Solved

2 networks need to be accessed

Posted on 2006-06-26
12
388 Views
Last Modified: 2013-12-07
Hi,

One of our customers has about 20 Windows based PCs and shares one broadband connection throughout the office.  A new system is about to be put in place that dictates that they use a different broadband connection with the new system, and keep this system separate from any existing setup (on a different subnet).

The problem that I have is that the users will need to have the facility to access both systems.  At the moment they have a 192.168.1.x subnet (running a server for one system with a SQUID proxy server managing access to their broadband connection).

The current system and configuration allows access to their server and ordering through their web based system which is tied down to their static WAN IP address.  The new system will use an alternative online ordering system which must be tied down to an alternative static WAN IP address through an alternative provider (can't use existing connection) and on a separate network.

What is the best way to add another subnet to their existing network infrastructure that will keep the systems separate, but allow the users to access the 2 different systems?

Apologies if there is ample information about this, however a quick search never brought any suitable information back, and this is fairly urgent.

Thanks in advance for your help,
gb

Question by:grantballantyne
12 Comments
 
LVL 42

Accepted Solution

by:
zephyr_hex earned 250 total points
ID: 16985500
VPN
VPN allows you to have a virtual connection between 2 separate networks
the 2 networks are distinct, but the users will be able to access the 2 different systems.

your other option is to add a terminal server to the new network, and have the users RDP in to that network.
 
LVL 11

Assisted Solution

by:Eric
Eric earned 250 total points
ID: 16985676
IF the domains are NOT in the same forest, you can only be a member of one domain at a time, so then go with the terminal server.

That is probably your best solution.  It sounds like there is something requiring them to be separate.. if so terminal services is much easier to document etc..

hopefully you only need to go one direction with this. otherwise you may need 2 terminal servers?
 
LVL 13

Expert Comment

by:prashsax
ID: 16985681
Are you using routers to terminate the internet connection?

Will you have one more router for the other internet connection?
 
LVL 13

Expert Comment

by:prashsax
ID: 16985736
If you are using Cisco routers to terminate the internet bandwidth:


LAN1:192.168.1.0/24
LAN2:192.168.2.0/24

Internet1-----------Router1---------------LAN1
                                              |
                                           Switch
                                              |
Internet2-----------Router2---------------LAN2

Assuming that default gateway for both networks is set to LAN interface of routers.

Just add a route to LAN2 on router1 and on router2 add route to LAN1.
 
LVL 11

Expert Comment

by:Eric
ID: 16985792
That would work too, I guess it depends on why they "need" to be separate.

If it's to simplify things for a SOX audit or something like that, you're leaving yourself open to get picked apart.
As in this scenario, they are not completely separate as traffic (and worms etc.. ) would be flowing between the two.

I guess when it comes down to it we need more information :D
 

Author Comment

by:grantballantyne
ID: 16986948
Thanks for your input everyone, let me provide you with some more information:

Currently, my client doesn't have a Windows based server - they basically have a peer to peer network with a Unix server which runs a stock system, and allows access through some client software on the Windows PCs.  They have a linux firewall which is managed and controlled by the firm (firm A) which provides the stock system - providing access to some online aspects of their ordering system which is allowed based on access through the proxy and out through a static WAN IP.  

The new system (Windows client software, web based and again, access granted or denied based on access from a specific static IP address - the new broadband connection) they are putting in is going to run in parallel with the current system (hopefully on their existing machines), however, firm A doesn't allow for any other systems to use their Internet connection, will not amend their firewall accordingly and actually insist on a separate network for any other systems.

As we have been approached to oversee the installation of the new system, we have complete control over which setup is put in place for that, however, our hands are tied by firm A on the existing setup.

With this in mind, what would be the best way to allow us to set up a VPN to allow traffic from both networks to access their respective software online (through their respective static WAN IP addresses / routers)?

Sorry for the headache
Thanks
gb
 
LVL 12

Expert Comment

by:GinEric
ID: 16987833
With two switches, instead of one.
 

Author Comment

by:grantballantyne
ID: 16988227
Can you elaborate - why 2 switches and in what kind of setup / topology?

Thanks
gb
 
LVL 16

Expert Comment

by:The--Captain
ID: 16988773
I would recommend using prashsax's architecture, but minus the switch - a simple VPN will allow you much more control of who and what accesses each network.

Just my opinion,
-Jon
 
LVL 12

Expert Comment

by:GinEric
ID: 16989399
The two switches separate the problem correctly.  One switch to WAN A, the other to WAN B.  This establishes the primary requirement first: separate network connections.  There are numerous ways to hook the two together and cause them to interchange data under your full control.  You don't have to put them at the frontend either; they can be anywhere in your physical layout, as long as one is on each segment, just as it is with your upstream provider - it's how they separate segments.

The VPN means translation and most routers don't like it, it's overused, only necessary about 1% or so of the time, etc..  The switches need no configuration nor software.  It's the simplest and least expensive solution.

Because the system is Unix, Windows approach really doesn't apply.  Unix and Linux are in and of themselves full routers, with more capabilities than Windows for separating segments readily into discontinuous connections which can be bridged only by the servers.  The client software sounds like Samba, or similar.  Right, Firm A stands firm, do it their way.  One switch to Firm A then and at some point the other switch to Firm B [however and wherever you install it to Firm B].  Unix or Linux should easily be able to make the decision of which traffic goes to A which does not.  B then can remain pretty much an independent set, more fluid than A and able to route to more than just an upstream private connect, as would be the case say for a parts store, warehouse ordering site, etc..

The suggestion of Router1 and Router2 means you'll be doing a lot of configuration and spending a lot more money than is probably necessary, since Unix and Linux are fairly immune and don't really need routers on the front end, just for the LAN segment perhaps to provide private IP addressing, but even this doesn't entail the requirement of a hardware router.

It's really just a suggestion that you look up some switching network setups and see how they do it.  Even LanSurveyor [which you can download for a free trial] will show you that the ISP is set up the way I describe.

 

Author Comment

by:grantballantyne
ID: 16991303
Thanks for the prompt responses everyone:

GinEric, are you suggesting this type of setup?

Internet1 / WAN A (192.168.1.x)----------------Proxy 192.168.1.100:8080----------------------------switch1------------------LAN
                                                                                                                                               |
Internet2 / WAN B (192.168.2.x)--------------------------------------------------------------------------switch2

Apologies if I have led you up the garden path, but:
The Unix server may have been a bit of a red herring.  This is solely used internally for the stock management system.  There is another system from firm A used in conjunction with this, however, this is Internet browser based and totally separate to this system.  Access to this is controlled through the SQUID firewall.

All computers on the LAN access the Internet by going through the proxy server - this allows them access to the online version of the system, and they access the Unix server through the emulation software on their windows desktops.

If the switches require no configuration (would you recommend managed?), the problem I have getting my head around is how I configure the client machines to access the Internet through WAN B when required, when they are all configured to access the Internet by using port 8080 on the proxy - Bearing in mind that they need to be able to access both WAN A and WAN B at different points during the day to access either online system.

From reading other posts, I am aware that you can install some software to jump between different settings to access different networks - http://stafney.com/~tstafney/opensource/IpManager/ - will this be something that would be required? - although this would have an effect on accessing the stock system at the same time!

Maybe terminal services is the way to go zephyr_hex & ecszone - however, how does the licensing work on terminal services? Will 20 simultaneous connections require 20 CALs, and would it have to be a decent spec?

Thanks again for all your prompt responses - I look forward to hearing your input again,

Thanks
gb
 
LVL 12

Expert Comment

by:GinEric
ID: 17023512
You need a controller between the two switches, a server preferably.

I've worked with the various Stock Exchanges; no, they will not let you change anything on their mainframes, which is where their connections come from, their way or the highway.

If the system is Windows, you need a Client Access License per machine.  There is no such requirement for either Linux or your Stock Exchange mainframe connections [however, these are actually part of your brokers license].

A better configuration would be:

Internet1 WAN A <~> -----------------------------------|R  S|--[1]----<Proxy 192.168.1.100:8080>----LAN A (192.168.1.x)
                                                       |O  W|
                                                       |U  I|
                                                       |T  T|
                                                       |E  C|
Internet2 WAN B <~> -----------------------------------|R  H|--[2]----<proxied or not segment B>----LAN B (can be IP and/or port specific)

The Router Switch can be either a server or a router, probably an intelligent one, which can decide which traffic goes where.  Since it seems that WAN A is only using an http port, 8080, which is normally a secure port, such traffic shouldn't even go to WAN B if you've configured your network correctly.  Be that as it may, using the server/router to make the decision may turn out to be more reliable.  Points [1] and [2] are just the "switch function" of two paths controlled by the server/router, perhaps two NICs, perhaps a NIC tied to a post router that understands port forwarding and pass through for certain defined ports.  The third part, anomaly or not, is that all the Windows machines can have more than one IP address, particularly on the LAN side.  I just sort of figured that somewhere in this setup you actually do have a server and the Windows machines are not connected directly to the Internet.

You don't really need two IP addresses per machine, so don't take that the wrong way.  But you do need something to decide which connection is going to get the encrypted traffic and which is not.  It would be a waste of time to encrypt and decrypt all connections to the Internet.  You need only really encrypt those which are financial related and that would seem to be the brokerage system.  Like Merrill Lynch used to do, it uses port 8080, which is a basic secured web server on a single port.  True, the data received will be on thousands of ports, but the secure sockets layer should take care of that encryption for you.  It was as simple as running two web servers, one public and one private.  But you still have the problem of connecting to two ISPs, principally, and that does involve some switching and routing.

What's missing from your diagram is where "your servers" are.  Are they WAN B?  If so, that changes the whole scenario to a sort of exclusive or condition, A exclusive OR B.  Where you can go to A or B, but never the twain shall meet.  That should have been served by the separate servers, but again, your diagram shows no servers.

Obviously, if both A and B are using port 8080, you have a problem, except that their IP Addresses should be distinct and therefore traffic should be routed correctly by default.

Since there are a number of ways to solve this, I would suggest you keep drawing it out and get to understand exactly what it is you want to do.  It still looks a little confusing.
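Added example, not from any post in this thread: one client-side way to handle grantballantyne's question of how PCs that are pinned to the proxy on port 8080 can reach the second system through WAN B is a proxy auto-config (PAC) script, which lets each PC choose the path per destination instead of a single fixed proxy setting, in the spirit of GinEric's "something to decide which traffic goes where". It assumes names the thread does not give: firm A's online system lives under firm-a.example, the new ordering system under new-system.example, and LAN B runs its own proxy at 192.168.2.100:8080 whose outbound address is the WAN B static IP.

```javascript
// Proxy auto-config (PAC) script. Browsers/Windows call FindProxyForURL for
// every request; the return value names the path to use. Written with plain
// string operations only, so it works in old IE/JScript PAC engines as well.
var PROXY_A = "PROXY 192.168.1.100:8080"; // firm A's SQUID proxy -> egress via WAN A
var PROXY_B = "PROXY 192.168.2.100:8080"; // assumed proxy on LAN B -> egress via WAN B

// True when host is exactly `domain` or a subdomain of it. The dot boundary
// matters: "evil-firm-a.example" must NOT be treated as firm-a.example.
function inDomain(host, domain) {
  if (host === domain) return true;
  var tail = host.slice(-(domain.length + 1));
  return tail === "." + domain;
}

// True for the two office subnets and for single-label names (the stock
// server reached by its short name), which must never go out via a proxy.
function isInternal(host) {
  return host.indexOf(".") === -1 ||
         host.indexOf("192.168.1.") === 0 ||
         host.indexOf("192.168.2.") === 0;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isInternal(host)) return "DIRECT";
  // Assumed names (not in the thread) for the two online ordering systems.
  if (inDomain(host, "firm-a.example")) return PROXY_A;
  if (inDomain(host, "new-system.example")) return PROXY_B;
  // Anything unmatched keeps going through firm A's proxy, where their existing
  // policy applies; nothing silently falls back to the other connection.
  return PROXY_A;
}
```

Serve the PAC file from an internal web server and point the PCs at it via "Use automatic configuration script", so the per-destination rule lives in one place rather than in 20 desktop settings.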
