Router Configuration Assistance

Posted on 2008-11-19
Medium Priority
Last Modified: 2012-05-05
I have a client I need to make a change to their router setup and trying to figure the best way around this.  

Basically, the company currently has two locations connected to each other by a standard T1 line.    The remote location also has a DSL router setup from AT and T.    The client wants to set it up so that internet traffic ONLY goes out the DSL router and all other traffic goes out the T1 to the other office.   The router has 2 ethernet ports.  The access layer switch is plugged into one of the ports and the other is currently open and can be configured.   The DSL router is plugged into the switch as part of the Clients attempt to do it himself.  

 I was leaning toward setting up the 2nd Ethernet port with a different subnet and hooking the DSL up to that port.   That segment would be a private network and the nat would most likely take place on DSL router, since it is a dynamic IP.   Then I was thinking access lists on the DSL ethernet permiting ports 80, 443 and 21 and denying all other traffic going out and ACLs on the T1 port denying port 80, 443 and 21 while permitting all other traffic applied both in and out.  I then have two default routes pointing to both the DSL Ethernet port and the Serial port.

Wanted to get opinions of this solution and if anyone has set up something similiar and what they did?  Or if anyone else has a different suggestion.
Question by:FrontlineTech
  • 2
  • 2
  • 2
LVL 28

Expert Comment

ID: 22999254
Basically I think you are on the right track. What I don't understand is, does each site have a single router doing both T1 and DSL, or 2 routers? What kind of router? Set up the default route to the internet and specific routes to the other office.

As far as DSL access lists, you should be very strict inbound from the DSL. But you probably don't need an access list on the T1 unless there's a reason you don't trust the other office.

Author Comment

ID: 22999509
The main office has a seperate T1 to the internet.   There is a point to point T1 connecting the main office to the remote office.  We do not want ANY internet traffic for the Remote office to go over the T1... instead we want the internet traffic to go out the DSL.  Meanwhile, the remote users will still access servers and file shares over the T1 back at the main office.

So the parameters are:

1) Remote site Internet can ONLY go out DSL
2) Any other remote site traffic goes ONLY through the T1.  

The DSL router is a Cayman ROuter/Modem combo provided by AT and T

The DSL router has a Built in Firewall and will take care of most of the security.

Looking a little further I am thinking of using Policy Route Maps with extended access lists.  So the Route map matches the address from the lan using Port 80 and directs it to the DSL router... Meanwhile, any traffic from the LAN that is NOT using Port 80 is sent out the T1.
LVL 28

Expert Comment

ID: 22999536
You're making it too complicated, standard routing will do the trick for you. How does the inter-office T1 connect at the remote site?
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Accepted Solution

airwrck earned 2000 total points
ID: 23019676
greetings FrontlineTech.  Here's one solution in detail

At the remote site, set all the workstations default gateway to the remote T1 router.  You can leave the Remote T1 router Ethernet and the DSL router on the same subnet.
In the T1 router at the remote, set up two routes:  one default route to the Internet, which points to the DSL router Ethernet port, and one route that points to the T1 interface at the "other" office.
In the Internet router at the Main office, configure a route that sends all the traffic back to the remote office to the Ethernet interface in the T1 router.
In the Main office, on the T1 router, configure a route that sends traffic bound for the remote office to the serial interface of the remote office.

On a Cisco router, it would look like this:
Given Remote subnet at (/24 is shorthand notation for a subnet mask of
Given Remote router Ethernet at
Given Remote DSL router at
Given Remote Serial at
Given Main T1 Serial at
Given Main subnet at
Given Main T1 Ethernet at
Substitute the IP addresses with your correct numbers

Remote T1 router config-add two static routes:
ip route  !sends all traffic by default to the DSL Remote router)
ip route  !sends all the Main office traffic over the T1)
(if the Main office has multiple subnets, then put in a static route to for each of those subnets, too)

Main T1 router config-add one static route
ip route !routes return Remote traffic to the Remote serial intfc

Main Internet router config-add one static route
ip route !routes return Remote traffic to the Main T1 router

This is a configuration that most network engineers would understand if they saw it on 3 routers.

A policy route would be a valid idea too, but since you haven't tried basic static routes yet, I'd suggest you give this a try first.  Also, remember, that even with policy route in the Remote T1 router, you would still need to route the packets destined for the Remote office back from the Main office, because if you don't, the packets returning from the Internet will be dropped (null0).

The way to test your configuration is to do traceroutes both to the main office and the internet from a workstaion at the Remote that has it's default gateway reconfigured, and see which interfaces the traceroutes hit on the way out.  (tracert in a Windows cmd window)

Good luck!  If you need remote assistance, ping me offlist.

Expert Comment

ID: 23019686
I forgot one route on the Main T1 router - my apologies
ip route !where is the Main Internet router Ethernet interface

Author Closing Comment

ID: 31518417
I used aspects of this, but he put int he best effort.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question