# Redesigning Office Network - 50+ Users. Need help with design at a budget.



## ant18290 (Aug 11, 2015)

Hello, I am new to this forum but it seems like it has a great community. Each networking scenario is unique and I was hoping to get some ideas and inspiration from this vibrant community.

I am not a network engineer by any means, but I have put in my hours and got my scars enough to tackle this issue. I will attach a current network diagram for you to view and get some insight into the situation, and list the requirements as follows.

We are looking to reduce the amount of hardware and improve security, while still being able to block websites by category and static IP or user. Wireless can be dropped at the point of failure, as it's also included in the modem. Right now we are looking to replace the point of failure and possibly condense hardware.

This network has been added on to several times as the company has expanded, and everything about this setup is really incorrect. Since I am on a tight budget, I need to replace as little as possible. The network needs user-specific website blocking. Right now they are using the Netgear as it has an included OpenDNS membership. The Netgear router is also the point of failure, so if it goes I need to replace the website blocking mechanism. Controlling the network is important. I was thinking a UTM or NGFW would be good, so right now I was thinking of replacing the Netgear with one of these options:

- Mikrotik CRS125-24G-1S-2HnD-IN (24 ports to maybe get rid of some of the lower switches; lacks a good content filtering solution, but I can sign up for OpenDNS separately I guess)

- Mikrotik Routerboard RB2011UiAS-2HnD-IN (10 port, same as above but less ports)

- ZyXEL ZyWALL USG20W 802.11n Wireless Internet Security Firewall with 4 Gigabit LAN/DMZ Ports, 2 IPSec VPN, SSL VPN , and 3G WAN Support ( Has cloud firewall, website filtering, and more.)

Those were the options I found before I found out we don't need wireless anymore. Now I know I can use a switch, but I need some suggestions and help. It's really important we can filter the internet by static IP as well.

NETWORK DIAGRAM


----------



## MitchConner (May 8, 2015)

What's your budget for this mate?


----------



## ant18290 (Aug 11, 2015)

Under 300 for router and 200 a year for web filtering if possible


----------



## MitchConner (May 8, 2015)

Is it just specific URI filtering that you need mate (so you can manually administer web access), or are you looking for complete web filtering (so you don't have to manually administer web access)?


----------



## ant18290 (Aug 11, 2015)

MitchConner said:


> Is it just specific URI filtering that you need mate (so you can manually administer web access), or are you looking for complete web filtering (so you don't have to manually administer web access)?


Well, most users will have broad category blocking. We should be able to adjust categories based on the user and also have URL-specific whitelisting per user. I have been looking at two options, the FortiGate 30D and WatchGuard XTM 25, recently. I am not sure if they will be able to see how the switches route the internet and filter appropriately though. Right now they are using a custom OpenDNS system provided by the R7000 router that's failing.


----------



## MitchConner (May 8, 2015)

Hi mate, sorry for the delay in replying.

I think your limiting factor is going to be the web filtering (which is normally done on the HTTP GET rather than the IP), because it can cost a bit.

The WatchGuard firewall will fit the bill if that's in your price range.


----------



## djaburg (May 15, 2008)

What I would do is get the WatchGuard and add their protection services. OpenDNS can do much of the heavy "mass filtering" load for free. That being said, you can lock down the WatchGuard based on several features, including firewall connections (i.e. the LAN3 port is for your filtered switch and can have different filters than other firewall connections). You can also create devices that are the individual computers (based on MAC or IP) and use those to implement filtering. WatchGuards are quite powerful but not necessarily as intuitive as most Netgear/D-Link/Linksys type routers. If set up properly they're bulletproof and faster than many other ones, since they have hardware doing the bulk of the work compared to the software-based approach in the cheaper routers.

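To make the policy model discussed in this thread concrete (per-device policies keyed by static IP, category blocking with a per-user URL whitelist, decisions taken on the requested hostname rather than the destination IP), here is an added example of the decision logic as a small Python evaluator. It is not code from any of the products named above; the category feed, IP addresses and hostnames are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed category feed; a real deployment pulls this from a filtering
# subscription (OpenDNS is mentioned in the thread). Hostnames are placeholders.
CATEGORY_OF_HOST = {
    "socialsite.example": "social",
    "video.example": "streaming",
    "vendor-portal.example": "business",
}

@dataclass
class Policy:
    name: str
    blocked_categories: set
    whitelist: set = field(default_factory=set)  # hosts allowed despite category

# Per-device policies keyed by static IP (constructed addresses); any client
# without an entry falls back to DEFAULT_POLICY.
POLICIES = {
    ipaddress.ip_address("192.168.1.20"): Policy("marketing", {"streaming"}, {"socialsite.example"}),
    ipaddress.ip_address("192.168.1.21"): Policy("finance", {"social", "streaming"}),
}
DEFAULT_POLICY = Policy("default", {"social", "streaming"})

def host_whitelisted(host, whitelist):
    """True if host or one of its parent domains (not the bare TLD) is whitelisted."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels) - 1))

def decide(client_ip, host):
    """Return (action, reason) for an HTTP request from client_ip to host.
    The decision keys on the requested hostname (the HTTP Host header / GET),
    not the server IP, because shared hosting and CDNs make IP blocks unreliable."""
    policy = POLICIES.get(ipaddress.ip_address(client_ip), DEFAULT_POLICY)
    if host_whitelisted(host, policy.whitelist):
        return "allow", f"{policy.name}: whitelisted"
    category = CATEGORY_OF_HOST.get(host.lower(), "uncategorized")
    if category in policy.blocked_categories:
        return "block", f"{policy.name}: category {category}"
    return "allow", f"{policy.name}: category {category}"

if __name__ == "__main__":
    for ip, host in [("192.168.1.20", "socialsite.example"),
                     ("192.168.1.20", "video.example"),
                     ("10.0.0.5", "socialsite.example")]:
        print(ip, host, *decide(ip, host))
```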

----------

