Solved

How to use two DSL Internet connections for VPN and Terminal Server access - for load splitting

Posted on 2006-05-28
Last Modified: 2010-04-12
Wanting to provide good performance for outside users accessing the Terminal Server, I have provisioned two 1+ meg DSL Internet lines with static IP and connected each to a VPN Router (Netgear FVS338).  The intention is to provide Terminal Server access to about 25 outside users - splitting them into two groups and providing a different static IP address to each group - but both will access the same Terminal Server.  In addition, inside users (on the office LAN) also use the Terminal Server and have the regular email and Internet browser traffic needs of an office user.  The Terminal Server is Windows 2003 Enterprise with gigabit NIC.

Things are presently set up with VPN Router A providing service to some external users already, and the second Router B is only providing default-route NAT access to the Internet for the inside users email and web browsing.  Before this scheme was set up, there was only one DSL connection for both VPN and inside users and the conflicting traffic needs of each group caused a lot of grumbling.

Now I would like to start using the second DSL Internet (Router B) and provide its static IP to the second group of outside users.  But initial tests have failed to achieve a connection to the Terminal Server through the second IP - I guess it is a routing or default route issue, because the Terminal Server has to be able to route its reply traffic back through the router the connection came in on.

I've researched this enough to realize that maybe I need to have a dual-WAN router, but surely I could add a third router between the Terminal Server and the two Netgears to accomplish the same thing?  I favour this approach, because actually I would like to provide a *third* DSL Internet connection for the inside-originated Internet traffic, and restrict the other two routers to incoming Terminal Server traffic only.

There are other networking requirements including some Frame Relay in the mix too, but I am leaving that out for simplicity.

I would love some advice on setting this up!
Question by:mluckham
7 Comments
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 2000 total points
ID: 16783786
The main issue that causes problems is the default gateway. If we assume a remote user can connect through service 'A' now, when he connects through service 'B' traffic is forwarded to the terminal server but the reply is sent to the default gateway which is 'A', and lost.
If you can make your remote users recognizable by dividing them into 2 groups, group 1 uses 'A' and is assigned an IP in subnet 192.168.100.0, and group 2 uses 'B' and is assigned an IP in subnet 192.168.200.0, then group 1 is OK with the default gateway, but you need to add a routing statement on the terminal server for group 2 (assuming router 'B' has a LAN IP of 192.168.1.254):

route  add  192.168.200.0  mask  255.255.255.0  192.168.1.254
                 ^group 2 subnet        ^subnet mask   ^router's LAN IP for 'B'

The other option, which would be much easier to implement, would be the dual WAN port router. This has the advantage of having the same LAN gateway address for both WAN connections. I would simply make a 3rd connection for local users only.

As for bottlenecks you might want to look at another terminal server. Depending on the kind of use, it may be pushing its limits.
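To see why the reply to group 2 gets lost without the static route, and how the route fixes it, here is a small model of the terminal server's routing decision. This is an added example, not code from the thread or from Netgear: it performs the same longest-prefix-match lookup a host does over a constructed routing table (office LAN 192.168.1.0/24 as an assumed mask, default route via router A, and an assumed LAN IP of 192.168.1.1 for router A; router B's 192.168.1.254 and the two group subnets come from the answer above) and reports, for each remote client, whether the reply leaves through the same router the session arrived on.

```python
"""Model the terminal server's route lookup to show the asymmetric-return problem
described in the thread and the effect of the suggested static route.

Added example, not part of the original thread. Router B's LAN IP (192.168.1.254)
and the group subnets are from the answer; router A's LAN IP (192.168.1.1) and
the /24 office LAN mask are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]

ROUTER_A = ipaddress.IPv4Address("192.168.1.1")    # assumed: default gateway (service A)
ROUTER_B = ipaddress.IPv4Address("192.168.1.254")  # from the thread: router B's LAN IP


def make_table(static_routes: Sequence[Tuple[str, str]] = ()) -> List[Route]:
    """Terminal server routing table: connected LAN, default via A, plus any static routes.

    A gateway of None means the destination is directly connected (no next hop).
    """
    table: List[Route] = [
        (ipaddress.ip_network("192.168.1.0/24"), None),   # directly connected office LAN (assumed mask)
        (ipaddress.ip_network("0.0.0.0/0"), ROUTER_A),    # default route -> router A
    ]
    for dest, gw in static_routes:
        table.append((ipaddress.ip_network(dest), ipaddress.ip_address(gw)))
    return table


def next_hop(table: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match: the most specific matching route wins, as in a real host lookup."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def check_return_paths(table: List[Route],
                       sessions: Dict[str, ipaddress.IPv4Address]) -> Dict[str, bool]:
    """Map each remote client IP to True if the server's reply would leave through
    the same router the session came in on (symmetric), False if it would be
    sent to the wrong router and lost."""
    return {src: next_hop(table, src) == ingress for src, ingress in sessions.items()}


# Constructed sessions: one group 1 client arriving via A, one group 2 client via B.
SESSIONS = {
    "192.168.100.10": ROUTER_A,
    "192.168.200.10": ROUTER_B,
}

if __name__ == "__main__":
    before = check_return_paths(make_table(), SESSIONS)
    # The static route from the answer: route add 192.168.200.0 mask 255.255.255.0 192.168.1.254
    after = check_return_paths(make_table([("192.168.200.0/24", "192.168.1.254")]), SESSIONS)
    for src in SESSIONS:
        print(f"{src}: symmetric without route={before[src]}, with route={after[src]}")
```

Without the static route the lookup for 192.168.200.10 falls through to the default and picks router A, so the group 2 reply never reaches router B. Note that on Windows the `route add` form shown in the answer is not kept across a reboot; `route -p add ...` makes the entry persistent.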
LVL 1

Author Comment

by:mluckham
ID: 16783999
Thank you, I wondered if that would work.  Most of the incoming traffic is indeed from branch LANs with their own unique subnets (planned out some time ago).  For those that are not, they can use the static IP for the 'default route' router.  When I add the third DSL line and router, the other two will be VPN-only with appropriate static routes so that should solve the default route issue and keep the email/web browser traffic separated.

The other thing I wondered about was whether the TS should have another NIC and an internal subnet with only one of the VPN routers on it ... but I would still need to add the static routes as you recommend - so no gain from doing so, other than keeping the traffic separated.

The bottlenecks are not due to the Terminal Server, but the relatively low-bandwidth pipeline (DSL Internet) between the TS and the remote users, complicated by not having QoS routers ... so bursty Internet traffic (large emails and web pages) cause frequent and annoying delays for the TS session users.

I will configure some test VPN circuits and the TS routes as you suggest, and let you know what happens.
LVL 78

Accepted Solution

by:Rob Williams
Rob Williams earned 2000 total points
ID: 16784060
I agree, I don't see much advantage to a second NIC. I suppose if the local users had a separate one there might be some performance improvement for them, but TS doesn't use much bandwidth, so a 100 Mbps pipe, and in your case Gigabit, should be fine.
Let us know how you make out with your tests.
--Rob
LVL 1

Author Comment

by:mluckham
ID: 16786159
Thanks Robwill - it works fine.

I didn't add any static routes to the TS though, I put them into Router A.  There was already a static route from Router B to Router A for a different reason.

Thanks for your help, and quick response!

Mike
LVL 78

Expert Comment

by:Rob Williams
ID: 16786185
Thanks mluckham.
Adding to the router will work fine, and likely not to be accidentally changed as well. I didn't think to suggest putting it there, as not all smaller routers allow static routes.
Cheers.
--Rob
LVL 1

Author Comment

by:mluckham
ID: 16793983
I consider these medium-range routers, with quite a few features.  For example, in addition to static routes and dial backup, the FVS-338 even has multi-home IP addressability - which came in handy when I ran out of DHCP addresses and added a new overlay subnet on top of the smaller existing one.

My only complaints about them are sluggish web interface, and Netgear's habit of releasing new products that require several firmware releases to get right.
LVL 78

Expert Comment

by:Rob Williams
ID: 16794431
I am not familiar with that model but it sounds like it has some nice features. I have worked with a few of their units and quite like them, but I must say some have their share of problems and tech support is non-existent.