    Small Restaurant Network Redesign

Obsolesce @scottalanmiller

      @scottalanmiller

      What are the requirements?

      • Is Windows a requirement?
      • Is remote access to each PC needed?
        • Does SodiumSuite yet provide the functionality of inputting Salt commands on the minions?
• Is central management of each Ubiquiti needed?

      Phones seem okay as those are already hosted somewhere.

      Ciscos replaced with Ubiquiti makes sense as you suggested.

      Using their existing Windows server to host NC also makes sense as you suggested.

      What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.

Dashrender

ZT is software-defined networking software. It basically creates a VPN between all devices and gives all machines access to all other machines in that network directly.

scottalanmiller @Obsolesce

          @tim_g said in Small Restaurant Network Redesign:

          @scottalanmiller

          What are the requirements?

          • Is Windows a requirement?

          I believe so, but only on the desktop.

scottalanmiller @Obsolesce

            @tim_g said in Small Restaurant Network Redesign:

            What exactly does ZeroTier allow you to do, and how does it work? Their website isn't very descriptive in what it provides.

It's technically a VPN, but it's an SDN built using VPN tech. The important piece here is just that it gives a single IP range for the machines, not that it has VPN functionality. It just deals with the access portions and addressing.

            I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.

scottalanmiller @Obsolesce

              @tim_g said in Small Restaurant Network Redesign:

• Is central management of each Ubiquiti needed?

              No, just a freebie bonus.

flaxking @scottalanmiller

                @scottalanmiller said in Small Restaurant Network Redesign:

                @tim_g said in Small Restaurant Network Redesign:

                I'm not sure I'd do it, though, just doing the RDP with port locking seems like it might be better.

                Remote Utilities has an RDP mode and is free for commercial use for up to 10 computers.

JaredBusch @scottalanmiller

                  @scottalanmiller said in Small Restaurant Network Redesign:

                  @fateknollogee said in Small Restaurant Network Redesign:

                  @scottalanmiller said in Small Restaurant Network Redesign:

                  The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                  Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

                  ZeroTier?

                  Duh, of course. Thank you. No idea why that didn't occur to me.

                  If you want ad-hoc full network connectivity instead of point to point, EdgeOS fully supports L2TP with IPSEC.

JaredBusch @scottalanmiller
last edited by JaredBusch
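As an added example (not configuration from this thread, from the poster, or from Ubiquiti's documentation) of the "open RDP but IP lock it only to the four sites" option quoted above, here is an EdgeOS/EdgeRouter configuration that forwards TCP/3389 to a single POS PC and accepts it only from an address group holding the other sites' public IPs. The interface names eth0/eth1, the PC address 192.168.1.10 and the 203.0.113.x site addresses are assumed placeholders to replace with the real values.

```vyatta
configure

# Weak variant to avoid: with auto-firewall enabled, a port-forward rule
# opens TCP/3389 to the whole internet. Disable it so only the explicit
# WAN_IN rule below decides who may reach the PC.
set port-forward auto-firewall disable
set port-forward wan-interface eth0
set port-forward lan-interface eth1
set port-forward rule 1 description 'RDP to the site POS PC'
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 3389
set port-forward rule 1 forward-to address 192.168.1.10
set port-forward rule 1 forward-to port 3389

# Public IPs of HQ and the other restaurants (assumed example addresses).
set firewall group address-group MGMT_SITES description 'HQ and restaurant WAN IPs'
set firewall group address-group MGMT_SITES address 203.0.113.10
set firewall group address-group MGMT_SITES address 203.0.113.20
set firewall group address-group MGMT_SITES address 203.0.113.30

# Inbound WAN policy: drop everything except return traffic and RDP
# from the listed sites.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 description 'RDP only from the other sites'
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination port 3389
set firewall name WAN_IN rule 20 source group address-group MGMT_SITES

# The policy only takes effect once it is bound to the WAN interface.
set interfaces ethernet eth0 firewall in name WAN_IN

commit
save
exit
```

After committing, confirm from an address that is not in MGMT_SITES that TCP/3389 is filtered, and note that the rule only holds while each site keeps a static public IP.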

                    @scottalanmiller said in Small Restaurant Network Redesign:

                    Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable.

I detest NetGear switches. They generally work, but every time I try to use one for something even half specific, they puke.

                    Sites this small can use the EdgeSwitch 8
                    https://www.ubnt.com/edgemax/edgeswitch-8-150w/

                    And it will report into UNMS along with the routers.

Mike Davis

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free wifi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple ports if it's just a couple of APs and VLAN them there and have every wired device on an unmanaged switch that plugs in to the ER, but what about the jukebox guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them off from your POS machines, you might be better off.

JaredBusch @Mike Davis

                        @mike-davis said in Small Restaurant Network Redesign:

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free wifi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple ports if it's just a couple of APs and VLAN them there and have every wired device on an unmanaged switch that plugs in to the ER, but what about the jukebox guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them off from your POS machines, you might be better off.

                        The ER PoE is a horrible solution. I hate routers with switching built in.

pmoncho @scottalanmiller

                          @scottalanmiller said in Small Restaurant Network Redesign:

                          The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                          RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

I cannot tell you how many times I have had this discussion. A VAR or MSP comes in and tells the client how terrible RDP is and that they need to spend thousands on Cisco products and SSL VPNs.

Like you mention, it's just a cheap VPN if RDP is open to select IPs. If that doesn't satisfy them, I tell them to add RDP Guard. Much cheaper and just as secure.

scotth @dbeato

                            @dbeato said in Small Restaurant Network Redesign:

                            Also, do they need to be PCI Compliant?

In my experience, if you want to transact using credit / debit cards, you'll either be PCI compliant today or compliant tomorrow. Either way, it comes into play. I think the current advertised 'due date' is sometime in 2020.

Emad R @scottalanmiller
last edited by Emad R

                              @scottalanmiller said in Small Restaurant Network Redesign:

                              at aren't needed.

I would never guess a restaurant chain would have this hardware for the number of PCs and users involved. If I were him I would close the restaurant and open something more business; he has the hardware.

Kidding aside, for the amount of users + the profession they can use the cloud to centralize everything, like so what if the secret pizza recipe gets uploaded to the FBI, not much harm. I would use Vultr, spin up a couple of VMs, maybe use a Salt master to manage the Windows machines, and keep it simple. The reason I like ASUSTOR is their NAS can install apps on it, and you can install Nextcloud or ownCloud on it easily, so theoretically you can also centralize the NAS and provide access for remote users as well (via port forward), and have the data secured in good fashion. Not sure with QNAP how that will work; my point is sometimes SOHO equipment is good for such cases.

dafyre @scottalanmiller
last edited by dafyre

                                @scottalanmiller said in Small Restaurant Network Redesign:

                                The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                                Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

                                If you are going to have the sites VPN'd together with the ERLs, then why not just use RDP over the VPN?

JaredBusch @dafyre

                                  @dafyre said in Small Restaurant Network Redesign:

                                  @scottalanmiller said in Small Restaurant Network Redesign:

                                  The only piece that isn't super obvious is... what would be the best access method for remote management of the three non-HQ restaurant PCs? There are only a few machines, so maybe some service has a free tier that would cover this?

                                  Or set up OpenVPN on the ERLs there and use that from the IT manager's workstation to connect ad hoc to a site to access the PCs over RDP? Or even simpler, just open RDP but IP lock it only to the four sites. RDP isn't that insecure on its own, people like to say that but it's mostly a myth. But add IP firewall locking to just the four restaurant or HQ sites and it's just as secure as any VPN, but really simplified.

                                  If you are going to have the sites VPN'd together with the ERLs, then why not just use RDP over the VPN?

The point is it should be an ad-hoc VPN, not always pinned, as that adds security concerns.

Kelly

The only potential flaw that I see in the changes is if the POS software requires Windows/AD in some way. I've seen some pos POS software implementations. Just a note that you might've already worked through.

JaredBusch @Kelly

                                      @kelly said in Small Restaurant Network Redesign:

The only potential flaw that I see in the changes is if the POS software requires Windows/AD in some way. I've seen some pos POS software implementations. Just a note that you might've already worked through.

                                      Definitely some pos POS out there alright..

scottalanmiller @Kelly

                                        @kelly said in Small Restaurant Network Redesign:

The only potential flaw that I see in the changes is if the POS software requires Windows/AD in some way. I've seen some pos POS software implementations. Just a note that you might've already worked through.

                                        Might require Windows, but not AD. No AD in use currently.

thwr @JaredBusch
last edited by thwr

                                          @jaredbusch said in Small Restaurant Network Redesign:

                                          @scottalanmiller said in Small Restaurant Network Redesign:

                                          Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable.

I detest NetGear switches. They generally work, but every time I try to use one for something even half specific, they puke.

                                          Sites this small can use the EdgeSwitch 8
                                          https://www.ubnt.com/edgemax/edgeswitch-8-150w/

                                          And it will report into UNMS along with the routers.

                                          Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).
