2: Setting Up the Router
[Original article by: KC Lai]
[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]
The router is the most important piece of your network infrastructure in terms of security. Choose a proper router with all the features you need before buying one. Once you have acquired a commercial-grade router, follow this guide to prepare it for your office IT system.
The physical connections
Connect the Internet modem to the WAN port of your router with a network cable. Connect any of the LAN ports of the router to one of the ports on the network switch. Connect your computers to the network switch (via the patch bay or directly).
Set Up the WAN Connection
Log in to your router (and change the default administrator password immediately).
Head over to the WAN connection setup section, and configure your Internet connection (either PPPoE, static IP, or DHCP) with the parameters that your Internet provider gave you. You may need to ask your Internet provider to enable “bridge connection mode” for the Internet modem. Most of the time, this is not necessary, as basic Internet services usually allow for 2 non-static IP addresses (in case your modem asks for one IP, and your router asks for another IP).
DHCP Server
The router will most often also be your network’s DHCP server. This allows computers that you plug in to the network to be given an IP address so they can see other computers on the network and also access the Internet.
You may want to change the IP address and subnet of your office network so it is on a different subnet than your home. This makes a difference later if you connect via VPN. For example, if your home IP is 192.168.1.1, then change the office router IP to be 192.168.2.1 (the second last number determines the subnet, the last number is the number assigned to the router or computer). Be sure that your subnet mask corresponds to the way you choose the IP address of the router (you may need to use a subnet calculator). In general, if you use the pattern 192.168.x.x, then your subnet mask can be 255.255.255.0 (which gives you 254 available IP numbers to assign to computers/devices on your network). Save and restart the router.
The DHCP server is usually enabled by default. Edit the following settings:
- DHCP Server: Enabled
- Start IP Address: 192.168.2.200 (start at a higher number to reserve the lower numbers for devices/computers that you want to give fixed IP addresses for easier management)
- Maximum DHCP Users: 50 (or whatever maximum number of dynamically assigned IP addresses you want to allow, including wifi devices)
- Static DNS: 208.67.222.123, 208.67.220.123 (for OpenDNS which filters/protects your users) or 8.8.8.8, 8.8.4.4 (for Google if reliability is a concern)
- Forced DNS Redirection: YES (if you don’t want users to bypass your chosen DNS server)
Go through the settings for any other tweaks you may wish to make, such as setting the Time Zone.
Setting Static Leases
On the router admin panel, go to the section for assigning static IP numbers to devices on your network. We recommend going through the pain of keeping track of all the authorized devices that are allowed on your network and assigning each of them a static IP. Keep a document containing the device name, MAC address, and IP for all your computers and devices. This allows you to easily manage port forwarding, IP address filtering for access control, QoS, remote management and other features. If the IP address keeps changing (when one device bumps off another), it is harder to identify where the computer or device is on the network. This also allows you to identify unauthorized devices that may have joined your Wifi network or plugged in to a vacant network wall jack.
Consider thinking ahead, and grouping your devices and computers into IP ranges (for easier identification and organization). Leave number range space for future additions to that group. For example, reserve 1-20 for network infrastructure, 21-50 for servers, 51-100 for peripherals, 101-200 for computers, 200-254 for all other devices (DHCP served IP address, such as Wifi guests).
Enter the MAC address, hostname, and a fixed IP address (one that is a lower number than the “Start IP Address” that you set previously) for each device:
Example:
MAC Address | Hostname | IP Address | Client Lease Time |
00:24:01:e7:61:1b | Clinic-server | 192.168.2.10 | |
00:22:b0:68:97:34 | Network-switch | 192.168.2.12 | |
3f:34:30:f8:bc:12 | Printer | 192.168.2.20 | |
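One way to put the device inventory described above to work, as an added example that is not part of the original article: the script checks the static-lease list against the article's addressing plan and flags observed devices that do not match it. The `OBSERVED` client list and the function names are constructed for illustration, and the pool end (.249) is derived from the article's Start IP Address and Maximum DHCP Users values.

```python
import ipaddress

# Addressing plan from the article: Start IP .200, 50 DHCP users -> .200-.249.
NETWORK = ipaddress.ip_network("192.168.2.0/24")
POOL = [NETWORK.network_address + n for n in range(200, 250)]

INVENTORY = {  # static leases from the article's table: MAC -> (hostname, IP)
    "00:24:01:e7:61:1b": ("Clinic-server", "192.168.2.10"),
    "00:22:b0:68:97:34": ("Network-switch", "192.168.2.12"),
    "3f:34:30:f8:bc:12": ("Printer", "192.168.2.20"),
}

def norm(mac):  # so 00-24-01-E7-61-1B and 00:24:01:e7:61:1b compare equal
    return mac.strip().lower().replace("-", ":")

def check_inventory(inventory):
    """Return problems in the static-lease list itself."""
    problems, seen = [], {}
    for host, ip_text in inventory.values():
        ip = ipaddress.ip_address(ip_text)
        if ip not in NETWORK or ip >= POOL[0]:
            problems.append(f"{host}: {ip} must be in {NETWORK} and below {POOL[0]}")
        if ip in seen:
            problems.append(f"{host}: {ip} is already assigned to {seen[ip]}")
        seen[ip] = host
    return problems

def audit(observed, inventory):
    """Compare (mac, ip) pairs seen on the network against the inventory."""
    known, findings = {norm(m): v for m, v in inventory.items()}, []
    for mac, ip_text in observed:
        entry = known.get(norm(mac))
        if entry is None:
            where = "in" if ipaddress.ip_address(ip_text) in POOL else "outside"
            findings.append((norm(mac), ip_text, f"unknown device {where} DHCP pool"))
        elif entry[1] != ip_text:
            findings.append((norm(mac), ip_text, f"{entry[0]} expected at {entry[1]}"))
    return findings

# Constructed sample of a router client list (not real data).
OBSERVED = [
    ("00:24:01:E7:61:1B", "192.168.2.10"),   # server, matches the record
    ("00-22-b0-68-97-34", "192.168.2.205"),  # switch fell back to a dynamic lease
    ("aa:bb:cc:00:11:22", "192.168.2.201"),  # not in the inventory, pool address
    ("aa:bb:cc:00:11:33", "192.168.2.77"),   # not in the inventory, manually set
]

if __name__ == "__main__":
    print(check_inventory(INVENTORY), *audit(OBSERVED, INVENTORY), sep="\n")
```

A MAC address can be changed by whoever controls the device, so a match against the inventory confirms only the address the device claims.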
Using Wireless Access?
There are some security issues if you choose to use Wifi access in your office. Consider turning off Wifi access on your router until you have considered the issues and decided on a type of access that works for your needs. Read the article on Wifi Access Point for more information.
Read Next: Network Firewall