#359641 - 08/09/2013 19:21
Connectivity Between Subnets
|
pooh-bah
Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
|
It's been a while since I've posted here, but glad to see the board is still active. I am planning to set up a fairly elaborate network by residential standards which will connect two different residences by a 1 GB fiber link with each on a different subnet. We will have network shares on servers at each site and want free access to each while using separate Internet connections, hence the different subnets. I have established a test setup with two Asus RT-N66 routers for now just to work out the bugs with the routing. So far I can only get local traffic to move in one direction unless I enable NAT on both routers which I do not wish to do because of potential issues with double NATs. Internet does work on both subnets but that's it.
Currently I have one router as the gateway to a DOCSIS 3 cable modem connected to a second router. The first (the one connected to the cable modem) connects to the second from one of its LAN ports to the second's WAN port. The first is IP 192.168.1.1 on the LAN while the second is 192.168.1.2 on the WAN and 192.168.2.1 on its LAN. I have the second router set to router mode (NAT disabled to avoid double NAT issues) and its firewall disabled. The first has a static route set to route network 192.168.2.0, Subnet Mask 255.255.255.0, Gateway 192.168.1.2 on LAN. This allows traffic to go from any PC on 192.168.1.0 to 192.168.2.0. I read that no static routing is needed on the second router but attempted to implement it temporarily anyway (Route Network 192.168.1.0, Subnet Mask 255.255.255.0, Gateway 192.168.1.1 on WAN), just to see if that would allow local traffic to go from 192.168.2.0 to 192.168.1.0 but it did not help. The only thing that works thus far is turning on NAT and that should not be needed and is not desired. I can ping from the second router to 192.168.1.0 but not from a PC behind the second router at 192.168.2.0 and no local traffic moves in that direction. I did a TRACERT from behind the second router and the ping never makes a Hop to the first router, it goes no further than the first HOP which is 192.168.2.1 the IP of the second router. Traceroute from the second router at 192.168.2.0 also works as expected. So for some reason, the second router is not routing traffic from 192.168.2.0 to 192.168.1.0. Software firewalls are currently disabled. What am I doing wrong and how can I get it working correctly?
Router 1:
WAN IP: ISP Provided
WAN Subnet Mask: ISP Provided
WAN Gateway: ISP Provided
LAN IP: 192.168.1.1
LAN Subnet Mask: 255.255.255.0
LAN Gateway: 192.168.1.1
Static Route: 192.168.2.0 255.255.255.0 192.168.1.2 on LAN

Router 2:
WAN IP: 192.168.1.2
WAN Subnet Mask: 255.255.255.0
WAN Gateway: 192.168.1.1
LAN IP: 192.168.2.1
LAN Subnet Mask: 255.255.255.0
LAN Gateway: 192.168.2.1
Static Routes: Currently None

Result: Local traffic on 192.168.1.0 ----> 192.168.2.0 and no local traffic 192.168.2.0 ----> 192.168.1.0
_________________________
If you want it to break, buy Sony!
#359652 - 09/09/2013 17:59
Re: Connectivity Between Subnets
[Re: maczrool]
|
old hand
Registered: 27/02/2003
Posts: 775
Loc: Washington, DC metro
|
I think this is what you're saying:
You'll have both a cable modem and a router at each house.
In each house, you'll have traffic flowing [interwebs] <-> [cable modem] <-> [WANint/router/LANint] <-> [house LAN]
You then want to run a dedicated line between each house's router so the two house LANs talk without hitting the (otherwise slow) internet.
Fun problem; I'm going to ramble a bit:
First, quick, easy answer: if you just want to access the two servers, you can connect the LANs without any routing and bind two IP addresses - one from each LAN - to each server. Problem solved.
If you want full routing between two separate LANs, things get trickier.
If they are real servers, you could use them to route - connect them with the fiber and point the router's static route to the local server; the local server routes to the remote server and vice versa.
I've mostly done vpns lately, but using traditional IP routers, you'd assign an ip address from each house's LAN to each router. For example, Router 1 would have both x.x.1.1 and x.x.2.2; Router 2 would have x.x.2.1 and x.x.1.2; a static route on each would point to the other. Unfortunately, the manual doesn't seem to show that the Asus router supports this; most consumer firewall/switches won't.
What hardware are you going to use for the fiber connections? Will it support multiple IP addresses/subnets and routing?
This would work if you have a box with two routable LAN interfaces. They tend to get pricy, though.
Alternatively, if you use a firewall with a DMZ port, you could probably route through them but with two runs connecting the houses. [DMZ1] <-> [LAN2] and [DMZ2] <-> [LAN1] Each router thinks the other's LAN is really the DMZ. (The Asus seems to have something it calls "DMZ" which isn't really; it's just forwarding all inbound internet traffic to an inside IP address.)
You might be able to set it up using vLANs.
This gets a bit weird: you could use the same subnet, but have each router's dhcp server give out the local gateway and have a different pool of addresses. Keep your 192.168.1.0 and 192.168.2.0 ranges, but use a 255.255.0.0 subnet. All static addresses will route out the proper gateway just fine. If a router was a bit slow responding to the dhcp request, the other house's router might answer first, and you'd send internet traffic through the wrong cable modem. If this occasional traffic issue isn't a deal breaker, it would work.
-jk
#359654 - 09/09/2013 20:39
Re: Connectivity Between Subnets
[Re: jmwking]
|
addict
Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
|
I think this is what you want to do?
ISP          ISP
 |            |
R1 --fibre-- R2
 |            |
LAN1         LAN2
but R1 and R2 are not (afaict) actually 3-port routers - they only have 2 IPs - one for the WAN and one for the internal eth port connected to the presented 'switch ports'. I'd buy 2 more super simple routers and do:
ISP                  ISP
 |                    |
R1                   R2
 |                    |
LAN1--R3--fibre--R4--LAN2
in which case you don't need NAT and R3 needs a static route to LAN2 and R4 needs a static route to LAN1.
Looking at:
LAN1--R3--fibre--R4--LAN2
is really:
LAN1 -- eth/lanport-R3-wan ---fibre--- wan-R4-eth/lanport -- LAN2
so wan on the routers is basically another network. Many years ago on real pt2pt links I'd set this up as an ip-less connection but you may have to make it a subnet; 192.168.3.0 would be fine. Now you'd need to assign an IP to the R3/4 lan and wan.
You'd set:
R1 to static route to LAN2 via R3/lan
R2 to static route to LAN1 via R4/lan
R3 to static route to LAN2 via R4/WAN
R4 to static route to LAN1 via R3/WAN
default route on LAN1 would be R1
default route on LAN1 would be R2
Doing the R1->R3 avoids setting static routes on all machines in LAN1/2 which would otherwise be needed and would be a pain.
_________________________
LittleBlueThing
Running twin 30's
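
Added example (not part of the original post): a small Python model of the four-router plan described above, tracing a packet hop by hop through each node's static routes. The R3/R4 and PC addresses and the names pcA/pcB are assumptions; only 192.168.1.1, 192.168.2.1 and the 192.168.3.0 link subnet come from the thread, and the model gives LAN2 hosts R2 as their default gateway.

```python
import ipaddress as ip

LAN1 = ip.ip_network("192.168.1.0/24")
LAN2 = ip.ip_network("192.168.2.0/24")
ANY = ip.ip_network("0.0.0.0/0")

def build():
    """Nodes with interfaces and static routes; R3/R4/pc addresses are assumed."""
    return {
        "R1": {"ifs": ["192.168.1.1/24"], "routes": [(LAN2, "192.168.1.254")]},
        "R2": {"ifs": ["192.168.2.1/24"], "routes": [(LAN1, "192.168.2.254")]},
        "R3": {"ifs": ["192.168.1.254/24", "192.168.3.1/24"],
               "routes": [(LAN2, "192.168.3.2")]},
        "R4": {"ifs": ["192.168.2.254/24", "192.168.3.2/24"],
               "routes": [(LAN1, "192.168.3.1")]},
        "pcA": {"ifs": ["192.168.1.50/24"], "routes": [(ANY, "192.168.1.1")]},
        "pcB": {"ifs": ["192.168.2.50/24"], "routes": [(ANY, "192.168.2.1")]},
    }

def owner(nodes, addr):
    """Name of the node that holds addr on one of its interfaces, or None."""
    for name, n in nodes.items():
        if any(ip.ip_interface(i).ip == addr for i in n["ifs"]):
            return name
    return None

def next_hop(node, dst):
    """Longest-prefix match over connected networks and static routes."""
    cands = [(ip.ip_interface(i).network, dst) for i in node["ifs"]]
    cands += [(net, ip.ip_address(gw)) for net, gw in node["routes"]]
    cands = [(net, hop) for net, hop in cands if dst in net]
    return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

def trace(nodes, src, dst_ip, max_hops=8):
    """Nodes a packet visits from src to dst_ip; ends in 'DROP' if it is lost."""
    dst, here, path = ip.ip_address(dst_ip), src, [src]
    while owner(nodes, dst) != here:
        hop = next_hop(nodes[here], dst)
        here = owner(nodes, hop) if hop is not None else None
        if here is None or len(path) >= max_hops:
            return path + ["DROP"]
        path.append(here)
    return path

if __name__ == "__main__":
    net = build()
    print(trace(net, "pcA", "192.168.2.50"), trace(net, "pcB", "192.168.1.50"))
    net["R4"]["routes"] = []  # same network without R4's route back to LAN1
    print(trace(net, "pcA", "192.168.2.50"), trace(net, "pcB", "192.168.1.50"))
```

With R4's return route removed, the LAN1 to LAN2 direction still delivers while the LAN2 to LAN1 direction is dropped at R4, which is why each router on the path needs a route for both directions.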
#359655 - 09/09/2013 21:35
Re: Connectivity Between Subnets
[Re: jmwking]
|
pooh-bah
Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
|
> I think this is what you're saying:
> You'll have both a cable modem and a router at each house.
> In each house, you'll have traffic flowing [interwebs] <-> [cable modem] <-> [WANint/router/LANint] <-> [house LAN]
> You then want to run a dedicated line between each house's router so the two house LANs talk without hitting the (otherwise slow) internet.

More or less yes, but I plan to set up a static route between the two routers at each place with a third router. I do not presently have it set up like this. I'm just trying to test the static routing scheme with two routers at present.

> First, quick, easy answer: if you just want to access the two servers, you can connect the LANs without any routing and bind two IP addresses - one from each LAN - to each server. Problem solved.
> If you want full routing between two separate LANs, things get trickier.

I will need full routing because in addition to the 'real' servers with dual interfaces, I would like all PCs to be able to see all devices on the other network which may include IP cameras and shares on various PCs.

> What hardware are you going to use for the fiber connections? Will it support multiple IP addresses/subnets and routing?

Just a media converter on one end and a mini GBIC in a switch on the other. Nothing fancy. Right now I would really just like to get static routes working like is described here. I would essentially be doing the same thing minus the third router in the picture and stock Asus firmware instead of DD-WRT. I've followed their static routes and IP configurations exactly but it just doesn't work in both directions as stated previously. Once I get that sorted out I can worry about the rest of it.
Thanks for your help!
Stu
_________________________
If you want it to break, buy Sony!
#359656 - 09/09/2013 21:52
Re: Connectivity Between Subnets
[Re: LittleBlueThing]
|
pooh-bah
Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
|
> I think this is what you want to do?
> Code:
> ISP          ISP
>  |            |
> R1 --fibre-- R2
>  |            |
> LAN1         LAN2
> but R1 and R2 are not (afaict) actually 3-port routers - they only have 2 IPs - one for the WAN and one for the internal eth port connected to the presented 'switch ports'.
> I'd buy 2 more super simple routers and do:

Yes, you are correct, they each have only two interfaces. I was planning to ultimately do this:
ISP              ISP
 |                |
R1               R2
 |                |
LAN1--R3--fiber--LAN2
R3 would handle the static routes to LAN 1 and LAN2. Shouldn't this work with proper static routing? My present setup uses only 2 routers to sort out the static routing issues. It looks like this:
ISP
 |
R1
 |
LAN1--R2--LAN2
R1 has static route 192.168.2.0 255.255.255.0 192.168.1.2. This allows traffic on LAN1 to reach LAN2. I have not found a way to get traffic on LAN2 to reach LAN1 which I would very much like to get working before I try something more elaborate.
Thanks for your help!
Stu
_________________________
If you want it to break, buy Sony!
#359662 - 10/09/2013 14:14
Re: Connectivity Between Subnets
[Re: maczrool]
|
old hand
Registered: 27/02/2003
Posts: 775
Loc: Washington, DC metro
|
Yep, I've been doing vpns too much. Your three router model will work fine, if you use a full router rather than a firewall in the middle. A firewall is a subset of a router; they're built to do NAT so IP addresses don't carry across properly.
The setup in the linked explanation and diagram uses dd-wrt firmware to turn the firewall into a full router, allowing IP addresses to flow both ways without any address translation. I don't think the asus firmware can do that, which is giving you the one-way trouble.
Add a full router (or use a computer) to route between the subnets, and set static routes on each Asus box to that router.
-jk
#359663 - 10/09/2013 14:34
Re: Connectivity Between Subnets
[Re: jmwking]
|
pooh-bah
Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
|
> The setup in the linked explanation and diagram uses dd-wrt firmware to turn the firewall into a full router, allowing IP addresses to flow both ways without any address translation. I don't think the asus firmware can do that, which is giving you the one-way trouble.

I was really hoping to avoid loading DD-WRT on my Asus routers since one is otherwise running the way I want it and in continuous use. I tried running it once on the spare but the LAN ports were not functional after loading. I do like the RT-66s because they route at close to 800 Mb/s which is pretty close to the speed of my anticipated fiber link. Any recommendations on a reasonably priced router that fits my application and will come close to saturating a 1 Gb/s link?
Thanks as always!
Stu
_________________________
If you want it to break, buy Sony!
#359664 - 10/09/2013 17:00
Re: Connectivity Between Subnets
[Re: maczrool]
|
old hand
Registered: 27/02/2003
Posts: 775
Loc: Washington, DC metro
|
Most (see reminiscing, below) of the LAN routing I've done used cisco 2600 series, so I haven't really looked for them otherwise.
You could try a different dual Gb firewall with dd-wrt - they seem to have the feature, if not the compatibility with your asus boxes.
If you're not afraid to dig into linux, there are some router packages that run on mini-itx boxes. Never used them, though. Something like this, perhaps, or build your own from parts.
You can roll your own in one of your computers - just put a fiber card in and enable routing.
I'm afraid I can't offer much more help on the hardware side. Perhaps someone else here has an idea.
On topic reminiscing: Back in the dark ages - when big switches were not quite affordable - I inherited an office running on 10bT hubs, "stacked" with 10b2 (coax) links. Damned graphic artists routinely flooded the whole network with large file moves, shutting down everyone. We segmented into four business unit subnets using netware 3 servers as routers. It worked - the artists only annoyed themselves. After a while, the powers-that-be got annoyed enough (both with our and the artists' nagging) to spring for 10/100 stacked switches with a Gb line between floors. Heaven!
-jk