Moving offices into a shared space with existing networking

nle

Member
Oct 24, 2012
We're a small design studio that is moving from our own huge office to a big co-working space (also with our own – much smaller – office). We're pretty excited about all the other people/work environment, but it also has its drawbacks – and one of them is the networking side of things.

I'm looking for advice on how to keep our current network/services within an existing network we don't have much influence over?

Our current setup is:

Asus RT-AC3200
  • Running Tomato Firmware
  • Dynamic IP service
  • OpenVPN server
HP ProCurve 1810g-24
  • connected to server via 2 x gbit connections to the switch (trunked).
  • 4 iMacs connected
Server with ESXi
  • OmniOS VM for ZFS (raidz2), with SMB/NFS shares.
  • Ubuntu VM with rclone for offsite backup

(We can no longer run a DHCP server or do port forwarding, and hence the Asus router is not going to be a part of the network anymore.)

Requirements:
  • Give Ubuntu VM access to the internet for the offsite backup.
  • Shield the OmniOS VM from the existing network, so our fileserver is not visible for anyone else (the alternative is to let it be visible, but lock it down further)
  • Get access from the outside via VPN?

I've been thinking a bit about it, and am contemplating the following:
  • Keep everything offline by setting up static IPs and just use the switch without connecting it to the existing network.
  • Passthrough a NIC to the Ubuntu VM and connect that directly to the existing network.
  • Use WiFi on the iMacs to get internet (since the ethernet is taken by the internal network)
  • (Once in a while connect the server and update)

I'm not totally sure how to do the OpenVPN part, but I guess I might have to set up a VPS somewhere as a form of bouncer? And regarding separating the networks, while staying connected to the internet via cable, are VLANs anything to consider (I'm guessing no since I don't have access to routing/firewall)?


What would you guys do?

Appreciate any advice/inputs on both the network and the OpenVPN part.

Blinky 42

Active Member
Aug 6, 2015
PA, USA
Are the desktops / servers going to be in the same physical room and possible to just wire it all up like it is today and just use the in-office connection as your new "uplink" out to the internet?
If you have multiple actual rooms / locations in the building, can you use the existing copper wiring in the building for your use between those locations, or is that reserved for the people you are getting the space from?

Might want to approach it as if the servers you are moving to the new space are actually going to an offsite colo and you set the desktops/laptops up to connect to your server(s) over VPN connections at all times. That way you can move all over the space, and use the Wifi there as the actual transport, or even have people work in remote locations and connect back to your main servers.

Edit:
When I have done longer term contracts at places in the past, I brought my equipment in and basically set up shop in a cube (or 3) with switches, servers, desktops etc. all privately connected between each other over switches and Wireless that I brought in. Then I would set the device that is the default router to talk to the office's network and route all traffic out through there so I can do what I need isolated away from the office but still get out to the internet.

I have done the same with wireless and even Cell hotspots as the "uplink" in locations that were more locked down or just had no internet yet or poor internet vs. what I could get over 4G.

If you need the outside world to be able to reach in and see your servers (like VPN in from home) then I would consider a VPS as the fixed endpoint that everything calls into.

nle

Member
Everything is going to be in the same room. And I guess I can set it up exactly as before with the existing network as an uplink.
But wouldn't double NAT cause problems?

Thanks for the input about the VPN, but I think that would be a bit overkill for our use. My main concern is how to connect to the VPN behind closed ports (inside the existing network).

Blinky 42

Active Member
Double (or more) nat from your desktops out to the internet isn't a big problem if they configured their equipment well enough and can maintain the connection tracking needed for things to run smoothly. Depending on what you are used to and what they have for Internet connectivity at the new space you may have more issues just in contention for the single internet connection with everyone goofing off and streaming videos vs working ;)

For access from outside the building into your private servers, I would just set up a VPS or VM in a cloud provider of your choice and have the inside servers call into the VPN at all times + you can call into the VPN from home or on the road to get access to your servers in the office.

The only trick is to get an idea of the addressing schemes that are used by the office space you are moving into now and make sure you don't overlap that. If you get a 192.168.0.0/16 address from the office space from their wifi/ethernet connections then you want to use something totally different for all your VPN links and your own private network between your equipment.

I try and setup all of my sites with non-overlapping ranges explicitly for that purpose so I can bring up tunnels between them and have direct access across sites seamlessly.
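To make the non-overlapping addressing advice concrete, here is an added example (not from anyone in the thread): it flags any overlap between the office's range, the studio LAN and the VPN tunnel range, and allocates replacement /24s from RFC 1918 space for whatever clashes. The office 192.168.0.0/16 comes from the post above; the studio's 192.168.1.0/24 and the 10.8.0.0/24 tunnel range are assumed sample values.

```python
"""Added example: detect and fix overlapping private ranges before bringing up
a site-to-VPS tunnel. Not code from the thread or from any product."""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample values: the co-working space hands out 192.168.0.0/16 (as
# in the thread); the studio's old Asus LAN and the tunnel range are assumed.
OFFICE = {"coworking-lan": "192.168.0.0/16"}
PLAN = {"studio-lan": "192.168.1.0/24", "vpn-tunnel": "10.8.0.0/24"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_conflicts(ranges):
    """Return sorted (name_a, name_b) pairs whose networks overlap."""
    nets = {name: ip_network(cidr) for name, cidr in ranges.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def allocate(avoid, names, prefixlen=24):
    """Pick one /prefixlen per name from RFC 1918 space that overlaps nothing in
    `avoid` and no earlier pick; returns {name: cidr string}."""
    taken = [ip_network(c) for c in avoid]
    picks = {}
    for name in names:
        chosen = next((sub for block in RFC1918
                       for sub in block.subnets(new_prefix=prefixlen)
                       if not any(sub.overlaps(t) for t in taken)), None)
        if chosen is None:
            raise ValueError(f"no free /{prefixlen} left for {name}")
        taken.append(chosen)  # later picks must not collide with this one
        picks[name] = str(chosen)
    return picks


def replan(office, plan):
    """Keep plan entries that clash with nothing; reallocate the rest."""
    merged = {**office, **plan}
    bad = {n for pair in find_conflicts(merged) for n in pair if n in plan}
    keep = {n: c for n, c in plan.items() if n not in bad}
    new = allocate(list(office.values()) + list(keep.values()), sorted(bad))
    return {**keep, **new}


if __name__ == "__main__":
    print("conflicts:", find_conflicts({**OFFICE, **PLAN}))
    print("revised plan:", replan(OFFICE, PLAN))
```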

nle

Member
I can report that this worked perfectly fine, everything is like before the move. Thanks for the help.

I have 1,5 remaining issues:

1. VPN server behind NAT
As far as I can tell, it looks like a site-to-site VPN to a VPS, and then connect to the VPS.
Any input/advice on this? Best way to set it up? Recommend a VPS provider?

2. Printing
We have "free" printing in our shared office, but the printers are on the existing network. We're currently solving this by using WIFI (in addition to our own local wired network – which is set as primary). Sometimes we print big files directly from InDesign, and that is painstakingly slow over WIFI.

Therefore, is there any way to communicate with the printers via our internal wired network? Sort of reverse port forwarding?