Solved

Bouncing Traffic through office

Posted on 2014-08-21
Last Modified: 2014-11-18

Hi

We have a customer who has 2 broadband lines in their office on the same network. They use a specific piece of software that needs to connect using "line 2" which is a dedicated line for their software. They use a route add on each machine to direct the traffic for the specific external IP range to that line.

What could we do for them to allow them to direct traffic through line 2 when outside the office, so they can use laptops?

Obviously a VPN was the first thought, but that would just route the traffic to the main line - it wouldn't route it back out again on line 2, I don't think.

thanks

Steve
Question by: stevie_dee

Accepted Solution

by: Frosty555 (earned 2000 total points)
ID: 40276902
I don't know exactly how your network is set up but I can take a guess. This sounds very similar to how a few of my clients are set up (they have a software provider that insists on a dedicated Internet connection for their services).

Your software provider probably has a dedicated router onsite which uses the dedicated broadband Internet "Line 2" to establish a site-to-site VPN with their servers outside your network. Then they tell you to set up static routes on your PCs so that traffic destined for their particular subnet is routed through THEIR router, instead of yours.

For your own network, you have your own router connecting to the "Line 1" broadband that does all of your own network's normal Internet routing, and it is configured as the default gateway for your PCs and they use it for normal Internet traffic.

I've made a little diagram of what I think your network looks like. Obviously I made assumptions about what are the actual network addresses and subnets that you are using so you'll have to bear with me and translate what I put in the diagram in your head to what your actual network is using.

Hypothetical diagram of your network
Assuming this is pretty much correct, I think you should do a few things:

1) First, instead of adding static routes to each PC, add the static route for the "10.0.0.0/24" network to ROUTER 1.

Since Router 1 is the default gateway for your PCs, they will send all traffic that isn't on the local subnet there. ROUTER 1 will then send traffic for the 10.0.0.0/24 subnet to ROUTER 2, which will then route it via whatever VPN / tunneling system it has using Broadband Line 2.

This means that you do not need any special configuration on your PCs. As far as they are concerned, the 10.0.0.0/24 subnet that your dedicated software is using is just another address out on the Internet somewhere. They do not need to know that it is in-fact being routed via ROUTER 2 over a different Internet connection.


2) Set up a remote access VPN on ROUTER 1. I'm going to assume that you will use the Routing and Remote Access service of a typical Windows Server to set up PPTP VPN and do the necessary port forward of TCP Port 1723 and GRE Protocol 47 on ROUTER 1. But whatever you were planning on doing for a VPN, implement that.

The critical step for your clients is to make sure they are configured to "use the default gateway of the remote connection". That is to say, when your clients are connected to the VPN, ALL Internet traffic passes through the VPN, not just traffic destined for the one local subnet.

In a standard Windows 7 Native VPN Connection, this option is configured under Properties->Networking->TCP/IPv4->Properties->Advanced->"Use default gateway on remote network"

When you do this, ALL Internet traffic (including traffic destined for 10.0.0.0/24) from the VPN client will go through your VPN (via Broadband Line 1) to the default gateway (ROUTER 1). ROUTER 1 will direct the traffic for the 10.0.0.0/24 subnet to ROUTER 2, which will route it to your software provider via Broadband Line 2, and you'll have connectivity.

Your remote access clients would connect to the VPN on the WAN IP of Line 1, e.g. 123.123.123.123.

Of course this does mean that ALL Internet traffic for your remote users will go over the VPN, which will impact the overall Internet speeds of your clients while they are connected to the VPN since their download speed would be limited to Broadband Line 1's upload speeds.

If you'd rather have just the two subnets (192.168.1.0/24 and 10.0.0.0/24) go through the VPN connection and have all other Internet traffic bypass the VPN, you'd have to set up the static routes on the VPN client for the 10.0.0.0/24 subnet after they establish connectivity to your VPN so that traffic for 10.0.0.0/24 is routed to ROUTER 1 via the VPN. You can do this manually with a "route add" command at the command prompt in Windows after VPN connectivity is established. Some VPN clients support adding the route for you automatically. I think OpenVPN and Cisco AnyConnect do support it, but the Native Windows PPTP VPN client doesn't really do it, at least not easily.

Author Comment

by: stevie_dee
ID: 40277039
Frosty555 - thanks so much for your detailed response!

Your presumptions are pretty much spot on - just a few amends as per the updated diagram (Sorry for the Plagiarism)

Network Diagram V2
Router 1 runs DHCP as there is no server onsite currently. It gives the default GW as 192.168.1.1.

We set a static route on each machine to point all traffic for 99.99.99.99 to go through 192.168.1.254

The software package in question talks directly to an external IP, not an internal one - so I presume NO VPN is used - only a firewall locking down the incoming traffic on the remote end.

Also, router 2 is locked down so we can't make any changes on it.

Does that change your recommendations?

Thanks

Steve

Expert Comment

by: Frosty555
ID: 40277175
Nope that sounds just about right, I would not expect the software package to talk to any internal IP addresses. It simply tries to send packets to 99.99.99.99, the routing table on the computer tells it to send those packets to the 192.168.1.254 gateway (Router 2), and Router 2 handles it from there. It might be a VPN, it might be a simple firewall, it doesn't really matter, as far as you are concerned the process is transparent.

So yes, basically instead of setting the static route on every machine telling it to send traffic destined for 99.99.99.99 to the 192.168.1.254 gateway, put that static route on Router 1 instead.

The flow of traffic will change from:
    PC->Router 2->99.99.99.99
                   [via LINE 2]

To this:
    PC->Router 1->Router 2->99.99.99.99
                                   [via LINE 2]

The extra "hop" should be unnoticeable provided that Router 1 and your Switch are decent quality pieces of equipment.

And your VPN traffic will look like this:

    Remote PC->VPN Tunnel->Router1->Router 2->99.99.99.99
                              [via LINE 1]                      [via LINE 2]

Hopefully Router 1 supports some kind of remote access VPN internally. If not, you might need to find other equipment to implement the remote access VPN, or replace the router. Most of my experience has been with Windows Server running RRAS, but there are plenty of other VPN products out there both in software and hardware form that will arguably do a better job.
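
The routing logic in the accepted solution and the traffic flows sketched in the comment above, as an added example that is not part of the original thread. The Python below models each box (PC, Router 1, Router 2, a remote laptop and its home router) as a static routing table with longest-prefix-match lookup, then traces where a packet for 99.99.99.99 leaves the network in each configuration: the original per-PC `route add`, the route moved onto Router 1, a VPN laptop with "Use default gateway on remote network", and a split-tunnel laptop with and without its own host route. The addresses are the ones quoted in the thread (99.99.99.99, 192.168.1.0/24, 123.123.123.123 as the Line 1 WAN IP); the node names, the home router, the egress labels, the host route the VPN client installs for its own server, and 8.8.8.8 as a stand-in for ordinary Internet traffic are constructed assumptions for the model, and the VPN tunnel is simplified to a direct link to Router 1.

```python
import ipaddress

# Addresses taken from the thread; everything else (node names, the home
# router, the egress labels, 8.8.8.8 as "some web server") is a constructed
# assumption for this model.
PROVIDER = "99.99.99.99"        # the software vendor's external endpoint
VPN_SERVER = "123.123.123.123"  # WAN IP of Line 1 that remote laptops dial into
OFFICE_LAN = "192.168.1.0/24"


class Router:
    """A host or router with a static routing table.

    A next hop is either the name of another node in the model or an egress
    label such as 'LINE 2', meaning the packet leaves the modelled network.
    """

    def __init__(self, name, routes):
        self.name = name
        # Longest prefix wins, so order the table by prefix length descending.
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        for prefix, next_hop in self.routes:
            if addr in prefix:
                return next_hop
        raise LookupError(f"{self.name}: no route to {addr}")


def trace(nodes, start, dst, max_hops=8):
    """Follow dst hop by hop from `start`; returns the path ending in an egress label."""
    path = [start]
    current = start
    for _ in range(max_hops):
        hop = nodes[current].next_hop(dst)
        path.append(hop)
        if hop not in nodes:  # egress label: the packet has left the model
            return path
        current = hop
    raise RuntimeError("routing loop: " + " -> ".join(path))


def office_nodes(route_on_pc):
    """Office LAN as described in the thread. route_on_pc=True is the original
    per-machine `route add`; False moves that route onto Router 1 instead."""
    pc = [(OFFICE_LAN, "LAN"), ("0.0.0.0/0", "ROUTER1")]
    router1 = [(OFFICE_LAN, "LAN"), ("0.0.0.0/0", "LINE 1")]
    (pc if route_on_pc else router1).append((PROVIDER + "/32", "ROUTER2"))
    return {
        "PC": Router("PC", pc),
        "ROUTER1": Router("ROUTER1", router1),
        # Router 2 is locked down; all we know is that it sends everything out Line 2.
        "ROUTER2": Router("ROUTER2", [(OFFICE_LAN, "LAN"), ("0.0.0.0/0", "LINE 2")]),
    }


def remote_nodes(use_remote_default_gw, extra_client_routes=()):
    """A laptop connected to the Router 1 VPN from home. The tunnel is modelled
    as a direct link to ROUTER1; the VPN server itself must stay reachable via
    the home router, otherwise a full tunnel would swallow its own outer packets."""
    laptop = [
        (OFFICE_LAN, "ROUTER1"),              # office subnet is always tunnelled
        (VPN_SERVER + "/32", "HOME_ROUTER"),  # host route for the tunnel endpoint
        ("0.0.0.0/0", "ROUTER1" if use_remote_default_gw else "HOME_ROUTER"),
    ] + list(extra_client_routes)
    nodes = office_nodes(route_on_pc=False)
    nodes["LAPTOP"] = Router("LAPTOP", laptop)
    nodes["HOME_ROUTER"] = Router("HOME_ROUTER", [("0.0.0.0/0", "HOME ISP")])
    return nodes


if __name__ == "__main__":
    split_with_route = remote_nodes(False, [(PROVIDER + "/32", "ROUTER1")])
    for label, nodes, src, dst in [
        ("office, route on each PC", office_nodes(True), "PC", PROVIDER),
        ("office, route on Router 1", office_nodes(False), "PC", PROVIDER),
        ("office, ordinary web traffic", office_nodes(False), "PC", "8.8.8.8"),
        ("laptop, full tunnel", remote_nodes(True), "LAPTOP", PROVIDER),
        ("laptop, full tunnel, web traffic", remote_nodes(True), "LAPTOP", "8.8.8.8"),
        ("laptop, full tunnel, VPN server", remote_nodes(True), "LAPTOP", VPN_SERVER),
        ("laptop, split tunnel, no route add", remote_nodes(False), "LAPTOP", PROVIDER),
        ("laptop, split tunnel + route add", split_with_route, "LAPTOP", PROVIDER),
    ]:
        print(f"{label:38} {' -> '.join(trace(nodes, src, dst))}")
```

Run it as a script and the "split tunnel, no route add" line shows the case Steve was worried about in the question: the laptop's default route points at its home router, so the provider's address never enters the tunnel and leaves via the home ISP, whose source IP the provider's firewall will not accept. Either "Use default gateway on remote network" (everything hairpins through Line 1, including web traffic) or a single host route for 99.99.99.99 pointing into the tunnel fixes it. The host route for the VPN server in `remote_nodes` is also worth noting: it is the reason a full-tunnel client does not try to send the tunnel's own packets through the tunnel.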

Author Comment

by: stevie_dee
ID: 40277297
Ok, all makes sense, thanks for explaining!

The current router is just BT's own fire router, but I guess a Draytek 2860 or similar would do the job.

Thanks for all your help!

Regards

Steve

Expert Comment

by: Frosty555
ID: 40277497
ISP-provided routers are often quite "dumbed down". I'm not sure about BT's router, you'll have to check in the configuration options and see what is available.

A Draytek 2860 definitely should be able to do it.