Multiple routers in network and Internet loss

Got called in to look at a very strange network the other day...  They were running a business off a (A) Linksys E2500 home wireless router.  Now off of this router is one cable going to a (B) Mako dual wan appliance, which then goes to a (C) Cybera appliance which hosts a VPN connection as well as a (D) Cisco RV042 router.  Now the other cable off the original router goes to another (E) E2500 Linksys router which only has a laptop and provides wireless to a printer and cell phones for employees.  

Now router (A) is controlling PPPoE from a bridged DSL modem.  Router (A) IP is 192.168.1.1 and servicing everything via DHCP (this will change in the near future).  Router (E), acting as an access point, is also LAN IP of 192.168.1.1 and handing out DHCP.  The laptop connected to (E) also has a secondary NIC via USB that connects to some point in the other side of the network.  The Mako fails over to secondary ISP (Cellular) after only a few minutes and generally won't return.  I believe either the laptop router (E) is creating the problem.  Router (A) is experiencing over 2,000ms latency and over 5% packet loss.  So I removed router (A) and reconfigured the DSL modem to handle the PPPoE, and this now becomes router (A) in the equation.  This router is set to 192.168.0.1 and has around 25ms latency with less than 2% packet loss, and everything works great!  We are keeping an eye on this for a week or so before any more changes are made.

Eventually the Mako should be the router and have multiple subnets, and the DSL modem will be a bridge again.  Not worried about this part of the story.

My question refers to: "I believe either the laptop router (E) is creating the problem."  Please make your argument as to what the problem was.
Jason Johanknecht (IT Manager) asked:

Wayne88 commented:
All I can say is wow and why did they set it up like that.  The RV042 router can support dual WAN and a VPN router.  Why do they need (B) Mako dual wan appliance and (C) Cybera appliance which hosts a VPN connection?  Why can't they just connect the RV042 straight to the modem?  

This is a bad design, not to mention they are running multiple NATs, and it is unnecessarily complex to troubleshoot.  One low-end SonicWall UTM appliance will replace all of it and can do everything you stated after the modem.
3
Jason Johanknecht (IT Manager, Author) commented:
Thank you for that reply.  I have the owners talked into changing things, but only after they confirm with all groups involved that my plan is approved overall.  I walked into this network for the first time, and no one could explain why half of it exists at all.  The Mako is for a credit card payment system of some sort (which I will not be supporting), and the Cybera is part of a Verifone system (which might control the gas pumps and POS system).  The RV042 appears to me to just be leftover from who knows what.  The cabling is a very back-and-forth twisted mess, so I could only take their word on what is connected to what.  In the end the Mako will be the router and the Cybera will be behind that with its VPN (mandated by their corporate).  All else will be removed.
0
N8iveIT commented:
One thought ... wherever devices are connected to devices, I would recommend making sure they are hard-coded to the highest common denominator of "<speed>/Full-Duplex" (wherever possible) for the short-term.

The other thought is ... What Wayne88 said ... "Why did they set it up like that?"
0
Wayne88 commented:
"Cybera will be behind that with its VPN (Mandated by their corporate)"

OK, so this must stay, and you can accommodate this in different ways (DMZ, port forward, etc.) after the main router.

Sorry Jason, I won't be much help.  Not sure where to start.
0
Blue Street Tech (Last Knight) commented:
Hi Jason,

I fully agree! Get rid of all those junky, residential-grade network devices that are pretty much worthless from a security standpoint. All of them run a 1996 technology...SPI (Stateful Packet Inspection). You need a NGFW (Next-Generation Firewall) to protect the network from today's threats. Go with a SonicWALL TZ300 at minimum and it will handle all of the load that all four units are doing now easily. I say minimum because that is the lowest device that will perform DPI-SSL and has the capabilities of running a virtualized, multi-engine, network sandbox. In order to determine the correct unit you need to perform a sizing analysis. I can help you with that if you like...just send me an email.

Let me know if you have any specific questions!
1
Blue Street Tech (Last Knight) commented:
"The Mako is for a credit card payment system of some sort (which I will not be supporting), and the Cybera is part of a Verifone system (which might control the gas pumps and POS system)."
Regardless of whether these are separate circuits or just disparate routers performing roles, you can consolidate and isolate the networks with one SonicWALL security appliance so that all traffic has security contexting and is segmented accordingly (gas pumps, credit card processing, POS, etc.).

"Why did they set it up like that?"
I believe Jimmy set it up...hence the coined phrase "Jimmy-rigged"! It's because they have no clue what they are doing. All that gear is very low quality and the architecture is ridiculous. Maybe they set this up in 1996 "set it and forget it" back when they thought interoperability should always trump security. Also, a clean space is a clean mind. Anytime I walk into a server room/data-center and see a cabling disaster, it reveals a lack of critical thought processes...design & planning. I'd consider them as a client, meaning I'd be willing to bet all they want is the laptop fixed and could care less about the other issues (that we see).

In terms of troubleshooting this...

"Router (A) IP is 192.168.1.1 and servicing everything via DHCP (this will change in the near future).  Router (E), acting as an access point, is also LAN IP of 192.168.1.1 and handing out DHCP."
Even if Router (E) is configured to be a passthrough (plugging into its LAN ports), its management port should not conflict with Router (A), which it appears to do. Only one DHCP server should exist (notice I didn't say scopes), but if, because of limitations, there have to be more, there should only be one per subnet. This can cause conflicts where one DHCP table doesn't talk to the other...double assignments can occur, etc.

"The laptop connected to (E) also has a secondary NIC via USB that connects to some point in the other side of the network."
Run ipconfig /all on the laptop and determine which networks are being received...it could be creating a loop. Also, what "other side of the network"? There are no sides; what do you mean by this? Lastly, understand the laptop's purpose too: what is it used for and why does it have two NICs in use?

"The Mako fails over to secondary ISP (Cellular) after only a few minutes and generally won't return."
Failback is a must! Otherwise, there are going to be performance degradations when everything is running on a narrow 4G service, which will result in more support calls and client frustrations. Verify the equipment has the capability to, and if it does, reconfigure the failover function. If it doesn't, then make your case that they need one single piece of equipment to run all of this, like a SonicWALL.

"I believe either the laptop router (E) is creating the problem.  Router (A) is experiencing over 2,000ms latency and over 5% packet loss.  So I removed router (A) and reconfigured the DSL modem to handle the PPPoE, and this now becomes router (A) in the equation.  This router is set to 192.168.0.1 and has around 25ms latency with less than 2% packet loss, and everything works great!  We are keeping an eye on this for a week or so before any more changes are made."
Great! Physically recycle that router...don't even leave it on the shelf for some idiot to try and plug in again...it's worthless!

Also, double NAT is not ideal but it will work. It has downsides though and will grossly limit the network if the requirements fall into those limitations. With all these devices, the network will degrade wherever the weakest link exists.
2
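The ipconfig /all check suggested above, as an added example that is not from anyone in this thread: it parses constructed output for the two-NIC laptop and flags the two symptoms discussed, adapters leased on overlapping subnets (a loop/bridge candidate between segments) and one DHCP server address serving both adapters (two boxes both claiming 192.168.1.1). The sample text and adapter names are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `ipconfig /all` output for the two-NIC laptop in the question:
# the built-in NIC leases from Router (E), the USB NIC from Router (A), and
# both routers sit at 192.168.1.1 handing out the same 192.168.1.0/24 scope.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Ethernet 2:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Matches the dot-leader lines ipconfig prints, e.g. "IPv4 Address. . . : 1.2.3.4"
FIELD = re.compile(r"^\s+(IPv4 Address|Subnet Mask|Default Gateway|DHCP Server)[ .]*:\s*(\S+)")


def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip(": ")          # e.g. "Ethernet adapter Ethernet"
            adapters[current] = {}
        elif current and (m := FIELD.match(line)):
            adapters[current][m.group(1)] = m.group(2).replace("(Preferred)", "")
    return adapters


def find_conflicts(adapters):
    """Report adapter pairs on overlapping subnets and DHCP server addresses
    that issued leases to more than one adapter of this host."""
    nets, servers, overlaps = {}, defaultdict(list), []
    for name, f in adapters.items():
        if "IPv4 Address" in f and "Subnet Mask" in f:
            net = ipaddress.IPv4Network(f"{f['IPv4 Address']}/{f['Subnet Mask']}", strict=False)
            overlaps += [(other, name) for other, onet in nets.items() if net.overlaps(onet)]
            nets[name] = net
        if "DHCP Server" in f:
            servers[f["DHCP Server"]].append(name)
    shared = {ip: names for ip, names in servers.items() if len(names) > 1}
    return {"overlapping_subnets": overlaps, "shared_dhcp_servers": shared}
```

Run find_conflicts(parse_adapters(SAMPLE_IPCONFIG)) on real output saved from the laptop; an empty result for both keys means the two NICs sit on distinct segments with distinct DHCP servers.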

Wayne88 commented:
"Even if Router (E) is configured to be a passthrough (plugging into its LAN ports), its management port should not conflict with Router (A), which it appears to do. Only one DHCP server should exist, but if, because of limitations, there have to be more, there should only be one per subnet. This can cause conflicts where one DHCP table doesn't talk to the other...double assignments can occur, etc."

I just have a feeling the above environment involved one router (if not more) grabbing a DHCP address from another router, and then there are multiple NATs.  I am throwing in the towel.
0
Jason Johanknecht (IT Manager, Author) commented:
Thank you all for the comments.  This was really to validate to the client that this network was a mess and changes need to be made.  Blue Street, you went far above and beyond the call of duty on this one!  I hope others see your response for future benefit.
2
Blue Street Tech (Last Knight) commented:
Thank you for the compliments! I'm glad I could help...thanks for the points!
0
Wayne88 commented:
Glad to be a help. Cheers!
0