share 1 ISP connection with 2 LANs?

I have a client with two VERY small businesses. He has one business with a
simple LAN and another business with SBS. They are running on different
segments by connecting a second router to the primary, giving the second
router different segment and hanging SBS off that LAN. My client now wants to
VPN into SBS and I don't think there's a way to do it with this
configuration. We have a static gateway IP address and 2 separate static WAN
IP addresses.

Can anyone suggest a way to drop two LANs off one ISP connection, each one
using a separate static WAN IP address. Can I connect WAN to a switch, then
drop 2 routers off it configured with separate static IP addresses ? VPN
should terminate at SBS, not router.

Thanks for any help with this. I know it's hodge podge but every body is
feeling the pinch and running lean

With two static IP addresses from your ISP? Quite easy actually. Just pick
up a *good* business class router (or UTM device is recommended) and they
will let you do exactly what you want. Consumer-class devices are limited
because internally they only have one WAN port and one LAN port, and then a
switch is hung off the LAN port to expose 4 or 5 ports. A *real* router
will have 4 or 5 ports, but they aren't on a switch. They are independently
assignable and routable.

-Cliff



"Dabbler" <> wrote in message
news54A70DB-6749-49A7-B48E-...
> I have a client with two VERY small businesses. He has one business with a
> simple LAN and another business with SBS. They are running on different
> segments by connecting a second router to the primary, giving the second
> router different segment and hanging SBS off that LAN. My client now wants
> to
> VPN into SBS and I don't think there's a way to do it with this
> configuration. We have a static gateway IP address and 2 separate static
> WAN
> IP addresses.
>
> Can anyone suggest a way to drop two LANs off one ISP connection, each one
> using a separate static WAN IP address. Can I connect WAN to a switch,
> then
> drop 2 routers off it configured with separate static IP addresses ? VPN
> should terminate at SBS, not router.
>
> Thanks for any help with this. I know it's hodge podge but every body is
> feeling the pinch and running lean

most consumer-class routers will do routing for a subnet.

Depending on the version of SBS ISA may be involved, otherwise yes, you need
a firewall.

"Cliff Galiher" <> wrote in message
news:...
> With two static IP addresses from your ISP? Quite easy actually. Just
> pick up a *good* business class router (or UTM device is recommended) and
> they will let you do exactly what you want. Consumer-class devices are
> limited because internally they only have one WAN port and one LAN port,
> and then a switch is hung off the LAN port to expose 4 or 5 ports. A
> *real* router will have 4 or 5 ports, but they aren't on a switch. They
> are independently assignable and routable.
>
> -Cliff
>
>
>
> "Dabbler" <> wrote in message
> news54A70DB-6749-49A7-B48E-...
>> I have a client with two VERY small businesses. He has one business with
>> a
>> simple LAN and another business with SBS. They are running on different
>> segments by connecting a second router to the primary, giving the second
>> router different segment and hanging SBS off that LAN. My client now
>> wants to
>> VPN into SBS and I don't think there's a way to do it with this
>> configuration. We have a static gateway IP address and 2 separate static
>> WAN
>> IP addresses.
>>
>> Can anyone suggest a way to drop two LANs off one ISP connection, each
>> one
>> using a separate static WAN IP address. Can I connect WAN to a switch,
>> then
>> drop 2 routers off it configured with separate static IP addresses ? VPN
>> should terminate at SBS, not router.
>>
>> Thanks for any help with this. I know it's hodge podge but every body is
>> feeling the pinch and running lean
>

I've done this in the past, on dynamic IP, with no problems.

It's been awhile, though. I think the smaller workgroup had their own
router that connected to our router--separate subnet.

This was SBS 2003 premium, two nics, one connecting to that same router, and
one to the rest of the larger SBS network.

Your case, with multiple fixed public IP addresses should be more flexible
than mine was--but how this works depends on the capabilities of that
router. I would expect it to be able to forward VPN traffic to the SBS
server at a minimum, and perhaps even be capable of forwarding based on
which public IP address the traffic originates from.

We need to know more about that gateway device--the "router" that connects
to your ISP.



"Dabbler" <> wrote in message
news54A70DB-6749-49A7-B48E-...
> I have a client with two VERY small businesses. He has one business with a
> simple LAN and another business with SBS. They are running on different
> segments by connecting a second router to the primary, giving the second
> router different segment and hanging SBS off that LAN. My client now wants
> to
> VPN into SBS and I don't think there's a way to do it with this
> configuration. We have a static gateway IP address and 2 separate static
> WAN
> IP addresses.
>
> Can anyone suggest a way to drop two LANs off one ISP connection, each one
> using a separate static WAN IP address. Can I connect WAN to a switch,
> then
> drop 2 routers off it configured with separate static IP addresses ? VPN
> should terminate at SBS, not router.
>
> Thanks for any help with this. I know it's hodge podge but every body is
> feeling the pinch and running lean

Agreed, but if I read his post correctly, he wants *TWO* subnets. And most
consumer routers don't do that. They have *just* enough horsepower ot
handle NAT tables for one subnet and they'll do a DMZ, but no NATing there,
so no subnet. I haven't seen a consumer router do two subnets off the
shelf.

-Cliff


"SuperGumby [SBS MVP]" <> wrote in message
news:#...
> most consumer-class routers will do routing for a subnet.
>
> Depending on the version of SBS ISA may be involved, otherwise yes, you
> need a firewall.
>
> "Cliff Galiher" <> wrote in message
> news:...
>> With two static IP addresses from your ISP? Quite easy actually. Just
>> pick up a *good* business class router (or UTM device is recommended) and
>> they will let you do exactly what you want. Consumer-class devices are
>> limited because internally they only have one WAN port and one LAN port,
>> and then a switch is hung off the LAN port to expose 4 or 5 ports. A
>> *real* router will have 4 or 5 ports, but they aren't on a switch. They
>> are independently assignable and routable.
>>
>> -Cliff
>>
>>
>>
>> "Dabbler" <> wrote in message
>> news54A70DB-6749-49A7-B48E-...
>>> I have a client with two VERY small businesses. He has one business with
>>> a
>>> simple LAN and another business with SBS. They are running on different
>>> segments by connecting a second router to the primary, giving the second
>>> router different segment and hanging SBS off that LAN. My client now
>>> wants to
>>> VPN into SBS and I don't think there's a way to do it with this
>>> configuration. We have a static gateway IP address and 2 separate
>>> static WAN
>>> IP addresses.
>>>
>>> Can anyone suggest a way to drop two LANs off one ISP connection, each
>>> one
>>> using a separate static WAN IP address. Can I connect WAN to a switch,
>>> then
>>> drop 2 routers off it configured with separate static IP addresses ? VPN
>>> should terminate at SBS, not router.
>>>
>>> Thanks for any help with this. I know it's hodge podge but every body is
>>> feeling the pinch and running lean
>>
>
>

the OP doesn't ask about two different (public) subnets, simply 2 IPs, which
on any DSL line I deal with will be on the same subnet.

2 private subnets (directly attached) to most commodity routers can also be
done by sub/super netting.

"Cliff Galiher" <> wrote in message
news:...
> Agreed, but if I read his post correctly, he wants *TWO* subnets. And
> most consumer routers don't do that. They have *just* enough horsepower
> ot handle NAT tables for one subnet and they'll do a DMZ, but no NATing
> there, so no subnet. I haven't seen a consumer router do two subnets off
> the shelf.
>
> -Cliff
>
>
> "SuperGumby [SBS MVP]" <> wrote in message
> news:#...
>> most consumer-class routers will do routing for a subnet.
>>
>> Depending on the version of SBS ISA may be involved, otherwise yes, you
>> need a firewall.
>>
>> "Cliff Galiher" <> wrote in message
>> news:...
>>> With two static IP addresses from your ISP? Quite easy actually. Just
>>> pick up a *good* business class router (or UTM device is recommended)
>>> and they will let you do exactly what you want. Consumer-class devices
>>> are limited because internally they only have one WAN port and one LAN
>>> port, and then a switch is hung off the LAN port to expose 4 or 5 ports.
>>> A *real* router will have 4 or 5 ports, but they aren't on a switch.
>>> They are independently assignable and routable.
>>>
>>> -Cliff
>>>
>>>
>>>
>>> "Dabbler" <> wrote in message
>>> news54A70DB-6749-49A7-B48E-...
>>>> I have a client with two VERY small businesses. He has one business
>>>> with a
>>>> simple LAN and another business with SBS. They are running on different
>>>> segments by connecting a second router to the primary, giving the
>>>> second
>>>> router different segment and hanging SBS off that LAN. My client now
>>>> wants to
>>>> VPN into SBS and I don't think there's a way to do it with this
>>>> configuration. We have a static gateway IP address and 2 separate
>>>> static WAN
>>>> IP addresses.
>>>>
>>>> Can anyone suggest a way to drop two LANs off one ISP connection, each
>>>> one
>>>> using a separate static WAN IP address. Can I connect WAN to a switch,
>>>> then
>>>> drop 2 routers off it configured with separate static IP addresses ?
>>>> VPN
>>>> should terminate at SBS, not router.
>>>>
>>>> Thanks for any help with this. I know it's hodge podge but every body
>>>> is
>>>> feeling the pinch and running lean
>>>
>>
>>

SG: I'm basing my suggestion based on the OP's request which I've requoted
below.

>Can anyone suggest a way to drop two LANs off one ISP connection, each one
>using a separate static WAN IP address.

The two LANs, as you rightly state, could exist on the same switch, but most
(if not all) consumer routers won't maintain two separate NAT tables, one
for each WAN IP, and keep the two subnets separate. The request, at least
by my interpretation, appears to attempt to keep a security barrier between
the two LANs where traffic is not co-mingling. The only way I know to do
this is through two separate switches (or a VLAN capable switch) and a
device capable of routing and mapping multiple public IP addresses to
multiple internal subnets.

I suppose at this point the OP will need to clarify their needs...

-Cliff


"SuperGumby [SBS MVP]" <> wrote in message
news:#...
> the OP doesn't ask about two different (public) subnets, simply 2 IPs,
> which on any DSL line I deal with will be on the same subnet.
>
> 2 private subnets (directly attached) to most commodity routers can also
> be done by sub/super netting.
>
> "Cliff Galiher" <> wrote in message
> news:...
>> Agreed, but if I read his post correctly, he wants *TWO* subnets. And
>> most consumer routers don't do that. They have *just* enough horsepower
>> ot handle NAT tables for one subnet and they'll do a DMZ, but no NATing
>> there, so no subnet. I haven't seen a consumer router do two subnets off
>> the shelf.
>>
>> -Cliff
>>
>>
>> "SuperGumby [SBS MVP]" <> wrote in message
>> news:#...
>>> most consumer-class routers will do routing for a subnet.
>>>
>>> Depending on the version of SBS ISA may be involved, otherwise yes, you
>>> need a firewall.
>>>
>>> "Cliff Galiher" <> wrote in message
>>> news:...
>>>> With two static IP addresses from your ISP? Quite easy actually. Just
>>>> pick up a *good* business class router (or UTM device is recommended)
>>>> and they will let you do exactly what you want. Consumer-class devices
>>>> are limited because internally they only have one WAN port and one LAN
>>>> port, and then a switch is hung off the LAN port to expose 4 or 5
>>>> ports. A *real* router will have 4 or 5 ports, but they aren't on a
>>>> switch. They are independently assignable and routable.
>>>>
>>>> -Cliff
>>>>
>>>>
>>>>
>>>> "Dabbler" <> wrote in message
>>>> news54A70DB-6749-49A7-B48E-...
>>>>> I have a client with two VERY small businesses. He has one business
>>>>> with a
>>>>> simple LAN and another business with SBS. They are running on
>>>>> different
>>>>> segments by connecting a second router to the primary, giving the
>>>>> second
>>>>> router different segment and hanging SBS off that LAN. My client now
>>>>> wants to
>>>>> VPN into SBS and I don't think there's a way to do it with this
>>>>> configuration. We have a static gateway IP address and 2 separate
>>>>> static WAN
>>>>> IP addresses.
>>>>>
>>>>> Can anyone suggest a way to drop two LANs off one ISP connection, each
>>>>> one
>>>>> using a separate static WAN IP address. Can I connect WAN to a switch,
>>>>> then
>>>>> drop 2 routers off it configured with separate static IP addresses ?
>>>>> VPN
>>>>> should terminate at SBS, not router.
>>>>>
>>>>> Thanks for any help with this. I know it's hodge podge but every body
>>>>> is
>>>>> feeling the pinch and running lean
>>>>
>>>
>>>
>
>

On the public side he has two public IP's, probably in the same subnet,
rather than two public subnets. Routers handle such standing on their heads
with one hand tied behind their back.

I'd actually be a little surprised if the 2 'networks' behind the current
routers need to be on physically distinct ethernet segments but if necessary
it is quite likely the existing devices could be configured so that one
network sits behind it's existing router, cascaded off the other.

We however should stop theorising and allow the OP to come back with more
information.

"Cliff Galiher" <> wrote in message
news:...
> SG: I'm basing my suggestion based on the OP's request which I've
> requoted below.
>
>>Can anyone suggest a way to drop two LANs off one ISP connection, each one
>>using a separate static WAN IP address.
>
> The two LANs, as you rightly state, could exist on the same switch, but
> most (if not all) consumer routers won't maintain two separate NAT tables,
> one for each WAN IP, and keep the two subnets separate. The request, at
> least by my interpretation, appears to attempt to keep a security barrier
> between the two LANs where traffic is not co-mingling. The only way I
> know to do this is through two separate switches (or a VLAN capable
> switch) and a device capable of routing and mapping multiple public IP
> addresses to multiple internal subnets.
>
> I suppose at this point the OP will need to clarify their needs...
>
> -Cliff
>
>
> "SuperGumby [SBS MVP]" <> wrote in message
> news:#...
>> the OP doesn't ask about two different (public) subnets, simply 2 IPs,
>> which on any DSL line I deal with will be on the same subnet.
>>
>> 2 private subnets (directly attached) to most commodity routers can also
>> be done by sub/super netting.
>>
>> "Cliff Galiher" <> wrote in message
>> news:...
>>> Agreed, but if I read his post correctly, he wants *TWO* subnets. And
>>> most consumer routers don't do that. They have *just* enough horsepower
>>> ot handle NAT tables for one subnet and they'll do a DMZ, but no NATing
>>> there, so no subnet. I haven't seen a consumer router do two subnets
>>> off the shelf.
>>>
>>> -Cliff
>>>
>>>
>>> "SuperGumby [SBS MVP]" <> wrote in message
>>> news:#...
>>>> most consumer-class routers will do routing for a subnet.
>>>>
>>>> Depending on the version of SBS ISA may be involved, otherwise yes, you
>>>> need a firewall.
>>>>
>>>> "Cliff Galiher" <> wrote in message
>>>> news:...
>>>>> With two static IP addresses from your ISP? Quite easy actually.
>>>>> Just pick up a *good* business class router (or UTM device is
>>>>> recommended) and they will let you do exactly what you want.
>>>>> Consumer-class devices are limited because internally they only have
>>>>> one WAN port and one LAN port, and then a switch is hung off the LAN
>>>>> port to expose 4 or 5 ports. A *real* router will have 4 or 5 ports,
>>>>> but they aren't on a switch. They are independently assignable and
>>>>> routable.
>>>>>
>>>>> -Cliff
>>>>>
>>>>>
>>>>>
>>>>> "Dabbler" <> wrote in message
>>>>> news54A70DB-6749-49A7-B48E-...
>>>>>> I have a client with two VERY small businesses. He has one business
>>>>>> with a
>>>>>> simple LAN and another business with SBS. They are running on
>>>>>> different
>>>>>> segments by connecting a second router to the primary, giving the
>>>>>> second
>>>>>> router different segment and hanging SBS off that LAN. My client now
>>>>>> wants to
>>>>>> VPN into SBS and I don't think there's a way to do it with this
>>>>>> configuration. We have a static gateway IP address and 2 separate
>>>>>> static WAN
>>>>>> IP addresses.
>>>>>>
>>>>>> Can anyone suggest a way to drop two LANs off one ISP connection,
>>>>>> each one
>>>>>> using a separate static WAN IP address. Can I connect WAN to a
>>>>>> switch, then
>>>>>> drop 2 routers off it configured with separate static IP addresses ?
>>>>>> VPN
>>>>>> should terminate at SBS, not router.
>>>>>>
>>>>>> Thanks for any help with this. I know it's hodge podge but every body
>>>>>> is
>>>>>> feeling the pinch and running lean
>>>>>
>>>>
>>>>
>>
>>

In article <D54A70DB-6749-49A7-B48E->,
says...
> I have a client with two VERY small businesses. He has one business with a
> simple LAN and another business with SBS. They are running on different
> segments by connecting a second router to the primary, giving the second
> router different segment and hanging SBS off that LAN. My client now wants to
> VPN into SBS and I don't think there's a way to do it with this
> configuration. We have a static gateway IP address and 2 separate static WAN
> IP addresses.
>

If you have 2 Static IP then connect a network switch to the ISP device
and then two routers to the switch and set each up with a public static
IP.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)