using 5 WAN static IP addresses simultaneously

NoodleTech

My friend has verizon business fios at his coffee shop with 5 static IP addresses.

He uses the internet connection for customer wi-fi access, his point of sale system, and his DVR.

Currently he is using the Verizon-provided Actiontec MI424WR router which has a bunch of issues.. He is also using a Pepwave Officepoint 400 access point with a captive portal set up for customer logins. The captive portal redirects the user to the Pepwave website, so the user must authenticate over the internet, but sometimes this page does not appear for some users because apparently there is no internet access. I think the Actiontec router is the source of the problems because he had the same no internet access problem with his old Linksys WAP54G access point. So he wants to replace the Verizon router with his SonicWall TZ 190.

There are 8 LAN switch ports on the TZ 190. I was thinking he should assign 1 of the 5 static WAN IP's to one of the LAN ports which would be connected to a switch. The POS machines would be connected to that switch. Then he would assign the 2nd of 5 static IP's to another LAN port which would connect to the wireless access point for customer access. This one would have DHCP enabled to assign IP addresses to wi-fi users. The 3rd of 5 static IP's would be assigned to another LAN port for the DVR machine. I would also set up PortShield interfaces for each of those 3 LAN's so that there would be a SPI firewall between them. I also plan to put each of those networks on different subnets (i.e. 10.0.0.x for POS, 192.168.0.x for wi-fi, and 192.168.2.x for the DVR). Is this possible with the TZ 190 and would this essentially create 3 physically separate networks and be in compliance with PCI standards?

Is there a better way to set this up for him?

Thanks in advance.
 
Why do all that when you can do it with 1 outside IP? I'm not a SonicWall guy, just don't care for them.

However, set up the inside network for his POS system, then set up a DMZ port for the customer AP.
 
I've been told using multiple IPs virtually creates multiple physical networks which isolates the POS from the customers. The best option would be to get a separate DSL line for his POS systems, but he doesn't want to do that.
 
I don't see why using a different external IP 'isolates' anything. The external situation is separated from the internal situation by the SonicWall and your configuration there is what will determine what is isolated from what.

Seems like a heck of a lot of costly hardware for a coffee shop. I would personally have done this with a $100 HP 1700-8g switch and $225 ALIX pfSense router with a WiFi card. Maybe a few good APs instead if you have a large area to cover.

Your basic thinking seems sound, but I'm not a SonicWall guy either. If you can separate the broadcast domain of each switch port (i.e. create a VLAN, though I'm sure SonicWall has some other name for this - I guess this is 'PortShield'?), anyway. I don't see any reason you need multiple IPs here, but if you have them, you may as well use them. If they're all in the same broadcast domain and you're just using different subnets, you get no isolation out of that.
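The point made in the reply above is worth checking before anything is cabled up: the five public addresses do nothing for internal isolation, the firewall's inter-zone rules do. The following is an added example, not code from the thread, from SonicWall or from Pepwave. It models the three zones the original poster listed (10.0.0.0/24 POS, 192.168.0.0/24 guest wi-fi, 192.168.2.0/24 DVR) as a first-match rule list and audits it for the things that would break POS isolation. The port numbers (443 for the POS processor, 8000 for remote DVR viewing behind a DNAT on one public IP) and the rule names are assumptions for illustration.

```python
# Added example (not from the thread): a first-match model of the three-zone
# policy the original poster sketched, used to check that the firewall
# configuration, not the number of public IPs, is what isolates POS from guests.
# Zone subnets come from the thread; ports and the remote-DVR port are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# LAN zones as proposed in the thread; anything outside them counts as "wan".
ZONES = {
    "pos":   ipaddress.ip_network("10.0.0.0/24"),
    "guest": ipaddress.ip_network("192.168.0.0/24"),
    "dvr":   ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str                 # zone name, "wan", or "any"
    dst: str
    dport: Optional[int]     # None matches every destination port
    action: str              # "allow" or "deny"


# Intended policy: each zone reaches the Internet as needed, nothing crosses
# between zones, and only the DVR accepts inbound connections (assumed port
# 8000, reached through a DNAT on one of the public addresses).
POLICY: List[Rule] = [
    Rule("guest", "wan", None, "allow"),   # customers: Internet only
    Rule("pos",   "wan", 443,  "allow"),   # POS: TLS to its payment processor only
    Rule("dvr",   "wan", None, "allow"),
    Rule("wan",   "dvr", 8000, "allow"),   # owner's remote DVR viewing
    Rule("any",   "any", None, "deny"),    # default deny covers every inter-zone path
]


def zone_of(ip: str) -> str:
    """Map an address to its LAN zone, or "wan" if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def _matches(field: str, zone: str) -> bool:
    return field == "any" or field == zone


def evaluate(src_ip: str, dst_ip: str, dport: int,
             policy: List[Rule] = POLICY) -> str:
    """First-match evaluation, the way a stateful firewall walks its rule list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (_matches(rule.src, src) and _matches(rule.dst, dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"   # implicit default if the list has no catch-all


def audit(policy: List[Rule] = POLICY) -> List[str]:
    """Return findings that would break the isolation the thread is after."""
    findings = []
    names = list(ZONES)
    # Overlapping subnets would make routing and zone membership ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ZONES[a].overlaps(ZONES[b]):
                findings.append(f"subnets of {a} and {b} overlap")
    # No rule may allow traffic into the cardholder (POS) zone from elsewhere.
    for rule in policy:
        if rule.action == "allow" and rule.dst in ("pos", "any") and rule.src != "pos":
            findings.append(f"rule allows {rule.src} -> pos (dport={rule.dport})")
    # Without a terminal deny, unmatched traffic depends on platform defaults.
    if not policy or policy[-1] != Rule("any", "any", None, "deny"):
        findings.append("policy does not end in an explicit deny-all")
    return findings


if __name__ == "__main__":
    for src, dst, port in [("192.168.0.50", "10.0.0.5", 443),
                           ("10.0.0.5", "198.51.100.10", 443),
                           ("203.0.113.7", "192.168.2.10", 8000)]:
        print(f"{src} -> {dst}:{port}: {evaluate(src, dst, port)}")
    print("findings:", audit())
```

Run it and a guest client reaching for a POS host on 443 is denied while the POS host still reaches the Internet on 443; prepend a single `Rule("guest", "pos", None, "allow")` and `audit()` flags it. The same three checks (disjoint subnets, no allow into the POS zone from another zone, explicit deny-all at the end) are what to verify in whatever rule set the TZ 190 ends up with; the public IP each zone uses for NAT never enters into it.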
 
Thanks for clearing that up. I wasn't seeing how having 5 external IP's created internal isolation between POS and customers either.. I guess I was misinformed. Well, the old owner of the shop gave him the SonicWall so I'm just working with what he has, and the Pepwave is great! Hmm.. I'm not sure how to create 3 separate VLAN's on the SonicWall.

I'm not sure if PortShield is the name for it either. This is SonicWall's description of PortShield from the user manual: PortShield architecture enables you to configure some or all of the LAN switch ports on the TZ 180 and TZ 190 into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed switch ports that enjoy the protection of a dedicated, deep packet inspection firewall.
 
That does sound like it's on a separate VLAN to me. I would just set it up and make sure broadcast traffic doesn't make it between ports, but it sounds like they're isolated if you set that feature up. I'm not sure it's worth setting up a separate LAN just for the DVR either, though it depends what you need this box to do. Maybe if you have it exposed to the world for remote access that makes sense.

I have heard good things about those APs, never used them myself, but the price doesn't look too bad for what they do. You can't often go wrong by reusing existing hardware that's up to the task either!

You may also look into reconfiguring the Actiontec as a bridge if you haven't already done so.
 
Thanks a lot for the advice :)

I just read a review on the TZ 190 and PortShield is in fact SonicWall terminology for a VLAN. My friend remotely monitors the DVR from home.

I'm loving the Pepwave so far, but some users have been having problems getting to the login portal page and also getting any kind of internet connectivity whatsoever. I think it is the Actiontec's problem.

Would it be better to configure the Actiontec as a bridge or skip it altogether and connect an Ethernet cable straight from the FiOS ONT to the SonicWall?
 
Umm, not entirely sure what you want.. but if he's got FiOS business with 5 statics... and you wanna make things simple/secure... tell Verizon you'll use your own router and they will get rid of their router and just give you a single network line from their FiOS gear...

Then put a switch in, and then on that switch I'd put separate routers in:

Router #1 for his business network
Router #2 for the customers wifi... get a wireless router for like $50 on NewEgg for this.

Then he still has 3 static IP's he can use for whatever he wants... best way to do it, easiest way. Keeps his public wifi on a completely different network.

Verizon will let you do this but you have to tell them. Usually the tech who comes on site is part of a different group and isn't 100% sure on how to do all that, but they do need to get rid of their router. I did this for a client of mine a few weeks back. Tech put their router in and I told him "so I'm getting 5 statics so I can use my own router, right?" and he had to call in, verify it and then removed it... I ended up doing my own cable ends for him... one network end plugged into the FiOS gear (outside the building in their boxy thing) and the other end I put into a switch of my own and from there I have 5 lines coming off for my 5 static IP's and each line has a different router for different purposes (customer wifi, client #1's network, client #2's network, etc...)
 
Adam, that is exactly what I want.

What do you mean by a single network line from their FiOS gear? They ran ethernet from the ONT to the router, not coax, so can't I just plug the switch in after calling in and letting them know my plans?

For the switch, do I need a specific type or will a simple unmanaged one work?
 
A simple unmanaged switch will work just fine here. I would not worry about calling Verizon. You would only need to call them if they provisioned you with MoCA (the coax cable connection to the router).

Do this:
1. Plug your switch into the FiOS ONT's WAN port.
2. Plug your routers into the switch.
3. Configure each router with a different public IP.
 
Great! Thanks randyc.

Can you recommend me a solid router to stick in front of the access point and one to stick in front of the DVR? I'll use the SonicWall with the POS system.
 
I don't see any reason to use a bunch of separate routers when you have one that can handle VLANs properly like your SonicWall apparently can. It just makes things less neat, less manageable and introduces new points of failure. Not to mention all the extra hardware you'll have laying around to break.

So the Peplink captive portal needs to go out to the Internet?! Why?
 
The entire Pepwave management system is hosted online. I guess that's how they cut costs and eliminate the need for a costly AP controller.
 
I don't know if you'll need to tell them or not... not 100% sure...

The ONT, that's what I meant. Basically their ONT has a coax line going directly into their router (or in your case, a network line - it varies from location to location).. Open up the ONT outside the house/office, you'll find a network jack in there to connect to. (You already said there's a line going, so one less step for you to worry about, skip to the switch part)... Run your network line to this, then you can use any kind of switch (a cheap 5 port Linksys for $22 will do). Plug this into your switch. Now you can use your static IP's on whatever devices you plug into the switch. Be it a router, a computer (I do this for testing, I assign a few statics to whatever I need like a router for office, router for wireless, then I use one static on my laptop for testing purposes).

You MAY need to call them as they have assigned those statics to the MAC address/hardware (their router).

They should have NO PROBLEM at all updating your account to reflect that you are supplying your own router.
 
Curious. I knew dd-wrt's hotspot could optionally use an Internet service or separate internal radius and web servers, but had no idea anyone was actually selling this as part of a product.
 