• Status: Solved

Sharing resources between two networks in the same Building.

Background Story: Because of the demand my Media department puts on our existing network I have isolated us into our own network.
Our existing network is in 10.10.1.xxx subnet: 255.255.255.0
I have created my network in 10.10.2.xxx with the same subnet. I have my own ISP coming into my network and another going to the first network.

I currently am using a Dell PowerEdge server running an open source gateway to offer DHCP, Firewall, NAT, and so forth to the 10.10.2.xxx network. What I really need is to be able to access resources on the 10.10.1.xxx network but keep our ISPs separate.

I would like to avoid using a VPN solution over our two ISPs since I need higher reliability than our main network's ISP can provide.

Both Networks have file servers running Windows 2003 servers and hosting DHCP on the 10.10.1.xxx as well as Exchange.

10.10.2.xxx also utilizes a Mac Leopard server.

I am willing to purchase hardware to make this happen.
Thanks for your help. Let me know if there is any other information.
Asked by: cpctecharts

GuruChiu Commented:
It should be quite simple:

Set up one of your servers to route to both networks, e.g. add another network card to the PowerEdge, configure this new network card with a 10.10.1.xxx address and connect it to the 10.10.1.xxx network. For simple illustration, let's call this 10.10.1.254, while it really can be any unused IP address on 10.10.1.xxx. Then on the gateway for the 10.10.1.xxx network, add a route to 10.10.2.0/24 through 10.10.1.254.

There are many other ways to achieve the same result.
 
pwindell Commented:
It takes two routers (not one).  So you just can set up your Server to do routing unless the other side does the same with one of theirs.  In general it is a bad idea to use a server as a router.
You need two LAN Routers, and one new subnet between them. This new subnet can be a "2-host" network with a /30 bit mask (your choice).  Then it needs to be rigged up like this below. Ignore the fact that the WAN Link is a VPN in the diagram,...just pretend that the two VPN Devices are regular LAN Routers.  Other than that everything in the diagram is there for a reason, it is all important,...you can not simply pick-and-choose what parts of it you want to do.
 
 

[Attached diagram: VPNSample2.jpg]
 
cpctecharts (Author) Commented:
Pwindell:
Thank you for the diagram. I have placed a Linksys WRT54g running the DD-WRT firmware (with wireless disabled) in place of the VPN device. Could you please give me a little more detail on the routing tables for these devices?

Thanks again, you have me on the right track, I am just having a hard time wrapping my brain around this one.

Shaun
 
pwindell Commented:
You can't.  Those are not routers,....yep,..they call them that in Best Buy and the other retail stores,...but they are not routers,...what are they?,...they are cheap low-buck "NAT-based Firewalls" designed for "home use".

You have to buy a real router to route between network segments on a network.

You cannot typically buy real routers at retail stores off the shelf,....they are "commercial" products.   You can buy them at places like www.cdw.com and other similar commercial network supply vendors.

You can also build two of them with two Linux boxes if you like trying to figure out how to use Linux.  You would run either IPTables or IPChains as long as you don't turn on IP Masquerading because it would then become a firewall like the Linksys boxes.

The text portion of the diagram already explains how to set up the routing once you are using the correct products.
 
cpctecharts (Author) Commented:
Pwindell:

That would make sense, and explain why I wasn't getting anywhere. I always assumed flashing the firmware made these more than the cheap boxes they are.

Would a Cisco 851 Ethernet to Ethernet Router be what I am looking for or do I need bigger than that? http://www.cdw.com/shop/products/default.aspx?EDC=788532

I have played with IPtables before, but would prefer to go with a hardware solution.

Thanks again!
 
GuruChiu Commented:
CPCtecharts,

Yes, an 851 will work. If you need me to draw a diagram, pls let me know. It will take me a while because I am busy w/ other projects.

Pwindell,

If you do it right, you only need one router. There are cheap and expensive routers. While the expensive routers can do a lot more, in this situation a cheap router can work. In general, I do not use servers to route network traffic because of security concerns, but it will work anyway. Since the user is already using a server to connect to the internet, the incremental risk of using a server to route traffic is minimal. A LinkSys WRT54g can route traffic as well, but you will need more than just a single LinkSys WRT54g in this case because the LinkSys is only able to route between two subnets. Finally, you do not need a VPN tunnel just to connect two networks together, and you do not need a new subnet between two routers in order to do that.
 
cpctecharts (Author) Commented:
GuruChiu:

Thank you for your response. I would greatly appreciate a diagram, as I am a visual learner.

Thanks!
Shaun
 
pwindell Commented:

"Pwindell, If you do it right, you only need one router."

You can only do it with one Router in the "middle" if both networks are using the same Internet connection.  But if each network has their own firewall and their own separate Internet connection then it requires two LAN Routers.  The only exception to that is if they have lower quality Firewalls that do not monitor connection state on the internet interface which would allow them to use their firewalls as the Default Gateway instead of the LAN Router (bad design but some do that).   But if the firewalls are the quality they should be then the LAN Router must be the Default gateway which then in turn uses the local firewall in that segment as its Default Gateway.  Both sides cannot use the same router as the Default Gateway unless they also use the same network connection.  

One way around that is to buy a more expensive LAN Router that is capable of Source Routing so that if the source is one Network it will use a different Default Gateway than if the source was the other network.

One last way to do it with NO router is if the Firewalls have an additional Interface that can be used as a "second" Internal interface (different subnet).  You do this on both Firewalls and connect the two firewalls to each other over that pair of interfaces.  The firewalls would pull "double-duty" as both Firewalls and LAN Routers at the same time and the firewalls could remain the Default Gateway of their respective clients.  This of course requires firewalls capable of doing this.

Here is an article concerning the "connection state issue" if the Firewall is used as the Default Gateway instead of the LAN Router: This one is in the context of SBS2003 but the principle still applies to non-SBS systems.  The fact that SBS is on the box is irrelevant, what is relevant is that the box is a fully stateful firewall on all interfaces (not just external).

The Official SBS Blog : Network Behind a Network
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx
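
The "connection state issue" from the post above, as an added example (not code from the thread or the linked article). It models the single dual-homed routing server at 10.10.1.254 with the route on the 10.10.1.xxx gateway, and compares the file server's two possible default gateways; the firewall address 10.10.1.1, the router's 10.10.2.1 address and the two host addresses are assumptions.

```python
import ipaddress

# Constructed addressing: only 10.10.1.254 and the two /24s come from the thread.
OWNER = {"10.10.2.50": "client", "10.10.1.20": "fileserver",
         "10.10.2.1": "router", "10.10.1.254": "router",
         "10.10.1.1": "firewall"}

def build(server_default_gw):
    """Routing tables as (network, gateway); gateway None means on-link."""
    return {
        "client":     [("10.10.2.0/24", None), ("0.0.0.0/0", "10.10.2.1")],
        "router":     [("10.10.2.0/24", None), ("10.10.1.0/24", None)],
        # Static route from the first answer: 10.10.2.0/24 via 10.10.1.254.
        "firewall":   [("10.10.1.0/24", None), ("10.10.2.0/24", "10.10.1.254")],
        "fileserver": [("10.10.1.0/24", None), ("0.0.0.0/0", server_default_gw)],
    }

def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway IP or None for on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes
            if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def path(tables, src_ip, dst_ip):
    """Devices a packet visits from src to dst, both ends included."""
    here = OWNER[src_ip]
    hops = [here]
    while here != OWNER[dst_ip]:
        gw = next_hop(tables[here], dst_ip)
        here = OWNER[dst_ip if gw is None else gw]
        hops.append(here)
    return hops

def handshake(tables, client, server, stateful="firewall"):
    """Result of a TCP open when `stateful` tracks connection state."""
    flows = set()
    if stateful in path(tables, client, server):
        flows.add((client, server))          # SYN seen, state entry created
    back = path(tables, server, client)
    if stateful in back and (client, server) not in flows:
        return "SYN-ACK dropped at " + stateful, back
    return "established", back

if __name__ == "__main__":
    for gw in ("10.10.1.1", "10.10.1.254"):  # firewall vs. LAN router as gateway
        print(gw, handshake(build(gw), "10.10.2.50", "10.10.1.20"))
```
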
 
cpctecharts (Author) Commented:
The solutions were given quickly and respectfully to a newbie.