Solved

Need to have 2 separate networks with 1 ISP connection

Posted on 2008-09-30
Last Modified: 2012-05-05
We have a very basic workgroup network run by a Netgear FVS318.  The proprietary software we use runs an SQL database and only one of these databases can run on a network at a time.  The problem is we need to run another instance of the software and database concurrently and independent of each other but the software will not allow it.

I need to "split" the network into 2 separate networks where one group of computers cannot see each other while being able to keep the current router if at all possible.  We do have a Windows 2003 enterprise server that is not being used to its potential at all.  DHCP is on the router.  Any ideas on what would be the easiest way to accomplish this?
Question by:stin27
10 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22612270
Unfortunately this is not possible directly on the FVS318. You need to do 1 of 2 things:
1) Create separate VLANs for the two networks. For this you need a managed L2 switch.
2) Use a cheap router to break up the broadcast domain. Just connect its WAN port to the FVS318 and turn on NAT on the router. This means that the computers inside that router can see everything outside the router (including other servers/PCs) but the PCs on the FVS318 cannot see the devices behind the router. The only drawback to this is that it KILLS LAN throughput. You'd be lucky to get 8Mbps on the LAN between the router and the machines if you do this.
In short - no, it's not possible on the FVS318 without additional hardware.
Does that answer your question? Let me know if you need more help!
 
LVL 12

Expert Comment

by:rionroc
ID: 22612285
Hello

I'm assuming your ISP provided you more than 1 IP address.

While ISP provided a direct connection to the router or computer.

Connect Cat5 cable from ISP to the switch.
Connect from switch with 2 routers.

first router:
>wan:
ip address: x.x.x.1
submask: x.x.x.x
gateway: x.x.x.x
dns:x.x.x.x

>lan: ( dhcp from 192.168.20.1 to 192.168.20.254 )
ip address: 192.168.20.1
submask: 255.255.255.0


second router:
>wan:
ip address: x.x.x.2
submask: x.x.x.x
gateway: x.x.x.x
dns:x.x.x.x

>lan: ( dhcp from 192.168.30.1 to 192.168.30.254 )
ip address: 192.168.30.1
submask: 255.255.255.0


Note: If you want one output line connection, you can connect both router [lan cables] to a switch again.

eq:
>
>>isp
>>>>>>>>switch
>>>>>>>>>>>>>>>>>>router1
>>>>>>>>>>>>>>>>>>router2
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>switch
>connecting clients using dhcp
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>client1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>client2
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>client3

Sorry if I misunderstood your question.


Great is our GOD.
:)
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22612355
Great is our GOD indeed. :)
As far as that response though, I was under the impression they wanted everything behind their firewall and probably don't have more than one public IP.
Any clarifications on this stin27?
 

Author Comment

by:stin27
ID: 22612546
I was afraid that the FVS318 router would not be able to do this but needed to hear it from someone else first :)  The main reason for wanting to keep the FVS318 in the loop is because it is the VPN hub for 3 other remote locations (all with FVS318's) and would like to keep it uniform and simple.

Pugglewuggle: I believe we have a block of 5 public IP's to work with and only one is currently in use.  It will be tomorrow (Wednesday) before I can confirm that for sure.  I don't think option #2 would work -- the guys I work with are not very technical but slowness will cause problems.  Regarding option 1, I have very little knowledge of VLAN's.  Is it possible to set up each LAN as their own VPN endpoint with an L2 switch?

Rionroc:  I get where you are going and I think you got the question right.  Is it possible to use another FVS318 as the second router after the switch?  Also, I am assuming that it can be an unmanaged switch, correct?

Thank you both for the prompt responses and suggestions.  I will check on the IP's tomorrow.

 
LVL 12

Accepted Solution

by:
rionroc earned 250 total points
ID: 22614060
Hello

>> Is it possible to use another FVS318 as the second router after the switch?
Yes, but too expensive, get another switch [only] with 4 or 8 ports.

>>Also, I am assuming that it can be an unmanaged switch, correct?
Possible, but you can apply this if you want to.


>>isp
>>>>
>>>>switch>WAN port: 10/100 Mbps Ethernet RJ-45 port to connect to any broadband modem (isp connected)
>>>>LAN ports: eight (8) 10/100Mbps auto-sensing>>> port [1],  port[2], port[3]
>>>>using dhcp server>>>>>...................................................v           v
.................................................................................................. v           v
.................................................................................................. v           v
>>>>>>>>>>>>>>>>>>>>>>using>>>>>>>>>>>>>router wan>     v
>>>>>>>>>>>>>>>>>>>>dhcp server>>>>>>>>>>>router Lan>     v
...................................................................................................v           v
...................................................................................................v           v
24portswitch1[only].first division..............................................<v
               v    v         24portswitch2[only].second division........................<v
               v    v ............................................ v .............v
.....client[1].. v..using first dhcp server         v .............v
....................v
..........client[2]..using first dhcp server          
....................................................................v .............v
....................................................................v....client[1].using second dhcp server
.............................................................client[2].using second dhcp server


[OR] you can use FVS318 Lan port[1] only for the other division/connection through a router, the rest of the port[2 to 7] can be used for the other division/connection also.

If you want another division or third, connect to the port[2] or any port you want to.

You can add more switches if you want more client connections.

I hope that helps too.

Great is our GOD.
:)

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22617087
The problem you will run into with this is that those routers are probably running NAT. If you use the FVS318 as the VPN gateway for your organization then your remote users will be able to access NOTHING behind the routers. In a situation like this, the only way to allow connections into a NAT router is to set up port forwarding - and then all clients on remote VPN have to access internal resources by port on the WAN IP address of the router.
This just isn't a feasible solution if remote clients need access inside.
Plus you won't be able to have communication between the two routers either if you need to. NAT just about kills that ability.
Consider this before trying. Rionroc's response would get you online, but it would break everything else.
What you might consider doing is getting a cheap Cisco router if this is a small business or you can afford it. The Cisco 851 is a good choice - about $350 USD. It can do all of this and more - you can replace your current firewall/routers/etc. with it. It has the best firewall of any router on the market and has enterprise networking features you can't find anywhere else. You can make multiple VLANs and assign them to different ports. The 851 also functions as a VPN server/gateway. Not to mention it's faster than just about everything else out there in its price range. It's a very good device. I recommend it if you can afford it.
Let me know if you have more questions!
 

Author Comment

by:stin27
ID: 22621769
The FVS 318 is running NAT and cannot be turned off, as far as I can tell.  I also checked and we do have a block of 5 external IP's.

I guess I should explain the scope of the VPN.  It may not change anything, but maybe it will.  Our current VPN structure has a HQ location and is the central hub for the remote VPN locations -- this is the location I am trying to modify.  All locations have an FVS 318 and we are only using gateway to gateway connections - no clients.

The only thing the VPN is used for is updating the database at all locations for the software causing all this headache.  There is a program within the software that pushes out any changes/updates that we make within it.  The only configuration for the software to connect is to set the remote gateway's local IP and the name of the database server.

We are adding another 'location' within the same building as HQ and that is why we are needing a separate network since you cannot have 2 instances of the database running on one network.  And since this is a remote location technically speaking, we would need it to be VPN capable with the original network.

I like the idea of having 2 FVS routers behind a network switch if it will work simply because it would be less configuration and is more in line with what we already have.  However if it cannot work, I am not against going with the Cisco router just as long as the 2 VLANs cannot interfere with each other except in the case of the central database sending updates to the remote one.  One question about the Cisco router:  Can each VLAN be assigned its own external IP if necessary?  Don't think it would be necessary but good to know.

I know I've got a decision to make on this and I appreciate your help.  Given full disclosure on the VPN, does that change anything in your opinion?
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22621908
Yes, leave NAT on on the FVS.
So here's what you do - go ahead and purchase another FVS318 (or bigger model if you like to use as the VPN hub since it will require more power - how big is this DB, how often is it updated, what's the internet speed at the main office up and down, and how many remote sites connect at once?) and use it as the hub device. Also, purchase a little 10/100 unmanaged "dumb" switch  (usually about $40 USD for a 4 or 5 port one). Then plug the internet connection into one port of the switch and the two FVSes into two of the other ports. Then, give each of the FVSes different public IP addresses and configure the remote ones to use the Hub one as the VPN server/gateway. No configuration of the little switch is necessary - you can then plug in more FVSes/whatever later to connect directly to the internet and have a public IP too (just remember it is not secure and will not have a firewall, so avoid connecting things like PCs or servers to it).
Here's a quick diagram:

Internet ------ Unmanaged switch ----- FVS318 ("remote" network)
                                     |
                                     ---------------------- FVSxxx ("remote" network)
the xxx just means whatever model of FVS you use.
:) Glad to have helped you out. Any questions?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621912
Oops - diagram should read:
Internet ------ Unmanaged switch ----- FVS318 ("remote" network)
                                    |
                                    ---------------------- FVSxxx ("Hub" network)
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621916
One other thing - make sure the cord between the switch and either FVS is not more than 300 feet. Ethernet cables cannot be more than 300 ft. or you lose your signal.
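
An added example, not part of any post in this thread: a pre-deployment check of the address plan for the two-router layout discussed above, confirming that each router has its own public IP, that the LAN subnets do not overlap (assumed here to be required so gateway-to-gateway VPN traffic can be routed between them), and that no DHCP pool hands out its router's own address. The LAN values follow the 192.168.20.x / 192.168.30.x split suggested earlier; the 203.0.113.x public IPs and the second DHCP range are constructed placeholders.

```python
import ipaddress

# Constructed address plan. LAN values follow the 192.168.20.x / 192.168.30.x
# split suggested in the thread; public IPs are documentation placeholders.
SITES = {
    "hub": {"wan": "203.0.113.2", "lan": "192.168.20.0/24",
            "gateway": "192.168.20.1",
            "dhcp": ("192.168.20.1", "192.168.20.254")},
    "second": {"wan": "203.0.113.3", "lan": "192.168.30.0/24",
               "gateway": "192.168.30.1",
               "dhcp": ("192.168.30.100", "192.168.30.200")},
}

def check_plan(sites):
    """Return a list of problems found in a multi-router address plan."""
    problems = []
    names = sorted(sites)
    for name in names:
        s = sites[name]
        lan = ipaddress.ip_network(s["lan"])
        gw = ipaddress.ip_address(s["gateway"])
        lo, hi = (ipaddress.ip_address(a) for a in s["dhcp"])
        if gw not in lan:
            problems.append(f"{name}: gateway {gw} outside LAN {lan}")
        if lo not in lan or hi not in lan or lo > hi:
            problems.append(f"{name}: DHCP pool {lo}-{hi} does not fit {lan}")
        elif lo <= gw <= hi:
            # A pool that covers the router's own LAN address risks a conflict.
            problems.append(f"{name}: DHCP pool {lo}-{hi} includes gateway {gw}")
    # Pairwise checks: every router needs its own public IP and its own subnet.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sites[a]["wan"] == sites[b]["wan"]:
                problems.append(f"{a}/{b}: same public IP {sites[a]['wan']}")
            na = ipaddress.ip_network(sites[a]["lan"])
            nb = ipaddress.ip_network(sites[b]["lan"])
            if na.overlaps(nb):
                problems.append(f"{a}/{b}: LANs {na} and {nb} overlap")
    return problems

if __name__ == "__main__":
    for p in check_plan(SITES):
        print("PROBLEM:", p)
```

The same function accepts any number of sites, so the LAN subnets of the remote VPN locations can be added to the plan before the new router goes in.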