Networking questions

I would like to have all my computers and devices relating to the A/V operation of a venue I installed readily and easily available to any management/operators (and myself) via wifi, yet at the same time have customer-accessible internet access.
I currently have good access for operators'/managers' iPads, VNC, etc. However, anyone that brings in a laptop and connects to the wifi can see all the machines, and if they were a disgruntled ex-employee, could wreak havoc from out in the alley! (This has happened.) We use VNC to manipulate video switching, zone audio levels, lighting scenes and music content, as well as the Ashly DSP having direct network access too.
Yes, I could implement a rigorous password-changing process, but that would make it very difficult to operate when it gets busy, and there's always that gap between when someone acquires a password and your next change.

The issue is the common internet service (Verizon business DSL with their crappy router-modem). I have the entire A/V system running on its own rackmount switch and can disconnect the network from the internet very easily (unplug and move to another router with no WAN connection). However, there is streaming content coming in to the A/V system, as well as my need to use LogMeIn for remote troubleshooting.

So to cut-to-the-chase, how do I have the A/V network totally inaccessible from the public network but both sharing the same internet connection?
 
Re: Networking questions

Stick a router between the AV network and the main network, and set DHCP on the AV router so it assigns IPs in a different subnet than that of the main network. Set up port forwarding on the new router to allow your LogMeIn to pass through to the destination and block all other ports. Give the AV network its own private wifi AP and hide its SSID, and if you need to, MAC-filter clients so only approved devices can connect.
 
Re: Networking questions

Also...depending on the switches and routers you use, you can create VLANs to segment the traffic. This is what we do to separate the "guest" network from the business network.

Good luck.
 
Re: Networking questions

Spent about 4 hours chasing Google searches down the rabbit hole of advanced networking. Any hardware recommendations to simplify this, and how do I translate your suggestions to the actual hardware GUIs in most devices? I've been using a bunch of dd-wrt-flashed Linksys routers for a while now, but still in the simple 192.168.1.1-type single-router networks. I do set everything static so it's easy to find devices from pad and phone apps, but that's about it for my level of configuration ability.
(My brain still hurts from all that subnet mask class-C /24 subnetworking stuff I just read, but I still don't know how to apply it!)
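The following is an added example, not code from the thread or from any of the posters. It models the layout suggested in the earlier reply (a second router between the AV gear and the main network, the AV side on its own /24, one port forwarded inward for remote support, everything else blocked) and answers the /24 question in practical terms: two addresses are "on the same subnet" when they agree on the network part under the mask. Every address, subnet and port below is an assumption chosen for illustration; the thread only states that the Westell hands out .100-.200 on its LAN.

```python
# Added example (not from the thread): check an address plan for an isolated
# AV subnet and evaluate which connections the AV router should let through.
# Assumed topology: AV router WAN port -> Westell LAN (192.168.1.0/24);
# AV router LAN side -> 192.168.10.0/24 (assumed).  The single forwarded
# port and its target host are hypothetical stand-ins for the remote-support
# listener; substitute whatever LogMeIn/VNC actually needs.
from ipaddress import IPv4Address, IPv4Network

PUBLIC_NET = IPv4Network("192.168.1.0/24")   # Westell side, per the thread
AV_NET = IPv4Network("192.168.10.0/24")      # assumed AV-router subnet

# Inbound exceptions: (protocol, port) -> AV host.  Anything not listed here
# is dropped when it tries to enter the AV subnet.  Hypothetical values.
PORT_FORWARDS = {("tcp", 5900): IPv4Address("192.168.10.20")}


def same_subnet(a: str, b: str, prefixlen: int = 24) -> bool:
    """True when a and b share a network under a /prefixlen mask.
    /24 is 255.255.255.0: the first three octets are the network part,
    so 192.168.1.25 and 192.168.1.150 are on-link, 192.168.10.25 is not."""
    net_a = IPv4Network(f"{a}/{prefixlen}", strict=False)
    net_b = IPv4Network(f"{b}/{prefixlen}", strict=False)
    return net_a == net_b


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for the first packet of a new connection at the AV router.
    Only the initiating direction is modelled; a stateful firewall such as
    iptables on dd-wrt lets replies to an allowed flow return by itself."""
    s, d = IPv4Address(src), IPv4Address(dst)
    src_inside, dst_inside = s in AV_NET, d in AV_NET
    if src_inside and dst_inside:
        return "allow:lan"        # switched locally; the router never sees it
    if src_inside:
        return "allow:nat"        # AV gear out to streaming sources, LogMeIn
    if dst_inside:
        # A public-wifi client or the internet reaching for an AV device:
        # only the forwarded port, and only to the host it is forwarded to.
        target = PORT_FORWARDS.get((proto, dport))
        if target is not None and target == d:
            return "allow:forward"
        return "deny"
    return "bypass"               # public <-> internet never crosses this box


def check_plan(av_net: str, public_net: str, static_hosts, dhcp_pool) -> list:
    """Problems with an address plan, or [] if it is sound.
    dhcp_pool is (first, last) of the pool the AV router will hand out."""
    av, pub = IPv4Network(av_net), IPv4Network(public_net)
    problems = []
    if av.overlaps(pub):
        problems.append(f"{av} overlaps {pub}: the router cannot tell the sides apart")
    first, last = (IPv4Address(x) for x in dhcp_pool)
    if first not in av or last not in av:
        problems.append(f"DHCP pool {first}-{last} is not inside {av}")
    for host in map(IPv4Address, static_hosts):
        if host not in av:
            problems.append(f"static {host} is outside {av}; AV devices cannot reach it")
        elif first <= host <= last:
            problems.append(f"static {host} is inside the DHCP pool and may be handed out twice")
    return problems


if __name__ == "__main__":
    plan = check_plan("192.168.10.0/24", "192.168.1.0/24",
                      ["192.168.10.20", "192.168.10.30"],
                      ("192.168.10.100", "192.168.10.200"))
    print("plan problems:", plan or "none")
    laptop = "192.168.1.150"   # stranger on the public wifi
    for flow in [(laptop, "192.168.10.30", "tcp", 5900),
                 (laptop, "192.168.10.20", "tcp", 5900),
                 ("203.0.113.5", "192.168.10.20", "tcp", 5900),
                 ("192.168.10.20", "203.0.113.5", "tcp", 443)]:
        print(*flow, "=>", decide(*flow))
```

The point the model makes explicit: putting the AV gear on a different /24 is only addressing, not protection. A laptop on the public wifi can still reach 192.168.10.x if a route exists; what keeps it out is the AV router dropping every inbound connection except the one forwarded port, to the one host it is forwarded to. The plan checker catches the two mistakes that are easy to make in a router GUI: reusing the same 192.168.1.0/24 on both sides, and assigning static addresses inside the DHCP pool.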
 
Re: Networking questions

What wireless router/access point are you using? Most of the newer wireless routers have the option to create a guest network, where all the hard networking stuff is taken care of for you. This way all you have to do is make sure that the employee network is secure, and possibly has a hidden SSID; then you can set up the guest network with an SSID like venue-guest. Then whoever connects to the guest network only has access to the internet and nothing else.
 
Re: Networking questions

There's a Westell DSL modem/router/WAP unit provided by Verizon. It's got 4 switched ports on it but no real settings capability beyond basic simple stuff.
Just found there is already a totally isolated network in the venue for the Micros cash registers, but they are running through a SonicWall that takes up one port on the Verizon unit. So whatever I do must leave that part undisturbed or they can't process credit cards.
Right now the network is:
Westell router set to straightforward DHCP from .100 to .200 with no port forwarding or anything advanced. All machines connected have static IPs ranging between .10 and .40. No access to the Micros system, but it is connected (and it will cost me to call them out for service).

Westell port 1 to 16-port (unmanaged) switch to rack gear (DSP/switchers/amps/processing)
Westell port 2 to Cisco WAP (out in the house)
Westell port 3 to SonicWall unit (cash register system)
Westell port 4 to Linksys WAP (back patio outside)

Wireless on the Westell unit has been disabled as it didn't have usable range outside of the office, and the Cisco covers the entire venue and lobby well.
I was thinking of re-purposing the Linksys unit to the inside as well and using it for the private network.
Still reading up on everything as best as I can, and thinking that VLANs are the answer. I just have to figure out the settings so I can continue to use the Verizon Westell gateway and not interfere with the SonicWall system.

Thanks for all the help so far
 
Re: Networking questions

Here's what we have. Dunno if this will help, or how secure it is.

There's an arrow missing: the right vertical runs from the DSL router to the Public router.

WAN sockets are not used on Public or AV routers.
 

Attachments: IPnraddys.pdf
Re: Networking questions

I would say the easy solution, although just a keeping-honest-people-honest method, would be to plug two WAPs with different subnets into the router. One is your AV network; the other is the public one. Protect the AV network with the MAC addresses of allowed devices. This should all be doable with consumer hardware. Otherwise, look into a good IT person and invest in the real hardware. Good Cisco hardware with enough features for AV needs is super cheap on eBay now. Get a few L3 switches and a good router for $400.