Routing: Need to join two networks together, but maintain their separation

Jon Jaques
Hello, I have a production network and database, and a development network and database, and they have previously been at different locations, but now I have moved everything into one location, and I'm trying to find the best way for them to co-exist and make our development/deployment processes as easy as possible while still maintaining our ability to test in an isolated environment.

Currently, what I have done as a first try at setting it up is simply to set up the developmental firewall, a Netgear FVS338, attached to the main production firewall, another identical Netgear, with NAT.

The production network is 192.168.1.x, and the development network is 192.168.99.x.

I'd like to be able to share files between the two networks, possibly even create a trust relationship between my two domain controllers, but the NAT configuration is definitely preventing that... The Netgears both have a choice of NAT or "Classical Routing", but I can't seem to figure out how to make that do what I want, or at the very least, from what I've read, it seems like I'd have to create a static route for each machine on the network.

Can anybody recommend the correct setup for what we're trying to do? I've got a diagram of how I'm set up now, I'll upload that in a few...

Thanks in advance!

--Jon

This is my current setup...
Commented:
create the routes on the firewall, that should do the job
Jon,
 I am not sure which Netgear product you are using but all you really need is a router to be able to route between these two networks.

So let's just say your Netgear routers have multiple interfaces you can configure separately.
So you would have, for example, one WAN and LAN connection now; if you have another port you can configure separately as another LAN/WAN port, you can create a connection between the two Netgears.
NetgearA - new interface would be 192.168.252.2 subnet 255.255.255.252
NetgearB - new interface would be 192.168.252.3 subnet 255.255.255.252

and you can route between them now by adding a static route on NetgearA of
Destination 192.168.99.0 255.255.255.0 gateway 192.168.252.3
And a similar static route on NetgearB of
Destination 192.168.1.0 255.255.255.0 gateway 192.168.252.2
 example
Just saw you updated with an image.
If both firewalls have an interface on the 192.168.1.x network you would only have to add a static route on your production firewall of
Destination 192.168.99.0 255.255.255.0 gateway 192.168.1.x and x being the IP of the development firewall.
The development firewall may need to be in classic routing mode. Or you can use the diagram and setup I posted above; this keeps the networks totally separate, with the development Netgear only having an IP on its subnet and the PPP subnet.
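The two static-route plans from the answer above, run through a small sanity check (an added example, not part of the original thread). Router A's interface list is an assumption built from addresses in the thread: 192.168.1.1 and 192.168.1.142 are the first two hops in the tracert output posted later.

```python
import ipaddress as ip

def check_static_route(interfaces, dest, mask, gateway):
    """Return a list of problems with one static route on one router.

    interfaces: the router's own addresses, e.g. ["192.168.1.1/255.255.255.0"].
    """
    ifaces = [ip.ip_interface(i) for i in interfaces]
    target = ip.ip_network(f"{dest}/{mask}")
    gw = ip.ip_address(gateway)
    problems = []

    # The next hop must sit on a subnet the router is directly attached to,
    # otherwise the router has no link on which to reach it.
    link = next((i.network for i in ifaces if gw in i.network), None)
    if link is None:
        problems.append(f"gateway {gw} is not on a connected subnet")
    elif link.prefixlen < 31 and gw in (link.network_address, link.broadcast_address):
        problems.append(f"gateway {gw} is the network/broadcast address of {link}")

    # A router cannot use its own address as the next hop.
    if any(gw == i.ip for i in ifaces):
        problems.append(f"gateway {gw} is this router's own address")

    # A static route covering an attached subnet usually means a typo.
    if any(target.overlaps(i.network) for i in ifaces):
        problems.append(f"destination {target} overlaps a connected subnet")
    return problems

# Plan 1: dedicated transit link (router A's LAN address is assumed).
TRANSIT_A = ["192.168.1.1/255.255.255.0", "192.168.252.2/255.255.255.252"]
# Plan 2: both firewalls on 192.168.1.x; .142 is the hop seen in the tracert.
SHARED_A = ["192.168.1.1/255.255.255.0"]

def audit():
    """Check the route router A would carry under each plan."""
    return {
        "transit": check_static_route(TRANSIT_A, "192.168.99.0", "255.255.255.0", "192.168.252.3"),
        "shared": check_static_route(SHARED_A, "192.168.99.0", "255.255.255.0", "192.168.1.142"),
    }

if __name__ == "__main__":
    for plan, problems in audit().items():
        print(plan, problems or "ok")
```

A 255.255.255.252 subnet has two usable host addresses, so 192.168.252.0 offers .1 and .2 for a point-to-point link.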
Jon Jaques, Information Technologist

Author

Commented:
Thank you schmitty007, it looks like you've understood my needs perfectly!

This Netgear only has the following "interfaces": Broadband, Dialup, and Lan... but it also has a feature called "Multi Homing", which I've never used before... I'm thinking that I need to add 192.168.252.2 & 192.168.252.3 to routers A & B respectively under multi-homing, yes?

Also, I can set router B to "classic routing" and turn off NAT, should I do that?

Thanks a million for your quick and knowledgeable response!

--Jon
Hmm, you can look at this document from Netgear.

It seems it will allow you to create a second LAN inside of your firewall. I've personally never done this with the Netgear product. It appears that it should be able to accomplish this, just in a roundabout way. It does say it can use this multi-homing interface as a gateway.
With that you might not need to switch it from NAT to classical routing. As I said, I never used Netgear much, mostly Cisco and business/enterprise products.
You can give it a try during your maintenance window.
Jon Jaques, Information Technologist

Author

Commented:
Referring back to your previous comment, where you said:
If both firewalls have an interface on the 192.168.1.x network you would only have to add a static route on your production firewall of
Destination 192.168.99.0 255.255.255.0 gateway 192.168.1.x and x being the IP of the development firewall.

I do indeed have an interface on the 1.x network, from both routers, so I did go ahead and add that route to "router A", and now if I ping 192.168.99.112, a workstation, I get timeouts, so I did a traceroute, and it looks like this:

tracert 192.168.99.112

Tracing route to 192.168.99.112 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     6 ms     1 ms    <1 ms  192.168.1.142
  3     *        *        *     Request timed out.
  4     *     etc., all timeouts after 1.142.


So it does seem to find its way to the router, but it gets lost after that. Do I need to add a reciprocating route on "router B"?

Thanks in advance!
Yes, it seems you do. On most routers, if an interface is directly connected to a subnet you do not, but with the Netgear you may need to.
Jon Jaques, Information Technologist

Author

Commented:
It doesn't want to let me enter that route... it says "command returned error"...

Hmmm, the error was when I was trying to add that route to the "broadband" interface, but it just let me enter it to the LAN interface... Should I not be connecting the uplink to the WAN interface on router B maybe? Hmmm, no, because then I wouldn't have an interface on the 1.x network anymore.

Do I need to fall back to the multi-homing technique, or am I just missing something here that can get this going?
Jon Jaques, Information Technologist

Author

Commented:
Aha! Figured it out! I still had to add one more rule to the firewall of router B to just "allow all inbound traffic", and voila! Thanks for your help!
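The "allow all inbound traffic" rule that got traffic flowing, modelled beside a rule set scoped to the two subnets (an added example, not part of the original thread and not FVS338 syntax). The rule format, the sample flows and the choice of SMB on TCP 445 plus ICMP are assumptions; a domain trust would need further services added to the scoped list.

```python
import ipaddress as ip

PROD = "192.168.1.0/24"   # production network, from the thread
DEV = "192.168.99.0/24"   # development network, from the thread
ANY = "0.0.0.0/0"

# Rule: (action, source net, destination net, protocol, port or None for any)
ALLOW_ALL = [("allow", ANY, ANY, "any", None)]
SCOPED = [
    ("allow", PROD, DEV, "tcp", 445),    # file sharing over SMB (assumed need)
    ("allow", PROD, DEV, "icmp", None),  # ping/tracert testing, as in the thread
    ("deny", ANY, ANY, "any", None),     # everything else stays out of dev
]

def decide(rules, src, dst, proto, port=None):
    """First-match evaluation; deny when no rule matches."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, r_proto, r_port in rules:
        if (s in ip.ip_network(src_net) and d in ip.ip_network(dst_net)
                and r_proto in ("any", proto) and r_port in (None, port)):
            return action
    return "deny"

# Constructed flows arriving on router B's WAN side.
FLOWS = [
    ("192.168.1.50", "192.168.99.112", "tcp", 445),    # prod workstation to dev share
    ("192.168.1.50", "192.168.99.112", "icmp", None),  # the ping from the thread
    ("192.168.1.50", "192.168.99.112", "tcp", 3389),   # service nobody asked for
    ("203.0.113.9", "192.168.99.112", "tcp", 445),     # source outside production
]

def compare():
    """Flows the allow-all rule admits that the scoped rule set blocks."""
    return [f for f in FLOWS
            if decide(ALLOW_ALL, *f) == "allow" and decide(SCOPED, *f) == "deny"]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "allow-all:", decide(ALLOW_ALL, *flow),
              "scoped:", decide(SCOPED, *flow))
```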
Jon Jaques, Information Technologist

Author

Commented:
Excellent and timely answer! Thanks a million!
Excellent, glad you have it figured and working.