Jon Jaques asked:

Routing: Need to join two networks together, but maintain their separation

Hello, I have a production network and database, and a development network and database, and they have previously been at different locations, but now I have moved everything into one location, and I'm trying to find the best way for them to co-exist and make our development/deployment processes as easy as possible while still maintaining our ability to test in an isolated environment.

Currently, what I have done as a first try at setting it up is simply to setup the developmental firewall, a Netgear FVS338, attached to the main production firewall, another identical Netgear, with NAT.

The production network is 192.168.1.x, and the development network is 192.168.99.x.

I'd like to be able to share files between the two networks, possibly even create a trust relationship between my two domain controllers, but the NAT configuration is definitely preventing that... The Netgears both have a choice of NAT or "Classical Routing", but I can't seem to figure out how to make that do what I want, or at the very least, from what I've read, it seems like I'd have to create a static route for each machine on the network.

Can anybody recommend the correct setup for what we're trying to do? I've got a diagram of how I'm setup now, I'll upload that in a few...

Thanks in advance!

--Jon

X-treem:

create the routes on the firewall, that should do the job
Jon,
 I am not sure which Netgear product you are using but all you really need is a router to be able to route between these two networks.

So let's just say your Netgear routers have multiple interfaces you can configure separately.
So you would have, for example, one WAN and one LAN connection. Now, if you have another port you can configure separately as another LAN/WAN port, you can create a connection between the two Netgears.
NetgearA - new interface would be 192.168.252.2 subnet 255.255.255.252
NetgearB - new interface would be 192.168.252.3 subnet 255.255.255.252

and you can route between them now by adding a static route on NetgearA of
Destination 192.168.99.0 255.255.255.0 gateway 192.168.252.3
And a similar static route on NetgearB of
Destination 192.168.1.0 255.255.255.0 gateway 192.168.252.2
ASKER CERTIFIED SOLUTION
schmitty007
Jon Jaques (ASKER):

Thank you schmitty007, it looks like you've understood my needs perfectly!

This netgear only has the following "interfaces": Broadband, Dialup, and Lan... but it also has a feature called "Multi Homing", which I've never used before... I'm thinking that I need to add 192.168.252.2 & 192.168.252.3 to routers A & B respectively under multi-homing, yes?

Also, I can set router B to "classic routing" and turn off NAT, should I do that?

Thanks a million for your quick and knowledgeable response!

--Jon
Hmm you can look at this document from Netgear.

It seems it will allow you to create a second LAN inside of your firewall. I've personally never done this with the Netgear product. It appears that it should be able to accomplish this, just in a roundabout way. It does say it can use this multi-homing interface as a gateway.
With that you might not need to switch it from NAT to classical routing. As I said, I never used Netgear much, mostly Cisco and business/enterprise products.
You can give it a try during your maintenance window.
Referring back to your previous comment, where you said:
If both firewalls have an interface on the 192.168.1.x network you would only have to add a static route on your production firewall of
Destination 192.168.99.0 255.255.255.0 gateway 192.168.1.x and x being the IP of the development firewall.

I do indeed have an interface on the 1.x network, from both routers, so I did go ahead and add that route to "router A", and now if I ping 192.168.99.112, a workstation, I get timeouts, so I did a traceroute, and it looks like this:

tracert 192.168.99.112

Tracing route to 192.168.99.112 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     6 ms     1 ms    <1 ms  192.168.1.142
  3     *        *        *     Request timed out.
  4     *     etc., all timeouts after 1.142.

So it does seem to find its way to the router, but it gets lost after that. Do I need to add a reciprocating route on "router B"?

Thanks in advance!
Yes, it seems so. On most routers, if an interface is directly connected to a subnet, you do not, but with the Netgear you may need to.
It doesn't want to let me enter that route... it says "command returned error"...

Hmmm, the error was when I was trying to add that route to the "broadband" interface, but it just let me enter it to the LAN interface... Should I not be connecting the uplink to the WAN interface on router B maybe? Hmmm, no, because then I wouldn't have an interface on the 1.x network anymore.

Do I need to fall back to the multi-homing technique, or am I just missing something here that can get this going?
Aha! Figured it out! I still had to add one more rule to the firewall of router B to just "allow all inbound traffic", and voila! Thanks for your help!
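The tracert above (packets reach 192.168.1.142 and then vanish) and the fix Jon found can be reproduced with a small routing-and-policy simulation; this is an added illustration, not something from the thread or from Netgear. It assumes router B's LAN address is 192.168.99.1, a production host at 192.168.1.50, and an inbound rule on router B scoped to 192.168.1.0/24 rather than the "allow all inbound" rule used in the thread.

```python
import ipaddress as ipa

class Router:
    """Toy firewall/router: interfaces, static routes, per-interface inbound allow list."""
    def __init__(self, name, ifaces, routes=(), allow=()):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(ipa.ip_network(n), ipa.ip_address(gw)) for n, gw in routes]
        self.allow = [(i, ipa.ip_network(n)) for i, n in allow]  # unlisted = drop
    def permits(self, iface, src):
        return any(iface == i and src in net for i, net in self.allow)
    def next_hop(self, dst):
        """Directly connected wins; otherwise longest matching static prefix."""
        if any(dst in i.network for i in self.ifaces.values()):
            return dst
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def trace(src, dst, gateway, routers):
    """Hop list from the sender's gateway, ending in dst, 'DROP' or 'UNREACHABLE'."""
    src, dst, hop = (ipa.ip_address(x) for x in (src, dst, gateway))
    owner = {i.ip: (r, n) for r in routers for n, i in r.ifaces.items()}
    path = []
    for _ in range(30):  # hop limit, like tracert
        if hop == dst:
            return path + [str(dst)]
        if hop not in owner:  # next_hop() found no route
            return path + ["UNREACHABLE"]
        router, iface = owner[hop]
        path.append(f"{hop} ({router.name}/{iface})")
        if not router.permits(iface, src):  # inbound policy on the arrival interface
            return path + ["DROP"]
        hop = router.next_hop(dst)
    return path + ["LOOP"]

# Constructed topology: A is the production Netgear (192.168.1.1) carrying the static
# route from the thread; B's WAN side 192.168.1.142 is the hop seen in the tracert.
ROUTER_A = Router("A", {"lan": "192.168.1.1/24"},
                  routes=[("192.168.99.0/24", "192.168.1.142")], allow=[("lan", "192.168.1.0/24")])

def dev_router(allow_from_prod):
    """Router B without, or with, an inbound rule scoped to the production LAN (assumed)."""
    rules = [("lan", "192.168.99.0/24")]
    if allow_from_prod:
        rules.append(("wan", "192.168.1.0/24"))  # narrower than 'allow all inbound'
    return Router("B", {"wan": "192.168.1.142/24", "lan": "192.168.99.1/24"}, allow=rules)

def paths(allow_from_prod):
    """Forward (prod -> dev) and reply (dev -> prod) paths for one router-B policy."""
    routers = [ROUTER_A, dev_router(allow_from_prod)]
    return (trace("192.168.1.50", "192.168.99.112", "192.168.1.1", routers),
            trace("192.168.99.112", "192.168.1.50", "192.168.99.1", routers))
```

Without the inbound rule the forward path stops at 192.168.1.142 exactly as the tracert did, while the reply path never needed a return route because router B is directly connected to 192.168.1.0/24.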
Excellent and timely answer! Thanks a million!
Excellent glad you have it figured and working.