Small Restaurant Network Redesign


  • Service Provider

From a private conversation, I know someone who has a small network of four sites and a small number of PCs. Right now their VAR has overbuilt the network for them and made it very complex and expensive. I'm working on a simplification process. Unfortunately, this came up because they are having phone quality issues which appear to be WAN based, and not something that can be fixed with changes on the network. But it exposed network issues and costs that can be addressed. So the phone and WAN issues are a separate issue.

    Here is the breakdown of the four sites. It is one head office, and three restaurants.

    Today they have:

    Head Office

    • Cisco Firewall
    • 9 Users
    • 10 SIP Phones
    • 2 Printers
    • Windows Server

    Restaurant 1

    • Cisco Firewall
    • 3 Windows PCs
    • 1 Printer
    • 1 QNAP NAS
    • 3 SIP Phones

    Restaurant 2

    • Cisco Firewall
    • 3 Windows PCs
    • 1 Printer
    • 4 SIP Phones

    Restaurant 3

    • Cisco Firewall
    • 2 Windows PCs
    • 1 Printer
    • 2 SIP Phones

The VoIP / SIP phones connect to a hosted PBX product, so no hosting for that. There is a Windows Server somewhere in this mix providing Active Directory to 15 users. The sites are VPN'd together using the Cisco firewalls.

    Some of the big issues today include high costs, high complexity, and the need for an outside company for support because of things like the VPNs and VLANs that aren't needed.


  • Service Provider

    I'm still gathering info, but here is where I am thinking this should head. First, this is a completely LAN-based design, in a company whose needs are completely LANless. None of the existing design fits the company model. What is there is antiquated and too complex. This could be greatly simplified. There is some question as to what apps are using the storage, but once that is cleared up, I think it will be easy to come up with an overall design.

    Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable.


  • Service Provider

    First...

    AD needs to go, as does the QNAP as the storage device. Neither makes any sense here. AD is just adding risk, not value. Those should be "just removed."

For storage, something like Dropbox would be fine, but is costly on a month to month basis. Since there is a central site here, and presumably a little hardware that the Windows system is currently running on, I think running NextCloud there makes sense. It's free and we know how dead simple it is to install. That'll replace AD and the QNAP, all at once. And it will remove the need for the VPN with it. All in one move.

    Nextcloud will be easier to use and manage, more reliable for everyone, and start saving a lot of money right away.

    With this, I believe, there is no need for any Windows Server licensing, Windows CAL licensing, NAS device, or VPNs.


  • Service Provider

    Second step, remove all of the Cisco routers that are potentially compromised. The VAR is pretty clearly not to be trusted and has made claims that the Cisco routers and switches aren't powerful enough for 300Kb/s of VoIP traffic. So whether he's an idiot or has actually sabotaged the network does not matter. What matters is getting all of the expensive Cisco gear, and the access from that unscrupulous vendor, out of there.

    Ubiquiti ERLs at all four sites would be best. (They've actually done one site already, so this is moving forward.) This is about $450 total (it's not in the US, so prices are a little higher.) There is no need for VPNs, so just the most basic setup is all that is needed. Nothing more. Cheap, quick, and easy. Once the Cisco routers and switches are gone, the old VAR has no hold over them.


  • Service Provider

    Next I'd add a UNMS to the main site, on the same server hardware as the NextCloud instance. Simple visibility and remote management of the remote offices. This isn't needed, but it's free, so a nice extra project.


  • Service Provider

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.


  • Service Provider

    And, of course, deploying free SodiumSuite to the handful of PCs would give a little simplified visibility into the network. Doesn't replace anything there already, but gives a few RMM-like features that you might as well have once going this route.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    ZeroTier?


  • Service Provider

    @fateknollogee said in Small Restaurant Network Redesign:

    @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    ZeroTier?

    Duh, of course. Thank you. No idea why that didn't occur to me.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    @fateknollogee said in Small Restaurant Network Redesign:

    @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    ZeroTier?

    Duh, of course. Thank you. No idea why that didn't occur to me.

    Haha, I figured you probably just forgot ZT.
    Not to thread-jack, but I'm looking forward to using the new ZeroTier Edge devices



  • Also, do they need to be PCI Compliant?



  • @scottalanmiller said in Small Restaurant Network Redesign:

    There is a Windows Server somewhere in this mix providing Active Directory to 15 users.

    Is this Windows Server here only for providing AD?

    Is this hardware good enough to be used as a KVM host?
I assume the plan is to convert this box & run NC, UNMS etc as VMs.


  • Service Provider

    @fateknollogee said in Small Restaurant Network Redesign:

    @scottalanmiller said in Small Restaurant Network Redesign:

    There is a Windows Server somewhere in this mix providing Active Directory to 15 users.

    Is this Windows Server here only for providing AD?

    Correct


  • Service Provider

    @fateknollogee said in Small Restaurant Network Redesign:

    Is this hardware good enough to be used as a KVM host?

    If it can run Windows at all, we can presume so 🙂



  • @fateknollogee

    @scottalanmiller said in Small Restaurant Network Redesign:

    For storage, something like DropBox would be fine, but is costly on a month to month basis. Since there is a central site here, and presumably a little hardware that the Windows system is currently running on, I think running NextCloud there makes sense. It's free and we know how dead simple it is to install. That'll replace AD and the QNAP, all at once. And it will remove the need for the VPN with it. All in one move.



  • @scottalanmiller

    What are the requirements?

    • Is Windows a requirement?
    • Is remote access to each PC needed?
      • Does SodiumSuite yet provide the functionality of inputting Salt commands on the minions?
• Is central management of each Ubiquiti needed?

    Phones seem okay as those are already hosted somewhere.

    Ciscos replaced with Ubiquiti makes sense as you suggested.

    Using their existing Windows server to host NC also makes sense as you suggested.

    What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.



ZT is a software defined network software. It basically creates a VPN between all devices and gives all machines access to all other machines in that network directly.


  • Service Provider

    @tim_g said in Small Restaurant Network Redesign:

    @scottalanmiller

    What are the requirements?

    • Is Windows a requirement?

    I believe so, but only on the desktop.


  • Service Provider

    @tim_g said in Small Restaurant Network Redesign:

    What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.

It's technically a VPN, but it's an SDN built using VPN tech. The important piece here is just that it gives a single IP range for the machines, not that it has VPN functionality. It just deals with the access portions and addressing.

    I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.


  • Service Provider

    @tim_g said in Small Restaurant Network Redesign:

• Is central management of each Ubiquiti needed?

    No, just a freebie bonus.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    @tim_g said in Small Restaurant Network Redesign:

    I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.

    Remote Utilities has an RDP mode and is free for commercial use for up to 10 computers.


  • Service Provider

    @scottalanmiller said in Small Restaurant Network Redesign:

    @fateknollogee said in Small Restaurant Network Redesign:

    @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    ZeroTier?

    Duh, of course. Thank you. No idea why that didn't occur to me.

    If you want ad-hoc full network connectivity instead of point to point, EdgeOS fully supports L2TP with IPSEC.


  • Service Provider

    @scottalanmiller said in Small Restaurant Network Redesign:

    Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable.

I detest NetGear switches. They generally work, but every time I try to use one for something even half specific, they puke.

    Sites this small can use the EdgeSwitch 8
    https://www.ubnt.com/edgemax/edgeswitch-8-150w/

    And it will report into UNMS along with the routers.


  • Service Provider

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free wifi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple ports if it's just a couple of APs and VLAN them there and have every wired device on an unmanaged switch that plugs in to the ER, but what about the juke box guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them from your PoS machines, you might be better off.
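As an added example, not part of this post or anyone's deployed config, this is the guest Wi-Fi isolation described above in EdgeOS CLI syntax: a guest VLAN that can reach the internet but cannot reach the PoS and office LAN. It assumes the AP tags the guest SSID as VLAN 20 on the router's LAN port eth1 (directly or through a VLAN-aware switch), eth0 is the WAN with an existing masquerade NAT rule, and the subnet, VLAN ID and rule numbers are placeholders I chose.

```text
configure

# Guest VLAN on the LAN port, with its own DHCP scope. All values are placeholders.
set interfaces ethernet eth1 vif 20 description 'GUEST_WIFI'
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 start 192.168.20.50 stop 192.168.20.200
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dns forwarding listen-on eth1.20

# Every private range, so the rule keeps holding if the PoS LAN is renumbered.
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Traffic entering the router from guests: internet yes, any private network no.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'Guests never reach PoS/office LAN'
set firewall name GUEST_IN rule 20 destination group network-group RFC1918
set firewall name GUEST_IN rule 20 log enable
set firewall name GUEST_IN rule 30 action accept
set firewall name GUEST_IN rule 30 description 'Guests reach the internet'
set interfaces ethernet eth1 vif 20 firewall in name GUEST_IN

# Traffic from guests to the router itself: only DHCP and DNS, so the router's
# own management (SSH/HTTPS) is not reachable from the guest VLAN.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53
set interfaces ethernet eth1 vif 20 firewall local name GUEST_LOCAL

commit
save
exit
```

The test is the one a PCI assessor would run: from a guest client, a connection attempt to a PoS address must time out, and `show firewall name GUEST_IN statistics` should show rule 20 incrementing with a matching `show log` entry, while the same client still resolves names and browses. Note this only isolates devices the AP actually tags into VLAN 20; a wired DVR or jukebox on an unmanaged switch still lands in the PoS LAN, which is the gap the post is pointing at.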


  • Service Provider

    @mike-davis said in Small Restaurant Network Redesign:

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free wifi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple ports if it's just a couple of APs and VLAN them there and have every wired device on an unmanaged switch that plugs in to the ER, but what about the juke box guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them from your PoS machines, you might be better off.

    The ER PoE is a horrible solution. I hate routers with switching built in.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

I cannot tell you how many times I have had this discussion. VAR or MSP comes in and tells the client how terrible RDP is and that they need to spend thousands on Cisco products and SSL VPNs.

Like you mention, it's just a cheap VPN if RDP is open to select IPs. If that doesn't satisfy them, I tell them to add RDP Guard. Much cheaper and just as secure.



  • @dbeato said in Small Restaurant Network Redesign:

    Also, do they need to be PCI Compliant?

In my experience, if you want to transact using credit / debit cards, you'll either be PCI compliant today or compliant tomorrow. Either way, it comes into play. I think the current advertised 'due date' is sometime in 2020.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    at aren't needed.

I would never guess a restaurant chain would have this hardware for the number of PCs and users involved. If I were him I would close the restaurant and open something more business, he has the hardware.

Kidding aside, for the amount of users + the profession they can use the cloud to centralize everything, like so what if the secret pizza recipe gets uploaded to the FBI, not much harm. I would use Vultr to spin up a couple of VMs, maybe use salt master to manage the Windows machines, and keep it simple + the reason I like ASUSTOR is their NAS can install apps on it, and you can install nextcloud or owncloud on it easily, so theoretically you can also centralize the NAS and provide access for remote users as well (via port forward), and have the data secured in good fashion. Not sure with QNAP how that will work, my point is sometimes SOHO equipment is good for such cases.



  • @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    If you are going to have the sites VPN'd together with the ERLs, then why not just use RDP over the VPN?


  • Service Provider

    @dafyre said in Small Restaurant Network Redesign:

    @scottalanmiller said in Small Restaurant Network Redesign:

    The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

    Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

    If you are going to have the sites VPN'd together with the ERLs, then why not just use RDP over the VPN?

The point is it should be ad-hoc VPN. Not always pinned, as that adds security concerns.


