Solved

Sharing internet between networks

Posted on 2003-11-17
Last Modified: 2010-05-18
I have two completely separate networks, each running Windows 2000 server with XP workstations.  Each has a router connecting to cable modems for internet connection.  They are two separate businesses and would like to drop the 2 cable connections for internet and split a T1 connection, for various reasons.  I would like to know how to handle the sharing of the internet.  I am not real familiar with working with subnets and such.  I want to keep the networks as they are as far as domain names and IP ranges and all that.  Assume one network has an IP range of 192.168.5.x and the other has 100.100.10.x; could the servers for each domain point the workstations to a single router, or what?
Question by:jtwestmo
9 Comments
 
LVL 31

Expert Comment

by:qwaletee
ID: 9763975
OK, just pointing out the disparity :) within the comment

To further clarify how the netmask allows you to break down a subnet: the netmask is always all binary 1's on the left, and binary 0's on the right.  You never have a zero to the left of a one.  When a device wishes to send a packet to a destination, it uses the mask to see if the address is "local."

It takes its own interface address (basically, its own IP address), and filters it through the mask.
It takes the destination and filters it through the mask.
If the outputs of the two operations are the same, then it is a local address.  Otherwise, it needs to be forwarded through a gateway (which itself has to be a local address).

With a netmask of 255.0.0.0, everything in the first byte must match; the other three don't have to.  That's because a.b.c.d when masked through 255.0.0.0, or 11111111.00000000.00000000.00000000, will keep the first byte (a), but always drop the other three, yielding a.0.0.0.

Similarly, with a mask of 255.255.0.0, it will always give a.b.0.0.

It gets trickier (for a human being) to keep track of when you have non-255 masks. 255.240.0.0 means "keep the first byte, and keep the first four bits of the second byte, but drop the other four bits."

Now look at 224 binary and 31 binary.  224 dec = E0 hex = 1110 0000 bin.  31 dec = 0F hex = 0001 1111 bin.  See the pattern? Everything from 0-31 will mask the same through 240, because the first three bits will always be zero.  Similarly, 32-64, which is 0010 0000 through 0011 1111.  The first three bits are always 001, and the other five don't matter when masked.

Routers do the same thing, but a little more complicated.  (It actually isn't really more complicated, it just seems that way.  All TCP/IP stacks act as routers internal to the machine, but the simplified view I gave above suffices to explain it.)

The router has connections to many other routers.  Each router it has a connection to must be a "local" device to it.  So, typically, a router must have at least two addresses -- one for "inbound" and one for "outbound" (inbound and outbound are really relative, of course -- my corporate outbound packet is the backbone's inbound packet).  Typically, except for a workgroup router, it will have many more addresses than that.  Most often, the "backbone" connection has one address in one range, and the "LAN" connection has many addresses, one for each router "further in" that it can connect to.  Often, those multiple addresses will be in a single subnet.  Sometimes they are not.

The router maintains a list of subnets/masks, and the destination address (gateway) it should use to reach each of them.  So it also makes a similar calculation as the workstation -- mask "my address" and mask the destination address, and see if they are the same.  But in this case, there is a long list of "my address" possibilities, and a mask to go with each one.  For each interface ("my address") and mask pair, the mask is used against both the interface address and the destination address, until a masked output match is found.  At that point, the packet is forwarded to the gateway address listed for the subnet; if the gateway is one of the router's own addresses, it sends it out as a local packet.

Does that mean that all the routers on the internet backbone have a list of all subsets in the world?  No!  That's the basic reason why masks are always all ones followed by all zeroes.  When you broke your 255.0.0.0-masked subnet into eight 255.224.0.0-masked subnets, you probably added seven or eight routers.  Each of the new routers owns a single "broken up" subnet.  But the next router up the line still thinks you have a 255.0.0.0 subnet, all going to a single router.  That single router doesn't know that the previous calculation involved a 255.0 mask; it just knows that it has eight 255.224 entries in the routing table.  It is a very nice hierarchical relationship, where "centralized" routers see the world as A-class nets, and the routers "beneath" them see "B-class" nets and so on.  In practice it is messier, as even backbone routers have "shortcuts" to reach nearby routers with other ranges, and as even A and B class nets are broken into parts.  Similarly, in your example, you might only need seven new routers, not eight, because the original router can serve one of the local eight subnets, as well as servicing seven other routers each with one subnet.  Or, with multiple ports installed on a single router, one router can handle two, three, or more subnets.  (Technically, you don't need multiple ports for this, you could have "neighbor" subnets all on a single wire segment, but that would be rather pointless, as all devices on subnet A would have subnet B's traffic flowing right past them, and vice versa.)
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9763978
I apologize, that was meant for another question.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764483
If each company had a firewall, you could simply uplink the two firewalls to the same broadband connection, and the only thing that would change is that the external address of one or both firewalls would have to be in the same subnet as the broadband device, and use the broadband gateway address.

What if you did not have any firewalls?

If there is no "data security" issue, or overlap in workstation host names, WINS names (Windows host name), or IP address, then you can just plug everything into a single switch, or uplink the two switches to each other.  Problem is that in such a setup, the PCs used to use the broadband device directly for primary gateway.  With incompatible address ranges, you have a small problem.  The simplest solution would be to have the broadband device support two internal addresses, one for company A, one for B, and nothing changes.  Otherwise, get a router for the company that is "dropping" its old service, and have the router take care of translating traffic.

0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 125 total points
ID: 9764966
Shouldn't be a problem.  You have two options.

Option 1.  - Two logical networks, one physical.

In this case, your user workstations and server from both companies will plug into the same physical switches and hubs.  Your router then plugs into the same physical device as everyone else.  That connection is the "inside" interface.  The other connection on the router plugs into your T1.  That is the "outside" interface.  You set up two IP addresses on the inside interface (192.168.5.1 and 100.100.10.1 for example).  Workstations and servers that use the 192's will have 192.168.5.1 as their default gateway, workstations and servers that use the 100's will have 100.100.10.1 as their default gateway.  Connect your T1 connection to the Internet as normal.

Option 2 - Two logical networks, two physical.

Separate the two networks physically.  That is to say, the people who work in office 1 plug into switch 1, the people who work in office 2 plug into switch 2.  

Your router must have two "inside" interfaces and one "outside".  In your case, that will mean one T1 connection and probably two Ethernet.  Program each inside interface on the router with the appropriate address (192.168.5.1 or 100.100.10.1 for example) and plug them into the appropriate switch.  Connect your T1 connection to the Internet as normal.

Your best option here is Option 2.  Option 1 gets very messy, especially if you are running DHCP.  It's worth noting that you don't have to have two physical switches, you can separate them using VLANs if you are comfortable with that.

In both cases you will have to decide if you want to route traffic between the two networks.  In all likelihood, you probably don't want to.  (Unless you want one company able to see what the other one is doing.)  So, make sure your router is set up to either allow or block traffic between the two.

Either way you only need one router, you just may need two "inside" ports on it!

Good luck!
0
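
The mask comparison qwaletee describes and the route-or-block choice in the accepted answer, as an added Python example that is not part of any post in this thread. The 255.255.255.0 masks and the interface names `inside-a` and `inside-b` are assumptions, since the thread never states them; the model covers only packets arriving on the router's inside interfaces.

```python
import ipaddress

def masked(addr: str, mask: str) -> int:
    """AND an IPv4 address with a netmask ("filter it through the mask")."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))

def is_local(own: str, dest: str, mask: str) -> bool:
    """dest is on-link when both addresses mask to the same value."""
    return masked(own, mask) == masked(dest, mask)

# Inside interface addresses from the accepted answer. The /24 masks and the
# interface names are assumptions made for this example.
INSIDE = {
    "inside-a": ("192.168.5.1", "255.255.255.0"),
    "inside-b": ("100.100.10.1", "255.255.255.0"),
}

def interface_for(addr: str):
    """Return the inside interface whose subnet contains addr, else None."""
    for name, (ifaddr, mask) in INSIDE.items():
        if is_local(ifaddr, addr, mask):
            return name
    return None

def forward_decision(src: str, dest: str, allow_inter_office: bool = False) -> str:
    """What the shared router does with a packet received from an inside host."""
    src_if, dst_if = interface_for(src), interface_for(dest)
    if src_if is None:
        return "drop: source is not on an inside subnet"
    if dst_if is None:
        return "forward: outside (T1)"
    if dst_if == src_if:
        return "local: same subnet, never reaches the router"
    if allow_inter_office:
        return f"forward: {src_if} -> {dst_if}"
    return "drop: inter-office traffic blocked"

if __name__ == "__main__":
    # Constructed sample packets (src, dest) using the thread's address ranges.
    samples = [
        ("192.168.5.20", "192.168.5.77"),
        ("192.168.5.20", "100.100.10.5"),
        ("100.100.10.5", "8.8.8.8"),
        ("10.0.0.9", "192.168.5.20"),
    ]
    for src, dest in samples:
        print(f"{src:>14} -> {dest:<14} {forward_decision(src, dest)}")
```

With `allow_inter_office` left at its default, the two offices share the T1 but cannot reach each other, which is the blocking choice the accepted answer leans toward.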
LVL 1

Author Comment

by:jtwestmo
ID: 9765391
So Robing66066, I would need to do away with or not use the two routers I have now and get a new one that allows two "inside" interfaces and one "outside"?

One question: could I buy another router like the two I have now and use that one to connect to the internet and have the other two connect to that router, or is that getting too complicated?
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9766334
That depends on what type of ports and capabilities the routers you have now possess.  If both the routers have two ethernet interfaces on them, you could arrange it like this:

Internet <-->Router1<-->Switch1<-->Router2<-->Switch 2

Your addresses would work as such:

Router 1:

Outside: ISP Provided IP Address
Inside: 192.168.5.1
Default Gateway: 192.168.5.1

Router 2:

Outside: 192.168.5.2
Inside: 100.100.10.1
Default Gateway: 192.168.5.1

Now, that would mean that all your Internet traffic from the 100.100.10.x network would have to go through switch 1, but it would work.  Also, if you have any services (web server, email server, etc...) that you would like to make accessible to Internet users on the 100.100.10.x network, it would be a major pain.  Setting up NAT on Router 1 (if you are using it) might require some extra work too.

The *easiest* solution is to simply buy a router with two inside ethernet ports and one outside port, but it isn't required, your config just gets more complex if you don't.  

What kind of ports do you have on the two existing routers?
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9766343
Whoops.  Sorry.  

Router 1 should read:

Outside: ISP Provided IP Address
Inside: 192.168.5.1
Default Gateway: ISP Provided gateway

Sorry.
0
 
LVL 1

Author Comment

by:jtwestmo
ID: 9766561
I have two Netgear 311 routers, but you have answered my question just fine.  I see what I need to do to get it working.  Thank you very much for your help.  I think I am just going to get a router with 2 internal interfaces, that would be easy to do and set up.

Thanks
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9766570
Glad to hear it!  Good luck!
0
