Office Network Problems

OP (joined Nov 6, 2007):
We have a Mac network guru coming in on Friday to help us out a bit..but in the meantime, I'd like to try to figure some things out on my own..for my own personal knowledge.

Our cable modem plugs directly into a Netgear JGS525 Switch. From there, we have Ethernet wires running all over the office and connecting to some Macs. So far, so good. Internet for those that are hardwired is blazing fast..as well as file transfers from computer to computer.

Our ISP has given us a range of static IP addresses. We assign each Mac its own IP address. We have about 15 static IPs we can use.

Now for the problem area.
Wireless.

It's extremely spotty and works when it wants to. There is a conflict that we can't quite find. We reset everything 10 times yesterday and it worked for 30 minutes each time and then crashed. (wired computers, still working...it's not an ISP issue)

We go from our router to an Airport Extreme Base. We assign the Airport Extreme a static IP. We have two more Airport Extremes and an Airport Express set up as repeaters, which to me is odd because we shouldn't need 4 Airports to get wireless to work in our office...we don't have a very big office...3 at most should be sufficient...but never seems to be. Someone never has enough signal or their internet is slow as poo.

Anyway, I hope this is making sense..but the wireless internet just seems to go on and off..and we need to basically reset everything in order to get it working again, for what seems like an hour at most and then the whole wireless network crashes again.

One other odd thing is about our network printer. It will only work whenever it's plugged into the Airport Express. If we're hard wired, then that means in order for us to print, we must connect to the wireless network and then print to the Bonjour Shared printer. Can I hook up the printer via Ethernet to the switch? Then, would wireless be able to find it?
 

cwa107 (Retired Staff, joined Dec 20, 2006):
May I ask why the preference for static IP addressing? I have a feeling that's where your problems stem from. Your Airport Extreme is a perfectly capable DHCP server.
 
OP (joined Nov 6, 2007):
> May I ask why the preference for static IP addressing? I have a feeling that's where your problems stem from. Your Airport Extreme is a perfectly capable DHCP server.

We have 3 computers set up as web servers. 2 Mac Pros and an iMac. We post project files to our local web server and our client views the web page to see the status of the projects we're working on.

For instance, they go to computer1.oursite.com and that gets forwarded to the IP address that we have set up. It's much easier and makes more sense than uploading gigs of files to our web host for our website.

One other thing is we often connect via Remote Desktop so we can work on our work computer from another location. We just punch in the IP address and connect. Is there an easier method?
 
Member joined Mar 3, 2008:
I'm sure the help you've got coming on Friday will tell you much the same thing, only more in depth: that setup does not seem very good.

You need a router, some sort of firewall other than the systems themselves. That's asking for trouble. Modem-->Router-->switch--->workstations/servers.

With a router, you can keep your setup virtually the same, but it's much safer and cleaner. The router handles your DHCP and all that business and if you get one that has wifi, there's your wireless network also included. You can set up port forwarding for the web ports to forward directly to your web server, as well as assign a port per computer for remote desktop. This would mean that instead of a unique IP for each workstation on the network, you have one outside IP and differing ports for each system.

This would probably solve a lot of your connectivity issues as well if they're all connected to a central location in a smaller, sectioned off network.
 

cwa107 (Retired Staff, joined Dec 20, 2006):
> We have 3 computers set up as web servers. 2 Mac Pros and an iMac. We post project files to our local web server and our client views the web page to see the status of the projects we're working on.

Wow. Was this network built by an IT professional? I ask because although OS X is pretty stout, it's still quite risky to leave your machines wide open on the public Internet by assigning them static, public IP addresses. I'm not sure that solving these issues is really in the scope of this forum, although I'll do my best to help.

> For instance, they go to computer1.oursite.com and that gets forwarded to the IP address that we have set up. It's much easier and makes more sense than uploading gigs of files to our web host for our website.

Do you have your own DNS server or did you have your ISP set up that host record on theirs?

> One other thing is we often connect via Remote Desktop so we can work on our work computer from another location. We just punch in the IP address and connect. Is there an easier method?

I'm not sure where to start, there's quite a bit I would have done differently as a network engineer, but I'm sure I'm not getting the full picture either, so I don't want to speculate too much.

I know you said that you have a "Mac networking guru" stopping by to take a look at it, but is this person a network engineer or more of a hobbyist?
 

cwa107 (Retired Staff, joined Dec 20, 2006):
> I'm sure the help you've got coming on Friday will tell you much the same thing, only more in depth: that setup does not seem very good.
>
> You need a router, some sort of firewall other than the systems themselves. That's asking for trouble. Modem-->Router-->switch--->workstations/servers.
>
> With a router, you can keep your setup virtually the same, but it's much safer and cleaner. The router handles your DHCP and all that business and if you get one that has wifi, there's your wireless network also included. You can set up port forwarding for the web ports to forward directly to your web server, as well as assign a port per computer for remote desktop. This would mean that instead of a unique IP for each workstation on the network, you have one outside IP and differing ports for each system.
>
> This would probably solve a lot of your connectivity issues as well if they're all connected to a central location in a smaller, sectioned off network.

Well-put, and pretty much what I was trying to get at as well. I understand that in a SOHO setting, your budget is limited and you tend to rely on both your ISP and some of the higher-end, consumer grade networking gear to get you by. But when you start putting machines on the public Internet, it's time to have a serious evaluation done by a networking professional - and that person doesn't even need to be a Mac specialist, as much as they need to be familiar with network security and infrastructure.
 
OP (joined Nov 6, 2007):
> I'm sure the help you've got coming on Friday will tell you much the same thing, only more in depth: that setup does not seem very good.
>
> You need a router, some sort of firewall other than the systems themselves. That's asking for trouble. Modem-->Router-->switch--->workstations/servers.
>
> With a router, you can keep your setup virtually the same, but it's much safer and cleaner. The router handles your DHCP and all that business and if you get one that has wifi, there's your wireless network also included. You can set up port forwarding for the web ports to forward directly to your web server, as well as assign a port per computer for remote desktop. This would mean that instead of a unique IP for each workstation on the network, you have one outside IP and differing ports for each system.
>
> This would probably solve a lot of your connectivity issues as well if they're all connected to a central location in a smaller, sectioned off network.

Thanks for that suggestion. I forgot all about using ports. This is why we're in a bit of a pickle...we're graphics people, not network people ;)

> Wow. Was this network built by an IT professional? I ask because although OS X is pretty stout, it's still quite risky to leave your machines wide open on the public Internet by assigning them static, public IP addresses. I'm not sure that solving these issues is really in the scope of this forum, although I'll do my best to help.

Yes and no. The guy who wired up our building is a complete moron. We've done most of this ourselves, to the best of our abilities.

> Do you have your own DNS server or did you have your ISP set up that host record on theirs?

We had our Webhost set up CNAME..I believe...

> I'm not sure where to start, there's quite a bit I would have done differently as a network engineer, but I'm sure I'm not getting the full picture either, so I don't want to speculate too much.
>
> I know you said that you have a "Mac networking guru" stopping by to take a look at it, but is this person a network engineer or more of a hobbyist?

Thanks, apparently this guy sets up networks (Mac networks) for big companies...so I think it's beyond hobbyist.

Again, I appreciate your advice...I will talk with the higher ups about a router in addition to the switch and then maybe we could dump the static IPs and go with ports.

Would using ports interfere with how people navigate the site?
 
Member joined Mar 3, 2008:
> Would using ports interfere with how people navigate the site?

They would see the exact same thing and use it in the same way, it's just much more specific on what type of traffic you're allowing to that system. The main concern with your network setup here is security. Right now your machines are open to the internet and there is no buffer between them. Like cwa107 said, OS X is pretty secure, but basic security measures should always be in place - even in a home setting, but especially a business one.
 
Member joined Apr 2, 2006:
Okay..first things first. You don't need to assign each workstation an IP address from the 15 that your ISP gave you. Get rid of the switch and replace it with a router so you can do NAT. You do not need a routable address for each computer. And it will save you money in the long run since you won't be paying for each IP address that you are using.

When I posted my reply, I was unable to see anyone else's replies. I see that this route (no pun intended (well maybe just a little)) has already been covered. If I could figure out how to delete this post I would :)
 

cwa107 (Retired Staff, joined Dec 20, 2006):
> Thanks for that suggestion. I forgot all about using ports. This is why we're in a bit of a pickle...we're graphics people, not network people ;)

I don't think you give yourself enough credit, I'd say you have more than a little working knowledge just based on what I'm hearing from you here.

> Yes and no. The guy who wired up our building is a complete moron. We've done most of this ourselves, to the best of our abilities.

Yeah, wiring guys tend to be pretty specialized in pulling and terminating cable. They may know enough to patch the ports into a switch, but in my experience that's about where their knowledge ends.

> We had our Webhost set up CNAME..I believe...

Got it, so while you do host your own test boxes, your actual production servers belong to a webhost who does the favor of hosting a DNS record to point back to one of your public IPs. Do I have that right?

BTW, even if you do go NAT with port forwarding, your static machines can still coexist in that network, implemented properly.

> Thanks, apparently this guy sets up networks (Mac networks) for big companies...so I think it's beyond hobbyist.
>
> Again, I appreciate your advice...I will talk with the higher ups about a router in addition to the switch and then maybe we could dump the static IPs and go with ports.

I think that would be a good idea for starters.

> Would using ports interfere with how people navigate the site?

Done properly, no.
 
Member joined Sep 24, 2007:
GroovyLinuxGuy, CWA107, and Pixelbaker all have the right ideas for you. Here's my $0.02 worth to go along with it:

1. Drop a firewall - ANY FIREWALL - in front of that network. Your professional network guy may deploy equipment for large networks, but he's forgotten the single most basic rule: Keep other people out. Your network performance is spotty because you're getting external users hammering the network looking for vulnerabilities. To prove this out, configure the Netgear to give you a span port (a port that can be used to monitor traffic on all the other ports) and then connect a machine using Ethereal to it. You'll be amazed at how much garbage traffic you're going to see.

2. Keep the switch. That's an excellent piece of equipment that you'll need just to maintain the high file transfer rates inside the network. But you need to develop a plan of your network, and configure the switch to help you limit the traffic that your servers see. Internal servers should not be on the same subnet as external servers. Workstations should be able to see both internal and external servers. The Internet at large should only be able to see 3 or 4 services, protected by NAT, to prevent direct attachment to the internal servers.

3. The printer issue sounds like you're the victim of a botched internal network numbering issue.

This really isn't rocket science. If you'd like some additional advice, PM me with some contact data.

Perry
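
Added example, not part of the original thread or any poster's code: a Python script for the span-port check described in the post above, which counts inbound connection attempts in `tcpdump -nn` text output that target anything other than the few services the router is meant to publish. The address block, the published ports and the capture lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed values: documentation ranges stand in for the office's public
# block and outside hosts; the published (forwarded) services are hypothetical.
OFFICE_NET = ipaddress.ip_network("203.0.113.0/28")
PUBLISHED = {("203.0.113.2", 80), ("203.0.113.2", 443), ("203.0.113.2", 5901)}

# IPv4 TCP lines as printed by `tcpdump -nn`.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture, not real traffic.
SAMPLE_CAPTURE = """\
09:14:01.102233 IP 198.51.100.7.51515 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
09:14:01.102950 IP 198.51.100.7.51516 > 203.0.113.6.22: Flags [S], seq 1, win 65535, length 0
09:14:02.000120 IP 192.0.2.44.40100 > 203.0.113.2.80: Flags [S], seq 7, win 64240, length 0
09:14:02.000310 IP 203.0.113.2.80 > 192.0.2.44.40100: Flags [S.], seq 9, ack 8, win 65535, length 0
09:14:03.551000 IP 198.51.100.90.33012 > 203.0.113.5.445: Flags [S], seq 3, win 8192, length 0
09:14:04.010000 IP 203.0.113.5.50222 > 192.0.2.80.443: Flags [S], seq 5, win 65535, length 0
09:14:05.220000 IP 198.51.100.7.51517 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
09:14:06.800000 IP 198.51.100.90.33020 > 203.0.113.2.5901: Flags [S], seq 4, win 8192, length 0
"""

def summarize(capture_text):
    """Split inbound connection attempts into published vs. unsolicited."""
    published, unsolicited, sources = Counter(), Counter(), set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["flags"] != "S":
            continue  # keep only bare SYNs, i.e. new connection attempts
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in OFFICE_NET or dst not in OFFICE_NET:
            continue  # outbound or internal traffic is not of interest here
        key = (m["dst"], int(m["dport"]))
        if key in PUBLISHED:
            published[key] += 1
        else:
            unsolicited[key] += 1
            sources.add(m["src"])
    return published, unsolicited, sources

if __name__ == "__main__":
    pub, unsol, srcs = summarize(SAMPLE_CAPTURE)
    for (ip, port), n in unsol.most_common():
        print(f"unsolicited SYNs to {ip}:{port}: {n} (from {len(srcs)} outside sources)")
```

Running the same summary before and after a NAT router or firewall is placed in front of the switch shows whether unsolicited attempts still reach the individual machines.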
 
