Solved

Router Selection for Multiple Subnet NATing

Posted on 2011-02-19
Last Modified: 2012-05-11
I currently have a router (Linksys RV042) that only allows port forwarding to 1 subnet.  I am attempting to allow an H.323 device on the Internet to connect to an H.323 device behind the firewall and then further down the network across another VPN span to another subnet.  Presently I can route traffic fine in terms of getting out; however, obviously with H.323 UDP packets I have some additional problems, because while the TCP traffic can negotiate, the UDP packets are dropped since there's no apparent route back, even when masquerading the public IP from the internal H.323 device, since the RV042 has no way of understanding the route back down to the inside device when traffic is inbound.

Here's a quick diagram of the network (presently I don't have the two VPNs teamed, as that's another issue I'm tackling right now, but that's really a different matter).

You can see from this that my immediate need is to connect the "Office 1" "H.323 1" device to the "Remote Site / Node 2" "H.323 2" device.  That is what that red arrow between the two indicates.

So essentially I need to understand what router would be optimal in this situation.  Cisco / Linksys is telling me that they don't think they have a small business class router that will handle it and that I'll probably have to jump up to enterprise class.  It seems that perhaps DD-WRT or RouterOS (MikroTik) could handle this or perhaps another solution.  Can someone please recommend a router or appropriate OS that would be ideal for this and support a bunch of video traffic in this regard?

Another important feature is that I must be able to assign public IPs to devices down inside the network on the other subnets as well.  Each of these devices on the internal network is to offer publicly accessible services from various kinds of devices.

So a recommendation for an appropriate router would be superb.

A bonus is that I must be able to team the two VPNs, which I could essentially use to create perhaps one homogeneous subnet, which would also work, but I'm unclear about the best option for teaming VPNs at the moment.
Question by:gpsocs
18 Comments
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 325 total points
ID: 34933908
I use a sonicwall tz210 (not wireless) and it does all this for under $600

Author Comment

by:gpsocs
ID: 34934277
Would a tz180 accomplish the same thing, even temporarily?  I have an old one of these units in storage and just remembered it once you noted this newer model.

Certainly would welcome other recommendations as well.

LVL 38

Expert Comment

by:Aaron Tomosky
ID: 34934372
I don't know off the top of my head, it may have silly dhcp limitations. Check the manual. Also if you can use the sonic enhanced os it's much better.

Author Comment

by:gpsocs
ID: 34934396
So essentially I'll be able to take a block of IPs with a 210 and NAT any device on any subnet behind the 210 up to that ip, correct?  Any tutorials or sections in the instruction manual that point me in a more positive direction on this?  I'd like to see some solid info on how to do what I want to do before I go out and rush the owner of the business into purchasing this as we have a Monday deadline to get this set and going.
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 325 total points
ID: 34934735
The 210 has a 4000 IP range limit, whatever the /?? is for that. I currently have 4 255.255.255.0 subnets getting DHCP from and going through its firewall. I have multiple external IPs pointing to a few different servers on different subnets. There are tons of tutorials on SonicWall's website.
LVL 33

Assisted Solution

by:digitap
digitap earned 175 total points
ID: 34935625
i believe the tz180 would do fine.  update the firmware before you start.  is it standard or enhanced os?  now, you might have some throughput issues which would be solved with some of the newer TZ models or NSA models.

as far as homogeneously designing your VPNs, the sonicwalls will handle that also.  as pointed out by aaron, you'll want the enhanced OS, but that should come standard on most of the new models...double-check just in case, however.  also, depending on how many vpns you'll want to create, you might need to be licensed for more than the default...which i can't remember on the 180 off the top of my head.

regarding homogeneous, are you talking hub and spoke vpns or mesh vpns?  mesh just means that every remote site has a vpn to every other remote site.  hub and spoke is a little simpler to maintain as each remote site has only one vpn back to HQ.  kb below is for hub and spoke.

hub and spoke:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3552

Author Comment

by:gpsocs
ID: 34935672
The two VPNs are managed by the resellers (TW Telecom and AT&T) and are supposed to be MPLS.  However, I fear, they are simply ON MPLS vs them just giving us a true MPLS cloud.  That is the real problem at the moment, and we should have a homogeneous subnet across the entire VPN cloud from what I understand now of a true MPLS network...

So currently it is a mesh style vpn where each node is just a node or peer in the VPN it appears.  We have no real control over the VPNs.
LVL 33

Expert Comment

by:digitap
ID: 34935696
ok...does the ISP hand off an ethernet connection to you that represents the other two mpls connections OR do you get two ethernet connections?  i have a couple of clients that are part of an mpls solution and i get to create my own subnet across the connection.  i could use RIP or another routing protocol or i could create a subnet and just set up routes.  i chose the latter.  it works well and i don't mind the extra work to create the routes.

anyway, knowing a little more about how you connect to the "mpls" would be helpful.

Author Comment

by:gpsocs
ID: 34935773
I'm semi new to this project, however it appears that each point has a router. (AT&T have Cisco routers; TW Telecom has perhaps Avaya, but I can't recall) and they simply give us a private internal ip.  So, sure we can ping, for example, the external ip address of the juniper router upstream to tw telecom, but we only have the internal ip 10.0.2.0/24 to work with.

Now, this does not appear to be optimal and we're going to actually speak with them to get a true mpls cloud for each vpn vs what we have, however for now we have to work with what we have temporarily just because we have to have a few sites up immediately.

I'll split this off into another question to get into more detail and the nitty gritty of this point as I need some solid information and suggestions regarding what to specifically tell the ISPs what we need to actually have happen.
LVL 33

Expert Comment

by:digitap
ID: 34935805
thanks for the extra info.  when we set up our mpls type connection, we put in a layer 3 switch at each mpls site.  the ISP let us pick our own subnet.  so, for instance, we chose 10.0.1.0/24.  HQ was 10.0.1.1, site 2 was 10.0.1.2, etc.  this was the MAN IP of the layer 3 switch.  at HQ, we had 192.168.1.0/24, at site 2 we had 192.168.2.0/24, etc.  on each router, we made the MAN IP the gateway for the switch.  for the hosts, the LAN IP is the gateway.  we set up routes on each router for the remote site's network using the MAN IP of that layer 3 switch as the gateway.

in this instance, we had a mesh.  also, since the mpls network is "private", we didn't need to setup VPNs between each site.
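The static-route design digitap describes above (one shared MAN subnet, one LAN per site, a route per remote LAN via that site's MAN IP), worked through as an added example that is not from the thread or from any vendor: it builds each site's route table for either a full mesh or hub-and-spoke, and does a longest-prefix lookup to show which next hop a packet gets, or that it is dropped. The site plan is constructed to match the numbering in the comment; the third site is assumed.

```python
import ipaddress

# Constructed site plan following the comment: MAN IPs on 10.0.1.0/24,
# one private LAN per site. "site3" is an assumed extra site.
MAN_SUBNET = ipaddress.ip_network("10.0.1.0/24")
SITES = {
    "HQ":    {"man_ip": "10.0.1.1", "lan": "192.168.1.0/24"},
    "site2": {"man_ip": "10.0.1.2", "lan": "192.168.2.0/24"},
    "site3": {"man_ip": "10.0.1.3", "lan": "192.168.3.0/24"},
}

def build_routes(sites, hub=None):
    """Return {site: [(destination_network, next_hop_man_ip), ...]}.

    hub=None  -> full mesh: every switch has a direct route to every other
                 site's LAN via that site's MAN IP (the design in the comment).
    hub="HQ"  -> hub-and-spoke: spokes send all remote LAN traffic to the hub's
                 MAN IP; only the hub keeps one route per spoke."""
    for name, s in sites.items():
        if ipaddress.ip_address(s["man_ip"]) not in MAN_SUBNET:
            raise ValueError(f"{name}: MAN IP {s['man_ip']} not in {MAN_SUBNET}")
    routes = {}
    for name in sites:
        entries = []
        for other, o in sites.items():
            if other == name:
                continue
            hop = o["man_ip"] if (hub is None or name == hub) else sites[hub]["man_ip"]
            entries.append((o["lan"], hop))
        routes[name] = sorted(entries)
    return routes

def next_hop(routes, src_site, dst_ip):
    """Longest-prefix match on one site's table. None means no route, i.e. the
    packet is dropped, which is the "no route back" problem in the question."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for dest, hop in routes[src_site]:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

if __name__ == "__main__":
    for site, table in build_routes(SITES).items():
        print(site, table)
```

An address outside every planned LAN (for example 172.16.0.1) returns None from `next_hop`, which is the check to run before assuming a remote subnet is reachable.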

Author Comment

by:gpsocs
ID: 34938757
Turns out the TZ 180 I have was able to be updated to SonicOS Enhanced 4.2.1.0-20e.  This sounds promising.

Do either of you have suggestions towards the tutorials / wizards that would get my horse pointed north regarding the subnet issue as it presently stands?  I know that I had a nightmare of a time with port forwarding NAT before on this unit a few years ago which was one reason we moved away from it sadly.
LVL 33

Assisted Solution

by:digitap
digitap earned 175 total points
ID: 34938802
if you are just talking about opening ports then simply run the public server wizard.  here's a KB,

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027


is this what you're talking about?
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 325 total points
ID: 34938804
I use the wizard whenever I want an outside IP to hit a server as it makes the address objects and groups. Then I just add and remove services from the group depending on the type of server.

Rule 1 with sonicwall is to make everything an address object.

If you aren't sending everything then make a service group just for that address object.

Then make a route and a firewall rule.

If you are making subnets, make the subnet first under networking. It should make the DHCP and address object automatically. If you change DHCP then make a change to the subnet it will magically change your DHCP for you.
LVL 33

Assisted Solution

by:digitap
digitap earned 175 total points
ID: 34938817
to clarify, when you create a new subnet and assign it to an interface, it will create DHCP and the relative address objects.  is this what you were referring to aaron?
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 34939103
Yes, you said it a little clearer than I.
LVL 33

Expert Comment

by:digitap
ID: 34939213
cool...

Author Comment

by:gpsocs
ID: 34939850
Okay, this question is getting a bit lengthy.  Let's cap this off and start some more... :)  I need to get into some other specifics now that I'm config'ing the unit.
LVL 33

Expert Comment

by:digitap
ID: 34940287
cool...thx for the pts!