    Small Restaurant Network Redesign

Category: IT Discussion
Tags: network design, active directory, cisco, vpn
scottalanmiller:

      Next I'd add a UNMS to the main site, on the same server hardware as the NextCloud instance. Simple visibility and remote management of the remote offices. This isn't needed, but it's free, so a nice extra project.

scottalanmiller:

        The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

        Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

scottalanmiller:
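The "open RDP but IP lock it to the four sites" option above, written out as EdgeOS configuration for one restaurant's ERL. This is an added example, not configuration posted by anyone in the thread. Everything concrete in it is a constructed placeholder: eth0/eth1 as the WAN/LAN ports, 192.168.10.20 as the PC being managed, and the 203.0.113.x addresses standing in for the public IPs of HQ and the other three restaurants.

```text
# Added example (not from the thread): EdgeOS / EdgeRouter Lite configuration
# that exposes RDP on one restaurant PC only to the public IPs of the four sites.
# All addresses and interface names below are constructed placeholders:
#   eth0            = WAN interface of this site's ERL
#   eth1            = LAN interface
#   192.168.10.20   = the restaurant PC to manage
#   203.0.113.10    = HQ public IP
#   203.0.113.21-23 = the other three restaurants' public IPs
configure

# One address-group holds the permitted sources, so adding or removing a site
# is a single line rather than a new rule.
set firewall group address-group RDP_ALLOWED_SRC description 'Public IPs of HQ and the three restaurants'
set firewall group address-group RDP_ALLOWED_SRC address 203.0.113.10
set firewall group address-group RDP_ALLOWED_SRC address 203.0.113.21
set firewall group address-group RDP_ALLOWED_SRC address 203.0.113.22
set firewall group address-group RDP_ALLOWED_SRC address 203.0.113.23

# Destination NAT: inbound TCP/3389 on the WAN goes to the PC.
# auto-firewall is left disabled on purpose: it would open the port to every
# source, which is exactly what the IP lock is meant to prevent.
set port-forward wan-interface eth0
set port-forward lan-interface eth1
set port-forward auto-firewall disable
set port-forward rule 1 description 'RDP to restaurant PC'
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 3389
set port-forward rule 1 forward-to address 192.168.10.20
set port-forward rule 1 forward-to port 3389

# WAN_IN filters traffic entering from eth0 and destined for the LAN.
# Default drop; return traffic and invalid packets handled first; rule 30 is
# the only hole: TCP/3389 to that one host, from the address-group only.
# Logging the accepts leaves a record of every admin session.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 description 'RDP to restaurant PC, four sites only'
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.10.20
set firewall name WAN_IN rule 30 destination port 3389
set firewall name WAN_IN rule 30 source group address-group RDP_ALLOWED_SRC
set firewall name WAN_IN rule 30 log enable
set interfaces ethernet eth0 firewall in name WAN_IN

commit
save
exit
```

Two things to check before relying on this. First, the lock only holds if all four sites have static public IPs; a site on a dynamic WAN address will either lose access when its IP changes or tempt someone to widen the group to a whole ISP range, which defeats the point. Second, the firewall is now the single control in front of RDP, so keep Network Level Authentication and strong local passwords on the PC, and glance at `show log | match WAN_IN` periodically: accepts on rule 30 are your admin sessions, and anything else hitting 3389 lands in the default drop.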

          And, of course, deploying free SodiumSuite to the handful of PCs would give a little simplified visibility into the network. Doesn't replace anything there already, but gives a few RMM-like features that you might as well have once going this route.

FATeknollogee, replying to scottalanmiller:

            @scottalanmiller said in Small Restaurant Network Redesign:

            The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

            Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

            ZeroTier?

scottalanmiller, replying to FATeknollogee:

              @fateknollogee said in Small Restaurant Network Redesign:

              @scottalanmiller said in Small Restaurant Network Redesign:

              The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

              Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

              ZeroTier?

              Duh, of course. Thank you. No idea why that didn't occur to me.

FATeknollogee, replying to scottalanmiller:

                @scottalanmiller said in Small Restaurant Network Redesign:

                @fateknollogee said in Small Restaurant Network Redesign:

                @scottalanmiller said in Small Restaurant Network Redesign:

                The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

                ZeroTier?

                Duh, of course. Thank you. No idea why that didn't occur to me.

Haha, I figured you probably just forgot ZT.
Not to thread-jack, but I'm looking forward to using the new ZeroTier Edge devices.

dbeato:

                  Also, do they need to be PCI Compliant?

FATeknollogee, replying to scottalanmiller:

                    @scottalanmiller said in Small Restaurant Network Redesign:

                    There is a Windows Server somewhere in this mix providing Active Directory to 15 users.

                    Is this Windows Server here only for providing AD?

                    Is this hardware good enough to be used as a KVM host?
I assume the plan is to convert this box & run NC, UNMS, etc. as VMs.

scottalanmiller, replying to FATeknollogee:

                      @fateknollogee said in Small Restaurant Network Redesign:

                      @scottalanmiller said in Small Restaurant Network Redesign:

                      There is a Windows Server somewhere in this mix providing Active Directory to 15 users.

                      Is this Windows Server here only for providing AD?

                      Correct

scottalanmiller, replying to FATeknollogee:

                        @fateknollogee said in Small Restaurant Network Redesign:

                        Is this hardware good enough to be used as a KVM host?

                        If it can run Windows at all, we can presume so 🙂

JackCPickup, replying to FATeknollogee:

                          @fateknollogee

                          @scottalanmiller said in Small Restaurant Network Redesign:

                          For storage, something like DropBox would be fine, but is costly on a month to month basis. Since there is a central site here, and presumably a little hardware that the Windows system is currently running on, I think running NextCloud there makes sense. It's free and we know how dead simple it is to install. That'll replace AD and the QNAP, all at once. And it will remove the need for the VPN with it. All in one move.

Obsolesce, replying to scottalanmiller:

                            @scottalanmiller

                            What are the requirements?

                            • Is Windows a requirement?
                            • Is remote access to each PC needed?
                              • Does SodiumSuite yet provide the functionality of inputting Salt commands on the minions?
• Is central management of each Ubiquiti needed?

                            Phones seem okay as those are already hosted somewhere.

                            Ciscos replaced with Ubiquiti makes sense as you suggested.

                            Using their existing Windows server to host NC also makes sense as you suggested.

                            What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.

Dashrender:

ZT is software-defined networking software. It basically creates a VPN between all devices and gives all machines direct access to all other machines in that network.

scottalanmiller, replying to Obsolesce:

                                @tim_g said in Small Restaurant Network Redesign:

                                @scottalanmiller

                                What are the requirements?

                                • Is Windows a requirement?

                                I believe so, but only on the desktop.

scottalanmiller, replying to Obsolesce:

                                  @tim_g said in Small Restaurant Network Redesign:

                                  What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.

It's technically a VPN, but it's an SDN built using VPN tech. The important piece here is just that it gives a single IP range for the machines, not that it has VPN functionality. It just deals with the access portions and addressing.

                                  I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.

scottalanmiller, replying to Obsolesce:

                                    @tim_g said in Small Restaurant Network Redesign:

• Is central management of each Ubiquiti needed?

                                    No, just a freebie bonus.

flaxking, replying to scottalanmiller:

                                      @scottalanmiller said in Small Restaurant Network Redesign:

                                      @tim_g said in Small Restaurant Network Redesign:

                                      I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.

                                      Remote Utilities has an RDP mode and is free for commercial use for up to 10 computers.

JaredBusch, replying to scottalanmiller:

                                        @scottalanmiller said in Small Restaurant Network Redesign:

                                        @fateknollogee said in Small Restaurant Network Redesign:

                                        @scottalanmiller said in Small Restaurant Network Redesign:

                                        The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                                        Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

                                        ZeroTier?

                                        Duh, of course. Thank you. No idea why that didn't occur to me.

If you want ad-hoc full network connectivity instead of point-to-point, EdgeOS fully supports L2TP with IPsec.

JaredBusch, replying to scottalanmiller:

                                          @scottalanmiller said in Small Restaurant Network Redesign:

                                          Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable.

I detest NetGear switches. They generally work, but every time I try to use one for something even half specific, they puke.

                                          Sites this small can use the EdgeSwitch 8
                                          https://www.ubnt.com/edgemax/edgeswitch-8-150w/

                                          And it will report into UNMS along with the routers.

Mike Davis:

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free Wi-Fi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple ports if it's just a couple of APs and VLAN them there and have every wired device on an unmanaged switch that plugs into the ER, but what about the jukebox guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them off from your PoS machines, you might be better off.

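The VLAN split Mike describes (PoS on its own segment, guest Wi-Fi and the jukebox/DVR kind of gear kept away from it), written out as EdgeOS configuration. This is an added example, not configuration from anyone in the thread. The interface name, VLAN IDs and subnets are constructed placeholders, and it assumes eth1 is an 802.1Q trunk to a managed switch (an EdgeSwitch 8, as suggested above) with the APs tagging their guest SSID onto VLAN 30; DHCP scopes for each VLAN and the switch-side port tagging are not shown.

```text
# Added example (not from the thread): EdgeOS configuration that puts the PoS
# machines, guest Wi-Fi, and third-party wired gear (jukebox, DVR) on separate
# VLANs behind one tagged LAN port, with a firewall that lets the untrusted
# VLANs reach the internet but never the PoS VLAN or each other.
# Interface name, VLAN IDs and subnets are constructed placeholders:
#   eth1                       = LAN port, 802.1Q trunk to the EdgeSwitch
#   VLAN 20 / 192.168.20.0/24  = PoS + back-office PC
#   VLAN 30 / 192.168.30.0/24  = guest Wi-Fi (guest SSID tagged 30 on the APs)
#   VLAN 40 / 192.168.40.0/24  = jukebox, DVR, other wired third-party gear
configure

set interfaces ethernet eth1 description 'Trunk to EdgeSwitch'
set interfaces ethernet eth1 vif 20 description 'PoS'
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 30 description 'Guest WiFi'
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 40 description 'Jukebox, DVR, misc wired'
set interfaces ethernet eth1 vif 40 address 192.168.40.1/24

# Every local subnet the site uses, so the block rule keeps working when
# another VLAN is added later.
set firewall group network-group SITE_PRIVATE description 'All local VLANs'
set firewall group network-group SITE_PRIVATE network 192.168.20.0/24
set firewall group network-group SITE_PRIVATE network 192.168.30.0/24
set firewall group network-group SITE_PRIVATE network 192.168.40.0/24

# Traffic entering the router from an untrusted VLAN: allow return traffic,
# drop anything aimed at a local subnet, allow the rest (the internet).
# Dropped attempts are logged; that is the cheap detection for a guest or a
# box on the jukebox port poking at the PoS.
set firewall name UNTRUSTED_IN default-action drop
set firewall name UNTRUSTED_IN rule 10 action accept
set firewall name UNTRUSTED_IN rule 10 state established enable
set firewall name UNTRUSTED_IN rule 10 state related enable
set firewall name UNTRUSTED_IN rule 20 action drop
set firewall name UNTRUSTED_IN rule 20 description 'No access to any local VLAN'
set firewall name UNTRUSTED_IN rule 20 destination group network-group SITE_PRIVATE
set firewall name UNTRUSTED_IN rule 20 log enable
set firewall name UNTRUSTED_IN rule 30 action accept
set firewall name UNTRUSTED_IN rule 30 description 'Internet only'

# Traffic to the router itself from those VLANs: DHCP and DNS, nothing else
# (no web UI or SSH from the guest or jukebox side).
set firewall name UNTRUSTED_LOCAL default-action drop
set firewall name UNTRUSTED_LOCAL rule 10 action accept
set firewall name UNTRUSTED_LOCAL rule 10 state established enable
set firewall name UNTRUSTED_LOCAL rule 10 state related enable
set firewall name UNTRUSTED_LOCAL rule 20 action accept
set firewall name UNTRUSTED_LOCAL rule 20 protocol udp
set firewall name UNTRUSTED_LOCAL rule 20 destination port 67,53
set firewall name UNTRUSTED_LOCAL rule 30 action accept
set firewall name UNTRUSTED_LOCAL rule 30 protocol tcp
set firewall name UNTRUSTED_LOCAL rule 30 destination port 53

set interfaces ethernet eth1 vif 30 firewall in name UNTRUSTED_IN
set interfaces ethernet eth1 vif 30 firewall local name UNTRUSTED_LOCAL
set interfaces ethernet eth1 vif 40 firewall in name UNTRUSTED_IN
set interfaces ethernet eth1 vif 40 firewall local name UNTRUSTED_LOCAL

commit
save
exit
```

The design choice is to attach one ruleset to every untrusted VLAN rather than writing pairwise rules: the PoS VLAN gets no inbound ruleset at all, which is fine because nothing untrusted can reach it in the first place. The caveat is that this only works if the tags actually reach the router: a flat unmanaged switch in the path will merge the VLANs back together, which is the reason a small managed switch (or separate router ports for each class of device, as Mike suggests) is needed. For PCI purposes, segmentation reduces scope only if it is documented and tested, so after the commit, try to reach a PoS address from the guest Wi-Fi and confirm the attempt shows up as a rule 20 drop in `show log`.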