Jeremy Bromley (United Kingdom of Great Britain and Northern Ireland) asked:
Setting up DNS routing on a Windows SBS 2003

Okay folks, nice big point topic as I think the answer will be quite complex.

The scenario is, we have three separate ADSL lines into the building, 2x2Mbs and a new 8Mbs line coming in the next week or so. Currently we have about 40 PCs hooked up to the first 2Mbs line, and the email server hooked up to the 2nd (don't ask). If the main line goes down, it basically means that all the 40 PCs drop. Each user logs in via Windows 2003 SBS.

Each of the ADSL lines have a Belkin Router with DHCP enabled, and a Watchguard Firewall box attached.

What I WANT to achieve is to have the PCs spread over the three lines, with certain boxes going through certain lines (eg Reprographics goes through the 8mbs line) BUT to have a fall back in case one of the lines fails, so all its "users" temporarily switch to another line. Ideally I'd like to be able to control this centrally from the Server. Most of the PCs have fairly static IP addresses (in that they rarely change once assigned), but I'd rather not have FIXED IP addresses as there are a number of laptops around the offices that sometimes go on home and/or other office networks. Hope that's none too vague for people.
Rob Williams (Canada):

As you say to achieve this is complex, if possible.
Why not replace the Belkins with a dual WAN port router such as the Linksys RV042. This will allow automatic load balancing and automatic fail over in the event one or the other ISPs goes down. Then just leave your Mail Server on the 3rd line. Make sure the 8mb line is connected to the primary connection of the Linksys so that if ever a single user, they will be sure to get that line. This way you won't need a 3rd Watchguard either.
victornegri:
The first part is easy: set up different scopes on your DHCP server for the three different groups of users/computers (i.e. one that goes from 192.168.1.2-50, another from 51-150 and the last from 151-254). Do MAC address reservations on your DHCP server. Have each of the scopes point to a different gateway.

The 2nd part is more difficult. You can try this... in your DHCP scopes, set up multiple 003 Router entries for each scope. Arrange the entries so that the primary is on top and the failovers are below in whatever order you want. The only problem with this is the computer will only failover if the gateway is unpingable (i.e. the router is dead -- not the connection the router is hosting). The other alternative I can think of is to purchase a router that has the feature built in... like a Sonicwall TZ170.

You can also set up a batch file to do the testing:

@echo off
rem Probe a host reachable only through router1; ping sets errorlevel 1 when the single echo request gets no reply
ping -n 1 <something pingable only by router1> >nul
rem "if errorlevel 0" is always true (it means errorlevel >= 0), so the fail-back goes in an else branch;
rem "route change" is used because "route add" fails when a default route already exists
if errorlevel 1 (route change 0.0.0.0 mask 0.0.0.0 192.168.1.2) else (route change 0.0.0.0 mask 0.0.0.0 192.168.1.1)
Allow me to modify something in victornegri's explanation:

Don't set up multiple router entries for each scope.  Just point each scope to its own router.  Once you've done that, if a line drops, just go to the scope in question and change its router option to point to a different router.  Then, have your clients reboot (or do an IPCONFIG /RELEASE and then an IPCONFIG /RENEW at a command prompt... I find it easier to say "Okay, go ahead and reboot your computer and then the internet will be back up."  Once the line comes back up, you can change it back.

<-=+=->
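The two suggestions above (victornegri's per-group gateways plus a ping test, and the manual re-pointing of a scope's router option) can be combined into one script that runs on the SBS box from Scheduled Tasks. The following is an added example, not code posted by anyone in this thread, and it assumes constructed values: a single 192.168.1.0/24 LAN, the three routers at 192.168.1.1, .2 and .3, a few reserved client addresses per group, and three Internet hosts (PROBE1-3) chosen as probe targets. Two points differ from the posts: Windows DHCP allows only one scope per subnet, so per-group gateways are set with a reservation-level option 003 rather than three scopes in the same range; and each probe host is pinned to one router with a host route, so the ping tests the line behind that router rather than only whether the router itself answers, which addresses the "router dead vs line dead" caveat raised above.

```batch
@echo off
setlocal
rem Added example (hypothetical values throughout). Run every couple of minutes from Scheduled
rem Tasks on the SBS server. Clients pick up a gateway change at their next DHCP renewal or after
rem "ipconfig /renew", so this is automatic but not instantaneous.
set SCOPE=192.168.1.0
set R1=192.168.1.1
set R2=192.168.1.2
set R3=192.168.1.3
rem Constructed probe targets: one Internet host per line, reachable only via that line's router.
set PROBE1=203.0.113.10
set PROBE2=203.0.113.20
set PROBE3=203.0.113.30
rem Reserved client addresses per group (MAC reservations already created in the DHCP console or
rem with "netsh dhcp server scope %SCOPE% add reservedip <ip> <mac> <name>").
set GROUP1=192.168.1.11 192.168.1.12
set GROUP2=192.168.1.61 192.168.1.62
set GROUP3=192.168.1.151 192.168.1.152

rem Pin each probe to its router with a persistent host route (harmless if it already exists).
route -p add %PROBE1% mask 255.255.255.255 %R1% >nul 2>&1
route -p add %PROBE2% mask 255.255.255.255 %R2% >nul 2>&1
route -p add %PROBE3% mask 255.255.255.255 %R3% >nul 2>&1

rem Probe each line. "ping -n 1" exits with errorlevel 1 when no reply arrives, so "||" runs.
set UP1=1
set UP2=1
set UP3=1
ping -n 1 -w 2000 %PROBE1% >nul || set UP1=0
ping -n 1 -w 2000 %PROBE2% >nul || set UP2=0
ping -n 1 -w 2000 %PROBE3% >nul || set UP3=0

rem Preferred router for each group first, then the fall-back order if it is down.
call :assign "%GROUP1%" %R1% %UP1% %R2% %UP2% %R3% %UP3%
call :assign "%GROUP2%" %R2% %UP2% %R1% %UP1% %R3% %UP3%
call :assign "%GROUP3%" %R3% %UP3% %R1% %UP1% %R2% %UP2%
goto :eof

:assign
rem %1 = quoted list of reserved IPs; then (router, up-flag) pairs in order of preference.
set GW=
if "%3"=="1" set GW=%2
if not defined GW if "%5"=="1" set GW=%4
if not defined GW if "%7"=="1" set GW=%6
if not defined GW (
    echo All lines down; leaving group %~1 unchanged.
    goto :eof
)
rem Reservation-level option 003 (Router) overrides the scope-wide value for just these clients.
for %%i in (%~1) do netsh dhcp server scope %SCOPE% set reservedoptionvalue %%i 003 IPADDRESS %GW% >nul
echo Group %~1 -^> gateway %GW%
goto :eof
```

When a line recovers, the next run sets the group's preferred router again, which gives the automatic fail-back the asker wants without anyone editing the scope by hand. The server's own default gateway is untouched, so the script keeps working whichever line fails.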
Jeremy Bromley (asker):
Question time then - SplinterCell - whilst this sounds "easy" I'm not always in the office, so it needs to be an automatic system realistically. This system sounds far from auto.

Rob, liking the sound of this one. How quickly does the switch-over take, and is it reasonably seamless? Also, had a look at the pricing of this unit and it looks a good price. Also looking at the Netgear equivalent (FVS124G), anybody got any experience of this one?
ASKER CERTIFIED SOLUTION
Rob Williams (Canada)
This solution is only available to members of Experts Exchange.
SOLUTION
This solution is only available to members of Experts Exchange.
Okay, this is looking good. I'm going to try to source an RV042, although I might have one problem in that the two lines are in completely different parts of the building. Trying to work out wiring, does it need connecting directly to the modems, or will it still go through main network?
What do you mean by "through the main network" ? You can make use of an existing CAT5 cable that is part of your network but I wouldn't connect it to the LAN side of your network (through your LAN switches), that would by-pass all firewalls and put every system at risk. However, the modem and router do not have to be side by side.
That's kind of what I mean, I'm going to have to run a separate cable from the modem to the router box, as the building is a C17th Century hunting lodge with foot thick walls :(
One problem I have come across on various mailing lists regarding the dual WAN routers is that of how and when they switch between ports. One of our departments does all of its work on a secure (off-site) web-site for ecommerce. I suspect that the site will check the IP address of the "calling" computer throughout the process. Many people have complained regarding Dual-WAN routers that they switch their load-balancing "per packet" which would obviously cause problems. Does anybody know if there is any way to change any of these routers to "per session" switching?
The load balancing routers I have used maintain a connection through one port. So if I were to logon to site abc.com it will be maintained on port 1, when I or someone else, logs onto site def.com it may go through port 2. If the connection is lost on port 1, your connection is lost and you would have to hit refresh to have it reconnect through port 2. A "conversation" is maintained over 1 port but multiple connections are distributed over the 2 WAN ports. However, if a new connection is started when port 1 is down, it is automatically forced through the only open port.
Okay, I think this will work - I'll dole out some points to Rob (majority) and Splinter (assistance) - cheers guys. I'll perhaps post up some results in the next few weeks.
Thanks jbromley,
--Rob