Is Two Routers on One Network Safe?

I just want to see if this is safe to do or if I am looking at some problems.

What I want to do is take 2 different routers, with 2 different internet connections and have them on the same network.  One router (routerA) will be the default router as far as all the users are concerned and will host all general web and email traffic.  The other (routerB) will only host VPN traffic.  On the default router (routerA) I would have a static route for the permanent VPN's on routerB. (I am not too sure how to handle road warrior VPN's though)

I am forced to use 2 routers rather than a dual wan router because we purchased the main router (routerA) not too long ago and are now discovering that we need to ease the bottlenecking on the one internet connection.  I was previously trying to have the VPN router on a different network and have that network connected to routerA, but that was proving a little difficult to get working, so I am trying to come up with a simpler solution.

Will this solution work or will it yield more headaches?  (if this gets more difficult, I will up the points)
JP DI.T.Asked:

Erik BjersPrincipal Systems AdministratorCommented:
This should not be a problem.

eb
netnounoursCommented:
If you want to save some headache and give internet access to your road warriors, you may configure the firewall on router 2 to allow them out there  (or use split tunneling - I do not like it).
Brain2000Commented:
Absolutely.  I head up our data lab, and we are running four routers on one LAN.  In fact, we have two labs 20 miles apart, with a fibre 500MBit line between them connected to two switches.  I have two switches on one side, and two switches on the other.

We are running BGP and OER to balance out the traffic.  In case the Lab to Lab line goes down, I have L2TPv3 set up to go over the internet to allow a subset of bandwidth to keep things going until the fibre line is fixed.

The first two routers at each site do all the heavy lifting for each ISP.  Both advertise BGP for two subnets, one at each lab.  The secondary router exists to keep the BGP session up at the opposite lab in case one of the border routers dies.  We also run HSRP on the secondary router so the computers at each lab have a gateway at all times.

So while it is logically separated as if it is two separate networks, it's all on one layer 2 broadcast domain that is completely redundant.

Brain2000Commented:
Correction: I meant to say we have "two ROUTERS on one side, and two ROUTERS on the other".
Brain2000Commented:
Question.

You mentioned that you don't have a two wan router, but I didn't fully understand why.  While you can use two routers, you can just plug both wan's into one router and have regular old routing and VPN all in one unit.  Unless it's not powerful enough to handle peak times.
JP DI.T.Author Commented:
The main router is a 3com x5.  I tried to set it up to vpn through a different port than the main WAN port, but when you set up VPN's within the x5, it defaults to the WAN and will not let you change that.

I thought about using the x5 WAN as the VPN connection and hooking up the second internet connection to a different port and directing all general internet traffic to that port, but I couldn't figure out how to do the routing when it won't let me change the default route for 0.0.0.0 traffic.

I think it would be a lot easier to maintain if it was all done in the one unit.  Mind you, using two routers also gives me a little bit of a back up should one router fail.

I have both routers now on the same network as above.  VPN's are connected, however I am having some routing issues with the default router.  If I ping to a remote network (through the VPN) from a users station, it reaches the default router and that's it.  If I change a users default gateway to the VPN router, the ping goes fine to the remote network.  I set up a static route on the default router that directs any traffic destined to the remote network to be routed to the VPN router as the next hop, so I am not really sure what is going wrong?
Brain2000Commented:
This is correct.  Remember, the VPN makes it so the remote user's computer is sitting on the inside of your network (router2 is proxy'ing for them).

So if you put a user on the inside of your network, what gateway do they need to use?  Router1, right?

However, this means all your remote users that are browsing the internet are going to loop through both your routers.  I would consider this a feature.  They should ONLY send traffic that needs to be on the local LAN through the VPN, and all other traffic should use their own home internet line.

Is this making sense?
Brain2000Commented:
I left something out.  The remote users need to uncheck "Use remote gateway as default gateway" in their VPN adapter's IPv4 TCP/IP settings.  That way they'll only send office traffic through the VPN.  Otherwise they'll send all traffic through your VPN.
JP DI.T.Author Commented:
Yes, that makes sense.  However, right now I am just trying the connection with our remote site, that remote site will be diverting its own internet traffic through its internet connection rather than through the VPN and then looping through our routers.

From the remote side I can ping the local VPN router (router B) through the VPN and anything connected directly to it (basically anything that is using it as the default gateway), but nothing else that is using router A as the default gateway.

From the local side, I can ping the local VPN router (router B), but cannot ping anything through the VPN on the remote site.  If I change my default gateway to router B, then I can ping the remote site.

In router A (the local default) I have a static route set up to forward all 192.168.3.0 (the remote network) to 192.168.1.22 (the local VPN router).

When I tracert to the remote site, it makes it to router A and then times out after that.

I have a feeling that I am missing something on router A.

I have increased the points.
Brain2000Commented:
Make sure router A has an IP address of 192.168.1.x assigned to the main interface.  I'm not as familiar with the 3com routers.  Perhaps it can't do out and back on the same interface?  If that's the case, does it have an extra ethernet interface?  If so, you could run a line between the two routers and have router A forward the VPN packets over that line.

Until you can traceroute and go from Router A to Router B, it isn't going to work.
JP DI.T.Author Commented:
Ya, the 3com x5 has multiple ports.  So I have been trying exactly what you were thinking.  Still no luck.

So basically it is the same result if I plug router B directly into the network or plug it directly into router A.

I started to think that maybe the problem is more with router B.  Maybe, when I send a ping from the local network, it goes through router A, then to router B, then through the VPN to its destination.  However, when it comes back it goes through the VPN back to router B, but router B does not know to send it back through router A first?  Maybe?

I was hoping to test that theory by adjusting the routes within router B so that it would first send all local traffic to router A, but there is no next hop option and the automatic route for the local network has a metric of 0, so I couldn't try to set a static route (not that it would let me do that anyway).

So here is what I came up with:  I went into the local win2003 server and adjusted DHCP option 249 to push static routes to the local clients so the remote networks will go directly to router B rather than to the default gateway.  I also added the same routes on the server itself.

So far, it seems to be working!  I was also thinking that this might also ease up some traffic congestion going through router A.  The road warrior vpns I can figure out later, as long as I have the main static vpns up and running and connecting my servers/networks.

Does this make sense?  Do you think that this will be a safe solution?  Is there anything that I should be careful with this solution?
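
An added example, not part of the original thread: the byte layout of the classless static route payload that DHCP option 249 carries (the same layout RFC 3442 defines for option 121), built for the route in this thread, 192.168.3.0/24 via 192.168.1.22. The function names and the `unexpected_routes` audit helper are illustrative assumptions, useful for checking that a captured DHCP reply pushes only the routes you intended.

```python
import ipaddress

def encode_routes(routes):
    """Encode (destination CIDR, next hop) pairs in the RFC 3442 layout."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)   # raises if host bits are set
        out.append(net.prefixlen)           # 1 byte: prefix length
        # only the significant octets of the destination are sent
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(gateway).packed   # 4 bytes: next hop
    return bytes(out)

def decode_routes(payload):
    """Decode an option payload back into (network, next hop) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        n = (prefixlen + 7) // 8
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        net = ipaddress.IPv4Network((dest, prefixlen))
        routes.append((net, ipaddress.IPv4Address(payload[end - 4:end])))
        i = end
    return routes

def unexpected_routes(payload, allowed_gateways):
    """Return pushed routes that are a default route or use an unapproved next hop."""
    allowed = {ipaddress.IPv4Address(g) for g in allowed_gateways}
    return [(net, gw) for net, gw in decode_routes(payload)
            if net.prefixlen == 0 or gw not in allowed]

# Constructed sample: the route described in the thread.
SAMPLE = encode_routes([("192.168.3.0/24", "192.168.1.22")])

if __name__ == "__main__":
    print(SAMPLE.hex())
    for net, gw in decode_routes(SAMPLE):
        print(f"{net} via {gw}")
```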
Brain2000Commented:
Yes.  I briefly thought about pushing static routes to each seat, but didn't mention it because it adds administrative overhead and seats can bypass it if they want.  But yes, that will work just fine.  I would prefer the router solution just because you have more control over the traffic, but that's just my opinion.  It all depends on your office security requirements.

Maybe those 3com's are not capable of simple static routes?  If you ever want to replace them, you can pick up a Cisco 2651 or Cisco 7206 (i.e. NPE-225) for about three hundred bucks on ebay.  I use the 7206 mostly, and have it serving up 5 networks, load balancing two DSL outgoing lines for common traffic, bonding multiple T1 lines for specialized traffic and web servers, VPN incoming from home users... all in one single router!

JP DI.T.Author Commented:
Helped guide me to a solution
JP DI.T.Author Commented:
Thanks!

I agree.  I would prefer to have everything done on the router, but this will hold me over for now while I focus on other priorities.  I will certainly keep that in mind when I will be replacing the router(s)....not really liking the 3coms at this point.