Multiple routers in network and Internet loss

Got called in to look at a very strange network the other day...  They were running a business off a (A) Linksys E2500 home wireless router.  Now off of this router is one cable going to a (B) Mako dual wan appliance, which then goes to a (C) Cybera appliance which hosts a VPN connection as well as a (D) Cisco RV042 router.  Now the other cable off the original router goes to another (E) E2500 Linksys router which only has a laptop and provides wireless to a printer and cell phones for employees.  

Now router (A) is controlling PPPoE from a bridged DSL modem.  Router (A) IP is 192.168.1.1 and servicing everything via DHCP (This will change in near future).  Router (E) acting as an access point is also LAN IP of 192.168.1.1 and handing out DHCP.  The laptop connected to (E) also has a secondary NIC via USB that connects to some point in the other side of the network.  The Mako fails over to secondary ISP (Cellular) after only a few minutes and generally won't return.  I believe either the laptop router (E) is creating the problem.  Router (A) is experiencing over 2,000ms latency and over 5% packet loss.  So I removed router (A) and reconfigured the DSL modem to handle the PPPoE and this now becomes router (A) in the equation.  This router is set to 192.168.0.1 and has around 25ms latency with less than 2% packet loss and everything works great!  We are keeping an eye on this for a week or so, before any more changes are made.

Eventually the Mako should be the router and have multiple subnets, and the DSL modem will be a bridge again.  Not worried about this part of the story.

My question refers to: "I believe either the laptop router (E) is creating the problem."  Please make your argument as to what the problem was.
Jason Johanknecht (IT Manager) asked:

Blue Street Tech (Last Knight) commented:
"The mako is for a credit card payment system of some sort (which I will not be supporting), and the Cybera is part of a Verifone system (which might control the gas pumps and POS system)."
Regardless if these are separate circuits or just disparate routers performing roles you can consolidate and isolate the networks with one SonicWALL security appliance so that all traffic has security contexting and is segmented accordingly (gas pumps, credit card processing, POS, etc.).

Why did they set it up like that?
I believe Jimmy set it up...hence the coined phrase "Jimmy-rigged"! It's because they have no clue what they are doing. All that gear is very low quality and the architecture is ridiculous. Maybe they set this up in 1996, "set it and forget it", back when they thought interoperability should always trump security. Also, a clean space is a clean mind. Anytime I walk into a server room/data center and see a cabling disaster it reveals a lack of critical thought processes...design & planning. I'd consider them as a client, meaning I'd be willing to bet all they want is the laptop fixed and could care less about the other issues (that we see).

In terms of troubleshooting this...

"Router (A) IP is 192.168.1.1 and servicing everything via DHCP (This will change in near future).  Router (E) acting as an access point is also LAN IP of 192.168.1.1 and handing out DHCP."
Even if Router (E) is configured to be a passthrough (plugging into its LAN ports), its management port should not conflict with Router (A), which it appears to do. Only one DHCP server should exist (notice I didn't say scopes), but if because of limitations there has to be more, there should only be one per subnet. This can cause conflicts where one DHCP table doesn't talk to the other...double assignments can occur, etc.

"The laptop connected to (E) also has a secondary NIC via USB that connects to some point in the other side of the network."
Run ipconfig /all on the laptop and determine which networks are being received...it could be creating a loop. Also, what "other side of the network"? There are no sides; what do you mean by this? Lastly, understand the laptop's purpose too; what is it used for and why does it have two NICs in use?

"The Mako fails over to secondary ISP (Cellular) after only a few minutes and generally won't return."
Failback is a must! Otherwise, there are going to be performance degradations when everything is running on a narrow 4G service, which will result in more support calls and client frustrations. Verify the equipment has the capability to, and if it does, reconfigure the Failover function. If it doesn't, then make your case that they need one single piece of equipment to run all of this, like a SonicWALL.

"I believe either the laptop router (E) is creating the problem.  Router (A) is experiencing over 2,000ms latency and over 5% packet loss.  So I removed router (A) and reconfigured the DSL modem to handle the PPPoE and this now becomes router (A) in the equation.  This router is set to 192.168.0.1 and has around 25ms latency with less than 2% packet loss and everything works great!  We are keeping an eye on this for a week or so, before any more changes are made."
Great! Physically recycle that router...don't even leave it on the shelf for some idiot to try and plug in again...it's worthless!

Also, double NAT is not ideal but it will work. It has downsides though and will grossly limit the network if the requirements fall into those limitations. With all these devices, the network will degrade wherever the weakest link exists.
2
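The ipconfig /all check suggested above can be automated. As an added example (not code from any of the posters), this Python script parses constructed ipconfig output for a laptop with a built-in NIC and a USB NIC, both leased from a server at 192.168.1.1, and flags the conditions discussed in this thread: two adapters on overlapping subnets, more than one default gateway, and several leases naming the same DHCP server address (which here is two different routers both configured as 192.168.1.1). The sample output, adapter names and field layout are assumptions modelled on Windows ipconfig output.

```python
import re
from ipaddress import IPv4Interface

# Constructed sample (not captured from the network in the post): a laptop whose
# two NICs were each leased by a different router that uses 192.168.1.1 as its LAN IP.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1

Ethernet adapter USB Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.140(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")      # "Ethernet adapter <name>:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: (.+)$")      # "   Field . . . : value"

def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} for every adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Drop suffixes such as "(Preferred)" so the value is a bare address.
            current[m.group(1).strip()] = m.group(2).split("(")[0].strip()
    return adapters

def analyze(text):
    """Flag overlapping subnets across NICs (loop / dual-path risk), multiple
    default gateways, and DHCP leases that all name the same server address."""
    adapters = parse_ipconfig(text)
    ifaces = {n: IPv4Interface(f"{f['IPv4 Address']}/{f['Subnet Mask']}")
              for n, f in adapters.items() if "IPv4 Address" in f}
    names = list(ifaces)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if ifaces[a].network.overlaps(ifaces[b].network)]
    gateways = [f["Default Gateway"] for f in adapters.values() if "Default Gateway" in f]
    dhcp = [f["DHCP Server"] for f in adapters.values() if f.get("DHCP Enabled") == "Yes"]
    return {"overlapping_subnets": overlaps,
            "gateway_count": len(gateways),
            "dhcp_server_reuse": len(dhcp) > len(set(dhcp))}
```

Any non-empty `overlapping_subnets` or a `gateway_count` above one on a single laptop is the multihoming condition the comment warns about; a reused DHCP server address means the output alone cannot tell which physical router answered.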
 
Wayne88 commented:
All I can say is wow and why did they set it up like that.  The RV042 router can support dual WAN and a VPN router.  Why do they need (B) Mako dual wan appliance and (C) Cybera appliance which hosts a VPN connection?  Why can't they just connect the RV042 straight to the modem?  

This is a bad design, not to mention they are running multiple NATs, and it is unnecessarily complex to troubleshoot.  One low-end Sonicwall UTM appliance will replace them all and can do everything you stated after the modem.
3
 
Jason Johanknecht (IT Manager, Author) commented:
Thank you for that reply.  I have the owners talked into changing things, but only after they confirm with all groups involved that my plan is approved overall.  I walked into this network for the first time, and no one could explain why half of it exists at all.  The mako is for a credit card payment system of some sort (which I will not be supporting), and the Cybera is part of a Verifone system (which might control the gas pumps and POS system).  The RV042 appears to me to just be leftover from who knows what.  The cabling is a very back-and-forth twisted mess, so I could only take their word on what is connected to what.  In the end the Mako will be the router and the Cybera will be behind that with its VPN (Mandated by their corporate).  All else will be removed.
0
 
David Gipe commented:
One thought ... wherever devices are connected to devices, I would recommend making sure they are hard-coded to the highest common denominator of "<speed>/Full-Duplex" (wherever possible) for the short-term.

The other thought is ... What Wayne88 said ... "Why did they set it up like that?"
0
 
Wayne88 commented:
"Cybera will be behind that with its VPN (Mandated by their corporate)"

Ok, so this must stay and you can accommodate this in different ways (DMZ, port forward, etc.) after the main router.

Sorry Jason, I won't be much help.  Not sure where to start.
0
 
Blue Street Tech (Last Knight) commented:
Hi Jason,

I fully agree! Get rid of all those junky, residential-grade network devices that are pretty much worthless from a security standpoint. All of them run a 1996 technology...SPI (Stateful Packet Inspection). You need a NGFW (Next-Generation Firewall) to protect the network from today's threats. Go with a SonicWALL TZ300 at minimum and it will handle all of the load that all four units are doing now easily. I say minimum because that is the lowest device that will perform DPI-SSL and has the capabilities of running a virtualized, multi-engine, network sandbox. In order to determine the correct unit you need to perform a sizing analysis. I can help you with that if you like...just send me an email.

Let me know if you have any specific questions!
1
 
Wayne88 commented:
"Even if Router (E) is configured to be a passthrough (plugging into its LAN ports), its management port should not conflict with Router (A), which it appears to do. Only one DHCP server should exist, but if because of limitations there has to be more, there should only be one per subnet. This can cause conflicts where one DHCP table doesn't talk to the other...double assignments can occur, etc."

I just have a feeling the above environment involved one router (if not more) grabbing a DHCP address from another router, and then there are multiple NATs.  I am throwing in the towel.
0
 
Jason Johanknecht (IT Manager, Author) commented:
Thank you all for the comments.  This was really to validate to client that this network was a mess and changes need to be made.  Blue Street, you went far above and beyond the call of duty on this one!  I hope others see your response for future benefits.
2
 
Blue Street Tech (Last Knight) commented:
Thank you for the compliments! I'm glad I could help...thanks for the points!
0
 
Wayne88 commented:
Glad to be a help. Cheers!
0