Satellite Modem based networking troubles

July 14, 2010 at 11:53:49
Specs: Windows 7
Hey guys, need some networking assistance/advice. I have a BW network with HX50 modem in this setup: Modem-ZyXEL Firewall-Wired Router-Switch with a grand total of 30 users.

The firewall has 4 ports, one goes to one of the router ports, one goes to the hard line to me (I'm the network admin on the system), and 2 ports go to D-Link wireless access points.

The router has 4 ports also, one is used up coming from the firewall, one is going to the switch, and one is going to my 3rd D-Link access point (all DAP-1522s).

The switch is 8 ports, one port used coming from the router, and 6 used by hard wired people in that section of the building my equipment is located.

The HX50 modem IP is, firewall is, modem, and access points also

In the FAQ section on the modem, it gives me 12 IP addresses I can use in the domain, should I switch all devices to that IP range, and how should I assign individual user IPs? I have DHCP turned on in the firewall and shut off in all other devices, and still have a great big bottleneck somewhere. Can anyone help me get this mess straightened out? Any and all help would be greatly appreciated.


July 14, 2010 at 12:04:08
The firewall, modem and AP's CAN NOT be in the same subnet. Period. This is basic routing which in your case isn't routing at all.

Do not use the 10x ips internally unless you want to be raw [unprotected] on the internet.

Correct setup should be
modem<>firewall<>switch<>pcs and AP's

IPs would look like this;
modem[]<>[10.142.xx.xxY]wan interface of firewall{firewall}lan interface of firewall [] and all AP's pcs would get ips in the range.

You will note that you have one ip subnet between modem lan and firewall router wan ports. You have another subnet on the lan side of the firewall router. This is how routing works, you have to have different subnet to route to.

You do not need the extra router as it adds a subnet as well as a hop to the internet for those devices off its lan ports.

If this has been working I would have to assume you have been using the 2nd router not as a router but as a switch [no wan port connection just a lan port to the firewall connection]. I would suggest you get a 48port switch instead so you have the ports you need and easy management.
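The two-subnet layout described in the reply above can be checked before any device is re-addressed. This is an added example, not part of the original thread; the function name, device names and all addresses are constructed for illustration.

```python
import ipaddress

def audit_plan(wan_net, lan_net, devices):
    """Audit a modem<>firewall<>LAN address plan; return a list of findings.

    devices maps a name to (side, ip), side being "wan" (modem-to-firewall
    link) or "lan" (everything behind the firewall).
    """
    nets = {"wan": ipaddress.ip_network(wan_net),
            "lan": ipaddress.ip_network(lan_net)}
    findings = []
    # The firewall can only route (and filter) between two different subnets.
    if nets["wan"].overlaps(nets["lan"]):
        findings.append(f"WAN {nets['wan']} and LAN {nets['lan']} overlap")
    owner = {}
    for name, (side, ip) in devices.items():
        addr = ipaddress.ip_address(ip)
        other = "lan" if side == "wan" else "wan"
        if addr not in nets[side]:
            where = (f"is in the {other} subnet" if addr in nets[other]
                     else "is in neither subnet")
            findings.append(f"{name} {addr} sits on the {side} side but {where}")
        if addr in owner:
            findings.append(f"{name} {addr} duplicates {owner[addr]}")
        owner.setdefault(addr, name)
    return findings

# Constructed sample plans (addresses are illustrative, not from the thread).
FLAT = ("10.99.0.0/28", "10.99.0.0/28", {
    "modem": ("wan", "10.99.0.1"),
    "firewall-wan": ("wan", "10.99.0.2"),
    "firewall-lan": ("lan", "10.99.0.3"),
    "ap1": ("lan", "10.99.0.4"),
})
SPLIT = ("10.99.0.0/28", "192.168.1.0/24", {
    "modem": ("wan", "10.99.0.1"),
    "firewall-wan": ("wan", "10.99.0.2"),
    "firewall-lan": ("lan", "192.168.1.1"),
    "ap1": ("lan", "192.168.1.10"),
    "ap2": ("lan", "192.168.1.11"),
})
# Same split plan, but one AP still carries its old modem-side address.
STALE = (SPLIT[0], SPLIT[1], {**SPLIT[2], "ap3": ("lan", "10.99.0.5")})

if __name__ == "__main__":
    for label, plan in (("flat", FLAT), ("split", SPLIT), ("stale", STALE)):
        print(label, audit_plan(*plan) or "OK")
```

The flat plan fails because both firewall interfaces share one subnet; the stale plan shows the common leftover of an access point that was never moved off the modem-side range.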

July 14, 2010 at 20:20:42
OK, I'm going to be playing with it some more today, and I'd love to get new equipment but unfortunately I'm in Afghanistan with the U.S. military, so we're a little short on options. I can't take the router out of the equation because I don't have enough ports to run everything, but it is plugged in from the router thru a LAN port, I was unable to get it to work thru the WAN port. Thank you for your advice, any other suggestions I should follow?

July 14, 2010 at 21:32:11
OK. We have limited equipment to work with. Not a problem. Good to know how you are using the router, good choice considering the circumstances.

What model of ZyXEL Firewall do you have so I can look up the docs?
What's the upload/download specs of the satellite connection?

July 14, 2010 at 22:20:43
The down/up speed is 3MB down, 1MB up, and the firewall is a ZyXEL ZyWALL 2 Plus. Didn't have much experience with firewalls, and I am pursuing a career in network security, so I wanted some hands on in configuring one. Will using the router as a LAN device hurt us overall? We also have a wireless bridge going to another access point, but that's pretty easy to configure.

July 15, 2010 at 10:22:08
What is the wireless bridge connected to?

Doing wireless bridging and wireless AP's slows the internet access down. Wireless has tremendous overhead which adds to the lag. This is compounded with wireless bridging going to a wireless AP.

You would get the best performance with a wired link. Given 30 with 7 wired you have 23 wireless clients using 4 APs for an average of 5 per AP.

From my experience that is the max for an AP.

30 users on a 3/1mbps with all the lan overhead is going to result in slow internet access. Should be OK for email and browsing but nothing else.

I would suspect you are also dealing with location issues so moving equipment around isn't possible.

Ignoring that, and considering a possible better design using the existing equipment, I would recommend the following;

Off the firewall have
8port switch
4port router acting as a switch
wireless bridge

Off the switch
6 wired users
1 your pc [you can continue to be off the firewall but you will be grabbing all the bandwidth from the rest]

Off the router acting as a switch
3 AP's

Off the wireless bridge
1 AP

There is nothing you can do to make wireless suck less without wiring and changing equipment.

July 16, 2010 at 08:35:16
My bridge is actually going to yet another access point. The way the network is set up looks like this:

Satellite Modem to

ZyXEL Firewall, going to 2 WAPs, 1 hard line to me, and the router

DLINK Router, going to the wireless bridge, 8 port switch, and remaining access point

8 Port Switch, going to 6 hardwired users in the building the equipment is located in

DLINK access points, each connected to one Buffalo Ethernet Converter (access points that receive a wireless signal and put it out to users thru a cable basically)

Wireless Bridge, going to one more wireless bridge about 200 meters away, which is hooked to a Linksys router acting as an access point

Linksys router provides a signal to a Buffalo Ethernet Converter that provides signal to 2 users.

I know it sounds like a mess, but with the exception of the firewall/router/switch setup, it was the only way I could provide signal to everyone in a spread out area. I have everyone connected to the internet now, and it's running OK especially for having 30 people on it, but I would like to increase speeds if possible. I agree with you about the wired network being available but it's not feasible, and the vast majority was here when we got in country. I certainly appreciate the feedback you've given me so far.

July 16, 2010 at 12:26:51
There really isn't anything you can do to increase bandwidth with the setup you are forced to have.

You could not have encryption which will lessen the wireless overhead but depending on what is around you that may not be a wise choice.

