Two Networks - One ISP

Posted on 2013-05-28
Medium Priority
Last Modified: 2013-05-28
I hope I can explain this well enough for someone to help me.

I have two networks in my building. They both have a totally separate network infrastructure. Each network has its own firewall (Sonicwall NSA 3500) and each has a different Internet Service Provider.

On one of the networks (call it network-1) I have a fiber primary WAN connection and a Comcast 100mbps business class line on a secondary WAN as a fail-over.

On the second network (call it network-2) I have a fiber primary WAN connection, but no secondary WAN as a fail-over.

What I want to do is use the Comcast 100mbps business class line as a fail-over WAN on both networks. I have 5 static IP addresses with the 100mbps line and I think I can just assign an IP address to the secondary WAN both networks, give them the same gateway address, and that will work.

My problem is, I can’t have connectivity between these two networks. I’m concerned that because the two secondary WAN interfaces have addresses that are on the same segment there will be problems.

Can anyone give me advice on this? Is there a way of doing this safely?
Question by:TwoKJM
LVL 22

Assisted Solution

CompProbSolv earned 750 total points
ID: 39201914
Since the Comcast WAN is separated from your two LANs by the firewalls, they are really no more connected to each other than they are to anyone else on the internet.  You should be fine.
LVL 26

Accepted Solution

Fred Marshall earned 750 total points
ID: 39202188
Yet, I presume the two networks are collocated so that the physical connection you want is available.....

Here's what I do with no worse "interconnection" than being a node on the internet:

Install an "Internet Switch" that is connected between the Comcast interface and the other public IP addressed devices on your side of things.

Then you connect the WAN ports to the switch and assign them out of your public IP address block.  
And, as you plan, point to the appropriate gateway addresses.

You can have *all* the public addresses running through this one switch - even if there are different ISPs, address blocks, etc.  Then, if it's a managed switch, you can monitor what's going on.  If the networks are protected from the internet, then they are protected from this "mini-internet" at the switch.

Expert Comment

ID: 39202330
If I'm understanding your question, you have two Internet connections, and two separate internal network. And you want to be able to share the two Internet connections (one as primary; one as failover), without allowing connectivity between the two internal networks.

The problem with using a switch is that you won't have the failover. At best, you'd be able to manually set the routers to the second default gateway, in the event the primary fails. But that's certainly not automatic.

I'd suggest getting a decent router - I'd use a SonicWALL, but you'd be fine with any decent brand - and connecting both Internet routers to it: One as Primary WAN; the other as Failover. Then I'd connect each network's switch to that router, but define the ports as being in different networks. (I.e. port 1 is in, and port 2 is in Each network will connect to its own router port, and that router can reach the Internet using either ISP, with automatic failover. You can configure firewall rules in the SonicWALL to prevent the two internal LANs from talking to each other.

Alternately, you could get two additional routers - one for each internal LAN, and then feed both of THEM to the centralized Internet router (which is still connected to both ISP routers.) In this model, you would keep all the LAN ports on the central router in the same LAN.

Author Comment

ID: 39202371

I actually have two Sonicwall Firewalls with multiple WAN interfaces. One Firewall on each network. I have three ISPs in total.

I have one ISP assigned to each Firewall as the as the primary WAN. My question was about sharing the third ISP as a fail-over on both Firewalls. Since I have a block of 5 IP addresses with the third ISP, I think the switch will work.


Expert Comment

ID: 39202398
In that case, I suspect you're right.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In this article, we’ll look at how to deploy ProxySQL.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

593 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question