Routing between three routers on the same subnet

Hello Folks,

I have a Comcast ISP connection and a modem with 4 ports. I have three routers, each connected to one of the ports on the Comcast modem, each assigned a separate static public IP on the same subnet on the WAN interface. The LAN sides of my routers are assigned the IP address 192.168.0.1. Router A is the main router and my servers are connected to it. Routers B and C are routers that go to lab computers.

My question is this - I cannot access some public-facing services such as FTP or RDP on the servers connected to one of my routers from computers connected to lab routers B and C, but can access those from sites outside of my network. Does anyone know why?

Thanks!

-John
JohnnyD74 asked:

John, Business Consultant (Owner), commented:
If you have three routers hanging off the Comcast Modem/Router, make sure:

1. A LAN port on the other routers is connected to the Comcast Modem/Router (not the WAN port).
2. Each other router needs a different LAN IP address. 192.168.0.4  .5  and .6 say. They must be different.

This would be a good time to change your subnet from 192.168.0 to 192.168.90 or some such (not .0, .1, or .2).
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Are you able to ping between the routers' LAN interfaces? Can these routers' LAN interfaces reach each other?

On the WAN side, are all three routers connected to the Comcast modem? How are they connected on the LAN side?
JohnnyD74 (Author) commented:
My goal, John, is to have all routers on 192.168.0.1, as we set up new computers/devices in this subnet for our clients on the lab computers. Is there any way to accomplish this?
John, Business Consultant (Owner), commented:
You can have all routers on 192.168.0  (subnet). You cannot have them all 192.168.0.1  (not all 3). Not possible. They must be different IP addresses but CAN be on one subnet.
Akinsd, Network Administrator, commented:
The main purpose of routers is to bridge networks together, in your case, all the routers belong to the same network which would cause conflict. Each router would think it owns the network and would not forward the traffic.
The topology you described would suffice for managing the routers but that's about it

What types of routers are these?

Please provide a network topology diagram showing how the routers are connected, how the networks behind them are connected, local IP address, What the computers are using as gateway etc
JohnnyD74 (Author) commented:
I currently have all 3 routers on 192.168.0.1 but each has a different Comcast public IP address. All 3 seem to be routing traffic just fine from the outside but I can't access some services on the main router from the lab routers
John, Business Consultant (Owner), commented:
There is no way you can see services on Router 1 from Router 3 if they have the same IP address. I am fairly sure that just will not work. Why? The routers are all disjoint (different external IP addresses). You would have to route externally through the internet.

It seems vastly easier to have the routers on one network and then you CAN see equipment across the routers. I have done this.
Akinsd, Network Administrator, commented:
A topology would help, if you can provide it
You will need to create routes that point to each router's IP address or publish the network using a dynamic routing protocol (OSPF, EIGRP etc)

For static route:
eg
Router 1, Management IP (192.168.0.10, Network 192.168.10.0 /24)
Router 2, Management IP (192.168.0.20, Network 192.168.20.0 /24)

For Router 1 to know about 192.168.20.0 network on router 2,
you would need a route like
ip route 192.168.20.0 255.255.255.0 192.168.0.20

For Router 2 to know about 192.168.10.0 network on router 1,
you would need a route like
ip route 192.168.10.0 255.255.255.0 192.168.0.10

This is assuming all routers can ping one another
John, Business Consultant (Owner), commented:
@JohnnyD74 - Your routers all have separate external IP addresses. What you are saying is that if MY subnet is 192.168.0 you should see my gear. This does not work.
JohnnyD74 (Author) commented:
Hi Folks. Here is my current arrangement now (the public IP's are fictitious but you will get the idea)
2015-09-26_18-08-18.jpg
JohnnyD74 (Author) commented:
My Goal is to keep all routers at 192.168.0.1 if possible (two lab routers for device setup purposes)
John, Business Consultant (Owner), commented:
I see what you are trying to do, but it will not work between routers, only out through the internet. Otherwise you would be connecting to every 192.168.0 network in the world.
Akinsd, Network Administrator, commented:
Thanks for the diagram
That topology won't work if you need inter-connectivity between the network.

The only way is if your devices are connecting via host names rather than IP. This also requires that you have a domain environment. In such a situation, you will need to implement double NAT, which would only solve half the problem.

Visualize it this way
You have a house on Main street in Oakland with address 555 Main Street
You also have a second house in San Francisco with address 555 Main Street

If asked to go to 555 Main Street, how would you determine whether to go to San Francisco or Oakland.

That's exactly the scenario you've created here
A packet from computer 2 with ip address 192.168.0.3 destined for computer 3 with ip 192.168.0.3 won't go anywhere
John, Business Consultant (Owner), commented:
With respect, I am not sure that you understand subnets. 192.168.0.1 is NOT a subnet. It is an IP address.

192.168.0.1 through to 192.168.0.255 IS a subnet comprised of 245 distinct IP addresses.

You can do what you want on ONE network (ONE external IP) and several routers all with distinct LAN addresses.
Akinsd, Network Administrator, commented:
It can only work halfway if these conditions are met
- Domain Environment
- Communication is by hostname
- Double NAT is in place. (This means you would create another set of subnets and do one-to-one mapping. So if Computer2.dc1.local wants to connect to Computer3.dc2.local, you can create a subnet like 172.16.3.0 /24. Computer 1 would query the DNS, which would supply the address 172.16.3.5. When the traffic gets to Router C, it will translate that address to 192.168.0.5. You would implement a similar setup, e.g. 172.16.2.0 /24, for Router B.)

This type of scenario usually happens when 2 companies merge and both are on the same IP scheme.
You would use this temporarily to connect important resources, and then implement better scheme at a later time.

I hope this helps
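The one-to-one mapping described in the comment above, as an added example that is not part of the original thread. It models address translation only; which router rewrites the source and which rewrites the destination is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Real LAN behind every router in the thread; the alias subnets are the ones
# named in the comment (172.16.2.0/24 for Router B, 172.16.3.0/24 for Router C).
LAN = ipaddress.ip_network("192.168.0.0/24")
ALIAS = {"B": ipaddress.ip_network("172.16.2.0/24"),
         "C": ipaddress.ip_network("172.16.3.0/24")}


def is_on_link(dst, own_net=LAN):
    """True if a host in own_net would ARP for dst instead of using its gateway."""
    return ipaddress.ip_address(dst) in own_net


def netmap(addr, from_net, to_net):
    """One-to-one NAT: keep the host part, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def trace(src_site, src_ip, dst_site, dst_ip):
    """Return (stage, source, destination) tuples for one packet."""
    if is_on_link(dst_ip):
        # Destination looks local, so the packet never reaches the router.
        return [("stays on local segment", src_ip, dst_ip)]
    # Assumed placement: the source router rewrites the source address,
    # the destination router rewrites the destination address.
    snat = str(netmap(src_ip, LAN, ALIAS[src_site]))
    dnat = str(netmap(dst_ip, ALIAS[dst_site], LAN))
    return [("leaves host", src_ip, dst_ip),
            ("after source router", snat, dst_ip),
            ("after destination router", snat, dnat)]


if __name__ == "__main__":
    # Constructed sample addresses: same real IP on both sides, then the alias.
    for step in trace("B", "192.168.0.3", "C", "192.168.0.3"):
        print(step)
    for step in trace("B", "192.168.0.3", "C", "172.16.3.5"):
        print(step)
```

The first trace shows why addressing the remote host by its real 192.168.0.x address fails: the sender treats it as a neighbour. The second shows why DNS has to hand out the alias address.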
Fred Marshall, Principal, commented:
I should think that a reasonable goal might be to keep all the computers, servers, printers, etc. on 192.168.0.0/24.
The only real issue here is keeping all the routers on the same IP address.
So, perhaps a good solution would be to change the router addresses to:
192.168.0.1
192.168.0.2
192.168.0.3
while keeping their subnets at 192.168.0.0/24

If you're using DHCP then this is a fairly easy change.
If you're using a lot of static-addressed computers then it's a bit of trouble perhaps.
You might keep the segment with the most trouble at 192.168.0.1 on the router and change those with least work involved.
Then you can connect them all together.

If you have some extra public addresses, you could do this:
Add a router to one segment with the address 192.168.0.2 (or some other in the range) and a public IP on the WAN and have it take over the DHCP server role so that new gateway addresses are distributed over time.
If the lease time is short then this won't take long.
If the lease time is long then shorten it to 4-8 hours.  That won't hurt anyway.
Change any static-address devices to have the new gateway.
Then retire the router with 192.168.0.1 and connect this subnet segment to the one that will continue using 192.168.0.1 at the router.

Use the retired router on the next segment and use it as 192.168.0.3 (or some other in the range) and the same public IP address as before.
Do the same thing there.
Then, when this is done, you can connect this segment to the other two.

You can assign whichever public IP address to each router as makes sense.

But, if you can connect them all together, why use 3 routers and 3 public IP addresses anyway?
Why not just one?
JohnnyD74 (Author) commented:
Thanks so much folks. I understand the routing issue. Would this work if Comcast would give me two separate IP addresses on different subnets? I don't know if that is possible...but thought it might work as then the networks would be completely separate correct?
John, Business Consultant (Owner), commented:
Putting Routers on two separate IP addresses with two separate subnets will not allow interconnection of the subnets unless you route out through the internet. That seems very complicated.
JohnnyD74 (Author) commented:
Thanks so much for all the feedback, folks! I am going to try Akinsd's suggestion of setting up a double NAT. I will post the results when I am done - have a big project today so it may not be for a few days. Thanks again!!!
Fred Marshall, Principal, commented:
Double NAT will work but it forces you to set up all new subnets in 2 of the 3 segments.
I don't see that meeting your objectives as I understood them.

I'd merge into a single subnet with a single router/gateway.  
It's easy and direct.
Change from /24 to /23 if necessary.

I had written a longer response with more information but when I hit "Submit" it got lost.....
More if you like.

How many devices in total need IP addresses?
Is DHCP the normal way for things to get their addresses or not?  It matters in how much work you will need to do.
John, Business Consultant (Owner), commented:
As I  (and others) have noted before, one subnet is trivial to accomplish without the complications you face. Why do you need separate subnets for internal communication?
JohnnyD74 (Author) commented:
Hi Folks,

The reason (as I explained in my original post) is that we use the two lab computers to set up devices for use in our clients' environments, which all use the 192.168.0.X subnet. We simply want to have an isolated environment which will allow us to set up units per our company standard config.

I will be working with our firewall vendor to see if there is anything we can do to make this work and will post the results!
Akinsd, Network Administrator, commented:
Any update from your ISP?

Giving you additional public IPs would not solve the underlying problem which is 2 networks having exact same scheme.

Another simple scenario is having 3 kids and naming all 3 kids Bob. It doesn't matter if all 3 Bobs are in the same room or separate rooms. If Peter is sent to deliver a letter to Bob. Two things will happen.
1. If he knows all 3 Bobs, he'll ask you "Which Bob should I deliver the letter to" With no distinction, that letter is going nowhere.
2. Since all 3 Bobs are in separate rooms, he'll automatically deliver the letter to the Bob that's in the same room as him.

So to reiterate my previous answer, you will need to setup double NAT and your primary mode of communication would be via host names.

I hope this helps.
Fred Marshall, Principal, commented:
I still don't know why you need 3 public IP addresses for this overall network.
Please?
JohnnyD74 (Author) commented:
Hi Fred,

I understand what you are saying but the reason I want both lab networks on the 192.168.0.X subnet is that we set up firewalls and other devices here in our shop before taking them onsite to install for our clients. All of our clients' subnets are configured for 192.168.0.X per our standard so we also want to configure the devices we set up before we take them onsite to that same standard. I hope this helps.

My next step is to talk with WatchGuard support to see how I might make the double NAT solution work as currently, only some packets are being routed.

Thanks,

John
Fred Marshall, Principal, commented:
"All of our clients' subnets are configured for 192.168.0.X per our standard"
If I may humbly suggest, you would be *much* better off selecting a "standard" that's not so "standard" i.e. "common".  I have adopted using "unusual" subnets to avoid this very thing.  Then, you might expand your "standard" to not have the same subnet introduced into the same site.

So, you might use: 172.29.99.0/24 and, if there are others, 172.29.98.0/24 and 172.29.97.0/24 , etc.
There's a lot less chance of a conflicting overlap if you do that.  One might be tempted to use a subnet in 10.0.0.0 but then you run into the chance of a very large subnet defined with that network address and, thus, overlapping.  I believe that 172.xxx.xxx.xxx is less commonly used in equipment while 10.0.0.0 and 192.168.0.0 or 192.168.1.0 are very common.
John, Business Consultant (Owner), commented:
As I have noted above, and I fully agree with Fred, you should use one subnet in the way suggested.
Fred Marshall, Principal, commented:
My last post was more future-oriented.  Back to the case at hand and to amplify on John Hurst's comment: Why is it not fairly trivial to change the "standard" IP addresses to match another subnet?  The firewalls will go away no doubt.  Right?  I hope there's not a conflict that suggests: "My firewall is better than your firewall"  :-)
JohnnyD74 (Author) commented:
Hi Fred,

I completely agree with you and I would do it over if I could but I created those standards 8 years ago when I started our firm. Now that they are in place, things are working okay and I don't want to change due to the fact that it is already a well established standard for us. Thanks for your help!

JohnnyD74 (Author) commented:
The double NAT solution is working satisfactorily for me. Thanks all!