grantballantyne (United Kingdom) asked:
2 networks need to be accessed

Hi,

One of our customers has about 20 Windows based PCs and shares one broadband connection throughout the office.  A new system is about to be put in place that dictates that they use a different broadband connection with the new system, and keep this system separate from any existing setup (on a different subnet).

The problem that I have is that the users will need to have the facility to access both systems.  At the moment they have a 192.168.1.x subnet (running a server for one system with a SQUID proxy server managing access to their broadband connection).

The current system and configuration allows access to their server and ordering through their web based system, which is tied down to their static WAN IP address.  The new system will use an alternative online ordering system which must be tied down to an alternative static WAN IP address through an alternative provider (can't use the existing connection) and on a separate network.

What is the best way to add another subnet to their existing network infrastructure that will keep the systems separate, but allow the users to access the 2 different systems?

Apologies if there is ample information about this, however a quick search never brought any suitable information back, and this is fairly urgent.

Thanks in advance for your help,
gb

ASKER CERTIFIED SOLUTION from zephyr_hex (Megan): solution text not included in this copy of the thread.

SOLUTION: solution text not included in this copy of the thread.
prashsax

Are you using routers to terminate the internet connections?

Will you have one more router for the other internet connection?
If you are using Cisco routers to terminate the internet bandwidth:


LAN1:192.168.1.0/24
LAN2:192.168.2.0/24

Internet1-----------Router1---------------LAN1
                                              |
                                           Switch
                                              |
Internet2-----------Router2---------------LAN2

Assuming that the default gateway for both networks is set to the LAN interface of the routers.

Just add a route to LAN2 on Router1, and on Router2 add a route to LAN1.
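To make the routing decision in prashsax's two-router layout concrete, here is a small added example (not code from any poster in this thread) of a longest-prefix-match route lookup in Python. It models Router1 twice: once with the static route to LAN2 that prashsax suggests, and once with LAN2 deliberately unreachable, which is the "kept separate" variant the next reply is worried about. The interface names, the inter-router link address 10.0.0.2 and the ISP gateway 203.0.113.1 are constructed for the example; only the two LAN prefixes come from the thread.

```python
# Added illustration of a longest-prefix-match routing table, modelling
# prashsax's Router1 with and without the cross-route to LAN2.
# All addresses and interface names are constructed for this example.
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop, egress interface)
Route = Tuple[ipaddress.IPv4Network, str, str]


def build_table(routes: List[Tuple[str, str, str]]) -> List[Route]:
    """Parse textual routes into a table ordered most-specific-first."""
    table = [
        (ipaddress.ip_network(prefix, strict=True), next_hop, iface)
        for prefix, next_hop, iface in routes
    ]
    # A router picks the longest matching prefix, so sort by prefix length
    # descending; the default route (/0) is tried last.
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for route in table:
        if addr in route[0]:
            return route
    return None


def egress_interface(table: List[Route], dst: str) -> Optional[str]:
    """Which interface Router1 would forward a packet for dst out of."""
    route = lookup(table, dst)
    return route[2] if route else None


# Router1 as prashsax describes it: LAN1 directly connected, a static route
# to LAN2 via Router2 over the inter-router link, and a default route to ISP1.
ROUTER1_WITH_CROSS_ROUTE = build_table([
    ("192.168.1.0/24", "connected",  "lan1"),
    ("192.168.2.0/24", "10.0.0.2",   "link"),   # constructed: Router2 link address
    ("0.0.0.0/0",      "203.0.113.1", "wan1"),  # constructed: ISP1 gateway
])

# The isolated variant: no route to LAN2 at all. A blackhole for the whole
# private /16 means LAN2 (and any other private prefix) is dropped rather
# than leaking out of the default route; LAN1 still wins because /24 is
# more specific than /16.
ROUTER1_ISOLATED = build_table([
    ("192.168.1.0/24", "connected",  "lan1"),
    ("192.168.0.0/16", "discard",    "blackhole"),
    ("0.0.0.0/0",      "203.0.113.1", "wan1"),
])


if __name__ == "__main__":
    for name, table in (("cross-route", ROUTER1_WITH_CROSS_ROUTE),
                        ("isolated", ROUTER1_ISOLATED)):
        for dst in ("192.168.1.10", "192.168.2.10", "198.51.100.7"):
            print(f"{name:12s} {dst:14s} -> {egress_interface(table, dst)}")
```

The point the lookup makes visible: with the cross-route in place, a host on LAN1 reaches LAN2 through Router1 exactly as prashsax says, so the two networks are connected at layer 3 even though they sit on different subnets; without it, LAN2 traffic hits the blackhole entry and the separation holds.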
That would work too; I guess it depends on why they "need" to be separate.

If it's to simplify things for a SOX audit or something like that, you're leaving yourself open to get picked apart.
As in this scenario, they are not completely separate, as traffic (and worms etc.) would be flowing between the two.

I guess when it comes down to it we need more information :D
grantballantyne (ASKER)

Thanks for your input everyone, let me provide you with some more information:

Currently, my client doesn't have a Windows based server - they basically have a peer to peer network with a Unix server which runs a stock system, and allows access through some client software on the Windows PCs.  They have a linux firewall which is managed and controlled by the firm (firm A) which provides the stock system - providing access to some online aspects of their ordering system which is allowed based on access through the proxy and out through a static WAN IP.  

The new system (Windows client software, web based and again, access granted or denied based on access from a specific static IP address - the new broadband connection) they are putting in is going to run in parallel with the current system (hopefully on their existing machines); however, firm A doesn't allow any other systems to use their Internet connection, will not amend their firewall accordingly and actually insist on a separate network for any other systems.

As we have been approached to oversee the installation of the new system, we have complete control over which setup is put in place for that, however, our hands are tied by firm A on the existing setup.

With this in mind, what would be the best way to allow us to set up a VPN to allow traffic from both networks to access their respective software online (through their respective static WAN IP addresses / routers)?

Sorry for the headache
Thanks
gb
With two switches, instead of one.
Can you elaborate - why 2 switches and in what kind of setup / topology?

Thanks
gb
The--Captain
I would recommend using prashsax's architecture, but minus the switch - a simple VPN will allow you much more control of who and what accesses each network.

Just my opinion,
-Jon
The two switches separate the problem correctly.  One switch to WAN A, the other to WAN B.  This establishes the primary requirement first: separate network connections.  There are numerous ways to hook the two together and cause them to interchange data under your full control; you don't have to put them at the front end either, they can be anywhere in your physical layout, as long as one is on each segment, just as it is with your upstream provider; it's how they separate segments.

The VPN means translation, and most routers don't like it; it's overused, only necessary about 1% or so of the time, etc.  The switches need no configuration nor software.  It's the simplest and least expensive solution.

Because the system is Unix, the Windows approach really doesn't apply.  Unix and Linux are in and of themselves full routers, with more capabilities than Windows for separating segments readily into discontinuous connections which can be bridged only by the servers.  The client software sounds like Samba, or similar.  Right, Firm A stands firm, do it their way.  One switch to Firm A then, and at some point the other switch to Firm B [however and wherever you install it to Firm B].  Unix or Linux should easily be able to make the decision of which traffic goes to A and which does not.  B then can remain pretty much an independent set, more fluid than A and able to route to more than just an upstream private connect, as would be the case say for a parts store, warehouse ordering site, etc.

The suggestion of Router1 and Router2 means you'll be doing a lot of configuration and spending a lot more money than is probably necessary, since Unix and Linux are fairly immune and don't really need routers on the front end, just for the LAN segment perhaps to provide private IP addressing, but even this doesn't entail the requirement of a hardware router.

It's really just a suggestion that you look up some switching network setups and see how they do it.  Even LanSurveyor [which you can download for a free trial] will show you that the ISP is set up the way I describe.

Thanks for the prompt responses everyone:

GinEric, are you suggesting this type of setup?

Internet1 / WAN A (192.168.1.x)----Proxy 192.168.1.100:8080----switch1----LAN
                                                                  |
Internet2 / WAN B (192.168.2.x)-----------------------------------switch2

Apologies if I have led you up the garden path, but:
The Unix server may have been a bit of a red herring.  This is solely used internally for the stock management system.  There is another system from firm A used in conjunction with this; however, this is Internet browser based and totally separate from this system.  Access to this is controlled through the SQUID firewall.

All computers on the LAN access the Internet by going through the proxy server - this allows them access to the online version of the system - and they access the Unix server through the emulation software on their Windows desktops.

If the switches require no configuration (would you recommend managed?), the problem I have getting my head around is how I configure the client machines to access the Internet through WAN B when required, when they are all configured to access the Internet by using port 8080 on the proxy - bearing in mind that they need to be able to access both WAN A and WAN B at different points during the day to access either online system.

From reading other posts, I am aware that you can install some software to jump between different settings to access different networks - http://stafney.com/~tstafney/opensource/IpManager/ - will this be something that would be required? Although this would have an effect on accessing the stock system at the same time!

Maybe terminal services is the way to go, zephyr_hex & ecszone - however, how does the licensing work on terminal services? Will 20 simultaneous connections require 20 CALs, and would it have to be a decent spec?

Thanks again for all your prompt responses - I look forward to hearing your input again,

Thanks
gb
You need a controller between the two switches, a server preferably.

I've worked with the various Stock Exchanges; no, they will not let you change anything on their mainframes, which is where their connections come from, their way or the highway.

If the system is Windows, you need a Client Access License per machine.  There is no such requirement for either Linux or your Stock Exchange mainframe connections [however, these are actually part of your brokers license].

A better configuration would be:

Internet1 WAN A <~> --------|R  S|--[1]----<Proxy 192.168.1.100:8080>----LAN A (192.168.1.x)
                            |O  W|
                            |U  I|
                            |T  T|
                            |E  C|
Internet2 WAN B <~> --------|R  H|--[2]----<proxied or not segment B>----LAN B (can be IP and/or port specific)

The Router Switch can be either a server or a router, probably an intelligent one, which can decide which traffic goes where.  Since it seems that WAN A is only using an http port, 8080, which is normally a secure port, such traffic shouldn't even go to WAN B if you've configured your network correctly.  Be that as it may, using the server/router to make the decision may turn out to be more reliable.  Points [1] and [2] are just the "switch function" of two paths controlled by the server/router, perhaps two NICs, perhaps a NIC tied to a post router that understands port forwarding and pass-through for certain defined ports.  The third part, anomaly or not, is that all the Windows machines can have more than one IP address, particularly on the LAN side.  I just sort of figured that somewhere in this setup you actually do have a server and the Windows machines are not connected directly to the Internet.

You don't really need two IP addresses per machine, so don't take that the wrong way.  But you do need something to decide which connection is going to get the encrypted traffic and which is not.  It would be a waste of time to encrypt and decrypt all connections to the Internet.  You need only really encrypt those which are financial related, and that would seem to be the brokerage system.  Like Merrill Lynch used to do, it uses port 8080, which is a basic secured web server on a single port.  True, the data received will be on thousands of ports, but the secure sockets layer should take care of that encryption for you.  It was as simple as running two web servers, one public and one private.  But you still have the problem of connecting to two ISPs, principally, and that does involve some switching and routing.

What's missing from your diagram is where "your servers" are.  Are they WAN B?  If so, that changes the whole scenario to a sort of exclusive or condition, A exclusive OR B.  Where you can go to A or B, but never the twain shall meet.  That should have been served by the separate servers, but again, your diagram shows no servers.

Obviously, if both A and B are using port 8080, you have a problem, except that their IP addresses should be distinct and therefore traffic should be routed correctly by default.

Since there are a number of ways to solve this, I would suggest you keep drawing it out and get to understand exactly what it is you want to do.  It still looks a little confusing.