to figure out where you're going to host external DNS services.

I will completely back up Cmustang87 in saying that you're talking about smart kids with absolutely nothing better to do. They will spend time figuring out things that are broken in the network. They may not exploit them, but they can find them nonetheless. Getting the network segmented will be a key step in getting in the right direction. The other point is if you're using Umbrella, you should be able to block all devices in the network from using any external DNS other than Umbrella. There really shouldn't be a need for anything to use anything else, and then you know that everything is being funneled through your filtering. You basically want to treat teachers almost the same as students, as they can do just as much harm if not more. They will leave their devices unlocked and sitting in the room, ripe for students to take advantage of.

Side note: If you have the A3 plan for Office, I'm going to guess you should have Azure AD Premium P1 included in your licensing. If you do, then you'll really want to look at Azure's SSO application. You can actually use Azure to auto provision G Suite accounts, so rather than setting up the Google Sync client you can let Azure do the heavy lifting.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-provisioning-tutorial

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

I personally haven't done a setup of that, but just happen to know that it should be possible. I think it sounds like you already have the AAD sync connector setup, so switching G suite to use SSO through Azure might be the easier long term solution.
 

Find out if you can run a L2 fiber link between the two buildings and not do VPN at all. A wireless point to point is another option as bman212121 stated.

I also recommend renewing and keeping Cisco Umbrella. Do you have the VA (virtual appliance) on site? If not, I'd recommend doing so! If so, another tip of the hat: basically block outbound DNS queries unless they are sourced from the Umbrella VA. Then also set up a NAT rule that will automatically translate NAT requests to your public DNS server of choice in the off event that somehow something does leak.

https://support.umbrella.com/hc/en-...e-VA-communicates-with-Umbrella-and-local-DNS
 
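The "nothing but the VA talks to port 53, and anything that leaks gets translated" pattern from the last two replies, written out as an ordered rule set and run over a few constructed flows. This is an added example, not code from the thread, Cisco or Sophos; the VA address (172.16.2.53 in the server VLAN), the internal range (172.16.0.0/12, which covers both sites' /16s), the upstream resolver list and the external addresses (documentation ranges) are all assumptions. The 853/tcp rule goes one step past the posts: DNS-over-TLS can at least be stopped by port, but DNS-over-HTTPS looks like ordinary 443 and sails through, which is exactly why the post says the firewall still has to complement Umbrella.

```python
"""
Egress rules for "only the Umbrella VA may resolve", as an added example (not from the
thread, Cisco or Sophos). Addresses are assumptions: VA at 172.16.2.53, internal space
172.16.0.0/12, upstream resolvers as listed, external hosts from documentation ranges.
Rules are evaluated top down, first match wins.
"""
import ipaddress
from typing import NamedTuple, Optional

IP = ipaddress.ip_address
UMBRELLA_VA = IP("172.16.2.53")
INTERNAL = ipaddress.ip_network("172.16.0.0/12")           # covers 172.16.x and 172.17.x
UPSTREAM = {IP("208.67.222.222"), IP("208.67.220.220")}     # assumed VA forwarders


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(IP(src), IP(dst), proto, dport)


def is_dns(f: Flow) -> bool:
    return f.dport == 53 and f.proto in ("udp", "tcp")


# (name, predicate, action, dnat target). Order matters.
RULES = [
    # 1. the VA is the only host allowed to talk to port 53 on its own behalf
    #    (to the Umbrella resolvers, and to the internal AD DNS for local zones)
    ("va-dns",        lambda f: f.src == UMBRELLA_VA and is_dns(f),                        "allow", None),
    # 2. everything inside may ask the VA
    ("lan-to-va",     lambda f: f.src in INTERNAL and is_dns(f) and f.dst == UMBRELLA_VA,   "allow", None),
    # 3. any other DNS from inside, whatever the target, is NATed to the VA
    #    (the post's "translate ... in the off event that something does leak")
    ("dnat-dns",      lambda f: f.src in INTERNAL and is_dns(f),                           "dnat",  UMBRELLA_VA),
    # 4. DNS-over-TLS on 853 is blockable by port; DoH on 443 is not (assumed extension)
    ("deny-dot",      lambda f: f.src in INTERNAL and f.proto == "tcp" and f.dport == 853, "deny",  None),
    ("default-allow", lambda f: True,                                                      "allow", None),
]


def evaluate(f: Flow) -> tuple[str, str, Flow]:
    """Return (rule name, allow|deny, flow as forwarded). DNAT rewrites the destination."""
    for name, match, action, target in RULES:
        if match(f):
            if action == "dnat":
                return name, "allow", f._replace(dst=target)
            return name, action, f
    return "implicit-deny", "deny", f


def resolver_reached(src: str, dst: str, proto: str = "udp") -> Optional[str]:
    """Which resolver actually receives a query the client sent to dst, or None if dropped."""
    _name, verdict, fwd = evaluate(flow(src, dst, proto, 53))
    return str(fwd.dst) if verdict == "allow" else None


if __name__ == "__main__":
    for f in (flow("172.16.4.10", "8.8.8.8", "udp", 53),          # student pointing at Google
              flow("172.16.2.53", "208.67.222.222", "udp", 53),   # VA doing its job
              flow("172.16.4.10", "198.51.100.5", "tcp", 853),    # DoT attempt: dropped
              flow("172.16.4.10", "203.0.113.10", "tcp", 443)):   # DoH looks like HTTPS: passes
        print(f, "->", evaluate(f)[:2])
```

Two things to keep straight when you build this on the XG: the DNAT rule has to sit below the two explicit allows (otherwise the VA's own upstream queries get looped back to itself), and the AD domain controllers' forwarders should point at the VA, so that the DC never needs a direct path to the internet on 53 and nothing on the LAN has a reason to be an exception.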
All good stuff, thx for the replies. When I say literally across the street, it is across the street. They have tried to go down the city path of just digging up the road and sticking a fiber line between the two buildings. That was going to cost $45k with a 120-180 day waiting period from the city of St. Pete... you know, bureaucracy. So that was a no. Then I went and thought about wireless... they had tried that before. This part of St. Pete is known to get pop-up T-storms frequently and it will kill the connection. It had been done previously and the HOS was an adamant NO on that solution. I looked into microwave in each direction... the parents are kinda weird... they are worrying about nuking their child with that much "radiation"... so again, no.

Spectrum Enterprise (their version of fiber) would cost $24k with a wait of 90-120 days... again, not feasible. The only two solutions at this point are a point-to-point VPN over coax or Fios fiber crossing the web via IPsec. I am going to stick to the IP schema that Mustang proposed. But I will have to do that slowly. Every device on this network has IP mappings that are mishmashed.

The problem is that over the summer they literally start camp the week after school lets out. There is a break July 4th week where the place is practically empty, but I have to work on the new building during that week. I will only have that one week to really put in all the new stuff, in addition to updating our student database for the 19/20 school year. Oh, and also set up 150 Chromebooks for students as well. Thank goodness no Windows laptops for the kids. I think the workaround for the kids is to keep them on Cisco Umbrella and make a VLAN on the old wireless network that will segment them from the main network until I can completely rejig the IP schema over Thanksgiving, since we are closed all week, and over Xmas as well. The rest of the network will be open for staff members to do normal stuff and doesn't need to be on Cisco Umbrella. Also, we have pretty much eliminated VPN traffic internally for school-owned machines and the students who still use the BYOD thing.
 
$45K to cross the street? Guessing they were planning on ripping up the parking lot on both sides and putting in conduit or something. I definitely get the bureaucracy thing, but I bet if you actually look at the pole, chances are good that both of your coax connections from Spectrum come off the same pole. So someone from Spectrum already made a path between both buildings, and it likely didn't cost $45K. I'd probably get a second opinion on that cost, but either way it sounds like if it were half that it would still cost too much.
 
I would suggest still keeping Umbrella even on teacher devices. With the Umbrella VA on premises you can do user based policies when you integrate with AD rather than relying on a separate external IP (NAT policy) to determine the policies. The latter being another reason to get teachers and students on different networks!
 