This is a client that has become a very loyal client. For the longest time their network had no real segmentation. Their CC machine was on the same network as the guest wifi, and all of it sat on the same subnet as their main internal network. That's bad enough, but what's worse is that they are an accounting firm, and once again they had been told they were secure and were charged tons of money for it, and they weren't.

Their network "segmentation" was provided by one Linksys wifi router put into wifi-only mode and plugged into their internal network, plus another wifi router turned into a switch to extend the office network so the cashier machine and POS system could live on the network as well. Finally, they had some Netgear wifi cameras spread around, served by another Netgear router put into wifi-only mode to act as a relay for the cameras.

I was finally able to convince them of the dangers of this setup when their camera person said he could put their cameras online with remote access. Of course these are Chinese cameras (they paid him 2k for the setup; at least he got rid of the Netgear cameras), and they require ports forwarded for access. I had tried to get them to go with the Unifi Protect system, but the price was not what the client was willing to pay (it would have been about 3k for new wiring, labor, and the cameras). Once I explained how dangerous this is, and showed them my post on the Mirai botnet and the havoc it caused, they were finally convinced they were a ticking time bomb in a myriad of ways and approved the smaller Unifi upgrade.

I had a strict limit, so I went with a 16 port POE Unifi switch instead of the 24 port. This meant I had to reuse their Netgear dumb switch for the internal network; with the cameras added they have one too many devices to fit on the 16 port. This install isn't my best looking work, but I had one hour to deconstruct the network and install the Unifi gear. Thanks to the ease of pre-configuring Unifi, that hour was all I needed to tear out the garbage and install the Unifi system. I will ask for another hour to properly tie up the networking cables, but for right now the client is happy.

Right to left, top to bottom: Arris modem, Unifi AC-Lite, Unifi USG-3P, Unifi USW-16POE, Netgear dumb switch.

Unifi 8 port switch. Port 1 is the trunk feed. Port 2 is the POS machine, which doesn't actually handle any money or credit cards; it is simply a logging station. Port 3 is another workstation in the same office. The far right port is for the actual CC machine.

EdgeRouter X that was installed without turning any of the LAN ports into their own segments. I went ahead and removed it and installed the Unifi USG firewall. This is the one piece of gear I will be reusing elsewhere.
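For comparison, here is an added example (not the author's or the client's configuration) of what segmenting the EdgeRouter X's LAN ports would look like in EdgeOS: each port becomes its own VLAN, and the guest, camera and CC segments are only allowed out to the internet, not into each other or the office network. The port-to-role mapping, VLAN IDs and addresses are assumptions; the lines starting with # are annotations, not commands.

```text
configure

# Assumed mapping of the EdgeRouter X LAN ports to roles, one VLAN each
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 20
set interfaces switch switch0 switch-port interface eth3 vlan pvid 30
set interfaces switch switch0 switch-port interface eth4 vlan pvid 40
# VLAN 10 office, 20 CC machine, 30 guest wifi AP, 40 cameras
set interfaces switch switch0 vif 10 address 10.0.10.1/24
set interfaces switch switch0 vif 20 address 10.0.20.1/24
set interfaces switch switch0 vif 30 address 10.0.30.1/24
set interfaces switch switch0 vif 40 address 10.0.40.1/24

# Everything private; used to say "internet only" without listing each VLAN
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Isolated segments: replies to existing sessions are fine, new sessions
# toward any private address are dropped, anything else (internet) passes
set firewall name ISOLATED_IN default-action accept
set firewall name ISOLATED_IN rule 10 action accept
set firewall name ISOLATED_IN rule 10 state established enable
set firewall name ISOLATED_IN rule 10 state related enable
set firewall name ISOLATED_IN rule 20 action drop
set firewall name ISOLATED_IN rule 20 destination group network-group RFC1918

# Apply to traffic entering the router from the CC, guest and camera VLANs;
# the office VLAN gets the same ruleset so it cannot reach the CC machine either.
# Any deliberate cross-VLAN exception goes in as an accept rule numbered below 20.
set interfaces switch switch0 vif 10 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 20 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 30 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 40 firewall in name ISOLATED_IN

commit
save
```

With this in place a compromised camera or a guest laptop can still reach the internet, but a scan from either VLAN toward the CC machine or the office subnet is dropped at the router instead of landing on the same flat network.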

Netgear router used as a wireless bridge for the Netgear wifi cameras.

Linksys router acting as a switch for the cashier’s room.

Linksys router acting as guest wifi, hooked straight into the internal network.